xworm | ef54499ab3090303e596e68913d9693590aa9984e076a2a61149eb65d57d8768

General

Target

FORNITE CHEATS.exe
Size

110KB
MD5

75a8734fc3c824ca35076cf207464f3b
SHA1

b155f2ab391a48a201325f9b8cfca29f715c6278
SHA256

ef54499ab3090303e596e68913d9693590aa9984e076a2a61149eb65d57d8768
SHA512

76bcaf6d0314ab5e0636f4620c63d89b77e0d0cc030d227580bd90ec72fcbc74ffb6c020353186c8f0437e4647e11da8fdb231acd761ecf2bbda69a3d2d2a9a5
SSDEEP

3072:rYbI6yh0etRYheyF4rdzbKMxIrFvI5gcDMB:cb7HetRYhevdD+rFQ/Q

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

C2

kind-sofa.gl.at.ply.gg:31503

Attributes

Install_directory
%ProgramData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023caa-16.dat	family_xworm
behavioral2/memory/2264-19-0x00000000000B0000-0x00000000000C8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	FORNITE CHEATS.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\setup_x86.lnk	setup_x86.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\setup_x86.lnk	setup_x86.exe

Executes dropped EXE 1 IoCs

pid	Process
2264	setup_x86.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FORNITE CHEATS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VBOX&Prod_HARDDISK	FORNITE CHEATS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD01	FORNITE CHEATS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_NVMe&Prod_VMware_Virtual_N	FORNITE CHEATS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	FORNITE CHEATS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_XBOX&Prod_CD-ROM	FORNITE CHEATS.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3676	timeout.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2480	FORNITE CHEATS.exe
2480	FORNITE CHEATS.exe
2480	FORNITE CHEATS.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2480	FORNITE CHEATS.exe
Token: SeDebugPrivilege	2264	setup_x86.exe
Token: SeDebugPrivilege	2264	setup_x86.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 3708	2480	FORNITE CHEATS.exe	83
PID 2480 wrote to memory of 3708	2480	FORNITE CHEATS.exe	83
PID 2480 wrote to memory of 3708	2480	FORNITE CHEATS.exe	83
PID 3708 wrote to memory of 3676	3708	cmd.exe	85
PID 3708 wrote to memory of 3676	3708	cmd.exe	85
PID 3708 wrote to memory of 3676	3708	cmd.exe	85
PID 3708 wrote to memory of 2264	3708	cmd.exe	94
PID 3708 wrote to memory of 2264	3708	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\FORNITE CHEATS.exe
"C:\Users\Admin\AppData\Local\Temp\FORNITE CHEATS.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\melt.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 5
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3676
- - C:\Users\Admin\AppData\Roaming\setup_x86.exe
    "C:\Users\Admin\AppData\Roaming\setup_x86.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\melt.bat

Filesize
147B

MD5
0bc088b478e3f7e0da726928b1bf0ef7

SHA1
79424c0cd41292f7ad694f0891be7f2a20027df4

SHA256
7753884980250a8fd4bca4fa37efa7f9c6b5cd027cb034a3d891f6788bc322e5

SHA512
20b54eea4e88c6f133f807232d776e56d84dfeed0714b4f8083e5ce0500f16cdf6e68ab0a64e9dbd3050672f9e1cfd4b47ac2e930a09d22523ff10f9a823b30e

Download Submit
C:\Users\Admin\AppData\Roaming\setup_x86.exe

Filesize
68KB

MD5
0a1f42ae1cba0eca4a9f30a1e8afaa9e

SHA1
5fe21210113286d6e01669d36e6c767e8a0acfbc

SHA256
3a8ee51971cbd794a3e87c71e628108de2d87a750668b70c4baae3c0f8eda65a

SHA512
b41f50e5506725a1edbf0852ea96636717c016746fed23082c72510eb7f5cfaebe03e2d7a64b7b59921e72e2115dc8cd060457bbb3fe11d787c8dc01d1fd9f4d

Download Submit
memory/2264-26-0x00007FFAAB720000-0x00007FFAAC1E1000-memory.dmp

Filesize
10.8MB

Download
memory/2264-25-0x00007FFAAB723000-0x00007FFAAB725000-memory.dmp

Filesize
8KB

Download
memory/2264-20-0x00007FFAAB720000-0x00007FFAAC1E1000-memory.dmp

Filesize
10.8MB

Download
memory/2264-19-0x00000000000B0000-0x00000000000C8000-memory.dmp

Filesize
96KB

Download
memory/2264-18-0x00007FFAAB723000-0x00007FFAAB725000-memory.dmp

Filesize
8KB

Download
memory/2480-4-0x0000000004E50000-0x0000000004EE2000-memory.dmp

Filesize
584KB

Download
memory/2480-13-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/2480-7-0x0000000004F50000-0x0000000004FA6000-memory.dmp

Filesize
344KB

Download
memory/2480-6-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/2480-5-0x0000000004E10000-0x0000000004E1A000-memory.dmp

Filesize
40KB

Download
memory/2480-0-0x00000000747CE000-0x00000000747CF000-memory.dmp

Filesize
4KB

Download
memory/2480-3-0x0000000005360000-0x0000000005904000-memory.dmp

Filesize
5.6MB

Download
memory/2480-2-0x0000000004D10000-0x0000000004DAC000-memory.dmp

Filesize
624KB

Download
memory/2480-1-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads