xworm | 039a630b2f6139fd5f1db717f03e372a12c489ec22c1a92d750fbfcb83c17069

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
31/10/2024, 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DeadPayload.exe
Size

500KB
MD5

d6aa8be4d3e01013711974b9e0213600
SHA1

9d26eccfb6d7455a76c0a41eba38578aaf2d41c0
SHA256

039a630b2f6139fd5f1db717f03e372a12c489ec22c1a92d750fbfcb83c17069
SHA512

a95e7edb2a0cda6c7d06b84ac165d843c64c6a1e344319ba3cf3d7d7f2790ae56f7d02f21c9e082d50604493479c0eca5f5b1cc2cd8cdfbc21aa9b65b3079ca3
SSDEEP

12288:83DTkV1ilKya0FOUuQ0gH+kmtbF6W05EJXp107sdzO:2kGTy

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

QgVg78qW15uIsQ4H

Attributes

Install_directory
%Public%
install_file
ohh.exe
pastebin_url
https://pastebin.com/raw/J09JweeH

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000018f85-6.dat	family_xworm
behavioral1/memory/2920-8-0x0000000000A90000-0x0000000000A9E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 1 IoCs

pid	Process
2920	DeadMan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2920	DeadMan.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2920	2904	DeadPayload.exe	31
PID 2904 wrote to memory of 2920	2904	DeadPayload.exe	31
PID 2904 wrote to memory of 2920	2904	DeadPayload.exe	31

C:\Users\Admin\AppData\Local\Temp\DeadPayload.exe
"C:\Users\Admin\AppData\Local\Temp\DeadPayload.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Users\Public\DeadMan.exe
  "C:\Users\Public\DeadMan.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\DeadMan.exe

Filesize
34KB

MD5
86596f8f255ec89d279b0824435e99ad

SHA1
828d881cd4e693004ef8285aec99ef741b7f12ea

SHA256
be04723ba31eb34aafe705d2ae69a8b76cd717f3d378c49eee960a86112b7a58

SHA512
ed8429cf751326a5b646e35c59c61b2b3a0fdd7179f6a9a33e0bc70526dd96a72e02c2456d480cb26a8c0cd5f641842a73073bd2dc246d038d3642cec14f4672

Download Submit
memory/2904-0-0x000007FEF56D3000-0x000007FEF56D4000-memory.dmp

Filesize
4KB

Download
memory/2904-1-0x00000000000E0000-0x0000000000164000-memory.dmp

Filesize
528KB

Download
memory/2920-8-0x0000000000A90000-0x0000000000A9E000-memory.dmp

Filesize
56KB

Download
memory/2920-9-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2920-10-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download