Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/04/2024, 13:37

General

  • Target

    b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe

  • Size

    7.0MB

  • MD5

    6b47add2cf208a988c57c8f00461de0b

  • SHA1

    cf9518f4bd3cf94ab7225423e4365f4a262a9c61

  • SHA256

    b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07

  • SHA512

    e2f5eb2e82ab1951e0bfe0994219ed676a71ccb9804be7ebbea42d9ad9596922c16600a101caccbbfd161b98fcc2d7b3e9591afb66e1878627f6cee0918b6a35

  • SSDEEP

    196608:oA+bmZgkjTKD4C4+e4YcJE4AcnPmP99j+zE/k:oAEGZjTvC4EtAcPmPJ/

Score
10/10

Malware Config

Extracted

Family

xworm

C2

210.246.215.82:7000

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    WindowsNT.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Drops file in Drivers directory 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 19 IoCs
  • Loads dropped DLL 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe
    "C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      "C:\Users\Admin\AppData\Roaming\XClient.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2080
    • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
      "C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe"
      2⤵
      • Drops file in Drivers directory
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XblAuthManager
        3⤵
        • Executes dropped EXE
        PID:2500
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XblGameSave
        3⤵
        • Executes dropped EXE
        PID:2748
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XboxGipSvc
        3⤵
        • Executes dropped EXE
        PID:1976
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XboxNetApiSvc
        3⤵
        • Executes dropped EXE
        PID:2820
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop xboxgip
        3⤵
        • Executes dropped EXE
        PID:1624
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XblAuthManager
        3⤵
        • Executes dropped EXE
        PID:2904
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XblGameSave
        3⤵
        • Executes dropped EXE
        PID:1276
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XboxNetApiSvc
        3⤵
        • Executes dropped EXE
        PID:968
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XboxGipSvc
        3⤵
        • Executes dropped EXE
        PID:828
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete xboxgip
        3⤵
        • Executes dropped EXE
        PID:2188
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop vgk
        3⤵
        • Executes dropped EXE
        PID:1636
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete "HKLM\SYSTEM\CurrentControlSet\Services\xbgm" /f
        3⤵
        • Executes dropped EXE
        PID:676
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f
        3⤵
        • Executes dropped EXE
        PID:1816
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /disable
        3⤵
        • Executes dropped EXE
        PID:2268
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe /Change /TN "Microsoft\XblGameSave\XblGameSaveTaskLogon" /disableL
        3⤵
        • Executes dropped EXE
        PID:3060
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe -Command "& {Get-AppxPackage -allusers *xbox* | Remove-AppxPackage}"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2632
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        3⤵
        • Executes dropped EXE
        PID:2744
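
Added example, not part of the sandbox report or of the Xworm/xSpoofer binaries: every level-3 child in the tree above is launched from xSpoofer-new.exe, yet its arguments are those of sc.exe ("stop <service>", "delete <service>"), reg.exe ("add/delete HKLM\..."), schtasks.exe ("/Change /TN ... /disable") and powershell.exe ("-Command ..."). Together with the "Suspicious use of SetThreadContext" and "WriteProcessMemory" signatures, that is the shape of a process whose on-disk name does not match the code it executes. The Python check below classifies each command line by argument grammar and flags processes whose image basename is not the utility that grammar belongs to. The process records are constructed from the tree above; the grammar table is an assumption of this example and covers only the four utilities seen here.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str    # executable the sandbox saw being launched
    args: str     # everything after the image on the command line


# Argument grammars of the Windows utilities that would normally carry these
# arguments. ASSUMPTION: this table covers only the four utilities seen in the
# report; extend it before using the check elsewhere. Order matters: the
# reg.exe pattern must precede sc.exe's because both accept "delete <target>".
GRAMMARS = [
    ("reg.exe",        re.compile(r'^(add|delete|query)\s+"?HK(LM|CU|CR|U|CC)\\', re.I)),
    ("schtasks.exe",   re.compile(r"^/(change|create|delete|run|query)\s+/tn\s+", re.I)),
    ("powershell.exe", re.compile(r"^-(command|encodedcommand|enc|c|e)\b", re.I)),
    ("sc.exe",         re.compile(r"^(stop|start|delete|create|config|query)\s+\S+", re.I)),
]


def expected_utility(args):
    """Name of the utility whose argument grammar `args` follows, or None."""
    for util, pat in GRAMMARS:
        if pat.search(args.strip()):
            return util
    return None


def image_name(path):
    """Lower-cased basename of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_mismatches(procs):
    """Return (pid, image basename, expected utility) for every process whose
    arguments belong to a utility other than the image that was launched."""
    hits = []
    for p in procs:
        util = expected_utility(p.args)
        if util and image_name(p.image) != util:
            hits.append((p.pid, image_name(p.image), util))
    return hits


# Process records constructed from the sandbox tree above.
XS = r"C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe"
SAMPLE = [
    Proc(2420, r"C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe", ""),
    Proc(2080, r"C:\Users\Admin\AppData\Roaming\XClient.exe", ""),
    Proc(1756, XS, ""),
    Proc(2500, XS, "stop XblAuthManager"),
    Proc(2748, XS, "stop XblGameSave"),
    Proc(1976, XS, "stop XboxGipSvc"),
    Proc(2820, XS, "stop XboxNetApiSvc"),
    Proc(1624, XS, "stop xboxgip"),
    Proc(2904, XS, "delete XblAuthManager"),
    Proc(1276, XS, "delete XblGameSave"),
    Proc(968,  XS, "delete XboxNetApiSvc"),
    Proc(828,  XS, "delete XboxGipSvc"),
    Proc(2188, XS, "delete xboxgip"),
    Proc(1636, XS, "stop vgk"),
    Proc(676,  XS, r'delete "HKLM\SYSTEM\CurrentControlSet\Services\xbgm" /f'),
    Proc(1816, XS, r'add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f'),
    Proc(2268, XS, r'/Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /disable'),
    Proc(3060, XS, r'/Change /TN "Microsoft\XblGameSave\XblGameSaveTaskLogon" /disableL'),
    Proc(2632, XS, '-Command "& {Get-AppxPackage -allusers *xbox* | Remove-AppxPackage}"'),
    Proc(2744, XS, ""),
]

if __name__ == "__main__":
    for pid, image, util in find_mismatches(SAMPLE):
        print(f"PID {pid}: {image} launched with {util}-style arguments")
```

Run against the records above the check flags sixteen children and leaves the three parents and the argument-less PID 2744 alone; a genuine "sc.exe stop vgk" produces no hit. On a live host the same rule runs over process-creation telemetry (Sysmon event 1 or the equivalent EDR field), where image path and command line are both recorded.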

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Users\Admin\AppData\Roaming\XClient.exe

          Filesize

          87KB

          MD5

          626eb43e3611e3217f8602f7b8206889

          SHA1

          358935565a0a495a62559b204b7b41cbc365d8d9

          SHA256

          3c468ad439464cebe619052e06cf797b296ab0d9bcf88d475fb5c9b42b489573

          SHA512

          f4bf30eeadb557501362de71d4b6d58ab498d98e52b453f6e20309da36fe288d098dab9bb08cfcecf12787536ff20f0e649401ab6b0ff75e6671a4f3ebc4cd29

        • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

          Filesize

          6.6MB

          MD5

          01cc2635f0c521ea12f5ae582ae4beb9

          SHA1

          c28945aa836d2b59913ff14754966f295470dc52

          SHA256

          f17cc9f90639e7d3283b829fbeb8e7e944ba9df4839a25abf9a45b52180b2569

          SHA512

          f078c58564d06c718ee4c279f9c6743038d2c19a2d827d670a3fb3f0ceaf83dba71bc29e965a7f7eca4e6300e9c69b26ff9b6a9e6000f16993b0f2ad184924c9

        • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

          Filesize

          2.7MB

          MD5

          485e3b493d3e0843a255bb3c5340424e

          SHA1

          1daa7fc3e21c59dd0756d39ea35e09ab53e83aea

          SHA256

          880d83c0ff985df0a3d9a454d2d861bc4018b0c6304040f53c29a6817a44871d

          SHA512

          fa5ee9c11e74812acf5ecc9c473a8c52458250a7a709254878438ec287f5f34e90142e8db8ddd3de8848cfe74eae95929e98ded6369fc5809b8eb7d24f047d7d

        • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

          Filesize

          6.4MB

          MD5

          18dcfd641e2bd515bf3f583497e9f190

          SHA1

          128c05d286d815ee61b31ba3c1a1d1aca1720583

          SHA256

          d3a13414facd5974f187438584dc70b4a8eb265f534401f146180519412f8e1d

          SHA512

          d249da60c7e0a5c097ee925d3d8bc343a4663d031900c4682d43821d322e59763af45e6cf2dd5d97ba6ef19e2f60ebcc67cfc99c5009b773f86a7f164644800e

        • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

          Filesize

          6.8MB

          MD5

          b01ef26a47d9b3b2869ff8435f0673f4

          SHA1

          33b522e9e0eb1fdd2b4fc1129167f84f9be3c4fb

          SHA256

          287b89409a8169e208eda6789b82052f85672b204773c85b78a1f5fce611e6e4

          SHA512

          4f3222d61743e1a37fe11937bad8de456429f2bca58be2647acda387215082edff69b8764777994afba953d6517e675d681521c0887204606ae11b7b7158a9bd

        • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

          Filesize

          6.1MB

          MD5

          156a4c2e3fb23e567834eeda09eb9b25

          SHA1

          d2697ab15a3bb2776a48bc4ffab220874f0cc243

          SHA256

          556cbd300605791e8b0d0c0cf2dedfd78e6da05123e18fef3900d10a1e47b55c

          SHA512

          e5c2cf353e30f20d449a965b7d31a6248134aeee407fafd1fb1d5c15856b26bb4b40d1928898601426080601528da83e5d000361a163daa391c5e9b796ac5405

        • \Users\Admin\AppData\Roaming\xSpoofer-new.exe

          Filesize

          6.8MB

          MD5

          233320478ce264f9e08d249244dc4fdb

          SHA1

          af46758a7c39b4edf4b5b0819f732abb5ad19e17

          SHA256

          edb57df920f62e6f1241695f8a46e420f104455a54fe91431db545834fd8d5ba

          SHA512

          b1c06e96cbabd58f8489a18c8c270718cea634a9bbd4fd67786cd5d31cfa475d4f97e2389f1ce2b5ddf10db9687b5cb5361e878d29427f9670f59343468d5967

        • memory/676-197-0x0000000100000000-0x0000000100056000-memory.dmp

          Filesize

          344KB

        • memory/828-154-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/968-210-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/968-140-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/1276-127-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/1276-126-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/1624-98-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/1624-91-0x000007FFFFFDB000-0x000007FFFFFDC000-memory.dmp

          Filesize

          4KB

        • memory/1636-184-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/1756-112-0x0000000004280000-0x0000000004D70000-memory.dmp

          Filesize

          10.9MB

        • memory/1756-25-0x0000000004280000-0x0000000004D70000-memory.dmp

          Filesize

          10.9MB

        • memory/1756-283-0x000000013F360000-0x000000013FE50000-memory.dmp

          Filesize

          10.9MB

        • memory/1756-37-0x0000000004280000-0x0000000004D70000-memory.dmp

          Filesize

          10.9MB

        • memory/1756-284-0x00000000774C0000-0x0000000077669000-memory.dmp

          Filesize

          1.7MB

        • memory/1756-16-0x000000013F360000-0x000000013FE50000-memory.dmp

          Filesize

          10.9MB

        • memory/1756-18-0x00000000774C0000-0x0000000077669000-memory.dmp

          Filesize

          1.7MB

        • memory/1756-68-0x000000013F360000-0x000000013FE50000-memory.dmp

          Filesize

          10.9MB

        • memory/1756-41-0x000000013F360000-0x000000013FE50000-memory.dmp

          Filesize

          10.9MB

        • memory/1756-97-0x0000000004280000-0x0000000004D70000-memory.dmp

          Filesize

          10.9MB

        • memory/1756-82-0x00000000774C0000-0x0000000077669000-memory.dmp

          Filesize

          1.7MB

        • memory/1816-211-0x0000000100000000-0x0000000100056000-memory.dmp

          Filesize

          344KB

        • memory/1976-67-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/1976-61-0x000007FFFFFD9000-0x000007FFFFFDA000-memory.dmp

          Filesize

          4KB

        • memory/2080-7-0x0000000000980000-0x000000000099C000-memory.dmp

          Filesize

          112KB

        • memory/2080-39-0x0000000000900000-0x0000000000980000-memory.dmp

          Filesize

          512KB

        • memory/2080-8-0x000007FEF5860000-0x000007FEF624C000-memory.dmp

          Filesize

          9.9MB

        • memory/2080-40-0x000007FEF5860000-0x000007FEF624C000-memory.dmp

          Filesize

          9.9MB

        • memory/2188-169-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2188-170-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2268-224-0x0000000100000000-0x0000000100048000-memory.dmp

          Filesize

          288KB

        • memory/2420-0-0x0000000000380000-0x0000000000A8E000-memory.dmp

          Filesize

          7.1MB

        • memory/2420-17-0x000007FEF5860000-0x000007FEF624C000-memory.dmp

          Filesize

          9.9MB

        • memory/2420-14-0x000000013F360000-0x000000013FE50000-memory.dmp

          Filesize

          10.9MB

        • memory/2420-1-0x000007FEF5860000-0x000007FEF624C000-memory.dmp

          Filesize

          9.9MB

        • memory/2500-20-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2500-28-0x000007FFFFFD3000-0x000007FFFFFD4000-memory.dmp

          Filesize

          4KB

        • memory/2500-32-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2500-29-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2500-26-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2500-34-0x000000013F360000-0x000000013FE50000-memory.dmp

          Filesize

          10.9MB

        • memory/2500-22-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2500-23-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2500-21-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2500-24-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2500-33-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2500-27-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2632-258-0x0000000002CD0000-0x0000000002D50000-memory.dmp

          Filesize

          512KB

        • memory/2632-260-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

          Filesize

          9.6MB

        • memory/2632-253-0x0000000140000000-0x0000000140077000-memory.dmp

          Filesize

          476KB

        • memory/2632-255-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

          Filesize

          9.6MB

        • memory/2632-257-0x0000000001D90000-0x0000000001D98000-memory.dmp

          Filesize

          32KB

        • memory/2632-264-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

          Filesize

          9.6MB

        • memory/2632-254-0x000000001B720000-0x000000001BA02000-memory.dmp

          Filesize

          2.9MB

        • memory/2632-259-0x0000000002CD0000-0x0000000002D50000-memory.dmp

          Filesize

          512KB

        • memory/2632-263-0x0000000140000000-0x0000000140077000-memory.dmp

          Filesize

          476KB

        • memory/2632-261-0x0000000002CD0000-0x0000000002D50000-memory.dmp

          Filesize

          512KB

        • memory/2632-262-0x0000000002CD0000-0x0000000002D50000-memory.dmp

          Filesize

          512KB

        • memory/2748-53-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2748-47-0x000007FFFFFD4000-0x000007FFFFFD5000-memory.dmp

          Filesize

          4KB

        • memory/2820-76-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

          Filesize

          4KB

        • memory/2820-155-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2820-83-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2904-113-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/3060-237-0x0000000100000000-0x0000000100048000-memory.dmp

          Filesize

          288KB

        • memory/3060-280-0x000000013F360000-0x000000013FE50000-memory.dmp

          Filesize

          10.9MB
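
Added example, not part of the report: a parser for the Downloads list above (dropped-file entries with Filesize and MD5/SHA1/SHA256/SHA512, and memory/<pid>-<n>-<base>-<end>-memory.dmp region entries) that does three things a practitioner wants before these values go into a blocklist or a hunt. It validates hash length and alphabet so extraction damage is caught early; it groups distinct hashes per path, since xSpoofer-new.exe was written six times with six different contents and one hash covers only one of them; and it cross-checks, per PID, the size of the dumped main-image region against the smallest on-disk size of the file that process was launched from. In the report the sc-style children (PID 2500, for instance) carry a 60KB image at 0x100000000 while every on-disk xSpoofer-new.exe is 2.7MB or larger, which is consistent with the SetThreadContext/WriteProcessMemory signatures. The "main image region" rule (lowest 64KB-aligned region at or above 4GB) is a triage heuristic and an assumption of this example, not something the sandbox states; a real check reads ImageBaseAddress from the PEB. The REPORT excerpt is constructed from the entries above.

```python
import re
from collections import defaultdict

# Excerpt of the "Downloads" list above, constructed here as inline input.
# The full list has the same two entry shapes: a dropped file with its
# Filesize and hashes, or a memory/<pid>-<n>-<base>-<end>-memory.dmp region.
REPORT = r"""
• C:\Users\Admin\AppData\Roaming\XClient.exe
  Filesize
  87KB
  MD5
  626eb43e3611e3217f8602f7b8206889
  SHA256
  3c468ad439464cebe619052e06cf797b296ab0d9bcf88d475fb5c9b42b489573
• C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
  Filesize
  6.6MB
  SHA256
  f17cc9f90639e7d3283b829fbeb8e7e944ba9df4839a25abf9a45b52180b2569
• C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
  Filesize
  2.7MB
  SHA256
  880d83c0ff985df0a3d9a454d2d861bc4018b0c6304040f53c29a6817a44871d
• memory/2500-20-0x0000000100000000-0x000000010000F000-memory.dmp
  Filesize
  60KB
• memory/2500-28-0x000007FFFFFD3000-0x000007FFFFFD4000-memory.dmp
  Filesize
  4KB
• memory/2500-34-0x000000013F360000-0x000000013FE50000-memory.dmp
  Filesize
  10.9MB
• memory/1756-16-0x000000013F360000-0x000000013FE50000-memory.dmp
  Filesize
  10.9MB
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB|GB)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_size(text):
    """'87KB' -> 89088; the report rounds to one decimal, so sizes are approximate."""
    m = SIZE_RE.match(text)
    if not m:
        raise ValueError(f"bad size: {text!r}")
    return int(float(m.group(1)) * UNIT[m.group(2)])


def parse_report(text):
    """Split the list into file drops and memory regions; reject hashes whose
    length or alphabet is wrong so damaged values never reach a blocklist."""
    drops, regions, cur = [], [], None
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    i = 0
    while i < len(lines):
        if lines[i].startswith("•"):
            name = lines[i][1:].strip()
            m = MEM_RE.match(name)
            if m:
                cur = {"pid": int(m.group(1)), "base": int(m.group(3), 16), "end": int(m.group(4), 16)}
                regions.append(cur)
            else:
                cur = {"path": name}
                drops.append(cur)
            i += 1
            continue
        key, val = lines[i], lines[i + 1]  # "Filesize"/"MD5"/... then its value
        if key == "Filesize":
            cur["size"] = parse_size(val)
        elif key in HASH_LEN:
            if len(val) != HASH_LEN[key] or not re.fullmatch(r"[0-9a-fA-F]+", val):
                raise ValueError(f"malformed {key} for {cur.get('path')}: {val!r}")
            cur[key] = val.lower()
        i += 2
    return drops, regions


def hashes_per_path(drops, algo="SHA256"):
    """One path, many contents: the same file name can carry several hashes."""
    out = defaultdict(set)
    for d in drops:
        if algo in d:
            out[d["path"]].add(d[algo])
    return {p: sorted(h) for p, h in out.items()}


def primary_image_region(regions, pid):
    """ASSUMPTION (triage heuristic, not something the sandbox states): the
    lowest 64 KB-aligned region at or above 4 GB is the 64-bit process's main
    executable image. A real check reads ImageBaseAddress from the PEB."""
    cands = [r for r in regions
             if r["pid"] == pid and r["base"] >= (1 << 32) and r["base"] % 0x10000 == 0]
    return min(cands, key=lambda r: r["base"]) if cands else None


def image_size_mismatches(drops, regions, launched, ratio=10):
    """launched: {pid: path}. Flag PIDs whose main image region is more than
    `ratio` times smaller than the smallest on-disk version of the file they
    were started from; a 60 KB image cannot be a 2.7 MB executable."""
    min_disk = {}
    for d in drops:
        p = d["path"].lower()
        min_disk[p] = min(min_disk.get(p, d["size"]), d["size"])
    flagged = []
    for pid, path in launched.items():
        r, disk = primary_image_region(regions, pid), min_disk.get(path.lower())
        if r and disk and disk > ratio * (r["end"] - r["base"]):
            flagged.append((pid, r["base"], r["end"] - r["base"], disk))
    return flagged
```

With the excerpt above, parse_report yields three drops and four regions, hashes_per_path shows two SHA256 values for one xSpoofer-new.exe path (six in the full list), and image_size_mismatches flags PID 2500 (60KB image, smallest disk copy 2.7MB) but not PID 1756, whose lowest high region is the 10.9MB image at 0x13F360000. The ratio is deliberately loose: a PE's virtual size normally exceeds its file size, so only a large shortfall is meaningful.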