xworm | 1a0415b183819e7aab0e90aaa797c5dd3538319657d72e7f07eda0bf4fba7022

Analysis

max time kernel
101s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2024 14:45

Target

674498d7efc61696666dfb65f019ef50N.exe
Size

119KB
MD5

674498d7efc61696666dfb65f019ef50
SHA1

3ab2475c34f51e31defbc87179dccaebea81649b
SHA256

1a0415b183819e7aab0e90aaa797c5dd3538319657d72e7f07eda0bf4fba7022
SHA512

d20a1ae850f9545c49d702cb18fa166e1062e9ee78ddd326242d04db848fd6c3a034fa283e52eba4fd18e90e89944fd21d9606a2e43eee65a07ab763550146a3
SSDEEP

1536:4Cr2lfwjzwGc5eIfwbzhnrSHlsCIOUNrhfSw/joT3/4D:4CrSczcKblrCspOUNrcw7oL8

Score

10^/10

xworm rat trojan

Family

xworm

176.96.233.233:7432

Attributes

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/736-1-0x0000000000EE0000-0x0000000000F04000-memory.dmp	family_xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	ip-api.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	736	674498d7efc61696666dfb65f019ef50N.exe
Token: SeDebugPrivilege	736	674498d7efc61696666dfb65f019ef50N.exe

C:\Users\Admin\AppData\Local\Temp\674498d7efc61696666dfb65f019ef50N.exe
"C:\Users\Admin\AppData\Local\Temp\674498d7efc61696666dfb65f019ef50N.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:736

memory/736-0-0x00007FF8FF573000-0x00007FF8FF575000-memory.dmp

Filesize
8KB

Download
memory/736-1-0x0000000000EE0000-0x0000000000F04000-memory.dmp

Filesize
144KB

Download
memory/736-2-0x00007FF8FF570000-0x00007FF900031000-memory.dmp

Filesize
10.8MB

Download
memory/736-3-0x00007FF8FF573000-0x00007FF8FF575000-memory.dmp

Filesize
8KB

Download
memory/736-4-0x00007FF8FF570000-0x00007FF900031000-memory.dmp

Filesize
10.8MB

Download