Analysis Overview
SHA256: a8a87fd10b2ec331e92792626073a6d42a9844663b80c680bfb8fabd27ccbcf9
Threat Level: Known bad
The file discord updater.exe was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm family
Xworm
Drops startup file
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Looks up external IP address via web service
Enumerates physical storage devices
Unsigned PE
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-01 07:08
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-01 07:08
Reported: 2024-06-01 07:14
Platform: win7-20240215-en
Max time kernel: 276s
Max time network: 286s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord updater.lnk | C:\Users\Admin\AppData\Local\Temp\discord updater.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord updater.lnk | C:\Users\Admin\AppData\Local\Temp\discord updater.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\discord updater = "C:\\Users\\Admin\\AppData\\Roaming\\discord updater" | C:\Users\Admin\AppData\Local\Temp\discord updater.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\discord updater.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\discord updater.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\discord updater.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\discord updater.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1728 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\discord updater.exe | C:\Windows\System32\schtasks.exe |
| PID 1728 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\discord updater.exe | C:\Windows\System32\schtasks.exe |
| PID 1728 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\discord updater.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\discord updater.exe
"C:\Users\Admin\AppData\Local\Temp\discord updater.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "discord updater" /tr "C:\Users\Admin\AppData\Roaming\discord updater"
C:\Windows\system32\taskeng.exe
taskeng.exe {9096D9FF-B294-4693-8850-4DC4021ED937} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/1728-0-0x000007FEF5B33000-0x000007FEF5B34000-memory.dmp
memory/1728-1-0x0000000000A00000-0x0000000000A10000-memory.dmp
memory/1728-2-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp
memory/1728-6-0x000007FEF5B33000-0x000007FEF5B34000-memory.dmp
memory/1728-7-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-01 07:08
Reported: 2024-06-01 07:14
Platform: win10v2004-20240508-en
Max time kernel: 298s
Max time network: 300s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\discord updater.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord updater.lnk | C:\Users\Admin\AppData\Local\Temp\discord updater.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord updater.lnk | C:\Users\Admin\AppData\Local\Temp\discord updater.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\discord updater | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\discord updater | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\discord updater | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\discord updater | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\discord updater | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\discord updater = "C:\\Users\\Admin\\AppData\\Roaming\\discord updater" | C:\Users\Admin\AppData\Local\Temp\discord updater.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\discord updater.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\discord updater.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\discord updater.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\discord updater | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\discord updater | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\discord updater | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\discord updater | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\discord updater | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\discord updater.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3872 wrote to memory of 404 | N/A | C:\Users\Admin\AppData\Local\Temp\discord updater.exe | C:\Windows\System32\schtasks.exe |
| PID 3872 wrote to memory of 404 | N/A | C:\Users\Admin\AppData\Local\Temp\discord updater.exe | C:\Windows\System32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\discord updater.exe
"C:\Users\Admin\AppData\Local\Temp\discord updater.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "discord updater" /tr "C:\Users\Admin\AppData\Roaming\discord updater"
C:\Users\Admin\AppData\Roaming\discord updater
"C:\Users\Admin\AppData\Roaming\discord updater"
C:\Users\Admin\AppData\Roaming\discord updater
"C:\Users\Admin\AppData\Roaming\discord updater"
C:\Users\Admin\AppData\Roaming\discord updater
"C:\Users\Admin\AppData\Roaming\discord updater"
C:\Users\Admin\AppData\Roaming\discord updater
"C:\Users\Admin\AppData\Roaming\discord updater"
C:\Users\Admin\AppData\Roaming\discord updater
"C:\Users\Admin\AppData\Roaming\discord updater"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/3872-0-0x00007FF800FD3000-0x00007FF800FD5000-memory.dmp
memory/3872-1-0x00000000001F0000-0x0000000000200000-memory.dmp
memory/3872-2-0x00007FF800FD0000-0x00007FF801A91000-memory.dmp
memory/3872-6-0x00007FF800FD3000-0x00007FF800FD5000-memory.dmp
memory/3872-7-0x00007FF800FD0000-0x00007FF801A91000-memory.dmp
C:\Users\Admin\AppData\Roaming\discord updater
| Hash | Value |
| --- | --- |
| MD5 | 52cb1586ef4a1d08648d2c3deb2dba93 |
| SHA1 | 24ffbd5cbb9ab104c95d60c0c7bc3cc209552ac5 |
| SHA256 | a8a87fd10b2ec331e92792626073a6d42a9844663b80c680bfb8fabd27ccbcf9 |
| SHA512 | d740049efd0eb697577481c0b52aaf8e588a574f40c620c0bd26dc0bbbabf98642d85c22b042555f965004f1c6f88e35cd94d7be4409f05bffe1ca7cff31a390 |
memory/4552-10-0x00007FF800FD0000-0x00007FF801A91000-memory.dmp
memory/4552-13-0x00007FF800FD0000-0x00007FF801A91000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\discord updater.log
| Hash | Value |
| --- | --- |
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |