Analysis
-
max time kernel
13s -
max time network
7s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250113-en -
resource tags
-
submitted
25-01-2025 19:24
General
-
Target
ASpoofer.exe
-
Size
266KB
-
MD5
bc02803808b0fef29141032a807e855f
-
SHA1
c9d6339a10b06f4ad4175664c8728f6622d83855
-
SHA256
1670b4755805f0d523fba188435da1357c62562153db2b8fa5743ab9906e2c54
-
SHA512
2c27607c0c921e2d86a2e63bc7b2a0cea0df6f29d693ad9e91c16895ef348a6f415b2eaaeb74c41e25a65c3bd1c69578c78866725de6b1832f89f4283f71c0c3
-
SSDEEP
6144:YM+vTWbj7v/5bTgVziHzZnSKrCbYMBbX8Sq:YM+vo7v/5/gVziHlBrCbYq8b
Malware Config
Extracted
xworm
IDKTOBEHONESTNIGAS-56344.portmap.io:56344
-
install_file
Mason.exe
Signatures
-
Detect Xworm Payload 2 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 3 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wlrmdr.exe-s -1 -f 2 -t Your PC will automatically restart in one minute -m Windows ran into a problem and needs to restart. You should close this message now and save your work. -a 32⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 704 -s 47442⤵
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
-
C:\Windows\system32\MusNotification.exe"C:\Windows\system32\MusNotification.exe"2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\ASpoofer.exe"C:\Users\Admin\AppData\Local\Temp\ASpoofer.exe"2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ibje53j4.us4.exe"C:\Users\Admin\AppData\Local\Temp\ibje53j4.us4.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SYSTEM32\SCHTASKS.exe"SCHTASKS.exe" /create /tn "MasonASpoofer.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\ASpoofer.exe'" /sc onlogon /rl HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SYSTEM32\SCHTASKS.exe"SCHTASKS.exe" /create /tn "MasonASpoofer.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\ASpoofer.exe'" /sc onlogon /rl HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ASpoofer.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ASpoofer.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\ASpoofer.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
35KB
MD566f57ff0e0f47a9cf6c305b46937d54e
SHA11c4d60bc23f38fbb2c38f3c0a6c4eb7b57389754
SHA25621c416c30b1f6d6bb317f8fecbc731985d51b66c629ddac39ece4b9421427094
SHA5126d5022fd04d5b90c495b243652abe0da118c23f42c3b0d098efaad30bda3d13163b9497dc020d390db39250c55c53fff16287d6bd7d5ffaaf4b787a504ac22a9
-
Filesize
13KB
MD52779a10e70c8655a36e8e59626d490ff
SHA151781d10ad728200f904d61c14d74e38fbd5ee18
SHA256c2fe3ff16b53caf8ca577e29e1b18fa57d413bea35d13f3a40fbbb06e87bf19e
SHA51234d0ec50a0a7f26f9aa0f812701da115e3c6a95c3cd5ce3780bbfba25adecb2be891b7dfae5ed4aff1026ac276523494adea8857898b9d868c769af1a098726b
-
Filesize
3KB
MD53eb3833f769dd890afc295b977eab4b4
SHA1e857649b037939602c72ad003e5d3698695f436f
SHA256c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72
-
Filesize
1KB
MD5d6d1b8bb34838ccf42d5f69e919b1612
SHA120e9df1f5dd5908ce1b537d158961e0b1674949e
SHA2568a4e7eae00df2e789c958a38e78ac0b53f439afe2d5bfe8a81fb8c6e232b6491
SHA512ff3ba5dc3cb548018747a315f098e01c5a6f8aee029223ef4080b3db76b0ecaa6a01a1c79e1434bdf2aa5b2ae66ec85d33e760064282411c7712fba890a0309d
-
Filesize
1KB
MD510ca07a68340a8aee660dd54cb55c458
SHA1a615fc664c79803f6833946d8312a81c1756bd02
SHA25615b74f8e90b09944cd7c2fb7b4b780bc7a81364d0e082b4b99fc462a90a0c6a1
SHA5120f2a4023d6309383c0fe7a66e44b8b348f13cd47572d1eb43bdda70d89ca062a589530a0082c80e57d9889d9d51675072628e15212ce727a404f4bda85c41ad8
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
161KB
MD594f1ab3a068f83b32639579ec9c5d025
SHA138f3d5bc5de46feb8de093d11329766b8e2054ae
SHA256879cc20b41635709bb304e315aaa5ca4708b480a1bfc2f4935fcf2215188efb0
SHA51244d5236a804d63302b21ca25ebc148a64605508d03c990a244c44ceb8630849da0510b7b2d0bee72e01ca6681e2d86d7e6aee8847674a26f0028d149b9abee0c
-
Filesize
132KB
MD5b035f9c34956c9ef706237969617be61
SHA1aaf8e05e2b5c85ed31df3c4627b3df7ab1b3f91f
SHA256508afa4c6d5734cb10a32dd28163dab5c3dfb89ab519e1ca971cd5c959bb19d7
SHA51212d63d4c0a5ca4d0535495dd532df42c9de00ca19c401a9e90c27bb7e0cb4dedc1e668e90e0b4c8d9914f31ead9c49a147aa4b491c8e600edd9684f4d1b52525
-
Filesize
133KB
MD52fbc335ba9e4d586865f15a3d47c9325
SHA13f4ac9d31ba40bbaeaa70e6de1a402c7054fa2ef
SHA256874cd758f9f9038980ffb282a35dc17599dc5321d38e3915e58e33eb8a0e2920
SHA51233496b99af78af1708ed2e4f349d51b98d3b67e9ad01ce39fcb5b624d8721233c9f3c1838c7e265c8d82ed5fd9900248d1b68e202bd2490bab34008c37e43817
-
Filesize
132KB
MD50e80515d770f4b52c122ae2c6ee669c9
SHA115fb65a7ad7de8cfc7096af70edb4115c16354a2
SHA256ed313d462da8e9b16a3f50e786fb00dc903124ca4100472dd7e73844d5fd3ff2
SHA5128366c15e5e019ba47dbe87d3fcb88f508d78a1e522dfc7fad019858025626b349c902102ceb1a9b66f4c8e7d807e0f07c47d55725ba303535aa1a6f928d48e3d
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
148KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
172KB
-
Filesize
64KB
-
Filesize
756KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
96KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
176KB
-
Filesize
288KB
-
Filesize
136KB