xworm | 5f6b7fac414c602989c14283e4bfd01a9dad04d84d178a4fd108d1e5d133eaf4

Resubmissions

18/10/2024, 00:32

241018-avtvesybqp 10

18/10/2024, 00:24

241018-ap6xssveqg 10

Analysis

max time kernel
51s
max time network
49s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2024, 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xeno-Executor-v1.0.8-main.zip
Size

4.1MB
MD5

5f092e0d074a1a45f22db0bd55c0931f
SHA1

9294aa768de3f0ef8a6468854e2d118c5a72d6fe
SHA256

5f6b7fac414c602989c14283e4bfd01a9dad04d84d178a4fd108d1e5d133eaf4
SHA512

346eae473dadbd7f05743ea02a49fc4c1fd7a92d8b7e09fa8f8291a5ddf3619e6c0ab1196e4d46a930e54c110abf461966fbf4dae5fff1cf6dfd756b46d2a0a0
SSDEEP

98304:4FP5+BAtOValm08CkdzmbjjgAPd1fJ+BOxbaYZ01dvpbN8:4L+B6O8lmNC4SbjjgM1fJ+S1UlS

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

like-minute.gl.at.ply.gg:57419

Attributes

Install_directory
%AppData%
install_file
antivirus.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c98-4.dat	family_xworm
behavioral1/memory/4916-13-0x00000000007A0000-0x00000000007B4000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Executes dropped EXE 3 IoCs

pid	Process
4916	Xeno.exe
4796	Xeno.exe
5056	Xeno.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
36	ip-api.com

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1756	notepad.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2760	7zFM.exe
2760	7zFM.exe
2760	7zFM.exe
2760	7zFM.exe
2760	7zFM.exe
2760	7zFM.exe
2760	7zFM.exe
2760	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2760	7zFM.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	2760	7zFM.exe
Token: 35	2760	7zFM.exe
Token: SeSecurityPrivilege	2760	7zFM.exe
Token: SeDebugPrivilege	4916	Xeno.exe
Token: SeSecurityPrivilege	2760	7zFM.exe
Token: SeDebugPrivilege	4796	Xeno.exe
Token: SeSecurityPrivilege	2760	7zFM.exe
Token: SeSecurityPrivilege	2760	7zFM.exe
Token: SeDebugPrivilege	5056	Xeno.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2760	7zFM.exe
2760	7zFM.exe
2760	7zFM.exe
2760	7zFM.exe
2760	7zFM.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 4916	2760	7zFM.exe	100
PID 2760 wrote to memory of 4916	2760	7zFM.exe	100
PID 2760 wrote to memory of 4796	2760	7zFM.exe	108
PID 2760 wrote to memory of 4796	2760	7zFM.exe	108
PID 2760 wrote to memory of 1756	2760	7zFM.exe	114
PID 2760 wrote to memory of 1756	2760	7zFM.exe	114
PID 2760 wrote to memory of 5056	2760	7zFM.exe	117
PID 2760 wrote to memory of 5056	2760	7zFM.exe	117

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Xeno-Executor-v1.0.8-main.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Users\Admin\AppData\Local\Temp\7zO8CA4A997\Xeno.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8CA4A997\Xeno.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4916
- C:\Users\Admin\AppData\Local\Temp\7zO8CAEEAB7\Xeno.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8CAEEAB7\Xeno.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4796
- C:\Windows\notepad.exe
  "C:\Windows\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\7zO8CA73D58\Xeno.exe"
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1756
- C:\Users\Admin\AppData\Local\Temp\7zO8CAA1B08\Xeno.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8CAA1B08\Xeno.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO8CA4A997\Xeno.exe

Filesize
53KB

MD5
f181bd676c27c82a9041018a1b31cc34

SHA1
e5e146d152b5e0e1f533e99693d3226000a68816

SHA256
20919e71c5aa9728b8dbd5475b0efabf3a7aa730be17151a9bb2dd21fa1e1dce

SHA512
e7b089deb4d23087226f2d5377931466acded58e82f67f7a8bc8e0a20e5bf135c8ea7fce117fb0353357b0a08c3f474a906fe7774d65f9da720de3b19013451e

Download Submit
memory/4916-12-0x00007FFD63893000-0x00007FFD63895000-memory.dmp

Filesize
8KB

Download
memory/4916-13-0x00000000007A0000-0x00000000007B4000-memory.dmp

Filesize
80KB

Download
memory/4916-14-0x00007FFD63890000-0x00007FFD64351000-memory.dmp

Filesize
10.8MB

Download
memory/4916-15-0x00007FFD63890000-0x00007FFD64351000-memory.dmp

Filesize
10.8MB

Download