xworm | d5f3ade8dcf776d15cb8c0fa90ae775c650f89617a586817e1656d15279f0d3b

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 01:38

Target

d5f3ade8dcf776d15cb8c0fa90ae775c650f89617a586817e1656d15279f0d3b.exe
Size

84KB
MD5

7d367e5778501dd057e233dbbd917a48
SHA1

3fc55369d1f97ffe6ea236dd8878f923024a1dc0
SHA256

d5f3ade8dcf776d15cb8c0fa90ae775c650f89617a586817e1656d15279f0d3b
SHA512

c11e3a3bf96b43303cb4e2a8d5c91cb43c68f5a84d6ccc23bb2e5740bffde425ff73d747203d64f9aee66103fb9465e5284f64a57a7b9351080c8ed492b6e1be
SSDEEP

1536:rcM5lz+Dxn3KbGTkY/lRR6m+Mnkb5sMFj60/BOUqwYic93SznQygxx:J5lqeokY16mvkb5/JBO3iuSTk

Score

10^/10

xworm rat trojan

Family

xworm

45.156.30.9:1604

Attributes

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4076-1-0x0000000000350000-0x000000000036A000-memory.dmp	family_xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4076	d5f3ade8dcf776d15cb8c0fa90ae775c650f89617a586817e1656d15279f0d3b.exe

C:\Users\Admin\AppData\Local\Temp\d5f3ade8dcf776d15cb8c0fa90ae775c650f89617a586817e1656d15279f0d3b.exe
"C:\Users\Admin\AppData\Local\Temp\d5f3ade8dcf776d15cb8c0fa90ae775c650f89617a586817e1656d15279f0d3b.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4076

memory/4076-0-0x00007FFB4E853000-0x00007FFB4E855000-memory.dmp

Filesize
8KB

Download
memory/4076-1-0x0000000000350000-0x000000000036A000-memory.dmp

Filesize
104KB

Download
memory/4076-2-0x00007FFB4E850000-0x00007FFB4F311000-memory.dmp

Filesize
10.8MB

Download
memory/4076-3-0x00007FFB4E850000-0x00007FFB4F311000-memory.dmp

Filesize
10.8MB

Download