xworm | ca608f15c34d7526591d75a76d1a29ef03e17c133ef2dfb7dda09be631d0e449

Analysis

max time kernel
1565s
max time network
1568s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gjruheigerg.exe
Size

84KB
MD5

b5fbb4aec5eaf3f64a592e72ac30a1ab
SHA1

993b36feeb223032ec7a536687cfe37ddf2ffd39
SHA256

ca608f15c34d7526591d75a76d1a29ef03e17c133ef2dfb7dda09be631d0e449
SHA512

8768a68783e11654da0815b574e7e20c3cdaa4b4f710b6d288f9a69082f040177d32b2fdaf34b42239308ea21d4e3fc4319b67145b0f2b8126a4fc7a007dcc53
SSDEEP

1536:Xb5H+OMwTEBrZ5idVjzXGbhpTw6DG6GiyoAOsjJKVV4yAETSAJ0iH:rgG0FkbH2bhpM6NAOsViyylyY

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

79.202.250.5:80

Attributes

Install_directory
%Temp%
install_file
discord_autoupdaterconfifm.exe
telegram
https://api.telegram.org/bot7345950584:AAH5ca8n_1S4bD12cZuSsr23SjFGXJYzRk0

Signatures

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2332-1-0x0000000000320000-0x000000000033C000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe	family_xworm
behavioral1/memory/1620-34-0x0000000000BC0000-0x0000000000BDC000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2840 powershell.exe
2868 powershell.exe
2612 powershell.exe
2864 powershell.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

3032 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

discord_autoupdaterconfifm.exe

pid process

1620 discord_autoupdaterconfifm.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1176 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2964 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exegjruheigerg.exe

pid process

2840 powershell.exe
2868 powershell.exe
2612 powershell.exe
2864 powershell.exe
2332 gjruheigerg.exe

pid	process
2840	powershell.exe
2868	powershell.exe
2612	powershell.exe
2864	powershell.exe

pid	process
3032	cmd.exe

pid	process
1620	discord_autoupdaterconfifm.exe

flow	ioc
4	ip-api.com

pid	process
1176	timeout.exe

pid	process
2964	schtasks.exe

pid	process
2840	powershell.exe
2868	powershell.exe
2612	powershell.exe
2864	powershell.exe
2332	gjruheigerg.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

gjruheigerg.exepowershell.exepowershell.exepowershell.exepowershell.exediscord_autoupdaterconfifm.exe

description	pid	process
Token: SeDebugPrivilege	2332	gjruheigerg.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2332	gjruheigerg.exe
Token: SeDebugPrivilege	1620	discord_autoupdaterconfifm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

gjruheigerg.exe

pid process

2332 gjruheigerg.exe

pid	process
2332	gjruheigerg.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

gjruheigerg.exetaskeng.execmd.exe

description	pid	process	target process
PID 2332 wrote to memory of 2840	2332	gjruheigerg.exe	powershell.exe
PID 2332 wrote to memory of 2840	2332	gjruheigerg.exe	powershell.exe
PID 2332 wrote to memory of 2840	2332	gjruheigerg.exe	powershell.exe
PID 2332 wrote to memory of 2868	2332	gjruheigerg.exe	powershell.exe
PID 2332 wrote to memory of 2868	2332	gjruheigerg.exe	powershell.exe
PID 2332 wrote to memory of 2868	2332	gjruheigerg.exe	powershell.exe
PID 2332 wrote to memory of 2612	2332	gjruheigerg.exe	powershell.exe
PID 2332 wrote to memory of 2612	2332	gjruheigerg.exe	powershell.exe
PID 2332 wrote to memory of 2612	2332	gjruheigerg.exe	powershell.exe
PID 2332 wrote to memory of 2864	2332	gjruheigerg.exe	powershell.exe
PID 2332 wrote to memory of 2864	2332	gjruheigerg.exe	powershell.exe
PID 2332 wrote to memory of 2864	2332	gjruheigerg.exe	powershell.exe
PID 2332 wrote to memory of 2964	2332	gjruheigerg.exe	schtasks.exe
PID 2332 wrote to memory of 2964	2332	gjruheigerg.exe	schtasks.exe
PID 2332 wrote to memory of 2964	2332	gjruheigerg.exe	schtasks.exe
PID 1400 wrote to memory of 1620	1400	taskeng.exe	discord_autoupdaterconfifm.exe
PID 1400 wrote to memory of 1620	1400	taskeng.exe	discord_autoupdaterconfifm.exe
PID 1400 wrote to memory of 1620	1400	taskeng.exe	discord_autoupdaterconfifm.exe
PID 2332 wrote to memory of 2244	2332	gjruheigerg.exe	schtasks.exe
PID 2332 wrote to memory of 2244	2332	gjruheigerg.exe	schtasks.exe
PID 2332 wrote to memory of 2244	2332	gjruheigerg.exe	schtasks.exe
PID 2332 wrote to memory of 3032	2332	gjruheigerg.exe	cmd.exe
PID 2332 wrote to memory of 3032	2332	gjruheigerg.exe	cmd.exe
PID 2332 wrote to memory of 3032	2332	gjruheigerg.exe	cmd.exe
PID 3032 wrote to memory of 1176	3032	cmd.exe	timeout.exe
PID 3032 wrote to memory of 1176	3032	cmd.exe	timeout.exe
PID 3032 wrote to memory of 1176	3032	cmd.exe	timeout.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\gjruheigerg.exe
"C:\Users\Admin\AppData\Local\Temp\gjruheigerg.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\gjruheigerg.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'gjruheigerg.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'discord_autoupdaterconfifm.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "discord_autoupdaterconfifm" /tr "C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /f /tn "discord_autoupdaterconfifm"
2⤵
PID:2244

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpBFC6.tmp.bat""
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1176

C:\Windows\system32\taskeng.exe
taskeng.exe {E71BE0D5-9268-4F07-A017-8AC4B55444C8} S-1-5-21-2812790648-3157963462-487717889-1000:JAFTUVRJ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1400

C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe
C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1620

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe
Filesize
84KB

MD5
b5fbb4aec5eaf3f64a592e72ac30a1ab

SHA1
993b36feeb223032ec7a536687cfe37ddf2ffd39

SHA256
ca608f15c34d7526591d75a76d1a29ef03e17c133ef2dfb7dda09be631d0e449

SHA512
8768a68783e11654da0815b574e7e20c3cdaa4b4f710b6d288f9a69082f040177d32b2fdaf34b42239308ea21d4e3fc4319b67145b0f2b8126a4fc7a007dcc53

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBFC6.tmp.bat
Filesize
163B

MD5
156795b1fad54878a34689617b92ce0a

SHA1
224d5cfdf2ab6ec5e3d580567c83a87bcd808cc3

SHA256
9957c7c4f8797b5f4e3a85a779a3b531e140ab178e768b970425a8f2099cbae8

SHA512
3747e2d0d11487deab160da537709b877d5b7874a255c20ffd88776b920e74b8eb031a544c7bc807c317998a1a2977f4d869fa2f10e52380049edc7628dab526

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
969372574560feacd603d446e1e9326d

SHA1
88ea88e420430c9f57afee6fb73b0bd0f60e764a

SHA256
f3b9e4cbd35d77d39ed0259059aa2443c28367e26a648ac0cf0fc0fb42b82b7c

SHA512
a2bac3f8ad9e3dd8387de72b370137e31b2b2a6df5ba2b6abe06b0995a1536e4d2690a1584eb943ffd893b013f4036b8227327ad6cf2af5f8cfd8bfc756e9b43

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1620-34-0x0000000000BC0000-0x0000000000BDC000-memory.dmp

Filesize
112KB

Download
memory/2332-30-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

Filesize
9.9MB

Download
memory/2332-1-0x0000000000320000-0x000000000033C000-memory.dmp

Filesize
112KB

Download
memory/2332-2-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

Filesize
9.9MB

Download
memory/2332-43-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

Filesize
9.9MB

Download
memory/2332-0-0x000007FEF5843000-0x000007FEF5844000-memory.dmp

Filesize
4KB

Download
memory/2332-29-0x000007FEF5843000-0x000007FEF5844000-memory.dmp

Filesize
4KB

Download
memory/2840-8-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2840-9-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2840-7-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/2868-16-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/2868-15-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download