xworm | 765cc7c9a8a553a1aee84ce84cdcc4706cc73d84c49b2c354ce864d53cbdba40

Analysis

max time kernel
6s
max time network
7s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
08-11-2024 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

freerobux.exe
Size

300KB
MD5

271deddfd2e90b39dfd1f4990338f1ca
SHA1

b3f52883fdc471b35d21eeb7c99b42cbe16da16d
SHA256

765cc7c9a8a553a1aee84ce84cdcc4706cc73d84c49b2c354ce864d53cbdba40
SHA512

114d6e3a2106b16250ac0865dda14c6f9b8444b931c2fa749e84fca22ce6320ce3edeb07dc1dabf5a4dd02ae8a8e90ee737447f8bc012ea1d5020856105440a2
SSDEEP

3072:ehWu6gKlGmaC4CN8KI7inGK1uUg9SaJSgQ6pCtiFCz4:

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

23.ip.gl.ply.gg:7000

Attributes

Install_directory
%Public%
install_file
svchost.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0006000000044794-8.dat	family_xworm
behavioral1/memory/2324-10-0x0000000000B80000-0x0000000000B98000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 1 IoCs

pid	Process
2324	.keepme

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	.keepme

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 572 wrote to memory of 1512	572	freerobux.exe	84
PID 572 wrote to memory of 1512	572	freerobux.exe	84
PID 1512 wrote to memory of 2324	1512	cmd.exe	86
PID 1512 wrote to memory of 2324	1512	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\freerobux.exe
"C:\Users\Admin\AppData\Local\Temp\freerobux.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:572
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\.shhh.bat" && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Users\Admin\AppData\Local\Temp\.keepme
    "C:\Users\Admin\AppData\Local\Temp\.keepme"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2324

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.keepme

Filesize
73KB

MD5
d802ab864ac7306b5b9e68957fe2b419

SHA1
e77d54a944073a6f268b76985fcbf5ee7495eff2

SHA256
dcf8967f71a33d6ba5805fe4a4159b0ef2ddc3b25c90288fc0016520f9050ddd

SHA512
8d97bec2d5557e36abd1cd65a4b712254a19602399795cc53292ac9dbf51a3543aba3cec6b14ae8d2479c806f7adb0641760250bf2cc2ac71f216a5860cb88a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\.shhh.bat

Filesize
57B

MD5
cbade861cdb94418af59f05e2c2ba9d2

SHA1
b52c1e9152f513e1c5bfd0a7120d8eab5715c6fa

SHA256
690a862f8ba36d42573f9080aecd43eb6744b842cb382cee2bafdc493dae1ed4

SHA512
fbdea30ef08dfde692d7d55e6b847a49448f095ac0dc7f4cb2aa87d1a965f681397db9ff5f25beb9ad48bf61578ccefdf7191de12ea9e8faba376bca0fd89d70

Download Submit
memory/572-1-0x00007FFC25E43000-0x00007FFC25E45000-memory.dmp

Filesize
8KB

Download
memory/572-0-0x00000000006D0000-0x0000000000722000-memory.dmp

Filesize
328KB

Download
memory/2324-10-0x0000000000B80000-0x0000000000B98000-memory.dmp

Filesize
96KB

Download
memory/2324-11-0x00007FFC25E40000-0x00007FFC26902000-memory.dmp

Filesize
10.8MB

Download
memory/2324-12-0x00007FFC25E40000-0x00007FFC26902000-memory.dmp

Filesize
10.8MB

Download
memory/2324-13-0x00007FFC25E40000-0x00007FFC26902000-memory.dmp

Filesize
10.8MB

Download