Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://cdn.discorda...

windows10-2004-x64

10

Analysis

  • max time kernel
    29s
  • max time network
    29s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-01-2025 12:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://cdn.discordapp.com/attachments/1301997451787636836/1332431194129961050/svchost.rar?ex=6795e380&is=67949200&hm=41a82d7a2ca2df9b24f69c7eaba51d5699d4536bad94fa6a1bcb4b84e060768e&

Score
10/10
xwormdiscoveryexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

3.0

Mutex

DxjlFF3yhb2dInDl

Attributes
  • Install_directory

    %Public%

  • install_file

    USB.exe

  • pastebin_url

    https://pastebin.com/raw/pv132qGS

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1301997451787636836/1332431194129961050/svchost.rar?ex=6795e380&is=67949200&hm=41a82d7a2ca2df9b24f69c7eaba51d5699d4536bad94fa6a1bcb4b84e060768e&
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1764
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffad15346f8,0x7ffad1534708,0x7ffad1534718
      2⤵
        PID:2672
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,9568658898366711461,15562343837129055811,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
        2⤵
          PID:2676
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,9568658898366711461,15562343837129055811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4756
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,9568658898366711461,15562343837129055811,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
          2⤵
            PID:2708
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9568658898366711461,15562343837129055811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
            2⤵
              PID:3184
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9568658898366711461,15562343837129055811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
              2⤵
                PID:1416
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,9568658898366711461,15562343837129055811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 /prefetch:8
                2⤵
                  PID:1568
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,9568658898366711461,15562343837129055811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:668
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,9568658898366711461,15562343837129055811,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5136 /prefetch:8
                  2⤵
                    PID:4320
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9568658898366711461,15562343837129055811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
                    2⤵
                      PID:364
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,9568658898366711461,15562343837129055811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:376
                  • C:\Windows\System32\CompPkgSrv.exe
                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                    1⤵
                      PID:3128
                    • C:\Windows\System32\CompPkgSrv.exe
                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                      1⤵
                        PID:5056
                      • C:\Windows\System32\rundll32.exe
                        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                        1⤵
                          PID:4844
                        • C:\Program Files\7-Zip\7zG.exe
                          "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap325:76:7zEvent1833
                          1⤵
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of FindShellTrayWindow
                          PID:1800
                        • C:\Users\Admin\Downloads\svchost.exe
                          "C:\Users\Admin\Downloads\svchost.exe"
                          1⤵
                          • Checks computer location settings
                          • Drops startup file
                          • Executes dropped EXE
                          • Adds Run key to start application
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2424
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\svchost.exe'
                            2⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2952
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
                            2⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4932
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\svchost.exe'
                            2⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3128
                        • C:\Users\Admin\Downloads\svchost.exe
                          "C:\Users\Admin\Downloads\svchost.exe"
                          1⤵
                          • Executes dropped EXE
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3556

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                          Filesize

                          2KB

                          MD5

                          d85ba6ff808d9e5444a4b369f5bc2730

                          SHA1

                          31aa9d96590fff6981b315e0b391b575e4c0804a

                          SHA256

                          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                          SHA512

                          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                          Filesize

                          152B

                          MD5

                          8749e21d9d0a17dac32d5aa2027f7a75

                          SHA1

                          a5d555f8b035c7938a4a864e89218c0402ab7cde

                          SHA256

                          915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

                          SHA512

                          c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                          Filesize

                          152B

                          MD5

                          34d2c4f40f47672ecdf6f66fea242f4a

                          SHA1

                          4bcad62542aeb44cae38a907d8b5a8604115ada2

                          SHA256

                          b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

                          SHA512

                          50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                          Filesize

                          5KB

                          MD5

                          e506a8cac2e171bf613aa6f651ea55f9

                          SHA1

                          1907a7c10c7895855da371c758f35107f8efaf6c

                          SHA256

                          2de093dd002c619d462a738d699015c520b4bc108551d9c58cbc6685c5938996

                          SHA512

                          908036939f3493fcf4a7ded5dbd1a1bb97e801e07a21de1b018ae577794e75e7ef52c23d6407ea58651d8a7be425443a50eef594c3b313ece3ca371010406822

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                          Filesize

                          6KB

                          MD5

                          acca3aaeeafa5538afbcb0c7896f4125

                          SHA1

                          b315eeae0188f3d04ae86d649332391343e5ec20

                          SHA256

                          23283cb88783ad259c1a1bb6a5560ab93ffa48240565d9e9a82a4fc09c3866a9

                          SHA512

                          656c1bd601b05d8fb3730363212cd5992a699feaeefb872e286aad0956264642b44c5749ec7fb083f47a05fa5f0cd77e0cf0e09f51c6f14e88a06f8aa49fa0e3

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                          Filesize

                          16B

                          MD5

                          6752a1d65b201c13b62ea44016eb221f

                          SHA1

                          58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                          SHA256

                          0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                          SHA512

                          9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                          Filesize

                          10KB

                          MD5

                          ca05d4bc40fbbded2662830ec2137633

                          SHA1

                          6f22a4875e2f7b7d3d0561bd0e992206b24a31cb

                          SHA256

                          18b5f73e17f9a76bf87ad7a140a1c1acd4cae40caead7911092fb7743363722f

                          SHA512

                          628a88973c21dae147c733002cf7f88d062fe479e9d8fb0662e76f8d2cf7e6d117487816a4260f2047f82746911d4f785568e61a9bc5a8a85b04c4ae2e4632f1

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                          Filesize

                          10KB

                          MD5

                          95817d1779002f545e224e11b7a37a29

                          SHA1

                          2d50cce2e06ac7088108e5bffe7a0df06ce81eca

                          SHA256

                          10160835c826a541eb6e415d77cd428b73f9b364bbbdd7e5c318097f1e783f97

                          SHA512

                          0e13b86882905901be4a407cb0943eec500759f826d5023853a9f94de42c2fe99241ca84f1ee547bd56d06de96e46810273baea4769087dc30385f381737766a

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          944B

                          MD5

                          77d622bb1a5b250869a3238b9bc1402b

                          SHA1

                          d47f4003c2554b9dfc4c16f22460b331886b191b

                          SHA256

                          f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

                          SHA512

                          d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          944B

                          MD5

                          bec9b2f587647112fd8f7649b017614e

                          SHA1

                          b7fbcff9eaa080e1aa7a4409b2e4e94413df9056

                          SHA256

                          3aaf0c1884db6704ec1729bf0042e5b8fbfe77415fa48b376ea24b49169f8b3f

                          SHA512

                          9d3e81a1c3b48839e98bcfc07c496e619930a61812db92efc05ef6a1f1f00e0c9bbd77657ba9904943407148b75ecf00013c5ba0d52d963745af2920834d45b7

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ie3clxxm.elk.ps1
                          Filesize

                          60B

                          MD5

                          d17fe0a3f47be24a6453e9ef58c94641

                          SHA1

                          6ab83620379fc69f80c0242105ddffd7d98d5d9d

                          SHA256

                          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                          SHA512

                          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                          Download Submit

                        • C:\Users\Admin\Downloads\svchost.exe
                          Filesize

                          37KB

                          MD5

                          3284294a10ec08e093a07287e0d45387

                          SHA1

                          ecd24a08604ec2f4c369d342d06492e48315b99c

                          SHA256

                          bf039bd5af60fe70d3b7c0e63084d616fb6c51b6e0a090819c48b0efcc258d5a

                          SHA512

                          bf0b3f658b33aae2d17b91d3c23c95444ae311f4db49c39a3fdc13bc8cdbe3f7eda2aa9debfc2bdccabc3b2a09e27fefba65a098a197583c37d76ad401ee9049

                          Download Submit

                        • C:\Users\Admin\Downloads\svchost.rar
                          Filesize

                          17KB

                          MD5

                          7b6b084ad2e6986b8dd1a34638f8a744

                          SHA1

                          db8d0d48dd49e14a8749df5c41df98ca23fa1c7a

                          SHA256

                          1a8aca68ad5e7986bb28efb5fb31388cd417659927d8352ab54d72b9abe27ad1

                          SHA512

                          1432920b7e5528056a97569b51c26140cdec3fb21c81b84790fb9bf802a9358d89800b02721c7b578aac2c70fe427ca5682df631957d957adf4b89d41b860500

                          Download Submit

                        • memory/2424-58-0x0000000000790000-0x00000000007A0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/2952-82-0x0000025CFB080000-0x0000025CFB0A2000-memory.dmp

                          Filesize

                          136KB

                          Download