xworm | 32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-11-2024 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe
Size

2.1MB
MD5

3b5757f632446842aac3ecd3f1c28366
SHA1

4e00b5c8670c8a184632bdd48eedb3f90fdd4f19
SHA256

32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2
SHA512

bee2b4ea1025ba5fd47ace7b3d9d72527ec6511aeb113f1d709c3df0debcb09405e20c5d746719d2bd91b7f304469c2c7dc9f8b746bec953947bbb9583601c6d
SSDEEP

49152:UqwmCCmvuorNkZQfE8UoGH3pRKl9+VvHu7fAws5Q:b8u8kainHPxVvHW3s5Q

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2288-1-0x0000000000CC0000-0x0000000000EE0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe
2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe
2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe
2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe
2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe
2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe
2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe
2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe
2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe
2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe
2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe
2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe
2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe
2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe
2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe
2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe
2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe
2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe
2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe
2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe
2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe
2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe
2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 880	2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe	31
PID 2288 wrote to memory of 880	2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe	31
PID 2288 wrote to memory of 880	2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe	31
PID 2288 wrote to memory of 880	2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe	31
PID 2288 wrote to memory of 2792	2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe	32
PID 2288 wrote to memory of 2792	2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe	32
PID 2288 wrote to memory of 2792	2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe	32
PID 2288 wrote to memory of 2792	2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe	32
PID 2288 wrote to memory of 2160	2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe	33
PID 2288 wrote to memory of 2160	2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe	33
PID 2288 wrote to memory of 2160	2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe	33
PID 2288 wrote to memory of 2160	2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe	33
PID 2288 wrote to memory of 1844	2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe	34
PID 2288 wrote to memory of 1844	2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe	34
PID 2288 wrote to memory of 1844	2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe	34
PID 2288 wrote to memory of 1844	2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe	34
PID 2288 wrote to memory of 2348	2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe	35
PID 2288 wrote to memory of 2348	2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe	35
PID 2288 wrote to memory of 2348	2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe	35
PID 2288 wrote to memory of 2348	2288	32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe	35

C:\Users\Admin\AppData\Local\Temp\32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe
"C:\Users\Admin\AppData\Local\Temp\32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  sad
  2⤵
  PID:880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  sad
  2⤵
  PID:2792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  sad
  2⤵
  PID:2160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  sad
  2⤵
  PID:1844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  sad
  2⤵
  PID:2348

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2448

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2288-0-0x000007FEF5CF3000-0x000007FEF5CF4000-memory.dmp

Filesize
4KB

Download
memory/2288-1-0x0000000000CC0000-0x0000000000EE0000-memory.dmp

Filesize
2.1MB

Download
memory/2288-2-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/2288-3-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/2288-4-0x000007FEF5CF3000-0x000007FEF5CF4000-memory.dmp

Filesize
4KB

Download
memory/2288-5-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/2288-6-0x000000001D090000-0x000000001D178000-memory.dmp

Filesize
928KB

Download
memory/2288-48-0x000000001D090000-0x000000001D171000-memory.dmp

Filesize
900KB

Download
memory/2288-66-0x000000001D090000-0x000000001D171000-memory.dmp

Filesize
900KB

Download
memory/2288-68-0x000000001D090000-0x000000001D171000-memory.dmp

Filesize
900KB

Download
memory/2288-64-0x000000001D090000-0x000000001D171000-memory.dmp

Filesize
900KB

Download
memory/2288-62-0x000000001D090000-0x000000001D171000-memory.dmp

Filesize
900KB

Download
memory/2288-60-0x000000001D090000-0x000000001D171000-memory.dmp

Filesize
900KB

Download
memory/2288-58-0x000000001D090000-0x000000001D171000-memory.dmp

Filesize
900KB

Download
memory/2288-278-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/2288-56-0x000000001D090000-0x000000001D171000-memory.dmp

Filesize
900KB

Download
memory/2288-54-0x000000001D090000-0x000000001D171000-memory.dmp

Filesize
900KB

Download
memory/2288-52-0x000000001D090000-0x000000001D171000-memory.dmp

Filesize
900KB

Download
memory/2288-50-0x000000001D090000-0x000000001D171000-memory.dmp

Filesize
900KB

Download
memory/2288-46-0x000000001D090000-0x000000001D171000-memory.dmp

Filesize
900KB

Download
memory/2288-44-0x000000001D090000-0x000000001D171000-memory.dmp

Filesize
900KB

Download
memory/2288-42-0x000000001D090000-0x000000001D171000-memory.dmp

Filesize
900KB

Download
memory/2288-40-0x000000001D090000-0x000000001D171000-memory.dmp

Filesize
900KB

Download
memory/2288-38-0x000000001D090000-0x000000001D171000-memory.dmp

Filesize
900KB

Download
memory/2288-36-0x000000001D090000-0x000000001D171000-memory.dmp

Filesize
900KB

Download
memory/2288-34-0x000000001D090000-0x000000001D171000-memory.dmp

Filesize
900KB

Download
memory/2288-32-0x000000001D090000-0x000000001D171000-memory.dmp

Filesize
900KB

Download
memory/2288-30-0x000000001D090000-0x000000001D171000-memory.dmp

Filesize
900KB

Download
memory/2288-26-0x000000001D090000-0x000000001D171000-memory.dmp

Filesize
900KB

Download
memory/2288-24-0x000000001D090000-0x000000001D171000-memory.dmp

Filesize
900KB

Download
memory/2288-277-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download
memory/2288-23-0x000000001D090000-0x000000001D171000-memory.dmp

Filesize
900KB

Download
memory/2288-20-0x000000001D090000-0x000000001D171000-memory.dmp

Filesize
900KB

Download
memory/2288-18-0x000000001D090000-0x000000001D171000-memory.dmp

Filesize
900KB

Download
memory/2288-16-0x000000001D090000-0x000000001D171000-memory.dmp

Filesize
900KB

Download
memory/2288-70-0x000000001D090000-0x000000001D171000-memory.dmp

Filesize
900KB

Download
memory/2288-28-0x000000001D090000-0x000000001D171000-memory.dmp

Filesize
900KB

Download
memory/2288-14-0x000000001D090000-0x000000001D171000-memory.dmp

Filesize
900KB

Download
memory/2288-12-0x000000001D090000-0x000000001D171000-memory.dmp

Filesize
900KB

Download
memory/2288-10-0x000000001D090000-0x000000001D171000-memory.dmp

Filesize
900KB

Download
memory/2288-8-0x000000001D090000-0x000000001D171000-memory.dmp

Filesize
900KB

Download
memory/2288-7-0x000000001D090000-0x000000001D171000-memory.dmp

Filesize
900KB

Download
memory/2288-279-0x000007FEF5CF0000-0x000007FEF66DC000-memory.dmp

Filesize
9.9MB

Download