Analysis
-
max time kernel
1374s -
max time network
1433s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
10-11-2024 19:31
General
-
Target
j.exe
-
Size
71KB
-
MD5
6d55a0493e6e8f1a2e0ec995c324ab29
-
SHA1
ed80ed33d8a734781ef08c910e003cdcd91e4aa1
-
SHA256
a7b8576266881ec2590c44442a926775d33a625d16b8d0fe44a1395b0f280940
-
SHA512
0a499ea53cc5988045e03988e94b2feaaf8c4cf0bcad3ef4d3db576baa366e0d2780a2c251a7878afc695fe2204651605a930662708ea49f338c1f649b584fda
-
SSDEEP
1536:/0MIMB+eYmFquclqb5xvNFrXjA+6BA2AONfNbgiz:8M1YmFaqb5VXjvONNDz
Malware Config
Extracted
Family
xworm
C2
127.0.0.1:15863
Attributes
-
Install_directory
%AppData%
-
install_file
client.exe
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral1/memory/472-1-0x0000000000940000-0x0000000000958000-memory.dmp family_xworm -
Xworm family
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 13 ip-api.com -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 472 j.exe