xworm | 1c07f6e689a5f9e86c35ffd119a7d48e5b88dfa2139a8567a9cbd789688e4543

Analysis

max time kernel
4s
max time network
11s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
13-11-2024 13:03

Target

Bootstrapper.exe
Size

66KB
MD5

7be8713de8514848c0550e5e85fd4142
SHA1

a87cab2a8144a1039f35499f0aec2ee3e429c657
SHA256

1c07f6e689a5f9e86c35ffd119a7d48e5b88dfa2139a8567a9cbd789688e4543
SHA512

8273a387c05d89ce5da88d0c237f96b07c4d31aa450917395ec3c6c2aa4658e97a97d3e127f0221a98cd44229822d9cf0d257a5f265d698393e0703a241674a5
SSDEEP

1536:/BH0I/3zWQYgmUTX+xsmzN9bnCicAi9zAn7HW62e5OI91Y:5H0INmUKd9bnCc+z2OqOIrY

Score

10^/10

xworm rat trojan

Family

xworm

127.0.0.1:12000

23.ip.gl.ply.gg:12000

Attributes

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2332-1-0x00000000007C0000-0x00000000007D6000-memory.dmp	family_xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2332	Bootstrapper.exe

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2332

memory/2332-0-0x00007FFB882F3000-0x00007FFB882F5000-memory.dmp

Filesize
8KB

Download
memory/2332-1-0x00000000007C0000-0x00000000007D6000-memory.dmp

Filesize
88KB

Download
memory/2332-2-0x00007FFB882F0000-0x00007FFB88DB2000-memory.dmp

Filesize
10.8MB

Download
memory/2332-3-0x00007FFB882F0000-0x00007FFB88DB2000-memory.dmp

Filesize
10.8MB

Download