Analysis
max time kernel: 29s
max time network: 29s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 18/01/2025, 20:40

Behavioral task
behavioral1
Sample: XWorm V5.0.rar
Resource: win11-20241007-en

General
Target: XWorm V5.0.rar
Size: 29.4MB
MD5: 88e60256792f6294b0758ccaa2039ebb
SHA1: 956c2e5c56b70e411c3d7571a47c4d98336750f7
SHA256: d4d60f2b5700a42ce59b0c449fe44532d08c81bc0aa1a68fd9f93eef1f42d4f7
SHA512: e65646d957ce58ac1a3b19f21bf1351953751a60a1febc76f49d2e658d958e579479bdbdcf25e3d47ce161ad8cac25c3531924effb59bfb6fa3ddbf5c8249b00
SSDEEP: 786432:oy+YS3/Hxn8Op25INyrYl4MrK2i9UKuAb:+FfWv5+yreZZif
Malware Config
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (4 IoCs)
- resource: behavioral1/memory/4160-158-0x0000000001620000-0x0000000001676000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/4692-170-0x0000000001030000-0x0000000001086000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/3288-175-0x00000000011C0000-0x0000000001216000-memory.dmp, yara_rule: family_redline
- resource: behavioral1/memory/3496-202-0x0000000001240000-0x0000000001296000-memory.dmp, yara_rule: family_redline

Redline family

Executes dropped EXE (8 IoCs)
- pid: 4160, Process: crack.exe
- pid: 4692, Process: crack.exe
- pid: 3288, Process: crack.exe
- pid: 2532, Process: XWorm V5.0.exe
- pid: 3496, Process: build.exe
- pid: 4192, Process: XWorm V5.0.exe
- pid: 3824, Process: XWormLoader.exe
- pid: 2572, Process: XWormLoader.exe

Loads dropped DLL (1 IoC)
- pid: 4192, Process: XWorm V5.0.exe

Obfuscated with Agile.Net obfuscator (4 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- resource: behavioral1/files/0x001900000002ab15-180.dat, yara_rule: agile_net
- resource: behavioral1/files/0x001900000002ab19-194.dat, yara_rule: agile_net
- resource: behavioral1/memory/2532-201-0x0000000000400000-0x0000000000F17000-memory.dmp, yara_rule: agile_net
- resource: behavioral1/memory/4192-206-0x0000020EE9AF0000-0x0000020EEA562000-memory.dmp, yara_rule: agile_net

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
- pid: 3528, pid_target: 2572, Process: WerFault.exe, procid_target: 96

System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: build.exe
- description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: XWormLoader.exe
- description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: XWormLoader.exe
- description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: crack.exe
- description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: crack.exe
- description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: crack.exe
- description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: XWorm V5.0.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- pid: 4520, Process: 7zFM.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
- description: Token: SeRestorePrivilege, pid: 4520, Process: 7zFM.exe
- description: Token: 35, pid: 4520, Process: 7zFM.exe
- description: Token: SeSecurityPrivilege, pid: 4520, Process: 7zFM.exe
- description: Token: SeDebugPrivilege, pid: 4192, Process: XWorm V5.0.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
- pid: 4520, Process: 7zFM.exe
- pid: 4520, Process: 7zFM.exe

Suspicious use of WriteProcessMemory (8 IoCs)
- description: PID 2532 wrote to memory of 3496, pid: 2532, Process: XWorm V5.0.exe, procid_target: 89
- description: PID 2532 wrote to memory of 3496, pid: 2532, Process: XWorm V5.0.exe, procid_target: 89
- description: PID 2532 wrote to memory of 3496, pid: 2532, Process: XWorm V5.0.exe, procid_target: 89
- description: PID 2532 wrote to memory of 4192, pid: 2532, Process: XWorm V5.0.exe, procid_target: 91
- description: PID 2532 wrote to memory of 4192, pid: 2532, Process: XWorm V5.0.exe, procid_target: 91
- description: PID 3824 wrote to memory of 2572, pid: 3824, Process: XWormLoader.exe, procid_target: 96
- description: PID 3824 wrote to memory of 2572, pid: 3824, Process: XWormLoader.exe, procid_target: 96
- description: PID 3824 wrote to memory of 2572, pid: 3824, Process: XWormLoader.exe, procid_target: 96
Processes
(process tree; child processes are indented under their parent, depth as reported by the sandbox)

C:\Program Files\7-Zip\7zFM.exe (PID 4520, depth 1)
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.rar"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\System32\rundll32.exe (PID 1416, depth 1)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\XWorm V5.0\crack.exe (PID 4160, depth 1)
  Command line: "C:\Users\Admin\Desktop\XWorm V5.0\crack.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

C:\Users\Admin\Desktop\XWorm V5.0\crack.exe (PID 4692, depth 1)
  Command line: "C:\Users\Admin\Desktop\XWorm V5.0\crack.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

C:\Users\Admin\Desktop\XWorm V5.0\crack.exe (PID 3288, depth 1)
  Command line: "C:\Users\Admin\Desktop\XWorm V5.0\crack.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

C:\Users\Admin\Desktop\XWorm V5.0\XWorm V5.0.exe (PID 2532, depth 1)
  Command line: "C:\Users\Admin\Desktop\XWorm V5.0\XWorm V5.0.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\build.exe (PID 3496, depth 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

    C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.exe (PID 4192, depth 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe (PID 3824, depth 1)
  Command line: "C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe (PID 2572, depth 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\WerFault.exe (PID 3528, depth 3)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 896
          - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 3412, depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2572 -ip 2572
Network
MITRE ATT&CK Enterprise v15
Downloads