Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

FPS_BY FILMGODX.exe

windows10-2004-x64

10

FPS_BY FILMGODX.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    63s
  • max time network
    66s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/11/2024, 00:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FPS_BY FILMGODX.exe

  • Size

    98KB

  • MD5

    20f5290def51514fefaed2b744ed961c

  • SHA1

    546f5c611c1d35c5104e2792c76934746f637987

  • SHA256

    3e6f0de70c94df15b3aecb8ce4370e26b62fa38a24bf3710d0d9f0a28b4da656

  • SHA512

    578c4cc3b0375587d13f4b6f28d063322aa4df1dc3a439bc2f22da57475d191b78f7cc6590483ba4462af5a70d7aa73fb6784ae527e46f8e64cb31b3274ef3e2

  • SSDEEP

    3072:gZtcSVYnM7ByozguHogUDqGB5xY7iBCYs9:gXFyaByoUuInqs0

Score
10/10
xwormdiscoveryexecutionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

45.141.27.248:7777

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Modifies file permissions 1 TTPs 8 IoCs
    discovery
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Power Settings 1 TTPs 3 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\FPS_BY FILMGODX.exe
    "C:\Users\Admin\AppData\Local\Temp\FPS_BY FILMGODX.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\FPS_BY FILMGODX.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:380
      • C:\Windows\system32\mode.com
        Mode 100,25
        3⤵
          PID:3300
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:4216
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
            3⤵
              PID:4900
            • C:\Windows\system32\powercfg.exe
              powercfg -delete 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
              3⤵
              • Power Settings
              • Suspicious use of AdjustPrivilegeToken
              PID:1140
            • C:\Windows\system32\powercfg.exe
              powercfg -delete 381b4222-f694-41f0-9685-ff5bb260df2e
              3⤵
              • Power Settings
              • Suspicious use of AdjustPrivilegeToken
              PID:756
            • C:\Windows\system32\powercfg.exe
              powercfg -delete a1841308-3541-4fab-bc81-f71556f20b4a
              3⤵
              • Power Settings
              • Suspicious use of AdjustPrivilegeToken
              PID:2856
            • C:\Windows\system32\takeown.exe
              takeown /f "C:\Users\Admin\AppData\Local\Temp" /r /d y
              3⤵
              • Modifies file permissions
              PID:2552
            • C:\Windows\system32\takeown.exe
              takeown /f "C:\Windows\Temp" /r /d y
              3⤵
              • Modifies file permissions
              PID:3980
            • C:\Windows\system32\takeown.exe
              takeown /f "C:\Windows\Temp" /r /d y
              3⤵
              • Modifies file permissions
              PID:1200
            • C:\Windows\system32\takeown.exe
              takeown /f C:\Users\Admin\AppData\Local\Temp /r /d y
              3⤵
              • Modifies file permissions
              PID:3672
            • C:\Windows\system32\takeown.exe
              takeown /f "C:\Users\Admin\AppData\Local\Temp" /r /d y
              3⤵
              • Modifies file permissions
              PID:1720
            • C:\Windows\system32\takeown.exe
              takeown /f "C:\Users\Admin\AppData\Local\Temp" /r /d y
              3⤵
              • Modifies file permissions
              PID:4976
            • C:\Windows\system32\takeown.exe
              takeown /f "C:\Windows\Temp" /r /d y
              3⤵
              • Modifies file permissions
              PID:4080
            • C:\Windows\system32\takeown.exe
              takeown /f "C:\Windows\Temp" /r /d y
              3⤵
              • Modifies file permissions
              PID:4940
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            "C:\Users\Admin\AppData\Roaming\svchost.exe"
            2⤵
            • Checks computer location settings
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4676
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:440
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3692
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1616
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:5012
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
              3⤵
              • Scheduled Task/Job: Scheduled Task
              PID:3612
        • C:\Users\Admin\AppData\Roaming\svchost.exe
          C:\Users\Admin\AppData\Roaming\svchost.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3524

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Command and Scripting Interpreter

        1
        T1059

        PowerShell

        1
        T1059.001

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Power Settings

        1
        T1653

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        File and Directory Permissions Modification

        1
        T1222

        Modify Registry

        1
        T1112

        Credential Access

        Credentials from Password Stores

        1
        T1555

        Credentials from Web Browsers

        1
        T1555.003

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Query Registry

        2
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\FPS_BY FILMGODX.exe.log
          Filesize

          654B

          MD5

          2ff39f6c7249774be85fd60a8f9a245e

          SHA1

          684ff36b31aedc1e587c8496c02722c6698c1c4e

          SHA256

          e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

          SHA512

          1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          d85ba6ff808d9e5444a4b369f5bc2730

          SHA1

          31aa9d96590fff6981b315e0b391b575e4c0804a

          SHA256

          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

          SHA512

          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          bd5940f08d0be56e65e5f2aaf47c538e

          SHA1

          d7e31b87866e5e383ab5499da64aba50f03e8443

          SHA256

          2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

          SHA512

          c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          307f2ff88aa5285fefdac601d8e516b2

          SHA1

          adc77c4b60b0e3e0caf606cdfa12a14ac1114877

          SHA256

          0ab5bc86fe7d968023b8aefc17f229251ca596e4a7436581d921d762fdd6d569

          SHA512

          6cbd566c374841aae8a056dd83d570da5d583ee8c110a69e2cf840a4dc975a925e57f772449c7c805df51b8ecce2831e139509238bebe0b4b1d4a47d12182918

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          205f6010c033eefc37d63d8ce846bce4

          SHA1

          417b1aabb447765a2aa149529a1f4f52ded194ea

          SHA256

          993dbee9fb487dbdff56c09a1df360ea68b583bd8b28b2c315ec9d92639f3697

          SHA512

          c6bbd60c82ffbc3297d1d355ab3c6692de97da0b3bdd60ea4aacec6d27d360341cefa11a4411d7b8877d54d1177b48f4dc003e2a391031cc1a304b177689bfaf

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Log.tmp
          Filesize

          1B

          MD5

          8277e0910d750195b448797616e091ad

          SHA1

          3c363836cf4e16666669a25da280a1865c2d2874

          SHA256

          18ac3e7343f016890c510e93f935261169d9e3f565436429830faf0934f4f8e4

          SHA512

          48fb10b15f3d44a09dc82d02b06581e0c0c69478c9fd2cf8f9093659019a1687baecdbb38c9e72b12169dc4148690f87467f9154f5931c5df665c6496cbfd5f5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Log.tmp
          Filesize

          53B

          MD5

          c6ec36c570d7088bf926449f5efcd352

          SHA1

          f778819a4da8c4df90e908a12d808328a4a0b07d

          SHA256

          9bccc169b00d530bfc1f516e364f0f4cffd3580cc8591734588235ec5b8c7318

          SHA512

          a916d81b4ae30663d0d2c9843de0ecc45af1ac80daebd65430399aa876e06f85a00b3a18a82c1db2cb9dd07e736394511fa92131b8aca2002dfaf5975e52ae3f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cz0swolr.tzm.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Roaming\FPS_BY FILMGODX.bat
          Filesize

          6KB

          MD5

          73fa858851ab9f0cb193111d183a3ba5

          SHA1

          3b6b20d02ce3e39a45b94984d150009e6ea501cb

          SHA256

          c63a1b8c63acb2c4cab3617934a7a88a7b7dc19a2a1144b7f1b1207ff95f26bb

          SHA512

          a08237eff698b5fee0909d1fc71a317d64408fd6cce378a259f7d3ac52577a927b553a10182d5d6552868d21a41a961760f49a987bbbaeadabefeee659457ba4

          Download Submit

        • C:\Users\Admin\AppData\Roaming\svchost.exe
          Filesize

          77KB

          MD5

          a50564ade45c0a409bb38c06673d6ab9

          SHA1

          91fd3510c4ccdc50d0eb08249c945271171d5f9f

          SHA256

          120b13c9edbd9f2fff0ca2e31efb17cef3cac1ea1b4025e8bc7b512f74021a6e

          SHA512

          7fb99769609027e850c5d6d69912b5dfe82025f24947fa9bff8d88a966ffda315dee8c77086ef171cf75089b6b4d6cb98975b53cbba040c40af50248c4f65cd0

          Download Submit

        • memory/440-27-0x0000028B99FF0000-0x0000028B9A012000-memory.dmp

          Filesize

          136KB

          Download

        • memory/2692-0-0x00007FF940713000-0x00007FF940715000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2692-1-0x0000000000350000-0x000000000036E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/4676-19-0x00007FF940710000-0x00007FF9411D1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4676-67-0x00007FF940710000-0x00007FF9411D1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4676-68-0x000000001EAB0000-0x000000001EABC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/4676-17-0x0000000000F40000-0x0000000000F5A000-memory.dmp

          Filesize

          104KB

          Download