xworm | 5a2d8236f0b085c15740c484cdcc4905cd72dd75e0b9af8d3c1566b6051bdf3f

Analysis

max time kernel
32s
max time network
33s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
09-11-2024 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

freerobuxcr.exe
Size

300KB
MD5

b058cfccc6773c1bb61bf6b357beac93
SHA1

f5ac8e27bccac0ac28dd3fd4585e12f9801dc9fa
SHA256

5a2d8236f0b085c15740c484cdcc4905cd72dd75e0b9af8d3c1566b6051bdf3f
SHA512

ea677ebd803082435228fe4d1f43d84ee4f6f81782c159a93aa318adacaf8d2b3848385ab8826cd405eb93df7dd8713facc927c4d3d333e4073acf66be5c5de5
SSDEEP

3072:jhWu6gKlGmaC4CN8KI7inGK1uUg9SaJSgQ6pCtiFCzH:

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

23.ip.gl.ply.gg:7000

Attributes

Install_directory
%Public%
install_file
svchost.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00050000000445e5-8.dat	family_xworm
behavioral1/memory/2776-10-0x0000000000810000-0x0000000000828000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 1 IoCs

pid	Process
2776	.keepme

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	.keepme

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3340 wrote to memory of 3668	3340	freerobuxcr.exe	83
PID 3340 wrote to memory of 3668	3340	freerobuxcr.exe	83
PID 3668 wrote to memory of 2776	3668	cmd.exe	85
PID 3668 wrote to memory of 2776	3668	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\freerobuxcr.exe
"C:\Users\Admin\AppData\Local\Temp\freerobuxcr.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\.shhh.bat" && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Users\Admin\AppData\Local\Temp\.keepme
    "C:\Users\Admin\AppData\Local\Temp\.keepme"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2776

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.keepme

Filesize
73KB

MD5
d802ab864ac7306b5b9e68957fe2b419

SHA1
e77d54a944073a6f268b76985fcbf5ee7495eff2

SHA256
dcf8967f71a33d6ba5805fe4a4159b0ef2ddc3b25c90288fc0016520f9050ddd

SHA512
8d97bec2d5557e36abd1cd65a4b712254a19602399795cc53292ac9dbf51a3543aba3cec6b14ae8d2479c806f7adb0641760250bf2cc2ac71f216a5860cb88a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\.shhh.bat

Filesize
57B

MD5
cbade861cdb94418af59f05e2c2ba9d2

SHA1
b52c1e9152f513e1c5bfd0a7120d8eab5715c6fa

SHA256
690a862f8ba36d42573f9080aecd43eb6744b842cb382cee2bafdc493dae1ed4

SHA512
fbdea30ef08dfde692d7d55e6b847a49448f095ac0dc7f4cb2aa87d1a965f681397db9ff5f25beb9ad48bf61578ccefdf7191de12ea9e8faba376bca0fd89d70

Download Submit
memory/2776-10-0x0000000000810000-0x0000000000828000-memory.dmp

Filesize
96KB

Download
memory/2776-11-0x00007FFFA6AF0000-0x00007FFFA75B2000-memory.dmp

Filesize
10.8MB

Download
memory/2776-12-0x00007FFFA6AF0000-0x00007FFFA75B2000-memory.dmp

Filesize
10.8MB

Download
memory/2776-13-0x00007FFFA6AF0000-0x00007FFFA75B2000-memory.dmp

Filesize
10.8MB

Download
memory/3340-0-0x00007FFFA6AF3000-0x00007FFFA6AF5000-memory.dmp

Filesize
8KB

Download
memory/3340-1-0x0000000000540000-0x0000000000592000-memory.dmp

Filesize
328KB

Download