xworm | 7c970e9a98fe6637451e1532fab7e45951b397190ca654fd90e599c81ffacf4e

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-10-2024 19:38

Target

WizClient.exe
Size

82KB
MD5

4087de8484432215c4002db82dee2c5e
SHA1

9326991dc95ccc0c91e10076f590c6b7a422bab4
SHA256

7c970e9a98fe6637451e1532fab7e45951b397190ca654fd90e599c81ffacf4e
SHA512

aa4645dcea249bf729f226234f205955ed7c4c2d85d63bc15e1788bee7ba1128f83842eacf6d14cdbf4f9a1bb961ca1ef89c6b68e7604471103d0baffcd67cd9
SSDEEP

1536:JK+IcjTt3GY591bDfK3L6cRPawONRjayu1a2N:JK+r2YxbDaPawONRja/3N

Score

10^/10

xworm rat trojan

Family

xworm

point-get.gl.at.ply.gg:3583

Attributes

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2520-1-0x0000000000B50000-0x0000000000B6A000-memory.dmp	family_xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	WizClient.exe

C:\Users\Admin\AppData\Local\Temp\WizClient.exe
"C:\Users\Admin\AppData\Local\Temp\WizClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2520

memory/2520-0-0x000007FEF5C13000-0x000007FEF5C14000-memory.dmp

Filesize
4KB

Download
memory/2520-1-0x0000000000B50000-0x0000000000B6A000-memory.dmp

Filesize
104KB

Download
memory/2520-2-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download
memory/2520-3-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download