Analysis
max time kernel
118s
max time network
306s
platform
windows7_x64
resource
win7-20240221-en
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted
14/03/2024, 10:26
Behavioral task
behavioral1
Sample
Rino's Discord Account ToolKit/Rino's Discord Acount toolkit.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
Rino's Discord Account ToolKit/Rino's Discord Acount toolkit.exe
Resource
win10-20240214-en
Behavioral task
behavioral3
Sample
Rino's Discord Account ToolKit/Rino's Discord Acount toolkit.exe
Resource
win11-20240221-en
Behavioral task
behavioral4
Sample
Rino's Discord Account ToolKit/Rinos_Discord_Account_ToolKit.exe
Resource
win7-20240221-en
Behavioral task
behavioral5
Sample
Rino's Discord Account ToolKit/Rinos_Discord_Account_ToolKit.exe
Resource
win10-20240221-en
General
-
Target
Rino's Discord Account ToolKit/Rinos_Discord_Account_ToolKit.exe
-
Size
4.3MB
-
MD5
a7553cc8ad2b91025f5bfb532090d2b6
-
SHA1
5326aeb29d57118faaad3af9946584b87ad7f0d0
-
SHA256
6aeee8b13c11c4157a2a92a38270c30af85fb060e5ccf3ef54994d2c3a1cf5b4
-
SHA512
1a62dec71262fcf6561cf6ea615f9cb0a4d9d495e8759ab62b5980f6ad4211effce2e3f0726e69afb55441999e264ea25512db0e6d584d4c7e3c949429c9b81c
-
SSDEEP
98304:XIPanxb7sGW9NcEJn5kKxGOd82SqTxaA/XjOqC1kIq9o8ha:Ys7sGqNcLGGOJSeV7L9o
Malware Config
Extracted
xworm
3.1
-
install_file
game.exe
Signatures
-
Detect Xworm Payload 3 IoCs
resource: behavioral4/files/0x0009000000014738-7.dat  yara_rule: family_xworm
resource: behavioral4/memory/2860-9-0x000000013F6D0000-0x000000013F720000-memory.dmp  yara_rule: family_xworm
resource: behavioral4/memory/2860-32-0x0000000000800000-0x0000000000814000-memory.dmp  yara_rule: family_xworm
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description: PID 2860 created 424  pid: 2860  Process: IntelCpHDCPSvc.exe  procid_target: 5
Drops startup file 1 IoCs
description: File created  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelCpHDCPSvc.exe  Process: Rinos_Discord_Account_ToolKit.exe
Executes dropped EXE 2 IoCs
pid: 2860  Process: IntelCpHDCPSvc.exe
pid: 2484  Process: Rino's Discord Account ToolKit.exe
Loads dropped DLL 1 IoCs
pid: 640  Process: Rinos_Discord_Account_ToolKit.exe
Suspicious use of SetThreadContext 1 IoCs
description: PID 2860 set thread context of 2616  pid: 2860  Process: IntelCpHDCPSvc.exe  procid_target: 30
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies system certificate store
(The thumbprint CABD2A79A1076A31F21D253635CB039D4329A5E8 and the subject bytes inside the Blob below decode to "ISRG Root X1" / "Internet Security Research Group", the public Let's Encrypt root certificate. These two registry events are therefore consistent with Windows caching a trusted public root into the machine ROOT store during TLS use by the process, not with an attacker-controlled certificate being installed; the behaviour is still worth recording because it ties the process to outbound TLS activity.)
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 IntelCpHDCPSvc.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3c
a74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 IntelCpHDCPSvc.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid: 2860  Process: IntelCpHDCPSvc.exe
pid: 2616  Process: dllhost.exe
pid: 2616  Process: dllhost.exe
pid: 2372  Process: powershell.exe
pid: 1664  Process: powershell.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
description: Token: SeDebugPrivilege  pid: 2860  Process: IntelCpHDCPSvc.exe
description: Token: SeDebugPrivilege  pid: 2860  Process: IntelCpHDCPSvc.exe
description: Token: SeDebugPrivilege  pid: 2616  Process: dllhost.exe
description: Token: SeDebugPrivilege  pid: 2372  Process: powershell.exe
description: Token: SeDebugPrivilege  pid: 1664  Process: powershell.exe
Suspicious use of WriteProcessMemory 24 IoCs
description: PID 640 wrote to memory of 2860  pid: 640  Process: Rinos_Discord_Account_ToolKit.exe  procid_target: 28
description: PID 640 wrote to memory of 2860  pid: 640  Process: Rinos_Discord_Account_ToolKit.exe  procid_target: 28
description: PID 640 wrote to memory of 2860  pid: 640  Process: Rinos_Discord_Account_ToolKit.exe  procid_target: 28
description: PID 640 wrote to memory of 2484  pid: 640  Process: Rinos_Discord_Account_ToolKit.exe  procid_target: 29
description: PID 640 wrote to memory of 2484  pid: 640  Process: Rinos_Discord_Account_ToolKit.exe  procid_target: 29
description: PID 640 wrote to memory of 2484  pid: 640  Process: Rinos_Discord_Account_ToolKit.exe  procid_target: 29
description: PID 2860 wrote to memory of 2616  pid: 2860  Process: IntelCpHDCPSvc.exe  procid_target: 30
description: PID 2860 wrote to memory of 2616  pid: 2860  Process: IntelCpHDCPSvc.exe  procid_target: 30
description: PID 2860 wrote to memory of 2616  pid: 2860  Process: IntelCpHDCPSvc.exe  procid_target: 30
description: PID 2860 wrote to memory of 2616  pid: 2860  Process: IntelCpHDCPSvc.exe  procid_target: 30
description: PID 2860 wrote to memory of 2616  pid: 2860  Process: IntelCpHDCPSvc.exe  procid_target: 30
description: PID 2860 wrote to memory of 2616  pid: 2860  Process: IntelCpHDCPSvc.exe  procid_target: 30
description: PID 2860 wrote to memory of 2616  pid: 2860  Process: IntelCpHDCPSvc.exe  procid_target: 30
description: PID 2860 wrote to memory of 2616  pid: 2860  Process: IntelCpHDCPSvc.exe  procid_target: 30
description: PID 2860 wrote to memory of 2616  pid: 2860  Process: IntelCpHDCPSvc.exe  procid_target: 30
description: PID 2860 wrote to memory of 2616  pid: 2860  Process: IntelCpHDCPSvc.exe  procid_target: 30
description: PID 2860 wrote to memory of 2616  pid: 2860  Process: IntelCpHDCPSvc.exe  procid_target: 30
description: PID 2860 wrote to memory of 2616  pid: 2860  Process: IntelCpHDCPSvc.exe  procid_target: 30
description: PID 2860 wrote to memory of 2372  pid: 2860  Process: IntelCpHDCPSvc.exe  procid_target: 31
description: PID 2860 wrote to memory of 2372  pid: 2860  Process: IntelCpHDCPSvc.exe  procid_target: 31
description: PID 2860 wrote to memory of 2372  pid: 2860  Process: IntelCpHDCPSvc.exe  procid_target: 31
description: PID 2860 wrote to memory of 1664  pid: 2860  Process: IntelCpHDCPSvc.exe  procid_target: 33
description: PID 2860 wrote to memory of 1664  pid: 2860  Process: IntelCpHDCPSvc.exe  procid_target: 33
description: PID 2860 wrote to memory of 1664  pid: 2860  Process: IntelCpHDCPSvc.exe  procid_target: 33
Processes
C:\Windows\system32\winlogon.exe
  command line: winlogon.exe
  PID: 424
    C:\Windows\System32\dllhost.exe
      command line: C:\Windows\System32\dllhost.exe /Processid:{d8e2fd8d-cc80-422d-9c25-d074e476b539}
      PID: 2616
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\Rino's Discord Account ToolKit\Rinos_Discord_Account_ToolKit.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Rino's Discord Account ToolKit\Rinos_Discord_Account_ToolKit.exe"
  PID: 640
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelCpHDCPSvc.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelCpHDCPSvc.exe"
      PID: 2860
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelCpHDCPSvc.exe'
          PID: 2372
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'IntelCpHDCPSvc.exe'
          PID: 1664
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    C:\TOOLS\Rino's Discord Account ToolKit.exe
      command line: "C:\TOOLS\Rino's Discord Account ToolKit.exe"
      PID: 2484
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1.2MB
MD5: 1171e21cb134bbb7f12ae3e6140074fe
SHA1: 7f882104470545ee1fe2adddc83dc971e42f8968
SHA256: 4305eea2c9577597fe5e9799585ab6567b89219191ffc246775a7aad2414f276
SHA512: b68485534fedc29b6f7a4ad4f8e808694cefa662951e9043760e6eef184ec92b31c9933a1be3e5aa88c78b3a5ea5a0eb46cc0fc4d126e3cd09b0184c75de010d
-
Filesize: 1.2MB
MD5: a9b8c6b4b50b65014dcc0246f450d4db
SHA1: ec2579aed806f2eb3e0d5899139145534b014e89
SHA256: 6568eb9ebab395c8e6a01995c0431ee367712784bf018018ee86ce40be4386b8
SHA512: 07e8bd7399f82bde5f0c02fbf7709c067999077415dfdb6ceb859cabe6f62e1cc973371d27955bf728dbb7fc556b61c9d02193700e2f83aad8cac8bab2264ff4
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3S19USJ1NX92CKNDOGVC.temp
Filesize: 7KB
MD5: 1f79c138874afc33d769e1f19e92b926
SHA1: e6897a2c57b7dfb87ae7327848b0432a2bb5b55a
SHA256: 8488bb33d5f9d13ba32dee99bbf7c7f4596083d180749f787d22198f2d017221
SHA512: 58bc143261729cb8ae293b8a211a07fd2b6a2d719538f30e2ae1d1676016424566a1c4d745e7538a19b8a2ebd81c4ede1e3100ed57512fae15e5a265f5b269b9
-
Filesize: 301KB
MD5: 34613dee8aeb37cf39ea63ce5fdb47ea
SHA1: c0c5816551614719bb79b7fc5f0092f3c6e50f6f
SHA256: 9a14d4f1fc797330557379e7fdec808cd3ef0ba5d372c02f8ce37a86b8bed214
SHA512: 0d11526487843c62fe0edf3fbba413ac6c035e8b3ce8d47f878daf9ab39e45aae4d7108e4a1652da144b8af6c38c20df354fd34850df51943748f6c21e7f36e2