xworm | 01a5a8df28b0eca2202f47d64e1a473adba2cf69c439996c775de695e1d24298

Analysis

max time kernel
1151s
max time network
1152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 09:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MalwareBytes.rar
Size

85KB
MD5

2a1954bb781875bd0ce09644777ce6bc
SHA1

d3b4f61834ff96247af0691f2e7de579dafef87f
SHA256

01a5a8df28b0eca2202f47d64e1a473adba2cf69c439996c775de695e1d24298
SHA512

47102a3a8197fbd540e0e24ec5aec173f95129e751dcc7a6c9c34a937282769a59d9c8e048378c6e8a38e618ee3f5c80283afd4d729543cc305e2ff813dc444c
SSDEEP

1536:bGxh0uggSCj8mboooFJxjyME+lznDNmqkORCGd2lO29eHv6TSjp6gRKqW:80uLSCjSPJxjyolznDNVkOzaQHR16vX

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:52825

all-virtual.gl.at.ply.gg:52825

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c44-4.dat	family_xworm
behavioral1/memory/3836-6-0x00000000003F0000-0x000000000040A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 3 IoCs

pid	Process
3836	MalwareBytes Premum V2.exe
4116	MalwareBytes Premum V2.exe
1248	MalwareBytes Premum V2.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
34	ip-api.com

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1716	7zFM.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	1716	7zFM.exe
Token: 35	1716	7zFM.exe
Token: SeRestorePrivilege	2232	7zG.exe
Token: 35	2232	7zG.exe
Token: SeSecurityPrivilege	2232	7zG.exe
Token: SeSecurityPrivilege	2232	7zG.exe
Token: SeDebugPrivilege	3836	MalwareBytes Premum V2.exe
Token: SeDebugPrivilege	4116	MalwareBytes Premum V2.exe
Token: SeDebugPrivilege	1248	MalwareBytes Premum V2.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1716	7zFM.exe
2232	7zG.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\MalwareBytes.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1716

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\MalwareBytes\" -ad -an -ai#7zMap2519:82:7zEvent15802
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2232

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2312

C:\Users\Admin\Desktop\MalwareBytes\MalwareBytes\MalwareBytes Premum V2.exe
"C:\Users\Admin\Desktop\MalwareBytes\MalwareBytes\MalwareBytes Premum V2.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\Users\Admin\Desktop\MalwareBytes\MalwareBytes\MalwareBytes Premum V2.exe
"C:\Users\Admin\Desktop\MalwareBytes\MalwareBytes\MalwareBytes Premum V2.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Users\Admin\Desktop\MalwareBytes\MalwareBytes\MalwareBytes Premum V2.exe
"C:\Users\Admin\Desktop\MalwareBytes\MalwareBytes\MalwareBytes Premum V2.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1248

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\MalwareBytes\MalwareBytes\MalwareBytes Premum V2.exe

Filesize
85KB

MD5
2eabda474bf63eed31ebcc8c5fa5b6dc

SHA1
7a058def031948a52e506c5f7825b567a074e4ca

SHA256
83c04059205c954b795fdc95f94c2801a2b183258545404696aeddb3d29aa9d8

SHA512
e91dca75c48250075db95acbfeb9bef66f452f00b175e0aa341bd46164a066aa8465391e43f2f18d2d463e14f4ebbcbdf79f54f39c249a36b732fa0d78efde32

Download Submit
memory/3836-6-0x00000000003F0000-0x000000000040A000-memory.dmp

Filesize
104KB

Download