xworm | a0756ab29accc2be2e7635acc8940e3220cd7dd9eb45885e9c8c84c820af7218

Analysis

max time kernel
1798s
max time network
1805s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
30-09-2024 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

why-so-serious.exe
Size

34KB
MD5

075e5dfc2e2877d810d9eb361d0dfe33
SHA1

3b4c8856d50de13242bbfd25324c16b6c6500d8d
SHA256

a0756ab29accc2be2e7635acc8940e3220cd7dd9eb45885e9c8c84c820af7218
SHA512

c0f6426a3acd4d2283724b3f86426efb91fd9f4d2dcb8b5dcc714a30652802277d46784bafda0151954101ac3c49aaba4acd33e9ef90218f8d3952573fc12429
SSDEEP

384:gSyXlquOae6oKoBmoDnnGvBLmlVCwvHixdTD2VR8pkFTBLTIZwYGDcvw9Ikuistt:XyXiBDAtYVC4CaV9FZ9jAPOjhj/4/

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

lefferek-42016.portmap.host:61672

budget-compiled.gl.at.ply.gg:61672

Mutex

KvL0ZeqSklQx7juN

Attributes

Install_directory
%AppData%
install_file
DiscordClient.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/4152-1-0x0000000000970000-0x000000000097E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DiscordClient.lnk	why-so-serious.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DiscordClient.lnk	why-so-serious.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4152	why-so-serious.exe

C:\Users\Admin\AppData\Local\Temp\why-so-serious.exe
"C:\Users\Admin\AppData\Local\Temp\why-so-serious.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:4152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4152-0-0x00007FFD951C3000-0x00007FFD951C5000-memory.dmp

Filesize
8KB

Download
memory/4152-1-0x0000000000970000-0x000000000097E000-memory.dmp

Filesize
56KB

Download
memory/4152-6-0x00007FFD951C0000-0x00007FFD95C82000-memory.dmp

Filesize
10.8MB

Download
memory/4152-7-0x00007FFD951C3000-0x00007FFD951C5000-memory.dmp

Filesize
8KB

Download
memory/4152-8-0x00007FFD951C0000-0x00007FFD95C82000-memory.dmp

Filesize
10.8MB

Download