xworm | ca608f15c34d7526591d75a76d1a29ef03e17c133ef2dfb7dda09be631d0e449

Analysis

max time kernel
865s
max time network
1589s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
30-06-2024 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gjruheigerg.exe
Size

84KB
MD5

b5fbb4aec5eaf3f64a592e72ac30a1ab
SHA1

993b36feeb223032ec7a536687cfe37ddf2ffd39
SHA256

ca608f15c34d7526591d75a76d1a29ef03e17c133ef2dfb7dda09be631d0e449
SHA512

8768a68783e11654da0815b574e7e20c3cdaa4b4f710b6d288f9a69082f040177d32b2fdaf34b42239308ea21d4e3fc4319b67145b0f2b8126a4fc7a007dcc53
SSDEEP

1536:Xb5H+OMwTEBrZ5idVjzXGbhpTw6DG6GiyoAOsjJKVV4yAETSAJ0iH:rgG0FkbH2bhpM6NAOsViyylyY

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

79.202.250.5:80

Attributes

Install_directory
%Temp%
install_file
discord_autoupdaterconfifm.exe
telegram
https://api.telegram.org/bot7345950584:AAH5ca8n_1S4bD12cZuSsr23SjFGXJYzRk0

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource yara_rule

behavioral2/memory/3780-0-0x00000000009E0000-0x00000000009FC000-memory.dmp family_xworm
C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

3988 powershell.exe
3192 powershell.exe
2224 powershell.exe
1128 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

discord_autoupdaterconfifm.exe

pid process

4596 discord_autoupdaterconfifm.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2024 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4648 schtasks.exe

resource	yara_rule
behavioral2/memory/3780-0-0x00000000009E0000-0x00000000009FC000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe	family_xworm

pid	process
4596	discord_autoupdaterconfifm.exe

flow	ioc
1	ip-api.com

pid	process
2024	timeout.exe

pid	process
4648	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exegjruheigerg.exe

pid	process
3988	powershell.exe
3988	powershell.exe
3988	powershell.exe
3192	powershell.exe
3192	powershell.exe
3192	powershell.exe
2224	powershell.exe
2224	powershell.exe
2224	powershell.exe
1128	powershell.exe
1128	powershell.exe
1128	powershell.exe
3780	gjruheigerg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

gjruheigerg.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3780	gjruheigerg.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeIncreaseQuotaPrivilege	3988	powershell.exe
Token: SeSecurityPrivilege	3988	powershell.exe
Token: SeTakeOwnershipPrivilege	3988	powershell.exe
Token: SeLoadDriverPrivilege	3988	powershell.exe
Token: SeSystemProfilePrivilege	3988	powershell.exe
Token: SeSystemtimePrivilege	3988	powershell.exe
Token: SeProfSingleProcessPrivilege	3988	powershell.exe
Token: SeIncBasePriorityPrivilege	3988	powershell.exe
Token: SeCreatePagefilePrivilege	3988	powershell.exe
Token: SeBackupPrivilege	3988	powershell.exe
Token: SeRestorePrivilege	3988	powershell.exe
Token: SeShutdownPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeSystemEnvironmentPrivilege	3988	powershell.exe
Token: SeRemoteShutdownPrivilege	3988	powershell.exe
Token: SeUndockPrivilege	3988	powershell.exe
Token: SeManageVolumePrivilege	3988	powershell.exe
Token: 33	3988	powershell.exe
Token: 34	3988	powershell.exe
Token: 35	3988	powershell.exe
Token: 36	3988	powershell.exe
Token: SeDebugPrivilege	3192	powershell.exe
Token: SeIncreaseQuotaPrivilege	3192	powershell.exe
Token: SeSecurityPrivilege	3192	powershell.exe
Token: SeTakeOwnershipPrivilege	3192	powershell.exe
Token: SeLoadDriverPrivilege	3192	powershell.exe
Token: SeSystemProfilePrivilege	3192	powershell.exe
Token: SeSystemtimePrivilege	3192	powershell.exe
Token: SeProfSingleProcessPrivilege	3192	powershell.exe
Token: SeIncBasePriorityPrivilege	3192	powershell.exe
Token: SeCreatePagefilePrivilege	3192	powershell.exe
Token: SeBackupPrivilege	3192	powershell.exe
Token: SeRestorePrivilege	3192	powershell.exe
Token: SeShutdownPrivilege	3192	powershell.exe
Token: SeDebugPrivilege	3192	powershell.exe
Token: SeSystemEnvironmentPrivilege	3192	powershell.exe
Token: SeRemoteShutdownPrivilege	3192	powershell.exe
Token: SeUndockPrivilege	3192	powershell.exe
Token: SeManageVolumePrivilege	3192	powershell.exe
Token: 33	3192	powershell.exe
Token: 34	3192	powershell.exe
Token: 35	3192	powershell.exe
Token: 36	3192	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeIncreaseQuotaPrivilege	2224	powershell.exe
Token: SeSecurityPrivilege	2224	powershell.exe
Token: SeTakeOwnershipPrivilege	2224	powershell.exe
Token: SeLoadDriverPrivilege	2224	powershell.exe
Token: SeSystemProfilePrivilege	2224	powershell.exe
Token: SeSystemtimePrivilege	2224	powershell.exe
Token: SeProfSingleProcessPrivilege	2224	powershell.exe
Token: SeIncBasePriorityPrivilege	2224	powershell.exe
Token: SeCreatePagefilePrivilege	2224	powershell.exe
Token: SeBackupPrivilege	2224	powershell.exe
Token: SeRestorePrivilege	2224	powershell.exe
Token: SeShutdownPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeSystemEnvironmentPrivilege	2224	powershell.exe
Token: SeRemoteShutdownPrivilege	2224	powershell.exe
Token: SeUndockPrivilege	2224	powershell.exe
Token: SeManageVolumePrivilege	2224	powershell.exe
Token: 33	2224	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

gjruheigerg.exe

pid process

3780 gjruheigerg.exe

pid	process
3780	gjruheigerg.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

gjruheigerg.execmd.exe

description	pid	process	target process
PID 3780 wrote to memory of 3988	3780	gjruheigerg.exe	powershell.exe
PID 3780 wrote to memory of 3988	3780	gjruheigerg.exe	powershell.exe
PID 3780 wrote to memory of 3192	3780	gjruheigerg.exe	powershell.exe
PID 3780 wrote to memory of 3192	3780	gjruheigerg.exe	powershell.exe
PID 3780 wrote to memory of 2224	3780	gjruheigerg.exe	powershell.exe
PID 3780 wrote to memory of 2224	3780	gjruheigerg.exe	powershell.exe
PID 3780 wrote to memory of 1128	3780	gjruheigerg.exe	powershell.exe
PID 3780 wrote to memory of 1128	3780	gjruheigerg.exe	powershell.exe
PID 3780 wrote to memory of 4648	3780	gjruheigerg.exe	schtasks.exe
PID 3780 wrote to memory of 4648	3780	gjruheigerg.exe	schtasks.exe
PID 3780 wrote to memory of 4816	3780	gjruheigerg.exe	schtasks.exe
PID 3780 wrote to memory of 4816	3780	gjruheigerg.exe	schtasks.exe
PID 3780 wrote to memory of 3316	3780	gjruheigerg.exe	cmd.exe
PID 3780 wrote to memory of 3316	3780	gjruheigerg.exe	cmd.exe
PID 3316 wrote to memory of 2024	3316	cmd.exe	timeout.exe
PID 3316 wrote to memory of 2024	3316	cmd.exe	timeout.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\gjruheigerg.exe
"C:\Users\Admin\AppData\Local\Temp\gjruheigerg.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\gjruheigerg.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'gjruheigerg.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'discord_autoupdaterconfifm.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1128

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "discord_autoupdaterconfifm" /tr "C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:4648

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /f /tn "discord_autoupdaterconfifm"
2⤵
PID:4816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1BA1.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:3316

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:2024

C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe
C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe
1⤵
- Executes dropped EXE
PID:4596

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b82eb6df632119fd00472c1dec2875ae

SHA1
8afd3e6ecf296376519e80b469390f36e17638dd

SHA256
afdf2652c81bef3407777c8138512d7a59555759d4183b789b7ff26d13ab3db2

SHA512
c9778203390db634d2122904491c3458cf8360ab23b1c36920b2a3c7b1169074917c2d151cc9face261f7d5fb449656c610679790d6a65f50d49da13d0ab9f2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e76deb8792e5f8aee3a4bf3fa2033f54

SHA1
1450761c06fed4c359fde7493462447662a73da8

SHA256
1df2e0c50d046fe4178517c95b57b3eddb6c45bada8367862351b19f305c3e14

SHA512
6f55bf86cee069def1c8fb4d097b88270727485d4e0c08c4e85348ab0703c2997d212cafabda8f1636087fcbe7673f21f9869d0c4d2617c09f8de3fc4c96ef24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1f7981a609b095a06d22cc80fea38e73

SHA1
db0c8e085f6a794a20a0e523e1732f4e805ac2f3

SHA256
5b371e9be3798897a3357cffe078d922a4a1db39de1847e8a1d4c1ce665a160b

SHA512
130dd039d323321ec14d88ad4dd6875cd235ae0f86a688c8173e44ea17c32022ab4cf6b7b86617eb76e1a6a20451604e9a9577c1b3ebd57d4a5b6175f317eec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3oj1intk.ago.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe
Filesize
84KB

MD5
b5fbb4aec5eaf3f64a592e72ac30a1ab

SHA1
993b36feeb223032ec7a536687cfe37ddf2ffd39

SHA256
ca608f15c34d7526591d75a76d1a29ef03e17c133ef2dfb7dda09be631d0e449

SHA512
8768a68783e11654da0815b574e7e20c3cdaa4b4f710b6d288f9a69082f040177d32b2fdaf34b42239308ea21d4e3fc4319b67145b0f2b8126a4fc7a007dcc53

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1BA1.tmp.bat
Filesize
163B

MD5
8cc3c375d66a7ceceffe5d0417b9bac4

SHA1
6f187e8d7c7f33e24f7ad4a24d01b49db391f4bb

SHA256
2f7ff0e735bfa482fa7213205e960b71a2501b7be408934b2fb136c7ecf8d92e

SHA512
edc666e5e457d0ea2e5acfbdbc6fd35ae4f3d329cb84c54f1c8030540b50885c44ed176abf463ec567530d0e68999fa263337b1f470f44c927723c40eb3fd691

Download Submit
memory/3780-186-0x00007FF8922E3000-0x00007FF8922E4000-memory.dmp

Filesize
4KB

Download
memory/3780-0-0x00000000009E0000-0x00000000009FC000-memory.dmp

Filesize
112KB

Download
memory/3780-2-0x00007FF8922E0000-0x00007FF892CCC000-memory.dmp

Filesize
9.9MB

Download
memory/3780-1-0x00007FF8922E3000-0x00007FF8922E4000-memory.dmp

Filesize
4KB

Download
memory/3780-187-0x00007FF8922E0000-0x00007FF892CCC000-memory.dmp

Filesize
9.9MB

Download
memory/3780-194-0x00007FF8922E0000-0x00007FF892CCC000-memory.dmp

Filesize
9.9MB

Download
memory/3988-52-0x00007FF8922E0000-0x00007FF892CCC000-memory.dmp

Filesize
9.9MB

Download
memory/3988-8-0x000002605EA70000-0x000002605EA92000-memory.dmp

Filesize
136KB

Download
memory/3988-7-0x00007FF8922E0000-0x00007FF892CCC000-memory.dmp

Filesize
9.9MB

Download
memory/3988-9-0x00007FF8922E0000-0x00007FF892CCC000-memory.dmp

Filesize
9.9MB

Download
memory/3988-13-0x000002605EC20000-0x000002605EC96000-memory.dmp

Filesize
472KB

Download
memory/3988-10-0x00007FF8922E0000-0x00007FF892CCC000-memory.dmp

Filesize
9.9MB

Download