Analysis Overview
SHA256
1648ca4e081c346db19b9cb6f93cdbc7b3c607c48ccb5e663aef2f6f595a81a6
Threat Level: Likely benign
The file XWorm.exe was found to be: Likely benign.
Malicious Activity Summary
Unsigned PE
System Location Discovery: System Language Discovery
Checks SCSI registry key(s)
Checks processor information in registry
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-27 20:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-27 20:52
Reported
2025-01-27 20:55
Platform
win7-20241023-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Processes
C:\Users\Admin\AppData\Local\Temp\XWorm.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
Files
memory/684-0-0x0000000074B3E000-0x0000000074B3F000-memory.dmp
memory/684-1-0x0000000001390000-0x0000000001A8A000-memory.dmp
memory/684-2-0x0000000074B30000-0x000000007521E000-memory.dmp
memory/684-5-0x0000000074B30000-0x000000007521E000-memory.dmp
memory/684-6-0x0000000074B3E000-0x0000000074B3F000-memory.dmp
memory/684-7-0x0000000074B30000-0x000000007521E000-memory.dmp
memory/684-8-0x0000000074B30000-0x000000007521E000-memory.dmp
memory/684-9-0x0000000074B30000-0x000000007521E000-memory.dmp
memory/684-12-0x0000000074B30000-0x000000007521E000-memory.dmp
memory/2700-13-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2700-14-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2700-15-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2700-16-0x0000000140000000-0x00000001405E8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-27 20:52
Reported
2025-01-27 20:55
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Temp\XWorm.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Processes
C:\Users\Admin\AppData\Local\Temp\XWorm.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x4b0
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
Files
memory/4240-0-0x0000000074F9E000-0x0000000074F9F000-memory.dmp
memory/4240-1-0x0000000000B80000-0x000000000127A000-memory.dmp
memory/4240-2-0x0000000005B20000-0x0000000005BBC000-memory.dmp
memory/4240-3-0x0000000006170000-0x0000000006714000-memory.dmp
memory/4240-4-0x0000000005C60000-0x0000000005CF2000-memory.dmp
memory/4240-5-0x0000000005BD0000-0x0000000005BDA000-memory.dmp
memory/4240-6-0x0000000074F90000-0x0000000075740000-memory.dmp
memory/4240-7-0x0000000005D00000-0x0000000005D56000-memory.dmp
memory/4240-10-0x0000000009A30000-0x0000000009A96000-memory.dmp
memory/4240-11-0x0000000074F90000-0x0000000075740000-memory.dmp
memory/4240-12-0x0000000074F90000-0x0000000075740000-memory.dmp
memory/4240-13-0x0000000074F9E000-0x0000000074F9F000-memory.dmp
memory/4240-14-0x0000000074F90000-0x0000000075740000-memory.dmp
memory/4240-15-0x0000000074F90000-0x0000000075740000-memory.dmp
memory/4240-18-0x0000000074F90000-0x0000000075740000-memory.dmp
memory/4240-20-0x0000000074F90000-0x0000000075740000-memory.dmp
memory/1628-21-0x000001851D790000-0x000001851D791000-memory.dmp
memory/1628-22-0x000001851D790000-0x000001851D791000-memory.dmp
memory/1628-23-0x000001851D790000-0x000001851D791000-memory.dmp
memory/1628-33-0x000001851D790000-0x000001851D791000-memory.dmp
memory/1628-32-0x000001851D790000-0x000001851D791000-memory.dmp
memory/1628-31-0x000001851D790000-0x000001851D791000-memory.dmp
memory/1628-30-0x000001851D790000-0x000001851D791000-memory.dmp
memory/1628-29-0x000001851D790000-0x000001851D791000-memory.dmp
memory/1628-28-0x000001851D790000-0x000001851D791000-memory.dmp
memory/1628-27-0x000001851D790000-0x000001851D791000-memory.dmp