xworm | 1364e3f0b350e7b83a82e9d75745a14b1d88ee737583dcf3450ec719fadf6ad8

Analysis

max time kernel
117s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09a344d3dad53e34501fb523f1c35f2f.exe
Size

85KB
MD5

09a344d3dad53e34501fb523f1c35f2f
SHA1

152917574da9739fe354e19ecf0bc24c68bac2bd
SHA256

a3cb2bc97c93afbd75583a7bf3eab46179ee7233ebebdc32c3e46b8fd062956d
SHA512

34930bb741f3d24e780f3bbe7821d20c3bdb0e11456da39e44abc0332b9068541170f4c6e244ed50abc22529cc2984b02734ffe209fd564ad4a393df42cdca80
SSDEEP

1536:j0nPVmOiyMChXYxrg94Ko//xNB/yim/1y1ejY6yFOBOXj9:4nvdPhXYxrg9zet/yjgf6yFOBMJ

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

request-busy.gl.at.ply.gg:6728

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral9/memory/1212-5-0x0000000003D50000-0x0000000003D62000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.lnk	Explorer.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.lnk	Explorer.EXE

Loads dropped DLL 1 IoCs

pid	Process
1212	Explorer.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\MyApplication = "C:\\Users\\Admin\\AppData\\Local\\Temp\\09a344d3dad53e34501fb523f1c35f2f.exe"	09a344d3dad53e34501fb523f1c35f2f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Explorer = "C:\\Users\\Admin\\AppData\\Roaming\\Explorer.EXE"	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2276	09a344d3dad53e34501fb523f1c35f2f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1212	Explorer.EXE

Suspicious use of WriteProcessMemory 1 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 1212	2276	09a344d3dad53e34501fb523f1c35f2f.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1212
- C:\Users\Admin\AppData\Local\Temp\09a344d3dad53e34501fb523f1c35f2f.exe
  "C:\Users\Admin\AppData\Local\Temp\09a344d3dad53e34501fb523f1c35f2f.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Explorer.EXE

Filesize
2.7MB

MD5
ac4c51eb24aa95b77f705ab159189e24

SHA1
4583daf9442880204730fb2c8a060430640494b1

SHA256
6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a

SHA512
011bfe19bd15dcc0f9850575e20d7f2c01160ec98ba461ad59a51b9417049e6475648b9056990247699624b080cf609ec7b5409231cfb46a012d723f7db08d81

Download Submit
memory/1212-8-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1212-17-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1212-3-0x0000000002F50000-0x0000000002F64000-memory.dmp

Filesize
80KB

Download
memory/1212-4-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/1212-5-0x0000000003D50000-0x0000000003D62000-memory.dmp

Filesize
72KB

Download
memory/1212-6-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1212-2-0x0000000002F50000-0x0000000002F64000-memory.dmp

Filesize
80KB

Download
memory/1212-22-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1212-7-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1212-21-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1212-20-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1212-19-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/2276-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/2276-16-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/2276-1-0x0000000000D80000-0x0000000000D9C000-memory.dmp

Filesize
112KB

Download