Overview

overview

10

Static

static

10

XWorm v1.0.zip

windows11-21h2-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    105s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250313-en
  • resource tags

    arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    25/03/2025, 20:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XWorm v1.0.zip

  • Size

    25.3MB

  • MD5

    e93bff8706dee344a0aefe6077d3e615

  • SHA1

    b97a1ac869ed1ac447f1eb1424c82f357b6597e9

  • SHA256

    7126a0b0380193a8ff12dc6151167431e54338763ea5b66bf0734308ce7d5432

  • SHA512

    acc00dc330efee9e17d4e85bf43c158c5840bccb4e4dd40fd376fc308599133669654e4ce5f123105221e6a428aac828fe27886eb677bdd0b58ac58e4331d289

  • SSDEEP

    786432:XhE6wL3UILQNWxg1heldC9HrS6TfYR071e:XhV8jQNWxgnWdCVjfY271e

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\XWorm v1.0.zip"
    1⤵
      PID:3268
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2004
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\XWorm v1.0\" -spe -an -ai#7zMap5969:78:7zEvent26415
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:5748
      • C:\Users\Admin\Desktop\XWorm v1.0\XWorm.exe
        "C:\Users\Admin\Desktop\XWorm v1.0\XWorm.exe"
        1⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:5484
      • C:\Windows\system32\wbem\WmiApSrv.exe
        C:\Windows\system32\wbem\WmiApSrv.exe
        1⤵
          PID:4668
        • C:\Windows\system32\AUDIODG.EXE
          C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004BC
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:5412

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\Desktop\XWorm v1.0\GeoIP.dat
          Filesize

          1.2MB

          MD5

          8ef41798df108ce9bd41382c9721b1c9

          SHA1

          1e6227635a12039f4d380531b032bf773f0e6de0

          SHA256

          bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740

          SHA512

          4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

          Download Submit

        • C:\Users\Admin\Desktop\XWorm v1.0\Intro.wav
          Filesize

          319KB

          MD5

          232b04fb1abe851a5cbcf6dac970674f

          SHA1

          d687afa6507432ae377516e5f14d754f3cc8dc7b

          SHA256

          4c0e42c48b2d0944023ec9b45dfb88029d92bce5a4f30aa8064e6400bd9488d2

          SHA512

          7ec75d4e764af2962da3226df5e6e117c02e90049b5d0df25551adcbcb3cc430f85325d8f41dd87793795ef049c3c66f5669e3170e6cf3eb6952aa2446c90515

          Download Submit

        • C:\Users\Admin\Desktop\XWorm v1.0\XWorm.exe
          Filesize

          7.0MB

          MD5

          b5e57d5713ab3060045e7691a79b2eca

          SHA1

          ac5fa163fcce3c1c6a4701504aeb07167b17d524

          SHA256

          f76f04f10251e077a5471bac699e726b1c7310c9c3493d8a63f080bef723a409

          SHA512

          128ffc6a4ec86ba2f79924d42bad78a0b68ca52e059d2dd02704f876388296453c34355b44b5819101df48109294eb95ad0097f928f6f3ac21bb677834896cb5

          Download Submit

        • memory/5484-134-0x0000000000340000-0x0000000000A3A000-memory.dmp

          Filesize

          7.0MB

          Download

        • memory/5484-135-0x0000000005510000-0x00000000055AC000-memory.dmp

          Filesize

          624KB

          Download

        • memory/5484-137-0x00000000055B0000-0x0000000005642000-memory.dmp

          Filesize

          584KB

          Download

        • memory/5484-136-0x0000000005B60000-0x0000000006106000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/5484-138-0x00000000054D0000-0x00000000054DA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/5484-139-0x00000000057F0000-0x0000000005846000-memory.dmp

          Filesize

          344KB

          Download

        • memory/5484-140-0x0000000006C30000-0x0000000006C96000-memory.dmp

          Filesize

          408KB

          Download