Analysis Overview
SHA256
aa64358a472b702ab5aff39145479b07595f1d2a2e538fd13d448211f9bbb2e5
Threat Level: Known bad
The file Roblox_Executor_Beta.exe was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Xworm family
Executes dropped EXE
Loads dropped DLL
Drops startup file
Checks computer location settings
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-27 15:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-27 15:11
Reported
2025-01-27 15:14
Platform
win7-20240903-en
Max time kernel
124s
Max time network
134s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Xworm family
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Roblox_Executor_Beta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Roblox_Executor_Beta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Roblox_Executor_Beta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Roblox_Executor_Beta.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Roblox_Executor_Beta.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3068 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\Roblox_Executor_Beta.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe |
| PID 3068 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\Roblox_Executor_Beta.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe |
| PID 3068 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\Roblox_Executor_Beta.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe |
| PID 3068 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\Roblox_Executor_Beta.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Roblox_Executor_Beta.exe
"C:\Users\Admin\AppData\Local\Temp\Roblox_Executor_Beta.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | modern-educators.gl.at.ply.gg | udp |
| US | 147.185.221.20:23695 | modern-educators.gl.at.ply.gg | tcp |
| US | 147.185.221.20:23695 | modern-educators.gl.at.ply.gg | tcp |
| US | 147.185.221.20:23695 | modern-educators.gl.at.ply.gg | tcp |
| US | 147.185.221.20:23695 | modern-educators.gl.at.ply.gg | tcp |
| US | 147.185.221.20:23695 | modern-educators.gl.at.ply.gg | tcp |
Files
\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe
| MD5 | a60aaf03b5ec3e9b3893ae2f1a7f10e3 |
| SHA1 | fffdb19dcfe20db81d0d944d73266ea0eb4baf0c |
| SHA256 | 12299a9f7a3be287db04f822ab026dc94234a643118cac66d34ddbfa136736f6 |
| SHA512 | d2422d661ba7b27f17ce09653c3f839e72e1ac80a9a7e06ae5b5262d9c1e5f42346170722deb94436e48b72e4b2c0a7d4783406af4817a0f236757e34ac5dc87 |
memory/2712-15-0x000007FEF5A83000-0x000007FEF5A84000-memory.dmp
memory/2712-16-0x0000000001240000-0x0000000001250000-memory.dmp
memory/2712-21-0x000007FEF5A80000-0x000007FEF646C000-memory.dmp
memory/2712-22-0x000007FEF5A83000-0x000007FEF5A84000-memory.dmp
memory/2712-23-0x000007FEF5A80000-0x000007FEF646C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-27 15:11
Reported
2025-01-27 15:14
Platform
win10v2004-20241007-en
Max time kernel
136s
Max time network
141s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Xworm family
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Roblox_Executor_Beta.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Roblox_Executor_Beta.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3080 wrote to memory of 916 | N/A | C:\Users\Admin\AppData\Local\Temp\Roblox_Executor_Beta.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe |
| PID 3080 wrote to memory of 916 | N/A | C:\Users\Admin\AppData\Local\Temp\Roblox_Executor_Beta.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Roblox_Executor_Beta.exe
"C:\Users\Admin\AppData\Local\Temp\Roblox_Executor_Beta.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | modern-educators.gl.at.ply.gg | udp |
| US | 147.185.221.20:23695 | modern-educators.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 147.185.221.20:23695 | modern-educators.gl.at.ply.gg | tcp |
| US | 147.185.221.20:23695 | modern-educators.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 147.185.221.20:23695 | modern-educators.gl.at.ply.gg | tcp |
| US | 147.185.221.20:23695 | modern-educators.gl.at.ply.gg | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Discord Multi Tool.exe
| MD5 | a60aaf03b5ec3e9b3893ae2f1a7f10e3 |
| SHA1 | fffdb19dcfe20db81d0d944d73266ea0eb4baf0c |
| SHA256 | 12299a9f7a3be287db04f822ab026dc94234a643118cac66d34ddbfa136736f6 |
| SHA512 | d2422d661ba7b27f17ce09653c3f839e72e1ac80a9a7e06ae5b5262d9c1e5f42346170722deb94436e48b72e4b2c0a7d4783406af4817a0f236757e34ac5dc87 |
memory/916-12-0x00007FFE0C913000-0x00007FFE0C915000-memory.dmp
memory/916-13-0x0000000000DA0000-0x0000000000DB0000-memory.dmp
memory/916-18-0x00007FFE0C910000-0x00007FFE0D3D1000-memory.dmp
memory/916-19-0x00007FFE0C913000-0x00007FFE0C915000-memory.dmp
memory/916-20-0x00007FFE0C910000-0x00007FFE0D3D1000-memory.dmp