Analysis
- max time kernel: 865s
- max time network: 1589s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 30-06-2024 20:25
Behavioral tasks
- behavioral1: sample gjruheigerg.exe, resource win7-20231129-en
- behavioral2: sample gjruheigerg.exe, resource win10-20240404-en
- behavioral3: sample gjruheigerg.exe, resource win10v2004-20240508-en
General
- Target: gjruheigerg.exe
- Size: 84KB
- MD5: b5fbb4aec5eaf3f64a592e72ac30a1ab
- SHA1: 993b36feeb223032ec7a536687cfe37ddf2ffd39
- SHA256: ca608f15c34d7526591d75a76d1a29ef03e17c133ef2dfb7dda09be631d0e449
- SHA512: 8768a68783e11654da0815b574e7e20c3cdaa4b4f710b6d288f9a69082f040177d32b2fdaf34b42239308ea21d4e3fc4319b67145b0f2b8126a4fc7a007dcc53
- SSDEEP: 1536:Xb5H+OMwTEBrZ5idVjzXGbhpTw6DG6GiyoAOsjJKVV4yAETSAJ0iH:rgG0FkbH2bhpM6NAOsViyylyY
Malware Config
Extracted family: xworm
- 79.202.250.5:80
- Install_directory: %Temp%
- install_file: discord_autoupdaterconfifm.exe
- telegram: https://api.telegram.org/bot7345950584:AAH5ca8n_1S4bD12cZuSsr23SjFGXJYzRk0
Signatures
- Detect Xworm Payload (2 IoCs)
  Processes (resource, yara_rule):
    behavioral2/memory/3780-0-0x00000000009E0000-0x00000000009FC000-memory.dmp  family_xworm
    C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe  family_xworm
- Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  Processes (pid, process):
    3988 powershell.exe
    3192 powershell.exe
    2224 powershell.exe
    1128 powershell.exe
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    4596 discord_autoupdaterconfifm.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
    1  ip-api.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoCs)
  Processes (pid, process):
    2024 timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes (pid, process, occurrences):
    3988 powershell.exe  (3)
    3192 powershell.exe  (3)
    2224 powershell.exe  (3)
    1128 powershell.exe  (3)
    3780 gjruheigerg.exe (1)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (pid, process: tokens enabled):
    3780 gjruheigerg.exe: SeDebugPrivilege
    3988 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
    3192 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
    2224 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid, process):
    3780 gjruheigerg.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes (pid, process -> target pid, target process; each event recorded twice):
    3780 gjruheigerg.exe -> 3988 powershell.exe  (2)
    3780 gjruheigerg.exe -> 3192 powershell.exe  (2)
    3780 gjruheigerg.exe -> 2224 powershell.exe  (2)
    3780 gjruheigerg.exe -> 1128 powershell.exe  (2)
    3780 gjruheigerg.exe -> 4648 schtasks.exe    (2)
    3780 gjruheigerg.exe -> 4816 schtasks.exe    (2)
    3780 gjruheigerg.exe -> 3316 cmd.exe         (2)
    3316 cmd.exe         -> 2024 timeout.exe     (2)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\gjruheigerg.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\gjruheigerg.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\gjruheigerg.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'gjruheigerg.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'discord_autoupdaterconfifm.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "discord_autoupdaterconfifm" /tr "C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe"
    Signatures: Scheduled Task/Job: Scheduled Task
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /delete /f /tn "discord_autoupdaterconfifm"
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1BA1.tmp.bat""
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe
      Command line: timeout 3
      Signatures: Delays execution with timeout.exe
- C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe
  Signatures: Executes dropped EXE
Downloads (dropped and written files)
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: ad5cd538ca58cb28ede39c108acb5785
  SHA1: 1ae910026f3dbe90ed025e9e96ead2b5399be877
  SHA256: c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
  SHA512: c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: b82eb6df632119fd00472c1dec2875ae
  SHA1: 8afd3e6ecf296376519e80b469390f36e17638dd
  SHA256: afdf2652c81bef3407777c8138512d7a59555759d4183b789b7ff26d13ab3db2
  SHA512: c9778203390db634d2122904491c3458cf8360ab23b1c36920b2a3c7b1169074917c2d151cc9face261f7d5fb449656c610679790d6a65f50d49da13d0ab9f2c
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: e76deb8792e5f8aee3a4bf3fa2033f54
  SHA1: 1450761c06fed4c359fde7493462447662a73da8
  SHA256: 1df2e0c50d046fe4178517c95b57b3eddb6c45bada8367862351b19f305c3e14
  SHA512: 6f55bf86cee069def1c8fb4d097b88270727485d4e0c08c4e85348ab0703c2997d212cafabda8f1636087fcbe7673f21f9869d0c4d2617c09f8de3fc4c96ef24
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 1f7981a609b095a06d22cc80fea38e73
  SHA1: db0c8e085f6a794a20a0e523e1732f4e805ac2f3
  SHA256: 5b371e9be3798897a3357cffe078d922a4a1db39de1847e8a1d4c1ce665a160b
  SHA512: 130dd039d323321ec14d88ad4dd6875cd235ae0f86a688c8173e44ea17c32022ab4cf6b7b86617eb76e1a6a20451604e9a9577c1b3ebd57d4a5b6175f317eec1
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3oj1intk.ago.ps1
  Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
- C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe
  Filesize: 84KB
  MD5: b5fbb4aec5eaf3f64a592e72ac30a1ab
  SHA1: 993b36feeb223032ec7a536687cfe37ddf2ffd39
  SHA256: ca608f15c34d7526591d75a76d1a29ef03e17c133ef2dfb7dda09be631d0e449
  SHA512: 8768a68783e11654da0815b574e7e20c3cdaa4b4f710b6d288f9a69082f040177d32b2fdaf34b42239308ea21d4e3fc4319b67145b0f2b8126a4fc7a007dcc53
- C:\Users\Admin\AppData\Local\Temp\tmp1BA1.tmp.bat
  Filesize: 163B
  MD5: 8cc3c375d66a7ceceffe5d0417b9bac4
  SHA1: 6f187e8d7c7f33e24f7ad4a24d01b49db391f4bb
  SHA256: 2f7ff0e735bfa482fa7213205e960b71a2501b7be408934b2fb136c7ecf8d92e
  SHA512: edc666e5e457d0ea2e5acfbdbc6fd35ae4f3d329cb84c54f1c8030540b50885c44ed176abf463ec567530d0e68999fa263337b1f470f44c927723c40eb3fd691
Memory dumps (dump, filesize)
- memory/3780-186-0x00007FF8922E3000-0x00007FF8922E4000-memory.dmp  4KB
- memory/3780-0-0x00000000009E0000-0x00000000009FC000-memory.dmp  112KB
- memory/3780-2-0x00007FF8922E0000-0x00007FF892CCC000-memory.dmp  9.9MB
- memory/3780-1-0x00007FF8922E3000-0x00007FF8922E4000-memory.dmp  4KB
- memory/3780-187-0x00007FF8922E0000-0x00007FF892CCC000-memory.dmp  9.9MB
- memory/3780-194-0x00007FF8922E0000-0x00007FF892CCC000-memory.dmp  9.9MB
- memory/3988-52-0x00007FF8922E0000-0x00007FF892CCC000-memory.dmp  9.9MB
- memory/3988-8-0x000002605EA70000-0x000002605EA92000-memory.dmp  136KB
- memory/3988-7-0x00007FF8922E0000-0x00007FF892CCC000-memory.dmp  9.9MB
- memory/3988-9-0x00007FF8922E0000-0x00007FF892CCC000-memory.dmp  9.9MB
- memory/3988-13-0x000002605EC20000-0x000002605EC96000-memory.dmp  472KB
- memory/3988-10-0x00007FF8922E0000-0x00007FF892CCC000-memory.dmp  9.9MB