xworm | 468a5e025514fd974528d09e6bbef2d90b64c82cb99a7e849c8dc6ef09c2df1a

Analysis

max time kernel
94s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

468a5e025514fd974528d09e6bbef2d90b64c82cb99a7e849c8dc6ef09c2df1a.exe
Size

293KB
MD5

857bfacd75f6fce15633c5c7d5e505c0
SHA1

90eb6c2c7deecfa9a543f498ae32cc7229ed029e
SHA256

468a5e025514fd974528d09e6bbef2d90b64c82cb99a7e849c8dc6ef09c2df1a
SHA512

fcbb982c1e8301994054caf4fb887b4cce7e3c7ff514d9927cc2c542e5842edd588f8d00e279d89d5d606b6fb275bfb81a9ceae69dac74fc0b947eef763bfe84
SSDEEP

3072:GpkJuuEpKi6m/PJivSaAFOg7lkjcWVig058YbEASbod9btx:

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

23.ip.gl.ply.gg:7000

Attributes

Install_directory
%Public%
install_file
svchost.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023cc0-8.dat	family_xworm
behavioral2/memory/4820-10-0x0000000000DC0000-0x0000000000DD8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 1 IoCs

pid	Process
4820	.keepme

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4820	.keepme

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 2160	744	468a5e025514fd974528d09e6bbef2d90b64c82cb99a7e849c8dc6ef09c2df1a.exe	85
PID 744 wrote to memory of 2160	744	468a5e025514fd974528d09e6bbef2d90b64c82cb99a7e849c8dc6ef09c2df1a.exe	85
PID 2160 wrote to memory of 4820	2160	cmd.exe	86
PID 2160 wrote to memory of 4820	2160	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\468a5e025514fd974528d09e6bbef2d90b64c82cb99a7e849c8dc6ef09c2df1a.exe
"C:\Users\Admin\AppData\Local\Temp\468a5e025514fd974528d09e6bbef2d90b64c82cb99a7e849c8dc6ef09c2df1a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:744
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\.shhh.bat" && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Users\Admin\AppData\Local\Temp\.keepme
    "C:\Users\Admin\AppData\Local\Temp\.keepme"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.keepme

Filesize
71KB

MD5
5dcabac99e75c26966103e37d2d34fff

SHA1
ee5ff56baaa7c854034a1952df3aebcb9051e2d9

SHA256
889f0dbaf5641f17b2fff411473f75c62b551d11bedf4bb16b191f78f38a99e2

SHA512
ec38e9bee65d3ad6ff31c1381a7e7b646544c44c3c944f387e02b7d1825cadf4fe0dfd7d914fa7872f8ba8b2862c0861eae91fce129ef30299afda639681f127

Download Submit
C:\Users\Admin\AppData\Local\Temp\.shhh.bat

Filesize
57B

MD5
cbade861cdb94418af59f05e2c2ba9d2

SHA1
b52c1e9152f513e1c5bfd0a7120d8eab5715c6fa

SHA256
690a862f8ba36d42573f9080aecd43eb6744b842cb382cee2bafdc493dae1ed4

SHA512
fbdea30ef08dfde692d7d55e6b847a49448f095ac0dc7f4cb2aa87d1a965f681397db9ff5f25beb9ad48bf61578ccefdf7191de12ea9e8faba376bca0fd89d70

Download Submit
memory/744-0-0x0000000000E80000-0x0000000000ED0000-memory.dmp

Filesize
320KB

Download
memory/744-1-0x00007FFEC7053000-0x00007FFEC7055000-memory.dmp

Filesize
8KB

Download
memory/4820-10-0x0000000000DC0000-0x0000000000DD8000-memory.dmp

Filesize
96KB

Download
memory/4820-11-0x00007FFEC7050000-0x00007FFEC7B11000-memory.dmp

Filesize
10.8MB

Download
memory/4820-12-0x00007FFEC7050000-0x00007FFEC7B11000-memory.dmp

Filesize
10.8MB

Download
memory/4820-13-0x00007FFEC7050000-0x00007FFEC7B11000-memory.dmp

Filesize
10.8MB

Download