xworm | 5cc211a9596ae27be5cf99949a2dc7c1953140569c83848dd5628a1799479c2f

Analysis

max time kernel
97s
max time network
144s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
03-11-2024 05:47

Target

BootStrapper.exe
Size

63KB
MD5

c0fd9d3438390b8805ee4c259f2e4515
SHA1

d00f9e027be92d9df954818e69605a65c72d3e67
SHA256

5cc211a9596ae27be5cf99949a2dc7c1953140569c83848dd5628a1799479c2f
SHA512

1603fbf5409a0b5037573570f0ebeaa90be38953166535e3ab51d96760577011d64bd7aeb3798f805daca971cca67b141b00b215504589f5c8ddcf112fe7c38f
SSDEEP

1536:h5MY1tGpAzDlx/Ya5HbusBJu062uOCrMLdPm:XMYDrnbueurOCrQm

Score

10^/10

xworm rat trojan

Family

xworm

where-reverse.gl.at.ply.gg:18649

Attributes

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/3736-1-0x0000000000750000-0x0000000000766000-memory.dmp	family_xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3736	BootStrapper.exe

C:\Users\Admin\AppData\Local\Temp\BootStrapper.exe
"C:\Users\Admin\AppData\Local\Temp\BootStrapper.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3736

memory/3736-0-0x00007FFB92FB3000-0x00007FFB92FB5000-memory.dmp

Filesize
8KB

Download
memory/3736-1-0x0000000000750000-0x0000000000766000-memory.dmp

Filesize
88KB

Download
memory/3736-2-0x00007FFB92FB0000-0x00007FFB93A72000-memory.dmp

Filesize
10.8MB

Download
memory/3736-3-0x00007FFB92FB0000-0x00007FFB93A72000-memory.dmp

Filesize
10.8MB

Download