Analysis Overview
SHA256
d4d60f2b5700a42ce59b0c449fe44532d08c81bc0aa1a68fd9f93eef1f42d4f7
Threat Level: Known bad
The file XWorm V5.0.rar was found to be: Known bad.
Malicious Activity Summary
Redline family
RedLine
RedLine payload
Contains code to disable Windows Defender
Loads dropped DLL
Executes dropped EXE
Obfuscated with Agile.Net obfuscator
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-18 20:40
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-18 20:40
Reported
2025-01-18 20:41
Platform
win11-20241007-en
Max time kernel
29s
Max time network
29s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm V5.0\crack.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm V5.0\crack.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm V5.0\crack.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm V5.0\XWorm V5.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\XWorm V5.0\crack.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\XWorm V5.0\crack.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\XWorm V5.0\crack.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\XWorm V5.0\XWorm V5.0.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.rar"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\XWorm V5.0\crack.exe
"C:\Users\Admin\Desktop\XWorm V5.0\crack.exe"
C:\Users\Admin\Desktop\XWorm V5.0\crack.exe
"C:\Users\Admin\Desktop\XWorm V5.0\crack.exe"
C:\Users\Admin\Desktop\XWorm V5.0\crack.exe
"C:\Users\Admin\Desktop\XWorm V5.0\crack.exe"
C:\Users\Admin\Desktop\XWorm V5.0\XWorm V5.0.exe
"C:\Users\Admin\Desktop\XWorm V5.0\XWorm V5.0.exe"
C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.exe"
C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe
"C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe"
C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe
"C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2572 -ip 2572
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 896
Network
| Country | Destination | Domain | Proto |
| NL | 45.15.156.127:23000 | tcp | |
| NL | 45.15.156.127:23000 | tcp | |
| NL | 45.15.156.127:23000 | tcp | |
| NL | 45.15.156.127:23000 | tcp | |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| NL | 45.15.156.127:23000 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\7zE8A15FAF7\XWorm V5.0\Icons\icon (15).ico
| MD5 | e3143e8c70427a56dac73a808cba0c79 |
| SHA1 | 63556c7ad9e778d5bd9092f834b5cc751e419d16 |
| SHA256 | b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188 |
| SHA512 | 74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc |
C:\Users\Admin\Desktop\XWorm V5.0\crack.exe
| MD5 | e5fb57e8214483fd395bd431cb3d1c4b |
| SHA1 | 60e22fc9e0068c8156462f003760efdcac82766b |
| SHA256 | e389fc5782f754918a10b020adcd8faa11c25658b8d6f8cbc49f9ac3a7637684 |
| SHA512 | dc2ed0421db7dd5a3afeacb6a9f5017c97fc07d0b2d1745b50ede50087a58245d31d6669077a672b32541dbfa233ef87260a37be48de3bd407d8c587fc903d89 |
memory/4160-158-0x0000000001620000-0x0000000001676000-memory.dmp
memory/4160-162-0x00000000746AE000-0x00000000746AF000-memory.dmp
memory/4160-163-0x00000000746A0000-0x0000000074E51000-memory.dmp
memory/4160-164-0x0000000006170000-0x0000000006788000-memory.dmp
memory/4160-165-0x0000000005B80000-0x0000000005B92000-memory.dmp
memory/4160-166-0x0000000005CB0000-0x0000000005DBA000-memory.dmp
memory/4160-167-0x0000000005BE0000-0x0000000005C1C000-memory.dmp
memory/4160-168-0x0000000005C40000-0x0000000005C8C000-memory.dmp
memory/4692-170-0x0000000001030000-0x0000000001086000-memory.dmp
memory/3288-175-0x00000000011C0000-0x0000000001216000-memory.dmp
C:\Users\Admin\Desktop\XWorm V5.0\XWorm V5.0.exe
| MD5 | 5c945d21d2c9fe2586f55d4b69f14d9c |
| SHA1 | 40b4b68f56abcf112eed0af86891839fc13ee94c |
| SHA256 | 765fc3f5d7ca205f45e8f64f16e4157af78c5105f849afd8d896fbe7671d036f |
| SHA512 | 83be65f24f3bbc3b21217f5de32dc5d2768bd6763bd7e209be47f41cdb2594e8279b7202458eff57b3d70d02f065a8813da3d1f9d72195856873aafdb2ff995b |
memory/4160-182-0x00000000746AE000-0x00000000746AF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XWorm V5.0.exe
| MD5 | 227494b22a4ee99f48a269c362fd5f19 |
| SHA1 | d32d08cf93d7f9450aee7e1e6c39d9d83b9a35c9 |
| SHA256 | 7471ff7818da2e044caf5bd89725b6283ed0304453c18a0490d6341f3a010ca2 |
| SHA512 | 71070e6b8042fa262ce12721e6c09104aec0a61ac0d6022f59f838077109b9476a5c1f8409242d93888eff6d36f0ee76337481fefe6f05e0f1243efbf350bee0 |
memory/2532-201-0x0000000000400000-0x0000000000F17000-memory.dmp
memory/3496-202-0x0000000001240000-0x0000000001296000-memory.dmp
memory/4192-206-0x0000020EE9AF0000-0x0000020EEA562000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CE8806DA1EF0F1BB553DFF4FC5E9FCCD\CE8806DA1EF0F1BB553DFF4FC5E9FCCD.dll
| MD5 | a239b7cac8be034a23e7e231d3bcc6df |
| SHA1 | ae3c239a17c2b4b4d2fba1ec862cf9644bf1346d |
| SHA256 | 063099408fd5fb10a7ea408a50b7fb5da1c36accc03b9b31c933df54385d32b8 |
| SHA512 | c79a2b08f7e95d49a588b1f41368f0dd8d4cd431ad3403301e4d30826d3df0907d01b28ef83116ad6f035218f06dbdf63a0f4f2f9130bba1b0b7e58f9fc67524 |
memory/4160-214-0x00000000746A0000-0x0000000074E51000-memory.dmp
memory/4192-215-0x0000020EED410000-0x0000020EEDFC6000-memory.dmp
C:\Users\Admin\Desktop\XWorm V5.0\XWormLoader.exe
| MD5 | e8e0065b1cade61de10069945bd335fa |
| SHA1 | 5076539e3ff6c7daa4af5c5abce274e3d8efb1d6 |
| SHA256 | 498063df1a178cf85f89062cdeca2a8f26cd93ff90d246e027d58f8972868303 |
| SHA512 | b89dee4c730480e9283759ec94e2d58c76e187e914af6382b1c630a549546bf979c1f36d751e51d32f6fc3468a382ac92a0947e05eb0f7f187b341b2d9f908cb |
C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe
| MD5 | 39d81ca537ceb52632fbb2e975c3ee2f |
| SHA1 | 0a3814bd3ccea28b144983daab277d72313524e4 |
| SHA256 | 76c4d61afdebf279316b40e1ca3c56996b16d760aa080d3121d6982f0e61d8e7 |
| SHA512 | 18f7acf9e7b992e95f06ab1c96f017a6e7acde36c1e7c1ff254853a1bfcde65abcdaa797b36071b9349e83aa2c0a45c6dfb2d637c153b53c66fc92066f6d4f9a |
memory/3824-228-0x0000000000400000-0x00000000004B2000-memory.dmp
memory/2572-230-0x00000000003D0000-0x00000000003EE000-memory.dmp