xworm | 2eef7833fa4b54da04b6c5043efbe11e5dd151a70b2fcc290251d5ee1a34f6dc

Analysis

max time kernel
139s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 06:41

Target

XClienww.exe
Size

30KB
MD5

69c83edef0d409cb392d39b953540dd9
SHA1

c9284521655bb3e4f78e80288f4d2a2dbddbafaf
SHA256

2eef7833fa4b54da04b6c5043efbe11e5dd151a70b2fcc290251d5ee1a34f6dc
SHA512

e89317e0c898c695b8fd6c54372ea52f663f40c6be27ac86008d701be0f844d6cf81815a417118b09d7ef323be1e095e722fb1960c3d8bc07e7c3e17121bc807
SSDEEP

384:L7wTA+5OfPgEBQqWvfcQLZe3sr0hYACSqRFYjY2uRugtFuBLTIOZw/WVnvn9IkVe:LrgECfLHrMYAoRF72uBFE9RIOqh+bU

Score

10^/10

xworm rat trojan

Family

xworm

Version

3.1

built-illegal.gl.at.ply.gg:51660

Mutex

Wb5UffKZlzIeq5KM

Attributes

aes.plain

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/228-1-0x00000000001E0000-0x00000000001EE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3464 timeout.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

XClienww.exe

description pid process

Token: SeDebugPrivilege 228 XClienww.exe

pid	process
3464	timeout.exe

description	pid	process
Token: SeDebugPrivilege	228	XClienww.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

XClienww.execmd.exe

description	pid	process	target process
PID 228 wrote to memory of 2668	228	XClienww.exe	cmd.exe
PID 228 wrote to memory of 2668	228	XClienww.exe	cmd.exe
PID 2668 wrote to memory of 3464	2668	cmd.exe	timeout.exe
PID 2668 wrote to memory of 3464	2668	cmd.exe	timeout.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3CD5.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:3464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4020,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=4068 /prefetch:8
1⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\tmp3CD5.tmp.bat
Filesize
160B

MD5
00f563e43af74a0dfb68818bec9ddbb3

SHA1
790f69e5c38eae06aea67662c43be0088453e55e

SHA256
65819b0525546e7bac97f2c614124c84c487572de3892ca94bbe423065c15447

SHA512
ef12758c20da5c785cc2e60dcba0ef5cbf06ef65bf9d5534406623ff7711e7110491503eb6aca27e39a72476af5e7d884ac0e832ddb96a69b00e6bee00581804

Download Submit
memory/228-0-0x00007FF990513000-0x00007FF990515000-memory.dmp

Filesize
8KB

Download
memory/228-1-0x00000000001E0000-0x00000000001EE000-memory.dmp

Filesize
56KB

Download
memory/228-2-0x00007FF990510000-0x00007FF990FD1000-memory.dmp

Filesize
10.8MB

Download
memory/228-3-0x000000001AF20000-0x000000001AF2A000-memory.dmp

Filesize
40KB

Download
memory/228-4-0x00007FF990513000-0x00007FF990515000-memory.dmp

Filesize
8KB

Download
memory/228-9-0x00007FF990510000-0x00007FF990FD1000-memory.dmp

Filesize
10.8MB

Download