Analysis

  • max time kernel
    30s
  • max time network
    28s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    13-05-2024 08:51

General

  • Target

    NEVERLOSE CRACK FREE.exe

  • Size

    66KB

  • MD5

    1cf87ed16775e956ca556f3948b535a7

  • SHA1

    20fe1d6699242591b2c86dd3200718822fd4ccdf

  • SHA256

    9f7c00c1656ae9f0d8f044e1de0a9783f29772a7a0897383bc00158ef3a77b32

  • SHA512

    a4daf6899c0fbead8cf32a9120860c3059f1c78164482db55c24293f361b2286be71c494a35409279ca7555e9c41ea394a3d426258562b5ed3c3ee9254689fb9

  • SSDEEP

    1536:D8JtOqoPKs1e3YNhXwfQLbbtoIi45BMJ6COEhKKGx:D8JtOrCs4IN8IbxR5uOEwx

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %AppData%

  • install_file

    svhost.exe

  • pastebin_url

    https://pastebin.com/raw/zw6Etn4T

Signatures

  • Detect Xworm Payload (2 IoCs)
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file (2 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
  • Looks up external IP address via web service (1 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) (3 TTPs, 3 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) (1 TTPs, 1 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (40 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (51 IoCs)
  • Suspicious use of SendNotifyMessage (51 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (10 IoCs)
  • Uses Task Scheduler COM API (1 TTPs)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEVERLOSE CRACK FREE.exe
    "C:\Users\Admin\AppData\Local\Temp\NEVERLOSE CRACK FREE.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3188
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NEVERLOSE CRACK FREE.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3668
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NEVERLOSE CRACK FREE.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4868
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1160
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:1960
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"
      2⤵
      • Creates scheduled task(s)
      PID:396
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2224
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1800

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      3KB

      MD5

      8592ba100a78835a6b94d5949e13dfc1

      SHA1

      63e901200ab9a57c7dd4c078d7f75dcd3b357020

      SHA256

      fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

      SHA512

      87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      0a2e958757346f46ace00f01b2a4b6ad

      SHA1

      5d50b592bee1df1f75374d4042c0ea7f19912625

      SHA256

      5e5bcbfc0dd5901ef50461d706d0ab1d37691e2c7e8f33d60df3e210fbeb86f7

      SHA512

      145756eee001f93798a71277fcc16a48f7be2bbf2cabff615bcf1fac22a5551879ce8d88da25838392795e3763423c1cb0eb67d55f1bbbddfb3b36f25031abbe

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      520884cf1c41bbe870389b7801a8ec83

      SHA1

      a6c7c8953a2b87b4c716b24a595d58f3a41f7aab

      SHA256

      83b98960b50f4da0e92e948f0ce0186808643d9ba367ad33ce4d8dba16e65c0f

      SHA512

      6f8270b9411580147e2f7047cc89d8360dddb95e882111682c1106d99ee13722951fdd6236a7c3535cba45f85f8505692acc6bc5487528ee72736c5072935af6

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      37dd47dad31b9c666f0f4df0beeddfa2

      SHA1

      a117eb3f670dff0656a96b15ba5f872f3da17591

      SHA256

      61bf769b256336c493ece34f176e0edcc1e47cde2d9e39a41f9ad69f80c9d83b

      SHA512

      120986ffd44f23531f3bb7de62c18e40f8b2cb12c8a470edb5b03e44f68dccdf04bbe2faf56759977f357334c48ae431dbcddf845e9005ba2a805383e8c8c118

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_avxvbgj5.v3n.ps1

      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk

      Filesize

      766B

      MD5

      b8d85b33ebe293b77c91c1eb1ef9017f

      SHA1

      3726f0858cec742f357ebbb72ea867a4d2fb498e

      SHA256

      977d595deb7f9f0e1593f0f941a0db18e38851ee3e11c7225dd7979e3f59b6fc

      SHA512

      cf8b655e4b43e1f5be94c31926b6a9528659574f8e646756c1543dce2b615aa4cf5c76a2c3f35bfbe60f2fe86941fcef828514a987dced0fbd645dafbc5ebd80

    • C:\Users\Admin\AppData\Roaming\svhost.exe

      Filesize

      66KB

      MD5

      1cf87ed16775e956ca556f3948b535a7

      SHA1

      20fe1d6699242591b2c86dd3200718822fd4ccdf

      SHA256

      9f7c00c1656ae9f0d8f044e1de0a9783f29772a7a0897383bc00158ef3a77b32

      SHA512

      a4daf6899c0fbead8cf32a9120860c3059f1c78164482db55c24293f361b2286be71c494a35409279ca7555e9c41ea394a3d426258562b5ed3c3ee9254689fb9

    • memory/3188-2-0x00007FFF04D80000-0x00007FFF0576C000-memory.dmp

      Filesize

      9.9MB

    • memory/3188-1-0x00007FFF04D83000-0x00007FFF04D84000-memory.dmp

      Filesize

      4KB

    • memory/3188-0-0x0000000000440000-0x0000000000456000-memory.dmp

      Filesize

      88KB

    • memory/3188-188-0x00007FFF04D83000-0x00007FFF04D84000-memory.dmp

      Filesize

      4KB

    • memory/3188-189-0x00007FFF04D80000-0x00007FFF0576C000-memory.dmp

      Filesize

      9.9MB

    • memory/3668-12-0x0000024CD6B80000-0x0000024CD6BA2000-memory.dmp

      Filesize

      136KB

    • memory/3668-15-0x0000024CD6D40000-0x0000024CD6DB6000-memory.dmp

      Filesize

      472KB