Overview

overview

10

Static

static

10

XWorm V5.3....3.exe

windows7-x64

7

XWorm V5.3....3.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    42s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    26-01-2025 20:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XWorm V5.3 Bin/XWorm V5.3 Optimized Bin/XWorm V5.3.exe

  • Size

    13.8MB

  • MD5

    897201dc6254281404ab74aa27790a71

  • SHA1

    9409ddf7e72b7869f4d689c88f9bbc1bc241a56e

  • SHA256

    f41828bd13a3a85fdf7a1d688b21ce33d2015c3c5f46b4d92ab6ea8ea019e03a

  • SHA512

    2673cd7b927ffc22f3a4b4fbfcb1b4f576c416d67168e486e6d79fdd132129c9e244e36d7b7883a4a1ed51e993cc4384bf24f2fa3129584f2bd43fd16042de20

  • SSDEEP

    98304:rtktdI2TeowYNva0P6olJ93ipte/Giw56/gpeejzhAAsnQqHKrzzIRwG4saY6c2n:rGt3JwVFcV/Gp7jiwzYwENy3W

Score
7/10
agilenetdiscovery

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XWorm V5.3 Bin\XWorm V5.3 Optimized Bin\XWorm V5.3.exe
    "C:\Users\Admin\AppData\Local\Temp\XWorm V5.3 Bin\XWorm V5.3 Optimized Bin\XWorm V5.3.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://t.me/XCoderTools
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2752 CREDAT:275457 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1992

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    200916572eec0b9bb48076102dc9465b

    SHA1

    7000d41149c7c1ef25956192b5b4564b5ef2b208

    SHA256

    bf6d24f7f9ad8f74bc150fe9a7edcabf6c83fd71cd23b25831beabdc2311d509

    SHA512

    2a18243833c8b1820bc9c499897cc172d2d2ed43709792060a01e2284042e27e3302ed69e1411566c92d8a93ed30190723df3943abbd2860aeddf73286a57aa2

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    f9543504e1c2e522fae3e41ea70774cc

    SHA1

    759e661f42fb7dfce26e6eeab30367531e2a54d8

    SHA256

    6798e3e8294d252640f7effad61417192fc8df5265ea6e6f877c1e264fd4dfa9

    SHA512

    1ca853d0d05bb08de05c4e42e16c1c8ad0c38e0c215dd576dc9479b6a823a9bd5e295e2a0f2c4825d584271290bc5356e6187a479bc89913cd084f3eb418c617

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    89eadf23d6a0c41ff27934eb900b0113

    SHA1

    0780a493516e19f0ca2b7482b513cd98c5551884

    SHA256

    1102c76e9261202c9fd4d2cb601d4606bd7683b194b3239e131886709f0bcf51

    SHA512

    4707ef83896a9fcbf039d5ba25a7127593804ef7dd67242f438330925b02c9692b0b2e229c84910b4bd6056a26bedffd17e41e8ad75eb28bcc8f415d0ff86812

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    f27b3c12514f48c79dd93003d859bb12

    SHA1

    5556c596462c9c4bece753e3124c66c20a2a4f1f

    SHA256

    3c334d8e7d3b30c8ec2cd9dac6de501e640a99a42e93b013dd474912864c1ff5

    SHA512

    1cb61d700bc0860878dc2adbaf34ee8066dfe30f4a3d1b0bfa7af2c80efc6e269835ba6301a5f655e25d886d200541f8b6eb462ff2ebfb2c5d1812eacadaa6fb

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    6b34b84a7b71eaf5ac7a11909fe9ac95

    SHA1

    4265f58bb3063828fbd111fc2bf7725df1f1150d

    SHA256

    86fc6d6df8dc61ccd4c9d282f3a1fc15ad7bac76a839c86a1f9aba75a5222095

    SHA512

    0a07cbe6d8df0f3ae9ab8c3945570a1179ff84eb0ecc17b309a0aa08e3588b49fc9b8e79d368abbf4be46b49ea773cf21a5235533ea37223ef89b4a9653cd0ea

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    89049404e134fc5f3b601622f9a44b82

    SHA1

    1d4a7a7024872b86b1d17a5261b86f7f5c018eb2

    SHA256

    7ce3d005530adf25a9f5a5c4ff3fdb8882f2f2e36da2cfcea212a1b7cd6ed271

    SHA512

    d0f6771ce437b01f883f10129911b8753ae88fed268cebd1d81f748a89405c5383c6bf3adc56d75f685a0be316cd954b9bd160c337151fd97441c74115e9e865

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    694c8fc79f5edc5dea607c1d7526789b

    SHA1

    cf3a75200e16354b89fc9edad875c75f9877767b

    SHA256

    13adf1b5799f5159571100a068245f67fdeab7bef68869f6015a612fd03d1666

    SHA512

    3d24103268b8868835b3684b7baad4b08d439aad9780a04959c4f4a752e31cf60b0692ad2a25b99c04d7fee62bcbb80322b89e2e51de80b31af44445db31688b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab7CC1.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar7D31.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • \Users\Admin\AppData\Local\Temp\RFZzY\RFZzY.dll
    Filesize

    112KB

    MD5

    2f1a50031dcf5c87d92e8b2491fdcea6

    SHA1

    71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f

    SHA256

    47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed

    SHA512

    1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8

    Download Submit

  • memory/2016-9-0x000000001CF80000-0x000000001DB6C000-memory.dmp

    Filesize

    11.9MB

    Download

  • memory/2016-13-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2016-12-0x000007FEF5D23000-0x000007FEF5D24000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2016-11-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2016-10-0x000000001DC70000-0x000000001DE64000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2016-0-0x000007FEF5D23000-0x000007FEF5D24000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2016-8-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2016-1-0x0000000000870000-0x000000000164E000-memory.dmp

    Filesize

    13.9MB

    Download