xworm | ef54499ab3090303e596e68913d9693590aa9984e076a2a61149eb65d57d8768

General

Target

FORNITECHEATS.exe
Size

110KB
MD5

75a8734fc3c824ca35076cf207464f3b
SHA1

b155f2ab391a48a201325f9b8cfca29f715c6278
SHA256

ef54499ab3090303e596e68913d9693590aa9984e076a2a61149eb65d57d8768
SHA512

76bcaf6d0314ab5e0636f4620c63d89b77e0d0cc030d227580bd90ec72fcbc74ffb6c020353186c8f0437e4647e11da8fdb231acd761ecf2bbda69a3d2d2a9a5
SSDEEP

3072:rYbI6yh0etRYheyF4rdzbKMxIrFvI5gcDMB:cb7HetRYhevdD+rFQ/Q

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

C2

kind-sofa.gl.at.ply.gg:31503

Attributes

Install_directory
%ProgramData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000018718-14.dat	family_xworm
behavioral1/memory/2848-18-0x0000000000B10000-0x0000000000B28000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Deletes itself 1 IoCs

pid	Process
2164	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\setup_x86.lnk	setup_x86.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\setup_x86.lnk	setup_x86.exe

Executes dropped EXE 1 IoCs

pid	Process
2848	setup_x86.exe

Loads dropped DLL 1 IoCs

pid	Process
2164	cmd.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FORNITECHEATS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S	FORNITECHEATS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_XBOX&Prod_CD-ROM	FORNITECHEATS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VBOX&Prod_HARDDISK	FORNITECHEATS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD01	FORNITECHEATS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_NVMe&Prod_VMware_Virtual_N	FORNITECHEATS.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3004	timeout.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	setup_x86.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	setup_x86.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2564	FORNITECHEATS.exe
2564	FORNITECHEATS.exe
2564	FORNITECHEATS.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2564	FORNITECHEATS.exe
Token: SeDebugPrivilege	2848	setup_x86.exe
Token: SeDebugPrivilege	2848	setup_x86.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 2164	2564	FORNITECHEATS.exe	30
PID 2564 wrote to memory of 2164	2564	FORNITECHEATS.exe	30
PID 2564 wrote to memory of 2164	2564	FORNITECHEATS.exe	30
PID 2564 wrote to memory of 2164	2564	FORNITECHEATS.exe	30
PID 2164 wrote to memory of 3004	2164	cmd.exe	32
PID 2164 wrote to memory of 3004	2164	cmd.exe	32
PID 2164 wrote to memory of 3004	2164	cmd.exe	32
PID 2164 wrote to memory of 3004	2164	cmd.exe	32
PID 2164 wrote to memory of 2848	2164	cmd.exe	33
PID 2164 wrote to memory of 2848	2164	cmd.exe	33
PID 2164 wrote to memory of 2848	2164	cmd.exe	33
PID 2164 wrote to memory of 2848	2164	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\FORNITECHEATS.exe
"C:\Users\Admin\AppData\Local\Temp\FORNITECHEATS.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\melt.bat" "
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 5
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3004
- - C:\Users\Admin\AppData\Roaming\setup_x86.exe
    "C:\Users\Admin\AppData\Roaming\setup_x86.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\melt.bat

Filesize
146B

MD5
56a95060679b691ce409491ef87b29b5

SHA1
e3c404613fdc15565fa2224b365b5e4b27c40320

SHA256
b02cdaa2643bddc89f57baa1f2ce55a4d44e924c13522bd5bc94011a6807e6fb

SHA512
7c944417ec18d95649eab7518a02d350dbfa1d6a04063c9553188f8c4576e2300eadaa00fc3a155e10f5428bc307d02d987ec230f094845ba4974ce1ee2440b5

Download Submit
\Users\Admin\AppData\Roaming\setup_x86.exe

Filesize
68KB

MD5
0a1f42ae1cba0eca4a9f30a1e8afaa9e

SHA1
5fe21210113286d6e01669d36e6c767e8a0acfbc

SHA256
3a8ee51971cbd794a3e87c71e628108de2d87a750668b70c4baae3c0f8eda65a

SHA512
b41f50e5506725a1edbf0852ea96636717c016746fed23082c72510eb7f5cfaebe03e2d7a64b7b59921e72e2115dc8cd060457bbb3fe11d787c8dc01d1fd9f4d

Download Submit
memory/2564-0-0x000000007485E000-0x000000007485F000-memory.dmp

Filesize
4KB

Download
memory/2564-1-0x0000000000E10000-0x0000000000E1C000-memory.dmp

Filesize
48KB

Download
memory/2564-2-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download
memory/2564-12-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download
memory/2848-17-0x000007FEF5A03000-0x000007FEF5A04000-memory.dmp

Filesize
4KB

Download
memory/2848-18-0x0000000000B10000-0x0000000000B28000-memory.dmp

Filesize
96KB

Download
memory/2848-23-0x000007FEF5A03000-0x000007FEF5A04000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing