xworm | 42fe451761518f07b10ce7bd46b7e769a1e5f81105eab2e26e70d6e7c7441715

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
02-11-2024 21:54

Target

ewasredwqrd.exe
Size

78KB
MD5

4b81e8952225eca28b18db9d72b6b737
SHA1

6163fd2dee1ac164117c6a651faffab980acdfb4
SHA256

42fe451761518f07b10ce7bd46b7e769a1e5f81105eab2e26e70d6e7c7441715
SHA512

8d1366c4d074a78542d6a9803e847d9967e561217db8d1a2d869da704ecb0289f494daca572dc025a59dba9fa25a1b9115b28bd2ba2855e5fed720612dbb61e4
SSDEEP

1536:n69VlbvyAhLMKmlYkLfkrsb3Y83PlDAoO5CJWDRi:6VFRmPb3F3XO5CJki

Score

10^/10

xworm rat trojan

Family

xworm

10.0.0.97:7000

Attributes

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2828-1-0x0000000001170000-0x000000000118A000-memory.dmp	family_xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2828	ewasredwqrd.exe

C:\Users\Admin\AppData\Local\Temp\ewasredwqrd.exe
"C:\Users\Admin\AppData\Local\Temp\ewasredwqrd.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2828

memory/2828-0-0x000007FEF5E33000-0x000007FEF5E34000-memory.dmp

Filesize
4KB

Download
memory/2828-1-0x0000000001170000-0x000000000118A000-memory.dmp

Filesize
104KB

Download
memory/2828-2-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download
memory/2828-3-0x000007FEF5E30000-0x000007FEF681C000-memory.dmp

Filesize
9.9MB

Download