xworm | c1bb62643465be92b8fec645004bacf1f7ea0709f60c116a153f10f5e1856cea

Analysis

max time kernel
15s
max time network
17s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
08-11-2024 12:33

Target

Nursultan.exe
Size

70KB
MD5

f4de079f64577635c8404dcec009b1fa
SHA1

89663b0b9fa16e73889e10e33a258decae8c2709
SHA256

393052f438e1ed16b3218afd780370ad6df6e04b2af6bc20428d66b9f133440d
SHA512

36dac74a2ca921790532328954c109f589979d8a78cda50c292801391da77fbaf6202567b6333f14037de27737ac8618780c6c72dcc645e760e97aca51e47157
SSDEEP

1536:UbmNTNwxuVoPGfEfcIhX8JbE2d5AlZFm6Ew7XWiOtapfJgx:bNTNRwGfEfvhabE2IFsw7XFOgwx

Score

10^/10

xworm rat trojan

Family

xworm

various-significance.gl.at.ply.gg:43319

Attributes

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/772-1-0x00000000010F0000-0x0000000001108000-memory.dmp	family_xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	772	Nursultan.exe

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:772

memory/772-0-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

Filesize
4KB

Download
memory/772-1-0x00000000010F0000-0x0000000001108000-memory.dmp

Filesize
96KB

Download
memory/772-2-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/772-3-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download