Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

FearstCheat.exe

windows10-1703-x64

10

Resubmissions

14/09/2024, 12:51

240914-p3vt1svark 10

14/09/2024, 12:51

240914-p3gbmaveja 10

Analysis

  • max time kernel
    6s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    14/09/2024, 12:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FearstCheat.exe

  • Size

    1.7MB

  • MD5

    0588341217749d543c1d9808ae996a93

  • SHA1

    b0597e54d0c9a9c031d2c4f04e154e4e329f829e

  • SHA256

    137372fa011a0dd39cc61ef4924fbaf23ac1d2f256a1a121c6de8bc3e08cddbb

  • SHA512

    acc4f8dd88f1cbe79c0e374eb60674c5ccc324d97bda85b392a26177566a6c24390c5511535da66a6871e1c0c2a4d2bec180c08785b6d22e5d2cf39426a36248

  • SSDEEP

    49152:Jdn9ScjutnACJUB7ngHHZSlwM0iKcK7UBbquuRJ:Jd9S5ZRt7U

Score
10/10
xwormdiscoveryexecutionrattrojan

Malware Config

Extracted

Family

xworm

C2

192.168.223.129:4935

Attributes
  • Install_directory

    %AppData%

  • install_file

    $77.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • .NET Reactor proctector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FearstCheat.exe
    "C:\Users\Admin\AppData\Local\Temp\FearstCheat.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4944
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4748
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3440

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i0252kpl.d5x.ps1
    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    Download Submit

  • memory/3440-14-0x0000000006C40000-0x0000000007268000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3440-21-0x0000000007B00000-0x0000000007B76000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3440-20-0x0000000007DD0000-0x0000000007E1B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3440-19-0x00000000073A0000-0x00000000073BC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3440-18-0x00000000074C0000-0x0000000007810000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3440-17-0x0000000007450000-0x00000000074B6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3440-16-0x0000000006B90000-0x0000000006BF6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3440-15-0x0000000006A70000-0x0000000006A92000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3440-13-0x0000000004140000-0x0000000004176000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4748-10-0x0000000073400000-0x0000000073AEE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4748-7-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4944-0-0x000000007340E000-0x000000007340F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4944-9-0x0000000073400000-0x0000000073AEE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4944-6-0x00000000060A0000-0x0000000006156000-memory.dmp

    Filesize

    728KB

    Download

  • memory/4944-4-0x0000000006520000-0x0000000006A1E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4944-3-0x0000000005900000-0x000000000599C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4944-2-0x0000000073400000-0x0000000073AEE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4944-1-0x0000000000E50000-0x0000000001000000-memory.dmp

    Filesize

    1.7MB

    Download