xworm | c43fa1f0bbfbb8f91d9a339b97922494bf790c6b58bf973b56836ef52a3196cd

max time kernel
69s
max time network
70s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-05-2024 18:03

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

ent.exe
Size

44KB
MD5

211661398474b9c96a1d704823d0e552
SHA1

5afcd1a87a69ea1c84a06fdf7079660133ceb28a
SHA256

c43fa1f0bbfbb8f91d9a339b97922494bf790c6b58bf973b56836ef52a3196cd
SHA512

51717923b8d063874d5216db14adbe506826715773845c17961c5e52ed072380ea8b9b75d55559f855e6f42c35c8dd984c055eb3d1f7bec02c62463423c96666
SSDEEP

768:trlZa605WoOu+tpBERbGTHDUgkbZCfr2A33O3sh0l0E:tfq0u+tpKbAjXkbZCjjO3s60E

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Attributes

install_file
USB.exe
pastebin_url
https://pastebin.com/raw/XzLzRHpk

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1632-1-0x0000000000D10000-0x0000000000D22000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
5	pastebin.com
6	0.tcp.eu.ngrok.io
8	0.tcp.eu.ngrok.io
4	pastebin.com

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1632	ent.exe
Token: SeShutdownPrivilege	1400	shutdown.exe
Token: SeRemoteShutdownPrivilege	1400	shutdown.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 1400	1632	ent.exe	32
PID 1632 wrote to memory of 1400	1632	ent.exe	32
PID 1632 wrote to memory of 1400	1632	ent.exe	32

C:\Users\Admin\AppData\Local\Temp\ent.exe
"C:\Users\Admin\AppData\Local\Temp\ent.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\system32\shutdown.exe
  shutdown.exe /f /s /t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1400

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2344

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1632-0-0x000007FEF5873000-0x000007FEF5874000-memory.dmp

Filesize
4KB

Download
memory/1632-1-0x0000000000D10000-0x0000000000D22000-memory.dmp

Filesize
72KB

Download
memory/1632-2-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

Filesize
9.9MB

Download
memory/1632-3-0x000007FEF5873000-0x000007FEF5874000-memory.dmp

Filesize
4KB

Download
memory/1632-4-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

Filesize
9.9MB

Download
memory/1632-5-0x0000000000310000-0x000000000031C000-memory.dmp

Filesize
48KB

Download
memory/1632-7-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

Filesize
9.9MB

Download
memory/2344-6-0x0000000002E10000-0x0000000002E11000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis