Analysis

  • max time kernel
    251s
  • max time network
    252s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-05-2024 15:43

General

  • Target

    1337.exe

  • Size

    74KB

  • MD5

    4880e259288281b779f968d9d552b315

  • SHA1

    8aa3e6f23d31a7eb7bca0955f1bba24aea551acb

  • SHA256

    5f96a54f202bb7650aff16e8ecbda7ea18f491c0420e1f5b9412d3d19b89fd08

  • SHA512

    26881d50a7338e111f6739eec99d2bcde3292977e3170072451742896fef3b988fc2c0b0f6a52e38af58bf654f6251de6892fec2fc24a85c81c0fbdc0fb45326

  • SSDEEP

    1536:u8v6znhAVi37wMHgqSSv3J9b6Xe7exXkU/O66O2uIAdrP:ue+nmVi34gPJ9bYie/SO2rAR

Malware Config

Extracted

Family

xworm

C2

help-wt.gl.at.ply.gg:60294

Attributes
  • Install_directory

    %AppData%

  • install_file

    Cheat.exe

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Stops running service(s) 4 TTPs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\1337.exe
    "C:\Users\Admin\AppData\Local\Temp\1337.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1337.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1804
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1337.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2684
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Cheat.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2652
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Cheat.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2544
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Cheat" /tr "C:\Users\Admin\AppData\Roaming\Cheat.exe"
      2⤵
      • Creates scheduled task(s)
      PID:2548
    • C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" stop wuauserv
      2⤵
      • Launches sc.exe
      PID:1648
    • C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" config wuauserv start=disabled
      2⤵
      • Launches sc.exe
      PID:1608
    • C:\Windows\system32\cmd.exe
      "cmd"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2312
      • C:\Windows\system32\netsh.exe
        netsh wlan show profiles
        3⤵
          PID:1040
      • C:\Windows\System32\netsh.exe
        "C:\Windows\System32\netsh.exe" advfirewall set allprofiles state off
        2⤵
        • Modifies Windows Firewall
        PID:924
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {325B1EAA-0951-431C-8767-FB97A463AFEA} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2380
      • C:\Users\Admin\AppData\Roaming\Cheat.exe
        C:\Users\Admin\AppData\Roaming\Cheat.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1844
      • C:\Users\Admin\AppData\Roaming\Cheat.exe
        C:\Users\Admin\AppData\Roaming\Cheat.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2232
      • C:\Users\Admin\AppData\Roaming\Cheat.exe
        C:\Users\Admin\AppData\Roaming\Cheat.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:832
      • C:\Users\Admin\AppData\Roaming\Cheat.exe
        C:\Users\Admin\AppData\Roaming\Cheat.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3036
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:1912

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Roaming\Cheat.exe

        Filesize

        74KB

        MD5

        4880e259288281b779f968d9d552b315

        SHA1

        8aa3e6f23d31a7eb7bca0955f1bba24aea551acb

        SHA256

        5f96a54f202bb7650aff16e8ecbda7ea18f491c0420e1f5b9412d3d19b89fd08

        SHA512

        26881d50a7338e111f6739eec99d2bcde3292977e3170072451742896fef3b988fc2c0b0f6a52e38af58bf654f6251de6892fec2fc24a85c81c0fbdc0fb45326

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A028DLLHR1GJLX53TTU6.temp

        Filesize

        7KB

        MD5

        ba37c146862f3b676addbfcaa74e1c6f

        SHA1

        c441435db2ba7b59d2e43dbcc1277b6f086c2711

        SHA256

        59b6cf869a3f792987e432d481a5b1e18a4979c602bf87acdd70d2a66bdcbf7e

        SHA512

        d948c68b5cd0871e0527913429b4e8352797fa24c9ed0eb651edc52c1d4788c52fc34ea132d37132c6c13a646672f6c1a68d020302620e0dff8bd046c19a70d6

      • \??\PIPE\srvsvc

        MD5

        d41d8cd98f00b204e9800998ecf8427e

        SHA1

        da39a3ee5e6b4b0d3255bfef95601890afd80709

        SHA256

        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

        SHA512

        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      • memory/1804-7-0x000000001B760000-0x000000001BA42000-memory.dmp

        Filesize

        2.9MB

      • memory/1804-6-0x00000000028E0000-0x0000000002960000-memory.dmp

        Filesize

        512KB

      • memory/1804-8-0x0000000001F70000-0x0000000001F78000-memory.dmp

        Filesize

        32KB

      • memory/1844-37-0x00000000012D0000-0x00000000012E8000-memory.dmp

        Filesize

        96KB

      • memory/1920-38-0x0000000000B30000-0x0000000000B3A000-memory.dmp

        Filesize

        40KB

      • memory/1920-32-0x000000001B090000-0x000000001B110000-memory.dmp

        Filesize

        512KB

      • memory/1920-33-0x000007FEF5263000-0x000007FEF5264000-memory.dmp

        Filesize

        4KB

      • memory/1920-1-0x0000000000D60000-0x0000000000D78000-memory.dmp

        Filesize

        96KB

      • memory/1920-0-0x000007FEF5263000-0x000007FEF5264000-memory.dmp

        Filesize

        4KB

      • memory/1920-41-0x000000001A640000-0x000000001A64E000-memory.dmp

        Filesize

        56KB

      • memory/1920-43-0x000000001DBB0000-0x000000001DF00000-memory.dmp

        Filesize

        3.3MB

      • memory/1920-44-0x000000001B210000-0x000000001B21A000-memory.dmp

        Filesize

        40KB

      • memory/1920-46-0x000000001B230000-0x000000001B23A000-memory.dmp

        Filesize

        40KB

      • memory/2684-15-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

        Filesize

        32KB

      • memory/2684-14-0x000000001B680000-0x000000001B962000-memory.dmp

        Filesize

        2.9MB