xworm | 50ea565937518de1685c92f332fffc1bc37a78b3e79e033c9f386ed5cd641bbc

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2024, 01:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

87fcd72d5a220af7e19b13236a28a6258e38cf6040f03cdb7fff46d98f01b0b1.exe
Size

142KB
MD5

c00217935070f3582e3e7352f9d4b33a
SHA1

a4a01d96f20c1858b2327d3cc42d9633e0c9c715
SHA256

87fcd72d5a220af7e19b13236a28a6258e38cf6040f03cdb7fff46d98f01b0b1
SHA512

89e90e99ffd9a35512e44dd83a9dc7bbab213fa6ad6758dd11225a4615ee165e757d71057e3e6c21198120babbeee46e5217ff05494229f8ab602c5d71c1e190
SSDEEP

3072:kglFIo1nWg7NBWM8kWCZRTdkS6I81QcLLP9JurW2N8BJ:dlF2gjTdoLz9CW

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

107.150.19.19:7000

Mutex

xX4ZsXt0UfSKdG38

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/1020-10-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1876 set thread context of 1020	1876	87fcd72d5a220af7e19b13236a28a6258e38cf6040f03cdb7fff46d98f01b0b1.exe	87

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1020	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 1020	1876	87fcd72d5a220af7e19b13236a28a6258e38cf6040f03cdb7fff46d98f01b0b1.exe	87
PID 1876 wrote to memory of 1020	1876	87fcd72d5a220af7e19b13236a28a6258e38cf6040f03cdb7fff46d98f01b0b1.exe	87
PID 1876 wrote to memory of 1020	1876	87fcd72d5a220af7e19b13236a28a6258e38cf6040f03cdb7fff46d98f01b0b1.exe	87
PID 1876 wrote to memory of 1020	1876	87fcd72d5a220af7e19b13236a28a6258e38cf6040f03cdb7fff46d98f01b0b1.exe	87
PID 1876 wrote to memory of 1020	1876	87fcd72d5a220af7e19b13236a28a6258e38cf6040f03cdb7fff46d98f01b0b1.exe	87
PID 1876 wrote to memory of 1020	1876	87fcd72d5a220af7e19b13236a28a6258e38cf6040f03cdb7fff46d98f01b0b1.exe	87
PID 1876 wrote to memory of 1020	1876	87fcd72d5a220af7e19b13236a28a6258e38cf6040f03cdb7fff46d98f01b0b1.exe	87
PID 1876 wrote to memory of 1020	1876	87fcd72d5a220af7e19b13236a28a6258e38cf6040f03cdb7fff46d98f01b0b1.exe	87

C:\Users\Admin\AppData\Local\Temp\87fcd72d5a220af7e19b13236a28a6258e38cf6040f03cdb7fff46d98f01b0b1.exe
"C:\Users\Admin\AppData\Local\Temp\87fcd72d5a220af7e19b13236a28a6258e38cf6040f03cdb7fff46d98f01b0b1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1020-10-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1020-18-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/1020-17-0x0000000074F00000-0x00000000756B0000-memory.dmp

Filesize
7.7MB

Download
memory/1020-16-0x0000000005460000-0x00000000054C6000-memory.dmp

Filesize
408KB

Download
memory/1020-15-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/1020-12-0x0000000074F00000-0x00000000756B0000-memory.dmp

Filesize
7.7MB

Download
memory/1020-11-0x0000000004DD0000-0x0000000004E6C000-memory.dmp

Filesize
624KB

Download
memory/1876-4-0x0000000004C40000-0x0000000004CB6000-memory.dmp

Filesize
472KB

Download
memory/1876-8-0x0000000004E80000-0x0000000004EA2000-memory.dmp

Filesize
136KB

Download
memory/1876-9-0x0000000004EC0000-0x0000000004ECA000-memory.dmp

Filesize
40KB

Download
memory/1876-7-0x0000000004D30000-0x0000000004D4E000-memory.dmp

Filesize
120KB

Download
memory/1876-6-0x0000000004B40000-0x0000000004B4A000-memory.dmp

Filesize
40KB

Download
memory/1876-5-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/1876-14-0x0000000074F00000-0x00000000756B0000-memory.dmp

Filesize
7.7MB

Download
memory/1876-0-0x0000000000130000-0x000000000015A000-memory.dmp

Filesize
168KB

Download
memory/1876-3-0x0000000004BA0000-0x0000000004C32000-memory.dmp

Filesize
584KB

Download
memory/1876-2-0x0000000005150000-0x00000000056F4000-memory.dmp

Filesize
5.6MB

Download
memory/1876-1-0x0000000074F00000-0x00000000756B0000-memory.dmp

Filesize
7.7MB

Download