xworm | d0bfdd6edc8dcadd18684351edbd1c517d1bf16645efa8ab7c42cf6c831307e8

Analysis

max time kernel
94s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0bfdd6edc8dcadd18684351edbd1c517d1bf16645efa8ab7c42cf6c831307e8.exe
Size

292KB
MD5

a6af62488d46c4546b3b9db4ce117ea6
SHA1

ee3fbb6d6490450500ce960fa311f4582ec16b99
SHA256

d0bfdd6edc8dcadd18684351edbd1c517d1bf16645efa8ab7c42cf6c831307e8
SHA512

e1af114a25882a1dd1691ffca31f9bf263b6264b45b06cb2c90ea7d9229c66b43ea232f9c7c2daaf8b5bc173bd65e7cdfe5927d4d7ec3f0531ef74b2da6edae7
SSDEEP

3072:CbpkJuuEpKi6m/PJivSaAFOg7lkjcWVig058YbEASbod9bt/:C

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

23.ip.gl.ply.gg:7000

Attributes

Install_directory
%Public%
install_file
svchost.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023c68-8.dat	family_xworm
behavioral2/memory/4664-10-0x0000000000210000-0x0000000000228000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 1 IoCs

pid	Process
4664	.keepme

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4664	.keepme

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 2544	4324	d0bfdd6edc8dcadd18684351edbd1c517d1bf16645efa8ab7c42cf6c831307e8.exe	84
PID 4324 wrote to memory of 2544	4324	d0bfdd6edc8dcadd18684351edbd1c517d1bf16645efa8ab7c42cf6c831307e8.exe	84
PID 2544 wrote to memory of 4664	2544	cmd.exe	85
PID 2544 wrote to memory of 4664	2544	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\d0bfdd6edc8dcadd18684351edbd1c517d1bf16645efa8ab7c42cf6c831307e8.exe
"C:\Users\Admin\AppData\Local\Temp\d0bfdd6edc8dcadd18684351edbd1c517d1bf16645efa8ab7c42cf6c831307e8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\.shhh.bat" && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Users\Admin\AppData\Local\Temp\.keepme
    "C:\Users\Admin\AppData\Local\Temp\.keepme"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.keepme

Filesize
71KB

MD5
5dcabac99e75c26966103e37d2d34fff

SHA1
ee5ff56baaa7c854034a1952df3aebcb9051e2d9

SHA256
889f0dbaf5641f17b2fff411473f75c62b551d11bedf4bb16b191f78f38a99e2

SHA512
ec38e9bee65d3ad6ff31c1381a7e7b646544c44c3c944f387e02b7d1825cadf4fe0dfd7d914fa7872f8ba8b2862c0861eae91fce129ef30299afda639681f127

Download Submit
C:\Users\Admin\AppData\Local\Temp\.shhh.bat

Filesize
57B

MD5
cbade861cdb94418af59f05e2c2ba9d2

SHA1
b52c1e9152f513e1c5bfd0a7120d8eab5715c6fa

SHA256
690a862f8ba36d42573f9080aecd43eb6744b842cb382cee2bafdc493dae1ed4

SHA512
fbdea30ef08dfde692d7d55e6b847a49448f095ac0dc7f4cb2aa87d1a965f681397db9ff5f25beb9ad48bf61578ccefdf7191de12ea9e8faba376bca0fd89d70

Download Submit
memory/4324-0-0x00007FFFE13C3000-0x00007FFFE13C5000-memory.dmp

Filesize
8KB

Download
memory/4324-1-0x00000000005B0000-0x0000000000600000-memory.dmp

Filesize
320KB

Download
memory/4664-10-0x0000000000210000-0x0000000000228000-memory.dmp

Filesize
96KB

Download
memory/4664-11-0x00007FFFE13C0000-0x00007FFFE1E81000-memory.dmp

Filesize
10.8MB

Download
memory/4664-12-0x00007FFFE13C0000-0x00007FFFE1E81000-memory.dmp

Filesize
10.8MB

Download
memory/4664-13-0x00007FFFE13C0000-0x00007FFFE1E81000-memory.dmp

Filesize
10.8MB

Download