Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    11-11-2024 19:11

General

  • Target

    Spotify downloader.exe

  • Size

    1.2MB

  • MD5

    45de2e252c5ede9b5217d5958e9031f8

  • SHA1

    d2082c95b96dbdf321fc506aad60c38842f28a6b

  • SHA256

    5041a474f1409fe971f2ee415cd67072f0f3e65fe15b720276ad9e8c14c37620

  • SHA512

    5e87dbe79f9c335b4ed4860eb7ed1b8363708454693308f455f5b52afb601e315500f41d81e22d51b969c6a0d48c1f61481aec9b1e57232a859b4b4455d8a23a

  • SSDEEP

    24576:lveTmPpTg+S2/50+YyN1jcaVJOdLIhHBlpV0+jos+7EH1DLA:l2TJyLfJONIhHn0+jt+0

Malware Config

Extracted

Family

xworm

C2

193.161.193.99:1337

93.208.247.124:1337

93.208.240.7:1337

Attributes
  • Install_directory

    %Temp%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Executes dropped EXE 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Spotify downloader.exe
    "C:\Users\Admin\AppData\Local\Temp\Spotify downloader.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1072
    • C:\Users\Admin\AppData\Roaming\SpotifySetup (1).exe
      "C:\Users\Admin\AppData\Roaming\SpotifySetup (1).exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2788
    • C:\Users\Admin\AppData\Roaming\Spotify downloader.exe
      "C:\Users\Admin\AppData\Roaming\Spotify downloader.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2676

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Spotify downloader.exe

    Filesize

    181KB

    MD5

    660c78f925d6ddcca634042883bdd956

    SHA1

    373bb462c8b640126b597475b41d388e9b6de7be

    SHA256

    4bc2c3a8c206b9beaaeb56ee28cdf7dc5bf9b5b62e2e1d3b52053017742c37f9

    SHA512

    372841df239ec8d5fbd39e6599340d4fc3d65c12b8c6cc913d8160cc4ca9978cb086d7fd8dda810260b97b47fcdfcb17079efcb1b7bb12d237f59ec3546cd31e

  • C:\Users\Admin\AppData\Roaming\SpotifySetup (1).exe

    Filesize

    1010KB

    MD5

    b10f6fefd3e1000f950323b961108bb2

    SHA1

    26dfa48343464c574102607e75e9deb6d92e01c9

    SHA256

    56b68adbeb6085189ec52a7f8c3d70f6946505e2c778e0efbcf5a501dd7e1938

    SHA512

    541af6f3db8c662b81a94518b4371b19441249608d35e92c45b36b3a207969d1bd5fe0cfd7e5271c946b337e2ce1737add082804b5a59dc91ac99b4c2df0ddc5

  • memory/1072-0-0x000007FEF58A3000-0x000007FEF58A4000-memory.dmp

    Filesize

    4KB

  • memory/1072-1-0x0000000001080000-0x00000000011B4000-memory.dmp

    Filesize

    1.2MB

  • memory/2676-12-0x0000000000E90000-0x0000000000EC2000-memory.dmp

    Filesize

    200KB

  • memory/2676-13-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

    Filesize

    9.9MB

  • memory/2676-14-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

    Filesize

    9.9MB