Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

FearstCheat.exe

windows10-1703-x64

10

Resubmissions

14/09/2024, 12:51 UTC

240914-p3vt1svark 10

14/09/2024, 12:51 UTC

240914-p3gbmaveja 10

Analysis

  • max time kernel
    6s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    14/09/2024, 12:51 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FearstCheat.exe

  • Size

    1.7MB

  • MD5

    0588341217749d543c1d9808ae996a93

  • SHA1

    b0597e54d0c9a9c031d2c4f04e154e4e329f829e

  • SHA256

    137372fa011a0dd39cc61ef4924fbaf23ac1d2f256a1a121c6de8bc3e08cddbb

  • SHA512

    acc4f8dd88f1cbe79c0e374eb60674c5ccc324d97bda85b392a26177566a6c24390c5511535da66a6871e1c0c2a4d2bec180c08785b6d22e5d2cf39426a36248

  • SSDEEP

    49152:Jdn9ScjutnACJUB7ngHHZSlwM0iKcK7UBbquuRJ:Jd9S5ZRt7U

Score
10/10
xwormdiscoveryexecutionrattrojan

Malware Config

Extracted

Family

xworm

C2

192.168.223.129:4935

Attributes
  • Install_directory

    %AppData%

  • install_file

    $77.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • .NET Reactor proctector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FearstCheat.exe
    "C:\Users\Admin\AppData\Local\Temp\FearstCheat.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4944
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4748
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3440

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i0252kpl.d5x.ps1
    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    Download Submit

  • memory/3440-14-0x0000000006C40000-0x0000000007268000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3440-21-0x0000000007B00000-0x0000000007B76000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3440-20-0x0000000007DD0000-0x0000000007E1B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3440-19-0x00000000073A0000-0x00000000073BC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3440-18-0x00000000074C0000-0x0000000007810000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3440-17-0x0000000007450000-0x00000000074B6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3440-16-0x0000000006B90000-0x0000000006BF6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3440-15-0x0000000006A70000-0x0000000006A92000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3440-13-0x0000000004140000-0x0000000004176000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4748-10-0x0000000073400000-0x0000000073AEE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4748-7-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4944-0-0x000000007340E000-0x000000007340F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4944-9-0x0000000073400000-0x0000000073AEE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4944-6-0x00000000060A0000-0x0000000006156000-memory.dmp

    Filesize

    728KB

    Download

  • memory/4944-4-0x0000000006520000-0x0000000006A1E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4944-3-0x0000000005900000-0x000000000599C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4944-2-0x0000000073400000-0x0000000073AEE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4944-1-0x0000000000E50000-0x0000000001000000-memory.dmp

    Filesize

    1.7MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.