xworm | e1273e480ea564ccc1d037c9f47ee5a378aec0d196f434a3d99b687f547a83a9

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16-10-2024 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df.exe
Size

58KB
MD5

b194de4adb59afb5c4392f8a56fe25c0
SHA1

1f482bea8edc37c763901923d11adeda24946057
SHA256

e1273e480ea564ccc1d037c9f47ee5a378aec0d196f434a3d99b687f547a83a9
SHA512

687674f8f300c9352f8a35030307f433672749163cf43caece8bb7b46d3af9c22f9a93ff93b0c0e6fd74bbe4277527e9ffae10e581cf0b2551078d05521d49f8
SSDEEP

768:Hv8jto5Hcw3xwKFYwqNxghTaFjMYnGLppEzJL5Ykbo8fBuzfAUkBvmL8QnhUcAVJ:HgFyT/nENMHLTUJmkbNfYTAB3POvDE

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

147.185.221.16:40164

147.185.221.20:40164

Attributes

install_file
System Volume Information Prefetch.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2448-1-0x00000000000D0000-0x00000000000E4000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Deletes itself 1 IoCs

pid	Process
2716	cmd.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
568	timeout.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2448	df.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2716	2448	df.exe	32
PID 2448 wrote to memory of 2716	2448	df.exe	32
PID 2448 wrote to memory of 2716	2448	df.exe	32
PID 2716 wrote to memory of 568	2716	cmd.exe	34
PID 2716 wrote to memory of 568	2716	cmd.exe	34
PID 2716 wrote to memory of 568	2716	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\df.exe
"C:\Users\Admin\AppData\Local\Temp\df.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp895B.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:568

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp895B.tmp.bat

Filesize
154B

MD5
1b59ce4732e00617b49d7446cf1c5b46

SHA1
afc2e77a959ae6771717bfa85f29eae1e2bccd13

SHA256
a481cecf95b55a78e34ce9e3f6ef114c9714161bfdca27f9fe0024a5abdd1c98

SHA512
0829547c2e077a9cb375a70a970335f6c03c27ae5563e8150b3625aca0cc3824c70f4085b9258649231365e9634a08152590725af01759002789653aeff06f36

Download Submit
memory/2448-0-0x000007FEF5F63000-0x000007FEF5F64000-memory.dmp

Filesize
4KB

Download
memory/2448-1-0x00000000000D0000-0x00000000000E4000-memory.dmp

Filesize
80KB

Download
memory/2448-2-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2448-3-0x000007FEF5F63000-0x000007FEF5F64000-memory.dmp

Filesize
4KB

Download
memory/2448-4-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download
memory/2448-5-0x000000001CDA0000-0x000000001D0F0000-memory.dmp

Filesize
3.3MB

Download
memory/2448-14-0x000007FEF5F60000-0x000007FEF694C000-memory.dmp

Filesize
9.9MB

Download