xworm | 4b14895a45058c34fb029d0b867412bba2ba76aceb444f28b3b312b98a5a73df

Resubmissions

14/03/2024, 10:26

240314-mgrjcsbh52 10

14/03/2024, 10:25

240314-mfxc8ahe7z 10

Analysis

max time kernel
3s
max time network
34s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rino's Discord Account ToolKit/Rinos_Discord_Account_ToolKit.exe
Size

4.3MB
MD5

a7553cc8ad2b91025f5bfb532090d2b6
SHA1

5326aeb29d57118faaad3af9946584b87ad7f0d0
SHA256

6aeee8b13c11c4157a2a92a38270c30af85fb060e5ccf3ef54994d2c3a1cf5b4
SHA512

1a62dec71262fcf6561cf6ea615f9cb0a4d9d495e8759ab62b5980f6ad4211effce2e3f0726e69afb55441999e264ea25512db0e6d584d4c7e3c949429c9b81c
SSDEEP

98304:XIPanxb7sGW9NcEJn5kKxGOd82SqTxaA/XjOqC1kIq9o8ha:Ys7sGqNcLGGOJSeV7L9o

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

Attributes

install_file
game.exe

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral17/files/0x000c00000001224c-5.dat	family_xworm
behavioral17/memory/2860-9-0x000000013F230000-0x000000013F280000-memory.dmp	family_xworm
behavioral17/memory/2860-30-0x0000000000700000-0x0000000000714000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelCpHDCPSvc.exe	Rinos_Discord_Account_ToolKit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\Rino's Discord Account ToolKit\Rinos_Discord_Account_ToolKit.exe
"C:\Users\Admin\AppData\Local\Temp\Rino's Discord Account ToolKit\Rinos_Discord_Account_ToolKit.exe"
1⤵
- Drops startup file
PID:640
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelCpHDCPSvc.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelCpHDCPSvc.exe"
  2⤵
  PID:2860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelCpHDCPSvc.exe'
    3⤵
    PID:1124
- C:\TOOLS\Rino's Discord Account ToolKit.exe
  "C:\TOOLS\Rino's Discord Account ToolKit.exe"
  2⤵
  PID:2484

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{08cc8eb7-4d71-40f4-b04a-1d7a223e0a46}
1⤵
PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\TOOLS\Rino's Discord Account ToolKit.exe

Filesize
1.9MB

MD5
d4c426bb931d4bc02ac03ce9c1c1093e

SHA1
f284f27a9c8ac3c762c84acad11f9e5b6b0a736b

SHA256
3fd3713e756fb17865e6b269c67d50235b731368825080a630dc473e3aaa3660

SHA512
508993257b42908b854bf0a2bf3e1f73fc98bcf1b31f6ad17074b145cdd00636669e7ddeac29223ad3b0df8497fab042cba668cb0cb19461532b6b270247d07a

Download Submit
C:\TOOLS\Rino's Discord Account ToolKit.exe

Filesize
1.3MB

MD5
8c9d22138ec5d48c43737fb7e3d07f75

SHA1
56fc0081e1b249305b922dbabf177891c28f9616

SHA256
be0f8bdd39e19f9646be83fc1139917fb76ac7ebe1b1b5f508ce41deb0898ffe

SHA512
f288b196e1cd311d4c8ceeba5996e684b5dc77d66f402180bac19d1813e02fa7cbf20a812baca27d3e8d73c2b6bb77e3375acca84e5500a6a6a5b4b2c6aada56

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelCpHDCPSvc.exe

Filesize
301KB

MD5
34613dee8aeb37cf39ea63ce5fdb47ea

SHA1
c0c5816551614719bb79b7fc5f0092f3c6e50f6f

SHA256
9a14d4f1fc797330557379e7fdec808cd3ef0ba5d372c02f8ce37a86b8bed214

SHA512
0d11526487843c62fe0edf3fbba413ac6c035e8b3ce8d47f878daf9ab39e45aae4d7108e4a1652da144b8af6c38c20df354fd34850df51943748f6c21e7f36e2

Download Submit
memory/424-41-0x000007FEBDA40000-0x000007FEBDA50000-memory.dmp

Filesize
64KB

Download
memory/424-42-0x0000000037840000-0x0000000037850000-memory.dmp

Filesize
64KB

Download
memory/424-40-0x0000000000800000-0x000000000082A000-memory.dmp

Filesize
168KB

Download
memory/424-35-0x00000000003F0000-0x0000000000413000-memory.dmp

Filesize
140KB

Download
memory/424-33-0x00000000003F0000-0x0000000000413000-memory.dmp

Filesize
140KB

Download
memory/472-45-0x000007FEBDA40000-0x000007FEBDA50000-memory.dmp

Filesize
64KB

Download
memory/472-43-0x0000000000120000-0x000000000014A000-memory.dmp

Filesize
168KB

Download
memory/640-2-0x000000001B840000-0x000000001B8C0000-memory.dmp

Filesize
512KB

Download
memory/640-1-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/640-0-0x00000000008B0000-0x0000000000D00000-memory.dmp

Filesize
4.3MB

Download
memory/640-19-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/1520-31-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1520-26-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1520-24-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1520-28-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1520-29-0x00000000775E0000-0x00000000776FF000-memory.dmp

Filesize
1.1MB

Download
memory/1520-27-0x0000000077800000-0x00000000779A9000-memory.dmp

Filesize
1.7MB

Download
memory/2484-16-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-38-0x000000001B8A0000-0x000000001BD54000-memory.dmp

Filesize
4.7MB

Download
memory/2484-17-0x0000000000F60000-0x0000000001364000-memory.dmp

Filesize
4.0MB

Download
memory/2484-46-0x0000000000B20000-0x0000000000BA0000-memory.dmp

Filesize
512KB

Download
memory/2860-23-0x000000001BEE0000-0x000000001BF60000-memory.dmp

Filesize
512KB

Download
memory/2860-21-0x0000000077800000-0x00000000779A9000-memory.dmp

Filesize
1.7MB

Download
memory/2860-22-0x00000000775E0000-0x00000000776FF000-memory.dmp

Filesize
1.1MB

Download
memory/2860-18-0x00000000006C0000-0x00000000006FE000-memory.dmp

Filesize
248KB

Download
memory/2860-30-0x0000000000700000-0x0000000000714000-memory.dmp

Filesize
80KB

Download
memory/2860-14-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2860-9-0x000000013F230000-0x000000013F280000-memory.dmp

Filesize
320KB

Download