Overview

overview

10

Static

static

3

MythoxCheats.exe

windows7-x64

10

MythoxCheats.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    08/11/2024, 20:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MythoxCheats.exe

  • Size

    3.9MB

  • MD5

    0a237b5441585a97c5be411c8c255fb4

  • SHA1

    5996a18a2702b37a4a90a2e5a5a36bb2ea468b0c

  • SHA256

    775d1aedd10e9b235c016071c063b31f03c30e5ec665b45bab20c91f9f7f2e24

  • SHA512

    8201ffd7fd7351f20788bd96388a7e2073d368f380ada45ccb3aa574ac1f2fd7f1a3d6568096734cc0e7bc9cadda42b2d6253b0872fd8d43e0f4ae43a4739402

  • SSDEEP

    98304:b4FY5aHCXBgMsW9fYfdGpZ8WPfotjICkvunySH:06Q8iM/9lqCfoxz

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:28019

chilhoek-28019.portmap.host:28019

lijaligibidu-35558.portmap.host:35558
Attributes
  • Install_directory

    %AppData%

  • install_file

    svhost.exe

  • telegram

    https://api.telegram.org/bot7460505018:AAGtMNP89kfVCbpYBPLkO5O4JcFb8YqssUk

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Executes dropped EXE 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MythoxCheats.exe
    "C:\Users\Admin\AppData\Local\Temp\MythoxCheats.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Users\Admin\AppData\Roaming\XClient (1).exe
      "C:\Users\Admin\AppData\Roaming\XClient (1).exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3036
    • C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe
      "C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2092
    • C:\Users\Admin\AppData\Roaming\NovaManagerInstaller.exe
      "C:\Users\Admin\AppData\Roaming\NovaManagerInstaller.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates system info in registry
      PID:2800

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NovaManagerInstaller.exe
    Filesize

    3.8MB

    MD5

    4d0438297aedcf3351e2399ee7b9a034

    SHA1

    6b37d1a0f585c6b056b98196c13662a588d3f5e6

    SHA256

    fe4845b2f864fa1f62d04e185237aa7434d031072e601a1b5e3acee09dc66e91

    SHA512

    60d85bf1ad55302ab94baa30137a00eff52d08faaffe18f0a098998d11fd79cfd4ad4bc220f2565b076bd44022ae44532cc78035d46dc8bddbf6f461ab16c5a0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe
    Filesize

    75KB

    MD5

    cf219a189dae4a022f26dd58cd5367e6

    SHA1

    76c2e7b756e894afc4e5fd7267fce398d58c518f

    SHA256

    725c0bcdb953e39e96a0192d2712b261541647259e494c583d19697a10d2ffbe

    SHA512

    21dc7cdd5ea07be708a5c696708207a1760851d2fbb608969254a8f3e806bbb87b6b27a4d5f4cecf1b5d90f6fc81759fd9f6222ddafdb955d41b0333ea085f1f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\XClient (1).exe
    Filesize

    81KB

    MD5

    c1b7e4e3a25be04cc93a44017bd58298

    SHA1

    b40e7d99a41bd49172cd23470ccb4387b3351942

    SHA256

    9f36f62ffb252f041490ccf9faf344e03a7987a566cc399f0be06e4e5e60fbcb

    SHA512

    4192250e78e0a3440e2b5d1b7782566a55d96fa8a68877ff8869f617ce3095374289c78ea3d200082fb91efb8fcbce8fea946fcfea08cef05265a2c3512f99cf

    Download Submit

  • memory/2092-14-0x0000000000F70000-0x0000000000F88000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2384-1-0x0000000000C30000-0x0000000001022000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2384-0-0x000007FEF5B43000-0x000007FEF5B44000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2800-23-0x000000001B960000-0x000000001BAAE000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2800-21-0x0000000001270000-0x0000000001638000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2800-24-0x0000000000240000-0x0000000000254000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2800-25-0x000000001BCB0000-0x000000001BEC6000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/3036-22-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3036-15-0x00000000002C0000-0x00000000002DA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3036-26-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

    Filesize

    9.9MB

    Download