xworm | f09865a6131f85f939a92745531a23d9c6638a4e4d63e98dea5660ad86378894 | Triage

Analysis

max time kernel
137s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 09:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

50dba3ff74554784188cfd0378fab8f6.exe
Size

62KB
MD5

50dba3ff74554784188cfd0378fab8f6
SHA1

a7ae36030735d467941fef67fc15287502eb1e44
SHA256

f09865a6131f85f939a92745531a23d9c6638a4e4d63e98dea5660ad86378894
SHA512

39f1d8acca12514cee7f6f9aad41ccdf38a674379c2d2e9008447e232b065afed59e82c7c59b6bdda5b02b1824af5f31e5e807576069eb266526f2f3af83e4e7
SSDEEP

1536:3mxP2qSKiiVQlyZrMkbKj7SdnAORTla6x:3loiBVkbKKKORTlRx

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

C2

194.59.30.91:4040

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2888-1-0x0000000000D30000-0x0000000000D46000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2888	50dba3ff74554784188cfd0378fab8f6.exe
Token: SeDebugPrivilege	2888	50dba3ff74554784188cfd0378fab8f6.exe

C:\Users\Admin\AppData\Local\Temp\50dba3ff74554784188cfd0378fab8f6.exe
"C:\Users\Admin\AppData\Local\Temp\50dba3ff74554784188cfd0378fab8f6.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2888

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2888-0-0x00007FFAF9093000-0x00007FFAF9095000-memory.dmp

Filesize
8KB

Download
memory/2888-1-0x0000000000D30000-0x0000000000D46000-memory.dmp

Filesize
88KB

Download
memory/2888-2-0x00007FFAF9090000-0x00007FFAF9B51000-memory.dmp

Filesize
10.8MB

Download
memory/2888-3-0x00007FFAF9090000-0x00007FFAF9B51000-memory.dmp

Filesize
10.8MB

Download