xworm | ca608f15c34d7526591d75a76d1a29ef03e17c133ef2dfb7dda09be631d0e449

Analysis

max time kernel
5s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gjruheigerg.exe
Size

84KB
MD5

b5fbb4aec5eaf3f64a592e72ac30a1ab
SHA1

993b36feeb223032ec7a536687cfe37ddf2ffd39
SHA256

ca608f15c34d7526591d75a76d1a29ef03e17c133ef2dfb7dda09be631d0e449
SHA512

8768a68783e11654da0815b574e7e20c3cdaa4b4f710b6d288f9a69082f040177d32b2fdaf34b42239308ea21d4e3fc4319b67145b0f2b8126a4fc7a007dcc53
SSDEEP

1536:Xb5H+OMwTEBrZ5idVjzXGbhpTw6DG6GiyoAOsjJKVV4yAETSAJ0iH:rgG0FkbH2bhpM6NAOsViyylyY

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

79.202.250.5:80

Attributes

Install_directory
%Temp%
install_file
discord_autoupdaterconfifm.exe
telegram
https://api.telegram.org/bot7345950584:AAH5ca8n_1S4bD12cZuSsr23SjFGXJYzRk0

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource yara_rule

behavioral3/memory/3660-1-0x0000000000AB0000-0x0000000000ACC000-memory.dmp family_xworm
C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

4152 powershell.exe
3684 powershell.exe
2260 powershell.exe
4224 powershell.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ip-api.com
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2880 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

3520 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

gjruheigerg.exe

description pid process

Token: SeDebugPrivilege 3660 gjruheigerg.exe

resource	yara_rule
behavioral3/memory/3660-1-0x0000000000AB0000-0x0000000000ACC000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe	family_xworm

pid	process
4152	powershell.exe
3684	powershell.exe
2260	powershell.exe
4224	powershell.exe

flow	ioc
7	ip-api.com

pid	process
2880	timeout.exe

pid	process
3520	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	3660	gjruheigerg.exe

C:\Users\Admin\AppData\Local\Temp\gjruheigerg.exe
"C:\Users\Admin\AppData\Local\Temp\gjruheigerg.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\gjruheigerg.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
PID:4152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'gjruheigerg.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
PID:3684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
PID:2260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'discord_autoupdaterconfifm.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
PID:4224

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "discord_autoupdaterconfifm" /tr "C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:3520

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /f /tn "discord_autoupdaterconfifm"
2⤵
PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5BF6.tmp.bat""
2⤵
PID:4832

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:2880

C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe
C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe
1⤵
PID:3732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3376 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:4460

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d3e8199b4634731cf0a0c26c1f14f588

SHA1
7f8fae27eb80055a436a6b5457978f32673d9ad4

SHA256
ef33f487f93c2977e92fb08d6bdcc9d48b5d1864c402f9d3fbf3e1b30e8b3b9a

SHA512
806a123100dbc1ca1b27bbad5b93c3a9a840dc795127af8523333a71259a8c5ef8aefccb83ef390f2644e013f138c4b7b63c584acccb197aada0c70c038032e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
b3bc9ca267ea2969eb6201d77e58560c

SHA1
78f83a443aa1ca235edcab2da9e2fda6fecc1da4

SHA256
7ea18b6f900f2c30a5c34845d62d4fe9fc1f11e40714b3dbd69592cbfb5dc695

SHA512
8cc70e4f88f3d9f59beec22dafdb403144f7f390250205e08279a2f8e01e783af44ae31aa4a8a7ea05865b05303ac5e5048f7fb44488be538d9701b6195e9b28

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_avbodd4c.fax.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe
Filesize
84KB

MD5
b5fbb4aec5eaf3f64a592e72ac30a1ab

SHA1
993b36feeb223032ec7a536687cfe37ddf2ffd39

SHA256
ca608f15c34d7526591d75a76d1a29ef03e17c133ef2dfb7dda09be631d0e449

SHA512
8768a68783e11654da0815b574e7e20c3cdaa4b4f710b6d288f9a69082f040177d32b2fdaf34b42239308ea21d4e3fc4319b67145b0f2b8126a4fc7a007dcc53

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5BF6.tmp.bat
Filesize
163B

MD5
84b8e05b354066d5edbb7d3a92b71916

SHA1
1b4e7d48d07dfeca489339f8898afd4311892b94

SHA256
6477799c622acf0f3c84149400d73a616636229f905a20eae0f3f4271f56d876

SHA512
6ea52847c0190e25690337f5e08441e1386568b14ff077f906fb8318cdc8bb4688ecc5b5b72446681d681141027083667ed8c477e30c6f41ddd3de7fc28e146e

Download Submit
memory/3660-65-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/3660-57-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/3660-56-0x00007FFE94223000-0x00007FFE94225000-memory.dmp

Filesize
8KB

Download
memory/3660-0-0x00007FFE94223000-0x00007FFE94225000-memory.dmp

Filesize
8KB

Download
memory/3660-2-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/3660-1-0x0000000000AB0000-0x0000000000ACC000-memory.dmp

Filesize
112KB

Download
memory/4152-13-0x000001B098980000-0x000001B0989A2000-memory.dmp

Filesize
136KB

Download
memory/4152-20-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/4152-17-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/4152-16-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/4152-15-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/4152-14-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download
memory/4152-8-0x00007FFE94220000-0x00007FFE94CE1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads