Analysis
-
max time kernel
165s -
max time network
175s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
02/04/2024, 11:28
Static task
static1
Behavioral task
behavioral1
Sample
b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe
Resource
win7-20240319-en
General
-
Target
b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe
-
Size
7.0MB
-
MD5
6b47add2cf208a988c57c8f00461de0b
-
SHA1
cf9518f4bd3cf94ab7225423e4365f4a262a9c61
-
SHA256
b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07
-
SHA512
e2f5eb2e82ab1951e0bfe0994219ed676a71ccb9804be7ebbea42d9ad9596922c16600a101caccbbfd161b98fcc2d7b3e9591afb66e1878627f6cee0918b6a35
-
SSDEEP
196608:oA+bmZgkjTKD4C4+e4YcJE4AcnPmP99j+zE/k:oAEGZjTvC4EtAcPmPJ/
Malware Config
Extracted
xworm
210.246.215.82:7000
-
Install_directory
%ProgramData%
-
install_file
WindowsNT.exe
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral2/files/0x000800000002322b-7.dat family_xworm behavioral2/memory/4952-14-0x0000000000810000-0x000000000082C000-memory.dmp family_xworm -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ xSpoofer-new.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts xSpoofer-new.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion xSpoofer-new.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion xSpoofer-new.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion xSpoofer-new.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion xSpoofer-new.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe -
Executes dropped EXE 19 IoCs
pid Process 4952 XClient.exe 1576 xSpoofer-new.exe 4724 xSpoofer-new.exe 1996 xSpoofer-new.exe 868 xSpoofer-new.exe 3504 xSpoofer-new.exe 3116 xSpoofer-new.exe 532 xSpoofer-new.exe 5112 xSpoofer-new.exe 4576 xSpoofer-new.exe 4944 xSpoofer-new.exe 4416 xSpoofer-new.exe 2568 xSpoofer-new.exe 3288 xSpoofer-new.exe 4800 xSpoofer-new.exe 3588 xSpoofer-new.exe 488 xSpoofer-new.exe 1048 xSpoofer-new.exe 560 xSpoofer-new.exe -
resource yara_rule behavioral2/memory/560-187-0x0000000140000000-0x0000000140AE7000-memory.dmp themida behavioral2/memory/560-206-0x0000000140000000-0x0000000140AE7000-memory.dmp themida behavioral2/memory/560-210-0x0000000140000000-0x0000000140AE7000-memory.dmp themida behavioral2/memory/560-211-0x0000000140000000-0x0000000140AE7000-memory.dmp themida -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA xSpoofer-new.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 7 ip-api.com -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 560 xSpoofer-new.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 560 xSpoofer-new.exe -
Suspicious use of SetThreadContext 17 IoCs
description pid Process procid_target PID 1576 set thread context of 4724 1576 xSpoofer-new.exe 90 PID 1576 set thread context of 1996 1576 xSpoofer-new.exe 92 PID 1576 set thread context of 868 1576 xSpoofer-new.exe 94 PID 1576 set thread context of 3504 1576 xSpoofer-new.exe 96 PID 1576 set thread context of 3116 1576 xSpoofer-new.exe 98 PID 1576 set thread context of 532 1576 xSpoofer-new.exe 101 PID 1576 set thread context of 5112 1576 xSpoofer-new.exe 103 PID 1576 set thread context of 4576 1576 xSpoofer-new.exe 107 PID 1576 set thread context of 4944 1576 xSpoofer-new.exe 109 PID 1576 set thread context of 4416 1576 xSpoofer-new.exe 111 PID 1576 set thread context of 2568 1576 xSpoofer-new.exe 113 PID 1576 set thread context of 3288 1576 xSpoofer-new.exe 116 PID 1576 set thread context of 4800 1576 xSpoofer-new.exe 119 PID 1576 set thread context of 3588 1576 xSpoofer-new.exe 121 PID 1576 set thread context of 488 1576 xSpoofer-new.exe 123 PID 1576 set thread context of 1048 1576 xSpoofer-new.exe 125 PID 1576 set thread context of 560 1576 xSpoofer-new.exe 134 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1048 xSpoofer-new.exe 1048 xSpoofer-new.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4952 XClient.exe Token: SeDebugPrivilege 1576 xSpoofer-new.exe Token: SeDebugPrivilege 1048 xSpoofer-new.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2420 wrote to memory of 4952 2420 b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe 87 PID 2420 wrote to memory of 4952 2420 b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe 87 PID 2420 wrote to memory of 1576 2420 b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe 88 PID 2420 wrote to memory of 1576 2420 b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe 88 PID 1576 wrote to memory of 4724 1576 xSpoofer-new.exe 90 PID 1576 wrote to memory of 4724 1576 xSpoofer-new.exe 90 PID 1576 wrote to memory of 4724 1576 xSpoofer-new.exe 90 PID 1576 wrote to memory of 4724 1576 xSpoofer-new.exe 90 PID 1576 wrote to memory of 4724 1576 xSpoofer-new.exe 90 PID 1576 wrote to memory of 4724 1576 xSpoofer-new.exe 90 PID 1576 wrote to memory of 4724 1576 xSpoofer-new.exe 90 PID 1576 wrote to memory of 4724 1576 xSpoofer-new.exe 90 PID 1576 wrote to memory of 4724 1576 xSpoofer-new.exe 90 PID 1576 wrote to memory of 4724 1576 xSpoofer-new.exe 90 PID 1576 wrote to memory of 4724 1576 xSpoofer-new.exe 90 PID 1576 wrote to memory of 1996 1576 xSpoofer-new.exe 92 PID 1576 wrote to memory of 1996 1576 xSpoofer-new.exe 92 PID 1576 wrote to memory of 1996 1576 xSpoofer-new.exe 92 PID 1576 wrote to memory of 1996 1576 xSpoofer-new.exe 92 PID 1576 wrote to memory of 1996 1576 xSpoofer-new.exe 92 PID 1576 wrote to memory of 1996 1576 xSpoofer-new.exe 92 PID 1576 wrote to memory of 1996 1576 xSpoofer-new.exe 92 PID 1576 wrote to memory of 1996 1576 xSpoofer-new.exe 92 PID 1576 wrote to memory of 1996 1576 xSpoofer-new.exe 92 PID 1576 wrote to memory of 1996 1576 xSpoofer-new.exe 92 PID 1576 wrote to memory of 1996 1576 xSpoofer-new.exe 92 PID 1576 wrote to memory of 868 1576 xSpoofer-new.exe 94 PID 1576 wrote to memory of 868 1576 xSpoofer-new.exe 94 PID 1576 wrote to memory of 868 1576 xSpoofer-new.exe 94 PID 1576 wrote to memory of 868 1576 xSpoofer-new.exe 94 PID 1576 wrote to memory of 868 1576 xSpoofer-new.exe 94 PID 1576 wrote to memory of 868 1576 xSpoofer-new.exe 94 PID 1576 wrote to memory of 868 1576 xSpoofer-new.exe 94 PID 1576 wrote to memory of 868 1576 xSpoofer-new.exe 94 PID 1576 wrote to memory of 868 1576 xSpoofer-new.exe 94 PID 1576 wrote to memory of 868 1576 xSpoofer-new.exe 94 PID 1576 wrote to memory of 868 1576 xSpoofer-new.exe 94 PID 1576 wrote to memory of 3504 1576 xSpoofer-new.exe 96 PID 1576 wrote to memory of 3504 1576 xSpoofer-new.exe 96 PID 1576 wrote to memory of 3504 1576 xSpoofer-new.exe 96 PID 1576 wrote to memory of 3504 1576 xSpoofer-new.exe 96 PID 1576 wrote to memory of 3504 1576 xSpoofer-new.exe 96 PID 1576 wrote to memory of 3504 1576 xSpoofer-new.exe 96 PID 1576 wrote to memory of 3504 1576 xSpoofer-new.exe 96 PID 1576 wrote to memory of 3504 1576 xSpoofer-new.exe 96 PID 1576 wrote to memory of 3504 1576 xSpoofer-new.exe 96 PID 1576 wrote to memory of 3504 1576 xSpoofer-new.exe 96 PID 1576 wrote to memory of 3504 1576 xSpoofer-new.exe 96 PID 1576 wrote to memory of 3116 1576 xSpoofer-new.exe 98 PID 1576 wrote to memory of 3116 1576 xSpoofer-new.exe 98 PID 1576 wrote to memory of 3116 1576 xSpoofer-new.exe 98 PID 1576 wrote to memory of 3116 1576 xSpoofer-new.exe 98 PID 1576 wrote to memory of 3116 1576 xSpoofer-new.exe 98 PID 1576 wrote to memory of 3116 1576 xSpoofer-new.exe 98 PID 1576 wrote to memory of 3116 1576 xSpoofer-new.exe 98 PID 1576 wrote to memory of 3116 1576 xSpoofer-new.exe 98 PID 1576 wrote to memory of 3116 1576 xSpoofer-new.exe 98 PID 1576 wrote to memory of 3116 1576 xSpoofer-new.exe 98 PID 1576 wrote to memory of 3116 1576 xSpoofer-new.exe 98 PID 1576 wrote to memory of 532 1576 xSpoofer-new.exe 101 PID 1576 wrote to memory of 532 1576 xSpoofer-new.exe 101 PID 1576 wrote to memory of 532 1576 xSpoofer-new.exe 101 PID 1576 wrote to memory of 532 1576 xSpoofer-new.exe 101 PID 1576 wrote to memory of 532 1576 xSpoofer-new.exe 101 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe"C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Users\Admin\AppData\Roaming\XClient.exe"C:\Users\Admin\AppData\Roaming\XClient.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4952
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe"C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe"2⤵
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XblAuthManager3⤵
- Executes dropped EXE
PID:4724
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XblGameSave3⤵
- Executes dropped EXE
PID:1996
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XboxGipSvc3⤵
- Executes dropped EXE
PID:868
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XboxNetApiSvc3⤵
- Executes dropped EXE
PID:3504
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop xboxgip3⤵
- Executes dropped EXE
PID:3116
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XblAuthManager3⤵
- Executes dropped EXE
PID:532
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XblGameSave3⤵
- Executes dropped EXE
PID:5112
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XboxNetApiSvc3⤵
- Executes dropped EXE
PID:4576
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XboxGipSvc3⤵
- Executes dropped EXE
PID:4944
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete xboxgip3⤵
- Executes dropped EXE
PID:4416
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop vgk3⤵
- Executes dropped EXE
PID:2568
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete "HKLM\SYSTEM\CurrentControlSet\Services\xbgm" /f3⤵
- Executes dropped EXE
PID:3288
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f3⤵
- Executes dropped EXE
PID:4800
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /disable3⤵
- Executes dropped EXE
PID:3588
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe /Change /TN "Microsoft\XblGameSave\XblGameSaveTaskLogon" /disableL3⤵
- Executes dropped EXE
PID:488
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe -Command "& {Get-AppxPackage -allusers *xbox* | Remove-AppxPackage}"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1048
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:560
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
87KB
MD5626eb43e3611e3217f8602f7b8206889
SHA1358935565a0a495a62559b204b7b41cbc365d8d9
SHA2563c468ad439464cebe619052e06cf797b296ab0d9bcf88d475fb5c9b42b489573
SHA512f4bf30eeadb557501362de71d4b6d58ab498d98e52b453f6e20309da36fe288d098dab9bb08cfcecf12787536ff20f0e649401ab6b0ff75e6671a4f3ebc4cd29
-
Filesize
6.8MB
MD5233320478ce264f9e08d249244dc4fdb
SHA1af46758a7c39b4edf4b5b0819f732abb5ad19e17
SHA256edb57df920f62e6f1241695f8a46e420f104455a54fe91431db545834fd8d5ba
SHA512b1c06e96cbabd58f8489a18c8c270718cea634a9bbd4fd67786cd5d31cfa475d4f97e2389f1ce2b5ddf10db9687b5cb5361e878d29427f9670f59343468d5967