xworm | 50ea565937518de1685c92f332fffc1bc37a78b3e79e033c9f386ed5cd641bbc

Analysis

max time kernel
117s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06-04-2024 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87fcd72d5a220af7e19b13236a28a6258e38cf6040f03cdb7fff46d98f01b0b1.exe
Size

142KB
MD5

c00217935070f3582e3e7352f9d4b33a
SHA1

a4a01d96f20c1858b2327d3cc42d9633e0c9c715
SHA256

87fcd72d5a220af7e19b13236a28a6258e38cf6040f03cdb7fff46d98f01b0b1
SHA512

89e90e99ffd9a35512e44dd83a9dc7bbab213fa6ad6758dd11225a4615ee165e757d71057e3e6c21198120babbeee46e5217ff05494229f8ab602c5d71c1e190
SSDEEP

3072:kglFIo1nWg7NBWM8kWCZRTdkS6I81QcLLP9JurW2N8BJ:dlF2gjTdoLz9CW

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

107.150.19.19:7000

Mutex

xX4ZsXt0UfSKdG38

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/memory/2004-8-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2004-9-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2004-12-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2004-14-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
behavioral1/memory/2004-16-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2748 set thread context of 2004	2748	87fcd72d5a220af7e19b13236a28a6258e38cf6040f03cdb7fff46d98f01b0b1.exe	28

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	RegAsm.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2004	2748	87fcd72d5a220af7e19b13236a28a6258e38cf6040f03cdb7fff46d98f01b0b1.exe	28
PID 2748 wrote to memory of 2004	2748	87fcd72d5a220af7e19b13236a28a6258e38cf6040f03cdb7fff46d98f01b0b1.exe	28
PID 2748 wrote to memory of 2004	2748	87fcd72d5a220af7e19b13236a28a6258e38cf6040f03cdb7fff46d98f01b0b1.exe	28
PID 2748 wrote to memory of 2004	2748	87fcd72d5a220af7e19b13236a28a6258e38cf6040f03cdb7fff46d98f01b0b1.exe	28
PID 2748 wrote to memory of 2004	2748	87fcd72d5a220af7e19b13236a28a6258e38cf6040f03cdb7fff46d98f01b0b1.exe	28
PID 2748 wrote to memory of 2004	2748	87fcd72d5a220af7e19b13236a28a6258e38cf6040f03cdb7fff46d98f01b0b1.exe	28
PID 2748 wrote to memory of 2004	2748	87fcd72d5a220af7e19b13236a28a6258e38cf6040f03cdb7fff46d98f01b0b1.exe	28
PID 2748 wrote to memory of 2004	2748	87fcd72d5a220af7e19b13236a28a6258e38cf6040f03cdb7fff46d98f01b0b1.exe	28
PID 2748 wrote to memory of 2004	2748	87fcd72d5a220af7e19b13236a28a6258e38cf6040f03cdb7fff46d98f01b0b1.exe	28
PID 2748 wrote to memory of 2004	2748	87fcd72d5a220af7e19b13236a28a6258e38cf6040f03cdb7fff46d98f01b0b1.exe	28
PID 2748 wrote to memory of 2004	2748	87fcd72d5a220af7e19b13236a28a6258e38cf6040f03cdb7fff46d98f01b0b1.exe	28
PID 2748 wrote to memory of 2004	2748	87fcd72d5a220af7e19b13236a28a6258e38cf6040f03cdb7fff46d98f01b0b1.exe	28

C:\Users\Admin\AppData\Local\Temp\87fcd72d5a220af7e19b13236a28a6258e38cf6040f03cdb7fff46d98f01b0b1.exe
"C:\Users\Admin\AppData\Local\Temp\87fcd72d5a220af7e19b13236a28a6258e38cf6040f03cdb7fff46d98f01b0b1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2004-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2004-9-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2004-16-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2004-14-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2004-8-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2004-5-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2004-12-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2004-7-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2748-0-0x0000000000290000-0x00000000002BA000-memory.dmp

Filesize
168KB

Download
memory/2748-1-0x0000000074D00000-0x00000000753EE000-memory.dmp

Filesize
6.9MB

Download
memory/2748-4-0x00000000005D0000-0x00000000005DA000-memory.dmp

Filesize
40KB

Download
memory/2748-3-0x0000000000410000-0x0000000000432000-memory.dmp

Filesize
136KB

Download
memory/2748-2-0x0000000004B90000-0x0000000004BD0000-memory.dmp

Filesize
256KB

Download
memory/2748-17-0x0000000074D00000-0x00000000753EE000-memory.dmp

Filesize
6.9MB

Download