xworm | 81513a82573e2a72bf3b56b6b309ea2f73716f602e1f00d0ee957abd3408b6a3

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

invoice.exe
Size

2.3MB
MD5

5bc392a75e9f0c3b36f344096f0183cc
SHA1

a2f48b659efa913e5ed17d1621f517c21a9305a6
SHA256

81513a82573e2a72bf3b56b6b309ea2f73716f602e1f00d0ee957abd3408b6a3
SHA512

f9224d1f9818b2a4c93276467719e535f3f66c5f4a9d6f2287669307ecb276dfb9f202007cd9c801a0ea1ef63630eac4ca03ce9de4aab6086b9d941e54c017eb
SSDEEP

12288:z5DIexdM4iE+o+OKtDY2z1ZWtpMo4mSUvIZAg+GSsgHU:1DIexgo+OKtDYq12MqSUv8Ag+tY

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:7733

104.161.80.204:7733

Mutex

R4c17KU2odlSGK04

Attributes

Install_directory
%AppData%
install_file
System.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/2952-4-0x0000000000400000-0x0000000000422000-memory.dmp family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Suspicious use of SetThreadContext 1 IoCs

Processes:

invoice.exe

description pid process target process

PID 2416 set thread context of 2952 2416 invoice.exe iexplore.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

invoice.exe

description pid process

Token: SeDebugPrivilege 2416 invoice.exe

resource	yara_rule
behavioral1/memory/2952-4-0x0000000000400000-0x0000000000422000-memory.dmp	family_xworm

description	pid	process	target process
PID 2416 set thread context of 2952	2416	invoice.exe	iexplore.exe

description	pid	process
Token: SeDebugPrivilege	2416	invoice.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

invoice.exe

description	pid	process	target process
PID 2416 wrote to memory of 2952	2416	invoice.exe	iexplore.exe
PID 2416 wrote to memory of 2952	2416	invoice.exe	iexplore.exe
PID 2416 wrote to memory of 2952	2416	invoice.exe	iexplore.exe
PID 2416 wrote to memory of 2952	2416	invoice.exe	iexplore.exe
PID 2416 wrote to memory of 2952	2416	invoice.exe	iexplore.exe
PID 2416 wrote to memory of 2952	2416	invoice.exe	iexplore.exe
PID 2416 wrote to memory of 2952	2416	invoice.exe	iexplore.exe
PID 2416 wrote to memory of 2952	2416	invoice.exe	iexplore.exe
PID 2416 wrote to memory of 2952	2416	invoice.exe	iexplore.exe
PID 2416 wrote to memory of 3044	2416	invoice.exe	WerFault.exe
PID 2416 wrote to memory of 3044	2416	invoice.exe	WerFault.exe
PID 2416 wrote to memory of 3044	2416	invoice.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\invoice.exe
"C:\Users\Admin\AppData\Local\Temp\invoice.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
2⤵
PID:2952

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2416 -s 644
2⤵
PID:3044

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2416-0-0x000007FEF5BF3000-0x000007FEF5BF4000-memory.dmp

Filesize
4KB

Download
memory/2416-1-0x0000000000B40000-0x0000000000B5E000-memory.dmp

Filesize
120KB

Download
memory/2416-2-0x0000000000AA0000-0x0000000000B14000-memory.dmp

Filesize
464KB

Download
memory/2416-3-0x000007FEF5BF0000-0x000007FEF65DC000-memory.dmp

Filesize
9.9MB

Download
memory/2416-5-0x000007FEF5BF3000-0x000007FEF5BF4000-memory.dmp

Filesize
4KB

Download
memory/2416-6-0x000007FEF5BF0000-0x000007FEF65DC000-memory.dmp

Filesize
9.9MB

Download
memory/2952-4-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads