xworm | 170f9a45c7c994855a1e9d00170d6bf2d9ad2531ca1ee2f88787ad8e74b02012

Analysis

max time kernel
136s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2024, 19:56

Target

yesyes.exe
Size

80KB
MD5

449e611da0d5ef79840415ae1ebbaf04
SHA1

c722eba3fe33d7d7fbc89863951111ee772d5468
SHA256

170f9a45c7c994855a1e9d00170d6bf2d9ad2531ca1ee2f88787ad8e74b02012
SHA512

e310c3206b27b7ec43b80685e4252e40d109efdf3684dd4d05cd2e6543dfe482ff03645a8bbec5a95444edb1d02687621249ea3127997cdae10d1e0ffabdb661
SSDEEP

1536:yBIjlV6Gh32ecpdVm/vxT4OpDNmJuUqxb7lPqinX75z6lKa2OZkn1awK7Gq:y2jlid4x4y8grb75/X75KKa2OKn8Gq

Score

10^/10

xworm rat trojan

Family

xworm

includes-icon.gl.at.ply.gg:41717

Attributes

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4380-1-0x00000000001F0000-0x000000000020A000-memory.dmp	family_xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4380	yesyes.exe

C:\Users\Admin\AppData\Local\Temp\yesyes.exe
"C:\Users\Admin\AppData\Local\Temp\yesyes.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4380

memory/4380-0-0x00007FFE03253000-0x00007FFE03255000-memory.dmp

Filesize
8KB

Download
memory/4380-1-0x00000000001F0000-0x000000000020A000-memory.dmp

Filesize
104KB

Download
memory/4380-2-0x00007FFE03250000-0x00007FFE03D11000-memory.dmp

Filesize
10.8MB

Download
memory/4380-3-0x00007FFE03250000-0x00007FFE03D11000-memory.dmp

Filesize
10.8MB

Download