xworm | 4b14895a45058c34fb029d0b867412bba2ba76aceb444f28b3b312b98a5a73df

Resubmissions

14/03/2024, 10:26

240314-mgrjcsbh52 10

14/03/2024, 10:25

240314-mfxc8ahe7z 10

Analysis

max time kernel
118s
max time network
306s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rino's Discord Account ToolKit/Rinos_Discord_Account_ToolKit.exe
Size

4.3MB
MD5

a7553cc8ad2b91025f5bfb532090d2b6
SHA1

5326aeb29d57118faaad3af9946584b87ad7f0d0
SHA256

6aeee8b13c11c4157a2a92a38270c30af85fb060e5ccf3ef54994d2c3a1cf5b4
SHA512

1a62dec71262fcf6561cf6ea615f9cb0a4d9d495e8759ab62b5980f6ad4211effce2e3f0726e69afb55441999e264ea25512db0e6d584d4c7e3c949429c9b81c
SSDEEP

98304:XIPanxb7sGW9NcEJn5kKxGOd82SqTxaA/XjOqC1kIq9o8ha:Ys7sGqNcLGGOJSeV7L9o

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

Attributes

install_file
game.exe

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral4/files/0x0009000000014738-7.dat	family_xworm
behavioral4/memory/2860-9-0x000000013F6D0000-0x000000013F720000-memory.dmp	family_xworm
behavioral4/memory/2860-32-0x0000000000800000-0x0000000000814000-memory.dmp	family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2860 created 424	2860	IntelCpHDCPSvc.exe	5

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelCpHDCPSvc.exe	Rinos_Discord_Account_ToolKit.exe

Executes dropped EXE 2 IoCs

pid	Process
2860	IntelCpHDCPSvc.exe
2484	Rino's Discord Account ToolKit.exe

Loads dropped DLL 1 IoCs

pid	Process
640	Rinos_Discord_Account_ToolKit.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2860 set thread context of 2616	2860	IntelCpHDCPSvc.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	IntelCpHDCPSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	IntelCpHDCPSvc.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2860	IntelCpHDCPSvc.exe
2616	dllhost.exe
2616	dllhost.exe
2372	powershell.exe
1664	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	IntelCpHDCPSvc.exe
Token: SeDebugPrivilege	2860	IntelCpHDCPSvc.exe
Token: SeDebugPrivilege	2616	dllhost.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 2860	640	Rinos_Discord_Account_ToolKit.exe	28
PID 640 wrote to memory of 2860	640	Rinos_Discord_Account_ToolKit.exe	28
PID 640 wrote to memory of 2860	640	Rinos_Discord_Account_ToolKit.exe	28
PID 640 wrote to memory of 2484	640	Rinos_Discord_Account_ToolKit.exe	29
PID 640 wrote to memory of 2484	640	Rinos_Discord_Account_ToolKit.exe	29
PID 640 wrote to memory of 2484	640	Rinos_Discord_Account_ToolKit.exe	29
PID 2860 wrote to memory of 2616	2860	IntelCpHDCPSvc.exe	30
PID 2860 wrote to memory of 2616	2860	IntelCpHDCPSvc.exe	30
PID 2860 wrote to memory of 2616	2860	IntelCpHDCPSvc.exe	30
PID 2860 wrote to memory of 2616	2860	IntelCpHDCPSvc.exe	30
PID 2860 wrote to memory of 2616	2860	IntelCpHDCPSvc.exe	30
PID 2860 wrote to memory of 2616	2860	IntelCpHDCPSvc.exe	30
PID 2860 wrote to memory of 2616	2860	IntelCpHDCPSvc.exe	30
PID 2860 wrote to memory of 2616	2860	IntelCpHDCPSvc.exe	30
PID 2860 wrote to memory of 2616	2860	IntelCpHDCPSvc.exe	30
PID 2860 wrote to memory of 2616	2860	IntelCpHDCPSvc.exe	30
PID 2860 wrote to memory of 2616	2860	IntelCpHDCPSvc.exe	30
PID 2860 wrote to memory of 2616	2860	IntelCpHDCPSvc.exe	30
PID 2860 wrote to memory of 2372	2860	IntelCpHDCPSvc.exe	31
PID 2860 wrote to memory of 2372	2860	IntelCpHDCPSvc.exe	31
PID 2860 wrote to memory of 2372	2860	IntelCpHDCPSvc.exe	31
PID 2860 wrote to memory of 1664	2860	IntelCpHDCPSvc.exe	33
PID 2860 wrote to memory of 1664	2860	IntelCpHDCPSvc.exe	33
PID 2860 wrote to memory of 1664	2860	IntelCpHDCPSvc.exe	33

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d8e2fd8d-cc80-422d-9c25-d074e476b539}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2616

C:\Users\Admin\AppData\Local\Temp\Rino's Discord Account ToolKit\Rinos_Discord_Account_ToolKit.exe
"C:\Users\Admin\AppData\Local\Temp\Rino's Discord Account ToolKit\Rinos_Discord_Account_ToolKit.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:640
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelCpHDCPSvc.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelCpHDCPSvc.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelCpHDCPSvc.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2372
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'IntelCpHDCPSvc.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1664
- C:\TOOLS\Rino's Discord Account ToolKit.exe
  "C:\TOOLS\Rino's Discord Account ToolKit.exe"
  2⤵
  - Executes dropped EXE
  PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\TOOLS\Rino's Discord Account ToolKit.exe

Filesize
1.2MB

MD5
1171e21cb134bbb7f12ae3e6140074fe

SHA1
7f882104470545ee1fe2adddc83dc971e42f8968

SHA256
4305eea2c9577597fe5e9799585ab6567b89219191ffc246775a7aad2414f276

SHA512
b68485534fedc29b6f7a4ad4f8e808694cefa662951e9043760e6eef184ec92b31c9933a1be3e5aa88c78b3a5ea5a0eb46cc0fc4d126e3cd09b0184c75de010d

Download Submit
C:\TOOLS\Rino's Discord Account ToolKit.exe

Filesize
1.2MB

MD5
a9b8c6b4b50b65014dcc0246f450d4db

SHA1
ec2579aed806f2eb3e0d5899139145534b014e89

SHA256
6568eb9ebab395c8e6a01995c0431ee367712784bf018018ee86ce40be4386b8

SHA512
07e8bd7399f82bde5f0c02fbf7709c067999077415dfdb6ceb859cabe6f62e1cc973371d27955bf728dbb7fc556b61c9d02193700e2f83aad8cac8bab2264ff4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3S19USJ1NX92CKNDOGVC.temp

Filesize
7KB

MD5
1f79c138874afc33d769e1f19e92b926

SHA1
e6897a2c57b7dfb87ae7327848b0432a2bb5b55a

SHA256
8488bb33d5f9d13ba32dee99bbf7c7f4596083d180749f787d22198f2d017221

SHA512
58bc143261729cb8ae293b8a211a07fd2b6a2d719538f30e2ae1d1676016424566a1c4d745e7538a19b8a2ebd81c4ede1e3100ed57512fae15e5a265f5b269b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelCpHDCPSvc.exe

Filesize
301KB

MD5
34613dee8aeb37cf39ea63ce5fdb47ea

SHA1
c0c5816551614719bb79b7fc5f0092f3c6e50f6f

SHA256
9a14d4f1fc797330557379e7fdec808cd3ef0ba5d372c02f8ce37a86b8bed214

SHA512
0d11526487843c62fe0edf3fbba413ac6c035e8b3ce8d47f878daf9ab39e45aae4d7108e4a1652da144b8af6c38c20df354fd34850df51943748f6c21e7f36e2

Download Submit
memory/640-1-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/640-2-0x000000001AC90000-0x000000001AD10000-memory.dmp

Filesize
512KB

Download
memory/640-0-0x00000000002A0000-0x00000000006F0000-memory.dmp

Filesize
4.3MB

Download
memory/640-17-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/1664-62-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/1664-65-0x000007FEECB80000-0x000007FEED51D000-memory.dmp

Filesize
9.6MB

Download
memory/1664-61-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/1664-63-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/1664-67-0x0000000002A60000-0x0000000002AE0000-memory.dmp

Filesize
512KB

Download
memory/1664-60-0x000007FEECB80000-0x000007FEED51D000-memory.dmp

Filesize
9.6MB

Download
memory/1664-59-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/1664-58-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

Filesize
2.9MB

Download
memory/1664-68-0x000007FEECB80000-0x000007FEED51D000-memory.dmp

Filesize
9.6MB

Download
memory/2372-52-0x000007FEED520000-0x000007FEEDEBD000-memory.dmp

Filesize
9.6MB

Download
memory/2372-51-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2372-48-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2372-47-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2372-46-0x000007FEED520000-0x000007FEEDEBD000-memory.dmp

Filesize
9.6MB

Download
memory/2372-45-0x0000000002A70000-0x0000000002AF0000-memory.dmp

Filesize
512KB

Download
memory/2372-44-0x000007FEED520000-0x000007FEEDEBD000-memory.dmp

Filesize
9.6MB

Download
memory/2372-43-0x00000000025F0000-0x00000000025F8000-memory.dmp

Filesize
32KB

Download
memory/2372-42-0x000000001B390000-0x000000001B672000-memory.dmp

Filesize
2.9MB

Download
memory/2484-37-0x0000000000B50000-0x0000000000BD0000-memory.dmp

Filesize
512KB

Download
memory/2484-18-0x0000000001280000-0x0000000001684000-memory.dmp

Filesize
4.0MB

Download
memory/2484-35-0x0000000000B50000-0x0000000000BD0000-memory.dmp

Filesize
512KB

Download
memory/2484-34-0x000000001B7D0000-0x000000001BC84000-memory.dmp

Filesize
4.7MB

Download
memory/2484-33-0x0000000000B50000-0x0000000000BD0000-memory.dmp

Filesize
512KB

Download
memory/2484-72-0x0000000000B50000-0x0000000000BD0000-memory.dmp

Filesize
512KB

Download
memory/2484-71-0x0000000000B50000-0x0000000000BD0000-memory.dmp

Filesize
512KB

Download
memory/2484-70-0x0000000000B50000-0x0000000000BD0000-memory.dmp

Filesize
512KB

Download
memory/2484-49-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-16-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2616-24-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2616-29-0x00000000775E0000-0x00000000776FF000-memory.dmp

Filesize
1.1MB

Download
memory/2616-26-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2616-30-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2616-28-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2616-69-0x0000000077800000-0x00000000779A9000-memory.dmp

Filesize
1.7MB

Download
memory/2616-27-0x0000000077800000-0x00000000779A9000-memory.dmp

Filesize
1.7MB

Download
memory/2860-64-0x00000000775E0000-0x00000000776FF000-memory.dmp

Filesize
1.1MB

Download
memory/2860-19-0x0000000000750000-0x000000000078E000-memory.dmp

Filesize
248KB

Download
memory/2860-21-0x0000000077800000-0x00000000779A9000-memory.dmp

Filesize
1.7MB

Download
memory/2860-50-0x0000000077800000-0x00000000779A9000-memory.dmp

Filesize
1.7MB

Download
memory/2860-66-0x000000001C000000-0x000000001C080000-memory.dmp

Filesize
512KB

Download
memory/2860-14-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2860-9-0x000000013F6D0000-0x000000013F720000-memory.dmp

Filesize
320KB

Download
memory/2860-22-0x00000000775E0000-0x00000000776FF000-memory.dmp

Filesize
1.1MB

Download
memory/2860-23-0x000000001C000000-0x000000001C080000-memory.dmp

Filesize
512KB

Download
memory/2860-36-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2860-32-0x0000000000800000-0x0000000000814000-memory.dmp

Filesize
80KB

Download