xworm | d3fe679fb3291ccb30e180bc23190e820dec0b357b7b39ab1999908261944d46 | Triage

Analysis

max time kernel
104s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2023, 22:24

Sharing

Report Analysis Logs

General

Target

bMOw.exe
Size

34KB
MD5

a362bfd18383f5536c46431fcc6aab63
SHA1

44ba9a386ffa7948f7eb7e0774f2fd4e17990f80
SHA256

d3fe679fb3291ccb30e180bc23190e820dec0b357b7b39ab1999908261944d46
SHA512

ce4660d0d87e4ba87a82e83c8bf975a821563e5dccbd09086bce180a2442a33b9b9294112f8f15b7921c583e5163d2aaadad985b6aedfa6eda2ad758bd7a215a
SSDEEP

768:sTcATS5Ity8aSNIOFM9JTIO9hnSAsRbyy:s42xLNrFM9JTIO91ARbF

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

C2

64.235.61.43:42069

Mutex

QhYokEqu4q6rkaPE

Attributes

install_file
USB.exe

aes.plain

Signatures

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1008	bMOw.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1008	bMOw.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1008	bMOw.exe

C:\Users\Admin\AppData\Local\Temp\bMOw.exe
"C:\Users\Admin\AppData\Local\Temp\bMOw.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1008-133-0x00000000006F0000-0x00000000006FE000-memory.dmp

Filesize
56KB

Download
memory/1008-134-0x000000001B490000-0x000000001B4A0000-memory.dmp

Filesize
64KB

Download
memory/1008-135-0x000000001B490000-0x000000001B4A0000-memory.dmp

Filesize
64KB

Download