Analysis
-
max time kernel
514s -
max time network
1587s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
30-06-2024 20:25
General
-
Target
gjruheigerg.exe
-
Size
84KB
-
MD5
b5fbb4aec5eaf3f64a592e72ac30a1ab
-
SHA1
993b36feeb223032ec7a536687cfe37ddf2ffd39
-
SHA256
ca608f15c34d7526591d75a76d1a29ef03e17c133ef2dfb7dda09be631d0e449
-
SHA512
8768a68783e11654da0815b574e7e20c3cdaa4b4f710b6d288f9a69082f040177d32b2fdaf34b42239308ea21d4e3fc4319b67145b0f2b8126a4fc7a007dcc53
-
SSDEEP
1536:Xb5H+OMwTEBrZ5idVjzXGbhpTw6DG6GiyoAOsjJKVV4yAETSAJ0iH:rgG0FkbH2bhpM6NAOsViyylyY
Malware Config
Extracted
xworm
79.202.250.5:80
-
Install_directory
%Temp%
-
install_file
discord_autoupdaterconfifm.exe
-
telegram
https://api.telegram.org/bot7345950584:AAH5ca8n_1S4bD12cZuSsr23SjFGXJYzRk0
Signatures
-
Detect Xworm Payload 2 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Executes dropped EXE 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\gjruheigerg.exe"C:\Users\Admin\AppData\Local\Temp\gjruheigerg.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\gjruheigerg.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'gjruheigerg.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'discord_autoupdaterconfifm.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "discord_autoupdaterconfifm" /tr "C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe"2⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /delete /f /tn "discord_autoupdaterconfifm"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBD2.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exeC:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5ad5cd538ca58cb28ede39c108acb5785
SHA11ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD554a5ac41cb04add283ef259fe504095c
SHA197b5ee9de90628a804333eef4dfe362663686c0f
SHA2564fd0c23c7b985f961eca7ef0d6f051bfc870a99c573e6caf50a08de6b428855c
SHA512c31a14ba9d0a1d32c689f901b0874aa7d67d3fb5ee6065160c3c0b90bd4815d1ee1761a43905f658feb63156728c77095724f068ab23fc6c8e9d4d2ec23fb4ba
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD521f9f2612a1cb11e24d7297d0ac337c3
SHA1caba8f855a993b6c2379e517657be9a22881066a
SHA25636a0f573f7b981b3ff7d498e916722ec782794e9b88cca6467ffcfe7b4f87237
SHA512ebad776bcf0427c447e8dac4df1d0d67155ffdc6966b19685a975f0049a617a50646dced40d4bfbe7ed56ca0e8a7fe558fff5e9026c46b5caf90d9e11e7e1d87
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD512363335d6ae86dabadb2cd5854b9666
SHA1443aa90e1c7d5f70e85f3019bf43a3ec8d67cede
SHA2566f2536b7393635bef978dbc6b0204c0c8e753f312c5c3736efe8a0d4f26ea4b0
SHA5126bb4d369511d02c3296915882aec33a0b926519cc674ab1cdfc63492b8cf4b0233041b6672bce7edaa0d14dbeb3e4eb6ff8752c6931683e987ce6cbaf3464b09
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fngzivea.fps.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exeFilesize
84KB
MD5b5fbb4aec5eaf3f64a592e72ac30a1ab
SHA1993b36feeb223032ec7a536687cfe37ddf2ffd39
SHA256ca608f15c34d7526591d75a76d1a29ef03e17c133ef2dfb7dda09be631d0e449
SHA5128768a68783e11654da0815b574e7e20c3cdaa4b4f710b6d288f9a69082f040177d32b2fdaf34b42239308ea21d4e3fc4319b67145b0f2b8126a4fc7a007dcc53
-
C:\Users\Admin\AppData\Local\Temp\tmpBD2.tmp.batFilesize
162B
MD58eb5d39a00645a958a9a7383e4feec22
SHA1fad36020eed3fb07a05af0ffbb3ed4633d8dffef
SHA256304a92739ced5c94334f088cdcd670f8701b631af31f3da04d6309210dc5a02d
SHA512e1fac68b9f21d255edeb61d7ab5bb23f1e111c6c920163cc0dc01687a94474d5bd4f18e52f118cbfc4955b172172072b099d3bda0a9899c7418b88d4b487ef16
-
memory/1388-12-0x00007FFBD5FE0000-0x00007FFBD69CC000-memory.dmpFilesize
9.9MB
-
memory/1388-13-0x0000024927420000-0x0000024927496000-memory.dmpFilesize
472KB
-
memory/1388-9-0x0000024927120000-0x0000024927142000-memory.dmpFilesize
136KB
-
memory/1388-51-0x00007FFBD5FE0000-0x00007FFBD69CC000-memory.dmpFilesize
9.9MB
-
memory/1388-8-0x00007FFBD5FE0000-0x00007FFBD69CC000-memory.dmpFilesize
9.9MB
-
memory/1388-7-0x00007FFBD5FE0000-0x00007FFBD69CC000-memory.dmpFilesize
9.9MB
-
memory/2912-0-0x00007FFBD5FE3000-0x00007FFBD5FE4000-memory.dmpFilesize
4KB
-
memory/2912-183-0x00007FFBD5FE3000-0x00007FFBD5FE4000-memory.dmpFilesize
4KB
-
memory/2912-184-0x00007FFBD5FE0000-0x00007FFBD69CC000-memory.dmpFilesize
9.9MB
-
memory/2912-1-0x0000000000CE0000-0x0000000000CFC000-memory.dmpFilesize
112KB
-
memory/2912-2-0x00007FFBD5FE0000-0x00007FFBD69CC000-memory.dmpFilesize
9.9MB
-
memory/2912-192-0x00007FFBD5FE0000-0x00007FFBD69CC000-memory.dmpFilesize
9.9MB