xworm | 1cf27bfcdb279bd23c72faac71d8c6383348cbe16171902a81f17e2bcede7306

Analysis

max time kernel
94s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 20:13

Target

svhost.exe
Size

61KB
MD5

8d6f357911a99d9fa734802276bf7f1e
SHA1

354259028bbe3dd1dc856cbe04fc1ddd2790d18a
SHA256

1cf27bfcdb279bd23c72faac71d8c6383348cbe16171902a81f17e2bcede7306
SHA512

e810e9fae0035342e18e0204015502d90f2c0a4713b74a19682c59c5cd537a691ad5e941ea2b47e89f9cfaa672ec95cb02a405cff75efe2be819673284befdfe
SSDEEP

1536:9Zg/XaUy6lFxxXf9bjJDDGndC6NeDOAw3J:Qys9XVbR+dgOAY

Score

10^/10

xworm rat trojan

Family

xworm

127.0.0.1:55437

22.ip.gl.ply.gg:55437

Attributes

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2572-1-0x0000000000F60000-0x0000000000F76000-memory.dmp	family_xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2572	svhost.exe

C:\Users\Admin\AppData\Local\Temp\svhost.exe
"C:\Users\Admin\AppData\Local\Temp\svhost.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2572

memory/2572-0-0x00007FFC37523000-0x00007FFC37525000-memory.dmp

Filesize
8KB

Download
memory/2572-1-0x0000000000F60000-0x0000000000F76000-memory.dmp

Filesize
88KB

Download
memory/2572-2-0x00007FFC37520000-0x00007FFC37FE1000-memory.dmp

Filesize
10.8MB

Download
memory/2572-3-0x00007FFC37520000-0x00007FFC37FE1000-memory.dmp

Filesize
10.8MB

Download