xworm | 62de8e9d8356c9f4ffe699f49b46b87f604c9e705bca06bf589d9d3a615876c8

Analysis

max time kernel
1879s
max time network
2602s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
13-11-2024 04:53

Target

XClient.exe
Size

174KB
MD5

8df6a0d67de286bef456b0356a789a1b
SHA1

85b4c2be7a0757e826b336b5b116cc77f51e1c11
SHA256

62de8e9d8356c9f4ffe699f49b46b87f604c9e705bca06bf589d9d3a615876c8
SHA512

c6473d07ccc5e904ea738ef76a6a95eaa3335813bdedd78b6395f21958db55375a3cdf19e1b4ec235d9cf391f45dede9ef16e11ab49d9bf3b9aea906064714e1
SSDEEP

3072:fdCUlJRbpm8TOaO16JGnBz65/M6If+3Js+3JFkKeTno:fdRl/bpdOoJGnxBt25

Score

10^/10

xworm rat trojan

Family

xworm

request-rapidly.gl.at.ply.gg:56303

Attributes

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/232-1-0x0000000000EB0000-0x0000000000EE2000-memory.dmp	family_xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	232	XClient.exe
Token: 33	3268	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3268	AUDIODG.EXE

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:232

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x16c 0x2f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3268

memory/232-0-0x00007FF891683000-0x00007FF891685000-memory.dmp

Filesize
8KB

Download
memory/232-1-0x0000000000EB0000-0x0000000000EE2000-memory.dmp

Filesize
200KB

Download
memory/232-2-0x00007FF891680000-0x00007FF892142000-memory.dmp

Filesize
10.8MB

Download
memory/232-3-0x00007FF891680000-0x00007FF892142000-memory.dmp

Filesize
10.8MB

Download