Analysis
-
max time kernel
151s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
02/04/2024, 13:12
Static task
static1
Behavioral task
behavioral1
Sample
b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe
Resource
win7-20240221-en
General
-
Target
b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe
-
Size
7.0MB
-
MD5
6b47add2cf208a988c57c8f00461de0b
-
SHA1
cf9518f4bd3cf94ab7225423e4365f4a262a9c61
-
SHA256
b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07
-
SHA512
e2f5eb2e82ab1951e0bfe0994219ed676a71ccb9804be7ebbea42d9ad9596922c16600a101caccbbfd161b98fcc2d7b3e9591afb66e1878627f6cee0918b6a35
-
SSDEEP
196608:oA+bmZgkjTKD4C4+e4YcJE4AcnPmP99j+zE/k:oAEGZjTvC4EtAcPmPJ/
Malware Config
Extracted
xworm
210.246.215.82:7000
-
Install_directory
%ProgramData%
-
install_file
WindowsNT.exe
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral2/files/0x0008000000023272-6.dat family_xworm behavioral2/memory/3912-14-0x00000000003A0000-0x00000000003BC000-memory.dmp family_xworm -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ xSpoofer-new.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts xSpoofer-new.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion xSpoofer-new.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion xSpoofer-new.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion xSpoofer-new.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion xSpoofer-new.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe -
Executes dropped EXE 19 IoCs
pid Process 3912 XClient.exe 4344 xSpoofer-new.exe 3808 xSpoofer-new.exe 2984 xSpoofer-new.exe 2636 xSpoofer-new.exe 404 xSpoofer-new.exe 4152 xSpoofer-new.exe 4468 xSpoofer-new.exe 4304 xSpoofer-new.exe 4460 xSpoofer-new.exe 32 xSpoofer-new.exe 832 xSpoofer-new.exe 4056 xSpoofer-new.exe 412 xSpoofer-new.exe 3916 xSpoofer-new.exe 2224 xSpoofer-new.exe 3620 xSpoofer-new.exe 1496 xSpoofer-new.exe 3952 xSpoofer-new.exe -
resource yara_rule behavioral2/memory/3952-183-0x0000000140000000-0x0000000140AE7000-memory.dmp themida behavioral2/memory/3952-201-0x0000000140000000-0x0000000140AE7000-memory.dmp themida behavioral2/memory/3952-206-0x0000000140000000-0x0000000140AE7000-memory.dmp themida behavioral2/memory/3952-207-0x0000000140000000-0x0000000140AE7000-memory.dmp themida -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA xSpoofer-new.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 7 ip-api.com -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 3952 xSpoofer-new.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 3952 xSpoofer-new.exe -
Suspicious use of SetThreadContext 17 IoCs
description pid Process procid_target PID 4344 set thread context of 3808 4344 xSpoofer-new.exe 98 PID 4344 set thread context of 2984 4344 xSpoofer-new.exe 100 PID 4344 set thread context of 2636 4344 xSpoofer-new.exe 102 PID 4344 set thread context of 404 4344 xSpoofer-new.exe 104 PID 4344 set thread context of 4152 4344 xSpoofer-new.exe 106 PID 4344 set thread context of 4468 4344 xSpoofer-new.exe 108 PID 4344 set thread context of 4304 4344 xSpoofer-new.exe 110 PID 4344 set thread context of 4460 4344 xSpoofer-new.exe 113 PID 4344 set thread context of 32 4344 xSpoofer-new.exe 115 PID 4344 set thread context of 832 4344 xSpoofer-new.exe 117 PID 4344 set thread context of 4056 4344 xSpoofer-new.exe 119 PID 4344 set thread context of 412 4344 xSpoofer-new.exe 121 PID 4344 set thread context of 3916 4344 xSpoofer-new.exe 123 PID 4344 set thread context of 2224 4344 xSpoofer-new.exe 144 PID 4344 set thread context of 3620 4344 xSpoofer-new.exe 127 PID 4344 set thread context of 1496 4344 xSpoofer-new.exe 130 PID 4344 set thread context of 3952 4344 xSpoofer-new.exe 136 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1496 xSpoofer-new.exe 1496 xSpoofer-new.exe 1496 xSpoofer-new.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 3912 XClient.exe Token: SeDebugPrivilege 4344 xSpoofer-new.exe Token: SeDebugPrivilege 1496 xSpoofer-new.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4424 wrote to memory of 3912 4424 b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe 94 PID 4424 wrote to memory of 3912 4424 b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe 94 PID 4424 wrote to memory of 4344 4424 b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe 95 PID 4424 wrote to memory of 4344 4424 b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe 95 PID 4344 wrote to memory of 3808 4344 xSpoofer-new.exe 98 PID 4344 wrote to memory of 3808 4344 xSpoofer-new.exe 98 PID 4344 wrote to memory of 3808 4344 xSpoofer-new.exe 98 PID 4344 wrote to memory of 3808 4344 xSpoofer-new.exe 98 PID 4344 wrote to memory of 3808 4344 xSpoofer-new.exe 98 PID 4344 wrote to memory of 3808 4344 xSpoofer-new.exe 98 PID 4344 wrote to memory of 3808 4344 xSpoofer-new.exe 98 PID 4344 wrote to memory of 3808 4344 xSpoofer-new.exe 98 PID 4344 wrote to memory of 3808 4344 xSpoofer-new.exe 98 PID 4344 wrote to memory of 3808 4344 xSpoofer-new.exe 98 PID 4344 wrote to memory of 3808 4344 xSpoofer-new.exe 98 PID 4344 wrote to memory of 2984 4344 xSpoofer-new.exe 100 PID 4344 wrote to memory of 2984 4344 xSpoofer-new.exe 100 PID 4344 wrote to memory of 2984 4344 xSpoofer-new.exe 100 PID 4344 wrote to memory of 2984 4344 xSpoofer-new.exe 100 PID 4344 wrote to memory of 2984 4344 xSpoofer-new.exe 100 PID 4344 wrote to memory of 2984 4344 xSpoofer-new.exe 100 PID 4344 wrote to memory of 2984 4344 xSpoofer-new.exe 100 PID 4344 wrote to memory of 2984 4344 xSpoofer-new.exe 100 PID 4344 wrote to memory of 2984 4344 xSpoofer-new.exe 100 PID 4344 wrote to memory of 2984 4344 xSpoofer-new.exe 100 PID 4344 wrote to memory of 2984 4344 xSpoofer-new.exe 100 PID 4344 wrote to memory of 2636 4344 xSpoofer-new.exe 102 PID 4344 wrote to memory of 2636 4344 xSpoofer-new.exe 102 PID 4344 wrote to memory of 2636 4344 xSpoofer-new.exe 102 PID 4344 wrote to memory of 2636 4344 xSpoofer-new.exe 102 PID 4344 wrote to memory of 2636 4344 xSpoofer-new.exe 102 PID 4344 wrote to memory of 2636 4344 xSpoofer-new.exe 102 PID 4344 wrote to memory of 2636 4344 xSpoofer-new.exe 102 PID 4344 wrote to memory of 2636 4344 xSpoofer-new.exe 102 PID 4344 wrote to memory of 2636 4344 xSpoofer-new.exe 102 PID 4344 wrote to memory of 2636 4344 xSpoofer-new.exe 102 PID 4344 wrote to memory of 2636 4344 xSpoofer-new.exe 102 PID 4344 wrote to memory of 404 4344 xSpoofer-new.exe 104 PID 4344 wrote to memory of 404 4344 xSpoofer-new.exe 104 PID 4344 wrote to memory of 404 4344 xSpoofer-new.exe 104 PID 4344 wrote to memory of 404 4344 xSpoofer-new.exe 104 PID 4344 wrote to memory of 404 4344 xSpoofer-new.exe 104 PID 4344 wrote to memory of 404 4344 xSpoofer-new.exe 104 PID 4344 wrote to memory of 404 4344 xSpoofer-new.exe 104 PID 4344 wrote to memory of 404 4344 xSpoofer-new.exe 104 PID 4344 wrote to memory of 404 4344 xSpoofer-new.exe 104 PID 4344 wrote to memory of 404 4344 xSpoofer-new.exe 104 PID 4344 wrote to memory of 404 4344 xSpoofer-new.exe 104 PID 4344 wrote to memory of 4152 4344 xSpoofer-new.exe 106 PID 4344 wrote to memory of 4152 4344 xSpoofer-new.exe 106 PID 4344 wrote to memory of 4152 4344 xSpoofer-new.exe 106 PID 4344 wrote to memory of 4152 4344 xSpoofer-new.exe 106 PID 4344 wrote to memory of 4152 4344 xSpoofer-new.exe 106 PID 4344 wrote to memory of 4152 4344 xSpoofer-new.exe 106 PID 4344 wrote to memory of 4152 4344 xSpoofer-new.exe 106 PID 4344 wrote to memory of 4152 4344 xSpoofer-new.exe 106 PID 4344 wrote to memory of 4152 4344 xSpoofer-new.exe 106 PID 4344 wrote to memory of 4152 4344 xSpoofer-new.exe 106 PID 4344 wrote to memory of 4152 4344 xSpoofer-new.exe 106 PID 4344 wrote to memory of 4468 4344 xSpoofer-new.exe 108 PID 4344 wrote to memory of 4468 4344 xSpoofer-new.exe 108 PID 4344 wrote to memory of 4468 4344 xSpoofer-new.exe 108 PID 4344 wrote to memory of 4468 4344 xSpoofer-new.exe 108 PID 4344 wrote to memory of 4468 4344 xSpoofer-new.exe 108 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe"C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Users\Admin\AppData\Roaming\XClient.exe"C:\Users\Admin\AppData\Roaming\XClient.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3912
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe"C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe"2⤵
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4344 -
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XblAuthManager3⤵
- Executes dropped EXE
PID:3808
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XblGameSave3⤵
- Executes dropped EXE
PID:2984
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XboxGipSvc3⤵
- Executes dropped EXE
PID:2636
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XboxNetApiSvc3⤵
- Executes dropped EXE
PID:404
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop xboxgip3⤵
- Executes dropped EXE
PID:4152
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XblAuthManager3⤵
- Executes dropped EXE
PID:4468
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XblGameSave3⤵
- Executes dropped EXE
PID:4304
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XboxNetApiSvc3⤵
- Executes dropped EXE
PID:4460
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XboxGipSvc3⤵
- Executes dropped EXE
PID:32
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete xboxgip3⤵
- Executes dropped EXE
PID:832
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop vgk3⤵
- Executes dropped EXE
PID:4056
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete "HKLM\SYSTEM\CurrentControlSet\Services\xbgm" /f3⤵
- Executes dropped EXE
PID:412
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f3⤵
- Executes dropped EXE
PID:3916
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /disable3⤵
- Executes dropped EXE
PID:2224
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe /Change /TN "Microsoft\XblGameSave\XblGameSaveTaskLogon" /disableL3⤵
- Executes dropped EXE
PID:3620
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe -Command "& {Get-AppxPackage -allusers *xbox* | Remove-AppxPackage}"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1496
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3952
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1792 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:81⤵PID:5004
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵PID:2224
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
87KB
MD5626eb43e3611e3217f8602f7b8206889
SHA1358935565a0a495a62559b204b7b41cbc365d8d9
SHA2563c468ad439464cebe619052e06cf797b296ab0d9bcf88d475fb5c9b42b489573
SHA512f4bf30eeadb557501362de71d4b6d58ab498d98e52b453f6e20309da36fe288d098dab9bb08cfcecf12787536ff20f0e649401ab6b0ff75e6671a4f3ebc4cd29
-
Filesize
6.8MB
MD5233320478ce264f9e08d249244dc4fdb
SHA1af46758a7c39b4edf4b5b0819f732abb5ad19e17
SHA256edb57df920f62e6f1241695f8a46e420f104455a54fe91431db545834fd8d5ba
SHA512b1c06e96cbabd58f8489a18c8c270718cea634a9bbd4fd67786cd5d31cfa475d4f97e2389f1ce2b5ddf10db9687b5cb5361e878d29427f9670f59343468d5967