xworm | 001e2be0b431a33fbc7d0eb1fabd07d5c1cdba26ebef12e85b2a7ba58bdd995c

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
06/10/2023, 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bLYU.exe
Size

56KB
MD5

99ac1041885d76a382b9a79e8c6cfe81
SHA1

1e32ee6a17e9526d41832177ed2d765fac9b8753
SHA256

001e2be0b431a33fbc7d0eb1fabd07d5c1cdba26ebef12e85b2a7ba58bdd995c
SHA512

55158c15a94735bf2ad80d70ce255c55d5a08749ae0596229f7e27878a22add8c191d8e69c866f6d98270b3332ee8c3cde60ee7cfdc502dcd38c74fe844ce754
SSDEEP

768:cFhVBuPWuUzEbOszEaN9B+7Bpe3GnAZQgS1m2LRRqsEbGlYFer7wiJncDqjP619s:nbOsQzBQ3GQQZ1TffEbGyC7wkn2O7nV

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

3.0

18.231.156.119:7000

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/1444-0-0x0000000000C50000-0x0000000000C64000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bLYU.lnk	bLYU.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bLYU.lnk	bLYU.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
35	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1444	bLYU.exe

C:\Users\Admin\AppData\Local\Temp\bLYU.exe
"C:\Users\Admin\AppData\Local\Temp\bLYU.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1444-0-0x0000000000C50000-0x0000000000C64000-memory.dmp

Filesize
80KB

Download
memory/1444-1-0x00007FF8AF640000-0x00007FF8B0101000-memory.dmp

Filesize
10.8MB

Download
memory/1444-2-0x000000001B8F0000-0x000000001B900000-memory.dmp

Filesize
64KB

Download
memory/1444-7-0x00007FF8AF640000-0x00007FF8B0101000-memory.dmp

Filesize
10.8MB

Download
memory/1444-8-0x000000001B8F0000-0x000000001B900000-memory.dmp

Filesize
64KB

Download