xworm | ca608f15c34d7526591d75a76d1a29ef03e17c133ef2dfb7dda09be631d0e449

Analysis

max time kernel
1563s
max time network
1564s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gjruheigerg.exe
Size

84KB
MD5

b5fbb4aec5eaf3f64a592e72ac30a1ab
SHA1

993b36feeb223032ec7a536687cfe37ddf2ffd39
SHA256

ca608f15c34d7526591d75a76d1a29ef03e17c133ef2dfb7dda09be631d0e449
SHA512

8768a68783e11654da0815b574e7e20c3cdaa4b4f710b6d288f9a69082f040177d32b2fdaf34b42239308ea21d4e3fc4319b67145b0f2b8126a4fc7a007dcc53
SSDEEP

1536:Xb5H+OMwTEBrZ5idVjzXGbhpTw6DG6GiyoAOsjJKVV4yAETSAJ0iH:rgG0FkbH2bhpM6NAOsViyylyY

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

79.202.250.5:80

Attributes

Install_directory
%Temp%
install_file
discord_autoupdaterconfifm.exe
telegram
https://api.telegram.org/bot7345950584:AAH5ca8n_1S4bD12cZuSsr23SjFGXJYzRk0

Signatures

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2244-1-0x00000000010C0000-0x00000000010DC000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe	family_xworm
behavioral1/memory/2796-33-0x0000000000F00000-0x0000000000F1C000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2896 powershell.exe
2512 powershell.exe
2548 powershell.exe
1916 powershell.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1168 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

discord_autoupdaterconfifm.exe

pid process

2796 discord_autoupdaterconfifm.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1892 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1904 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exegjruheigerg.exe

pid process

2896 powershell.exe
2512 powershell.exe
2548 powershell.exe
1916 powershell.exe
2244 gjruheigerg.exe

pid	process
2896	powershell.exe
2512	powershell.exe
2548	powershell.exe
1916	powershell.exe

pid	process
1168	cmd.exe

pid	process
2796	discord_autoupdaterconfifm.exe

flow	ioc
4	ip-api.com

pid	process
1892	timeout.exe

pid	process
1904	schtasks.exe

pid	process
2896	powershell.exe
2512	powershell.exe
2548	powershell.exe
1916	powershell.exe
2244	gjruheigerg.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

gjruheigerg.exepowershell.exepowershell.exepowershell.exepowershell.exediscord_autoupdaterconfifm.exe

description	pid	process
Token: SeDebugPrivilege	2244	gjruheigerg.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	2244	gjruheigerg.exe
Token: SeDebugPrivilege	2796	discord_autoupdaterconfifm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

gjruheigerg.exe

pid process

2244 gjruheigerg.exe

pid	process
2244	gjruheigerg.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

gjruheigerg.exetaskeng.execmd.exe

description	pid	process	target process
PID 2244 wrote to memory of 2896	2244	gjruheigerg.exe	powershell.exe
PID 2244 wrote to memory of 2896	2244	gjruheigerg.exe	powershell.exe
PID 2244 wrote to memory of 2896	2244	gjruheigerg.exe	powershell.exe
PID 2244 wrote to memory of 2512	2244	gjruheigerg.exe	powershell.exe
PID 2244 wrote to memory of 2512	2244	gjruheigerg.exe	powershell.exe
PID 2244 wrote to memory of 2512	2244	gjruheigerg.exe	powershell.exe
PID 2244 wrote to memory of 2548	2244	gjruheigerg.exe	powershell.exe
PID 2244 wrote to memory of 2548	2244	gjruheigerg.exe	powershell.exe
PID 2244 wrote to memory of 2548	2244	gjruheigerg.exe	powershell.exe
PID 2244 wrote to memory of 1916	2244	gjruheigerg.exe	powershell.exe
PID 2244 wrote to memory of 1916	2244	gjruheigerg.exe	powershell.exe
PID 2244 wrote to memory of 1916	2244	gjruheigerg.exe	powershell.exe
PID 2244 wrote to memory of 1904	2244	gjruheigerg.exe	schtasks.exe
PID 2244 wrote to memory of 1904	2244	gjruheigerg.exe	schtasks.exe
PID 2244 wrote to memory of 1904	2244	gjruheigerg.exe	schtasks.exe
PID 1456 wrote to memory of 2796	1456	taskeng.exe	discord_autoupdaterconfifm.exe
PID 1456 wrote to memory of 2796	1456	taskeng.exe	discord_autoupdaterconfifm.exe
PID 1456 wrote to memory of 2796	1456	taskeng.exe	discord_autoupdaterconfifm.exe
PID 2244 wrote to memory of 1436	2244	gjruheigerg.exe	schtasks.exe
PID 2244 wrote to memory of 1436	2244	gjruheigerg.exe	schtasks.exe
PID 2244 wrote to memory of 1436	2244	gjruheigerg.exe	schtasks.exe
PID 2244 wrote to memory of 1168	2244	gjruheigerg.exe	cmd.exe
PID 2244 wrote to memory of 1168	2244	gjruheigerg.exe	cmd.exe
PID 2244 wrote to memory of 1168	2244	gjruheigerg.exe	cmd.exe
PID 1168 wrote to memory of 1892	1168	cmd.exe	timeout.exe
PID 1168 wrote to memory of 1892	1168	cmd.exe	timeout.exe
PID 1168 wrote to memory of 1892	1168	cmd.exe	timeout.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\gjruheigerg.exe
"C:\Users\Admin\AppData\Local\Temp\gjruheigerg.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\gjruheigerg.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'gjruheigerg.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'discord_autoupdaterconfifm.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "discord_autoupdaterconfifm" /tr "C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /f /tn "discord_autoupdaterconfifm"
2⤵
PID:1436

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC996.tmp.bat""
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1892

C:\Windows\system32\taskeng.exe
taskeng.exe {7714ECBF-2E89-48D2-A176-49C6EF7F0CA9} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe
C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2796

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe
Filesize
84KB

MD5
b5fbb4aec5eaf3f64a592e72ac30a1ab

SHA1
993b36feeb223032ec7a536687cfe37ddf2ffd39

SHA256
ca608f15c34d7526591d75a76d1a29ef03e17c133ef2dfb7dda09be631d0e449

SHA512
8768a68783e11654da0815b574e7e20c3cdaa4b4f710b6d288f9a69082f040177d32b2fdaf34b42239308ea21d4e3fc4319b67145b0f2b8126a4fc7a007dcc53

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC996.tmp.bat
Filesize
163B

MD5
5d7c9f75761a39d5be63a26944776829

SHA1
8e5178f37a1bc54a0ca5605e8cc723e85467e380

SHA256
18bff178b889a9dde2b32e927c2d73727a18b9792bb395bac2f7a31a235a33c5

SHA512
3c72eb749bc2e4e23a65b6faf0d2ac2bd9255f61c1e442374a9191cd15732f2c1b3cecc187cae6d2c94f617d4668945535da85c52d73db0b44f452389d18041e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
2485597e4a74cae307aa94e3fc5c9e13

SHA1
68be93c4551ffbd0d009f0779c12753d590bc309

SHA256
b8e673f3bd1813a392c24c6ca979b8193629241f68e952e4c73ea1e239db5d3c

SHA512
98872c7a07b60739748173d07eecd6e1ddda5faf67ca190520099862a4da5a0061be793029c1e7050e8ce42dc77d34a7f88f51c84636a1e6c71d15053101689b

Download Submit
memory/2244-28-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/2244-0-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

Filesize
4KB

Download
memory/2244-29-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2244-2-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2244-1-0x00000000010C0000-0x00000000010DC000-memory.dmp

Filesize
112KB

Download
memory/2244-42-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

Filesize
9.9MB

Download
memory/2512-15-0x000000001B470000-0x000000001B752000-memory.dmp

Filesize
2.9MB

Download
memory/2512-16-0x0000000002620000-0x0000000002628000-memory.dmp

Filesize
32KB

Download
memory/2796-33-0x0000000000F00000-0x0000000000F1C000-memory.dmp

Filesize
112KB

Download
memory/2896-8-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2896-9-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/2896-7-0x0000000001E40000-0x0000000001EC0000-memory.dmp

Filesize
512KB

Download