xworm | 468a5e025514fd974528d09e6bbef2d90b64c82cb99a7e849c8dc6ef09c2df1a

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10-11-2024 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

468a5e025514fd974528d09e6bbef2d90b64c82cb99a7e849c8dc6ef09c2df1a.exe
Size

293KB
MD5

857bfacd75f6fce15633c5c7d5e505c0
SHA1

90eb6c2c7deecfa9a543f498ae32cc7229ed029e
SHA256

468a5e025514fd974528d09e6bbef2d90b64c82cb99a7e849c8dc6ef09c2df1a
SHA512

fcbb982c1e8301994054caf4fb887b4cce7e3c7ff514d9927cc2c542e5842edd588f8d00e279d89d5d606b6fb275bfb81a9ceae69dac74fc0b947eef763bfe84
SSDEEP

3072:GpkJuuEpKi6m/PJivSaAFOg7lkjcWVig058YbEASbod9btx:

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

23.ip.gl.ply.gg:7000

Attributes

Install_directory
%Public%
install_file
svchost.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000f000000012782-8.dat	family_xworm
behavioral1/memory/2216-10-0x0000000000B50000-0x0000000000B68000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 1 IoCs

pid	Process
2216	.keepme

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2216	.keepme

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2864	2412	468a5e025514fd974528d09e6bbef2d90b64c82cb99a7e849c8dc6ef09c2df1a.exe	33
PID 2412 wrote to memory of 2864	2412	468a5e025514fd974528d09e6bbef2d90b64c82cb99a7e849c8dc6ef09c2df1a.exe	33
PID 2412 wrote to memory of 2864	2412	468a5e025514fd974528d09e6bbef2d90b64c82cb99a7e849c8dc6ef09c2df1a.exe	33
PID 2864 wrote to memory of 2216	2864	cmd.exe	34
PID 2864 wrote to memory of 2216	2864	cmd.exe	34
PID 2864 wrote to memory of 2216	2864	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\468a5e025514fd974528d09e6bbef2d90b64c82cb99a7e849c8dc6ef09c2df1a.exe
"C:\Users\Admin\AppData\Local\Temp\468a5e025514fd974528d09e6bbef2d90b64c82cb99a7e849c8dc6ef09c2df1a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\.shhh.bat" && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Users\Admin\AppData\Local\Temp\.keepme
    "C:\Users\Admin\AppData\Local\Temp\.keepme"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2216

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.keepme

Filesize
71KB

MD5
5dcabac99e75c26966103e37d2d34fff

SHA1
ee5ff56baaa7c854034a1952df3aebcb9051e2d9

SHA256
889f0dbaf5641f17b2fff411473f75c62b551d11bedf4bb16b191f78f38a99e2

SHA512
ec38e9bee65d3ad6ff31c1381a7e7b646544c44c3c944f387e02b7d1825cadf4fe0dfd7d914fa7872f8ba8b2862c0861eae91fce129ef30299afda639681f127

Download Submit
C:\Users\Admin\AppData\Local\Temp\.shhh.bat

Filesize
57B

MD5
cbade861cdb94418af59f05e2c2ba9d2

SHA1
b52c1e9152f513e1c5bfd0a7120d8eab5715c6fa

SHA256
690a862f8ba36d42573f9080aecd43eb6744b842cb382cee2bafdc493dae1ed4

SHA512
fbdea30ef08dfde692d7d55e6b847a49448f095ac0dc7f4cb2aa87d1a965f681397db9ff5f25beb9ad48bf61578ccefdf7191de12ea9e8faba376bca0fd89d70

Download Submit
memory/2216-10-0x0000000000B50000-0x0000000000B68000-memory.dmp

Filesize
96KB

Download
memory/2216-11-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/2216-12-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/2216-13-0x000007FEF56A0000-0x000007FEF608C000-memory.dmp

Filesize
9.9MB

Download
memory/2412-0-0x000007FEF56A3000-0x000007FEF56A4000-memory.dmp

Filesize
4KB

Download
memory/2412-1-0x0000000000C80000-0x0000000000CD0000-memory.dmp

Filesize
320KB

Download