Analysis
max time kernel: 149s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 21-06-2024 20:21
Behavioral task: behavioral1
Sample: CHEATBLOXFRUIT.exe
Resource: win7-20240221-en
General
Target: CHEATBLOXFRUIT.exe
Size: 68KB
MD5: 041b235f33b97454664759841a374573
SHA1: 1a05fc8c1f449566d3e30972fd9aaabc03dbc9d1
SHA256: ab7e274e5bb0eaf7d46c8e3bce83c13a2e0c5a170c463c16c074a428ff562d12
SHA512: 36a8a6f41fbb74c63f4834c1d437a7a866da17645984671bd58194e6496113903888cd110b5608874801a133469707e14a3c0de356b380b086639befa8ae7a3b
SSDEEP: 1536:zJXF29ReOjinvSXVVFDyYJf9z6mkcdrpeO+uZgGk8:9XF29ReOjqGVljz6mkcdrpsm
Malware Config
Extracted
Family: xworm
Version: 3.0
C2: et-hansen.gl.at.ply.gg:33635
prtv1Q5500cT7S76
Install_directory: %AppData%
Signatures

Detect Xworm Payload (1 IoC)
resource: behavioral1/memory/2076-1-0x0000000000920000-0x0000000000936000-memory.dmp
yara_rule: family_xworm

Drops startup file (2 IoCs)
Processes: CHEATBLOXFRUIT.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CHEATBLOXFRUIT.lnk | CHEATBLOXFRUIT.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CHEATBLOXFRUIT.lnk | CHEATBLOXFRUIT.exe

Executes dropped EXE (1 IoC)
Processes: csucrw.exe
pid | process
2292 | csucrw.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: taskmgr.exe
pid | process
1068 | taskmgr.exe (all 64 entries identical)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: taskmgr.exe
pid | process
1068 | taskmgr.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: CHEATBLOXFRUIT.exe, taskmgr.exe
description | pid | process
Token: SeDebugPrivilege | 2076 | CHEATBLOXFRUIT.exe
Token: SeDebugPrivilege | 1068 | taskmgr.exe
Token: SeSecurityPrivilege | 1068 | taskmgr.exe
Token: SeTakeOwnershipPrivilege | 1068 | taskmgr.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
Processes: msdt.exe, rundll32.exe, msdt.exe, taskmgr.exe
pid | process
2772 | msdt.exe
2700 | rundll32.exe
2872 | msdt.exe
1068 | taskmgr.exe (all remaining entries identical)

Suspicious use of SendNotifyMessage (64 IoCs)
Processes: taskmgr.exe
pid | process
1068 | taskmgr.exe (all 64 entries identical)

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: sdiagnhost.exe, csc.exe, CHEATBLOXFRUIT.exe
description | pid | process | target process
PID 2592 wrote to memory of 2448 | 2592 | sdiagnhost.exe | csc.exe (3 identical entries)
PID 2448 wrote to memory of 1772 | 2448 | csc.exe | cvtres.exe (3 identical entries)
PID 2076 wrote to memory of 2292 | 2076 | CHEATBLOXFRUIT.exe | csucrw.exe (3 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\CHEATBLOXFRUIT.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\CHEATBLOXFRUIT.exe"
  PID: 2076
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  child: C:\Users\Admin\AppData\Local\Temp\csucrw.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\csucrw.exe"
    PID: 2292
    - Executes dropped EXE

C:\Windows\System32\msdt.exe
  command line: "C:\Windows\System32\msdt.exe" -skip TRUE -path C:\Windows\diagnostics\system\networking -ep NetworkDiagnosticsPNI
  PID: 2772
  - Suspicious use of FindShellTrayWindow

C:\Windows\System32\sdiagnhost.exe
  command line: C:\Windows\System32\sdiagnhost.exe -Embedding
  PID: 2592
  - Suspicious use of WriteProcessMemory
  child: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bhkx27no.cmdline"
    PID: 2448
    - Suspicious use of WriteProcessMemory
    child: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES85F3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC85F2.tmp"
      PID: 1772

C:\Windows\SysWOW64\DllHost.exe
  command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
  PID: 2352

C:\Windows\system32\rundll32.exe
  command line: "C:\Windows\system32\rundll32.exe" pnidui.dll,NwCategoryWiz {8df4808d-ed5f-4758-89d8-5580aafbda43} 0
  PID: 2700
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msdt.exe
  command line: -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\Admin\AppData\Local\Temp\NDFCDAB.tmp -ep NetworkDiagnosticsGenericNetConnection
  PID: 2872
  - Suspicious use of FindShellTrayWindow

C:\Windows\System32\sdiagnhost.exe
  command line: C:\Windows\System32\sdiagnhost.exe -Embedding
  PID: 1832

C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 1068
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads