Analysis
max time kernel: 145s
max time network: 149s
platform: windows11-21h2_x64
resource: win11-20250410-en
resource tags: arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 18/04/2025, 12:31
Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: tmpxtllxmbq.exe
  Resource: win10v2004-20250410-en
  7 signatures, 150 seconds
General
Target: tmpxtllxmbq.exe
Size: 1.3MB
MD5: 74fd34ea47e881219cfd18503eae5a7b
SHA1: eedb8636972d435dc593a2a4eed4c248175af4f2
SHA256: 1fcaf14c2bf8df5d8fa0e8efcf728ba06f2d1fb7ef213d00d7b763031ff9a536
SHA512: 5f90523c044fac81d5e102182233bccfca057c31a90047e7460474fca35c5f441e4770c8d89934a2ac63742aa14d65e4313cf517df4e4982eac5c25df5611006
SSDEEP: 24576:DjXw5i2hE1x/ofE/3XvWBqlIKxvFZuDSJUo0/db1mEOFZhc:nXw5i2C1x/wE2BIIMvzuDSJ8db1mEOFc
Malware Config
Extracted
  Family: xworm
  Attributes
    install_file: MasonUSB.exe
Extracted
  Family: latentbot
  C2: cryptoghost.zapto.org
Signatures
Detect Xworm Payload (1 IoC)
  resource: behavioral2/memory/5932-3-0x000000001B780000-0x000000001B792000-memory.dmp
  yara_rule: family_xworm
Latentbot family
Xworm family
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 1: raw.githubusercontent.com
  flow 2: raw.githubusercontent.com
Suspicious behavior: EnumeratesProcesses (17 IoCs)
  pid 5932, process tmpxtllxmbq.exe (all 17 occurrences)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 5932, process tmpxtllxmbq.exe