xworm | 4b14895a45058c34fb029d0b867412bba2ba76aceb444f28b3b312b98a5a73df

Resubmissions

14/03/2024, 10:26

240314-mgrjcsbh52 10

14/03/2024, 10:25

240314-mfxc8ahe7z 10

Analysis

max time kernel
29s
max time network
41s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rino's Discord Account ToolKit/Rinos_Discord_Account_ToolKit.exe
Size

4.3MB
MD5

a7553cc8ad2b91025f5bfb532090d2b6
SHA1

5326aeb29d57118faaad3af9946584b87ad7f0d0
SHA256

6aeee8b13c11c4157a2a92a38270c30af85fb060e5ccf3ef54994d2c3a1cf5b4
SHA512

1a62dec71262fcf6561cf6ea615f9cb0a4d9d495e8759ab62b5980f6ad4211effce2e3f0726e69afb55441999e264ea25512db0e6d584d4c7e3c949429c9b81c
SSDEEP

98304:XIPanxb7sGW9NcEJn5kKxGOd82SqTxaA/XjOqC1kIq9o8ha:Ys7sGqNcLGGOJSeV7L9o

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

Attributes

install_file
game.exe

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral19/files/0x0002000000022875-7.dat	family_xworm
behavioral19/files/0x0002000000022875-15.dat	family_xworm
behavioral19/memory/4532-16-0x0000024DDEE50000-0x0000024DDEEA0000-memory.dmp	family_xworm
behavioral19/memory/4532-39-0x0000024DDF230000-0x0000024DDF244000-memory.dmp	family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4532 created 616	4532	IntelCpHDCPSvc.exe	5

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation	Rinos_Discord_Account_ToolKit.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelCpHDCPSvc.exe	Rinos_Discord_Account_ToolKit.exe

Executes dropped EXE 2 IoCs

pid	Process
4532	IntelCpHDCPSvc.exe
216	Rino's Discord Account ToolKit.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4532 set thread context of 2924	4532	IntelCpHDCPSvc.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4532	IntelCpHDCPSvc.exe
2924	dllhost.exe
2924	dllhost.exe
2924	dllhost.exe
2924	dllhost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4532	IntelCpHDCPSvc.exe
Token: SeDebugPrivilege	4532	IntelCpHDCPSvc.exe
Token: SeDebugPrivilege	2924	dllhost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 4532	2940	Rinos_Discord_Account_ToolKit.exe	92
PID 2940 wrote to memory of 4532	2940	Rinos_Discord_Account_ToolKit.exe	92
PID 2940 wrote to memory of 216	2940	Rinos_Discord_Account_ToolKit.exe	93
PID 2940 wrote to memory of 216	2940	Rinos_Discord_Account_ToolKit.exe	93
PID 4532 wrote to memory of 2924	4532	IntelCpHDCPSvc.exe	94
PID 4532 wrote to memory of 2924	4532	IntelCpHDCPSvc.exe	94
PID 4532 wrote to memory of 2924	4532	IntelCpHDCPSvc.exe	94
PID 4532 wrote to memory of 2924	4532	IntelCpHDCPSvc.exe	94
PID 4532 wrote to memory of 2924	4532	IntelCpHDCPSvc.exe	94
PID 4532 wrote to memory of 2924	4532	IntelCpHDCPSvc.exe	94
PID 4532 wrote to memory of 2924	4532	IntelCpHDCPSvc.exe	94
PID 4532 wrote to memory of 2924	4532	IntelCpHDCPSvc.exe	94
PID 4532 wrote to memory of 2924	4532	IntelCpHDCPSvc.exe	94
PID 4532 wrote to memory of 2924	4532	IntelCpHDCPSvc.exe	94
PID 4532 wrote to memory of 2924	4532	IntelCpHDCPSvc.exe	94
PID 2924 wrote to memory of 616	2924	dllhost.exe	5
PID 2924 wrote to memory of 676	2924	dllhost.exe	7
PID 2924 wrote to memory of 952	2924	dllhost.exe	12
PID 676 wrote to memory of 2612	676	lsass.exe	47
PID 2924 wrote to memory of 60	2924	dllhost.exe	13
PID 2924 wrote to memory of 516	2924	dllhost.exe	14
PID 676 wrote to memory of 2612	676	lsass.exe	47
PID 676 wrote to memory of 2612	676	lsass.exe	47
PID 2924 wrote to memory of 896	2924	dllhost.exe	17

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:60
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{9a486edd-e12c-4e27-be36-f5340b97c035}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2924

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:896

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2612

C:\Users\Admin\AppData\Local\Temp\Rino's Discord Account ToolKit\Rinos_Discord_Account_ToolKit.exe
"C:\Users\Admin\AppData\Local\Temp\Rino's Discord Account ToolKit\Rinos_Discord_Account_ToolKit.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelCpHDCPSvc.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelCpHDCPSvc.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelCpHDCPSvc.exe'
    3⤵
    PID:2384
- C:\TOOLS\Rino's Discord Account ToolKit.exe
  "C:\TOOLS\Rino's Discord Account ToolKit.exe"
  2⤵
  - Executes dropped EXE
  PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\TOOLS\Rino's Discord Account ToolKit.exe

Filesize
576KB

MD5
e1986f736b8be3737681f0005a832080

SHA1
700b6b6fbf92cf08d1bc74c522a82851044cea18

SHA256
e0b8c9cc62e55f9f22f73006419c253bb7c8b0c3141c538951cd9090d0be5a82

SHA512
fc1f0c8c7241d24ba6658fa445b13c8f8a63de61e4ed7bffb24be3d2e0b8ad5c85361d98a0ed5d7849ba5ce69200685dba15556894076053cd1192493217ce92

Download Submit
C:\TOOLS\Rino's Discord Account ToolKit.exe

Filesize
1024KB

MD5
c83ebb6b6c1bb95db54421bd85ed5595

SHA1
44e8613b9fcf7aea8a422e32fd1d58658ddec865

SHA256
480c22be3aaa01ec6e10ced27c5d9a09149b84072f0ae6ed27598f78d8eacf92

SHA512
f3bc2af35ec3b2be820e60a417d65877c21d53940162c575cbbc0c3e1c9e2b76b12de2f26502b6b56f933e17d2048401278992455bce8237bc22b50225197867

Download Submit
C:\TOOLS\Rino's Discord Account ToolKit.exe

Filesize
320KB

MD5
9c4689e4c53e5a1f48617f0b2295eeea

SHA1
f2bde7d634bd3089d84347dff805086be96be856

SHA256
82ef70d433247e3eed696fbc3a4c279b3b25dbbab63f692c5809fdd61b67fa4e

SHA512
2f31d5f8d3dd66736c9fceb59ef3210b2c61a55d823d26caec78a6793f4a648ff3b97c5cff879268c23e2ba2ccd191675f794c1a209e62c7c1bf389c8a56c3ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yz40ltwm.mru.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelCpHDCPSvc.exe

Filesize
301KB

MD5
34613dee8aeb37cf39ea63ce5fdb47ea

SHA1
c0c5816551614719bb79b7fc5f0092f3c6e50f6f

SHA256
9a14d4f1fc797330557379e7fdec808cd3ef0ba5d372c02f8ce37a86b8bed214

SHA512
0d11526487843c62fe0edf3fbba413ac6c035e8b3ce8d47f878daf9ab39e45aae4d7108e4a1652da144b8af6c38c20df354fd34850df51943748f6c21e7f36e2

Download Submit
memory/60-70-0x000002338D400000-0x000002338D42A000-memory.dmp

Filesize
168KB

Download
memory/60-64-0x00007FFABF250000-0x00007FFABF260000-memory.dmp

Filesize
64KB

Download
memory/60-60-0x000002338D400000-0x000002338D42A000-memory.dmp

Filesize
168KB

Download
memory/216-42-0x0000018E72490000-0x0000018E72944000-memory.dmp

Filesize
4.7MB

Download
memory/216-99-0x0000018E59A80000-0x0000018E59A90000-memory.dmp

Filesize
64KB

Download
memory/216-98-0x00007FFAE0740000-0x00007FFAE1201000-memory.dmp

Filesize
10.8MB

Download
memory/216-36-0x0000018E57A10000-0x0000018E57E14000-memory.dmp

Filesize
4.0MB

Download
memory/216-105-0x0000018E59A80000-0x0000018E59A90000-memory.dmp

Filesize
64KB

Download
memory/216-34-0x00007FFAE0740000-0x00007FFAE1201000-memory.dmp

Filesize
10.8MB

Download
memory/216-40-0x0000018E59A80000-0x0000018E59A90000-memory.dmp

Filesize
64KB

Download
memory/516-72-0x0000023C11F70000-0x0000023C11F9A000-memory.dmp

Filesize
168KB

Download
memory/516-67-0x0000023C11F70000-0x0000023C11F9A000-memory.dmp

Filesize
168KB

Download
memory/516-69-0x00007FFABF250000-0x00007FFABF260000-memory.dmp

Filesize
64KB

Download
memory/616-107-0x0000028542800000-0x000002854282A000-memory.dmp

Filesize
168KB

Download
memory/616-48-0x00000285427D0000-0x00000285427F3000-memory.dmp

Filesize
140KB

Download
memory/616-57-0x00007FFAFF26F000-0x00007FFAFF270000-memory.dmp

Filesize
4KB

Download
memory/616-51-0x0000028542800000-0x000002854282A000-memory.dmp

Filesize
168KB

Download
memory/616-109-0x0000028542800000-0x000002854282A000-memory.dmp

Filesize
168KB

Download
memory/616-108-0x00007FFABF250000-0x00007FFABF260000-memory.dmp

Filesize
64KB

Download
memory/616-54-0x00007FFAFF26D000-0x00007FFAFF26E000-memory.dmp

Filesize
4KB

Download
memory/676-52-0x0000019B492F0000-0x0000019B4931A000-memory.dmp

Filesize
168KB

Download
memory/676-62-0x0000019B492F0000-0x0000019B4931A000-memory.dmp

Filesize
168KB

Download
memory/676-55-0x00007FFABF250000-0x00007FFABF260000-memory.dmp

Filesize
64KB

Download
memory/676-65-0x00007FFAFF26C000-0x00007FFAFF26D000-memory.dmp

Filesize
4KB

Download
memory/896-76-0x0000012D0B8B0000-0x0000012D0B8DA000-memory.dmp

Filesize
168KB

Download
memory/896-160-0x0000012D0B8B0000-0x0000012D0B8DA000-memory.dmp

Filesize
168KB

Download
memory/896-78-0x00007FFABF250000-0x00007FFABF260000-memory.dmp

Filesize
64KB

Download
memory/952-68-0x000001B5355F0000-0x000001B53561A000-memory.dmp

Filesize
168KB

Download
memory/952-59-0x000001B5355F0000-0x000001B53561A000-memory.dmp

Filesize
168KB

Download
memory/952-63-0x00007FFABF250000-0x00007FFABF260000-memory.dmp

Filesize
64KB

Download
memory/1084-83-0x00007FFABF250000-0x00007FFABF260000-memory.dmp

Filesize
64KB

Download
memory/1084-80-0x000001E173B40000-0x000001E173B6A000-memory.dmp

Filesize
168KB

Download
memory/1084-167-0x000001E173B40000-0x000001E173B6A000-memory.dmp

Filesize
168KB

Download
memory/1092-87-0x00007FFABF250000-0x00007FFABF260000-memory.dmp

Filesize
64KB

Download
memory/1092-84-0x000002A9B0460000-0x000002A9B048A000-memory.dmp

Filesize
168KB

Download
memory/1152-92-0x00007FFABF250000-0x00007FFABF260000-memory.dmp

Filesize
64KB

Download
memory/1152-97-0x00000247D2700000-0x00000247D272A000-memory.dmp

Filesize
168KB

Download
memory/1152-88-0x00000247D2700000-0x00000247D272A000-memory.dmp

Filesize
168KB

Download
memory/1180-91-0x00007FFABF250000-0x00007FFABF260000-memory.dmp

Filesize
64KB

Download
memory/1180-96-0x00000257F5340000-0x00000257F536A000-memory.dmp

Filesize
168KB

Download
memory/1180-89-0x00000257F5340000-0x00000257F536A000-memory.dmp

Filesize
168KB

Download
memory/1260-104-0x00007FFABF250000-0x00007FFABF260000-memory.dmp

Filesize
64KB

Download
memory/1260-103-0x00000271793D0000-0x00000271793FA000-memory.dmp

Filesize
168KB

Download
memory/1280-125-0x0000017716CC0000-0x0000017716CEA000-memory.dmp

Filesize
168KB

Download
memory/1280-115-0x0000017716CC0000-0x0000017716CEA000-memory.dmp

Filesize
168KB

Download
memory/1280-119-0x00007FFABF250000-0x00007FFABF260000-memory.dmp

Filesize
64KB

Download
memory/1308-129-0x000001EA6C970000-0x000001EA6C99A000-memory.dmp

Filesize
168KB

Download
memory/1308-120-0x00007FFABF250000-0x00007FFABF260000-memory.dmp

Filesize
64KB

Download
memory/1308-116-0x000001EA6C970000-0x000001EA6C99A000-memory.dmp

Filesize
168KB

Download
memory/1468-143-0x000001CA52FA0000-0x000001CA52FCA000-memory.dmp

Filesize
168KB

Download
memory/1468-124-0x000001CA52FA0000-0x000001CA52FCA000-memory.dmp

Filesize
168KB

Download
memory/1476-155-0x000002256EF90000-0x000002256EFBA000-memory.dmp

Filesize
168KB

Download
memory/1492-148-0x000001A55D650000-0x000001A55D67A000-memory.dmp

Filesize
168KB

Download
memory/1500-162-0x0000017D036F0000-0x0000017D0371A000-memory.dmp

Filesize
168KB

Download
memory/1632-152-0x000001FC520D0000-0x000001FC520FA000-memory.dmp

Filesize
168KB

Download
memory/1668-164-0x000001AA43360000-0x000001AA4338A000-memory.dmp

Filesize
168KB

Download
memory/1708-171-0x0000027305390000-0x00000273053BA000-memory.dmp

Filesize
168KB

Download
memory/2384-114-0x00007FFAE0740000-0x00007FFAE1201000-memory.dmp

Filesize
10.8MB

Download
memory/2384-121-0x0000023EDB8C0000-0x0000023EDB8D0000-memory.dmp

Filesize
64KB

Download
memory/2384-117-0x0000023EDB8C0000-0x0000023EDB8D0000-memory.dmp

Filesize
64KB

Download
memory/2924-37-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2924-45-0x00007FFAFDC30000-0x00007FFAFDCEE000-memory.dmp

Filesize
760KB

Download
memory/2924-46-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2924-38-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2924-41-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2924-44-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2924-43-0x00007FFAFF1D0000-0x00007FFAFF3C5000-memory.dmp

Filesize
2.0MB

Download
memory/2940-1-0x00007FFAE0740000-0x00007FFAE1201000-memory.dmp

Filesize
10.8MB

Download
memory/2940-0-0x0000000000010000-0x0000000000460000-memory.dmp

Filesize
4.3MB

Download
memory/2940-2-0x000000001B220000-0x000000001B230000-memory.dmp

Filesize
64KB

Download
memory/2940-33-0x00007FFAE0740000-0x00007FFAE1201000-memory.dmp

Filesize
10.8MB

Download
memory/4532-21-0x0000024DDF2A0000-0x0000024DDF2DE000-memory.dmp

Filesize
248KB

Download
memory/4532-93-0x00007FFAE0740000-0x00007FFAE1201000-memory.dmp

Filesize
10.8MB

Download
memory/4532-101-0x0000024DF96A0000-0x0000024DF96B0000-memory.dmp

Filesize
64KB

Download
memory/4532-17-0x00007FFAE0740000-0x00007FFAE1201000-memory.dmp

Filesize
10.8MB

Download
memory/4532-16-0x0000024DDEE50000-0x0000024DDEEA0000-memory.dmp

Filesize
320KB

Download
memory/4532-30-0x00007FFAFF1D0000-0x00007FFAFF3C5000-memory.dmp

Filesize
2.0MB

Download
memory/4532-39-0x0000024DDF230000-0x0000024DDF244000-memory.dmp

Filesize
80KB

Download
memory/4532-32-0x00007FFAFDC30000-0x00007FFAFDCEE000-memory.dmp

Filesize
760KB

Download
memory/4532-35-0x0000024DF96A0000-0x0000024DF96B0000-memory.dmp

Filesize
64KB

Download