Analysis

  • max time kernel
    135s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
  • submitted
    13/07/2024, 03:02

General

  • Target

    GPU-UUID-Changer.exe

  • Size

    9.1MB

  • MD5

    3f6c9384490a5eb88d9c6a1b258a9895

  • SHA1

    403e28d2656ed756ea0e8cb29dc2651820b3f208

  • SHA256

    935996d08fff589672a9b02b6b95378af257416620f289af520602136dcba3d2

  • SHA512

    2980ece94859d2c09cd03367e430ddf73a905c83598ed3b0f4cce6fa7b5b6a6e470221b6419b88def3a17d4702397a4f748406500e7bc3381efeab7ed7980aca

  • SSDEEP

    196608:3gJCvHuEdmzjKiQLYAsGcBzG5NF1TvdS7gW:ECPueiQxsANF1vdS7h

Malware Config

Extracted

Family

xworm

Version

3.1

C2

aid-poly.at.ply.gg:13632

Attributes
  • Install_directory

    %Temp%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 9 IoCs
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Runs net.exe
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\GPU-UUID-Changer.exe
    "C:\Users\Admin\AppData\Local\Temp\GPU-UUID-Changer.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1336
    • C:\Users\Admin\AppData\Roaming\spoof.exe
      "C:\Users\Admin\AppData\Roaming\spoof.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "spoof" /tr "C:\Users\Admin\AppData\Local\Temp\spoof.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2612
    • C:\Users\Admin\AppData\Roaming\GPU-UUID-Changer.exe
      "C:\Users\Admin\AppData\Roaming\GPU-UUID-Changer.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1260
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3728
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /All /Quiet
          4⤵
          • Interacts with shadow copies
          PID:3024
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c net stop winmgmt /Y
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1880
        • C:\Windows\system32\net.exe
          net stop winmgmt /Y
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2408
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 stop winmgmt /Y
            5⤵
            PID:5012
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c exit
        3⤵
        PID:3104
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1312
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1484
  • C:\Users\Admin\AppData\Local\Temp\spoof.exe
    C:\Users\Admin\AppData\Local\Temp\spoof.exe
    1⤵
    • Executes dropped EXE
    PID:1384
  • C:\Users\Admin\AppData\Local\Temp\spoof.exe
    C:\Users\Admin\AppData\Local\Temp\spoof.exe
    1⤵
    • Executes dropped EXE
    PID:2820
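The process tree above carries the three command lines behind the Signatures section (the one-minute schtasks task with /RL HIGHEST, vssadmin delete shadows, net stop winmgmt), and the Malware Config section gives the C2. As an added example that is not part of the sandbox report, the Python script below encodes those behaviours as detection rules over process-creation events and matches the C2 against a DNS log. The events and log lines are constructed from this page; the rule names, the ATT&CK mapping and the observation that *.ply.gg is the playit.gg tunnel domain are the example's own.

```python
"""Added example: triage rules for the process tree and config above.

Not part of the sandbox report. EVENTS and DNS_LOG are constructed from
the command lines and C2 shown on this page; the rules, the ATT&CK IDs
and the *.ply.gg tunnel check are this example's own.
"""
import re
from dataclasses import dataclass

# Executables dropped to and launched from these paths are the ones to watch.
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)

# Constructed process-creation events: (pid, image, command line).
EVENTS = [
    (1336, r"C:\Users\Admin\AppData\Local\Temp\GPU-UUID-Changer.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\GPU-UUID-Changer.exe"'),
    (1708, r"C:\Users\Admin\AppData\Roaming\spoof.exe",
     r'"C:\Users\Admin\AppData\Roaming\spoof.exe"'),
    (2612, r"C:\Windows\System32\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
     r'/tn "spoof" /tr "C:\Users\Admin\AppData\Local\Temp\spoof.exe"'),
    (1260, r"C:\Users\Admin\AppData\Roaming\GPU-UUID-Changer.exe",
     r'"C:\Users\Admin\AppData\Roaming\GPU-UUID-Changer.exe"'),
    (3024, r"C:\Windows\system32\vssadmin.exe", r"vssadmin delete shadows /All /Quiet"),
    (2408, r"C:\Windows\system32\net.exe", r"net stop winmgmt /Y"),
    (3104, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c exit"),
]


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    attack: str  # ATT&CK technique ID; empty when the rule is context only
    detail: str


def tokens(cmdline):
    """Split a Windows command line, keeping quoted arguments as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def opt(toks, flag):
    """Value that follows a flag, or None when the flag is absent or last."""
    try:
        return toks[toks.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def check_event(pid, image, cmdline):
    """Apply the behavioural rules to one process-creation event."""
    toks = [t.lower() for t in tokens(cmdline)]
    name = image.rsplit("\\", 1)[-1].lower()
    out = []
    if USER_WRITABLE.search(image):
        out.append(Finding(pid, "Executes dropped EXE", "", image))
    if name == "schtasks.exe" and "/create" in toks:
        why = []
        if opt(toks, "/sc") == "minute" and opt(toks, "/mo") == "1":
            why.append("re-launched every minute")
        if opt(toks, "/rl") == "highest":
            why.append("runs at highest run level")
        target = opt(toks, "/tr") or ""
        if USER_WRITABLE.search(target):
            why.append("target in user-writable path: " + target)
        if why:
            out.append(Finding(pid, "Scheduled task persistence", "T1053.005", "; ".join(why)))
    if name == "vssadmin.exe" and "delete" in toks and "shadows" in toks:
        out.append(Finding(pid, "Deletes shadow copies", "T1490", cmdline))
    if name in ("net.exe", "net1.exe") and toks[1:3] == ["stop", "winmgmt"]:
        out.append(Finding(pid, "Stops WMI service", "T1489", cmdline))
    return out


def triage(events=EVENTS):
    """Run every rule over every event; plain cmd.exe wrappers yield nothing."""
    return [f for pid, image, cmd in events for f in check_event(pid, image, cmd)]


# C2 host from the extracted Xworm config (port 13632). *.ply.gg is the
# playit.gg tunnel domain, so sibling endpoints are reported too (assumption).
C2_HOST = "aid-poly.at.ply.gg"

DNS_LOG = [  # constructed sample lines: "<timestamp> <client> <qname>"
    "2024-07-13T03:03:10Z 10.0.0.12 aid-poly.at.ply.gg",
    "2024-07-13T03:03:12Z 10.0.0.12 www.microsoft.com",
    "2024-07-13T03:04:01Z 10.0.0.19 other-host.at.ply.gg",
]


def match_dns(lines=DNS_LOG):
    """Return (client, qname, reason) for queries that match the C2 IOC set."""
    hits = []
    for line in lines:
        _ts, client, qname = line.split()
        if qname.lower() == C2_HOST:
            hits.append((client, qname, "Xworm C2 from config"))
        elif qname.lower().endswith(".ply.gg"):
            hits.append((client, qname, "playit.gg tunnel endpoint"))
    return hits


if __name__ == "__main__":
    for f in triage():
        print(f"{f.pid:>5} {f.attack:<9} {f.rule}: {f.detail}")
    for hit in match_dns():
        print(hit)
```

The schtasks rule is deliberately strict: a task that re-runs every minute at highest run level from a user-writable path is what keeps the two top-level Temp\spoof.exe instances (PIDs 1384 and 2820) appearing, so all three conditions are reported together rather than as one weak signal each.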

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoof.exe.log

    Filesize

    654B

    MD5

    2ff39f6c7249774be85fd60a8f9a245e

    SHA1

    684ff36b31aedc1e587c8496c02722c6698c1c4e

    SHA256

    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

    SHA512

    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

  • C:\Users\Admin\AppData\Roaming\GPU-UUID-Changer.exe

    Filesize

    9.1MB

    MD5

    d017dce19ccb6058d97506dcea7a8d8e

    SHA1

    c2789af6e67fb530b64da82ced1355f4494ff1bd

    SHA256

    b4a5ac199048621eef42ad480aa9379a6ac76dbae08ca4b170da9e970b48e059

    SHA512

    04d504f551ab762b69174c01dfec82611a43125aea670d7070162268542b3dd95c519bc93e51e8490c122c834a87a85c76fed3c2bea601742b951713624405c3

  • C:\Users\Admin\AppData\Roaming\spoof.exe

    Filesize

    68KB

    MD5

    3e1a0d74fd0db1063ca1497041470a32

    SHA1

    932b8d0954102add2461cf203ccb96a35b1ddef7

    SHA256

    1c655e32a859ce3fe86a6e9ebb810c4e848bebd2f83db91af991771639df76b6

    SHA512

    561e53db8bec69f6bb9029ba7a245067305ffcfc133a53b3b68c4d5d3f7b9acc71db60afff9f2e3fdfbb55e50ede13362fb2b2e8897b89f36f7543da9cc144cf

  • memory/1260-32-0x00007FF736DE0000-0x00007FF737E41000-memory.dmp

    Filesize

    16.4MB

  • memory/1260-25-0x00007FF736E0D000-0x00007FF73752F000-memory.dmp

    Filesize

    7.1MB

  • memory/1260-24-0x00007FF87EA70000-0x00007FF87EA72000-memory.dmp

    Filesize

    8KB

  • memory/1260-27-0x00007FF736DE0000-0x00007FF737E41000-memory.dmp

    Filesize

    16.4MB

  • memory/1260-33-0x00007FF736E0D000-0x00007FF73752F000-memory.dmp

    Filesize

    7.1MB

  • memory/1336-1-0x0000000000B50000-0x000000000147A000-memory.dmp

    Filesize

    9.2MB

  • memory/1336-0-0x00007FF860673000-0x00007FF860675000-memory.dmp

    Filesize

    8KB

  • memory/1708-13-0x00000000009F0000-0x0000000000A08000-memory.dmp

    Filesize

    96KB

  • memory/1708-29-0x000000001B6E0000-0x000000001B6F0000-memory.dmp

    Filesize

    64KB

  • memory/1708-40-0x00007FF860670000-0x00007FF861131000-memory.dmp

    Filesize

    10.8MB

  • memory/1708-41-0x000000001B6E0000-0x000000001B6F0000-memory.dmp

    Filesize

    64KB

  • memory/1708-14-0x00007FF860670000-0x00007FF861131000-memory.dmp

    Filesize

    10.8MB