xworm | 137372fa011a0dd39cc61ef4924fbaf23ac1d2f256a1a121c6de8bc3e08cddbb

General

Target

FearstCheat.exe
Size

1.7MB
MD5

0588341217749d543c1d9808ae996a93
SHA1

b0597e54d0c9a9c031d2c4f04e154e4e329f829e
SHA256

137372fa011a0dd39cc61ef4924fbaf23ac1d2f256a1a121c6de8bc3e08cddbb
SHA512

acc4f8dd88f1cbe79c0e374eb60674c5ccc324d97bda85b392a26177566a6c24390c5511535da66a6871e1c0c2a4d2bec180c08785b6d22e5d2cf39426a36248
SSDEEP

49152:Jdn9ScjutnACJUB7ngHHZSlwM0iKcK7UBbquuRJ:Jd9S5ZRt7U

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

192.168.223.129:4935

Attributes

Install_directory
%AppData%
install_file
$77.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1404-7-0x0000000000400000-0x0000000000416000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4380	powershell.exe
2004	powershell.exe
4736	powershell.exe
4480	powershell.exe

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/1496-1-0x0000000000C80000-0x0000000000E30000-memory.dmp	net_reactor

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	FearstCheat.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77 = "C:\\Users\\Admin\\AppData\\Roaming\\$77.exe"	MSBuild.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1496 set thread context of 1404	1496	FearstCheat.exe	72

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FearstCheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1840	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4380	powershell.exe
4380	powershell.exe
4380	powershell.exe
2004	powershell.exe
2004	powershell.exe
2004	powershell.exe
4736	powershell.exe
4736	powershell.exe
4736	powershell.exe
4480	powershell.exe
4480	powershell.exe
4480	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1404	MSBuild.exe
Token: SeDebugPrivilege	4380	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	4480	powershell.exe
Token: SeDebugPrivilege	1404	MSBuild.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 1404	1496	FearstCheat.exe	72
PID 1496 wrote to memory of 1404	1496	FearstCheat.exe	72
PID 1496 wrote to memory of 1404	1496	FearstCheat.exe	72
PID 1496 wrote to memory of 1404	1496	FearstCheat.exe	72
PID 1496 wrote to memory of 1404	1496	FearstCheat.exe	72
PID 1496 wrote to memory of 1404	1496	FearstCheat.exe	72
PID 1496 wrote to memory of 1404	1496	FearstCheat.exe	72
PID 1496 wrote to memory of 1404	1496	FearstCheat.exe	72
PID 1404 wrote to memory of 4380	1404	MSBuild.exe	74
PID 1404 wrote to memory of 4380	1404	MSBuild.exe	74
PID 1404 wrote to memory of 4380	1404	MSBuild.exe	74
PID 1404 wrote to memory of 2004	1404	MSBuild.exe	76
PID 1404 wrote to memory of 2004	1404	MSBuild.exe	76
PID 1404 wrote to memory of 2004	1404	MSBuild.exe	76
PID 1404 wrote to memory of 4736	1404	MSBuild.exe	78
PID 1404 wrote to memory of 4736	1404	MSBuild.exe	78
PID 1404 wrote to memory of 4736	1404	MSBuild.exe	78
PID 1404 wrote to memory of 4480	1404	MSBuild.exe	80
PID 1404 wrote to memory of 4480	1404	MSBuild.exe	80
PID 1404 wrote to memory of 4480	1404	MSBuild.exe	80
PID 1404 wrote to memory of 1840	1404	MSBuild.exe	82
PID 1404 wrote to memory of 1840	1404	MSBuild.exe	82
PID 1404 wrote to memory of 1840	1404	MSBuild.exe	82

C:\Users\Admin\AppData\Local\Temp\FearstCheat.exe
"C:\Users\Admin\AppData\Local\Temp\FearstCheat.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4380
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MSBuild.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$77.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4736
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4480
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77" /tr "C:\Users\Admin\AppData\Roaming\$77.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3db0de783af600eeba0913c24748a72a

SHA1
713cd9bb8ddc4abffe540ee4ddc03a11908bca2f

SHA256
643eeefbea26b727f28dd35cb097dff5d8d607ae3c31b8be97ab032d37ed7edc

SHA512
dbe72dc08841a647e9e5cd800b4342a0d64f784d8e8dda68d3f8426e26e794b0ae82cc5f84f0ada168382a8cc619e55c4f69ff8bbb41dff3e93b8aa5d28a6e1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2821074d4ee07170c720f0ccdfcbde79

SHA1
fd3c8d9f981bb1989a01494797c7a0556cb86fa2

SHA256
4d569eff063c7845b9d6061d7c06962d1113fed2217442bf12fb8ed7b64ce1d0

SHA512
5d323a480cff2d347842d8c80f2a1b13be0a3473a6287746c38802bc5df3e7d8c83b4d4c3b5328648b7240c433766608d241e36eba993956646e084a495ef8aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ada0431564cb7c7234bfbd8b6d0529a5

SHA1
697be4d8a88744f12ed3f6da7ba828584a70dc86

SHA256
40d00e089e8a7582d6adf6b6546d32b96f26e6947437d3bc323c17a0dee93e19

SHA512
503bd6d338061d2c249f7bb439b47e953a108b212410c19fee27a2cf6c2c05ccdd0ddcda97bc380b36a83f409e870c51d0ac2cf3089d05984bbd5ce4c5341ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u55ohdvu.eg2.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/1404-7-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1404-10-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/1404-966-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/1404-743-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/1496-0-0x00000000731EE000-0x00000000731EF000-memory.dmp

Filesize
4KB

Download
memory/1496-9-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/1496-1-0x0000000000C80000-0x0000000000E30000-memory.dmp

Filesize
1.7MB

Download
memory/1496-6-0x0000000005ED0000-0x0000000005F86000-memory.dmp

Filesize
728KB

Download
memory/1496-2-0x00000000731E0000-0x00000000738CE000-memory.dmp

Filesize
6.9MB

Download
memory/1496-3-0x00000000057A0000-0x000000000583C000-memory.dmp

Filesize
624KB

Download
memory/1496-4-0x0000000006350000-0x000000000684E000-memory.dmp

Filesize
5.0MB

Download
memory/2004-280-0x000000006F1C0000-0x000000006F20B000-memory.dmp

Filesize
300KB

Download
memory/4380-16-0x00000000075C0000-0x0000000007626000-memory.dmp

Filesize
408KB

Download
memory/4380-20-0x0000000008190000-0x00000000081DB000-memory.dmp

Filesize
300KB

Download
memory/4380-38-0x0000000008E40000-0x0000000008E73000-memory.dmp

Filesize
204KB

Download
memory/4380-39-0x000000006F1C0000-0x000000006F20B000-memory.dmp

Filesize
300KB

Download
memory/4380-40-0x0000000008E20000-0x0000000008E3E000-memory.dmp

Filesize
120KB

Download
memory/4380-45-0x0000000008F80000-0x0000000009025000-memory.dmp

Filesize
660KB

Download
memory/4380-46-0x0000000009360000-0x00000000093F4000-memory.dmp

Filesize
592KB

Download
memory/4380-239-0x0000000009300000-0x000000000931A000-memory.dmp

Filesize
104KB

Download
memory/4380-244-0x00000000092F0000-0x00000000092F8000-memory.dmp

Filesize
32KB

Download
memory/4380-21-0x0000000007F60000-0x0000000007FD6000-memory.dmp

Filesize
472KB

Download
memory/4380-19-0x0000000007690000-0x00000000076AC000-memory.dmp

Filesize
112KB

Download
memory/4380-18-0x0000000007880000-0x0000000007BD0000-memory.dmp

Filesize
3.3MB

Download
memory/4380-17-0x0000000007710000-0x0000000007776000-memory.dmp

Filesize
408KB

Download
memory/4380-13-0x0000000004450000-0x0000000004486000-memory.dmp

Filesize
216KB

Download
memory/4380-14-0x0000000006F90000-0x00000000075B8000-memory.dmp

Filesize
6.2MB

Download
memory/4380-15-0x0000000006DE0000-0x0000000006E02000-memory.dmp

Filesize
136KB

Download
memory/4480-731-0x00000000077C0000-0x0000000007B10000-memory.dmp

Filesize
3.3MB

Download
memory/4480-750-0x000000006F1C0000-0x000000006F20B000-memory.dmp

Filesize
300KB

Download
memory/4736-514-0x000000006F1C0000-0x000000006F20B000-memory.dmp

Filesize
300KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads