xworm | c1284569276eee7aaf4b03a01b709a9e403eb23edd13c3b3f567e507b0129d9e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

chrome.exe
Size

147KB
MD5

8a0da8925b19d58db5a209deed075a5a
SHA1

4d9a2a9aaaad27beae22abe3c27cb2b22b682c90
SHA256

c1284569276eee7aaf4b03a01b709a9e403eb23edd13c3b3f567e507b0129d9e
SHA512

3af14fad4a8aa6583828afc3d24b5742bfe4f3ea3fe2d16e9cb1449bf29d32c21c074eefede1a2af1dd71cb3c77af13de6844730ea244d98e648af6e0a94734e
SSDEEP

3072:7OFE9eVOjX4NpVq8BxFRzaqF+o2GQJ7/JzqVfGvp:8E9TgVqwlL

Score

10^/10

xworm persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

158.247.200.45:7033

Mutex

eZi6vzo05UjRpELo

Attributes

Install_directory
%AppData%
install_file
svchost.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4240-1-0x00000000002D0000-0x00000000002FA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

chrome.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	chrome.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

chrome.exe

description pid process

Token: SeDebugPrivilege 4240 chrome.exe
Token: SeDebugPrivilege 4240 chrome.exe

description	pid	process
Token: SeDebugPrivilege	4240	chrome.exe
Token: SeDebugPrivilege	4240	chrome.exe

C:\Users\Admin\AppData\Local\Temp\chrome.exe
"C:\Users\Admin\AppData\Local\Temp\chrome.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4240-0-0x00007FFA20CC3000-0x00007FFA20CC5000-memory.dmp

Filesize
8KB

Download
memory/4240-1-0x00000000002D0000-0x00000000002FA000-memory.dmp

Filesize
168KB

Download
memory/4240-3-0x00007FFA20CC0000-0x00007FFA21781000-memory.dmp

Filesize
10.8MB

Download
memory/4240-4-0x00007FFA20CC3000-0x00007FFA20CC5000-memory.dmp

Filesize
8KB

Download
memory/4240-5-0x00007FFA20CC0000-0x00007FFA21781000-memory.dmp

Filesize
10.8MB

Download
memory/4240-6-0x0000000002380000-0x000000000238E000-memory.dmp

Filesize
56KB

Download