xworm | 3708e11d66b51b2e3b8881e815ab53579ac1f864a158cea1011b1a943149de3e

Analysis

max time kernel
93s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/11/2024, 12:30

Target

3708e11d66b51b2e3b8881e815ab53579ac1f864a158cea1011b1a943149de3eN.exe
Size

113KB
MD5

b645a9fd6e1d775085c66632c7550cf0
SHA1

0ff50b1f08985123888e205224ac7e4992e0ffdb
SHA256

3708e11d66b51b2e3b8881e815ab53579ac1f864a158cea1011b1a943149de3e
SHA512

daa3a72001a5d613cf646cfebd43faf8ca8c8e221ae1a3facb36b8eeada5da4024f8e2a24b471614b1cf5b6657aeb691851eb95f23f7a0f933ca6f9ceb65190d
SSDEEP

1536:GMlhc/2KCQ/KEoDOfigkZbt0wN6EO2Sdfdq5:PGHr/QOfirbthO2Ydq5

Score

10^/10

xworm rat trojan

Family

xworm

sell-oc.gl.at.ply.gg:48959

Attributes

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2228-1-0x0000000000E70000-0x0000000000E92000-memory.dmp	family_xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	3708e11d66b51b2e3b8881e815ab53579ac1f864a158cea1011b1a943149de3eN.exe

C:\Users\Admin\AppData\Local\Temp\3708e11d66b51b2e3b8881e815ab53579ac1f864a158cea1011b1a943149de3eN.exe
"C:\Users\Admin\AppData\Local\Temp\3708e11d66b51b2e3b8881e815ab53579ac1f864a158cea1011b1a943149de3eN.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2228

memory/2228-0-0x00007FFA81483000-0x00007FFA81485000-memory.dmp

Filesize
8KB

Download
memory/2228-1-0x0000000000E70000-0x0000000000E92000-memory.dmp

Filesize
136KB

Download
memory/2228-2-0x00007FFA81480000-0x00007FFA81F41000-memory.dmp

Filesize
10.8MB

Download
memory/2228-3-0x00007FFA81480000-0x00007FFA81F41000-memory.dmp

Filesize
10.8MB

Download