xworm | d247cef9a16acfbe133b01295412093b56ef0d26d8a10f6e9b72cb31d6e8db10

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-11-2024 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d247cef9a16acfbe133b01295412093b56ef0d26d8a10f6e9b72cb31d6e8db10.exe
Size

292KB
MD5

a25ea5ab2a959e8fbefe0724f1bb5b5b
SHA1

49208ffd7c4a5a6df5336f1269f2fa7aeef5fe18
SHA256

d247cef9a16acfbe133b01295412093b56ef0d26d8a10f6e9b72cb31d6e8db10
SHA512

4870b56c286516bf97e4ca8cd232a5978f423c2d3a971218866ad8ce50e68fd382b7d97f5fe8fb443a99d5d99971f75a09524526536e292d258831abd12d88b4
SSDEEP

3072:MpkJuuEpKi6m/PJivSaAFOg7lkjcWVig058YbEASbod9btH:

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

23.ip.gl.ply.gg:7000

Attributes

Install_directory
%Public%
install_file
svchost.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000d000000023b8e-9.dat	family_xworm
behavioral2/memory/4832-10-0x0000000000D20000-0x0000000000D38000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 1 IoCs

pid	Process
4832	.keepme

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4832	.keepme

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 3848	2524	d247cef9a16acfbe133b01295412093b56ef0d26d8a10f6e9b72cb31d6e8db10.exe	85
PID 2524 wrote to memory of 3848	2524	d247cef9a16acfbe133b01295412093b56ef0d26d8a10f6e9b72cb31d6e8db10.exe	85
PID 3848 wrote to memory of 4832	3848	cmd.exe	86
PID 3848 wrote to memory of 4832	3848	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\d247cef9a16acfbe133b01295412093b56ef0d26d8a10f6e9b72cb31d6e8db10.exe
"C:\Users\Admin\AppData\Local\Temp\d247cef9a16acfbe133b01295412093b56ef0d26d8a10f6e9b72cb31d6e8db10.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\.shhh.bat" && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3848
- - C:\Users\Admin\AppData\Local\Temp\.keepme
    "C:\Users\Admin\AppData\Local\Temp\.keepme"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.keepme

Filesize
71KB

MD5
5dcabac99e75c26966103e37d2d34fff

SHA1
ee5ff56baaa7c854034a1952df3aebcb9051e2d9

SHA256
889f0dbaf5641f17b2fff411473f75c62b551d11bedf4bb16b191f78f38a99e2

SHA512
ec38e9bee65d3ad6ff31c1381a7e7b646544c44c3c944f387e02b7d1825cadf4fe0dfd7d914fa7872f8ba8b2862c0861eae91fce129ef30299afda639681f127

Download Submit
C:\Users\Admin\AppData\Local\Temp\.shhh.bat

Filesize
57B

MD5
cbade861cdb94418af59f05e2c2ba9d2

SHA1
b52c1e9152f513e1c5bfd0a7120d8eab5715c6fa

SHA256
690a862f8ba36d42573f9080aecd43eb6744b842cb382cee2bafdc493dae1ed4

SHA512
fbdea30ef08dfde692d7d55e6b847a49448f095ac0dc7f4cb2aa87d1a965f681397db9ff5f25beb9ad48bf61578ccefdf7191de12ea9e8faba376bca0fd89d70

Download Submit
memory/2524-0-0x00007FF868443000-0x00007FF868445000-memory.dmp

Filesize
8KB

Download
memory/2524-1-0x00000000005D0000-0x0000000000620000-memory.dmp

Filesize
320KB

Download
memory/4832-10-0x0000000000D20000-0x0000000000D38000-memory.dmp

Filesize
96KB

Download
memory/4832-11-0x00007FF868440000-0x00007FF868F01000-memory.dmp

Filesize
10.8MB

Download
memory/4832-12-0x00007FF868440000-0x00007FF868F01000-memory.dmp

Filesize
10.8MB

Download
memory/4832-13-0x00007FF868440000-0x00007FF868F01000-memory.dmp

Filesize
10.8MB

Download