Analysis

  • max time kernel
    126s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-10-2024 01:28

General

  • Target

    9ca4695aa52e3bf468c2bfe36ecc105c730157a6927e4d96f5ca148c51534c36.exe

  • Size

    89KB

  • MD5

    0ee20a416c4c752806bb696e44e7085e

  • SHA1

    54dae877a748a236f12f2d0a3eb34c63a8aa7a73

  • SHA256

    9ca4695aa52e3bf468c2bfe36ecc105c730157a6927e4d96f5ca148c51534c36

  • SHA512

    78f3c7b275893fe55e03cedfa929403b704bcb123f0cb13850cfed002a72cb6a4572ad3e376508e999406d0e408ca32cc65b11a9d7dca48265735a42da85bde7

  • SSDEEP

    1536:kcqdeKNDJYmE2YgAtHlwGSduaCCf4AMbXbnGQ3/aMclu6ZVcaOzaZPz:j0eKNDqmFGZaPgXbXbn/cXVOOZ

Score
10/10

Malware Config

Extracted

Family

xworm

C2

f8terat.ddns.net:7000

78.70.235.238:7000

Attributes
  • Install_directory

    %Temp%

  • install_file

    updater.exe

  • telegram

    https://api.telegram.org/bot7084570776:AAHWfPRjpebc_dUAwpwOYQjDqVKGe1YgIxw/sendMessage?chat_id=5456205643

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ca4695aa52e3bf468c2bfe36ecc105c730157a6927e4d96f5ca148c51534c36.exe
    "C:\Users\Admin\AppData\Local\Temp\9ca4695aa52e3bf468c2bfe36ecc105c730157a6927e4d96f5ca148c51534c36.exe"
    • Suspicious use of AdjustPrivilegeToken
    PID:2096
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4424,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=4396 /prefetch:8
    PID:1204

Downloads

  • memory/2096-0-0x00007FF9CE303000-0x00007FF9CE305000-memory.dmp

    Filesize

    8KB

  • memory/2096-1-0x00000000001E0000-0x00000000001FC000-memory.dmp

    Filesize

    112KB

  • memory/2096-2-0x00007FF9CE300000-0x00007FF9CEDC1000-memory.dmp

    Filesize

    10.8MB

  • memory/2096-3-0x00007FF9CE300000-0x00007FF9CEDC1000-memory.dmp

    Filesize

    10.8MB