Overview

overview

10

Static

static

10

msedge.exe

windows7-x64

10

msedge.exe

windows10-1703-x64

10

msedge.exe

windows10-2004-x64

10

msedge.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    30s
  • max time network
    22s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/09/2024, 17:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    msedge.exe

  • Size

    105KB

  • MD5

    7f63dba75cea8115a65daf651e73cbe4

  • SHA1

    c9c7238f490b7d9a3b370500741be79291d93918

  • SHA256

    393167c6887f41f1ab7339dbe1f0fedbefc0084a12c5b81c1050f21303db2c89

  • SHA512

    4c9bc83c6bc10c910d1ce8b1d4cba97112e253f047d35a1453ac6880c2069adce82a5324407d18d2b6566c84f0364a1dd78211e054f1ebe98c10d1e7178854c8

  • SSDEEP

    1536:DJRDFdGbFh9q06EOjf4GZjzQwK5WW7VCn6Ky7FAmu3wtBUniymeq07sZPSTlkOz/:DTFdUFh9qKOjJe5BV0WUniyimyg

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

86.99.228.173:2

Mutex

arJKoM4DP47o9wF9

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3684-0-0x00007FFCC79E3000-0x00007FFCC79E5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3684-1-0x0000000000F30000-0x0000000000F4E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3684-2-0x00007FFCC79E0000-0x00007FFCC84A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3684-3-0x00007FFCC79E0000-0x00007FFCC84A1000-memory.dmp

    Filesize

    10.8MB

    Download