xworm | ebf760dbfa32628221a5a902ffd7e98f560d181225e260ed4326aa36aa99f659

Analysis

max time kernel
2s
max time network
38s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 09:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SgrmBroker.exe
Size

771KB
MD5

bda31b88c53cee7ee196b15f4f6ed413
SHA1

ae530f0d0459cea03e6d362e6a88c066a60e31e6
SHA256

d4965411f163368758c151b7d90bccfebe2067f65472847701cc880d00e15bab
SHA512

5b34cd28d5a5dfca43e5f2d9cf7cc156aff344b2b2c5625dfd387d81a5755d8afcb09ae723c3d76ea08930a84f92f83e8c72afc011ec61c836c27edd2b47155f
SSDEEP

12288:NcREkD5DFr/cp9gxh/xiAa5HLL4UYUdcpc3RrC2H1VdPQz2XzUBWOKK1sS/78yrA:NcR1vUbXvdPS1WmsS/FM

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

Attributes

install_file
game.exe

Signatures

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral16/files/0x0007000000023223-8.dat	family_xworm
behavioral16/files/0x0007000000023223-40.dat	family_xworm
behavioral16/files/0x0007000000023223-39.dat	family_xworm
behavioral16/memory/1488-41-0x0000021646770000-0x00000216467C2000-memory.dmp	family_xworm
behavioral16/memory/1488-49-0x0000021646B60000-0x0000021646B76000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

C:\Users\Admin\AppData\Local\Temp\SgrmBroker.exe
"C:\Users\Admin\AppData\Local\Temp\SgrmBroker.exe"
1⤵
PID:1976
- C:\Users\Admin\MusNotify.exe
  "C:\Users\Admin\MusNotify.exe"
  2⤵
  PID:1488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\MusNotify.exe'
    3⤵
    PID:2972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MusNotify.exe'
    3⤵
    PID:2932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\MusNotify.exe'
    3⤵
    PID:2368

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{2777aaee-5883-4fc0-9336-631b7f787734}
1⤵
PID:4912

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4300

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:936

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2564

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\MusNotify.exe

Filesize
55KB

MD5
79a2210a5925d6310d9d482b5f85bcce

SHA1
2b73103ed1be608a5221273f7a159d2349f06928

SHA256
2ca0e8bd087581bd0681ff5e6a606193b30dba476cb2b716e35f4f09ea8f99c4

SHA512
b946dff86a920c3109c1d2a815cc8eb1493f1495212f190bc7ae78aee2ff7b056333fa3881371265f21f3249fc3cca81441555c77ece5fd20ce3cf0926f8bf86

Download Submit
C:\Users\Admin\MusNotify.exe

Filesize
87KB

MD5
ceb0f5cb1da01fab16624aa8a7842915

SHA1
aca76eafd674e2b37179d25cc49f43ecbad3dc45

SHA256
7b3e127602a19748c7e83166cf6f57ec41dfa5682246d21e78e05311d6a705af

SHA512
76284b854abc41055aaf0361e96f9852378cf4c762571c8316b9b1440ee453de266c8aca2918a1aa92d2fdf751d6a3ab6e1d48bc7ed3982c65850e628f6d7e99

Download Submit
C:\Users\Admin\MusNotify.exe

Filesize
138KB

MD5
3334ba88b2b6d535834ff13338b88155

SHA1
0fc5cf7e1290443a7886abd335c4c7b751c7a1c7

SHA256
fef258d5b6aa55d8d8ea627a2526e226283a30ea62f4ffb7564830d378d8ab8f

SHA512
16913ef4202b7166f39132108f026fd34d1bf0ed40b9e8cef9936c464fb6ddcce20275334a3a43ec05d0a3f2e04cbc433c201739367d584af125c3f2574d35a5

Download Submit
memory/60-81-0x000001EFDD820000-0x000001EFDD84A000-memory.dmp

Filesize
168KB

Download
memory/60-71-0x00007FF8225D0000-0x00007FF8225E0000-memory.dmp

Filesize
64KB

Download
memory/60-68-0x000001EFDD820000-0x000001EFDD84A000-memory.dmp

Filesize
168KB

Download
memory/404-85-0x000001FA214F0000-0x000001FA2151A000-memory.dmp

Filesize
168KB

Download
memory/404-76-0x000001FA214F0000-0x000001FA2151A000-memory.dmp

Filesize
168KB

Download
memory/404-78-0x00007FF8225D0000-0x00007FF8225E0000-memory.dmp

Filesize
64KB

Download
memory/540-86-0x0000016A9CEA0000-0x0000016A9CECA000-memory.dmp

Filesize
168KB

Download
memory/540-82-0x00007FF8225D0000-0x00007FF8225E0000-memory.dmp

Filesize
64KB

Download
memory/540-79-0x0000016A9CEA0000-0x0000016A9CECA000-memory.dmp

Filesize
168KB

Download
memory/616-114-0x00000179FC450000-0x00000179FC47A000-memory.dmp

Filesize
168KB

Download
memory/616-69-0x00007FF8625EF000-0x00007FF8625F0000-memory.dmp

Filesize
4KB

Download
memory/616-113-0x00007FF8225D0000-0x00007FF8225E0000-memory.dmp

Filesize
64KB

Download
memory/616-56-0x00000179FC420000-0x00000179FC443000-memory.dmp

Filesize
140KB

Download
memory/616-59-0x00000179FC450000-0x00000179FC47A000-memory.dmp

Filesize
168KB

Download
memory/616-64-0x00007FF8625ED000-0x00007FF8625EE000-memory.dmp

Filesize
4KB

Download
memory/616-58-0x00000179FC450000-0x00000179FC47A000-memory.dmp

Filesize
168KB

Download
memory/672-75-0x000001DFC7780000-0x000001DFC77AA000-memory.dmp

Filesize
168KB

Download
memory/672-61-0x000001DFC7780000-0x000001DFC77AA000-memory.dmp

Filesize
168KB

Download
memory/672-63-0x00007FF8225D0000-0x00007FF8225E0000-memory.dmp

Filesize
64KB

Download
memory/860-167-0x000001C504B30000-0x000001C504B5A000-memory.dmp

Filesize
168KB

Download
memory/860-92-0x00007FF8225D0000-0x00007FF8225E0000-memory.dmp

Filesize
64KB

Download
memory/860-90-0x000001C504B30000-0x000001C504B5A000-memory.dmp

Filesize
168KB

Download
memory/936-185-0x00007FF862550000-0x00007FF862745000-memory.dmp

Filesize
2.0MB

Download
memory/936-177-0x00000155A9D60000-0x00000155A9D8A000-memory.dmp

Filesize
168KB

Download
memory/952-93-0x000001C6B6860000-0x000001C6B688A000-memory.dmp

Filesize
168KB

Download
memory/952-96-0x00007FF8225D0000-0x00007FF8225E0000-memory.dmp

Filesize
64KB

Download
memory/956-83-0x00007FF8625EC000-0x00007FF8625ED000-memory.dmp

Filesize
4KB

Download
memory/956-70-0x00007FF8225D0000-0x00007FF8225E0000-memory.dmp

Filesize
64KB

Download
memory/956-65-0x000001FDB61D0000-0x000001FDB61FA000-memory.dmp

Filesize
168KB

Download
memory/956-77-0x000001FDB61D0000-0x000001FDB61FA000-memory.dmp

Filesize
168KB

Download
memory/1040-98-0x000001B7356B0000-0x000001B7356DA000-memory.dmp

Filesize
168KB

Download
memory/1040-110-0x000001B7356B0000-0x000001B7356DA000-memory.dmp

Filesize
168KB

Download
memory/1040-101-0x00007FF8225D0000-0x00007FF8225E0000-memory.dmp

Filesize
64KB

Download
memory/1204-104-0x00007FF8225D0000-0x00007FF8225E0000-memory.dmp

Filesize
64KB

Download
memory/1204-103-0x000002E7D9DA0000-0x000002E7D9DCA000-memory.dmp

Filesize
168KB

Download
memory/1224-107-0x000001C45F6F0000-0x000001C45F71A000-memory.dmp

Filesize
168KB

Download
memory/1224-109-0x00007FF8225D0000-0x00007FF8225E0000-memory.dmp

Filesize
64KB

Download
memory/1320-125-0x00007FF8225D0000-0x00007FF8225E0000-memory.dmp

Filesize
64KB

Download
memory/1320-121-0x00000179773D0000-0x00000179773FA000-memory.dmp

Filesize
168KB

Download
memory/1320-128-0x00000179773D0000-0x00000179773FA000-memory.dmp

Filesize
168KB

Download
memory/1344-124-0x000002B9103A0000-0x000002B9103CA000-memory.dmp

Filesize
168KB

Download
memory/1344-127-0x00007FF8225D0000-0x00007FF8225E0000-memory.dmp

Filesize
64KB

Download
memory/1352-133-0x000001AEF93D0000-0x000001AEF93FA000-memory.dmp

Filesize
168KB

Download
memory/1372-137-0x00000200D00A0000-0x00000200D00CA000-memory.dmp

Filesize
168KB

Download
memory/1424-143-0x000001DAAA590000-0x000001DAAA5BA000-memory.dmp

Filesize
168KB

Download
memory/1488-47-0x0000021660FB0000-0x0000021660FC0000-memory.dmp

Filesize
64KB

Download
memory/1488-118-0x00007FF8445E0000-0x00007FF8450A1000-memory.dmp

Filesize
10.8MB

Download
memory/1488-45-0x00007FF861C60000-0x00007FF861D1E000-memory.dmp

Filesize
760KB

Download
memory/1488-49-0x0000021646B60000-0x0000021646B76000-memory.dmp

Filesize
88KB

Download
memory/1488-44-0x00007FF862550000-0x00007FF862745000-memory.dmp

Filesize
2.0MB

Download
memory/1488-41-0x0000021646770000-0x00000216467C2000-memory.dmp

Filesize
328KB

Download
memory/1488-42-0x00007FF8445E0000-0x00007FF8450A1000-memory.dmp

Filesize
10.8MB

Download
memory/1488-43-0x0000021646BB0000-0x0000021646BEE000-memory.dmp

Filesize
248KB

Download
memory/1512-147-0x00000163ADC00000-0x00000163ADC2A000-memory.dmp

Filesize
168KB

Download
memory/1524-152-0x000001A5B9D30000-0x000001A5B9D5A000-memory.dmp

Filesize
168KB

Download
memory/1552-159-0x00000282541D0000-0x00000282541FA000-memory.dmp

Filesize
168KB

Download
memory/1620-163-0x0000024FEE690000-0x0000024FEE6BA000-memory.dmp

Filesize
168KB

Download
memory/1788-173-0x000001E6E8360000-0x000001E6E838A000-memory.dmp

Filesize
168KB

Download
memory/1864-192-0x0000028749BD0000-0x0000028749BFA000-memory.dmp

Filesize
168KB

Download
memory/1976-2-0x000001A11C390000-0x000001A11C3DC000-memory.dmp

Filesize
304KB

Download
memory/1976-111-0x000001A11C400000-0x000001A11C410000-memory.dmp

Filesize
64KB

Download
memory/1976-0-0x000001A11A7D0000-0x000001A11A83A000-memory.dmp

Filesize
424KB

Download
memory/1976-100-0x00007FF8445E0000-0x00007FF8450A1000-memory.dmp

Filesize
10.8MB

Download
memory/1976-4-0x000001A11C400000-0x000001A11C410000-memory.dmp

Filesize
64KB

Download
memory/1976-1-0x00007FF8445E0000-0x00007FF8450A1000-memory.dmp

Filesize
10.8MB

Download
memory/4912-52-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4912-53-0x00007FF861C60000-0x00007FF861D1E000-memory.dmp

Filesize
760KB

Download
memory/4912-54-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4912-50-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4912-51-0x00007FF862550000-0x00007FF862745000-memory.dmp

Filesize
2.0MB

Download
memory/4912-48-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4912-46-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads