xworm | 6b74151930702bbabe7511fb4b73ccdc543734bad541f3a5e482912c7530bdca

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-11-2024 00:28

Target

cmd.exe
Size

67KB
MD5

7928407f9279ea20ae811608e85e9f24
SHA1

be0414ecfcda4fe76dd12c571e5c01e99a26ea57
SHA256

6b74151930702bbabe7511fb4b73ccdc543734bad541f3a5e482912c7530bdca
SHA512

9f8f3d304ccedac5705367f02ddab38c096dd65e54089eefabd21a410ba031d364c780475f8a36fcb55290d64b0a09bec83c158fd9a8e97e746f12f21572319e
SSDEEP

1536:2Jk2hB79w7NjEH3rvblWiTCj6hO9wglXS:2Jk2CpgXTblHCIOSgNS

Score

10^/10

xworm rat trojan

Family

xworm

completed-rally.gl.at.ply.gg:28996

Attributes

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2808-1-0x0000000000B30000-0x0000000000B48000-memory.dmp	family_xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	cmd.exe

C:\Users\Admin\AppData\Local\Temp\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\cmd.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2808

memory/2808-0-0x000007FEF5803000-0x000007FEF5804000-memory.dmp

Filesize
4KB

Download
memory/2808-1-0x0000000000B30000-0x0000000000B48000-memory.dmp

Filesize
96KB

Download
memory/2808-2-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2808-3-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download