2b03faa10419218a0214b4ef415ecc41d9c78a8031deaf89d9d836b8fcd54089

Resubmissions

07/10/2023, 18:50

231007-xhdn1aee5y 7

07/10/2023, 18:45

07/10/2023, 18:42

07/10/2023, 18:38

07/10/2023, 18:30

Analysis

max time kernel
127s
max time network
154s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
07/10/2023, 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

133KB
MD5

fc3378c4e8cd002ba1e8a05b37f09d24
SHA1

6b3620287c4f94d2f515c1a8577fffcc02331b0c
SHA256

2b03faa10419218a0214b4ef415ecc41d9c78a8031deaf89d9d836b8fcd54089
SHA512

c1ac224a9aad0dde67f5ec4b4ae9f4921cb7718bf1a27755d32de6ea04f8aaf09864228c0d576492bbd1742209333b988429a3e277b1f4d19ea068b1e548fe69
SSDEEP

1536:yxYnIibKxkGHHIy2MwxIQ+b/zvc5j6xOVHRvUF80XbpGQqmyVttdGFQeOPigE:aLRIHpx3+bb5OVHpUFNcQqmyBeT

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XWorm Auto Updater.lnk	Loader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XWorm Auto Updater.lnk	Loader.exe

Executes dropped EXE 2 IoCs

pid	Process
4852	XWorm Auto Updater
4284	XWorm Auto Updater

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2204032094-4125186646-761438227-1000\Software\Microsoft\Windows\CurrentVersion\Run\XWorm Auto Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XWorm Auto Updater"	Loader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2408	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4296	powershell.exe
4296	powershell.exe
4296	powershell.exe
648	powershell.exe
648	powershell.exe
648	powershell.exe
2176	powershell.exe
2176	powershell.exe
2176	powershell.exe
392	powershell.exe
392	powershell.exe
392	powershell.exe
5092	Loader.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5092	Loader.exe
Token: SeDebugPrivilege	4296	powershell.exe
Token: SeIncreaseQuotaPrivilege	4296	powershell.exe
Token: SeSecurityPrivilege	4296	powershell.exe
Token: SeTakeOwnershipPrivilege	4296	powershell.exe
Token: SeLoadDriverPrivilege	4296	powershell.exe
Token: SeSystemProfilePrivilege	4296	powershell.exe
Token: SeSystemtimePrivilege	4296	powershell.exe
Token: SeProfSingleProcessPrivilege	4296	powershell.exe
Token: SeIncBasePriorityPrivilege	4296	powershell.exe
Token: SeCreatePagefilePrivilege	4296	powershell.exe
Token: SeBackupPrivilege	4296	powershell.exe
Token: SeRestorePrivilege	4296	powershell.exe
Token: SeShutdownPrivilege	4296	powershell.exe
Token: SeDebugPrivilege	4296	powershell.exe
Token: SeSystemEnvironmentPrivilege	4296	powershell.exe
Token: SeRemoteShutdownPrivilege	4296	powershell.exe
Token: SeUndockPrivilege	4296	powershell.exe
Token: SeManageVolumePrivilege	4296	powershell.exe
Token: 33	4296	powershell.exe
Token: 34	4296	powershell.exe
Token: 35	4296	powershell.exe
Token: 36	4296	powershell.exe
Token: SeDebugPrivilege	648	powershell.exe
Token: SeIncreaseQuotaPrivilege	648	powershell.exe
Token: SeSecurityPrivilege	648	powershell.exe
Token: SeTakeOwnershipPrivilege	648	powershell.exe
Token: SeLoadDriverPrivilege	648	powershell.exe
Token: SeSystemProfilePrivilege	648	powershell.exe
Token: SeSystemtimePrivilege	648	powershell.exe
Token: SeProfSingleProcessPrivilege	648	powershell.exe
Token: SeIncBasePriorityPrivilege	648	powershell.exe
Token: SeCreatePagefilePrivilege	648	powershell.exe
Token: SeBackupPrivilege	648	powershell.exe
Token: SeRestorePrivilege	648	powershell.exe
Token: SeShutdownPrivilege	648	powershell.exe
Token: SeDebugPrivilege	648	powershell.exe
Token: SeSystemEnvironmentPrivilege	648	powershell.exe
Token: SeRemoteShutdownPrivilege	648	powershell.exe
Token: SeUndockPrivilege	648	powershell.exe
Token: SeManageVolumePrivilege	648	powershell.exe
Token: 33	648	powershell.exe
Token: 34	648	powershell.exe
Token: 35	648	powershell.exe
Token: 36	648	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeIncreaseQuotaPrivilege	2176	powershell.exe
Token: SeSecurityPrivilege	2176	powershell.exe
Token: SeTakeOwnershipPrivilege	2176	powershell.exe
Token: SeLoadDriverPrivilege	2176	powershell.exe
Token: SeSystemProfilePrivilege	2176	powershell.exe
Token: SeSystemtimePrivilege	2176	powershell.exe
Token: SeProfSingleProcessPrivilege	2176	powershell.exe
Token: SeIncBasePriorityPrivilege	2176	powershell.exe
Token: SeCreatePagefilePrivilege	2176	powershell.exe
Token: SeBackupPrivilege	2176	powershell.exe
Token: SeRestorePrivilege	2176	powershell.exe
Token: SeShutdownPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeSystemEnvironmentPrivilege	2176	powershell.exe
Token: SeRemoteShutdownPrivilege	2176	powershell.exe
Token: SeUndockPrivilege	2176	powershell.exe
Token: SeManageVolumePrivilege	2176	powershell.exe
Token: 33	2176	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5092	Loader.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 4296	5092	Loader.exe	72
PID 5092 wrote to memory of 4296	5092	Loader.exe	72
PID 5092 wrote to memory of 648	5092	Loader.exe	74
PID 5092 wrote to memory of 648	5092	Loader.exe	74
PID 5092 wrote to memory of 2176	5092	Loader.exe	76
PID 5092 wrote to memory of 2176	5092	Loader.exe	76
PID 5092 wrote to memory of 392	5092	Loader.exe	78
PID 5092 wrote to memory of 392	5092	Loader.exe	78
PID 5092 wrote to memory of 2408	5092	Loader.exe	80
PID 5092 wrote to memory of 2408	5092	Loader.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Loader.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Loader.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XWorm Auto Updater'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XWorm Auto Updater'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:392
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XWorm Auto Updater" /tr "C:\Users\Admin\AppData\Local\Temp\XWorm Auto Updater"
  2⤵
  - Creates scheduled task(s)
  PID:2408

C:\Users\Admin\AppData\Local\Temp\XWorm Auto Updater
"C:\Users\Admin\AppData\Local\Temp\XWorm Auto Updater"
1⤵
- Executes dropped EXE
PID:4852

C:\Users\Admin\AppData\Local\Temp\XWorm Auto Updater
"C:\Users\Admin\AppData\Local\Temp\XWorm Auto Updater"
1⤵
- Executes dropped EXE
PID:4284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XWorm Auto Updater.log

Filesize
654B

MD5
16c5fce5f7230eea11598ec11ed42862

SHA1
75392d4824706090f5e8907eee1059349c927600

SHA256
87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

SHA512
153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1b7729a81ccc1dc1bc5e0a80daaee472

SHA1
a836da0a784bcdec99a22b0dd253abde21d6cfe0

SHA256
0047e8591b8f713d9e4a2ab1d62dee6d7f76758db27d75efcd0e8d4bc1bf2693

SHA512
acbc7c083680d15eb21dc35d8da0982dd1c604026c11b3898481ccb1a68fbb34341acdc812698aee22a5bdc0f42596eaf9a6473324ed5a1b72e4b005f9f6437f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2d2d46be85d7cda3932b29fa09dd9487

SHA1
9e193e835cee665480aa818bcdff24192f454f85

SHA256
87a01d13bd690be381e88b0fe80638ff4865fafbcd315810da81e43cbedbe01d

SHA512
c51b9dfac7a25c90bd23bcf3280ca677d07845408517dff168213986576a7006fa58dd43dc65777a9035c5492811884b9d9b2225c6b5125c32b733a95d5ba6cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b48f12bf7a087878cde50d525389b454

SHA1
655eef6151cdd8ec457835250e4da535632f4593

SHA256
d489653e0466a94aa15bd806318ecb22fb919471f61ace25468a34de359ea11d

SHA512
908835f0729cb66821bb60bdace5da2573d61fa74c0410a401f4947943118c9f861842285b887157aa61f8c584868967a7fce0f5ec74ea3aebc2f22226553a74

Download Submit
C:\Users\Admin\AppData\Local\Temp\XWorm Auto Updater

Filesize
133KB

MD5
fc3378c4e8cd002ba1e8a05b37f09d24

SHA1
6b3620287c4f94d2f515c1a8577fffcc02331b0c

SHA256
2b03faa10419218a0214b4ef415ecc41d9c78a8031deaf89d9d836b8fcd54089

SHA512
c1ac224a9aad0dde67f5ec4b4ae9f4921cb7718bf1a27755d32de6ea04f8aaf09864228c0d576492bbd1742209333b988429a3e277b1f4d19ea068b1e548fe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\XWorm Auto Updater

Filesize
133KB

MD5
fc3378c4e8cd002ba1e8a05b37f09d24

SHA1
6b3620287c4f94d2f515c1a8577fffcc02331b0c

SHA256
2b03faa10419218a0214b4ef415ecc41d9c78a8031deaf89d9d836b8fcd54089

SHA512
c1ac224a9aad0dde67f5ec4b4ae9f4921cb7718bf1a27755d32de6ea04f8aaf09864228c0d576492bbd1742209333b988429a3e277b1f4d19ea068b1e548fe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\XWorm Auto Updater

Filesize
133KB

MD5
fc3378c4e8cd002ba1e8a05b37f09d24

SHA1
6b3620287c4f94d2f515c1a8577fffcc02331b0c

SHA256
2b03faa10419218a0214b4ef415ecc41d9c78a8031deaf89d9d836b8fcd54089

SHA512
c1ac224a9aad0dde67f5ec4b4ae9f4921cb7718bf1a27755d32de6ea04f8aaf09864228c0d576492bbd1742209333b988429a3e277b1f4d19ea068b1e548fe69

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cqcvznlw.w00.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/392-200-0x00007FFBD18C0000-0x00007FFBD22AC000-memory.dmp

Filesize
9.9MB

Download
memory/392-197-0x0000016AD18F0000-0x0000016AD1900000-memory.dmp

Filesize
64KB

Download
memory/392-174-0x0000016AD18F0000-0x0000016AD1900000-memory.dmp

Filesize
64KB

Download
memory/392-157-0x0000016AD18F0000-0x0000016AD1900000-memory.dmp

Filesize
64KB

Download
memory/392-158-0x0000016AD18F0000-0x0000016AD1900000-memory.dmp

Filesize
64KB

Download
memory/392-154-0x00007FFBD18C0000-0x00007FFBD22AC000-memory.dmp

Filesize
9.9MB

Download
memory/648-59-0x00007FFBD18C0000-0x00007FFBD22AC000-memory.dmp

Filesize
9.9MB

Download
memory/648-61-0x000002BA39CD0000-0x000002BA39CE0000-memory.dmp

Filesize
64KB

Download
memory/648-77-0x000002BA39CD0000-0x000002BA39CE0000-memory.dmp

Filesize
64KB

Download
memory/648-100-0x000002BA39CD0000-0x000002BA39CE0000-memory.dmp

Filesize
64KB

Download
memory/648-103-0x00007FFBD18C0000-0x00007FFBD22AC000-memory.dmp

Filesize
9.9MB

Download
memory/648-60-0x000002BA39CD0000-0x000002BA39CE0000-memory.dmp

Filesize
64KB

Download
memory/2176-149-0x000001DF19B30000-0x000001DF19B40000-memory.dmp

Filesize
64KB

Download
memory/2176-110-0x000001DF19B30000-0x000001DF19B40000-memory.dmp

Filesize
64KB

Download
memory/2176-109-0x000001DF19B30000-0x000001DF19B40000-memory.dmp

Filesize
64KB

Download
memory/2176-151-0x00007FFBD18C0000-0x00007FFBD22AC000-memory.dmp

Filesize
9.9MB

Download
memory/2176-106-0x00007FFBD18C0000-0x00007FFBD22AC000-memory.dmp

Filesize
9.9MB

Download
memory/2176-126-0x000001DF19B30000-0x000001DF19B40000-memory.dmp

Filesize
64KB

Download
memory/4284-215-0x00007FFBD18C0000-0x00007FFBD22AC000-memory.dmp

Filesize
9.9MB

Download
memory/4284-214-0x00007FFBD18C0000-0x00007FFBD22AC000-memory.dmp

Filesize
9.9MB

Download
memory/4296-5-0x00007FFBD18C0000-0x00007FFBD22AC000-memory.dmp

Filesize
9.9MB

Download
memory/4296-12-0x0000021DC6FA0000-0x0000021DC7016000-memory.dmp

Filesize
472KB

Download
memory/4296-52-0x00007FFBD18C0000-0x00007FFBD22AC000-memory.dmp

Filesize
9.9MB

Download
memory/4296-48-0x0000021DAE7D0000-0x0000021DAE7E0000-memory.dmp

Filesize
64KB

Download
memory/4296-25-0x0000021DAE7D0000-0x0000021DAE7E0000-memory.dmp

Filesize
64KB

Download
memory/4296-6-0x0000021DAE7D0000-0x0000021DAE7E0000-memory.dmp

Filesize
64KB

Download
memory/4296-8-0x0000021DAE7D0000-0x0000021DAE7E0000-memory.dmp

Filesize
64KB

Download
memory/4296-9-0x0000021DC6DF0000-0x0000021DC6E12000-memory.dmp

Filesize
136KB

Download
memory/4852-209-0x00007FFBD18C0000-0x00007FFBD22AC000-memory.dmp

Filesize
9.9MB

Download
memory/4852-211-0x00007FFBD18C0000-0x00007FFBD22AC000-memory.dmp

Filesize
9.9MB

Download
memory/5092-57-0x00007FFBD18C0000-0x00007FFBD22AC000-memory.dmp

Filesize
9.9MB

Download
memory/5092-0-0x0000000000970000-0x0000000000998000-memory.dmp

Filesize
160KB

Download
memory/5092-1-0x00007FFBD18C0000-0x00007FFBD22AC000-memory.dmp

Filesize
9.9MB

Download
memory/5092-205-0x000000001B640000-0x000000001B650000-memory.dmp

Filesize
64KB

Download
memory/5092-204-0x000000001B640000-0x000000001B650000-memory.dmp

Filesize
64KB

Download