Analysis

  • max time kernel
    30s
  • max time network
    31s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/05/2024, 08:51

General

  • Target

    NEVERLOSE CRACK FREE.exe

  • Size

    66KB

  • MD5

    1cf87ed16775e956ca556f3948b535a7

  • SHA1

    20fe1d6699242591b2c86dd3200718822fd4ccdf

  • SHA256

    9f7c00c1656ae9f0d8f044e1de0a9783f29772a7a0897383bc00158ef3a77b32

  • SHA512

    a4daf6899c0fbead8cf32a9120860c3059f1c78164482db55c24293f361b2286be71c494a35409279ca7555e9c41ea394a3d426258562b5ed3c3ee9254689fb9

  • SSDEEP

    1536:D8JtOqoPKs1e3YNhXwfQLbbtoIi45BMJ6COEhKKGx:D8JtOrCs4IN8IbxR5uOEwx

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %AppData%

  • install_file

    svhost.exe

  • pastebin_url

    https://pastebin.com/raw/zw6Etn4T

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEVERLOSE CRACK FREE.exe
    "C:\Users\Admin\AppData\Local\Temp\NEVERLOSE CRACK FREE.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4932
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NEVERLOSE CRACK FREE.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4824
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NEVERLOSE CRACK FREE.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:852
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1976
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5088
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"
      2⤵
      • Creates scheduled task(s)
      PID:3588

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          2KB

          MD5

          d85ba6ff808d9e5444a4b369f5bc2730

          SHA1

          31aa9d96590fff6981b315e0b391b575e4c0804a

          SHA256

          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

          SHA512

          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          96b7303b3c5d43ea97d4ead95821a029

          SHA1

          ea1ecce72a776cd922b090f28e9d5aaca1b27539

          SHA256

          7e6faa0a80301b4dae2c6d499e68ad269378909cdd2dca17e972ff80d296b40f

          SHA512

          edc84e846ca527e28702bf981482af921d7872af10aad705b4a527921f68bd06ce38d28c6254f4197f4985297500fcecc51a9f3051915345cd2cd474e0dcd288

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          fe9b96bc4e29457b2d225a5412322a52

          SHA1

          551e29903e926b5d6c52a8f57cf10475ba790bd0

          SHA256

          e81b9bfd38a5199813d703d5caf75baa6f62847b2b9632302b5d6f10dd6cf997

          SHA512

          ff912526647f6266f37749dfdc3ed5fd37c35042ba481331434168704c827d128c22093ba73d7ad0cecde10365f0978fcd3f3e2af1a1c280cd2e592a62d5fa80

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          b1a1d8b05525b7b0c5babfd80488c1f2

          SHA1

          c85bbd6b7d0143676916c20fd52720499c2bb5c6

          SHA256

          adad192fc86c2f939fd3f70cb9ad323139a4e100f7c90b4454e2c53bdbc9b705

          SHA512

          346c6513c1373bab58439e37d3f75de1c5c587d7eb27076cf696e885a027b3b38d70b585839d1a2e7f2270cdcf0dac8c1fdff799f3b1158242ae9e3364c2a06e

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l3juxxcy.0sf.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • memory/4824-5-0x00007FFB795C0000-0x00007FFB7A081000-memory.dmp

          Filesize

          10.8MB

        • memory/4824-12-0x000001853D020000-0x000001853D042000-memory.dmp

          Filesize

          136KB

        • memory/4824-18-0x00007FFB795C0000-0x00007FFB7A081000-memory.dmp

          Filesize

          10.8MB

        • memory/4824-4-0x00007FFB795C0000-0x00007FFB7A081000-memory.dmp

          Filesize

          10.8MB

        • memory/4824-3-0x00007FFB795C0000-0x00007FFB7A081000-memory.dmp

          Filesize

          10.8MB

        • memory/4932-0-0x00007FFB795C3000-0x00007FFB795C5000-memory.dmp

          Filesize

          8KB

        • memory/4932-2-0x00007FFB795C0000-0x00007FFB7A081000-memory.dmp

          Filesize

          10.8MB

        • memory/4932-1-0x0000000000620000-0x0000000000636000-memory.dmp

          Filesize

          88KB

        • memory/4932-57-0x00007FFB795C3000-0x00007FFB795C5000-memory.dmp

          Filesize

          8KB

        • memory/4932-58-0x00007FFB795C0000-0x00007FFB7A081000-memory.dmp

          Filesize

          10.8MB