xworm | f6b66de58a074f12a5e25b27f868701071124e088415c7ba44f81b41aa57f752

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2024, 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6b66de58a074f12a5e25b27f868701071124e088415c7ba44f81b41aa57f752.exe
Size

47KB
MD5

68ead50c6780f8cfcd34fc1c3d9d998a
SHA1

071b72b8496fa68983cb77b319de6c93d1c7929a
SHA256

f6b66de58a074f12a5e25b27f868701071124e088415c7ba44f81b41aa57f752
SHA512

9b08430d93ee0296e338d3f59b0a57c13a4f0faf2b1f4d10f6cc602843569d130dcaeb3929dce21ce00cf13b6ffb9b7de42bc3ac177fd6f029545240e2c4464c
SSDEEP

768:aBoVSTAPW9jllp0XMtd70hq30gzbGYxIXDZVpNf3SOwht7a1ehVY:eHL9jldFwszbGYuTpIOwL0EY

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.0

16.ip.gl.ply.gg:41909

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4712-1-0x00000000007A0000-0x00000000007B2000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f6b66de58a074f12a5e25b27f868701071124e088415c7ba44f81b41aa57f752 = "C:\\Users\\Admin\\AppData\\Roaming\\f6b66de58a074f12a5e25b27f868701071124e088415c7ba44f81b41aa57f752.exe"	f6b66de58a074f12a5e25b27f868701071124e088415c7ba44f81b41aa57f752.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4712	f6b66de58a074f12a5e25b27f868701071124e088415c7ba44f81b41aa57f752.exe

C:\Users\Admin\AppData\Local\Temp\f6b66de58a074f12a5e25b27f868701071124e088415c7ba44f81b41aa57f752.exe
"C:\Users\Admin\AppData\Local\Temp\f6b66de58a074f12a5e25b27f868701071124e088415c7ba44f81b41aa57f752.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4712-0-0x00007FF982043000-0x00007FF982045000-memory.dmp

Filesize
8KB

Download
memory/4712-1-0x00000000007A0000-0x00000000007B2000-memory.dmp

Filesize
72KB

Download
memory/4712-3-0x00007FF982040000-0x00007FF982B01000-memory.dmp

Filesize
10.8MB

Download
memory/4712-4-0x00007FF982040000-0x00007FF982B01000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads