Analysis
- max time kernel: 251s
- max time network: 252s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 26-05-2024 15:43
Behavioral tasks
- behavioral1: sample 1337.exe, resource win7-20240508-en
- behavioral2: sample 1337.exe, resource win10v2004-20240508-en
General
- Target: 1337.exe
- Size: 74KB
- MD5: 4880e259288281b779f968d9d552b315
- SHA1: 8aa3e6f23d31a7eb7bca0955f1bba24aea551acb
- SHA256: 5f96a54f202bb7650aff16e8ecbda7ea18f491c0420e1f5b9412d3d19b89fd08
- SHA512: 26881d50a7338e111f6739eec99d2bcde3292977e3170072451742896fef3b988fc2c0b0f6a52e38af58bf654f6251de6892fec2fc24a85c81c0fbdc0fb45326
- SSDEEP: 1536:u8v6znhAVi37wMHgqSSv3J9b6Xe7exXkU/O66O2uIAdrP:ue+nmVi34gPJ9bYie/SO2rAR
Malware Config
Extracted
- Family: xworm
- C2: help-wt.gl.at.ply.gg:60294
- Install_directory: %AppData%
- install_file: Cheat.exe
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes (resource, yara_rule):
- behavioral1/memory/1920-41-0x000000001A640000-0x000000001A64E000-memory.dmp: disable_win_def
Detect Xworm Payload 3 IoCs
Processes (resource, yara_rule):
- behavioral1/memory/1920-1-0x0000000000D60000-0x0000000000D78000-memory.dmp: family_xworm
- C:\Users\Admin\AppData\Roaming\Cheat.exe: family_xworm
- behavioral1/memory/1844-37-0x00000000012D0000-0x00000000012E8000-memory.dmp: family_xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes (pid, process):
- 1804 powershell.exe
- 2684 powershell.exe
- 2652 powershell.exe
- 2544 powershell.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes (pid, process):
- 924 netsh.exe
Drops startup file 2 IoCs
Processes (description, ioc, process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cheat.lnk (1337.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cheat.lnk (1337.exe)
Executes dropped EXE 4 IoCs
Processes (pid, process):
- 1844 Cheat.exe
- 2232 Cheat.exe
- 832 Cheat.exe
- 3036 Cheat.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cheat = "C:\\Users\\Admin\\AppData\\Roaming\\Cheat.exe" (1337.exe)
Launches sc.exe 2 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes (pid, process):
- 1648 sc.exe
- 1608 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes (pid, process):
- 1920 1337.exe
Suspicious behavior: EnumeratesProcesses 17 IoCs
Processes (pid, process):
- 1804 powershell.exe
- 2684 powershell.exe
- 2652 powershell.exe
- 2544 powershell.exe
- 1920 1337.exe (recorded 13 times, giving the 17 IoCs in total)
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, 1920 1337.exe
- Token: SeDebugPrivilege, 1804 powershell.exe
- Token: SeDebugPrivilege, 2684 powershell.exe
- Token: SeDebugPrivilege, 2652 powershell.exe
- Token: SeDebugPrivilege, 2544 powershell.exe
- Token: SeDebugPrivilege, 1920 1337.exe
- Token: SeDebugPrivilege, 1844 Cheat.exe
- Token: SeDebugPrivilege, 2232 Cheat.exe
- Token: SeDebugPrivilege, 832 Cheat.exe
- Token: SeDebugPrivilege, 3036 Cheat.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid, process):
- 1920 1337.exe
Suspicious use of WriteProcessMemory 42 IoCs
Processes (source pid, source process, target pid, target process; each entry is recorded three times in the report, giving the 42 IoCs in total):
- PID 1920 (1337.exe) wrote to memory of PID 1804 (powershell.exe)
- PID 1920 (1337.exe) wrote to memory of PID 2684 (powershell.exe)
- PID 1920 (1337.exe) wrote to memory of PID 2652 (powershell.exe)
- PID 1920 (1337.exe) wrote to memory of PID 2544 (powershell.exe)
- PID 1920 (1337.exe) wrote to memory of PID 2548 (schtasks.exe)
- PID 2380 (taskeng.exe) wrote to memory of PID 1844 (Cheat.exe)
- PID 2380 (taskeng.exe) wrote to memory of PID 2232 (Cheat.exe)
- PID 1920 (1337.exe) wrote to memory of PID 1648 (sc.exe)
- PID 1920 (1337.exe) wrote to memory of PID 1608 (sc.exe)
- PID 2380 (taskeng.exe) wrote to memory of PID 832 (Cheat.exe)
- PID 1920 (1337.exe) wrote to memory of PID 2312 (cmd.exe)
- PID 2312 (cmd.exe) wrote to memory of PID 1040 (netsh.exe)
- PID 1920 (1337.exe) wrote to memory of PID 924 (netsh.exe)
- PID 2380 (taskeng.exe) wrote to memory of PID 3036 (Cheat.exe)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; nesting shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\1337.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1337.exe"
  PID: 1920
  Signatures: Drops startup file; Adds Run key to start application; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1337.exe'
    PID: 1804
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1337.exe'
    PID: 2684
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Cheat.exe'
    PID: 2652
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Cheat.exe'
    PID: 2544
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Cheat" /tr "C:\Users\Admin\AppData\Roaming\Cheat.exe"
    PID: 2548
    Signatures: Creates scheduled task(s)
  - C:\Windows\System32\sc.exe
    Command line: "C:\Windows\System32\sc.exe" stop wuauserv
    PID: 1648
    Signatures: Launches sc.exe
  - C:\Windows\System32\sc.exe
    Command line: "C:\Windows\System32\sc.exe" config wuauserv start=disabled
    PID: 1608
    Signatures: Launches sc.exe
  - C:\Windows\system32\cmd.exe
    Command line: "cmd"
    PID: 2312
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\netsh.exe
      Command line: netsh wlan show profiles
      PID: 1040
  - C:\Windows\System32\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall set allprofiles state off
    PID: 924
    Signatures: Modifies Windows Firewall
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {325B1EAA-0951-431C-8767-FB97A463AFEA} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]
  PID: 2380
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Cheat.exe
    Command line: C:\Users\Admin\AppData\Roaming\Cheat.exe
    PID: 1844
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\Cheat.exe
    Command line: C:\Users\Admin\AppData\Roaming\Cheat.exe
    PID: 2232
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\Cheat.exe
    Command line: C:\Users\Admin\AppData\Roaming\Cheat.exe
    PID: 832
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\Cheat.exe
    Command line: C:\Users\Admin\AppData\Roaming\Cheat.exe
    PID: 3036
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 1912
Network
MITRE ATT&CK Enterprise v15 (technique, count)
Execution:
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1)
- System Services (1): Service Execution (1)
Persistence:
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)
- Scheduled Task/Job (1)
Privilege Escalation:
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)
- Scheduled Task/Job (1)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A028DLLHR1GJLX53TTU6.temp
  Filesize: 7KB
  MD5: ba37c146862f3b676addbfcaa74e1c6f
  SHA1: c441435db2ba7b59d2e43dbcc1277b6f086c2711
  SHA256: 59b6cf869a3f792987e432d481a5b1e18a4979c602bf87acdd70d2a66bdcbf7e
  SHA512: d948c68b5cd0871e0527913429b4e8352797fa24c9ed0eb651edc52c1d4788c52fc34ea132d37132c6c13a646672f6c1a68d020302620e0dff8bd046c19a70d6