Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/04/2024, 13:12

General

  • Target

    b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe

  • Size

    7.0MB

  • MD5

    6b47add2cf208a988c57c8f00461de0b

  • SHA1

    cf9518f4bd3cf94ab7225423e4365f4a262a9c61

  • SHA256

    b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07

  • SHA512

    e2f5eb2e82ab1951e0bfe0994219ed676a71ccb9804be7ebbea42d9ad9596922c16600a101caccbbfd161b98fcc2d7b3e9591afb66e1878627f6cee0918b6a35

  • SSDEEP

    196608:oA+bmZgkjTKD4C4+e4YcJE4AcnPmP99j+zE/k:oAEGZjTvC4EtAcPmPJ/

Score
10/10

Malware Config

Extracted

Family

xworm

C2

210.246.215.82:7000

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    WindowsNT.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Drops file in Drivers directory 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 19 IoCs
  • Loads dropped DLL 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe
    "C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      "C:\Users\Admin\AppData\Roaming\XClient.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1820
    • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
      "C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe"
      2⤵
      • Drops file in Drivers directory
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1628
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XblAuthManager
        3⤵
        • Executes dropped EXE
        PID:2564
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XblGameSave
        3⤵
        • Executes dropped EXE
        PID:2480
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XboxGipSvc
        3⤵
        • Executes dropped EXE
        PID:1912
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XboxNetApiSvc
        3⤵
        • Executes dropped EXE
        PID:1396
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop xboxgip
        3⤵
        • Executes dropped EXE
        PID:1468
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XblAuthManager
        3⤵
        • Executes dropped EXE
        PID:2776
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XblGameSave
        3⤵
        • Executes dropped EXE
        PID:2136
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XboxNetApiSvc
        3⤵
        • Executes dropped EXE
        PID:1508
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XboxGipSvc
        3⤵
        • Executes dropped EXE
        PID:2320
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete xboxgip
        3⤵
        • Executes dropped EXE
        PID:2268
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop vgk
        3⤵
        • Executes dropped EXE
        PID:1044
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete "HKLM\SYSTEM\CurrentControlSet\Services\xbgm" /f
        3⤵
        • Executes dropped EXE
        PID:1748
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f
        3⤵
        • Executes dropped EXE
        PID:2168
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /disable
        3⤵
        • Executes dropped EXE
        PID:1604
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe /Change /TN "Microsoft\XblGameSave\XblGameSaveTaskLogon" /disableL
        3⤵
        • Executes dropped EXE
        PID:2704
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe -Command "& {Get-AppxPackage -allusers *xbox* | Remove-AppxPackage}"
        3⤵
        • Executes dropped EXE
        PID:2440
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        3⤵
        • Executes dropped EXE
        PID:2008

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Roaming\XClient.exe

          Filesize

          87KB

          MD5

          626eb43e3611e3217f8602f7b8206889

          SHA1

          358935565a0a495a62559b204b7b41cbc365d8d9

          SHA256

          3c468ad439464cebe619052e06cf797b296ab0d9bcf88d475fb5c9b42b489573

          SHA512

          f4bf30eeadb557501362de71d4b6d58ab498d98e52b453f6e20309da36fe288d098dab9bb08cfcecf12787536ff20f0e649401ab6b0ff75e6671a4f3ebc4cd29

        • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

          Filesize

          6.8MB

          MD5

          233320478ce264f9e08d249244dc4fdb

          SHA1

          af46758a7c39b4edf4b5b0819f732abb5ad19e17

          SHA256

          edb57df920f62e6f1241695f8a46e420f104455a54fe91431db545834fd8d5ba

          SHA512

          b1c06e96cbabd58f8489a18c8c270718cea634a9bbd4fd67786cd5d31cfa475d4f97e2389f1ce2b5ddf10db9687b5cb5361e878d29427f9670f59343468d5967

        • memory/1044-185-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/1044-184-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/1396-81-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/1396-72-0x000007FFFFFDC000-0x000007FFFFFDD000-memory.dmp

          Filesize

          4KB

        • memory/1468-89-0x000007FFFFFD7000-0x000007FFFFFD8000-memory.dmp

          Filesize

          4KB

        • memory/1468-97-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/1508-141-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/1508-140-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/1604-225-0x0000000100000000-0x0000000100048000-memory.dmp

          Filesize

          288KB

        • memory/1604-224-0x0000000100000000-0x0000000100048000-memory.dmp

          Filesize

          288KB

        • memory/1628-246-0x000000013F710000-0x0000000140200000-memory.dmp

          Filesize

          10.9MB

        • memory/1628-78-0x000000013F710000-0x0000000140200000-memory.dmp

          Filesize

          10.9MB

        • memory/1628-15-0x000000013F710000-0x0000000140200000-memory.dmp

          Filesize

          10.9MB

        • memory/1628-80-0x0000000076FA0000-0x0000000077149000-memory.dmp

          Filesize

          1.7MB

        • memory/1628-18-0x0000000076FA0000-0x0000000077149000-memory.dmp

          Filesize

          1.7MB

        • memory/1628-23-0x00000000044A0000-0x0000000004F90000-memory.dmp

          Filesize

          10.9MB

        • memory/1628-247-0x0000000076FA0000-0x0000000077149000-memory.dmp

          Filesize

          1.7MB

        • memory/1628-93-0x000000013F710000-0x0000000140200000-memory.dmp

          Filesize

          10.9MB

        • memory/1628-96-0x00000000044A0000-0x0000000004F90000-memory.dmp

          Filesize

          10.9MB

        • memory/1628-77-0x000000013F710000-0x0000000140200000-memory.dmp

          Filesize

          10.9MB

        • memory/1736-14-0x000000013F710000-0x0000000140200000-memory.dmp

          Filesize

          10.9MB

        • memory/1736-16-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

          Filesize

          9.9MB

        • memory/1736-0-0x0000000000BF0000-0x00000000012FE000-memory.dmp

          Filesize

          7.1MB

        • memory/1736-1-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

          Filesize

          9.9MB

        • memory/1748-198-0x0000000100000000-0x0000000100056000-memory.dmp

          Filesize

          344KB

        • memory/1820-64-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

          Filesize

          9.9MB

        • memory/1820-60-0x000000001B020000-0x000000001B0A0000-memory.dmp

          Filesize

          512KB

        • memory/1820-7-0x0000000000940000-0x000000000095C000-memory.dmp

          Filesize

          112KB

        • memory/1820-8-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

          Filesize

          9.9MB

        • memory/1820-171-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

          Filesize

          9.9MB

        • memory/1912-63-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2136-125-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2136-126-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2168-211-0x0000000100000000-0x0000000100056000-memory.dmp

          Filesize

          344KB

        • memory/2268-169-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2320-155-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2480-48-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2480-42-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

          Filesize

          4KB

        • memory/2564-27-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2564-26-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2564-28-0x000007FFFFFD3000-0x000007FFFFFD4000-memory.dmp

          Filesize

          4KB

        • memory/2564-24-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2564-25-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2564-22-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2564-30-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2564-21-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2564-20-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2564-33-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2564-34-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2704-238-0x0000000100000000-0x0000000100048000-memory.dmp

          Filesize

          288KB

        • memory/2776-111-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB