xworm | 4b14895a45058c34fb029d0b867412bba2ba76aceb444f28b3b312b98a5a73df

Resubmissions

14/03/2024, 10:26

240314-mgrjcsbh52 10

14/03/2024, 10:25

240314-mfxc8ahe7z 10

Analysis

max time kernel
3s
max time network
28s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
14/03/2024, 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rino's Discord Account ToolKit/Rinos_Discord_Account_ToolKit.exe
Size

4.3MB
MD5

a7553cc8ad2b91025f5bfb532090d2b6
SHA1

5326aeb29d57118faaad3af9946584b87ad7f0d0
SHA256

6aeee8b13c11c4157a2a92a38270c30af85fb060e5ccf3ef54994d2c3a1cf5b4
SHA512

1a62dec71262fcf6561cf6ea615f9cb0a4d9d495e8759ab62b5980f6ad4211effce2e3f0726e69afb55441999e264ea25512db0e6d584d4c7e3c949429c9b81c
SSDEEP

98304:XIPanxb7sGW9NcEJn5kKxGOd82SqTxaA/XjOqC1kIq9o8ha:Ys7sGqNcLGGOJSeV7L9o

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

Attributes

install_file
game.exe

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral18/memory/4948-8-0x0000023728740000-0x0000023728790000-memory.dmp	family_xworm
behavioral18/files/0x000800000001ab07-7.dat	family_xworm
behavioral18/memory/4948-26-0x000002372A300000-0x000002372A314000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelCpHDCPSvc.exe	Rinos_Discord_Account_ToolKit.exe

Executes dropped EXE 2 IoCs

pid	Process
4948	IntelCpHDCPSvc.exe
4804	Rino's Discord Account ToolKit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4948	IntelCpHDCPSvc.exe
Token: SeDebugPrivilege	4948	IntelCpHDCPSvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 4948	4796	Rinos_Discord_Account_ToolKit.exe	72
PID 4796 wrote to memory of 4948	4796	Rinos_Discord_Account_ToolKit.exe	72
PID 4796 wrote to memory of 4804	4796	Rinos_Discord_Account_ToolKit.exe	73
PID 4796 wrote to memory of 4804	4796	Rinos_Discord_Account_ToolKit.exe	73

C:\Users\Admin\AppData\Local\Temp\Rino's Discord Account ToolKit\Rinos_Discord_Account_ToolKit.exe
"C:\Users\Admin\AppData\Local\Temp\Rino's Discord Account ToolKit\Rinos_Discord_Account_ToolKit.exe"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelCpHDCPSvc.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelCpHDCPSvc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelCpHDCPSvc.exe'
    3⤵
    PID:4492
- C:\TOOLS\Rino's Discord Account ToolKit.exe
  "C:\TOOLS\Rino's Discord Account ToolKit.exe"
  2⤵
  - Executes dropped EXE
  PID:4804

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{3cd6e95c-73b4-4104-898e-76ffd0b6398f}
1⤵
PID:3184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\TOOLS\Rino's Discord Account ToolKit.exe

Filesize
1.2MB

MD5
3d286f72d5f76083035d71b63312bdcf

SHA1
a60ce64eb8b99eb1937dea4ded872e596acdf8a9

SHA256
b94bdc69fce96ab13e6068c6af544c9fcee44bec0b960624ca629aea295fee3b

SHA512
459037fef413c20bd51837aa75b34ae5919faeffb790fc70c73d957c1ae3c63f0f2d7b0cc7c6f2ca76d58dd31be3e52a7b9868c645f7207e6f56092f0d779a0b

Download Submit
C:\TOOLS\Rino's Discord Account ToolKit.exe

Filesize
116KB

MD5
4b8fda586088860c2514b4c4fd4d8de4

SHA1
66a3dfd3ae4fdb2f9f8584db88d2dd95802cb480

SHA256
4c15e794d2ebe8dd14a871070ec010351b19fbce817dae2b116eff1b372a7d08

SHA512
66224b0543616e5a2eb6cb3e9f2d793d89bca8da633e7e02852c3df1ded78f7ea455dfb3d876007e4aa0dfd1d99eccca80350c3e7524256839e2324f00ccc027

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelCpHDCPSvc.exe

Filesize
301KB

MD5
34613dee8aeb37cf39ea63ce5fdb47ea

SHA1
c0c5816551614719bb79b7fc5f0092f3c6e50f6f

SHA256
9a14d4f1fc797330557379e7fdec808cd3ef0ba5d372c02f8ce37a86b8bed214

SHA512
0d11526487843c62fe0edf3fbba413ac6c035e8b3ce8d47f878daf9ab39e45aae4d7108e4a1652da144b8af6c38c20df354fd34850df51943748f6c21e7f36e2

Download Submit
memory/380-62-0x000001D6AEBC0000-0x000001D6AEBEA000-memory.dmp

Filesize
168KB

Download
memory/380-69-0x000001D6AEBC0000-0x000001D6AEBEA000-memory.dmp

Filesize
168KB

Download
memory/380-66-0x00007FFC9ACD0000-0x00007FFC9ACE0000-memory.dmp

Filesize
64KB

Download
memory/492-74-0x000002517B6D0000-0x000002517B6FA000-memory.dmp

Filesize
168KB

Download
memory/492-67-0x000002517B6D0000-0x000002517B6FA000-memory.dmp

Filesize
168KB

Download
memory/492-72-0x00007FFC9ACD0000-0x00007FFC9ACE0000-memory.dmp

Filesize
64KB

Download
memory/588-37-0x000001E7E2350000-0x000001E7E2373000-memory.dmp

Filesize
140KB

Download
memory/588-40-0x000001E7E2380000-0x000001E7E23AA000-memory.dmp

Filesize
168KB

Download
memory/588-42-0x00007FFC9ACD0000-0x00007FFC9ACE0000-memory.dmp

Filesize
64KB

Download
memory/588-49-0x00007FFCDACE5000-0x00007FFCDACE6000-memory.dmp

Filesize
4KB

Download
memory/608-75-0x00007FFC9ACD0000-0x00007FFC9ACE0000-memory.dmp

Filesize
64KB

Download
memory/608-78-0x000001DC84DC0000-0x000001DC84DEA000-memory.dmp

Filesize
168KB

Download
memory/608-71-0x000001DC84DC0000-0x000001DC84DEA000-memory.dmp

Filesize
168KB

Download
memory/640-45-0x00007FFC9ACD0000-0x00007FFC9ACE0000-memory.dmp

Filesize
64KB

Download
memory/640-43-0x00000174CA230000-0x00000174CA25A000-memory.dmp

Filesize
168KB

Download
memory/720-53-0x00007FFC9ACD0000-0x00007FFC9ACE0000-memory.dmp

Filesize
64KB

Download
memory/720-52-0x0000025C82F90000-0x0000025C82FBA000-memory.dmp

Filesize
168KB

Download
memory/900-59-0x00007FFC9ACD0000-0x00007FFC9ACE0000-memory.dmp

Filesize
64KB

Download
memory/900-57-0x0000026184EF0000-0x0000026184F1A000-memory.dmp

Filesize
168KB

Download
memory/992-55-0x0000019D1D350000-0x0000019D1D37A000-memory.dmp

Filesize
168KB

Download
memory/992-61-0x0000019D1D350000-0x0000019D1D37A000-memory.dmp

Filesize
168KB

Download
memory/992-65-0x00007FFCDACE5000-0x00007FFCDACE6000-memory.dmp

Filesize
4KB

Download
memory/1072-83-0x000001E770560000-0x000001E77058A000-memory.dmp

Filesize
168KB

Download
memory/1072-76-0x000001E770560000-0x000001E77058A000-memory.dmp

Filesize
168KB

Download
memory/1072-81-0x00007FFC9ACD0000-0x00007FFC9ACE0000-memory.dmp

Filesize
64KB

Download
memory/1088-89-0x000001CF740A0000-0x000001CF740CA000-memory.dmp

Filesize
168KB

Download
memory/1088-85-0x00007FFC9ACD0000-0x00007FFC9ACE0000-memory.dmp

Filesize
64KB

Download
memory/1088-82-0x000001CF740A0000-0x000001CF740CA000-memory.dmp

Filesize
168KB

Download
memory/1196-94-0x000002DB782B0000-0x000002DB782DA000-memory.dmp

Filesize
168KB

Download
memory/1196-87-0x000002DB782B0000-0x000002DB782DA000-memory.dmp

Filesize
168KB

Download
memory/1196-92-0x00007FFC9ACD0000-0x00007FFC9ACE0000-memory.dmp

Filesize
64KB

Download
memory/1216-95-0x00007FFC9ACD0000-0x00007FFC9ACE0000-memory.dmp

Filesize
64KB

Download
memory/1216-98-0x000001DF7A400000-0x000001DF7A42A000-memory.dmp

Filesize
168KB

Download
memory/1216-91-0x000001DF7A400000-0x000001DF7A42A000-memory.dmp

Filesize
168KB

Download
memory/1228-101-0x00007FFC9ACD0000-0x00007FFC9ACE0000-memory.dmp

Filesize
64KB

Download
memory/1228-97-0x000001596CEB0000-0x000001596CEDA000-memory.dmp

Filesize
168KB

Download
memory/1236-105-0x000001BAC7C90000-0x000001BAC7CBA000-memory.dmp

Filesize
168KB

Download
memory/1424-106-0x000001BA8C580000-0x000001BA8C5AA000-memory.dmp

Filesize
168KB

Download
memory/1444-117-0x000001F5B96F0000-0x000001F5B971A000-memory.dmp

Filesize
168KB

Download
memory/1480-122-0x000002081E4D0000-0x000002081E4FA000-memory.dmp

Filesize
168KB

Download
memory/1564-129-0x00000258F6140000-0x00000258F616A000-memory.dmp

Filesize
168KB

Download
memory/1580-136-0x000002801F8E0000-0x000002801F90A000-memory.dmp

Filesize
168KB

Download
memory/1608-150-0x000001E61D2D0000-0x000001E61D2FA000-memory.dmp

Filesize
168KB

Download
memory/3184-31-0x00007FFCD91A0000-0x00007FFCD924E000-memory.dmp

Filesize
696KB

Download
memory/3184-24-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3184-28-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3184-32-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3184-33-0x00007FFCDAC40000-0x00007FFCDAE1B000-memory.dmp

Filesize
1.9MB

Download
memory/3184-35-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3184-27-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3184-30-0x00007FFCDAC40000-0x00007FFCDAE1B000-memory.dmp

Filesize
1.9MB

Download
memory/4492-145-0x00007FFCCD2F0000-0x00007FFCCDCDC000-memory.dmp

Filesize
9.9MB

Download
memory/4796-2-0x000000001B820000-0x000000001B830000-memory.dmp

Filesize
64KB

Download
memory/4796-1-0x00007FFCCD2F0000-0x00007FFCCDCDC000-memory.dmp

Filesize
9.9MB

Download
memory/4796-0-0x00000000007E0000-0x0000000000C30000-memory.dmp

Filesize
4.3MB

Download
memory/4796-20-0x00007FFCCD2F0000-0x00007FFCCDCDC000-memory.dmp

Filesize
9.9MB

Download
memory/4804-29-0x000002A1B7BF0000-0x000002A1B7C00000-memory.dmp

Filesize
64KB

Download
memory/4804-21-0x000002A19D310000-0x000002A19D714000-memory.dmp

Filesize
4.0MB

Download
memory/4804-22-0x00007FFCCD2F0000-0x00007FFCCDCDC000-memory.dmp

Filesize
9.9MB

Download
memory/4804-34-0x000002A1B7DA0000-0x000002A1B8254000-memory.dmp

Filesize
4.7MB

Download
memory/4804-102-0x000002A1B7BF0000-0x000002A1B7C00000-memory.dmp

Filesize
64KB

Download
memory/4948-11-0x000002372A2C0000-0x000002372A2FE000-memory.dmp

Filesize
248KB

Download
memory/4948-114-0x00007FFCCD2F0000-0x00007FFCCDCDC000-memory.dmp

Filesize
9.9MB

Download
memory/4948-8-0x0000023728740000-0x0000023728790000-memory.dmp

Filesize
320KB

Download
memory/4948-18-0x00007FFCDAC40000-0x00007FFCDAE1B000-memory.dmp

Filesize
1.9MB

Download
memory/4948-19-0x00007FFCD91A0000-0x00007FFCD924E000-memory.dmp

Filesize
696KB

Download
memory/4948-13-0x00007FFCCD2F0000-0x00007FFCCDCDC000-memory.dmp

Filesize
9.9MB

Download
memory/4948-25-0x00007FFCD91A0000-0x00007FFCD924E000-memory.dmp

Filesize
696KB

Download
memory/4948-23-0x0000023743010000-0x0000023743020000-memory.dmp

Filesize
64KB

Download
memory/4948-26-0x000002372A300000-0x000002372A314000-memory.dmp

Filesize
80KB

Download