xworm | dedd4c249a6a78e8e2603e7bf8227bbcd1dcca0e0f272ec204cf4a1a61dae7d9

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
07/11/2024, 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FullOption_2.1Xenos.exe
Size

4.0MB
MD5

c442a9b9299246b2e5683641a4341641
SHA1

31f41c27ceacc503f33ea72c1ac7c077bc5d9235
SHA256

dedd4c249a6a78e8e2603e7bf8227bbcd1dcca0e0f272ec204cf4a1a61dae7d9
SHA512

fc605adcf43c6f4ae4b4903cf1ba43bc447ddecbbaa8e412845b0ddfee4b36be55e32b42b3005c7c67bb59f5f2a4c9271baa97eb497c4998883f7e69ec8bdd36
SSDEEP

98304:mer3mJdJ0Gz+yQ3zkgHC3lD1qhPEeXkZGRaGxOJx1/q:jSJdJrz+yOkg8BQPfXYoI1

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

45.141.27.248:7777

Attributes

Install_directory
%ProgramData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000015d41-9.dat	family_xworm
behavioral1/memory/2760-12-0x0000000000150000-0x0000000000168000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 2 IoCs

pid	Process
1912	FullOption_2.1Xenos.exe
2760	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
2592	FullOption_2.1Xenos.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 1912	2592	FullOption_2.1Xenos.exe	30
PID 2592 wrote to memory of 1912	2592	FullOption_2.1Xenos.exe	30
PID 2592 wrote to memory of 1912	2592	FullOption_2.1Xenos.exe	30
PID 2592 wrote to memory of 2760	2592	FullOption_2.1Xenos.exe	31
PID 2592 wrote to memory of 2760	2592	FullOption_2.1Xenos.exe	31
PID 2592 wrote to memory of 2760	2592	FullOption_2.1Xenos.exe	31

C:\Users\Admin\AppData\Local\Temp\FullOption_2.1Xenos.exe
"C:\Users\Admin\AppData\Local\Temp\FullOption_2.1Xenos.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Users\Admin\AppData\Roaming\FullOption_2.1Xenos.exe
  "C:\Users\Admin\AppData\Roaming\FullOption_2.1Xenos.exe"
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
73KB

MD5
12b722899c9a6b517d52b8de2c7c3e2e

SHA1
a92dbc8edd02adeeab5fa9c0e2a884a84a315fe5

SHA256
57ec7bca087dd678bef5aeaaa52f4f393d63613976701e6a111015fb7f9f1b6c

SHA512
f7b56b96a2dcda223668d82bc8dd7c5a0e7e5786aacad6a0bec809e8525e383b9a85f9e834cf29636fcdb84cce97cf4ad996f9d2cc827c189a2c06baec661a53

Download Submit
\Users\Admin\AppData\Roaming\FullOption_2.1Xenos.exe

Filesize
3.9MB

MD5
2f6e9c0dd1c6859a9d6e7acea1db9ac0

SHA1
b0dcd2be62b6a559e479de7745ab0988b8b30522

SHA256
122e3cb0f2ad233d1a364911d433667e7778f00d9a7d10b954c994f4e8093d1f

SHA512
fe3634f46afd5b45f0ffc721a18b5ef1b1344b548f90b8c54ea6995e3d64b7394b56c681b1a0522b67e862fce9d8333b621612a2f03708e7dbc917a28c58c15d

Download Submit
memory/2592-0-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp

Filesize
4KB

Download
memory/2592-1-0x0000000001320000-0x000000000171E000-memory.dmp

Filesize
4.0MB

Download
memory/2760-12-0x0000000000150000-0x0000000000168000-memory.dmp

Filesize
96KB

Download
memory/2760-13-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/2760-14-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/2760-15-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download