Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02/04/2024, 13:37
Static task: static1
Behavioral task: behavioral1
Sample: b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe
Resource: win7-20240221-en
General
Target: b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe
Size: 7.0MB
MD5: 6b47add2cf208a988c57c8f00461de0b
SHA1: cf9518f4bd3cf94ab7225423e4365f4a262a9c61
SHA256: b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07
SHA512: e2f5eb2e82ab1951e0bfe0994219ed676a71ccb9804be7ebbea42d9ad9596922c16600a101caccbbfd161b98fcc2d7b3e9591afb66e1878627f6cee0918b6a35
SSDEEP: 196608:oA+bmZgkjTKD4C4+e4YcJE4AcnPmP99j+zE/k:oAEGZjTvC4EtAcPmPJ/
Malware Config
Extracted
Family: xworm
C2: 210.246.215.82:7000
Install_directory: %ProgramData%
install_file: WindowsNT.exe
Signatures

Detect Xworm Payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x000b000000012248-5.dat | family_xworm
behavioral1/memory/2080-7-0x0000000000980000-0x000000000099C000-memory.dmp | family_xworm

Drops file in Drivers directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | xSpoofer-new.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | xSpoofer-new.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | xSpoofer-new.exe

Executes dropped EXE (19 IoCs)
pid | Process
2080 | XClient.exe
1756 | xSpoofer-new.exe
2500 | xSpoofer-new.exe
2748 | xSpoofer-new.exe
1976 | xSpoofer-new.exe
2820 | xSpoofer-new.exe
1624 | xSpoofer-new.exe
2904 | xSpoofer-new.exe
1276 | xSpoofer-new.exe
968 | xSpoofer-new.exe
828 | xSpoofer-new.exe
2188 | xSpoofer-new.exe
1636 | xSpoofer-new.exe
676 | xSpoofer-new.exe
1816 | xSpoofer-new.exe
2268 | xSpoofer-new.exe
3060 | xSpoofer-new.exe
2632 | xSpoofer-new.exe
2744 | xSpoofer-new.exe

Loads dropped DLL (3 IoCs)
pid | Process
2420 | b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe
1756 | xSpoofer-new.exe
1756 | xSpoofer-new.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | ip-api.com

Suspicious use of SetThreadContext (16 IoCs)
description | pid | Process | procid_target
PID 1756 set thread context of 2500 | 1756 | xSpoofer-new.exe | 31
PID 1756 set thread context of 2748 | 1756 | xSpoofer-new.exe | 33
PID 1756 set thread context of 1976 | 1756 | xSpoofer-new.exe | 36
PID 1756 set thread context of 2820 | 1756 | xSpoofer-new.exe | 38
PID 1756 set thread context of 1624 | 1756 | xSpoofer-new.exe | 40
PID 1756 set thread context of 2904 | 1756 | xSpoofer-new.exe | 42
PID 1756 set thread context of 1276 | 1756 | xSpoofer-new.exe | 44
PID 1756 set thread context of 968 | 1756 | xSpoofer-new.exe | 46
PID 1756 set thread context of 828 | 1756 | xSpoofer-new.exe | 48
PID 1756 set thread context of 2188 | 1756 | xSpoofer-new.exe | 50
PID 1756 set thread context of 1636 | 1756 | xSpoofer-new.exe | 52
PID 1756 set thread context of 676 | 1756 | xSpoofer-new.exe | 54
PID 1756 set thread context of 1816 | 1756 | xSpoofer-new.exe | 56
PID 1756 set thread context of 2268 | 1756 | xSpoofer-new.exe | 58
PID 1756 set thread context of 3060 | 1756 | xSpoofer-new.exe | 60
PID 1756 set thread context of 2632 | 1756 | xSpoofer-new.exe | 62

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid | Process
2632 | xSpoofer-new.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2080 | XClient.exe
Token: SeDebugPrivilege | 1756 | xSpoofer-new.exe
Token: SeDebugPrivilege | 2632 | xSpoofer-new.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | occurrences
PID 2420 wrote to memory of 2080 | 2420 | b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe | 28 | 3
PID 2420 wrote to memory of 1756 | 2420 | b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe | 29 | 3
PID 1756 wrote to memory of 2500 | 1756 | xSpoofer-new.exe | 31 | 11
PID 1756 wrote to memory of 2748 | 1756 | xSpoofer-new.exe | 33 | 11
PID 1756 wrote to memory of 1976 | 1756 | xSpoofer-new.exe | 36 | 11
PID 1756 wrote to memory of 2820 | 1756 | xSpoofer-new.exe | 38 | 11
PID 1756 wrote to memory of 1624 | 1756 | xSpoofer-new.exe | 40 | 11
PID 1756 wrote to memory of 2904 | 1756 | xSpoofer-new.exe | 42 | 3

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe"
PID: 2420
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\XClient.exe
  Command line: "C:\Users\Admin\AppData\Roaming\XClient.exe"
  PID: 2080
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
  Command line: "C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe"
  PID: 1756
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
    Command line: C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XblAuthManager
    PID: 2500
    - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
    Command line: C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XblGameSave
    PID: 2748
    - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
    Command line: C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XboxGipSvc
    PID: 1976
    - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
    Command line: C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XboxNetApiSvc
    PID: 2820
    - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
    Command line: C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop xboxgip
    PID: 1624
    - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
    Command line: C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XblAuthManager
    PID: 2904
    - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
    Command line: C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XblGameSave
    PID: 1276
    - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
    Command line: C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XboxNetApiSvc
    PID: 968
    - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
    Command line: C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XboxGipSvc
    PID: 828
    - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
    Command line: C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete xboxgip
    PID: 2188
    - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
    Command line: C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop vgk
    PID: 1636
    - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
    Command line: C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete "HKLM\SYSTEM\CurrentControlSet\Services\xbgm" /f
    PID: 676
    - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
    Command line: C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f
    PID: 1816
    - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
    Command line: C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /disable
    PID: 2268
    - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
    Command line: C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe /Change /TN "Microsoft\XblGameSave\XblGameSaveTaskLogon" /disableL
    PID: 3060
    - Executes dropped EXE

    C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
    Command line: C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe -Command "& {Get-AppxPackage -allusers *xbox* | Remove-AppxPackage}"
    PID: 2632
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
    Command line: C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
    PID: 2744
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads