Overview

overview

10

Static

static

3

Spoofer.exe

windows7-x64

Spoofer.exe

windows10-2004-x64

Analysis

  • max time kernel
    35s
  • max time network
    36s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    20/01/2025, 15:51

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Spoofer.exe

  • Size

    90KB

  • MD5

    cb8398c640f85445d6e14a2e325eb826

  • SHA1

    2e888003ab1bda0e17297361901be57fbc746e4e

  • SHA256

    4414027d7369fa5b62c6cff9836dc792389c085defc5cba782793159e81036b1

  • SHA512

    268d3bace276b09e15f089e5e19b0181c3060c2965f1d24a2355123bfff8d0f274051c24132040002a0abf727f259756fecebc858050eeaa5445525a7d9d4833

  • SSDEEP

    1536:5jx25uS8KkpHTe9yivqHLrZ+UGpCr8lFo4XwCjAaBhlPrTAdxJ2MT6UaIPxnLxHY:51KuNrpH21CHLt9GMCbHlPXAhEU3xZ6z

Score
10/10
xwormdefense_evasiondiscoveryexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

trip-thesaurus.gl.at.ply.gg:16715

Attributes
  • Install_directory

    %AppData%

  • install_file

    SecurityHealthSystray.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Spoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\Spoofer.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAYgBhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAawBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdgB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGUAdQBnACMAPgA="
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2700
    • C:\Users\Admin\AppData\Roaming\Woofer.exe
      "C:\Users\Admin\AppData\Roaming\Woofer.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2192
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Woofer.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2616
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Woofer.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1052
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2352
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2908
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2868
      • C:\Windows\system32\shutdown.exe
        shutdown.exe /f /s /t 0
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1676
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:1952
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:2096

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Modify Registry

      1
      T1112

      Obfuscated Files or Information

      1
      T1027

      Command Obfuscation

      1
      T1027.010

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      1
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      Lateral Movement

      Collection

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1BE675I1CNW9OUVCPS58.temp
        Filesize

        7KB

        MD5

        dc7d277728379d7fa27239ef32fcadf0

        SHA1

        87ee36c1b1f6d25c67e4e2712f3dc92693deda56

        SHA256

        4cfebb854db8c6f13a6e0d689e2b5b128ca8e3d97b5d5b8c62d65189c1b69521

        SHA512

        ac58609df389252c1d0fe57c3516304ee9996d64fd92c8abdeb6880408667aed617370642ee4627ead82d2e35f583fe34aef0381d5d695becdbf6ee969bf93fe

        Download Submit

      • \Users\Admin\AppData\Roaming\Woofer.exe
        Filesize

        84KB

        MD5

        401884996ecf50f3c44e4bc55e228b3c

        SHA1

        8eec44a33a180a8ea816f1d07d40c396dfa243d0

        SHA256

        602eb973f30d7c9533eb827f3731b057e17271bcc7617c1526c9909b71baa683

        SHA512

        ea8b57b10ad3c569e2456c0cfedaada977db6f8dd768e15800e3af535b68299e66e3f77df613ee3a30a8bcd68a8deff315f5531ac6a40135de0a0126a28e6d08

        Download Submit

      • memory/1052-21-0x000000001B590000-0x000000001B872000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/1052-22-0x00000000027E0000-0x00000000027E8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2192-8-0x0000000000140000-0x000000000015C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2192-38-0x0000000001F90000-0x0000000001F9C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2616-13-0x000000001B560000-0x000000001B842000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2616-14-0x0000000001F60000-0x0000000001F68000-memory.dmp

        Filesize

        32KB

        Download