Analysis

  • max time kernel
    142s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240319-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/04/2024, 11:28

General

  • Target

    b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe

  • Size

    7.0MB

  • MD5

    6b47add2cf208a988c57c8f00461de0b

  • SHA1

    cf9518f4bd3cf94ab7225423e4365f4a262a9c61

  • SHA256

    b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07

  • SHA512

    e2f5eb2e82ab1951e0bfe0994219ed676a71ccb9804be7ebbea42d9ad9596922c16600a101caccbbfd161b98fcc2d7b3e9591afb66e1878627f6cee0918b6a35

  • SSDEEP

    196608:oA+bmZgkjTKD4C4+e4YcJE4AcnPmP99j+zE/k:oAEGZjTvC4EtAcPmPJ/

Score
10/10

Malware Config

Extracted

Family

xworm

C2

210.246.215.82:7000

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    WindowsNT.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information (vendor/version strings under the hardware description keys) is often read to fingerprint the machine and detect virtual-machine or sandbox environments.

  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe
    "C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      "C:\Users\Admin\AppData\Roaming\XClient.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2920
    • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
      "C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe"
      2⤵
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XblAuthManager
        3⤵
        • Executes dropped EXE
        PID:2756
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XblGameSave
        3⤵
        • Executes dropped EXE
        PID:2420
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XboxGipSvc
        3⤵
        • Executes dropped EXE
        PID:2176
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XboxNetApiSvc
        3⤵
        • Executes dropped EXE
        PID:2520
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop xboxgip
        3⤵
        • Executes dropped EXE
        PID:2820
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XblAuthManager
        3⤵
        • Executes dropped EXE
        PID:2668
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XblGameSave
        3⤵
        PID:2196
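As an added detection example (not part of the sandbox report or of the sample's own code): the indicators above, the C2 endpoint, the %ProgramData%\WindowsNT.exe install location from the extracted config, the SHA256 of the two dropped executables, and the "stop"/"delete" service commands that the spawned copies of xSpoofer-new.exe carry on their command lines, are turned into checks that run over constructed Sysmon-style events (EventID 1 process create, 3 network connect, 11 file create). The event dictionaries, the benign sc.exe event with PID 4100, the WindowsNT.exe file-create and the 192.0.2.10 connection are assumptions made up for illustration; the report itself lists only the two downloads, the C2 and the process tree.

```python
import re
from typing import Iterable

# --- Indicators lifted from this report ---------------------------------
C2_HOST, C2_PORT = "210.246.215.82", 7000                 # Malware Config -> C2
INSTALL_FILE_PARTS = ("programdata", "windowsnt.exe")     # %ProgramData%\WindowsNT.exe
DROPPED_SHA256 = {                                         # Downloads section
    "3c468ad439464cebe619052e06cf797b296ab0d9bcf88d475fb5c9b42b489573": "XClient.exe",
    "edb57df920f62e6f1241695f8a46e420f104455a54fe91431db545834fd8d5ba": "xSpoofer-new.exe",
}
# Services stopped/deleted in the process tree
XBOX_SERVICES = {s.lower() for s in
                 ("XblAuthManager", "XblGameSave", "XboxGipSvc", "XboxNetApiSvc", "xboxgip")}
# "<image> stop|delete <service>": the sc.exe verb vocabulary seen on the child command lines
SVC_CMD = re.compile(r'^\s*"?[^"\s]+"?\s+(?P<verb>stop|delete)\s+(?P<svc>\S+)\s*$', re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _hashes(ev: dict) -> dict:
    """Sysmon writes 'MD5=..,SHA256=..'; return it as a dict of lowercase values."""
    return {k.upper(): v.lower() for k, _, v in
            (kv.partition("=") for kv in ev.get("Hashes", "").split(",")) if k}


def check_process_create(ev: dict) -> list:
    alerts = []
    m = SVC_CMD.match(ev.get("CommandLine", ""))
    if m and m.group("svc").lower() in XBOX_SERVICES:
        # sc.exe stopping a game service is routine admin noise; the same verbs issued
        # by any other image (in the report: the dropper's own binary) is the signal.
        sev = "low" if _basename(ev.get("Image", "")) == "sc.exe" else "high"
        alerts.append(("xbox_service_tamper", sev, ev["ProcessId"],
                       f"{m.group('verb').lower()} {m.group('svc')}"))
    sha = _hashes(ev).get("SHA256")
    if sha in DROPPED_SHA256:
        alerts.append(("known_dropped_exe", "high", ev["ProcessId"], DROPPED_SHA256[sha]))
    return alerts


def check_network(ev: dict) -> list:
    if ev.get("DestinationIp") == C2_HOST and int(ev.get("DestinationPort", 0)) == C2_PORT:
        return [("xworm_c2_connection", "high", ev["ProcessId"], f"{C2_HOST}:{C2_PORT}")]
    return []


def check_file_create(ev: dict) -> list:
    # Match <drive>:\ProgramData\WindowsNT.exe regardless of drive letter or case
    parts = ev.get("TargetFilename", "").lower().replace("/", "\\").split("\\")
    if tuple(parts[-2:]) == INSTALL_FILE_PARTS:
        return [("xworm_install_file", "high", ev["ProcessId"], ev["TargetFilename"])]
    return []


CHECKS = {1: check_process_create, 3: check_network, 11: check_file_create}


def detect(events: Iterable[dict]) -> list:
    """Route each event to the check for its EventID; return (rule, severity, pid, detail) tuples."""
    alerts = []
    for ev in events:
        alerts.extend(CHECKS.get(ev.get("EventID"), lambda _e: [])(ev))
    return alerts


ROAMING = r"C:\Users\Admin\AppData\Roaming"
XSPOOFER_SHA = "edb57df920f62e6f1241695f8a46e420f104455a54fe91431db545834fd8d5ba"
SAMPLE_EVENTS = [  # constructed to mirror the process tree; not real telemetry
    {"EventID": 1, "ProcessId": 2744, "Image": ROAMING + r"\xSpoofer-new.exe",
     "CommandLine": f'"{ROAMING}\\xSpoofer-new.exe"', "Hashes": "SHA256=" + XSPOOFER_SHA.upper()},
    {"EventID": 1, "ProcessId": 2756, "Image": ROAMING + r"\xSpoofer-new.exe",
     "CommandLine": ROAMING + r"\xSpoofer-new.exe stop XblAuthManager",
     "Hashes": "MD5=233320478ce264f9e08d249244dc4fdb,SHA256=" + XSPOOFER_SHA},
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Windows\System32\sc.exe",   # benign admin (assumed)
     "CommandLine": "sc stop XblGameSave", "Hashes": "SHA256=" + "0" * 64},
    {"EventID": 3, "ProcessId": 2920, "DestinationIp": "210.246.215.82", "DestinationPort": 7000},
    {"EventID": 3, "ProcessId": 2920, "DestinationIp": "192.0.2.10", "DestinationPort": 443},
    {"EventID": 11, "ProcessId": 2920, "TargetFilename": r"C:\ProgramData\WindowsNT.exe"},
    {"EventID": 11, "ProcessId": 2324, "TargetFilename": ROAMING + r"\XClient.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert, sep="\t")
```

The hash and C2 checks are exact-match and will only ever catch this build; the service-tamper rule is the one with reach, because it keys on the verb vocabulary plus the image that issues it rather than on anything specific to the sample, which is why the benign sc.exe case is scored low instead of suppressed.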

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Roaming\XClient.exe

            Filesize

            87KB

            MD5

            626eb43e3611e3217f8602f7b8206889

            SHA1

            358935565a0a495a62559b204b7b41cbc365d8d9

            SHA256

            3c468ad439464cebe619052e06cf797b296ab0d9bcf88d475fb5c9b42b489573

            SHA512

            f4bf30eeadb557501362de71d4b6d58ab498d98e52b453f6e20309da36fe288d098dab9bb08cfcecf12787536ff20f0e649401ab6b0ff75e6671a4f3ebc4cd29

          • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

            Filesize

            6.8MB

            MD5

            233320478ce264f9e08d249244dc4fdb

            SHA1

            af46758a7c39b4edf4b5b0819f732abb5ad19e17

            SHA256

            edb57df920f62e6f1241695f8a46e420f104455a54fe91431db545834fd8d5ba

            SHA512

            b1c06e96cbabd58f8489a18c8c270718cea634a9bbd4fd67786cd5d31cfa475d4f97e2389f1ce2b5ddf10db9687b5cb5361e878d29427f9670f59343468d5967

          • memory/2176-57-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

            Filesize

            4KB

          • memory/2176-63-0x0000000100000000-0x000000010000F000-memory.dmp

            Filesize

            60KB

          • memory/2324-0-0x0000000000090000-0x000000000079E000-memory.dmp

            Filesize

            7.1MB

          • memory/2324-1-0x000007FEF60B0000-0x000007FEF6A9C000-memory.dmp

            Filesize

            9.9MB

          • memory/2324-77-0x000007FEF60B0000-0x000007FEF6A9C000-memory.dmp

            Filesize

            9.9MB

          • memory/2420-49-0x0000000100000000-0x000000010000F000-memory.dmp

            Filesize

            60KB

          • memory/2420-43-0x000007FFFFFDE000-0x000007FFFFFDF000-memory.dmp

            Filesize

            4KB

          • memory/2520-78-0x0000000100000000-0x000000010000F000-memory.dmp

            Filesize

            60KB

          • memory/2520-71-0x000007FFFFFDD000-0x000007FFFFFDE000-memory.dmp

            Filesize

            4KB

          • memory/2668-111-0x0000000100000000-0x000000010000F000-memory.dmp

            Filesize

            60KB

          • memory/2744-37-0x0000000004430000-0x0000000004F20000-memory.dmp

            Filesize

            10.9MB

          • memory/2744-16-0x0000000077C80000-0x0000000077E29000-memory.dmp

            Filesize

            1.7MB

          • memory/2744-96-0x0000000004430000-0x0000000004F20000-memory.dmp

            Filesize

            10.9MB

          • memory/2744-95-0x0000000077C80000-0x0000000077E29000-memory.dmp

            Filesize

            1.7MB

          • memory/2744-94-0x000000013FB20000-0x0000000140610000-memory.dmp

            Filesize

            10.9MB

          • memory/2744-14-0x000000013FB20000-0x0000000140610000-memory.dmp

            Filesize

            10.9MB

          • memory/2744-31-0x0000000004430000-0x0000000004F20000-memory.dmp

            Filesize

            10.9MB

          • memory/2756-20-0x0000000100000000-0x000000010000F000-memory.dmp

            Filesize

            60KB

          • memory/2756-22-0x0000000100000000-0x000000010000F000-memory.dmp

            Filesize

            60KB

          • memory/2756-19-0x0000000100000000-0x000000010000F000-memory.dmp

            Filesize

            60KB

          • memory/2756-18-0x0000000100000000-0x000000010000F000-memory.dmp

            Filesize

            60KB

          • memory/2756-24-0x0000000100000000-0x000000010000F000-memory.dmp

            Filesize

            60KB

          • memory/2756-25-0x000007FFFFFDA000-0x000007FFFFFDB000-memory.dmp

            Filesize

            4KB

          • memory/2756-27-0x0000000100000000-0x000000010000F000-memory.dmp

            Filesize

            60KB

          • memory/2756-32-0x0000000100000000-0x000000010000F000-memory.dmp

            Filesize

            60KB

          • memory/2756-21-0x0000000100000000-0x000000010000F000-memory.dmp

            Filesize

            60KB

          • memory/2756-30-0x0000000100000000-0x000000010000F000-memory.dmp

            Filesize

            60KB

          • memory/2756-23-0x0000000100000000-0x000000010000F000-memory.dmp

            Filesize

            60KB

          • memory/2756-33-0x000000013FB20000-0x0000000140610000-memory.dmp

            Filesize

            10.9MB

          • memory/2820-87-0x000007FFFFFD4000-0x000007FFFFFD5000-memory.dmp

            Filesize

            4KB

          • memory/2820-93-0x0000000100000000-0x000000010000F000-memory.dmp

            Filesize

            60KB

          • memory/2920-80-0x000007FEF60B0000-0x000007FEF6A9C000-memory.dmp

            Filesize

            9.9MB

          • memory/2920-7-0x0000000000870000-0x000000000088C000-memory.dmp

            Filesize

            112KB

          • memory/2920-98-0x000000001B1A0000-0x000000001B220000-memory.dmp

            Filesize

            512KB

          • memory/2920-8-0x000007FEF60B0000-0x000007FEF6A9C000-memory.dmp

            Filesize

            9.9MB

          • memory/2920-120-0x000007FEF60B0000-0x000007FEF6A9C000-memory.dmp

            Filesize

            9.9MB