Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
02/04/2024, 13:34
Static task
static1
Behavioral task
behavioral1
Sample
b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe
Resource
win7-20240221-en
General
-
Target
b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe
-
Size
7.0MB
-
MD5
6b47add2cf208a988c57c8f00461de0b
-
SHA1
cf9518f4bd3cf94ab7225423e4365f4a262a9c61
-
SHA256
b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07
-
SHA512
e2f5eb2e82ab1951e0bfe0994219ed676a71ccb9804be7ebbea42d9ad9596922c16600a101caccbbfd161b98fcc2d7b3e9591afb66e1878627f6cee0918b6a35
-
SSDEEP
196608:oA+bmZgkjTKD4C4+e4YcJE4AcnPmP99j+zE/k:oAEGZjTvC4EtAcPmPJ/
Malware Config
Extracted
xworm
210.246.215.82:7000
-
Install_directory
%ProgramData%
-
install_file
WindowsNT.exe
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral2/files/0x000800000002320d-6.dat family_xworm behavioral2/memory/1488-13-0x0000000000A30000-0x0000000000A4C000-memory.dmp family_xworm -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ xSpoofer-new.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts xSpoofer-new.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion xSpoofer-new.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion xSpoofer-new.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion xSpoofer-new.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion xSpoofer-new.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe -
Executes dropped EXE 19 IoCs
pid Process 1488 XClient.exe 5092 xSpoofer-new.exe 3816 xSpoofer-new.exe 5024 xSpoofer-new.exe 3332 xSpoofer-new.exe 2112 xSpoofer-new.exe 4060 xSpoofer-new.exe 2340 xSpoofer-new.exe 5096 xSpoofer-new.exe 3260 xSpoofer-new.exe 3032 xSpoofer-new.exe 1180 xSpoofer-new.exe 1452 xSpoofer-new.exe 4392 xSpoofer-new.exe 4572 xSpoofer-new.exe 2328 xSpoofer-new.exe 1652 xSpoofer-new.exe 4956 xSpoofer-new.exe 2148 xSpoofer-new.exe -
resource yara_rule behavioral2/memory/2148-179-0x0000000140000000-0x0000000140AE7000-memory.dmp themida behavioral2/memory/2148-196-0x0000000140000000-0x0000000140AE7000-memory.dmp themida behavioral2/memory/2148-201-0x0000000140000000-0x0000000140AE7000-memory.dmp themida behavioral2/memory/2148-202-0x0000000140000000-0x0000000140AE7000-memory.dmp themida -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA xSpoofer-new.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 13 ip-api.com -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 2148 xSpoofer-new.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2148 xSpoofer-new.exe -
Suspicious use of SetThreadContext 17 IoCs
description pid Process procid_target PID 5092 set thread context of 3816 5092 xSpoofer-new.exe 126 PID 5092 set thread context of 5024 5092 xSpoofer-new.exe 92 PID 5092 set thread context of 3332 5092 xSpoofer-new.exe 94 PID 5092 set thread context of 2112 5092 xSpoofer-new.exe 96 PID 5092 set thread context of 4060 5092 xSpoofer-new.exe 98 PID 5092 set thread context of 2340 5092 xSpoofer-new.exe 100 PID 5092 set thread context of 5096 5092 xSpoofer-new.exe 102 PID 5092 set thread context of 3260 5092 xSpoofer-new.exe 105 PID 5092 set thread context of 3032 5092 xSpoofer-new.exe 107 PID 5092 set thread context of 1180 5092 xSpoofer-new.exe 114 PID 5092 set thread context of 1452 5092 xSpoofer-new.exe 116 PID 5092 set thread context of 4392 5092 xSpoofer-new.exe 118 PID 5092 set thread context of 4572 5092 xSpoofer-new.exe 121 PID 5092 set thread context of 2328 5092 xSpoofer-new.exe 123 PID 5092 set thread context of 1652 5092 xSpoofer-new.exe 125 PID 5092 set thread context of 4956 5092 xSpoofer-new.exe 127 PID 5092 set thread context of 2148 5092 xSpoofer-new.exe 130 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 4956 xSpoofer-new.exe 4956 xSpoofer-new.exe 4956 xSpoofer-new.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1488 XClient.exe Token: SeDebugPrivilege 5092 xSpoofer-new.exe Token: SeDebugPrivilege 4956 xSpoofer-new.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3640 wrote to memory of 1488 3640 b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe 86 PID 3640 wrote to memory of 1488 3640 b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe 86 PID 3640 wrote to memory of 5092 3640 b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe 87 PID 3640 wrote to memory of 5092 3640 b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe 87 PID 5092 wrote to memory of 3816 5092 xSpoofer-new.exe 126 PID 5092 wrote to memory of 3816 5092 xSpoofer-new.exe 126 PID 5092 wrote to memory of 3816 5092 xSpoofer-new.exe 126 PID 5092 wrote to memory of 3816 5092 xSpoofer-new.exe 126 PID 5092 wrote to memory of 3816 5092 xSpoofer-new.exe 126 PID 5092 wrote to memory of 3816 5092 xSpoofer-new.exe 126 PID 5092 wrote to memory of 3816 5092 xSpoofer-new.exe 126 PID 5092 wrote to memory of 3816 5092 xSpoofer-new.exe 126 PID 5092 wrote to memory of 3816 5092 xSpoofer-new.exe 126 PID 5092 wrote to memory of 3816 5092 xSpoofer-new.exe 126 PID 5092 wrote to memory of 3816 5092 xSpoofer-new.exe 126 PID 5092 wrote to memory of 5024 5092 xSpoofer-new.exe 92 PID 5092 wrote to memory of 5024 5092 xSpoofer-new.exe 92 PID 5092 wrote to memory of 5024 5092 xSpoofer-new.exe 92 PID 5092 wrote to memory of 5024 5092 xSpoofer-new.exe 92 PID 5092 wrote to memory of 5024 5092 xSpoofer-new.exe 92 PID 5092 wrote to memory of 5024 5092 xSpoofer-new.exe 92 PID 5092 wrote to memory of 5024 5092 xSpoofer-new.exe 92 PID 5092 wrote to memory of 5024 5092 xSpoofer-new.exe 92 PID 5092 wrote to memory of 5024 5092 xSpoofer-new.exe 92 PID 5092 wrote to memory of 5024 5092 xSpoofer-new.exe 92 PID 5092 wrote to memory of 5024 5092 xSpoofer-new.exe 92 PID 5092 wrote to memory of 3332 5092 xSpoofer-new.exe 94 PID 5092 wrote to memory of 3332 5092 xSpoofer-new.exe 94 PID 5092 wrote to memory of 3332 5092 xSpoofer-new.exe 94 PID 5092 wrote to memory of 3332 5092 xSpoofer-new.exe 94 PID 5092 wrote to memory of 3332 5092 xSpoofer-new.exe 94 PID 5092 wrote to memory of 3332 5092 xSpoofer-new.exe 94 PID 5092 wrote to memory of 3332 5092 xSpoofer-new.exe 94 PID 5092 wrote to memory of 3332 5092 xSpoofer-new.exe 94 PID 5092 wrote to memory of 3332 5092 xSpoofer-new.exe 94 PID 5092 wrote to memory of 3332 5092 xSpoofer-new.exe 94 PID 5092 wrote to memory of 3332 5092 xSpoofer-new.exe 94 PID 5092 wrote to memory of 2112 5092 xSpoofer-new.exe 96 PID 5092 wrote to memory of 2112 5092 xSpoofer-new.exe 96 PID 5092 wrote to memory of 2112 5092 xSpoofer-new.exe 96 PID 5092 wrote to memory of 2112 5092 xSpoofer-new.exe 96 PID 5092 wrote to memory of 2112 5092 xSpoofer-new.exe 96 PID 5092 wrote to memory of 2112 5092 xSpoofer-new.exe 96 PID 5092 wrote to memory of 2112 5092 xSpoofer-new.exe 96 PID 5092 wrote to memory of 2112 5092 xSpoofer-new.exe 96 PID 5092 wrote to memory of 2112 5092 xSpoofer-new.exe 96 PID 5092 wrote to memory of 2112 5092 xSpoofer-new.exe 96 PID 5092 wrote to memory of 2112 5092 xSpoofer-new.exe 96 PID 5092 wrote to memory of 4060 5092 xSpoofer-new.exe 98 PID 5092 wrote to memory of 4060 5092 xSpoofer-new.exe 98 PID 5092 wrote to memory of 4060 5092 xSpoofer-new.exe 98 PID 5092 wrote to memory of 4060 5092 xSpoofer-new.exe 98 PID 5092 wrote to memory of 4060 5092 xSpoofer-new.exe 98 PID 5092 wrote to memory of 4060 5092 xSpoofer-new.exe 98 PID 5092 wrote to memory of 4060 5092 xSpoofer-new.exe 98 PID 5092 wrote to memory of 4060 5092 xSpoofer-new.exe 98 PID 5092 wrote to memory of 4060 5092 xSpoofer-new.exe 98 PID 5092 wrote to memory of 4060 5092 xSpoofer-new.exe 98 PID 5092 wrote to memory of 4060 5092 xSpoofer-new.exe 98 PID 5092 wrote to memory of 2340 5092 xSpoofer-new.exe 100 PID 5092 wrote to memory of 2340 5092 xSpoofer-new.exe 100 PID 5092 wrote to memory of 2340 5092 xSpoofer-new.exe 100 PID 5092 wrote to memory of 2340 5092 xSpoofer-new.exe 100 PID 5092 wrote to memory of 2340 5092 xSpoofer-new.exe 100 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe"C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3640 -
C:\Users\Admin\AppData\Roaming\XClient.exe"C:\Users\Admin\AppData\Roaming\XClient.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1488
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe"C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe"2⤵
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XblAuthManager3⤵
- Executes dropped EXE
PID:3816
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XblGameSave3⤵
- Executes dropped EXE
PID:5024
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XboxGipSvc3⤵
- Executes dropped EXE
PID:3332
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XboxNetApiSvc3⤵
- Executes dropped EXE
PID:2112
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop xboxgip3⤵
- Executes dropped EXE
PID:4060
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XblAuthManager3⤵
- Executes dropped EXE
PID:2340
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XblGameSave3⤵
- Executes dropped EXE
PID:5096
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XboxNetApiSvc3⤵
- Executes dropped EXE
PID:3260
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XboxGipSvc3⤵
- Executes dropped EXE
PID:3032
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete xboxgip3⤵
- Executes dropped EXE
PID:1180
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop vgk3⤵
- Executes dropped EXE
PID:1452
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete "HKLM\SYSTEM\CurrentControlSet\Services\xbgm" /f3⤵
- Executes dropped EXE
PID:4392
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f3⤵
- Executes dropped EXE
PID:4572
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /disable3⤵
- Executes dropped EXE
PID:2328
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe /Change /TN "Microsoft\XblGameSave\XblGameSaveTaskLogon" /disableL3⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:3816
-
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe -Command "& {Get-AppxPackage -allusers *xbox* | Remove-AppxPackage}"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4956
-
-
C:\Users\Admin\AppData\Roaming\xSpoofer-new.exeC:\Users\Admin\AppData\Roaming\xSpoofer-new.exe3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2148
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
87KB
MD5626eb43e3611e3217f8602f7b8206889
SHA1358935565a0a495a62559b204b7b41cbc365d8d9
SHA2563c468ad439464cebe619052e06cf797b296ab0d9bcf88d475fb5c9b42b489573
SHA512f4bf30eeadb557501362de71d4b6d58ab498d98e52b453f6e20309da36fe288d098dab9bb08cfcecf12787536ff20f0e649401ab6b0ff75e6671a4f3ebc4cd29
-
Filesize
6.8MB
MD5233320478ce264f9e08d249244dc4fdb
SHA1af46758a7c39b4edf4b5b0819f732abb5ad19e17
SHA256edb57df920f62e6f1241695f8a46e420f104455a54fe91431db545834fd8d5ba
SHA512b1c06e96cbabd58f8489a18c8c270718cea634a9bbd4fd67786cd5d31cfa475d4f97e2389f1ce2b5ddf10db9687b5cb5361e878d29427f9670f59343468d5967