xworm | 3708e11d66b51b2e3b8881e815ab53579ac1f864a158cea1011b1a943149de3e

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/11/2024, 12:30

Target

3708e11d66b51b2e3b8881e815ab53579ac1f864a158cea1011b1a943149de3eN.exe
Size

113KB
MD5

b645a9fd6e1d775085c66632c7550cf0
SHA1

0ff50b1f08985123888e205224ac7e4992e0ffdb
SHA256

3708e11d66b51b2e3b8881e815ab53579ac1f864a158cea1011b1a943149de3e
SHA512

daa3a72001a5d613cf646cfebd43faf8ca8c8e221ae1a3facb36b8eeada5da4024f8e2a24b471614b1cf5b6657aeb691851eb95f23f7a0f933ca6f9ceb65190d
SSDEEP

1536:GMlhc/2KCQ/KEoDOfigkZbt0wN6EO2Sdfdq5:PGHr/QOfirbthO2Ydq5

Score

10^/10

xworm rat trojan

Family

xworm

sell-oc.gl.at.ply.gg:48959

Attributes

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2544-1-0x0000000001370000-0x0000000001392000-memory.dmp	family_xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2544	3708e11d66b51b2e3b8881e815ab53579ac1f864a158cea1011b1a943149de3eN.exe

C:\Users\Admin\AppData\Local\Temp\3708e11d66b51b2e3b8881e815ab53579ac1f864a158cea1011b1a943149de3eN.exe
"C:\Users\Admin\AppData\Local\Temp\3708e11d66b51b2e3b8881e815ab53579ac1f864a158cea1011b1a943149de3eN.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2544

memory/2544-0-0x000007FEF5B63000-0x000007FEF5B64000-memory.dmp

Filesize
4KB

Download
memory/2544-1-0x0000000001370000-0x0000000001392000-memory.dmp

Filesize
136KB

Download
memory/2544-2-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/2544-3-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download