Overview

overview

10

Static

static

10

$RVULAPD.exe

windows7-x64

10

$RVULAPD.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-12-2023 19:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $RVULAPD.exe

  • Size

    93KB

  • MD5

    7865912339245d7e4970eb1a27fabc2c

  • SHA1

    dd584c401e2b21296d4f3167cf070024c71f640c

  • SHA256

    bcd98496e76c128871952de7d7daa0b8930b0430d6553e77ce72508ff418bb19

  • SHA512

    1d688a0ee969695f765794b8f864078c68a4ded7ab6a081e19d5040530bef210d989df772068d9f5291ac9093ac4cc73341e0582fca0a69435f1fe3d7f33504d

  • SSDEEP

    1536:aYP0rsKtfimtQz5/Ae2G6WE0OsaTbWQw7T+fxSG6RsaSSuOLygpNw1PbVy:1P0rs4zyz54e2LF/TbWQw6xSiaSpOLyU

Score
10/10
xwormevasionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

tr3.localto.net:42425:52773

16.ip.gl.ply.gg:52773
Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    InvidiaDriver.exe

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 2 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\$RVULAPD.exe
    "C:\Users\Admin\AppData\Local\Temp\$RVULAPD.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4172
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\$RVULAPD.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:8
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$RVULAPD.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1020
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\InvidiaDriver.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1072
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'InvidiaDriver.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1516
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "InvidiaDriver" /tr "C:\Users\Admin\AppData\Local\InvidiaDriver.exe"
      2⤵
      • Creates scheduled task(s)
      PID:3576
    • C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /im ngrok.exe /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3560
    • C:\Users\Admin\AppData\Local\Temp\ngrok.exe
      C:\Users\Admin\AppData\Local\Temp\ngrok.exe config add-authtoken Your_Authtoken
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4844
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2216
  • C:\Users\Admin\AppData\Local\InvidiaDriver.exe
    C:\Users\Admin\AppData\Local\InvidiaDriver.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3208
  • C:\Users\Admin\AppData\Local\InvidiaDriver.exe
    C:\Users\Admin\AppData\Local\InvidiaDriver.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:460

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\InvidiaDriver.exe
    Filesize

    93KB

    MD5

    7865912339245d7e4970eb1a27fabc2c

    SHA1

    dd584c401e2b21296d4f3167cf070024c71f640c

    SHA256

    bcd98496e76c128871952de7d7daa0b8930b0430d6553e77ce72508ff418bb19

    SHA512

    1d688a0ee969695f765794b8f864078c68a4ded7ab6a081e19d5040530bef210d989df772068d9f5291ac9093ac4cc73341e0582fca0a69435f1fe3d7f33504d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\InvidiaDriver.exe.log
    Filesize

    654B

    MD5

    2ff39f6c7249774be85fd60a8f9a245e

    SHA1

    684ff36b31aedc1e587c8496c02722c6698c1c4e

    SHA256

    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

    SHA512

    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    4dd6d3175af8dc4012b3858534e77e85

    SHA1

    9ab92757463109c5759474231a56730cbff45511

    SHA256

    8ae5ff7674655515b7e8038753fb7ad41f872a7b51f1b659537c57c431dcf06d

    SHA512

    165d2d29a4931608c118c940fef262b95c43f9d653402131f5ce3205d55e46c6a542a5a3b3f330933b063fb0c741f45975c2040bda7a599d95e9353040be19c8

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    ecceac16628651c18879d836acfcb062

    SHA1

    420502b3e5220a01586c59504e94aa1ee11982c9

    SHA256

    58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

    SHA512

    be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    a9293ef980c925abe33d940554ed8575

    SHA1

    9b6d85f2595f7fd4923f52b21ab7607279066969

    SHA256

    8313a191aa9d11cce868d95ac9a9b1609275bfe93131fcb6e547b985b0242fbe

    SHA512

    2003d90bb2bc89378ccaeb9c5edf76b2dfd93c80369d063e56141abb8d7fea6acee6a103874ab227bc1548437269c8e4ee5174bf482ecf3d66c38f3e0ba35d85

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    7a451cd1316d70a65910773fee8c3a43

    SHA1

    d2db32d5037153dd1d94565b51b5b385817a3c3d

    SHA256

    862d25ed22075f3d1f5e8d29a3c6e050dc91e53a4dc653c3f0f7c627a12ee26c

    SHA512

    60887f795036fbd6d25234c17dab4463a8a02f576ae8c07dd7b4c4ff1dba35f99b7301139ea051a7a80fdfc9e003a2f0c2dd0d444a82ecf87a3df21507332aa6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hpyfuwna.h2w.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ngrok.exe
    Filesize

    16.4MB

    MD5

    ee2397b5f70e81dd97a4076ba1cb1d3a

    SHA1

    8350f648ebd269b4bca720b4143dd3edcdfafa8f

    SHA256

    b5b1454e2e3a66edf3bde92b29a4f4b324fa3c3d88dc28e378c22cb42237cc67

    SHA512

    57fc76393881c504ac4c37a8ea812a7e21f2bed4ffa4de42a2e6e4558a78bba679ec0f8fcdc39798306c3a97e424fb875680b7f78ac07be3f7f58df093575562

    Download Submit

  • memory/8-16-0x00000201BEA70000-0x00000201BEA80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/8-19-0x00007FF92A3D0000-0x00007FF92AE91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/8-10-0x00000201BEA70000-0x00000201BEA80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/8-11-0x00000201BE9C0000-0x00000201BE9E2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/8-4-0x00000201BEA70000-0x00000201BEA80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/8-3-0x00007FF92A3D0000-0x00007FF92AE91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/460-83-0x00007FF92A3D0000-0x00007FF92AE91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/460-81-0x00007FF92A3D0000-0x00007FF92AE91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1020-21-0x00007FF92A3D0000-0x00007FF92AE91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1020-35-0x0000016FFE4B0000-0x0000016FFE4C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1020-22-0x0000016FFE4B0000-0x0000016FFE4C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1020-28-0x0000016FFE4B0000-0x0000016FFE4C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1020-37-0x00007FF92A3D0000-0x00007FF92AE91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1072-51-0x0000016B7CD10000-0x0000016B7CD20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1072-53-0x00007FF92A3D0000-0x00007FF92AE91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1072-38-0x00007FF92A3D0000-0x00007FF92AE91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1072-40-0x0000016B7CD10000-0x0000016B7CD20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1072-39-0x0000016B7CD10000-0x0000016B7CD20000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1516-54-0x00007FF92A3D0000-0x00007FF92AE91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1516-55-0x000002029CFD0000-0x000002029CFE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1516-67-0x00007FF92A3D0000-0x00007FF92AE91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2216-104-0x00007FF92A3D0000-0x00007FF92AE91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2216-113-0x00007FF92A3D0000-0x00007FF92AE91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2216-111-0x0000023CFB7B0000-0x0000023CFB7C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2216-105-0x0000023CFB7B0000-0x0000023CFB7C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3208-76-0x00007FF92A3D0000-0x00007FF92AE91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3208-74-0x00007FF92A3D0000-0x00007FF92AE91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4172-0-0x0000000000130000-0x000000000014E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4172-84-0x000000001D060000-0x000000001D072000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4172-85-0x000000001DBA0000-0x000000001E2AC000-memory.dmp

    Filesize

    7.0MB

    Download

  • memory/4172-2-0x000000001B060000-0x000000001B070000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4172-98-0x000000001A600000-0x000000001A60E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4172-82-0x000000001D9E0000-0x000000001DB9A000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4172-78-0x0000000000910000-0x000000000091A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4172-1-0x00007FF92A3D0000-0x00007FF92AE91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4172-29-0x00007FF92A3D0000-0x00007FF92AE91000-memory.dmp

    Filesize

    10.8MB

    Download