xworm | 3c15ad7d87d745c85329bea741a39952288bd6432bf376b6d8404026d70925fc

Analysis

max time kernel
148s
max time network
127s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
05/07/2024, 04:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3c15ad7d87d745c85329bea741a39952288bd6432bf376b6d8404026d70925fc.exe
Size

88KB
MD5

2754f2c1b905c6f382bc18f10ca84220
SHA1

f14be7d64ae1c53b6158a36a3c36ddfbc028f16b
SHA256

3c15ad7d87d745c85329bea741a39952288bd6432bf376b6d8404026d70925fc
SHA512

fc01c8596804c0b23a3b4cbec3aa7f980e557cf8b326329ee5d20bdd260befd8b34d2f5249bc2c6f7b798258f30bbad45826d8e1684fc4708a74dd3881bd0127
SSDEEP

1536:Q7JQIkawLJJkxWZ6sh6I8/7MOLwuUStWHqQeN8kOhpi/:6JQPQw+/7brNtWKQeGNv

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

127.0.0.1:7000

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000e00000001226b-6.dat	family_xworm
behavioral1/memory/2200-8-0x0000000000A20000-0x0000000000A34000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Executes dropped EXE 1 IoCs

pid	Process
2200	0.dll

Loads dropped DLL 1 IoCs

pid	Process
2972	3c15ad7d87d745c85329bea741a39952288bd6432bf376b6d8404026d70925fc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2200	0.dll

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2972	3c15ad7d87d745c85329bea741a39952288bd6432bf376b6d8404026d70925fc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2200	2972	3c15ad7d87d745c85329bea741a39952288bd6432bf376b6d8404026d70925fc.exe	28
PID 2972 wrote to memory of 2200	2972	3c15ad7d87d745c85329bea741a39952288bd6432bf376b6d8404026d70925fc.exe	28
PID 2972 wrote to memory of 2200	2972	3c15ad7d87d745c85329bea741a39952288bd6432bf376b6d8404026d70925fc.exe	28
PID 2972 wrote to memory of 2200	2972	3c15ad7d87d745c85329bea741a39952288bd6432bf376b6d8404026d70925fc.exe	28

C:\Users\Admin\AppData\Local\Temp\3c15ad7d87d745c85329bea741a39952288bd6432bf376b6d8404026d70925fc.exe
"C:\Users\Admin\AppData\Local\Temp\3c15ad7d87d745c85329bea741a39952288bd6432bf376b6d8404026d70925fc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\0.dll
  C:\Users\Admin\AppData\Local\Temp\0.dll
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2200

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0.dll

Filesize
54KB

MD5
2a949e33c63584c60768b01eb3a6f93d

SHA1
ccfb4ae443f7c8cdc9b426c7e3ba22087eeafbed

SHA256
1ffe448c6aacb5e35ee6571922685b16ddf54e7e6dfd756391345381ebf6a860

SHA512
e29258ff04bf85d0b58626ecbe48ed9153e5a6ea2dcfa108bda8db7e6bf8b3e22007c1c3b7a8ab11e1726a1da1a5dad91d50c2787d95505581471543f0c8ec86

Download Submit
memory/2200-7-0x000007FEF5E43000-0x000007FEF5E44000-memory.dmp

Filesize
4KB

Download
memory/2200-8-0x0000000000A20000-0x0000000000A34000-memory.dmp

Filesize
80KB

Download
memory/2200-9-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

Filesize
9.9MB

Download
memory/2200-10-0x000007FEF5E43000-0x000007FEF5E44000-memory.dmp

Filesize
4KB

Download
memory/2200-11-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

Filesize
9.9MB

Download