xworm | 7f93aaedcf0185373266c8c4e710eef2716641ebb241d68c80f33e525c448e5c | Triage

Analysis

max time kernel
7s
max time network
10s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27/04/2024, 23:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

34343.exe
Size

168KB
MD5

9b5c4a6eb426547f25b2055958f48655
SHA1

07dfd8eedf365dfd988b685feb5ad42889b27e87
SHA256

83bfd94ce2f17c995d11f4ec8e419c939184bea281139432b16b41467dbd8ddf
SHA512

cb736bd251e9ed9af134d7f9d5e483282227f3ab24a33c66f3e9ce7863678880b50d75cb1ab14a4635d7e1122c8cf2a05ebc6376b1e84247a52410f191c501f7
SSDEEP

3072:E0W1Czzb14m1QwOmw4NpVq8BxFRzaqF+o2GQJ7/JzqVfGvL:E0VbSTgVqwlL

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

dffsdfsdfe434334.bounceme.net:7000

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/3956-0-0x0000000000EF0000-0x0000000000F20000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3956	34343.exe

C:\Users\Admin\AppData\Local\Temp\34343.exe
"C:\Users\Admin\AppData\Local\Temp\34343.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3956

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3956-0-0x0000000000EF0000-0x0000000000F20000-memory.dmp

Filesize
192KB

Download
memory/3956-1-0x00007FF9543D0000-0x00007FF954E91000-memory.dmp

Filesize
10.8MB

Download
memory/3956-2-0x000000001BD30000-0x000000001BD40000-memory.dmp

Filesize
64KB

Download