Analysis
-
max time kernel
147s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
02/03/2025, 22:44
General
-
Target
discordnukerv3.exe
-
Size
35KB
-
MD5
ec09727a0ebaf761bcaf7c5f3b799008
-
SHA1
d6aa602f2e7883d0fe79585ddf2093b1b513f05a
-
SHA256
b412ff0701b365206f9da406214e5dccf883f77a00b750658fad687e95a4e2a6
-
SHA512
01a113512eaa04af6f2493a24806054bb4050e1273e6fd2eacc86457df0b414e9bdd2f841b040c17cfa2c19244423a262b0a71220e1bb1861148eada44148cbc
-
SSDEEP
768:mo7zWVFe5fzEky1TxVPemVFyw9brVO/h6yIL:X7zWVFe6Rq8Fr9b5O/oBL
Malware Config
Extracted
xworm
5.0
127.0.0.1:38571
0KgKOnJZ1WSTbd2d
-
Install_directory
%AppData%
-
install_file
XClient.exe
Signatures
-
Detect Xworm Payload 4 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Drops startup file 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\discordnukerv3.exe"C:\Users\Admin\AppData\Local\Temp\discordnukerv3.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {1B6B1CB7-1DD8-455D-B39B-E499ECB7B60E} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\XClient.exeC:\Users\Admin\AppData\Roaming\XClient.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\XClient.exeC:\Users\Admin\AppData\Roaming\XClient.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\XClient.exeC:\Users\Admin\AppData\Roaming\XClient.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
35KB
MD5ec09727a0ebaf761bcaf7c5f3b799008
SHA1d6aa602f2e7883d0fe79585ddf2093b1b513f05a
SHA256b412ff0701b365206f9da406214e5dccf883f77a00b750658fad687e95a4e2a6
SHA51201a113512eaa04af6f2493a24806054bb4050e1273e6fd2eacc86457df0b414e9bdd2f841b040c17cfa2c19244423a262b0a71220e1bb1861148eada44148cbc
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
9.9MB