Resubmissions

22-01-2025 15:58

250122-tewtmavmhq 10

22-01-2025 15:57

250122-td9zvsvmfq 10

22-01-2025 15:53

250122-tby5kstmhv 10

Analysis

  • max time kernel
    145s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-01-2025 15:53

General

  • Target

    Perm-spofer.exe

  • Size

    68KB

  • MD5

    7214f6d7b7997cbfb22a9b3e6375b918

  • SHA1

    a9c53eb43e7b0eb1cfc0bc4714bc3816274310d9

  • SHA256

    c54762e7cfed04c23c765dd85ea5e92fcdc30e34d5ff3b151595e73e50e95c03

  • SHA512

    dc40ea0a445f2fd5a7c0e9a90d391d72267d02bc004af57f494e52e492d02de196c06d7335971868e55b0a8b18bc640b89f2c56837194c79227f5a48c9e8a223

  • SSDEEP

    1536:fVNtqrwwjZ2v5yNL0c+A4qvbWWEHLhASFtx6aMrTeOg54WER:fBzByNnP4qvbWWAASbaKOg54j

Malware Config

Extracted

Family

xworm

C2

simply-exotic.gl.at.ply.gg:27183

Attributes
  • Install_directory

    %Temp%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Perm-spofer.exe
    "C:\Users\Admin\AppData\Local\Temp\Perm-spofer.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Perm-spofer.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2800
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Perm-spofer.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2260
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\User'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2452
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'User'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2516
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "User" /tr "C:\Users\Admin\AppData\Local\Temp\User"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2896
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {9D172983-7918-4354-9940-9AB08FB04EBD} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Users\Admin\AppData\Local\Temp\User
      C:\Users\Admin\AppData\Local\Temp\User
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3060
    • C:\Users\Admin\AppData\Local\Temp\User
      C:\Users\Admin\AppData\Local\Temp\User
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1088
    • C:\Users\Admin\AppData\Local\Temp\User
      C:\Users\Admin\AppData\Local\Temp\User
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1632
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\User'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        PID:2444
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'User'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2932
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\User'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3020
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'User'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2764
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "User" /tr "C:\Users\Admin\AppData\Local\Temp\User"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2528

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\User

    Filesize

    68KB

    MD5

    7214f6d7b7997cbfb22a9b3e6375b918

    SHA1

    a9c53eb43e7b0eb1cfc0bc4714bc3816274310d9

    SHA256

    c54762e7cfed04c23c765dd85ea5e92fcdc30e34d5ff3b151595e73e50e95c03

    SHA512

    dc40ea0a445f2fd5a7c0e9a90d391d72267d02bc004af57f494e52e492d02de196c06d7335971868e55b0a8b18bc640b89f2c56837194c79227f5a48c9e8a223

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    4d622cf16574e6922d473b3e245bb24d

    SHA1

    5b3eb63e48b4093b95b985c03d30a005d6c365f5

    SHA256

    a4c4a81774179b5b137e88f4dbaa3e5f03e59a143d8e97ee6a28f30a55d7bfb8

    SHA512

    57fd47dbbee24a1e0a29d93b65a8ccf50700d91cef33849dc4e6a062c758034db75027cbb86a57b8d2ef5b779983681d92e15854da140dc1c4786e5db0975984

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NQFGFGEJHEG4FZAWQ81T.temp

    Filesize

    7KB

    MD5

    ae7eed040c7b537d8160e73efa3d08cf

    SHA1

    f2bb0bb7a8113f84f00dd7557b7ea402b34a992b

    SHA256

    fd141af2d89fc7176c0077e11e72ad986bcd463fb3a0e9805b5afe85fd31cf33

    SHA512

    7cc7269888d01d38227228a5426a6e16cd8dbaab9df58e48655d10c6caf699343109183eb10e5c9dc24201a7c032ac76f86d08350b363e92448f33702f4bd5c4

  • memory/2040-35-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

    Filesize

    9.9MB

  • memory/2040-1-0x00000000010D0000-0x00000000010E8000-memory.dmp

    Filesize

    96KB

  • memory/2040-2-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

    Filesize

    9.9MB

  • memory/2040-0-0x000007FEF52A3000-0x000007FEF52A4000-memory.dmp

    Filesize

    4KB

  • memory/2040-28-0x000007FEF52A3000-0x000007FEF52A4000-memory.dmp

    Filesize

    4KB

  • memory/2040-29-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

    Filesize

    9.9MB

  • memory/2260-16-0x0000000002240000-0x0000000002248000-memory.dmp

    Filesize

    32KB

  • memory/2260-15-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

    Filesize

    2.9MB

  • memory/2800-9-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

    Filesize

    32KB

  • memory/2800-8-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

    Filesize

    2.9MB

  • memory/2800-7-0x0000000002BD0000-0x0000000002C50000-memory.dmp

    Filesize

    512KB

  • memory/3060-33-0x0000000001320000-0x0000000001338000-memory.dmp

    Filesize

    96KB