Analysis
-
max time kernel
37s -
max time network
34s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
29-06-2024 16:20
General
-
Target
SCINSTALLER.exe
-
Size
15.8MB
-
MD5
9fef698c512d5661717f0bf5ad97c165
-
SHA1
8a04d3c0c42725efcb3895cfa6bb4e76065705ae
-
SHA256
f568aecb2053d8f96a1e9638a83308d9271088d793a8373955ae0915901afa33
-
SHA512
cf595ef7a2f0be6e45c41582189c632829839c09103c54c056c3628fc36de8fa50766711f37ac02af80e54acbe5aab4d62ef67a4d40c84ee0c69352eccdae799
-
SSDEEP
393216:EKjbZBCC8qxl0ARCxhApMeQaHsWWWlbjJtKhPM1JRh:EKnZtLl0ARCxK+4Hs+lihU73
Malware Config
Extracted
xworm
5.0
hardware-bands.gl.at.ply.gg:63257
GRHeRJRFnCzlkxGI
-
Install_directory
%AppData%
-
install_file
DiscordAutoUpdate.exe
Signatures
-
Detect Xworm Payload 2 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 6 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\SCINSTALLER.exe"C:\Users\Admin\AppData\Local\Temp\SCINSTALLER.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Update.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Updater.exeUpdater.exe -p1 -dC:\3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Updater.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Updater.exe"4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\Updater.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Updater.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\DiscordAutoUpdate.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DiscordAutoUpdate.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "DiscordAutoUpdate" /tr "C:\Users\Admin\AppData\Roaming\DiscordAutoUpdate.exe"5⤵
- Scheduled Task/Job: Scheduled Task
-
C:\SCINSTALLER.exe"C:\SCINSTALLER.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 066B3E04D0FC4C7716E1CC03CB3E4156 C2⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\DiscordAutoUpdate.exeC:\Users\Admin\AppData\Roaming\DiscordAutoUpdate.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\SCINSTALLER.exeFilesize
17.6MB
MD5b0ea56470940e14501f3de3704ee3dfd
SHA1344a32cd672ae105a3d4d154c58c7c10345746a7
SHA256a08acf97b669ad3896c129066e8afaea4173ff8e6d49256475adb07491dc160b
SHA512ff3d9f9d9102f72daee17b86d30e6b6bb52c3b8b8f7f36e41d5bf656d3f1f8dc678bc41d446cde4519761942578bd16676dfe47797c7459cda3cd4420113708f
-
C:\Update.batFilesize
21B
MD56fa1a261757943e122328d51dc992db7
SHA1a4c5fe1d9fc86f3bf2beb6570ae91bbc23c90618
SHA2561eacacd2168cb166e116195b481f2040475597bc7bf6f65b48e46cc9f980f52d
SHA512431144790f5d34b1cc51d830032c3f013d261d2680b5ceb7261c55eff6714fd5e42b68697c297feb6aecdcba1c03651786fc1d745f13a5537eed1db0394f033f
-
C:\Updater.exeFilesize
471KB
MD5d4948d78b2f0090c8b648a01fbedbd09
SHA183d365b0740babd40d7e88e8a479e720a4369878
SHA256d742be12a3f9cec578354e3f4aeb85f6b577f03f8a6fee887602e23ede55b1c0
SHA51291eeeb7172a40409cef92e0e5d0ceb4e8f332e0aeabc9baa4666e4fe9c99842d5dd1b125ebf7a6e0f06639b8039c7fa45d7e652c066998fe4eae181854b3dfc8
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD58592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD58ea384b0c019a0950b69e907d088c60f
SHA13f9d524e7c990e95ccffd1472b00a7289bd5b266
SHA2563d31424905e860b7ae9cc340bb9d13907c67afacd2a4a9d643ba606f30a8aae5
SHA5127ce37a06f68089fba0adc3f2ceddaff27ea971a45bf459ee15fa39b6b3135c6f51fee6148e74a65fa9360e5fbaa4030812c4f07c0e0b09ed1dd3e0a511055d41
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5dadcc9e35283dd99faec81f5f3e91b44
SHA179bf27b31d1c21a835debdf4548d69b34478c69a
SHA256f215b47ef63a168472fc0762e4eee499fd6c0677be9fbdda82e466ffe4c4ab4c
SHA5120c8215f9037104949445115524a61227bc1c235241bd5a9783b0e7769a454ba9572c68afbd1f3e0a53667451698f61875dc8e708a7b946bf6570be9aae739565
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5f4a6bbae46563e50af7113175eb11641
SHA1d4785c965f2cedbeb7320908d15d0c2726d41883
SHA25626533f03eee838fba5251416dd3037b898feb126d825861e539ae4ea2ab07d5a
SHA512e678cda4bbc42b203749ff8fe3cca746930f61127cc168c9c046cc6eca3499384a56626f18a671bbb895c704d321e842249436cb68337e7183a0012fea1285db
-
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3772\aboutbtnFilesize
1KB
MD5b51b54b77e9cbfdb1063f7487c1c07ec
SHA18a8a7036cfbc86a537447bf71b9f6795923db8b9
SHA2569d7243c688264329a8cb9e22da00b651e0a9407741d722e03dd67cc8b3ee1335
SHA51204cef1aa3a530e7f03054369450eb42f36bf45c13c7445adf450ec4635a8601447c5bb6e978b3adabe9021019644681bf1609539eb548dd50ada973aac0c6555
-
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3772\backgroundFilesize
2KB
MD59e23da7c3cd3fb8113e698a12a3d3047
SHA16d021109495d77a53afe101f2b03a4da847e6d99
SHA256b671008e5d4a15409051d7b3d2aa40f7c028e1dab5876c2882976793abb9356c
SHA51265e885984681cee190764515f61bb8da3c29463b87f4371fff27ae4c4089af46c9b98910a847ec29d7368160d6aaf841fb93f1347c9abc47bce5cf997c8b4ef2
-
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3772\buttonimgsFilesize
1KB
MD56956ac5e9d5e47daeb7d147d67d9e526
SHA1427449cf08f0c78f1bf3850565201991828e278c
SHA256f8f4efdb34b00775638c95568761c93436812af56c8f41116f2f92a987ca9ae0
SHA512a82f9d199e36dfcdad7393761d1cf541d67b0b70d4b31cf71ad38dab3e95b351143c1aff4adea3207d1fd1e9c3523e9b7e3cea37cb61f9f2845894c60327651c
-
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_3772\checkernewicon.pngFilesize
3KB
MD5b1618ec6d5e7c1e293cb36ab87371615
SHA1a9c47241b1378bca3b541abb07aeb4b1feb0ccf4
SHA25676adccd20b35ba40b9be5ac4194941625826084f32a9c7c07090708946fc39c5
SHA512a45e20225fe4d5989f6f8891274a8ed07f27c2b33545458f36bbb3356124fbf83c6d1523155b4830e6bb78a96e4fd282a7f43ec3d3ce77fe488f8640ff49da2a
-
C:\Users\Admin\AppData\Local\Temp\MSI9898.tmpFilesize
587KB
MD59e0aef52f6c03b2fea067342d9d4f22f
SHA1d4431a858c8a7a79315829ec7aa82e838c2714f4
SHA25642b8adafcb4e8496d9822a0c504f449e56456528a9251c153381d3f63d197e5b
SHA51242858a6695d7906b3df4dc97f3b1fac737633a51ffb52e8ec8eddeb21f8cdb53c199bb698e54c4a931155eafd879de6fff114b84f298c84436b776e286ebeeb1
-
C:\Users\Admin\AppData\Local\Temp\MSI9A9F.tmpFilesize
1.1MB
MD5c04ed00ddcb3518e8cf6db24db294a50
SHA1cc98cc3ab9c4371f85ea227d9f761bab4aa76baa
SHA2563c21e1f3bb3ebeb5f0ff68658db8abd18b62f8b195288c4bf87936fc51f8ae9e
SHA512736946a3130f294878ea51145960017babcc1b8ac2c96afd8b9e2a4d120f173afb84bbd04b6f0113f286d4bc671befecd4e92c582f1de1a0d5bc8738c3cae9c5
-
C:\Users\Admin\AppData\Local\Temp\MSI9D11.tmpFilesize
709KB
MD5eb7811666ac7be6477e23af68511424f
SHA11623579c5a3710dcc694a2fd49defa27d56d9175
SHA256ad706739b04256b9215e80d2d030863a37f0d7fd0e4071d0a3a73d6704d8bd8f
SHA5123055baa15c92f476513c66a423043dc4b8c5f83f47643ad77665d6a2f823f4655bf4ae241d8af4bc34d53630df1c35989f0b11b934a631960668fcc7a8c81a7b
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Updater.exeFilesize
57KB
MD590a6868b7ce2020387d453aa38668584
SHA17bde411bb0d7b6aa7a020266a61ce0d61ef0b362
SHA256d2b430a0c74ef2bd97c86d95c35fe964bd00ed17d2e6542be33cc7c99def9d5a
SHA512243c6010cbee28f5181383565a00c22375828f8b5293d35d9512adb249a4fadfd04eab3fb7b9789d6e1bea39f1cf513439e0f7d72ecb69e00a16e8f6d7f0efcc
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sdsco1bz.b2s.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Roaming\SandeLLo CHECKER\install\51B5780\SandeLLoCHECKER_Installer.msiFilesize
4.7MB
MD569d9a69f84bc67feed975148b9e2ec7c
SHA1b4cd30ae6c20a0a5297589a4739d9b5a3fc5154f
SHA2562fc0bc7675b71742b759f44f00e23662f28ad3d04cc5e2956428e57cb61d55b7
SHA51263b5c471d372611b3936f9f2dba302b95490719f228b7362c99957162f92fb4fb31d82dc5c6a55cf1f793dca9f321d601439c7f61aa94c11cc25302e365a428f
-
memory/4380-26-0x00000000000B0000-0x00000000000C4000-memory.dmpFilesize
80KB
-
memory/4844-133-0x000001D7F5760000-0x000001D7F57D6000-memory.dmpFilesize
472KB
-
memory/4844-130-0x000001D7F55B0000-0x000001D7F55D2000-memory.dmpFilesize
136KB
