xworm | 2c524e8d66efbb3ab6918c97a21cb8a2a5b4ae3cec3e29212384597c56c1f1b8

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 14:53

Target

COuRt.exe
Size

33KB
MD5

6288b5d55cae147b10d8116d0a103f61
SHA1

5d6ebbffbfbc5e7a9e773051b66957b079d57e79
SHA256

2c524e8d66efbb3ab6918c97a21cb8a2a5b4ae3cec3e29212384597c56c1f1b8
SHA512

96f440e75817e3623c4771389559eecb5bb093e92a3ad0b764963ca648ffeaee58f08943939f10901d7deb40b8f1aa97df01402e4689b0323fd72070fa67cbbd
SSDEEP

384:kl+PkjD9+E5MFs7iui8L7zdM42pfL3iB7OxVqW9SRApkFXBLTsOZwpGN2v99Ikuv:Q+CD93W03C42JiB70qVF49jWBOjhEbv

Score

10^/10

xworm rat trojan

Family

xworm

Version

5.0

six-usb.gl.at.ply.gg:49722

Mutex

Ph531DZXeuDBo12H

Attributes

aes.plain

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4304-1-0x0000000000270000-0x000000000027E000-memory.dmp	family_xworm

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4304	COuRt.exe

C:\Users\Admin\AppData\Local\Temp\COuRt.exe
"C:\Users\Admin\AppData\Local\Temp\COuRt.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4304

memory/4304-0-0x00007FF9CFC03000-0x00007FF9CFC05000-memory.dmp

Filesize
8KB

Download
memory/4304-1-0x0000000000270000-0x000000000027E000-memory.dmp

Filesize
56KB

Download
memory/4304-2-0x00007FF9CFC00000-0x00007FF9D06C1000-memory.dmp

Filesize
10.8MB

Download
memory/4304-3-0x00007FF9CFC00000-0x00007FF9D06C1000-memory.dmp

Filesize
10.8MB

Download
memory/4304-4-0x0000000000B60000-0x0000000000B6C000-memory.dmp

Filesize
48KB

Download