Analysis
Max time kernel: 6s
Platform: windows10-1703_x64
Resource: win10-20240404-en
Resource tags: arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
Submitted: 14/09/2024, 12:51 UTC
Static task
static1
General
Target: FearstCheat.exe
Size: 1.7MB
MD5: 0588341217749d543c1d9808ae996a93
SHA1: b0597e54d0c9a9c031d2c4f04e154e4e329f829e
SHA256: 137372fa011a0dd39cc61ef4924fbaf23ac1d2f256a1a121c6de8bc3e08cddbb
SHA512: acc4f8dd88f1cbe79c0e374eb60674c5ccc324d97bda85b392a26177566a6c24390c5511535da66a6871e1c0c2a4d2bec180c08785b6d22e5d2cf39426a36248
SSDEEP: 49152:Jdn9ScjutnACJUB7ngHHZSlwM0iKcK7UBbquuRJ:Jd9S5ZRt7U
Malware Config
Extracted
Family: xworm
C2: 192.168.223.129:4935
Install_directory: %AppData%
install_file: $77.exe
Signatures
Detect Xworm Payload (1 IoC)
  resource yara_rule: behavioral1/memory/4748-7-0x0000000000400000-0x0000000000416000-memory.dmp  family_xworm
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid 3440  process powershell.exe
.NET Reactor protector (1 IoC)
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
  resource yara_rule: behavioral1/memory/4944-1-0x0000000000E50000-0x0000000001000000-memory.dmp  net_reactor
Drops startup file (1 IoC)
  description: File created  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk  process: FearstCheat.exe
Suspicious use of SetThreadContext (1 IoC)
  description: PID 4944 set thread context of 4748  pid 4944  process FearstCheat.exe  procid_target 75
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process: powershell.exe
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process: FearstCheat.exe
  description: Key opened  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  process: MSBuild.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid 3440  process powershell.exe
  pid 3440  process powershell.exe
  pid 3440  process powershell.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege  pid 4748  process MSBuild.exe
  description: Token: SeDebugPrivilege  pid 3440  process powershell.exe
Suspicious use of WriteProcessMemory (11 IoCs)
  description: PID 4944 wrote to memory of 4748  pid 4944  process FearstCheat.exe  procid_target 75  (8 identical events)
  description: PID 4748 wrote to memory of 3440  pid 4748  process MSBuild.exe  procid_target 76  (3 identical events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\FearstCheat.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\FearstCheat.exe"
   PID: 4944
   - Drops startup file
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (child of 1)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      PID: 4748
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (child of 2)
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
         PID: 3440
         - Command and Scripting Interpreter: PowerShell
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1B
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a