Analysis

  • max time kernel
    14s
  • max time network
    14s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    29/10/2024, 22:04

General

  • Target

    SPOILER_Nextzus_V.8.exe

  • Size

    114KB

  • MD5

    9a960c4436689eca6d2fba6e25378416

  • SHA1

    24597aede4f1c4cefb5da2d581771f294eda21d9

  • SHA256

    2b15edfc12f281ececc9e3e26ef466bc37f07b28b15d3f60bcaa77732caf4707

  • SHA512

    4b9ef3d8156b81690cc8232a7050c58861bac57c76de24fa20389091423d788f3d08a8970c4dd496cbca54f93c39e43b06b40858a6a1deba9e9fb3ab7c027e63

  • SSDEEP

    3072:5S/JCF+HYlSHjQmws4Kfu3EaVZ4g7UiRTwKURLkpf:53F+HY8HjLws4MuUKeg4iRTw1La

Malware Config

Extracted

Family

xworm

C2

185.84.161.64:7000

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    svchost.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 23 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 64 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\SPOILER_Nextzus_V.8.exe
    "C:\Users\Admin\AppData\Local\Temp\SPOILER_Nextzus_V.8.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4612
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\SPOILER_Nextzus_V.8.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1064
      • C:\Windows\system32\PING.EXE
        ping -n 2 -w 700 google.com
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3272
      • C:\Windows\System32\chcp.com
        chcp 65001
        3⤵
        PID:2224
      • C:\Windows\System32\mode.com
        Mode 120,30
        3⤵
        PID:2004
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
        3⤵
        PID:2184
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic /namespace:\\root\default path systemrestore call createrestorepoint "Optimizer by Nextzus V.8", 100, 12
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2172
      • C:\Windows\System32\reg.exe
        reg export HKEY_LOCAL_MACHINE "C:\Users\Admin\desktop\Nextzus Registry Backup\HKEY_LOCAL_MACHINE_backup.reg"
        3⤵
        • Checks BIOS information in registry
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:3720
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1780
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:2032
  • C:\Windows\system32\srtasks.exe
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:4
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:932

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\SPOILER_Nextzus_V.8.bat

    Filesize

    29KB

    MD5

    493070c1a7aa9cba136e822e2a78d0d2

    SHA1

    388b8bde171b0c63c4ec651336afd94ccb418d2b

    SHA256

    ac285288aac599931709c42d152ba4006b14059634d830dd81431d625ef9f63c

    SHA512

    6eeb9a00dd124de7e3fdf52a9e0bdcf5c59361f750e4840bb19768fb60a5f842181fa48e9213fce9c0b27f6879feb95e6dffac4a1cb7a9c30206b8ad03e54c3e

  • C:\Users\Admin\AppData\Roaming\svchost.exe

    Filesize

    70KB

    MD5

    ae702d156a2ee10aa0df4e5a365654a1

    SHA1

    bad92787d53da53bda2f180f770752e679ba80c0

    SHA256

    07cc6cdf43c5bfa4c7dc097c3abc5a6fcdfbbda8a52db993ed9f397c4a8af716

    SHA512

    3a6daf7b4ee44cfd6c9a15575f9b4bbc54f22192c72ff4380a2fb3f33227645a4c25cd5cfb15445b446d6485c6bfb38fdf6adf94f121b719ed373e2b5c9a0d9c

  • memory/1780-23-0x0000000000450000-0x0000000000468000-memory.dmp

    Filesize

    96KB

  • memory/1780-25-0x00007FFBE1B30000-0x00007FFBE25F2000-memory.dmp

    Filesize

    10.8MB

  • memory/1780-26-0x00007FFBE1B30000-0x00007FFBE25F2000-memory.dmp

    Filesize

    10.8MB

  • memory/4612-0-0x00007FFBE1B33000-0x00007FFBE1B35000-memory.dmp

    Filesize

    8KB

  • memory/4612-1-0x0000000000BB0000-0x0000000000BD2000-memory.dmp

    Filesize

    136KB