xworm | af798e7c9e3ec896c9fc4891e128a5ef6035b027390320dd184d1dcef89ff470

Analysis

max time kernel
56s
max time network
49s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2024 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe
Size

755KB
MD5

a8f5eb653b660a24e0a0017c684c1b96
SHA1

4b75c2c8dba5f4198873a8ed0e0c4d2bf146d881
SHA256

d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51
SHA512

0ff6026999fee1e6456a6557a82079a03622480edfd5aef9f7c1e3b03266a1e589fc4b3eb4568f3bec9f5f5f439f58aa313c8409241cbe4e1ffc1043c66a0b01
SSDEEP

12288:HwglEe171o1+1k155scBRTWgwxPzDnkbIStV4bkX7cst2Ket3D6ohYc8A4isx:CnNKkbI0NjKRs

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

dav12221.duckdns.org:7000

Mutex

VnoSv30JNEHEbKof

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4732-8-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 960 set thread context of 4732	960	d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe	84

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4732	d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4732	d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4732	d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 4732	960	d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe	84
PID 960 wrote to memory of 4732	960	d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe	84
PID 960 wrote to memory of 4732	960	d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe	84
PID 960 wrote to memory of 4732	960	d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe	84
PID 960 wrote to memory of 4732	960	d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe	84
PID 960 wrote to memory of 4732	960	d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe	84
PID 960 wrote to memory of 4732	960	d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe	84
PID 960 wrote to memory of 4732	960	d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe	84

C:\Users\Admin\AppData\Local\Temp\d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe
"C:\Users\Admin\AppData\Local\Temp\d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:960
- C:\Users\Admin\AppData\Local\Temp\d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe
  "C:\Users\Admin\AppData\Local\Temp\d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4732

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\d4d4c8f1217f38de76b3ba26865db8460987a0877ba70eb70f25fef6f5756c51.exe.log

Filesize
706B

MD5
2ef5ef69dadb8865b3d5b58c956077b8

SHA1
af2d869bac00685c745652bbd8b3fe82829a8998

SHA256
363502eb2a4e53ba02d2d85412b901fcf8e06de221736bdffa949799ef3d21e3

SHA512
66d4db5dd17d88e1d54ea0df3a7211a503dc4355de701259cefccc9f2e4e3ced9534b700099ffbb089a5a3acb082011c80b61801aa14aff76b379ce8f90d4fd3

Download Submit
memory/960-12-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download
memory/960-1-0x0000000003230000-0x000000000326E000-memory.dmp

Filesize
248KB

Download
memory/960-2-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download
memory/960-3-0x0000000005E40000-0x00000000063E4000-memory.dmp

Filesize
5.6MB

Download
memory/960-4-0x0000000005930000-0x00000000059C2000-memory.dmp

Filesize
584KB

Download
memory/960-5-0x0000000005A70000-0x0000000005B0C000-memory.dmp

Filesize
624KB

Download
memory/960-6-0x0000000003290000-0x00000000032A0000-memory.dmp

Filesize
64KB

Download
memory/960-7-0x00000000058C0000-0x00000000058C8000-memory.dmp

Filesize
32KB

Download
memory/960-0-0x0000000000D70000-0x0000000000E34000-memory.dmp

Filesize
784KB

Download
memory/4732-8-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4732-11-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download
memory/4732-13-0x0000000005680000-0x0000000005690000-memory.dmp

Filesize
64KB

Download
memory/4732-14-0x0000000005D80000-0x0000000005D8A000-memory.dmp

Filesize
40KB

Download
memory/4732-15-0x00000000751A0000-0x0000000075950000-memory.dmp

Filesize
7.7MB

Download
memory/4732-16-0x0000000005680000-0x0000000005690000-memory.dmp

Filesize
64KB

Download