xworm | e000083fbb34cf231e37d9d5c86ba40c8266efe106eb1a8b7e80cf1c0cc4768e

Analysis

max time kernel
119s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e000083fbb34cf231e37d9d5c86ba40c8266efe106eb1a8b7e80cf1c0cc4768e.exe
Size

1.1MB
MD5

4a38f76b967f388a213ff4955d504ecc
SHA1

8749c398b6ae571994d0db8a86c9f13dd739c9bf
SHA256

e000083fbb34cf231e37d9d5c86ba40c8266efe106eb1a8b7e80cf1c0cc4768e
SHA512

2da9ceb255c1f1149d0439fdf83be08dba9d292836fd4352c410778d59ea9c08e24c564a8b76af79d089e30a110ac144c1d93dac19d50d43c8036d610313a56a
SSDEEP

24576:sqDEvCTbMWu7rQYlBQcBiT6rprG8aZ0tmEbmZpA:sTvC/MTQYxsWR7aZ9eom

Score

10^/10

xworm discovery rat trojan

Malware Config

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/948-13-0x0000000000F90000-0x0000000000FBC000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/948-13-0x0000000000F90000-0x0000000000FBC000-memory.dmp	net_reactor

Legitimate hosting services abused for malware hosting/C2 1 TTPs 37 IoCs

Web Service

T1102

flow	ioc
62	pastebin.com
64	pastebin.com
76	pastebin.com
89	pastebin.com
32	pastebin.com
58	pastebin.com
61	pastebin.com
68	pastebin.com
77	pastebin.com
83	pastebin.com
82	pastebin.com
90	pastebin.com
60	pastebin.com
71	pastebin.com
73	pastebin.com
75	pastebin.com
35	pastebin.com
55	pastebin.com
69	pastebin.com
88	pastebin.com
4	drive.google.com
28	pastebin.com
63	pastebin.com
87	pastebin.com
84	pastebin.com
85	pastebin.com
86	pastebin.com
27	pastebin.com
34	pastebin.com
57	pastebin.com
78	pastebin.com
72	pastebin.com
74	pastebin.com
3	drive.google.com
41	pastebin.com
47	pastebin.com
59	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3676 set thread context of 948	3676	e000083fbb34cf231e37d9d5c86ba40c8266efe106eb1a8b7e80cf1c0cc4768e.exe	84

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e000083fbb34cf231e37d9d5c86ba40c8266efe106eb1a8b7e80cf1c0cc4768e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	948	RegSvcs.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 948	3676	e000083fbb34cf231e37d9d5c86ba40c8266efe106eb1a8b7e80cf1c0cc4768e.exe	84
PID 3676 wrote to memory of 948	3676	e000083fbb34cf231e37d9d5c86ba40c8266efe106eb1a8b7e80cf1c0cc4768e.exe	84
PID 3676 wrote to memory of 948	3676	e000083fbb34cf231e37d9d5c86ba40c8266efe106eb1a8b7e80cf1c0cc4768e.exe	84
PID 3676 wrote to memory of 948	3676	e000083fbb34cf231e37d9d5c86ba40c8266efe106eb1a8b7e80cf1c0cc4768e.exe	84
PID 3676 wrote to memory of 948	3676	e000083fbb34cf231e37d9d5c86ba40c8266efe106eb1a8b7e80cf1c0cc4768e.exe	84

C:\Users\Admin\AppData\Local\Temp\e000083fbb34cf231e37d9d5c86ba40c8266efe106eb1a8b7e80cf1c0cc4768e.exe
"C:\Users\Admin\AppData\Local\Temp\e000083fbb34cf231e37d9d5c86ba40c8266efe106eb1a8b7e80cf1c0cc4768e.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/948-13-0x0000000000F90000-0x0000000000FBC000-memory.dmp

Filesize
176KB

Download
memory/948-14-0x0000000072D5E000-0x0000000072D5F000-memory.dmp

Filesize
4KB

Download
memory/948-15-0x00000000055B0000-0x000000000564C000-memory.dmp

Filesize
624KB

Download
memory/948-16-0x0000000072D50000-0x0000000073500000-memory.dmp

Filesize
7.7MB

Download
memory/948-17-0x0000000072D5E000-0x0000000072D5F000-memory.dmp

Filesize
4KB

Download
memory/948-18-0x0000000072D50000-0x0000000073500000-memory.dmp

Filesize
7.7MB

Download