Resubmissions

28/03/2025, 18:47

250328-xffqks1qx4 (score 10/10)

27/03/2025, 23:25

250327-3ea2la1rv5 (score 10/10)

Analysis

  • max time kernel
    40s
  • max time network
    37s
  • platform
    windows10-ltsc_2021_x64
  • resource
    win10ltsc2021-20250314-en
  • resource tags
    arch:x64, arch:x86, image:win10ltsc2021-20250314-en, locale:en-us, os:windows10-ltsc_2021-x64, system
  • submitted
    27/03/2025, 23:25

General

  • Target

    XWorm V5.3.7z

  • Size

    29.5MB

  • MD5

    9beb9885ff45fafcd599daa6878c6298

  • SHA1

    2f99bb2e16eb4140b96248d7092b6cf466afb1ab

  • SHA256

    a477aca2a30817273c6422a7378a28d7e1e46d13e99a8f84b978ef126cefa375

  • SHA512

    20c8a67c24a9b0a0e88f204b77d8cf40707f41115237b55cf1b6be01e0681f93256fadb84913323cbe0413e3d2d49a1058dd254c99c8f979a37705cdd6165062

  • SSDEEP

    786432:JfWIbeWlM/KrzeqOY0NoevqMlnkvlA/oUpxvgaRA+Xl7uPCZ6:JWICWVrDOHNooqMtkWwytlaA6

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Obfuscated with Agile.Net obfuscator (2 IoCs)

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm V5.3.7z"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2932
    • C:\Users\Admin\AppData\Local\Temp\7zO47B4A9D7\XWorm V5.2.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO47B4A9D7\XWorm V5.2.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:4452
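Note on the tree above: the five behaviour flags on PID 2932 belong to 7-Zip File Manager, which the sandbox used to open the archive, so on their own they say nothing about the sample; the interesting event is 7zFM.exe launching an executable straight out of its scratch directory (`...\Temp\7zO47B4A9D7\`), which is what PID 4452 shows. The following is an added detection example, not part of the sandbox report and not Triage's own signature logic. It runs over constructed Sysmon Event ID 1-style records modelled on the tree above; the `7zO` + 8-hex-digit directory pattern is generalised from the single path seen here, and the list of 7-Zip GUI binaries is an assumption.

```python
import re

# Executable launched from 7-Zip's per-open scratch directory. Generalised from
# the one path in the process tree above (...\AppData\Local\Temp\7zO47B4A9D7\
# XWorm V5.2.exe): "7zO" followed by 8 hex digits. 7-Zip uses other prefixes for
# other operations (e.g. 7zE, 7zS); widen the pattern if you want those as well.
SEVENZIP_SCRATCH_EXE = re.compile(
    r"\\AppData\\Local\\Temp\\7zO[0-9A-F]{8}\\[^\\]+\.(?:exe|scr|com|pif)$",
    re.IGNORECASE,
)
# 7-Zip GUI binaries that launch archive members on double-click (assumed list).
SEVENZIP_GUI = {"7zfm.exe", "7zg.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict):
    """Return (severity, reason) for one process-creation event, or (None, '')."""
    in_scratch = bool(SEVENZIP_SCRATCH_EXE.search(event["Image"]))
    parent = basename(event.get("ParentImage", ""))
    if in_scratch and parent in SEVENZIP_GUI:
        return "high", "7-Zip GUI launched an executable straight out of its scratch directory"
    if in_scratch:
        return "medium", "executable running from a 7-Zip scratch directory (parent is not 7-Zip)"
    return None, ""


def scan(events):
    """Run classify() over a list of events and return the hits in input order."""
    hits = []
    for ev in events:
        severity, reason = classify(ev)
        if severity:
            hits.append({"pid": ev["ProcessId"], "severity": severity,
                         "image": ev["Image"], "reason": reason})
    return hits


# Constructed records modelled on the process tree above. PIDs 2932 and 4452
# mirror the report; the other two are invented benign and borderline cases.
SAMPLE_EVENTS = [
    {"ProcessId": 2932, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\7-Zip\7zFM.exe",
     "CommandLine": r'"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\XWorm V5.3.7z"'},
    {"ProcessId": 4452, "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe",
     "Image": r"C:\Users\Admin\AppData\Local\Temp\7zO47B4A9D7\XWorm V5.2.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\7zO47B4A9D7\XWorm V5.2.exe"'},
    # benign: a document opened from the same archive goes to its viewer, whose
    # image is not inside the scratch directory
    {"ProcessId": 5100, "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe",
     "Image": r"C:\Program Files\Viewer\viewer.exe",
     "CommandLine": r'"C:\Program Files\Viewer\viewer.exe" "C:\Users\Admin\AppData\Local\Temp\7zO47B4A9D7\readme.pdf"'},
    # borderline: something later re-runs a binary left behind in a scratch directory
    {"ProcessId": 6200, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\Admin\AppData\Local\Temp\7zO1A2B3C4D\update.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\7zO1A2B3C4D\update.exe"'},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"[{hit['severity']}] pid={hit['pid']} {hit['image']}: {hit['reason']}")
```

The rule keys on the child's image path rather than on the parent's command line, so a user merely viewing a document from the archive (PID 5100 in the sample) does not fire; the "medium" tier catches binaries re-launched later from a leftover scratch directory, which is worth a look but is not the double-click-from-archive pattern seen in this report.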

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7zO47B4A9D7\XWorm V5.2.exe

    Filesize

    13.8MB

    MD5

    897201dc6254281404ab74aa27790a71

    SHA1

    9409ddf7e72b7869f4d689c88f9bbc1bc241a56e

    SHA256

    f41828bd13a3a85fdf7a1d688b21ce33d2015c3c5f46b4d92ab6ea8ea019e03a

    SHA512

    2673cd7b927ffc22f3a4b4fbfcb1b4f576c416d67168e486e6d79fdd132129c9e244e36d7b7883a4a1ed51e993cc4384bf24f2fa3129584f2bd43fd16042de20

  • C:\Users\Admin\AppData\Local\Temp\RFZzY\RFZzY.dll

    Filesize

    112KB

    MD5

    2f1a50031dcf5c87d92e8b2491fdcea6

    SHA1

    71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f

    SHA256

    47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed

    SHA512

    1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8

  • memory/4452-15-0x00007FFEF9F63000-0x00007FFEF9F65000-memory.dmp

    Filesize

    8KB

  • memory/4452-16-0x000002088FEE0000-0x0000020890CBE000-memory.dmp

    Filesize

    13.9MB

  • memory/4452-24-0x00007FFEF9F60000-0x00007FFEFAA22000-memory.dmp

    Filesize

    10.8MB

  • memory/4452-25-0x00000208AC1E0000-0x00000208ACDCC000-memory.dmp

    Filesize

    11.9MB

  • memory/4452-26-0x00007FFEF9F60000-0x00007FFEFAA22000-memory.dmp

    Filesize

    10.8MB
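The memory dump names above encode the process, a sequence number and the virtual address range that was dumped, so the stated Filesize can be recomputed from the range and the regions can be related to each other (region 15 lies inside region 24, and regions 24 and 26 are the same range dumped twice). The parser below is an added example, not part of the report or of Triage's tooling; the field meanings are inferred from the names on this page, and the KiB/MiB rounding is chosen to reproduce the Filesize lines shown above.

```python
import re
from dataclasses import dataclass

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, as used in the Downloads
# section above. Field meanings are inferred from those names (assumption).
DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


@dataclass(frozen=True)
class Region:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start

    def same_range(self, other: "Region") -> bool:
        return (self.start, self.end) == (other.start, other.end)

    def contains(self, other: "Region") -> bool:
        return self.start <= other.start and other.end <= self.end


def parse_dump_name(name: str) -> Region:
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    region = Region(int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16))
    if region.size <= 0 or region.start % 0x1000:
        # a dump must cover at least one page and start page-aligned
        raise ValueError(f"implausible range in {name!r}")
    return region


def human_size(n: int) -> str:
    """Round the way the report's Filesize lines do: KiB/MiB, one decimal above 1 MiB."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n / 1024:.0f}KB"


# Dump names and stated sizes copied from the Downloads section of this report.
REPORT_DUMPS = {
    "memory/4452-15-0x00007FFEF9F63000-0x00007FFEF9F65000-memory.dmp": "8KB",
    "memory/4452-16-0x000002088FEE0000-0x0000020890CBE000-memory.dmp": "13.9MB",
    "memory/4452-24-0x00007FFEF9F60000-0x00007FFEFAA22000-memory.dmp": "10.8MB",
    "memory/4452-25-0x00000208AC1E0000-0x00000208ACDCC000-memory.dmp": "11.9MB",
    "memory/4452-26-0x00007FFEF9F60000-0x00007FFEFAA22000-memory.dmp": "10.8MB",
}


def check_dumps(dumps: dict) -> dict:
    """Parse each name, compare the computed size with the stated one, and relate
    the regions to each other (identical ranges, one range inside another)."""
    regions = [parse_dump_name(n) for n in dumps]
    stated = {r.seq: dumps[n] for n, r in zip(dumps, regions)}
    out = {}
    for r in regions:
        out[r.seq] = {
            "pid": r.pid,
            "size": r.size,
            "size_ok": human_size(r.size) == stated[r.seq],
            "same_as": sorted(o.seq for o in regions if o is not r and o.same_range(r)),
            "inside": sorted(o.seq for o in regions
                             if o is not r and not o.same_range(r) and o.contains(r)),
        }
    return out


if __name__ == "__main__":
    for seq, info in sorted(check_dumps(REPORT_DUMPS).items()):
        print(seq, hex(info["size"]),
              "size matches" if info["size_ok"] else "SIZE MISMATCH",
              "same as", info["same_as"], "inside", info["inside"])
```

Knowing which dumps overlap saves time when triaging: the two 10.8MB dumps of `0x00007FFEF9F60000-0x00007FFEFAA22000` are one region captured at two points, and the 8KB dump is a slice of it, so there are three distinct regions to look at for PID 4452, not five.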