Analysis
max time kernel: 514s
max time network: 1587s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 30-06-2024 20:25
Behavioral task behavioral1: sample gjruheigerg.exe, resource win7-20240611-en
Behavioral task behavioral2: sample gjruheigerg.exe, resource win10-20240404-en
Behavioral task behavioral3: sample gjruheigerg.exe, resource win10v2004-20240508-en
General
Target: gjruheigerg.exe
Size: 84KB
MD5: b5fbb4aec5eaf3f64a592e72ac30a1ab
SHA1: 993b36feeb223032ec7a536687cfe37ddf2ffd39
SHA256: ca608f15c34d7526591d75a76d1a29ef03e17c133ef2dfb7dda09be631d0e449
SHA512: 8768a68783e11654da0815b574e7e20c3cdaa4b4f710b6d288f9a69082f040177d32b2fdaf34b42239308ea21d4e3fc4319b67145b0f2b8126a4fc7a007dcc53
SSDEEP: 1536:Xb5H+OMwTEBrZ5idVjzXGbhpTw6DG6GiyoAOsjJKVV4yAETSAJ0iH:rgG0FkbH2bhpM6NAOsViyylyY
Malware Config
Extracted family: xworm
C2 address: 79.202.250.5:80
Install_directory: %Temp%
install_file: discord_autoupdaterconfifm.exe
telegram: https://api.telegram.org/bot7345950584:AAH5ca8n_1S4bD12cZuSsr23SjFGXJYzRk0
Signatures
Detect Xworm Payload (2 IoCs)
Processes:
resource: behavioral2/memory/2912-1-0x0000000000CE0000-0x0000000000CFC000-memory.dmp  yara_rule: family_xworm
resource: C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe  yara_rule: family_xworm
Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid 2852 powershell.exe
pid 2660 powershell.exe
pid 1388 powershell.exe
pid 2144 powershell.exe
Executes dropped EXE (1 IoCs)
Processes:
pid 3564 discord_autoupdaterconfifm.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 1: ioc ip-api.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Delays execution with timeout.exe (1 IoCs)
Processes:
pid 3604 timeout.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (13 IoCs)
Processes:
pid 1388 powershell.exe (3 events)
pid 2144 powershell.exe (3 events)
pid 2852 powershell.exe (3 events)
pid 2660 powershell.exe (3 events)
pid 2912 gjruheigerg.exe (1 event)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (pid, process, tokens adjusted):
pid 2912 gjruheigerg.exe: SeDebugPrivilege
pid 1388 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
pid 2144 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
pid 2852 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
pid 2912 gjruheigerg.exe
Suspicious use of WriteProcessMemory (16 IoCs)
Processes (source PID and process, target PID and process):
PID 2912 (gjruheigerg.exe) wrote to memory of 1388 (powershell.exe), 2 events
PID 2912 (gjruheigerg.exe) wrote to memory of 2144 (powershell.exe), 2 events
PID 2912 (gjruheigerg.exe) wrote to memory of 2852 (powershell.exe), 2 events
PID 2912 (gjruheigerg.exe) wrote to memory of 2660 (powershell.exe), 2 events
PID 2912 (gjruheigerg.exe) wrote to memory of 3276 (schtasks.exe), 2 events
PID 2912 (gjruheigerg.exe) wrote to memory of 3204 (schtasks.exe), 2 events
PID 2912 (gjruheigerg.exe) wrote to memory of 2092 (cmd.exe), 2 events
PID 2092 (cmd.exe) wrote to memory of 3604 (timeout.exe), 2 events
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; indentation shows parent/child relationship)
C:\Users\Admin\AppData\Local\Temp\gjruheigerg.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\gjruheigerg.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\gjruheigerg.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'gjruheigerg.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'discord_autoupdaterconfifm.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "discord_autoupdaterconfifm" /tr "C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe"
    - Scheduled Task/Job: Scheduled Task
  C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /delete /f /tn "discord_autoupdaterconfifm"
  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBD2.tmp.bat""
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe
C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 3KB
MD5: ad5cd538ca58cb28ede39c108acb5785
SHA1: 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256: c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512: c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 54a5ac41cb04add283ef259fe504095c
SHA1: 97b5ee9de90628a804333eef4dfe362663686c0f
SHA256: 4fd0c23c7b985f961eca7ef0d6f051bfc870a99c573e6caf50a08de6b428855c
SHA512: c31a14ba9d0a1d32c689f901b0874aa7d67d3fb5ee6065160c3c0b90bd4815d1ee1761a43905f658feb63156728c77095724f068ab23fc6c8e9d4d2ec23fb4ba

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 21f9f2612a1cb11e24d7297d0ac337c3
SHA1: caba8f855a993b6c2379e517657be9a22881066a
SHA256: 36a0f573f7b981b3ff7d498e916722ec782794e9b88cca6467ffcfe7b4f87237
SHA512: ebad776bcf0427c447e8dac4df1d0d67155ffdc6966b19685a975f0049a617a50646dced40d4bfbe7ed56ca0e8a7fe558fff5e9026c46b5caf90d9e11e7e1d87

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 12363335d6ae86dabadb2cd5854b9666
SHA1: 443aa90e1c7d5f70e85f3019bf43a3ec8d67cede
SHA256: 6f2536b7393635bef978dbc6b0204c0c8e753f312c5c3736efe8a0d4f26ea4b0
SHA512: 6bb4d369511d02c3296915882aec33a0b926519cc674ab1cdfc63492b8cf4b0233041b6672bce7edaa0d14dbeb3e4eb6ff8752c6931683e987ce6cbaf3464b09

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fngzivea.fps.ps1
Filesize: 1B
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe
Filesize: 84KB
MD5: b5fbb4aec5eaf3f64a592e72ac30a1ab
SHA1: 993b36feeb223032ec7a536687cfe37ddf2ffd39
SHA256: ca608f15c34d7526591d75a76d1a29ef03e17c133ef2dfb7dda09be631d0e449
SHA512: 8768a68783e11654da0815b574e7e20c3cdaa4b4f710b6d288f9a69082f040177d32b2fdaf34b42239308ea21d4e3fc4319b67145b0f2b8126a4fc7a007dcc53

C:\Users\Admin\AppData\Local\Temp\tmpBD2.tmp.bat
Filesize: 162B
MD5: 8eb5d39a00645a958a9a7383e4feec22
SHA1: fad36020eed3fb07a05af0ffbb3ed4633d8dffef
SHA256: 304a92739ced5c94334f088cdcd670f8701b631af31f3da04d6309210dc5a02d
SHA512: e1fac68b9f21d255edeb61d7ab5bb23f1e111c6c920163cc0dc01687a94474d5bd4f18e52f118cbfc4955b172172072b099d3bda0a9899c7418b88d4b487ef16
Memory dumps (region, filesize):
memory/1388-12-0x00007FFBD5FE0000-0x00007FFBD69CC000-memory.dmp: 9.9MB
memory/1388-13-0x0000024927420000-0x0000024927496000-memory.dmp: 472KB
memory/1388-9-0x0000024927120000-0x0000024927142000-memory.dmp: 136KB
memory/1388-51-0x00007FFBD5FE0000-0x00007FFBD69CC000-memory.dmp: 9.9MB
memory/1388-8-0x00007FFBD5FE0000-0x00007FFBD69CC000-memory.dmp: 9.9MB
memory/1388-7-0x00007FFBD5FE0000-0x00007FFBD69CC000-memory.dmp: 9.9MB
memory/2912-0-0x00007FFBD5FE3000-0x00007FFBD5FE4000-memory.dmp: 4KB
memory/2912-183-0x00007FFBD5FE3000-0x00007FFBD5FE4000-memory.dmp: 4KB
memory/2912-184-0x00007FFBD5FE0000-0x00007FFBD69CC000-memory.dmp: 9.9MB
memory/2912-1-0x0000000000CE0000-0x0000000000CFC000-memory.dmp: 112KB
memory/2912-2-0x00007FFBD5FE0000-0x00007FFBD69CC000-memory.dmp: 9.9MB
memory/2912-192-0x00007FFBD5FE0000-0x00007FFBD69CC000-memory.dmp: 9.9MB