Analysis
-
max time kernel
147s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
08-12-2024 14:12
General
-
Target
spoolsv.exe
-
Size
125KB
-
MD5
02201ab0ffca3905fbf110296fd58298
-
SHA1
4068eb4c09f6e09637588ee3cf62bf7229a25faa
-
SHA256
4d0f2f8fd89fec7e4f1348b5b6a0ea528d2b391f48e69df140b91845c0989abe
-
SHA512
4f2d86d8dbdb6946bdd982b7c48aea803eccd99c51ddbd6edcb1f7301f9a8f255953210b5b47ecd6e6a8f1bf93269bb519b3a83548f7d3ea63ded3980bef3705
-
SSDEEP
1536:Rn7TvjnE1RowM/gZbgjx1LAYivy6sDOsyrXdtyVt3A7HPd4n+lbeRZIbSQPYU:RHovoX/0bgAoORHyHQbPRyZ2pPYU
Malware Config
Signatures
-
Detect Xworm Payload 3 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 31 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\spoolsv.exe"C:\Users\Admin\AppData\Local\Temp\spoolsv.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\spoolsv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'spoolsv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\spoolsv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'spoolsv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "spoolsv" /tr "C:\Users\Admin\AppData\Roaming\spoolsv.exe"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\How To Decrypt My Files.html2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2300 CREDAT:275457 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {99AB9D0C-4829-4D20-86D2-CECECC0D1CC6} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\spoolsv.exeC:\Users\Admin\AppData\Roaming\spoolsv.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\spoolsv.exeC:\Users\Admin\AppData\Roaming\spoolsv.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\spoolsv.exeC:\Users\Admin\AppData\Roaming\spoolsv.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD565bca957b6d38e7a5f23bec23a15dc3b
SHA18158083d7faa97ad2da7b3959354ce04cf6a5616
SHA2560746a15b26841823f4cc2452aceac04e2365cf9b03d4918eabe72f749ab9b6f9
SHA5127afda2931d8d57f6842ec87e7bb6395f4e12ac4b553fbea89e839b712f063b26e2b2700954abe812567acdefc9e821c73b6657389fdd1d94bc634b992e56cdf6
-
Filesize
342B
MD520c0b1237b334633c4455a5a7ed3a5aa
SHA1a13dcb6d41406da3c00e97fd9639f951753a11e3
SHA256a16d480f1aa614d632d4bef2132ff86f87c044a680a0403014d19d666a6e0b4e
SHA512e348ba739bd3f40808127a60bb79dbaec554127b2690cc8496ef6ec41d445d66590a1324056798ee384ecbd73d4cb8b9d5608129c6d7ff1306ecfcfca9264410
-
Filesize
342B
MD5bd5f400d8f7246d3a6e7ba119b527ea3
SHA1a4142bca2ec729a2a28b0f6407cf133d2931e3e3
SHA25674dbdee8ecccf6efabceca035123295f5403c1ec8afdc46b75224459867ca869
SHA5123f08628ad9089a8aedd980aafb3d51c8c5c56dad55606d6d2ccab98a67fbd811b17fc9f0731633ee68357bfb4bc52c84ed3ebeeb475c621972f99eb51d087eca
-
Filesize
342B
MD569d377602783b4861d1e397052909458
SHA1b11791747a22e8a4dc8e0e1493a2490c5c2a227f
SHA2569c2e1d2d4d9987ed814a8599b8a427bf2679389eb514fb1d9a0514d2f982f8ab
SHA512805d0bb44c60f4b95c9f208112a6afda51a0f014a7f94e6df4ed75f01db7b225639029cc1e730e9575aa5c6e18913e839d81f0430e9be2f4102f6e9e73746ca4
-
Filesize
342B
MD546e6b274aa577c1c50c907f3a58c83ae
SHA1ab26d5671b0d74b95f71d2d0e0ff1309c6fa8431
SHA2561dd4e69dbc6ed852307959823ddc33c438d655513a7ea8dcaeec393341cd2d8d
SHA51209b92b5a3d558fdeb65b03730e510cc7aecadf5ae08f582244f3cb24938081b36a9f57064d430701b49b3c938db8120b52f3a4e8aa758a58f828635759f94db3
-
Filesize
342B
MD5e69d3d9a69ef6bc1f1ab45b9c9415c14
SHA16e071cf964b368930a557f0965b91e3d97ccedf4
SHA256bf0dc490ac03437938e38f4e06b91fcd8d2b273038596c7f33174929c5fdc08b
SHA5122fcbfca4b7446fa0a0959fad93ce55bf4da550846b27a8f331a3e60255eb2e5a3d0996cd37715430cca73924eefe71a72636183d2082b1356756b78539c25987
-
Filesize
342B
MD5708a8d5432dd69c62d8233dbc5aaac71
SHA1580dd57c4551ad43534de7f70ff585f865ad10ce
SHA256c7a97786541603cb7950110cb92a66902d3580a5d41a6f142960e93a85ff0bfc
SHA5123404135e3a4a15edebaccac8f301f70f0821de84b592b19477faac1b29c3acbfefa67985fc69759209106a2016a15a06397f9ef971ece79d355f89a836e19442
-
Filesize
342B
MD5c6b32b2522bdd4b092f38d8678836f1a
SHA13108703da599c531cbf96a3c04f085e9ee37d514
SHA256d288f79f0950a44bc159e5f59e8a900ecb7c7142b6cb49b2479dec28a8bba1cb
SHA512b9fe025646a35b14d299840025c4be805dc7938381a14a8ce8a1c63c0ca4dd3db66085f2527834e4630ea31fb6177e18a9f27a5f75d6e287628cccae817251e4
-
Filesize
342B
MD54629d44ccade51b1d809793183984075
SHA156c30418c1c265afb9f438fe3d75c8b975d3c253
SHA2564f3f243d5248ac714525ee11cb9d322855119ced9d860edc0a5748fe2ff556ef
SHA5120db3346134e241e24a0d7b19e577c1d621c4a23b50c70c67a88f3707e42574eac01fbdab9fd7c064e6084c65d90935663a9703b9fd612e4e18320356e9d0153e
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
7KB
MD5644187ca387aef7b53976a701493bc01
SHA13fe4a6938774696113760f09826e87f0beba2bfe
SHA25617b050888d713113ac2b7ea8bdf792a48900d9eba3451ab2906fe83a53bdab7c
SHA51253234e15f983db999c5bf9b01982998c9b454a0d1db2b8cef3789c20866936406329d26438d2bcb2aeddcec972eb5243ee3b4ac93ad0a5b3446252628d90ce00
-
Filesize
125KB
MD502201ab0ffca3905fbf110296fd58298
SHA14068eb4c09f6e09637588ee3cf62bf7229a25faa
SHA2564d0f2f8fd89fec7e4f1348b5b6a0ea528d2b391f48e69df140b91845c0989abe
SHA5124f2d86d8dbdb6946bdd982b7c48aea803eccd99c51ddbd6edcb1f7301f9a8f255953210b5b47ecd6e6a8f1bf93269bb519b3a83548f7d3ea63ded3980bef3705
-
Filesize
639B
MD5d2dbbc3383add4cbd9ba8e1e35872552
SHA1020abbc821b2fe22c4b2a89d413d382e48770b6f
SHA2565ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be
SHA512bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66
-
Filesize
16B
MD542ab8eb81ebc2164308608f18f7560ef
SHA181588de100799eebec78d9af8d71f9cb89948799
SHA256abdfbe7d9a59525c979e68d11df044e12fd4746957602306364dd94aa4a27955
SHA51280c76b340ee62e8187681acea809d49afbff98ae2a3038926ca8a62508cc28767e0c5d70b9cf38fe4fd0384f76cea09e34da573f05737da4bcd4d1d4666c2446
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
56KB
-
Filesize
9.9MB
-
Filesize
3.3MB
-
Filesize
152KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
152KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
512KB
-
Filesize
32KB