Analysis

  • max time kernel
    146s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    02/04/2024, 13:37

General

  • Target

    b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe

  • Size

    7.0MB

  • MD5

    6b47add2cf208a988c57c8f00461de0b

  • SHA1

    cf9518f4bd3cf94ab7225423e4365f4a262a9c61

  • SHA256

    b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07

  • SHA512

    e2f5eb2e82ab1951e0bfe0994219ed676a71ccb9804be7ebbea42d9ad9596922c16600a101caccbbfd161b98fcc2d7b3e9591afb66e1878627f6cee0918b6a35

  • SSDEEP

    196608:oA+bmZgkjTKD4C4+e4YcJE4AcnPmP99j+zE/k:oAEGZjTvC4EtAcPmPJ/

Malware Config

Extracted

Family

xworm

C2

210.246.215.82:7000

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    WindowsNT.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 19 IoCs
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 17 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe
    "C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1020
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      "C:\Users\Admin\AppData\Roaming\XClient.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4304
    • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
      "C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe"
      2⤵
      • Drops file in Drivers directory
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XblAuthManager
        3⤵
        • Executes dropped EXE
        PID:4404
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XblGameSave
        3⤵
        • Executes dropped EXE
        PID:1920
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XboxGipSvc
        3⤵
        • Executes dropped EXE
        PID:1996
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XboxNetApiSvc
        3⤵
        • Executes dropped EXE
        PID:2064
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop xboxgip
        3⤵
        • Executes dropped EXE
        PID:4892
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XblAuthManager
        3⤵
        • Executes dropped EXE
        PID:2428
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XblGameSave
        3⤵
        • Executes dropped EXE
        PID:4060
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XboxNetApiSvc
        3⤵
        • Executes dropped EXE
        PID:2380
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XboxGipSvc
        3⤵
        • Executes dropped EXE
        PID:3828
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete xboxgip
        3⤵
        • Executes dropped EXE
        PID:1360
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop vgk
        3⤵
        • Executes dropped EXE
        PID:4764
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete "HKLM\SYSTEM\CurrentControlSet\Services\xbgm" /f
        3⤵
        • Executes dropped EXE
        PID:2136
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f
        3⤵
        • Executes dropped EXE
        PID:512
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /disable
        3⤵
        • Executes dropped EXE
        PID:944
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe /Change /TN "Microsoft\XblGameSave\XblGameSaveTaskLogon" /disableL
        3⤵
        • Executes dropped EXE
        PID:2232
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe -Command "& {Get-AppxPackage -allusers *xbox* | Remove-AppxPackage}"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4180
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        PID:4308

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ycn2jevy.wne.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Roaming\XClient.exe

          Filesize

          87KB

          MD5

          626eb43e3611e3217f8602f7b8206889

          SHA1

          358935565a0a495a62559b204b7b41cbc365d8d9

          SHA256

          3c468ad439464cebe619052e06cf797b296ab0d9bcf88d475fb5c9b42b489573

          SHA512

          f4bf30eeadb557501362de71d4b6d58ab498d98e52b453f6e20309da36fe288d098dab9bb08cfcecf12787536ff20f0e649401ab6b0ff75e6671a4f3ebc4cd29

        • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

          Filesize

          6.8MB

          MD5

          233320478ce264f9e08d249244dc4fdb

          SHA1

          af46758a7c39b4edf4b5b0819f732abb5ad19e17

          SHA256

          edb57df920f62e6f1241695f8a46e420f104455a54fe91431db545834fd8d5ba

          SHA512

          b1c06e96cbabd58f8489a18c8c270718cea634a9bbd4fd67786cd5d31cfa475d4f97e2389f1ce2b5ddf10db9687b5cb5361e878d29427f9670f59343468d5967

        • memory/512-130-0x0000000140000000-0x0000000140057000-memory.dmp

          Filesize

          348KB

        • memory/944-137-0x0000000140000000-0x000000014003E000-memory.dmp

          Filesize

          248KB

        • memory/944-136-0x0000000140000000-0x000000014003E000-memory.dmp

          Filesize

          248KB

        • memory/1020-1-0x00007FF974490000-0x00007FF974F51000-memory.dmp

          Filesize

          10.8MB

        • memory/1020-28-0x00007FF974490000-0x00007FF974F51000-memory.dmp

          Filesize

          10.8MB

        • memory/1020-0-0x0000000000B50000-0x000000000125E000-memory.dmp

          Filesize

          7.1MB

        • memory/1360-111-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/1360-108-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/1360-110-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/1848-29-0x00007FF992450000-0x00007FF992645000-memory.dmp

          Filesize

          2.0MB

        • memory/1848-121-0x00007FF633440000-0x00007FF633F30000-memory.dmp

          Filesize

          10.9MB

        • memory/1848-25-0x00007FF633440000-0x00007FF633F30000-memory.dmp

          Filesize

          10.9MB

        • memory/1848-71-0x00007FF992450000-0x00007FF992645000-memory.dmp

          Filesize

          2.0MB

        • memory/1848-66-0x00007FF633440000-0x00007FF633F30000-memory.dmp

          Filesize

          10.9MB

        • memory/1920-42-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/1920-44-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/1920-46-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/1920-47-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/1920-48-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/1996-51-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/1996-55-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/1996-56-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/1996-57-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/1996-53-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/2064-67-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/2064-60-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/2064-63-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/2064-65-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/2064-64-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/2136-123-0x0000000140000000-0x0000000140057000-memory.dmp

          Filesize

          348KB

        • memory/2136-124-0x0000000140000000-0x0000000140057000-memory.dmp

          Filesize

          348KB

        • memory/2136-119-0x0000000140000000-0x0000000140057000-memory.dmp

          Filesize

          348KB

        • memory/2136-122-0x0000000140000000-0x0000000140057000-memory.dmp

          Filesize

          348KB

        • memory/2136-125-0x0000000140000000-0x0000000140057000-memory.dmp

          Filesize

          348KB

        • memory/2232-143-0x0000000140000000-0x000000014003E000-memory.dmp

          Filesize

          248KB

        • memory/2380-94-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/2380-98-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/2380-96-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/2428-80-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/2428-82-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/2428-84-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/3828-103-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/3828-105-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/3828-101-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/4060-91-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/4060-90-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/4060-89-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/4060-87-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/4180-168-0x000001E4FE9D0000-0x000001E4FE9F6000-memory.dmp

          Filesize

          152KB

        • memory/4180-165-0x000001E4E48A0000-0x000001E4E48B0000-memory.dmp

          Filesize

          64KB

        • memory/4180-174-0x000001E4E48A0000-0x000001E4E48B0000-memory.dmp

          Filesize

          64KB

        • memory/4180-178-0x0000000140000000-0x0000000140071000-memory.dmp

          Filesize

          452KB

        • memory/4180-152-0x00007FF974490000-0x00007FF974F51000-memory.dmp

          Filesize

          10.8MB

        • memory/4180-172-0x000001E4E48A0000-0x000001E4E48B0000-memory.dmp

          Filesize

          64KB

        • memory/4180-171-0x00007FF974490000-0x00007FF974F51000-memory.dmp

          Filesize

          10.8MB

        • memory/4180-170-0x000001E4E48A0000-0x000001E4E48B0000-memory.dmp

          Filesize

          64KB

        • memory/4180-163-0x000001E4E6680000-0x000001E4E66A2000-memory.dmp

          Filesize

          136KB

        • memory/4180-167-0x000001E4FE930000-0x000001E4FE93A000-memory.dmp

          Filesize

          40KB

        • memory/4180-179-0x00007FF974490000-0x00007FF974F51000-memory.dmp

          Filesize

          10.8MB

        • memory/4180-153-0x000001E4E48A0000-0x000001E4E48B0000-memory.dmp

          Filesize

          64KB

        • memory/4180-151-0x0000000140000000-0x0000000140071000-memory.dmp

          Filesize

          452KB

        • memory/4180-175-0x000001E4E48A0000-0x000001E4E48B0000-memory.dmp

          Filesize

          64KB

        • memory/4180-166-0x000001E4FE940000-0x000001E4FE956000-memory.dmp

          Filesize

          88KB

        • memory/4304-14-0x00007FF974490000-0x00007FF974F51000-memory.dmp

          Filesize

          10.8MB

        • memory/4304-61-0x00007FF974490000-0x00007FF974F51000-memory.dmp

          Filesize

          10.8MB

        • memory/4304-34-0x000000001ADF0000-0x000000001AE00000-memory.dmp

          Filesize

          64KB

        • memory/4304-13-0x0000000000200000-0x000000000021C000-memory.dmp

          Filesize

          112KB

        • memory/4308-208-0x0000000140000000-0x0000000140AE7000-memory.dmp

          Filesize

          10.9MB

        • memory/4308-205-0x00000147CFE90000-0x00000147CFE91000-memory.dmp

          Filesize

          4KB

        • memory/4308-204-0x0000000140000000-0x0000000140AE7000-memory.dmp

          Filesize

          10.9MB

        • memory/4308-185-0x0000000140000000-0x0000000140AE7000-memory.dmp

          Filesize

          10.9MB

        • memory/4404-36-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/4404-30-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/4404-32-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/4404-35-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/4404-39-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/4404-38-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/4404-37-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/4764-114-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/4764-117-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/4764-118-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/4764-116-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/4892-77-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/4892-76-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/4892-75-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/4892-73-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB

        • memory/4892-70-0x0000000140000000-0x0000000140017000-memory.dmp

          Filesize

          92KB