Analysis Overview
SHA256
ab7e274e5bb0eaf7d46c8e3bce83c13a2e0c5a170c463c16c074a428ff562d12
Threat Level: Known bad
The file CHEATBLOXFRUIT.exe was found to be: Known bad.
Malicious Activity Summary
Xworm family
Xworm
Detect Xworm Payload
Drops startup file
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-21 20:21
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-21 20:21
Reported
2024-06-21 20:25
Platform
win7-20240221-en
Max time kernel
149s
Max time network
118s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CHEATBLOXFRUIT.lnk | C:\Users\Admin\AppData\Local\Temp\CHEATBLOXFRUIT.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CHEATBLOXFRUIT.lnk | C:\Users\Admin\AppData\Local\Temp\CHEATBLOXFRUIT.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csucrw.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CHEATBLOXFRUIT.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\CHEATBLOXFRUIT.exe
"C:\Users\Admin\AppData\Local\Temp\CHEATBLOXFRUIT.exe"
C:\Windows\System32\msdt.exe
"C:\Windows\System32\msdt.exe" -skip TRUE -path C:\Windows\diagnostics\system\networking -ep NetworkDiagnosticsPNI
C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bhkx27no.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES85F3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC85F2.tmp"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" pnidui.dll,NwCategoryWiz {8df4808d-ed5f-4758-89d8-5580aafbda43} 0
C:\Windows\system32\msdt.exe
-skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\Admin\AppData\Local\Temp\NDFCDAB.tmp -ep NetworkDiagnosticsGenericNetConnection
C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Users\Admin\AppData\Local\Temp\csucrw.exe
"C:\Users\Admin\AppData\Local\Temp\csucrw.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | et-hansen.gl.at.ply.gg | udp |
| US | 147.185.221.20:33635 | et-hansen.gl.at.ply.gg | tcp |
| US | 147.185.221.20:33635 | et-hansen.gl.at.ply.gg | tcp |
Files
memory/2076-0-0x000007FEF51A3000-0x000007FEF51A4000-memory.dmp
memory/2076-1-0x0000000000920000-0x0000000000936000-memory.dmp
memory/2076-6-0x000007FEF51A0000-0x000007FEF5B8C000-memory.dmp
memory/2076-7-0x000007FEF51A3000-0x000007FEF51A4000-memory.dmp
C:\Windows\Temp\SDIAG_5593f67c-1605-4c32-92e3-295fdcd171ed\en-US\DiagPackage.dll.mui
| MD5 | 1ccc67c44ae56a3b45cc256374e75ee1 |
| SHA1 | bbfc04c4b0220ae38fa3f3e2ea52b7370436ed1f |
| SHA256 | 030191d10ffb98cecd3f09ebdc606c768aaf566872f718303592fff06ba51367 |
| SHA512 | b67241f4ad582e50a32f0ecf53c11796aef9e5b125c4be02511e310b85bdfa3796579bbf3f0c8fe5f106a5591ec85e66d89e062b792ea38ca29cb3b03802f6c6 |
C:\Windows\Temp\SDIAG_5593f67c-1605-4c32-92e3-295fdcd171ed\DiagPackage.dll
| MD5 | 4dae3266ab0bdb38766836008bf2c408 |
| SHA1 | 1748737e777752491b2a147b7e5360eda4276364 |
| SHA256 | d2ff079b3f9a577f22856d1be0217376f140fcf156e3adf27ebe6149c9fd225a |
| SHA512 | 91fb8abd1832d785cd5a20da42c5143cd87a8ef49196c06cfb57a7a8de607f39543e8a36be9207842a992769b1c3c55d557519e59063f1f263b499f01887b01b |
memory/2076-362-0x000007FEF51A0000-0x000007FEF5B8C000-memory.dmp
memory/2772-363-0x0000000000420000-0x0000000000421000-memory.dmp
C:\Windows\TEMP\SDIAG_5593f67c-1605-4c32-92e3-295fdcd171ed\NetworkDiagnosticsTroubleshoot.ps1
| MD5 | 1d192ce36953dbb7dc7ee0d04c57ad8d |
| SHA1 | 7008e759cb47bf74a4ea4cd911de158ef00ace84 |
| SHA256 | 935a231924ae5d4a017b0c99d4a5f3904ef280cea4b3f727d365283e26e8a756 |
| SHA512 | e864ac74e9425a6c7f1be2bbc87df9423408e16429cb61fa1de8875356226293aa07558b2fafdd5d0597254474204f5ba181f4e96c2bc754f1f414748f80a129 |
C:\Windows\TEMP\SDIAG_5593f67c-1605-4c32-92e3-295fdcd171ed\UtilityFunctions.ps1
| MD5 | 2f7c3db0c268cf1cf506fe6e8aecb8a0 |
| SHA1 | fb35af6b329d60b0ec92e24230eafc8e12b0a9f9 |
| SHA256 | 886a625f71e0c35e5722423ed3aa0f5bff8d120356578ab81a64de2ab73d47f3 |
| SHA512 | 322f2b1404a59ee86c492b58d56b8a6ed6ebc9b844a8c38b7bb0b0675234a3d5cfc9f1d08c38c218070e60ce949aa5322de7a2f87f952e8e653d0ca34ff0de45 |
C:\Windows\TEMP\SDIAG_5593f67c-1605-4c32-92e3-295fdcd171ed\UtilitySetConstants.ps1
| MD5 | 0c75ae5e75c3e181d13768909c8240ba |
| SHA1 | 288403fc4bedaacebccf4f74d3073f082ef70eb9 |
| SHA256 | de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f |
| SHA512 | 8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b |
C:\Windows\TEMP\SDIAG_5593f67c-1605-4c32-92e3-295fdcd171ed\en-US\LocalizationData.psd1
| MD5 | dc9be0fdf9a4e01693cfb7d8a0d49054 |
| SHA1 | 74730fd9c9bd4537fd9a353fe4eafce9fcc105e6 |
| SHA256 | 944186cd57d6adc23a9c28fc271ed92dd56efd6f3bb7c9826f7208ea1a1db440 |
| SHA512 | 92ad96fa6b221882a481b36ff2b7114539eb65be46ee9e3139e45b72da80aac49174155483cba6254b10fff31f0119f07cbc529b1b69c45234c7bb61766aad66 |
\??\c:\Users\Admin\AppData\Local\Temp\bhkx27no.cmdline
| MD5 | 27d9494a93d22ad372a73e41bbc6f4f4 |
| SHA1 | c08c00460fdbd9739fc53d26da43bc2c26626897 |
| SHA256 | da31cb81c59f8f77e3ec9b00d587f76e75a090546284d68afe97163098dc6d97 |
| SHA512 | 635494e5009c38e37756176703dd999b0557508482f9da7127230f7e3371d2bb174bdfeccc96603f3d187f3fa2f65c8528125d7b7c42b1f4ccba4fbf90b2ac72 |
\??\c:\Users\Admin\AppData\Local\Temp\bhkx27no.0.cs
| MD5 | bac2724be827ee042ff2b312050aa844 |
| SHA1 | ca34fd2feb835c8746ad1bec6de9a24cc1368595 |
| SHA256 | 6901eb7b1a34580f7ae741d2a0d09bfa0e85e0b2cbd945d961291e6f4a02bd33 |
| SHA512 | 3e7b6d91ed41007b471c93015c7c8900c7141766d7a83b394fabceac93f91cb4b37ed06abc3371f96b314355aa4facf9e0214d7dfcb7faa0018db02ad0a970aa |
C:\Users\Admin\AppData\Local\Temp\bhkx27no.dll
| MD5 | e963d332cfb8836665479fb46f051d4c |
| SHA1 | b14ecab56f8db2eea13f92dd2e95704d0bffff5b |
| SHA256 | c5826580a94ae7a30d241bf4b32eb14a533570bcb2a5c824b0fef5c27cb597ef |
| SHA512 | 2fdeb175b929992013c051ee83e99f002e915121560377ae06856d7ea05c4f09a344d56eded06e2e2489a2b23a71720f8e9ec45d82bae9cceffe93e0dbacce77 |
C:\Users\Admin\AppData\Local\Temp\RES85F3.tmp
| MD5 | 74822bca5e5eb9d820ae61ed8f7da0cd |
| SHA1 | 23c672cfc0df61721da7ef4008f92c4ad462a885 |
| SHA256 | 18c0d61a577e98a3059904d27c83ab18108a93cf1da523d421fd4bec56a9657a |
| SHA512 | fd85f63292dd501945c0afb29bf582ad3b97613fe086a2e399ab64ddea31dfddb603e1757b037ed9386e41bcddec2f53493ac8d2e8a357f2628c9ae665675e87 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC85F2.tmp
| MD5 | 9a4f0251da12c3192a9dd16c95cd5106 |
| SHA1 | 9d274ad5621cca97e5f71b7c8a69a93a93426f34 |
| SHA256 | cf2e09d376471efa5db7af1a7941a62e0c62d11777ecb026c098c863fbfda309 |
| SHA512 | b2ae147ae08bf8ba23918d2e884609c2567470611e10b1d89d663a3497e92e193b980d385db4cdba0f1e13686f7c6e0a156e67235a91de2dca4cc365489d65f3 |
C:\Users\Admin\AppData\Local\Temp\bhkx27no.pdb
| MD5 | 68e8de5a77588ed2939fb8a4bef35c20 |
| SHA1 | 59fb912028aee51efcaa76d1b9861d57eb5f442a |
| SHA256 | 3b18e66ca7a904f2e32f4c09421ffcf57e7ad9149b2fb81356dafe15dfecb115 |
| SHA512 | f2785b3959064b825e5bb616b6f687be27b9fbe3c28c0581e32fa21eab7e47dbd74941dbf022b18f80bf50bdf72141bf76c1cff53fec5387bbcb300bdafdf1a0 |
memory/2592-381-0x00000000023D0000-0x00000000023D8000-memory.dmp
C:\Windows\Temp\SDIAG_f137a898-80c0-4399-a545-b4d33506b858\DiagPackage.diagpkg
| MD5 | c9fb87fa3460fae6d5d599236cfd77e2 |
| SHA1 | a5bf8241156e8a9d6f34d70d467a9b5055e087e7 |
| SHA256 | cde728c08a4e50a02fcff35c90ee2b3b33ab24c8b858f180b6a67bfa94def35f |
| SHA512 | f4f0cb1b1c823dcd91f6cfe8d473c41343ebf7ed0e43690eecc290e37cee10c20a03612440f1169eef08cc8059aaa23580aa76dd86c1704c4569e8139f9781b3 |
memory/2772-742-0x0000000000420000-0x0000000000421000-memory.dmp
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024062120.000\NetworkDiagnostics.0.debugreport.xml
| MD5 | 004f18e2700533240766cf07511ae08b |
| SHA1 | 3d8ef9f1d5753b878cde6737cf926b25d1967457 |
| SHA256 | c4c5f503b5ad8496fddf6cc33072de3cbf92b1c88290600d7bc16533b280b48e |
| SHA512 | 1fbed2820d447416471ae6329a052f9a4d89af96cf2e33a111663f74bf0378263658a1e2c9f8fe7c633573ce668c6ba14eedcbe11e4634693cd662da612e7983 |
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024062120.000\results.xsl
| MD5 | 310e1da2344ba6ca96666fb639840ea9 |
| SHA1 | e8694edf9ee68782aa1de05470b884cc1a0e1ded |
| SHA256 | 67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c |
| SHA512 | 62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244 |
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\latest.cab
| MD5 | 624f950e3f8f9e7b23a979f84e9013fb |
| SHA1 | 8a24f7dac5566e0ad6a552884a3a989b181e52dd |
| SHA256 | 52886256b94b5998f0f748dd89081b3cce9570c5c6adb20eab145dbe952d08b5 |
| SHA512 | 0165cc790c2547d6ae702562da4c1b85c0088690caabb97c0c7801e3a6a7ad521c6edf979a322eee24a5a29be5276dee2a75fb0e1198df6bf178229495b77e47 |
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024062120.001\NetworkDiagnostics.0.debugreport.xml
| MD5 | 142872d4c517b9ef8f8bdd2807c49c98 |
| SHA1 | a2c04f35034c316c05f7c78c63b7bb87cc147994 |
| SHA256 | f975d3ea84ffa86ec875a1728ac2843ed9877213bba5eb78b6d530ae0e2b89e6 |
| SHA512 | cb557260478aa3260aab07b4572c9329a7bf1e1e918cb44c0f0099381b965e4ace964cd2929156c320f608d85582ad42c4adc8733acd48efb8e13757323f7238 |
memory/1068-823-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/1068-824-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2076-825-0x0000000000520000-0x000000000052A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csucrw.exe
| MD5 | 80c506da3df5e4580c06c48162bccbea |
| SHA1 | 43fbccf50f91cd8e1190869b0edc96d920519c14 |
| SHA256 | 5699b2e12f78b7eeca0633c6a5a93effe7187565eccd7668acccf93c61ab7acb |
| SHA512 | f4a424bf758bb48da944701397ac1e82bb72a15ea4e8818535f2e52199d37e9caf4361303fee4bd9d6db528e1c0171d1612aebc5f636ca9c4ee4fd795432b8c5 |
memory/2292-831-0x00000000013D0000-0x0000000002794000-memory.dmp
memory/1068-832-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/1068-833-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2076-834-0x000007FEF51A0000-0x000007FEF5B8C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-21 20:21
Reported
2024-06-21 20:25
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CHEATBLOXFRUIT.lnk | C:\Users\Admin\AppData\Local\Temp\CHEATBLOXFRUIT.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CHEATBLOXFRUIT.lnk | C:\Users\Admin\AppData\Local\Temp\CHEATBLOXFRUIT.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CHEATBLOXFRUIT.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\CHEATBLOXFRUIT.exe
"C:\Users\Admin\AppData\Local\Temp\CHEATBLOXFRUIT.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | et-hansen.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | et-hansen.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | et-hansen.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | et-hansen.gl.at.ply.gg | udp |
| US | 52.111.227.11:443 | tcp | |
| US | 8.8.8.8:53 | et-hansen.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | et-hansen.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | et-hansen.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | et-hansen.gl.at.ply.gg | udp |
Files
memory/4584-0-0x00007FFBF81B3000-0x00007FFBF81B5000-memory.dmp
memory/4584-1-0x0000000000890000-0x00000000008A6000-memory.dmp
memory/4584-6-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp
memory/4584-7-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp