Analysis

  • max time kernel
    122s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-12-2024 08:14

General

  • Target

    spf.exe

  • Size

    66.1MB

  • MD5

    2424c3fe215d77e8e460a8f6796de636

  • SHA1

    07b47f0878c5859b6681c6bd14cf2a464729f330

  • SHA256

    dba0c17d6101161862cb98fd0d5cc2c9c196ef3c561a6159d4df9cff2da4cc8f

  • SHA512

    52208cef403e4d36cd0704e8da0e159511a28ad972176e3dbc7fd47111cd4a5e0331d22df4f89d939b6a317d51345818f9bcc24219c9d0fc8818c005ecf7238a

  • SSDEEP

    1572864:nu43xWJUEl1vVvo3fXzU/Pymw7NtvPeJxHIa6p02SfkHn4HfQ:nu4BaUEPdvo3fXziqdNJ0H+0hkHMI

Malware Config

Extracted

Family

xworm

Version

5.0

C2

cash-infections.gl.at.ply.gg:54632

Mutex

uaiEP0l5RwMqBswG

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\spf.exe
    "C:\Users\Admin\AppData\Local\Temp\spf.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1292
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spf.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spf.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2504
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spf.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2976
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'spf.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2684
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Spoofer'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1684
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Spoofer'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2828
    • C:\Users\Admin\AppData\Local\Temp\sigma reported.exe
      "C:\Users\Admin\AppData\Local\Temp\sigma reported.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:1520

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    96df90adcc537ec0c01194e9a95914f9

    SHA1

    0b83dc74180c018a48a4b47eec3bc403f6f997f9

    SHA256

    f8f827974b2337262bc7b09702ca37ae7d32ff3e53abc51175dfc53591798add

    SHA512

    8c25edb74f192f91cbcacb5f2143dab2fe1eb68d3b55457b5ff18bfcc027c83cb0e2385890a06fa32b622d7b62f4ae2327cbb4bada035102011ee1f111fc20a4

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spf.exe

    Filesize

    50KB

    MD5

    64470671400941aa271bb9961c65009d

    SHA1

    e684951964a2fdfffd8e107768c27cc8541f8219

    SHA256

    692eb4845bc59eb61fd3340f8cfb7692392d4e9e8dd1aa22bd64f89e3dd34614

    SHA512

    8583abcb6c163921469567363a4173e4e748fd49beca77cd36ae5a10bf59627b369dab50d4723d3f84e8f453ed95ee688f2db7724ba15a2ee2a995385b5003d8

  • memory/1292-1-0x000000013F0F0000-0x000000014330A000-memory.dmp

    Filesize

    66.1MB

  • memory/1292-0-0x000007FEF5DE3000-0x000007FEF5DE4000-memory.dmp

    Filesize

    4KB

  • memory/1292-8-0x000007FEF5DE0000-0x000007FEF67CC000-memory.dmp

    Filesize

    9.9MB

  • memory/1292-15-0x000007FEF5DE0000-0x000007FEF67CC000-memory.dmp

    Filesize

    9.9MB

  • memory/1520-47-0x000000013F5A0000-0x00000001405A0000-memory.dmp

    Filesize

    16.0MB

  • memory/2504-50-0x000007FEF5DE0000-0x000007FEF67CC000-memory.dmp

    Filesize

    9.9MB

  • memory/2504-16-0x000007FEF5DE0000-0x000007FEF67CC000-memory.dmp

    Filesize

    9.9MB

  • memory/2504-9-0x000007FEF5DE0000-0x000007FEF67CC000-memory.dmp

    Filesize

    9.9MB

  • memory/2504-45-0x000007FEF5DE0000-0x000007FEF67CC000-memory.dmp

    Filesize

    9.9MB

  • memory/2504-7-0x0000000000BB0000-0x0000000000BC2000-memory.dmp

    Filesize

    72KB

  • memory/2684-29-0x00000000022D0000-0x00000000022D8000-memory.dmp

    Filesize

    32KB

  • memory/2684-28-0x000000001B720000-0x000000001BA02000-memory.dmp

    Filesize

    2.9MB

  • memory/2976-22-0x00000000020C0000-0x00000000020C8000-memory.dmp

    Filesize

    32KB

  • memory/2976-21-0x000000001B680000-0x000000001B962000-memory.dmp

    Filesize

    2.9MB