xworm | 546915e509d4f1c3a8b0f9d415ba3ade1b5095e1f69eef877e64f36203b4da67

Analysis

max time kernel
3s
max time network
30s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
07-01-2024 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Synapse X.exe
Size

39KB
MD5

dc4d4769d663fbf00bfe6d0e83f5f0ec
SHA1

bfb1de87f74d835aef883d131b5f12f7bc2db549
SHA256

1c4ce5bfffdd71630d23fe0cfbf1217d8b195db9899d2ca53ee1c89b0b25caa1
SHA512

efae356790fe1dfe557e6709b8f6b541b4cb43844735d9bd866f8f8e579e37342e69258b663cc1c08144c6fd10006b5b7482d6855711b85417ab9281c6286cc2
SSDEEP

768:0Q46ubAL+1XrjW6vXPcCQgoyfccJY2sJvo80F5Pi9j/k67OMhF3trQ:f46ubHXrjdPcCQzyBJY2cCF497k67OMS

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

TcK6iKFmjhETcMYi

Attributes

install_file
USB.exe
pastebin_url
https://pastebin.com/raw/RqgnZ1zk

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/748-0-0x0000000000800000-0x0000000000810000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	748	Synapse X.exe

C:\Users\Admin\AppData\Local\Temp\Synapse X.exe
"C:\Users\Admin\AppData\Local\Temp\Synapse X.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Synapse X.exe'
  2⤵
  PID:312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Synapse X.exe'
  2⤵
  PID:4268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/312-49-0x0000018A4C910000-0x0000018A4C920000-memory.dmp

Filesize
64KB

Download
memory/312-52-0x00007FFCD4CA0000-0x00007FFCD568C000-memory.dmp

Filesize
9.9MB

Download
memory/312-7-0x00007FFCD4CA0000-0x00007FFCD568C000-memory.dmp

Filesize
9.9MB

Download
memory/312-8-0x0000018A4C910000-0x0000018A4C920000-memory.dmp

Filesize
64KB

Download
memory/312-13-0x0000018A4CA20000-0x0000018A4CA96000-memory.dmp

Filesize
472KB

Download
memory/312-26-0x0000018A4C910000-0x0000018A4C920000-memory.dmp

Filesize
64KB

Download
memory/312-10-0x0000018A343D0000-0x0000018A343F2000-memory.dmp

Filesize
136KB

Download
memory/312-9-0x0000018A4C910000-0x0000018A4C920000-memory.dmp

Filesize
64KB

Download
memory/748-103-0x000000001B700000-0x000000001B710000-memory.dmp

Filesize
64KB

Download
memory/748-1-0x00007FFCD4CA0000-0x00007FFCD568C000-memory.dmp

Filesize
9.9MB

Download
memory/748-63-0x00007FFCD4CA0000-0x00007FFCD568C000-memory.dmp

Filesize
9.9MB

Download
memory/748-2-0x000000001B700000-0x000000001B710000-memory.dmp

Filesize
64KB

Download
memory/748-0-0x0000000000800000-0x0000000000810000-memory.dmp

Filesize
64KB

Download
memory/4268-60-0x0000013F7F6B0000-0x0000013F7F6C0000-memory.dmp

Filesize
64KB

Download
memory/4268-77-0x0000013F7F6B0000-0x0000013F7F6C0000-memory.dmp

Filesize
64KB

Download
memory/4268-57-0x00007FFCD4CA0000-0x00007FFCD568C000-memory.dmp

Filesize
9.9MB

Download
memory/4268-99-0x0000013F7F6B0000-0x0000013F7F6C0000-memory.dmp

Filesize
64KB

Download
memory/4268-102-0x00007FFCD4CA0000-0x00007FFCD568C000-memory.dmp

Filesize
9.9MB

Download
memory/4268-58-0x0000013F7F6B0000-0x0000013F7F6C0000-memory.dmp

Filesize
64KB

Download