76f7a5d79b8df10dec30dc9faf6cbb6039fde1b93bd74210a61bf0943931f09d

Analysis

max time kernel
287s
max time network
296s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
18/01/2025, 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xworm-V6.1.zip
Size

26.5MB
MD5

75b715e998c88f168728e27dc6887819
SHA1

2d4d3f9702c0cd8b89b1b1d61ce05aa5c4b430d1
SHA256

76f7a5d79b8df10dec30dc9faf6cbb6039fde1b93bd74210a61bf0943931f09d
SHA512

85c4be0c1ed1d8bb740d314626c572bbd2258ce324394d4c27a87c2d8aa9f9723407ec792dcfe1467cc7d3a2e40178281ac964381db6b9d748f930c0907fdcf2
SSDEEP

786432:3vwgbHGy+fY6RXEDguMU0DADGj7VCubuu0SVww6vZqwffx:ogbHGyehuMdT7guxV7oswXx

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3204	Xworm V6.1.exe
648	Xworm V6.1.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc010.dat	lodctr.exe
File created	C:\Windows\system32\perfc011.dat	lodctr.exe
File created	C:\Windows\system32\perfh009.dat	lodctr.exe
File created	C:\Windows\system32\perfc00A.dat	lodctr.exe
File created	C:\Windows\system32\perfh00A.dat	lodctr.exe
File created	C:\Windows\system32\perfc00C.dat	lodctr.exe
File created	C:\Windows\system32\perfh010.dat	lodctr.exe
File created	C:\Windows\system32\perfh011.dat	lodctr.exe
File created	C:\Windows\system32\perfc007.dat	lodctr.exe
File created	C:\Windows\system32\perfh007.dat	lodctr.exe
File created	C:\Windows\system32\perfc009.dat	lodctr.exe
File created	C:\Windows\system32\perfh00C.dat	lodctr.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2488	7zFM.exe
2488	7zFM.exe
2488	7zFM.exe
2488	7zFM.exe
2488	7zFM.exe
2488	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2488	7zFM.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2488	7zFM.exe
Token: 35	2488	7zFM.exe
Token: SeSecurityPrivilege	2488	7zFM.exe
Token: SeSecurityPrivilege	2488	7zFM.exe
Token: SeSecurityPrivilege	2488	7zFM.exe
Token: SeSecurityPrivilege	2488	7zFM.exe
Token: SeSecurityPrivilege	2488	7zFM.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2488	7zFM.exe
2488	7zFM.exe
2488	7zFM.exe
2488	7zFM.exe
2488	7zFM.exe
2488	7zFM.exe
2488	7zFM.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 3204	2488	7zFM.exe	80
PID 2488 wrote to memory of 3204	2488	7zFM.exe	80
PID 2488 wrote to memory of 1140	2488	7zFM.exe	86
PID 2488 wrote to memory of 1140	2488	7zFM.exe	86
PID 1140 wrote to memory of 3452	1140	cmd.exe	88
PID 1140 wrote to memory of 3452	1140	cmd.exe	88
PID 2488 wrote to memory of 648	2488	7zFM.exe	89
PID 2488 wrote to memory of 648	2488	7zFM.exe	89

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Xworm-V6.1.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\7zO8B93D129\Xworm V6.1.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8B93D129\Xworm V6.1.exe"
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zO8B9F8F59\Fixer.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Windows\system32\lodctr.exe
    lodctr /r
    3⤵
    - Drops file in System32 directory
    PID:3452
- C:\Users\Admin\AppData\Local\Temp\7zO8B95F379\Xworm V6.1.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8B95F379\Xworm V6.1.exe"
  2⤵
  - Executes dropped EXE
  PID:648

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:648

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:5108

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\97453023-fdb0-46a5-a831-68db33ebf273.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8B93D129\Xworm V6.1.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8B9F8F59\Fixer.bat

Filesize
122B

MD5
2dabc46ce85aaff29f22cd74ec074f86

SHA1
208ae3e48d67b94cc8be7bbfd9341d373fa8a730

SHA256
a11703fd47d16020fa099a95bb4e46247d32cf8821dc1826e77a971cdd3c4c55

SHA512
6a50b525bc5d8eb008b1b0d704f9942f72f1413e65751e3de83d2e16ef3cf02ef171b9da3fff0d2d92a81daac7f61b379fcf7a393f46e914435f6261965a53b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Windows\System32\perfc007.dat

Filesize
44KB

MD5
bc3d1639f16cb93350a76b95cd59108b

SHA1
47f1067b694967d71af236d5e33d31cb99741f4c

SHA256
004818827ecc581f75674919f4605d28eed27e3f2229ae051d6849129eef40e9

SHA512
fe44f3dbd009d932491af26c3615e616bc0042741dc3815ffb4d2b8d201efd8ab89f7cdd747406609393f005a596a6e9ea8e3f231bc150dc406c2adb8f806249

Download Submit
C:\Windows\System32\perfc00A.dat

Filesize
47KB

MD5
69c02ba10f3f430568e00bcb54ddf5a9

SHA1
8b95d298633e37c42ea5f96ac08d950973d6ee9d

SHA256
62e5660f9018da67d3c6727c39e9690650beb62749df0b4c00e6085f36c8e94e

SHA512
16e4d29324c2b50e1347532cd0982a149a7c67c4f27a743bbad8609ac662c3e00fa1be645b1b5f23adca3abd60c812f3f87d669f5ffb42b90ca5026dcbf2824e

Download Submit
C:\Windows\System32\perfc00C.dat

Filesize
47KB

MD5
391168ff06e8d68c7a6f90c1ccb088be

SHA1
c3f8c12481c9d3559e8df93ade8f5bfefd271627

SHA256
7f2847cbf10a70dec0bfb78ca1bf2e548caa8de43deb290cc21d4d1a47bd7525

SHA512
71fe34a07a2107c03fc4735ca78814adc1c55ee3362ce01d6b9983b0ac52315485135b58edecbcd67252c1e27a451138a765bdf3f746e1241834cf35106520c6

Download Submit
C:\Windows\System32\perfc010.dat

Filesize
46KB

MD5
9c127d90b405f6e4e98e60bb83285a93

SHA1
358b36827fb8dbfd9f268d7278961ae3309baaa1

SHA256
878a012b076c81d7b46068109d9b9e1a86aa8527d87d0baee47b59b07502c578

SHA512
bd80bb82e6f2375107153b7da67ce4a3ab3d457103a8371f93e130edece21791d8a716ab9793b74c6b5ab10166ccb52aee430bc4b63403b7e4749d7db9929e73

Download Submit
C:\Windows\System32\perfc011.dat

Filesize
32KB

MD5
50681b748a019d0096b5df4ebe1eab74

SHA1
0fa741b445f16f05a1984813c7b07cc66097e180

SHA256
33295c7ee1b56a41e809432bc25dd745ba55b2dc91bfa97aa1f55156880cd71a

SHA512
568439b3547dcbcce28499d45663fdd0e2222f6c5c90053769ce2585f65721f679c071393328bde72c9a3f03da4c17abb84b8303897688b59598887ceb31438e

Download Submit
C:\Windows\System32\perfh007.dat

Filesize
322KB

MD5
0845cebf933086a66e207aae57a427ee

SHA1
ecf8587f451664c64e121f840f2c2f441ab2b78d

SHA256
7795c8ab095783b73f1752a4f38749d7c7f1685e2260257911784c371fe02071

SHA512
bd3a6fb855a163129d5c55caee9b3325eb541db43e3c606352e5825fc8c496fdef84c788fe7db5551393aef5fb802c6374a923c2d0aa072b02963d43ceaa8993

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
310KB

MD5
1ad05e460c6fbb5f7b96e059a4ab6cef

SHA1
1c3e4e455fa0630aaa78a1d19537d5ff787960cf

SHA256
0ae16c72ca5301b0f817e69a4bac29157369ecfbadc6c13a5a37db5901238c71

SHA512
c608aa10b547003b25ff63bb1999a5fff0256aadd8b005fdd26569a9828d3591129a0f21c11ec8e5d5f390b11c49f2ef8a6e36375c9e13d547415e0ec97a398f

Download Submit
C:\Windows\System32\perfh00A.dat

Filesize
360KB

MD5
1402add2a611322eb6f624705c8a9a4e

SHA1
d08b0b5e602d4587e534cf5e9c3d04c549a5aa47

SHA256
0ac43c8e77edb2c1468420653fc5d505b26cdc4da06c4121ce4bbecae561e6cb

SHA512
177d5ea7e77eee154042b5e064db67a5cac9435890a2ff65cd98da21433f4e7de743e9df22ac0ac61be89fc0be8655b46454ed4a930d13fc7c1dfebe5896781f

Download Submit
C:\Windows\System32\perfh00C.dat

Filesize
363KB

MD5
d0a8d13996333367f0e1721ca8658e00

SHA1
f48f432c5a0d3c425961e6ed6291ddb0f4b5a116

SHA256
68a7924621a0fbc13d0ea151617d13732a991cef944aae67d44fc030740a82e9

SHA512
8a68c62b5fc983975d010ae6504a1cbfdf34d5656e3277d9a09eb92929e201e27ca7bd2030740c8240a4afd56af57c223b4fd6de193bedf84ac7238777310de4

Download Submit
C:\Windows\System32\perfh010.dat

Filesize
353KB

MD5
a5389200f9bbc7be1276d74ccd2939b4

SHA1
8d6f17c7d36f686e727b6e7b3a62812297228943

SHA256
494db162e2ccd95e69404a34170b6e59847f444881834f3c175c6bc70d783087

SHA512
fc1d1e81362d186410b4af3d6add3c8b32fdd75ea79b7e868cc16615358264af04f47170229d32dffcbf7e1ba2b841ccd2d4f27b0f8d82a0685806c22d3d0a92

Download Submit
C:\Windows\System32\perfh011.dat

Filesize
158KB

MD5
41f2dbe6f02b3bb9802d60f10b4ef7a2

SHA1
f1b03d28e5be3db3341f3a399d1cc887fe8da794

SHA256
eca01d5405d7e8af92ea60f888f891415ea2e1e6484caff15cbaf5a645700db2

SHA512
1c7b85e12050d670d48121e7670e1dab787e0a0b134e0ab314dc571c3969d0f9652ff76666bb433aac5886ca532404963a3041a1d4b4352e3051c838965fd3b1

Download Submit
memory/3204-13-0x00000115B6E10000-0x00000115B7CF8000-memory.dmp

Filesize
14.9MB

Download
memory/3204-12-0x00007FFFAA933000-0x00007FFFAA935000-memory.dmp

Filesize
8KB

Download