xworm | ca608f15c34d7526591d75a76d1a29ef03e17c133ef2dfb7dda09be631d0e449

Analysis

max time kernel
54s
max time network
53s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
30-06-2024 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gjruheigerg.exe
Size

84KB
MD5

b5fbb4aec5eaf3f64a592e72ac30a1ab
SHA1

993b36feeb223032ec7a536687cfe37ddf2ffd39
SHA256

ca608f15c34d7526591d75a76d1a29ef03e17c133ef2dfb7dda09be631d0e449
SHA512

8768a68783e11654da0815b574e7e20c3cdaa4b4f710b6d288f9a69082f040177d32b2fdaf34b42239308ea21d4e3fc4319b67145b0f2b8126a4fc7a007dcc53
SSDEEP

1536:Xb5H+OMwTEBrZ5idVjzXGbhpTw6DG6GiyoAOsjJKVV4yAETSAJ0iH:rgG0FkbH2bhpM6NAOsViyylyY

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

79.202.250.5:80

Attributes

Install_directory
%Temp%
install_file
discord_autoupdaterconfifm.exe
telegram
https://api.telegram.org/bot7345950584:AAH5ca8n_1S4bD12cZuSsr23SjFGXJYzRk0

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource yara_rule

behavioral2/memory/2024-0-0x0000000000480000-0x000000000049C000-memory.dmp family_xworm
C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

4648 powershell.exe
2716 powershell.exe
1744 powershell.exe
5092 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

discord_autoupdaterconfifm.exe

pid process

3340 discord_autoupdaterconfifm.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4416 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4496 schtasks.exe

resource	yara_rule
behavioral2/memory/2024-0-0x0000000000480000-0x000000000049C000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe	family_xworm

pid	process
4648	powershell.exe
2716	powershell.exe
1744	powershell.exe
5092	powershell.exe

pid	process
3340	discord_autoupdaterconfifm.exe

flow	ioc
1	ip-api.com

pid	process
4416	timeout.exe

pid	process
4496	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exegjruheigerg.exe

pid	process
2716	powershell.exe
2716	powershell.exe
2716	powershell.exe
1744	powershell.exe
1744	powershell.exe
1744	powershell.exe
5092	powershell.exe
5092	powershell.exe
5092	powershell.exe
4648	powershell.exe
4648	powershell.exe
4648	powershell.exe
2024	gjruheigerg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

gjruheigerg.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2024	gjruheigerg.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeIncreaseQuotaPrivilege	2716	powershell.exe
Token: SeSecurityPrivilege	2716	powershell.exe
Token: SeTakeOwnershipPrivilege	2716	powershell.exe
Token: SeLoadDriverPrivilege	2716	powershell.exe
Token: SeSystemProfilePrivilege	2716	powershell.exe
Token: SeSystemtimePrivilege	2716	powershell.exe
Token: SeProfSingleProcessPrivilege	2716	powershell.exe
Token: SeIncBasePriorityPrivilege	2716	powershell.exe
Token: SeCreatePagefilePrivilege	2716	powershell.exe
Token: SeBackupPrivilege	2716	powershell.exe
Token: SeRestorePrivilege	2716	powershell.exe
Token: SeShutdownPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeSystemEnvironmentPrivilege	2716	powershell.exe
Token: SeRemoteShutdownPrivilege	2716	powershell.exe
Token: SeUndockPrivilege	2716	powershell.exe
Token: SeManageVolumePrivilege	2716	powershell.exe
Token: 33	2716	powershell.exe
Token: 34	2716	powershell.exe
Token: 35	2716	powershell.exe
Token: 36	2716	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeIncreaseQuotaPrivilege	1744	powershell.exe
Token: SeSecurityPrivilege	1744	powershell.exe
Token: SeTakeOwnershipPrivilege	1744	powershell.exe
Token: SeLoadDriverPrivilege	1744	powershell.exe
Token: SeSystemProfilePrivilege	1744	powershell.exe
Token: SeSystemtimePrivilege	1744	powershell.exe
Token: SeProfSingleProcessPrivilege	1744	powershell.exe
Token: SeIncBasePriorityPrivilege	1744	powershell.exe
Token: SeCreatePagefilePrivilege	1744	powershell.exe
Token: SeBackupPrivilege	1744	powershell.exe
Token: SeRestorePrivilege	1744	powershell.exe
Token: SeShutdownPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeSystemEnvironmentPrivilege	1744	powershell.exe
Token: SeRemoteShutdownPrivilege	1744	powershell.exe
Token: SeUndockPrivilege	1744	powershell.exe
Token: SeManageVolumePrivilege	1744	powershell.exe
Token: 33	1744	powershell.exe
Token: 34	1744	powershell.exe
Token: 35	1744	powershell.exe
Token: 36	1744	powershell.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeIncreaseQuotaPrivilege	5092	powershell.exe
Token: SeSecurityPrivilege	5092	powershell.exe
Token: SeTakeOwnershipPrivilege	5092	powershell.exe
Token: SeLoadDriverPrivilege	5092	powershell.exe
Token: SeSystemProfilePrivilege	5092	powershell.exe
Token: SeSystemtimePrivilege	5092	powershell.exe
Token: SeProfSingleProcessPrivilege	5092	powershell.exe
Token: SeIncBasePriorityPrivilege	5092	powershell.exe
Token: SeCreatePagefilePrivilege	5092	powershell.exe
Token: SeBackupPrivilege	5092	powershell.exe
Token: SeRestorePrivilege	5092	powershell.exe
Token: SeShutdownPrivilege	5092	powershell.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeSystemEnvironmentPrivilege	5092	powershell.exe
Token: SeRemoteShutdownPrivilege	5092	powershell.exe
Token: SeUndockPrivilege	5092	powershell.exe
Token: SeManageVolumePrivilege	5092	powershell.exe
Token: 33	5092	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

gjruheigerg.exe

pid process

2024 gjruheigerg.exe

pid	process
2024	gjruheigerg.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

gjruheigerg.execmd.exe

description	pid	process	target process
PID 2024 wrote to memory of 2716	2024	gjruheigerg.exe	powershell.exe
PID 2024 wrote to memory of 2716	2024	gjruheigerg.exe	powershell.exe
PID 2024 wrote to memory of 1744	2024	gjruheigerg.exe	powershell.exe
PID 2024 wrote to memory of 1744	2024	gjruheigerg.exe	powershell.exe
PID 2024 wrote to memory of 5092	2024	gjruheigerg.exe	powershell.exe
PID 2024 wrote to memory of 5092	2024	gjruheigerg.exe	powershell.exe
PID 2024 wrote to memory of 4648	2024	gjruheigerg.exe	powershell.exe
PID 2024 wrote to memory of 4648	2024	gjruheigerg.exe	powershell.exe
PID 2024 wrote to memory of 4496	2024	gjruheigerg.exe	schtasks.exe
PID 2024 wrote to memory of 4496	2024	gjruheigerg.exe	schtasks.exe
PID 2024 wrote to memory of 4716	2024	gjruheigerg.exe	schtasks.exe
PID 2024 wrote to memory of 4716	2024	gjruheigerg.exe	schtasks.exe
PID 2024 wrote to memory of 1176	2024	gjruheigerg.exe	cmd.exe
PID 2024 wrote to memory of 1176	2024	gjruheigerg.exe	cmd.exe
PID 1176 wrote to memory of 4416	1176	cmd.exe	timeout.exe
PID 1176 wrote to memory of 4416	1176	cmd.exe	timeout.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\gjruheigerg.exe
"C:\Users\Admin\AppData\Local\Temp\gjruheigerg.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\gjruheigerg.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'gjruheigerg.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'discord_autoupdaterconfifm.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4648

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "discord_autoupdaterconfifm" /tr "C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:4496

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /f /tn "discord_autoupdaterconfifm"
2⤵
PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2FE5.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:4416

C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe
C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe
1⤵
- Executes dropped EXE
PID:3340

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6e95a4c17420177ac092e69f02ef9631

SHA1
cc2f58ea7e0a776997821c11c481f378f7127a0c

SHA256
76195db50d5b712922cb375386be8f919fd80dead8f531dec46d4f942cc58342

SHA512
308d844a1733a4227972a399dade8642e66dfe10683644dec85e29d79d1f7cfc824ef2d11844044821a2ea22f80d65aa991014eff2f4af2d2f0540409ee5a560

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1904b939ca1fe44637040594ad29bcdf

SHA1
6502e3c04ed6d4b607be841b1b16d9fdb829ae63

SHA256
338382183bba1888b4e71858cd3663ce194f8f15d64b96cbb2aaa35756016eca

SHA512
95273c03b4fb5c74986c93f60a2a6e166315dcd797df5de6db5828fd6a6212f649df6a2eeebbab7e0fdb955b2fe010c7e21b5ce6b600c6fb7db0bdda78f61cbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
794b3d4abb90736ecb991f569ae37b7d

SHA1
e5563634931b869a7ca2fe7f08c05bd82823aa84

SHA256
f7a99bc76b3d9ef1e049f65455813ee28c10e643b66c3f6eb45574479afeabc5

SHA512
511fb40c12c3335221998d4f1fde036b12f3f3d4486024947dde3d773cafc0f56eda4b9dcacc7fc51bc4d4bf02bb61e616505adc54269ceeb593180a4d494214

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_he5u0ovk.tox.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe
Filesize
84KB

MD5
b5fbb4aec5eaf3f64a592e72ac30a1ab

SHA1
993b36feeb223032ec7a536687cfe37ddf2ffd39

SHA256
ca608f15c34d7526591d75a76d1a29ef03e17c133ef2dfb7dda09be631d0e449

SHA512
8768a68783e11654da0815b574e7e20c3cdaa4b4f710b6d288f9a69082f040177d32b2fdaf34b42239308ea21d4e3fc4319b67145b0f2b8126a4fc7a007dcc53

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2FE5.tmp.bat
Filesize
163B

MD5
d0de51bc48399edcd23fb59cda27226c

SHA1
e0acf6570a45880857aad288e731514b3eb00d1b

SHA256
168c7f5da48c8743f7e57a7d732ab80c458010496281067c908fb4dc5de713c1

SHA512
38a7751b79b47410f6aef11983bae7ea20dee54e3e0feeb245f93e8b790ba45ce83d5d0df61aa6449d18d24f679ee2d2e53d986da9c1e0953a8496831286ae01

Download Submit
memory/2024-183-0x00007FFBF4EC3000-0x00007FFBF4EC4000-memory.dmp

Filesize
4KB

Download
memory/2024-0-0x0000000000480000-0x000000000049C000-memory.dmp

Filesize
112KB

Download
memory/2024-2-0x00007FFBF4EC0000-0x00007FFBF58AC000-memory.dmp

Filesize
9.9MB

Download
memory/2024-1-0x00007FFBF4EC3000-0x00007FFBF4EC4000-memory.dmp

Filesize
4KB

Download
memory/2024-184-0x00007FFBF4EC0000-0x00007FFBF58AC000-memory.dmp

Filesize
9.9MB

Download
memory/2024-192-0x00007FFBF4EC0000-0x00007FFBF58AC000-memory.dmp

Filesize
9.9MB

Download
memory/2716-51-0x00007FFBF4EC0000-0x00007FFBF58AC000-memory.dmp

Filesize
9.9MB

Download
memory/2716-7-0x000001E8CCA50000-0x000001E8CCA72000-memory.dmp

Filesize
136KB

Download
memory/2716-8-0x00007FFBF4EC0000-0x00007FFBF58AC000-memory.dmp

Filesize
9.9MB

Download
memory/2716-11-0x00007FFBF4EC0000-0x00007FFBF58AC000-memory.dmp

Filesize
9.9MB

Download
memory/2716-12-0x00007FFBF4EC0000-0x00007FFBF58AC000-memory.dmp

Filesize
9.9MB

Download
memory/2716-13-0x000001E8CCC00000-0x000001E8CCC76000-memory.dmp

Filesize
472KB

Download