Analysis
-
max time kernel
648s -
max time network
544s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250128-en -
resource tags
-
submitted
03-02-2025 14:29
General
-
Target
XWorm V5.3 Bin.7z
-
Size
29.0MB
-
MD5
0ea984ec2d550a4205fabd911f973a6c
-
SHA1
71307409e69eb60fe612315e09d4109f91cf23c9
-
SHA256
6b7c8ac18f492b4536307f4680cd40a9990bafc716d451575ba46c124c3f07b9
-
SHA512
7bdb043850bbc32d41872b4090426e2193582b139e8be25972b25b9f9fe3a1c54e089a5738a78a804211031a010b8e9a6bd8d983cb534fb34d4a0f87e9484eba
-
SSDEEP
786432:WqVzpgbD+4aZ/INeMVKyBMtD2Op14tMIADxrHLfygiw:dgbD+XtFMVKyGUuI4ZHLfyK
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm V5.3 Bin.7z"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\XWorm V5.3 Bin\XWorm V5.3 Optimized Bin\XWorm V5.3.exe"C:\Users\Admin\Desktop\XWorm V5.3 Bin\XWorm V5.3 Optimized Bin\XWorm V5.3.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ffd55c446f8,0x7ffd55c44708,0x7ffd55c447183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,5118925403478635652,6189084733194507462,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,5118925403478635652,6189084733194507462,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,5118925403478635652,6189084733194507462,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5118925403478635652,6189084733194507462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5118925403478635652,6189084733194507462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5118925403478635652,6189084733194507462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,5118925403478635652,6189084733194507462,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,5118925403478635652,6189084733194507462,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5118925403478635652,6189084733194507462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5118925403478635652,6189084733194507462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:13⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools2⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ffd55c446f8,0x7ffd55c44708,0x7ffd55c447183⤵
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD50e97a507db8325bbdef7b1fcadf06f86
SHA17782c07045983db5ad0e43939b0c47b5f8e68736
SHA2566f1f11f1f73b9c7c2e6866ea6759c409515884f382e22135c9ffde466accacb1
SHA51247f8687649252eaa47447c56d53377577cfaad1d1a329f26d90d4b6a2f60110e022f262e98f77c409990909ed442e95a3a144971bda607fbbf8c5c52ca9f3f79
-
Filesize
72B
MD59231c59ee5951f32ee643f862c55d9b2
SHA12f0721c4584bcdafd817da9bfc89408c1271e966
SHA256226386caa58ddb24c92f435de5ca2c6887702bf463bd088f33abc8a312794a87
SHA512e48b8cb076241b71c937cd645334bf09193ed684b5387fb4b01902b1d072f970731e2dfc779f41314ca318dd814215b92c38b1a99977e63492f957edd2f7b651
-
Filesize
442B
MD5993adf3c0968de025e0610148a801dbd
SHA1d5ca8b7521458a119dcb1af6242fcc0cfec5843b
SHA256fb530f5c5aa5977cf4eb7f89e782b6091cac0705d8cb7c029d1abb6c9c3d3c0a
SHA512a3230326bc5edbd94b9b70590c4d367aecbec8aac1973f27526d5cfa0f585b0c84843c737f9670b50d64457468c5f71690f6188c1525b14d96b6a57d8fa03feb
-
Filesize
6KB
MD516ac4941bb40df860c2d48f5a10464db
SHA1fdf3f3f4ce47498100532af2dbddc0c8bd399b4b
SHA256a809eb2ba6efabae43f0e5b68ca55f296e41acba1b516922dc26ff2651a06d5c
SHA512a879c30fa060c1fa9f2c84bfc4150d0dc014e497dd9b0c0babfd546ed2a6a02af646dfbd162deda20bdf4567503fc5a97670947a3469012762437d6bb8819eb6
-
Filesize
5KB
MD5d444c151981a94153b191e00068d4b9a
SHA1f21c26d2989fd2017b4b6d1c696d6b2f07b30832
SHA2565e255f8ae9249985a032ed97f2133c0def6d46fb7d36cdb12f51d20775ea0451
SHA512329338f4167df2c05003714922a7d0c337a913cc5ecc9e3d5a186b3eaf0c96f6225b684cf425ed82e42d2eede5282a30c95ff2606d4e29a84311f974163eb1e2
-
Filesize
24KB
MD5d3cf62a37a81b6be14f728094d525c2e
SHA1b1c8be3150bcaf51049fef0eb72f768a758fc819
SHA25606b7847ece8bb7a2f1c8be1a6aa465103596bdd975d23d0402311a3050e7fba6
SHA512cfa8051f430caabf620fdbbc954eb255e8020683ab3b3ba861430b8427e0662fd1826b72ae2abb29e0fa27e1eea301f123ae25d0a398120b347260d4a46d0380
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD500b87f6bf486d85ec963e9c7e2d60189
SHA15d6f0320f42eebda7c3ac75b16251d3dfda2f14b
SHA256f013b102e369a793b59944f9cb294a03c090675ab29c6c11d33e67a8bb28987c
SHA51204eb2229134acf2ddeae52091f63a06f6c20a2581e5d2869259fc092fdda6d310d6803d97469f3ed675b26ffc7758999447baa46a396851480817fed4a6fbf2a
-
Filesize
112KB
MD52f1a50031dcf5c87d92e8b2491fdcea6
SHA171e2aaa2d1bb7dbe32a00e1d01d744830ecce08f
SHA25647578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed
SHA5121c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8
-
Filesize
361KB
MD5e3143e8c70427a56dac73a808cba0c79
SHA163556c7ad9e778d5bd9092f834b5cc751e419d16
SHA256b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188
SHA51274e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc
-
Filesize
1.2MB
MD58ef41798df108ce9bd41382c9721b1c9
SHA11e6227635a12039f4d380531b032bf773f0e6de0
SHA256bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740
SHA5124c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b
-
Filesize
1.9MB
MD5bcc0fe2b28edd2da651388f84599059b
SHA144d7756708aafa08730ca9dbdc01091790940a4f
SHA256c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef
SHA5123bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8
-
Filesize
13.8MB
MD5897201dc6254281404ab74aa27790a71
SHA19409ddf7e72b7869f4d689c88f9bbc1bc241a56e
SHA256f41828bd13a3a85fdf7a1d688b21ce33d2015c3c5f46b4d92ab6ea8ea019e03a
SHA5122673cd7b927ffc22f3a4b4fbfcb1b4f576c416d67168e486e6d79fdd132129c9e244e36d7b7883a4a1ed51e993cc4384bf24f2fa3129584f2bd43fd16042de20
-
Filesize
183B
MD566f09a3993dcae94acfe39d45b553f58
SHA19d09f8e22d464f7021d7f713269b8169aed98682
SHA2567ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7
SHA512c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed
-
Filesize
11.9MB
-
Filesize
10.8MB
-
Filesize
2.0MB
-
Filesize
13.9MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
8KB