Analysis

  • max time kernel
    98s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-11-2024 23:39

General

  • Target

    9a63a14144f2bbaf883b43c46901542175d8dd2307b73f5ebb093862956ec623N.exe

  • Size

    46KB

  • MD5

    54fa6eae2fb6549957db7394336bca10

  • SHA1

    7bbcbe664d21783ad0cd1b6122769a5f190e0dd9

  • SHA256

    9a63a14144f2bbaf883b43c46901542175d8dd2307b73f5ebb093862956ec623

  • SHA512

    67ee16402021257455a40024eded654e70a3e911c453333c9a8a2453a1d775542587c22e8f158656fac7cbd5f9c1dc37bcb3002849a9ff0f3c582c636b152627

  • SSDEEP

    768:a0RbMun94y2fpX8BbmNm0Y/QL/r8bWgWzL4moXMnkbAj43/odKbD8O7h8SjvgC:3bMun94y2fSBbmYj/Q3aYr1kbAj43CKx

Score
10/10

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:7777

leave-ages.gl.at.ply.gg:7777

Attributes
  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a63a14144f2bbaf883b43c46901542175d8dd2307b73f5ebb093862956ec623N.exe
    "C:\Users\Admin\AppData\Local\Temp\9a63a14144f2bbaf883b43c46901542175d8dd2307b73f5ebb093862956ec623N.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1868-0-0x00007FFEAEFA3000-0x00007FFEAEFA5000-memory.dmp

    Filesize

    8KB

  • memory/1868-1-0x00000000003B0000-0x00000000003C2000-memory.dmp

    Filesize

    72KB

  • memory/1868-2-0x00007FFEAEFA0000-0x00007FFEAFA61000-memory.dmp

    Filesize

    10.8MB

  • memory/1868-3-0x00007FFEAEFA0000-0x00007FFEAFA61000-memory.dmp

    Filesize

    10.8MB