xworm | 822c1751f5d8bf308fc69a6f0b1bb5614bf4eb0fe1415638d45c70ab626f9614

Analysis

max time kernel
117s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 01:23

Target

822c1751f5d8bf308fc69a6f0b1bb5614bf4eb0fe1415638d45c70ab626f9614.exe
Size

84KB
MD5

11bff8d34e69b9e35855f51d37236b4a
SHA1

ba42805932d7ef37ff8560cd4f8bcc561abf86a6
SHA256

822c1751f5d8bf308fc69a6f0b1bb5614bf4eb0fe1415638d45c70ab626f9614
SHA512

2afe96dde6ad1218443bbce0fd90be6617be0d55b46cd7f29058aa3106c4c77632a5ed711cd6374fbbfb41249f66606278be6efcd914dfffa9e67f32a8a6e29f
SSDEEP

1536:LcM5lz+Dxn3KbGTkY/lRR6m+Mnkb5sMFj60/BOUqwYic93Sz3wygxx:p5lqeokY16mvkb5/JBO3iuSjE

Score

10^/10

xworm rat trojan

Family

xworm

45.156.30.9:1604

Attributes

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2276-1-0x0000000000D20000-0x0000000000D3A000-memory.dmp	family_xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2276	822c1751f5d8bf308fc69a6f0b1bb5614bf4eb0fe1415638d45c70ab626f9614.exe

C:\Users\Admin\AppData\Local\Temp\822c1751f5d8bf308fc69a6f0b1bb5614bf4eb0fe1415638d45c70ab626f9614.exe
"C:\Users\Admin\AppData\Local\Temp\822c1751f5d8bf308fc69a6f0b1bb5614bf4eb0fe1415638d45c70ab626f9614.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2276

memory/2276-0-0x000007FEF5543000-0x000007FEF5544000-memory.dmp

Filesize
4KB

Download
memory/2276-1-0x0000000000D20000-0x0000000000D3A000-memory.dmp

Filesize
104KB

Download
memory/2276-2-0x000007FEF5540000-0x000007FEF5F2C000-memory.dmp

Filesize
9.9MB

Download
memory/2276-3-0x000007FEF5540000-0x000007FEF5F2C000-memory.dmp

Filesize
9.9MB

Download