xworm | ef54499ab3090303e596e68913d9693590aa9984e076a2a61149eb65d57d8768

General

Target

FORNITE CHEATS.exe
Size

110KB
MD5

75a8734fc3c824ca35076cf207464f3b
SHA1

b155f2ab391a48a201325f9b8cfca29f715c6278
SHA256

ef54499ab3090303e596e68913d9693590aa9984e076a2a61149eb65d57d8768
SHA512

76bcaf6d0314ab5e0636f4620c63d89b77e0d0cc030d227580bd90ec72fcbc74ffb6c020353186c8f0437e4647e11da8fdb231acd761ecf2bbda69a3d2d2a9a5
SSDEEP

3072:rYbI6yh0etRYheyF4rdzbKMxIrFvI5gcDMB:cb7HetRYhevdD+rFQ/Q

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

C2

kind-sofa.gl.at.ply.gg:31503

Attributes

Install_directory
%ProgramData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000001923e-14.dat	family_xworm
behavioral1/memory/1644-18-0x0000000000B20000-0x0000000000B38000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Deletes itself 1 IoCs

pid	Process
2256	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\setup_x86.lnk	setup_x86.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\setup_x86.lnk	setup_x86.exe

Executes dropped EXE 1 IoCs

pid	Process
1644	setup_x86.exe

Loads dropped DLL 1 IoCs

pid	Process
2256	cmd.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FORNITE CHEATS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_XBOX&Prod_CD-ROM	FORNITE CHEATS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VBOX&Prod_HARDDISK	FORNITE CHEATS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD01	FORNITE CHEATS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_NVMe&Prod_VMware_Virtual_N	FORNITE CHEATS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	FORNITE CHEATS.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2300	timeout.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	setup_x86.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	setup_x86.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2192	FORNITE CHEATS.exe
2192	FORNITE CHEATS.exe
2192	FORNITE CHEATS.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	FORNITE CHEATS.exe
Token: SeDebugPrivilege	1644	setup_x86.exe
Token: SeDebugPrivilege	1644	setup_x86.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2256	2192	FORNITE CHEATS.exe	28
PID 2192 wrote to memory of 2256	2192	FORNITE CHEATS.exe	28
PID 2192 wrote to memory of 2256	2192	FORNITE CHEATS.exe	28
PID 2192 wrote to memory of 2256	2192	FORNITE CHEATS.exe	28
PID 2256 wrote to memory of 2300	2256	cmd.exe	30
PID 2256 wrote to memory of 2300	2256	cmd.exe	30
PID 2256 wrote to memory of 2300	2256	cmd.exe	30
PID 2256 wrote to memory of 2300	2256	cmd.exe	30
PID 2256 wrote to memory of 1644	2256	cmd.exe	33
PID 2256 wrote to memory of 1644	2256	cmd.exe	33
PID 2256 wrote to memory of 1644	2256	cmd.exe	33
PID 2256 wrote to memory of 1644	2256	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\FORNITE CHEATS.exe
"C:\Users\Admin\AppData\Local\Temp\FORNITE CHEATS.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\melt.bat" "
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 5
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2300
- - C:\Users\Admin\AppData\Roaming\setup_x86.exe
    "C:\Users\Admin\AppData\Roaming\setup_x86.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\melt.bat

Filesize
147B

MD5
0bc088b478e3f7e0da726928b1bf0ef7

SHA1
79424c0cd41292f7ad694f0891be7f2a20027df4

SHA256
7753884980250a8fd4bca4fa37efa7f9c6b5cd027cb034a3d891f6788bc322e5

SHA512
20b54eea4e88c6f133f807232d776e56d84dfeed0714b4f8083e5ce0500f16cdf6e68ab0a64e9dbd3050672f9e1cfd4b47ac2e930a09d22523ff10f9a823b30e

Download Submit
\Users\Admin\AppData\Roaming\setup_x86.exe

Filesize
68KB

MD5
0a1f42ae1cba0eca4a9f30a1e8afaa9e

SHA1
5fe21210113286d6e01669d36e6c767e8a0acfbc

SHA256
3a8ee51971cbd794a3e87c71e628108de2d87a750668b70c4baae3c0f8eda65a

SHA512
b41f50e5506725a1edbf0852ea96636717c016746fed23082c72510eb7f5cfaebe03e2d7a64b7b59921e72e2115dc8cd060457bbb3fe11d787c8dc01d1fd9f4d

Download Submit
memory/1644-17-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp

Filesize
4KB

Download
memory/1644-18-0x0000000000B20000-0x0000000000B38000-memory.dmp

Filesize
96KB

Download
memory/1644-23-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp

Filesize
4KB

Download
memory/2192-0-0x0000000074CCE000-0x0000000074CCF000-memory.dmp

Filesize
4KB

Download
memory/2192-1-0x0000000000190000-0x000000000019C000-memory.dmp

Filesize
48KB

Download
memory/2192-2-0x0000000074CC0000-0x00000000753AE000-memory.dmp

Filesize
6.9MB

Download
memory/2192-13-0x0000000074CC0000-0x00000000753AE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing