xworm | 5190036ca62c036c6d773d65518a770630063e9c3b363239cb6ec9bbb3af09ac

Analysis

max time kernel
141s
max time network
144s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22/11/2024, 12:22

Target

5190036ca62c036c6d773d65518a770630063e9c3b363239cb6ec9bbb3af09ac.exe
Size

30KB
MD5

7adac8dcb8de748fcfa6b423d1c73b3d
SHA1

17822c8195fb2faddbc3bf7268623d8dd4881c08
SHA256

5190036ca62c036c6d773d65518a770630063e9c3b363239cb6ec9bbb3af09ac
SHA512

ecba4616679f5d5f71e38a6b5d9bcf6f54130245af88e12753d44d09170b695296f7c6aeba3a84304c30c83d1c326a11e7ef4e275f53201854adea7613b6ea84
SSDEEP

384:f7wTA+5OfhxeelKn4MPLZhspJgXlYECwaipXQs5RugtFuBLTIOZw/WVwvn9IkVu2:3Fx7s4EQK1YETDpAs5BFR9RXOqhdbPt

Score

10^/10

xworm rat trojan

Family

xworm

Version

3.0

Mutex

3yTrMWQo0uAgbLo1

Attributes

aes.plain

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1072-1-0x0000000000210000-0x000000000021E000-memory.dmp	family_xworm

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1072	5190036ca62c036c6d773d65518a770630063e9c3b363239cb6ec9bbb3af09ac.exe

C:\Users\Admin\AppData\Local\Temp\5190036ca62c036c6d773d65518a770630063e9c3b363239cb6ec9bbb3af09ac.exe
"C:\Users\Admin\AppData\Local\Temp\5190036ca62c036c6d773d65518a770630063e9c3b363239cb6ec9bbb3af09ac.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1072

memory/1072-0-0x000007FEF58A3000-0x000007FEF58A4000-memory.dmp

Filesize
4KB

Download
memory/1072-1-0x0000000000210000-0x000000000021E000-memory.dmp

Filesize
56KB

Download
memory/1072-2-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/1072-3-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download