xworm | d96ba77a6038e8ee3d5a03fd69affbdfe0b36ab074b92320d263da75b1b2d32a

Analysis

max time kernel
93s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Impulse Spoof.exe
Size

33KB
MD5

c295fde2ff84c9adbf62426ffa094265
SHA1

e37a13c0d53726526df331d9c5013514bbe6f18b
SHA256

d96ba77a6038e8ee3d5a03fd69affbdfe0b36ab074b92320d263da75b1b2d32a
SHA512

5332daac116fc882ab6427681c2418abcfe507df6e0d1e73cf97748b3ad1a1fb46097cfaae552fcf7d5b7fbb4f87ea4c6f4e7b221b6bd83850b6f7504cad063f
SSDEEP

384:Sl8UlK/V9FoBZ9aZV0NLx7o92lKZaJZvf/95ApkFy7BLT/OZwpGmTv99Ikciszjo:aO/VMOGxwgJZvn9dFyJ9FCj4LOjhwJV

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

sep-framing.gl.at.ply.gg:61526

Mutex

Q67Vx5bQ2jgfNOaG

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/916-1-0x00000000007D0000-0x00000000007DE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2284	timeout.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	916	Impulse Spoof.exe
Token: SeDebugPrivilege	916	Impulse Spoof.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 536	916	Impulse Spoof.exe	96
PID 916 wrote to memory of 536	916	Impulse Spoof.exe	96
PID 536 wrote to memory of 2284	536	cmd.exe	98
PID 536 wrote to memory of 2284	536	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\Impulse Spoof.exe
"C:\Users\Admin\AppData\Local\Temp\Impulse Spoof.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA42A.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA42A.tmp.bat

Filesize
165B

MD5
c043b1e706fa8e79f05540891bf6b353

SHA1
a7e0731dd7774b9d89d490b59cd780fd2102f986

SHA256
f86aa13b95699ff3c42c4959e2bb5ba18532ccef7fecc17f8618d62a91ee0fdd

SHA512
f47ed9cb8b9e9b3139a7fee5a0ff29df67c5f12d3cd3fab6d60f5b60740f1ddde900d8d0811710e47f5302becf9ee098dd69bba0a0e0d503758941e7823ca253

Download Submit
memory/916-0-0x00007FFB39E23000-0x00007FFB39E25000-memory.dmp

Filesize
8KB

Download
memory/916-1-0x00000000007D0000-0x00000000007DE000-memory.dmp

Filesize
56KB

Download
memory/916-2-0x00007FFB39E20000-0x00007FFB3A8E1000-memory.dmp

Filesize
10.8MB

Download
memory/916-3-0x00007FFB39E23000-0x00007FFB39E25000-memory.dmp

Filesize
8KB

Download
memory/916-4-0x00007FFB39E20000-0x00007FFB3A8E1000-memory.dmp

Filesize
10.8MB

Download
memory/916-9-0x00007FFB39E20000-0x00007FFB3A8E1000-memory.dmp

Filesize
10.8MB

Download