xworm | cf72e60bc72abd3c24aaeaf3382f2ca4d9c78fad4f0e4c0e766eb999fa4fd11d

Analysis

max time kernel
95s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2025, 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sex.exe
Size

108KB
MD5

172786ddde922ef8c738488188957be6
SHA1

d3ac8d959d7ed442c91759ce4f6d1fd1bd271512
SHA256

cf72e60bc72abd3c24aaeaf3382f2ca4d9c78fad4f0e4c0e766eb999fa4fd11d
SHA512

105289eb9c168dc859e31b9b37e76c80b000960e88b6e6f0df7ade3a8938b94ccfb087272564af28fc7d56b2bf6681b414cc59d866f9f0ad17afd208bdb430b3
SSDEEP

1536:v2SENAgpuW+LpyOQGTrePk5QgKYXsIpsd0tiA/EdipjNd+FXwD+X4vBr52WBHPsH:OSENABoCoonMyBBzvBXvWjO+L

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

any-attraction.gl.at.ply.gg:27770

Mutex

B33wn5oKUxMok1Li

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3452-5-0x000001D41A200000-0x000001D41A20E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1636	timeout.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3452	sex.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 2132	3452	sex.exe	96
PID 3452 wrote to memory of 2132	3452	sex.exe	96
PID 2132 wrote to memory of 1636	2132	cmd.exe	98
PID 2132 wrote to memory of 1636	2132	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\sex.exe
"C:\Users\Admin\AppData\Local\Temp\sex.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp616.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1636

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp616.tmp.bat

Filesize
154B

MD5
604d91ec26dd2ae28bb7bc2821e21287

SHA1
3afd25527ad7c644c16f51a503673f99e80bfe15

SHA256
aeb548818a4ecb806465556df54729eb4945b143211698b5c46b9a09c5e4bbc9

SHA512
161177154399062bf396a7d941baa61235e9dbcabb3845077f041e8e87ce59d55629257bcf91403dbde42508a2da30bc38cfb7ee250eabd7465bbd3eb10709d0

Download Submit
memory/3452-0-0x00007FFED0353000-0x00007FFED0355000-memory.dmp

Filesize
8KB

Download
memory/3452-1-0x000001D47F410000-0x000001D47F432000-memory.dmp

Filesize
136KB

Download
memory/3452-2-0x00007FFED0350000-0x00007FFED0E11000-memory.dmp

Filesize
10.8MB

Download
memory/3452-3-0x00007FFED0350000-0x00007FFED0E11000-memory.dmp

Filesize
10.8MB

Download
memory/3452-4-0x00007FFED0350000-0x00007FFED0E11000-memory.dmp

Filesize
10.8MB

Download
memory/3452-5-0x000001D41A200000-0x000001D41A20E000-memory.dmp

Filesize
56KB

Download
memory/3452-6-0x00007FFED0353000-0x00007FFED0355000-memory.dmp

Filesize
8KB

Download
memory/3452-7-0x00007FFED0350000-0x00007FFED0E11000-memory.dmp

Filesize
10.8MB

Download
memory/3452-12-0x00007FFED0350000-0x00007FFED0E11000-memory.dmp

Filesize
10.8MB

Download