Managed XDR

386926506 (XWorm) — malware analysis report

File info

Filename
386926506
File type
MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=115, ctime=Mon Jan 1 00:00:00 1601, mtime=Mon Jan 1 00:00:00 1601, atime=Mon Jan 1 00:00:00 1601, length=0, window=hidenormalshowminimized
File size
4.8 KB
First seen
Last seen

Environment

w10/x86 en

Hashes

SHA1
1c3f697d14a797f9415b9373e2961300d5674926
SHA256
250e00404b4b7dead69ecf9b0b4b63005579ea22fb74a9f0e70e73b06f64fceb
MD5
f1fe086276c936a1851c69f611cbc8eb

Malwares

  • XWorm

Signatures

Execution

T1059.001 suspicious_powershell: Creates suspicious powershell process
T1059.005 bad_vbs: Suspicious VBScript file
T1059.001 suspicious_process: Spawns a suspicious process
T1047 has_wmi: Executes one or several WMI requests

Privilege Escalation

T1055.002 inject_write_pe: Writes PE file to another process's memory
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1055 injection_failed: The attempt to inject into a process has failed

Defense Evasion

T1218 bypass_dev_utils: Executing .NET utility in a suspended state, potentially for injection
T1055.002 inject_write_pe: Writes PE file to another process's memory
T1497 debugs_self: Creates a process and debugs it
T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1055 injection_failed: The attempt to inject into a process has failed

Discovery

T1497 debugs_self: Creates a process and debugs it
T1497.003 antisandbox_idletime: Detects Windows Idle Time to determine the uptime
T1518.001 wmi_check_av: Uses WMI to check for installed antivirus software
T1082 has_wmi: Executes one or several WMI requests
T1518 locates_browser: Attempts to identify where browsers are installed
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)

Command and Control

T1071.001 network_cnc_http: Suspicious HTTP traffic
T1071.001 network_http: Performs HTTP requests

Exfiltration

T1022 encrypts_pc_info: Collects and encrypts information about the computer (possibly for exfiltration)

Other

yara_rules: Static rules
suricata_alert: Malicious traffic detected
ce_info: XWorm Configuration Data found
modifies_certs: Attempts to generate or modify system certificates
creates_exe: Creates executable files in the file system
network_powershell: Powershell process network connection detected
creates_suspended_process: Creates suspended process
writes_data: Writes big amount of data to disk

Related reports