xworm | ca608f15c34d7526591d75a76d1a29ef03e17c133ef2dfb7dda09be631d0e449

Analysis

max time kernel
29s
max time network
25s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gjruheigerg.exe
Size

84KB
MD5

b5fbb4aec5eaf3f64a592e72ac30a1ab
SHA1

993b36feeb223032ec7a536687cfe37ddf2ffd39
SHA256

ca608f15c34d7526591d75a76d1a29ef03e17c133ef2dfb7dda09be631d0e449
SHA512

8768a68783e11654da0815b574e7e20c3cdaa4b4f710b6d288f9a69082f040177d32b2fdaf34b42239308ea21d4e3fc4319b67145b0f2b8126a4fc7a007dcc53
SSDEEP

1536:Xb5H+OMwTEBrZ5idVjzXGbhpTw6DG6GiyoAOsjJKVV4yAETSAJ0iH:rgG0FkbH2bhpM6NAOsViyylyY

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

79.202.250.5:80

Attributes

Install_directory
%Temp%
install_file
discord_autoupdaterconfifm.exe
telegram
https://api.telegram.org/bot7345950584:AAH5ca8n_1S4bD12cZuSsr23SjFGXJYzRk0

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/2088-1-0x0000000000EC0000-0x0000000000EDC000-memory.dmp family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2364 powershell.exe
2824 powershell.exe
2788 powershell.exe
1464 powershell.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2000 cmd.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1864 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2136 schtasks.exe

resource	yara_rule
behavioral1/memory/2088-1-0x0000000000EC0000-0x0000000000EDC000-memory.dmp	family_xworm

pid	process
2364	powershell.exe
2824	powershell.exe
2788	powershell.exe
1464	powershell.exe

pid	process
2000	cmd.exe

flow	ioc
2	ip-api.com

pid	process
1864	timeout.exe

pid	process
2136	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

taskmgr.exepowershell.exepowershell.exepowershell.exepowershell.exegjruheigerg.exe

pid	process
2680	taskmgr.exe
2680	taskmgr.exe
2788	powershell.exe
1464	powershell.exe
2364	powershell.exe
2680	taskmgr.exe
2824	powershell.exe
2680	taskmgr.exe
2088	gjruheigerg.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

2680 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

gjruheigerg.exetaskmgr.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2088	gjruheigerg.exe
Token: SeDebugPrivilege	2680	taskmgr.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	2088	gjruheigerg.exe

Suspicious use of FindShellTrayWindow 39 IoCs

Processes:

taskmgr.exe

pid	process
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe

Suspicious use of SendNotifyMessage 39 IoCs

Processes:

taskmgr.exe

pid	process
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

gjruheigerg.exe

pid process

2088 gjruheigerg.exe

pid	process
2088	gjruheigerg.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

gjruheigerg.execmd.exe

description	pid	process	target process
PID 2088 wrote to memory of 2788	2088	gjruheigerg.exe	powershell.exe
PID 2088 wrote to memory of 2788	2088	gjruheigerg.exe	powershell.exe
PID 2088 wrote to memory of 2788	2088	gjruheigerg.exe	powershell.exe
PID 2088 wrote to memory of 1464	2088	gjruheigerg.exe	powershell.exe
PID 2088 wrote to memory of 1464	2088	gjruheigerg.exe	powershell.exe
PID 2088 wrote to memory of 1464	2088	gjruheigerg.exe	powershell.exe
PID 2088 wrote to memory of 2364	2088	gjruheigerg.exe	powershell.exe
PID 2088 wrote to memory of 2364	2088	gjruheigerg.exe	powershell.exe
PID 2088 wrote to memory of 2364	2088	gjruheigerg.exe	powershell.exe
PID 2088 wrote to memory of 2824	2088	gjruheigerg.exe	powershell.exe
PID 2088 wrote to memory of 2824	2088	gjruheigerg.exe	powershell.exe
PID 2088 wrote to memory of 2824	2088	gjruheigerg.exe	powershell.exe
PID 2088 wrote to memory of 2136	2088	gjruheigerg.exe	schtasks.exe
PID 2088 wrote to memory of 2136	2088	gjruheigerg.exe	schtasks.exe
PID 2088 wrote to memory of 2136	2088	gjruheigerg.exe	schtasks.exe
PID 2088 wrote to memory of 2336	2088	gjruheigerg.exe	schtasks.exe
PID 2088 wrote to memory of 2336	2088	gjruheigerg.exe	schtasks.exe
PID 2088 wrote to memory of 2336	2088	gjruheigerg.exe	schtasks.exe
PID 2088 wrote to memory of 2000	2088	gjruheigerg.exe	cmd.exe
PID 2088 wrote to memory of 2000	2088	gjruheigerg.exe	cmd.exe
PID 2088 wrote to memory of 2000	2088	gjruheigerg.exe	cmd.exe
PID 2000 wrote to memory of 1864	2000	cmd.exe	timeout.exe
PID 2000 wrote to memory of 1864	2000	cmd.exe	timeout.exe
PID 2000 wrote to memory of 1864	2000	cmd.exe	timeout.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\gjruheigerg.exe
"C:\Users\Admin\AppData\Local\Temp\gjruheigerg.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\gjruheigerg.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'gjruheigerg.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'discord_autoupdaterconfifm.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "discord_autoupdaterconfifm" /tr "C:\Users\Admin\AppData\Local\Temp\discord_autoupdaterconfifm.exe"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /f /tn "discord_autoupdaterconfifm"
2⤵
PID:2336

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp70DC.tmp.bat""
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1864

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2680

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp70DC.tmp.bat
Filesize
163B

MD5
950b65b7614a092ed84c13010cbb3e4d

SHA1
0dbba7cd14b08ad73c65553233e940c908adf6f3

SHA256
76cb47477d886056fa848b7dd08d96947483f15e5b9c7aeb87f97eb7507f35a1

SHA512
966394d60c9ce32293dfcba0fffff0d55ebd2337b7e7b95a9f10522f8633baf3428d09856cdef2ca08ec7c6dc57fba91ac1a18b20f4c3124399426f1f89e7601

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
091e9e84427d6cdabe80ffba7dece2b2

SHA1
04cf66f2fe385f1012efe95b94e51d8084925ae0

SHA256
8ec0a325a67859f9f3e9e1d5079ea0e9280eefeacbe5ca4f51f21292a287eb70

SHA512
379b1cc2b2c09c9668e94a05f9b4af562ccc990e9efa018388f8d250ac43e3e732d9705ac640af0db0e8bbf941006288579d6de3d681d5db074262c7075c145e

Download Submit
memory/1464-17-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/1464-16-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2088-1-0x0000000000EC0000-0x0000000000EDC000-memory.dmp

Filesize
112KB

Download
memory/2088-2-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2088-0-0x000007FEF5F93000-0x000007FEF5F94000-memory.dmp

Filesize
4KB

Download
memory/2088-40-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2088-30-0x000007FEF5F93000-0x000007FEF5F94000-memory.dmp

Filesize
4KB

Download
memory/2680-3-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2680-29-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/2680-4-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2680-41-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2788-10-0x0000000002720000-0x0000000002728000-memory.dmp

Filesize
32KB

Download
memory/2788-9-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download