Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
06-02-2025 00:57
General
-
Target
XWorm V5.6 PAID.7z
-
Size
29.0MB
-
MD5
0ea984ec2d550a4205fabd911f973a6c
-
SHA1
71307409e69eb60fe612315e09d4109f91cf23c9
-
SHA256
6b7c8ac18f492b4536307f4680cd40a9990bafc716d451575ba46c124c3f07b9
-
SHA512
7bdb043850bbc32d41872b4090426e2193582b139e8be25972b25b9f9fe3a1c54e089a5738a78a804211031a010b8e9a6bd8d983cb534fb34d4a0f87e9484eba
-
SSDEEP
786432:WqVzpgbD+4aZ/INeMVKyBMtD2Op14tMIADxrHLfygiw:dgbD+XtFMVKyGUuI4ZHLfyK
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 16 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm V5.6 PAID.7z"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\XWorm V5.3 Bin\XWorm V5.3 Optimized Bin\XWorm V5.3.exe"C:\Users\Admin\Desktop\XWorm V5.3 Bin\XWorm V5.3 Optimized Bin\XWorm V5.3.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd31af3cb8,0x7ffd31af3cc8,0x7ffd31af3cd83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,2891559457444459813,12772239635276013005,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,2891559457444459813,12772239635276013005,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,2891559457444459813,12772239635276013005,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2891559457444459813,12772239635276013005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2891559457444459813,12772239635276013005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2891559457444459813,12772239635276013005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,2891559457444459813,12772239635276013005,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,2891559457444459813,12772239635276013005,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2891559457444459813,12772239635276013005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2891559457444459813,12772239635276013005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2891559457444459813,12772239635276013005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2891559457444459813,12772239635276013005,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2891559457444459813,12772239635276013005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2891559457444459813,12772239635276013005,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,2891559457444459813,12772239635276013005,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4816 /prefetch:23⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools2⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd31af3cb8,0x7ffd31af3cc8,0x7ffd31af3cd83⤵
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\XWorm V5.3 Bin\XWorm V5.3 Optimized Bin\Readme.txt1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5051a939f60dced99602add88b5b71f58
SHA1a71acd61be911ff6ff7e5a9e5965597c8c7c0765
SHA2562cff121889a0a77f49cdc4564bdd1320cf588c9dcd36012dbc3669cf73015d10
SHA512a9c72ed43b895089a9e036aba6da96213fedd2f05f0a69ae8d1fa07851ac8263e58af86c7103ce4b4f9cfe92f9c9d0a46085c066a54ce825ef53505fdb988d1f
-
Filesize
152B
MD5003b92b33b2eb97e6c1a0929121829b8
SHA16f18e96c7a2e07fb5a80acb3c9916748fd48827a
SHA2568001f251d5932a62bfe17b0ba3686ce255ecf9adb95a06ecb954faa096be3e54
SHA51218005c6c07475e6dd1ec310fe511353381cf0f15d086cf20dc6ed8825c872944185c767f80306e56fec9380804933aa37a8f12c720398b4b3b42cb216b41cf77
-
Filesize
72B
MD5665408e2dbab96d81520730bd3f65896
SHA17b0c2bc3035a83a0d34dfb8adb143a8cc41c8463
SHA256fda6460bd6f77819df8f7318dd46d414ac82fe9d7f3b34a19788736ee12dda11
SHA51233b8f6a6db4d670a64fe811e6b4a5de8ca945371937b3e4f52f2cac2cb881bc1a918eac3b81c1f290caa5a994bfd9e231474c41bede5c43ba3eb24db9a3f4ebe
-
Filesize
442B
MD5b70b78518c8789a378fb9e735de510cb
SHA13301bfa0ab97944c7d9fc73c3041bb3150b40a93
SHA2567cab450c514e65131baab35ebbf6bcb48ca92e601c2cfda750c7a7582ff4e16c
SHA5124cc0c29c14d008f3f9f8783f930226ca9600c77d08929775c10071085a588dd06c828b9bb5e3ffbc7d83d6a5438f693269233317dda41bdb1cdabf80f0bf8234
-
Filesize
6KB
MD5c25e43245b51f70341503e24fe7898f7
SHA18f7a74372078fa67552f9e462f8fabb1949c1f92
SHA256d091361f764d94d58d3b2a86b1d1449188be2e45920c1ca92754449cab911289
SHA5120da10ec565411ccd5c3f9c3ccff730d7b498392d067d1a743eccd2058fd44c25f907a3bf89ffcb5f583f4c6691fe8fcefd60e13e0ad4b1f7c7fec01800d00796
-
Filesize
5KB
MD5878782349239a65c9ba1d4f4ab8592b1
SHA11046d2f6576a98b1bd9e34833d2dd131749c5468
SHA256a133fca25911ba72bd4903505b5f6113d381d9b9e402712abf04407dae8eb0ae
SHA512ba44284e6acc8a341872c7f64c08ad0a670f4d7a6c47c2b961b003a6f474162ad66f0bf988493bf38395363a6c039b47bdf23d9e35fae1edfad497bc9a82429e
-
Filesize
6KB
MD59d6b2297a92f6e407312e9335966cdd5
SHA1a1db478b6831daecdbd92782d9a8917baf156a37
SHA256e55a33cac86cd048bb4414c612badda375fba2e6cf7c6dd3926cbbf59ff9b9b5
SHA512c4722ca724caf8acf2d09249771d46c99524f2dabc789be7dee058979ae3ddbdc0c46f8f58e3b5645e632318e52d14d60cfdab4d2b596c92bf629944828e5c9b
-
Filesize
538B
MD5e36d46c69024314e7eeee708e0354cca
SHA19aaef0e0aed958c4d79af2de6b3009e112b84b46
SHA256ef2ba3da14cbd7410cbfacca203ac125b01dff349a69719aa725419655560600
SHA512ddcf1902bcc392b96be54afa5d451db9a7ffeb84518e791e92007647a6a5a888f7a71b4be4e623e4a000ab0d7ef2cc7f402c9b4c1c8555e68197467c47838fbf
-
Filesize
538B
MD5f9a3551160909edbcfd5975a80907f48
SHA12777d281cad7c38ed40be2c4b2eb1ec3cf464701
SHA2563721607c6085c86c21d8a297de88cf71ea747c37225fe90d07c716185c25afaf
SHA512aefb228d34ac764eca184f74e20944f4c564ca36da5be16ec74122f4306170c9ba3e19d760461b54651a7432d80cf7d1e8940d4adc286bbc9cf2b7de8b7d19bb
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5542fadd9f1f553c6bc74c17b3c77243d
SHA1d4ceffefe32189d658f6debb901b008f1a24653f
SHA2560069c01ff825d360847521a7fb6a8a81e16687e02332e544f95484a892f9128e
SHA512c53ea37bd8d746a931d3ac69721dcc3046483c1e72be07a6b024a11b434edf69d112508d03fb9bf754e2ad93baf64d48a5d33c781cabb876aaeca175a367c56d
-
Filesize
10KB
MD563f7634dd31a50f7138c69219782f7df
SHA15b8f630574fbaaf400f47c87005dd2c167d78a3b
SHA256da8b00db643c8e117c0d6c3c660f8635707d1b84a129de1f8b8262bc202cc6fe
SHA512c1587a89f8efb8d42ae67b141d92d73527d77ff108a98ab462635b709fe1f6dc8efa1ae42ad5cee2509073d6dc890a766555efd730578e728e2c67e87b4509fa
-
Filesize
361KB
MD5e3143e8c70427a56dac73a808cba0c79
SHA163556c7ad9e778d5bd9092f834b5cc751e419d16
SHA256b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188
SHA51274e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc
-
Filesize
112KB
MD52f1a50031dcf5c87d92e8b2491fdcea6
SHA171e2aaa2d1bb7dbe32a00e1d01d744830ecce08f
SHA25647578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed
SHA5121c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8
-
Filesize
1.2MB
MD58ef41798df108ce9bd41382c9721b1c9
SHA11e6227635a12039f4d380531b032bf773f0e6de0
SHA256bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740
SHA5124c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b
-
Filesize
1.9MB
MD5bcc0fe2b28edd2da651388f84599059b
SHA144d7756708aafa08730ca9dbdc01091790940a4f
SHA256c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef
SHA5123bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8
-
Filesize
190B
MD5e388f90db8883175638a3f6180d68444
SHA1bb433eb2c51569624097172e339c9f9368f0372d
SHA256f10fd461b04f640b6940665b5f6ea4d1af954992c74978b71a21a58d8cdca3f3
SHA512b659fddd67a9142474e5bc0dd53b0a18a53ebfccfe8b3170d47eae0d9cc04fae867314e4fd8b537d235f7608d6aaa825329f2fcc07f64eb0650e48e1d6b54b88
-
Filesize
13.8MB
MD5897201dc6254281404ab74aa27790a71
SHA19409ddf7e72b7869f4d689c88f9bbc1bc241a56e
SHA256f41828bd13a3a85fdf7a1d688b21ce33d2015c3c5f46b4d92ab6ea8ea019e03a
SHA5122673cd7b927ffc22f3a4b4fbfcb1b4f576c416d67168e486e6d79fdd132129c9e244e36d7b7883a4a1ed51e993cc4384bf24f2fa3129584f2bd43fd16042de20
-
Filesize
183B
MD566f09a3993dcae94acfe39d45b553f58
SHA19d09f8e22d464f7021d7f713269b8169aed98682
SHA2567ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7
SHA512c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
2.0MB
-
Filesize
11.9MB
-
Filesize
10.8MB
-
Filesize
13.9MB
-
Filesize
8KB