Malware Analysis Report

2024-09-11 14:48

Sample ID: 240611-dv4leashmr
Target: af9a6f5f38051152a45f8ed13920ba6a.bin
SHA256: 73a25e9ea9ab8041e1cf327ec49c93fccb61b740c671342d0988b4aea4234a0f
Tags: xworm rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 73a25e9ea9ab8041e1cf327ec49c93fccb61b740c671342d0988b4aea4234a0f

Threat Level: Known bad

The file af9a6f5f38051152a45f8ed13920ba6a.bin was found to be: Known bad.

Malicious Activity Summary

xworm rat trojan

Detect Xworm Payload

Xworm family

Xworm

Unsigned PE

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-11 03:20

Signatures

Detect Xworm Payload

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Xworm family

xworm

Unsigned PE

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-11 03:20
Reported: 2024-06-11 03:23
Platform: win7-20240508-en
Max time kernel: 118s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\af9a6f5f38051152a45f8ed13920ba6a.exe"

Signatures

Detect Xworm Payload

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Xworm

trojan rat xworm

Suspicious use of AdjustPrivilegeToken

Description              Indicator   Process                                                                  Target
Token: SeDebugPrivilege  N/A         C:\Users\Admin\AppData\Local\Temp\af9a6f5f38051152a45f8ed13920ba6a.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\af9a6f5f38051152a45f8ed13920ba6a.exe

"C:\Users\Admin\AppData\Local\Temp\af9a6f5f38051152a45f8ed13920ba6a.exe"

Network

Country   Destination   Domain            Proto
US        8.8.8.8:53    20.ip.gl.ply.gg   udp

Files

memory/1276-0-0x000007FEF5D83000-0x000007FEF5D84000-memory.dmp

memory/1276-1-0x0000000001030000-0x000000000103E000-memory.dmp

memory/1276-2-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

memory/1276-3-0x000007FEF5D83000-0x000007FEF5D84000-memory.dmp

memory/1276-4-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-11 03:20
Reported: 2024-06-11 03:23
Platform: win10v2004-20240508-en
Max time kernel: 51s
Max time network: 51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\af9a6f5f38051152a45f8ed13920ba6a.exe"

Signatures

Detect Xworm Payload

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Xworm

trojan rat xworm

Suspicious use of AdjustPrivilegeToken

Description              Indicator   Process                                                                  Target
Token: SeDebugPrivilege  N/A         C:\Users\Admin\AppData\Local\Temp\af9a6f5f38051152a45f8ed13920ba6a.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\af9a6f5f38051152a45f8ed13920ba6a.exe

"C:\Users\Admin\AppData\Local\Temp\af9a6f5f38051152a45f8ed13920ba6a.exe"

Network

Country   Destination   Domain            Proto
US        8.8.8.8:53    20.ip.gl.ply.gg   udp

Files

memory/4660-0-0x00007FF9A8013000-0x00007FF9A8015000-memory.dmp

memory/4660-1-0x0000000000A30000-0x0000000000A3E000-memory.dmp

memory/4660-2-0x00007FF9A8010000-0x00007FF9A8AD1000-memory.dmp

memory/4660-3-0x00007FF9A8010000-0x00007FF9A8AD1000-memory.dmp