Analysis

  • max time kernel
    343s
  • max time network
    360s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64 arch:x86 image:win11-20240426-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    16-05-2024 06:57

General

  • Target

    Loader.exe

  • Size

    139KB

  • MD5

    8f77f8b13b914f358059e3f7b9ddab70

  • SHA1

    d406a28486b4dd881c454e526e149b98c0ec8462

  • SHA256

    c22c863186e9e86a07cdb7f214c4acede216405a09d4032a603e64931f6966e6

  • SHA512

    b00ba88d36203e389021672b39839a172b58e492bb71afb33c9f53b9ba406a0cf5d61cb5bfe6f11dc40529be8424690737ce178d7dd4981b120ec4694f51abad

  • SSDEEP

    3072:bNmWFIDmBFlT1wnCMjIM8pec/dAnXQdnbeFa7cMjGvA/v2QmZ6OGmfx7jHJm:b06BwnRlcCXUhcdv2uN5

Malware Config

Extracted

Family

xworm

C2

answer-riverside.gl.at.ply.gg:45691

Attributes
  • Install_directory

    %AppData%

  • install_file

    svhost.exe

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.

  • Drops file in Drivers directory 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 8 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine the installed video card.

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3408
    • C:\Users\Admin\AppData\Local\Temp\XClient.exe
      "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2720
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:1512
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:2080
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:2952
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:1612
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"
        3⤵
        • Creates scheduled task(s)
        PID:4664
    • C:\Users\Admin\AppData\Local\Temp\RustCheat.exe
      "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1120
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1576
      • C:\Windows\SYSTEM32\attrib.exe
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"
        3⤵
        • Views/modifies file attributes
        PID:4344
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1380
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4264
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3584
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3640
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" os get Caption
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1480
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" computersystem get totalphysicalmemory
        3⤵
        PID:4060
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        PID:640
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4184
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic" path win32_VideoController get name
        3⤵
        • Detects videocard installed
        PID:1804
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1528
        • C:\Windows\system32\PING.EXE
          ping localhost
          4⤵
          • Runs ping.exe
          PID:1972
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4224
  • C:\Users\Admin\AppData\Roaming\svhost.exe
    C:\Users\Admin\AppData\Roaming\svhost.exe
    1⤵
    • Executes dropped EXE
    PID:1928
  • C:\Users\Admin\AppData\Roaming\svhost.exe
    C:\Users\Admin\AppData\Roaming\svhost.exe
    1⤵
    • Executes dropped EXE
    PID:4444
  • C:\Users\Admin\AppData\Roaming\svhost.exe
    C:\Users\Admin\AppData\Roaming\svhost.exe
    1⤵
    • Executes dropped EXE
    PID:4012
  • C:\Users\Admin\AppData\Roaming\svhost.exe
    C:\Users\Admin\AppData\Roaming\svhost.exe
    1⤵
    • Executes dropped EXE
    PID:1212
  • C:\Users\Admin\AppData\Roaming\svhost.exe
    C:\Users\Admin\AppData\Roaming\svhost.exe
    1⤵
    • Executes dropped EXE
    PID:3716
  • C:\Users\Admin\AppData\Roaming\svhost.exe
    C:\Users\Admin\AppData\Roaming\svhost.exe
    1⤵
    • Executes dropped EXE
    PID:5044
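The behaviours listed under Signatures and the command lines recorded in the process tree can be checked mechanically. What follows is an added example, not part of this report and not the sandbox's own detection logic: a small Python triage script that pattern-matches process-creation command lines against those behaviours and pulls out the Defender exclusions and the schtasks parameters. Its input list is constructed from the tree above, abridged to image name plus arguments; the ATT&CK technique IDs in the rule table are the editor's mapping, and the patterns are deliberately loose so they also match the quoted full-path form the sandbox records.

```python
"""Triage of the process-creation command lines recorded in the tree above.

Added example, not part of the sandbox report or of any vendor tooling. It
pattern-matches each command line against the behaviours the Signatures
section names (Defender exclusions and tampering, schtasks persistence, file
hiding, WMIC fingerprinting, cookie theft, self-deletion). OBSERVED is
constructed from the process tree above, abridged to image name plus
arguments; in practice feed it the CommandLine field of Sysmon Event ID 1 or
Security Event 4688.
"""
import re
from collections import defaultdict

# (PID, command line) pairs constructed from the process tree above.
OBSERVED = [
    (1512, r"powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'"),
    (2080, r"powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'"),
    (2952, r"powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'"),
    (1612, r"powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'"),
    (4664, r'schtasks.exe /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"'),
    (1576, r"wmic.exe csproduct get uuid"),
    (4344, r'attrib.exe +h +s "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe"'),
    (1380, r"powershell.exe Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RustCheat.exe'"),
    (4264, r"powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true "
           r"-DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled "
           r"-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend "
           r"&& powershell Set-MpPreference -SubmitSamplesConsent 2"),
    (3584, r"powershell.exe Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"),
    (1480, r"wmic.exe os get Caption"),
    (1804, r"wmic path win32_VideoController get name"),
    (1528, r'cmd.exe /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RustCheat.exe" && pause'),
    (1928, r"C:\Users\Admin\AppData\Roaming\svhost.exe"),
    (4224, r"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca"),
]

# (category, ATT&CK technique, pattern). The optional '"' after the image name
# lets each pattern match the quoted full-path form the sandbox records too.
RULES = [
    # Excluding the dropped binaries from Defender scanning.
    ("defender_exclusion", "T1562.001",
     re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\b", re.I)),
    # Switching off real-time, IOAV and script scanning, cloud reporting.
    ("defender_tamper", "T1562.001",
     re.compile(r"Set-MpPreference\b.*-Disable\w+\s+\$true", re.I)),
    # Minute-interval task at run level HIGHEST relaunching the payload.
    ("scheduled_task_persistence", "T1053.005",
     re.compile(r'schtasks(\.exe)?"?\s+/create\b', re.I)),
    # +h +s marks the dropper hidden and system.
    ("hide_file", "T1564.001",
     re.compile(r'attrib(\.exe)?"?\s+(\+[hs]\s+)+', re.I)),
    # WMIC queries used to fingerprint the host.
    ("host_fingerprint", "T1082",
     re.compile(r'wmic(\.exe)?"?\s+(csproduct|os|computersystem|path\s+win32_VideoController)\b', re.I)),
    # Reading the Roblox .ROBLOSECURITY session cookie out of the registry.
    ("session_cookie_theft", "T1539",
     re.compile(r"\.ROBLOSECURITY\b", re.I)),
    # ping as a delay, then del of the dropper.
    ("self_delete", "T1070.004",
     re.compile(r"ping\s+\S+\s*&&\s*del\s+", re.I)),
    ("execution_policy_bypass", "T1059.001",
     re.compile(r"-ExecutionPolicy\s+Bypass\b", re.I)),
    # The config above names %AppData%\svhost.exe as install_file: a
    # svchost.exe look-alike outside System32.
    ("masquerade_install_file", "T1036.005",
     re.compile(r"\\AppData\\.*\\svhost\.exe\b", re.I)),
]


def classify(cmdline):
    """Return [(category, technique)] for every rule the command line matches."""
    return [(name, tid) for name, tid, rx in RULES if rx.search(cmdline)]


def defender_exclusions(cmdline):
    """Values an Add-MpPreference call excludes from scanning (paths or process names)."""
    return re.findall(r"-Exclusion(?:Path|Process|Extension)\s+'([^']+)'", cmdline, re.I)


def scheduled_task(cmdline):
    """Pull name, target, trigger and run level out of a schtasks /create line."""
    def grab(pattern):
        m = re.search(pattern, cmdline, re.I)
        return m.group(1) if m else None
    return {"name": grab(r'/tn\s+"([^"]+)"'), "target": grab(r'/tr\s+"([^"]+)"'),
            "schedule": grab(r"/sc\s+(\w+)"), "every": grab(r"/mo\s+(\d+)"),
            "run_level": grab(r"/RL\s+(\w+)")}


def triage(events):
    """Group PIDs by category; lines matching no rule land under 'unclassified'."""
    hits = defaultdict(list)
    for pid, cmd in events:
        for name, _ in classify(cmd) or [("unclassified", None)]:
            hits[name].append(pid)
    return dict(hits)


if __name__ == "__main__":
    for category, pids in sorted(triage(OBSERVED).items()):
        print(f"{category:28} {pids}")
```

Run over the list above it reports five PIDs under defender_exclusion, which agrees with the "5 IoCs" the report attaches to the PowerShell signature, and it parses the svhost task as a one-minute trigger at run level HIGHEST; the only unclassified PID is MiniSearchHost.exe. The same rule table, fed from an EDR's process-creation telemetry, turns this report's observations into a repeatable hunt.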

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    627073ee3ca9676911bee35548eff2b8

    SHA1

    4c4b68c65e2cab9864b51167d710aa29ebdcff2e

    SHA256

    85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

    SHA512

    3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svhost.exe.log

    Filesize

    654B

    MD5

    2cbbb74b7da1f720b48ed31085cbd5b8

    SHA1

    79caa9a3ea8abe1b9c4326c3633da64a5f724964

    SHA256

    e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

    SHA512

    ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    9d79442dfd4d7b3d489221dab648a8b0

    SHA1

    715225e9ad02901ef13250d9126e612b05751f49

    SHA256

    4f4c4f31db3e81c3afe2662eceb44fe4743019a5da26109d0c3af1c85bc1bf98

    SHA512

    3ae1e2467b81ead66b6fa0a9d274c503c1dee442465b81f161bb72a5b93eb9603d8504b795d02f8e6a74ed4b5ae5bd57e8faf1a9af8a018d5d43ca9094aaa630

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    6e4f5276ac4827dac632cc228cc825fd

    SHA1

    0d151017975a1e91325649b5ef4a4cce043b81aa

    SHA256

    9b59dd2123e61507bc98c878acb6a41e307e60adbb0e9a2a301f194cf51cf27a

    SHA512

    ab487a017bb10c80ec466e3207cbecb4b9453d88a1af7f1b8a9f6698b55b0a1bf721d8a63757ada195bf87807a4180a88222eb0ee96929404aacca09ed4a67a1

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    0ea6ac9b9bc1d4ae31ff7d82c5e2c8bb

    SHA1

    0659254cfdf0eca3f09665dea655438d3242c413

    SHA256

    a2c4271e070a9ce8ca10b129a7916c7271a5e4463d3810617a825d6f3ba7a1c8

    SHA512

    e78ec495cc7390522394950f29fc7c56359b89df71f451aca9f0379a942e801a0191f333f5bcf8df99ea0305b23448188db7754a54f55bef3cd3b8a275b6ee91

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    781da0576417bf414dc558e5a315e2be

    SHA1

    215451c1e370be595f1c389f587efeaa93108b4c

    SHA256

    41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe

    SHA512

    24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    1a9fa92a4f2e2ec9e244d43a6a4f8fb9

    SHA1

    9910190edfaccece1dfcc1d92e357772f5dae8f7

    SHA256

    0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

    SHA512

    5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    948B

    MD5

    4b92d741d003e8d1f0394874017a6fe9

    SHA1

    1a4bebc2637bce160dae38d4d0bfdeb6b398059d

    SHA256

    8c8532230d71f0818daebff0d2ab496b02c25bdaa7156701f663b5474ad876fc

    SHA512

    5c2e84b072314aaae414f98f7dbeb13e030561b53270803d0cf7a8c6ed59368dcfdc4666e69abef39fcac5b75968a1174aca501023297a276a219ed0464612c6

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    7332074ae2b01262736b6fbd9e100dac

    SHA1

    22f992165065107cc9417fa4117240d84414a13c

    SHA256

    baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

    SHA512

    4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

    Filesize

    10KB

    MD5

    2cb9e3f89741961748d38d15dfecc8fb

    SHA1

    11f89dfac73dfacb194fa01bf6e7fddb38c1f6d7

    SHA256

    e76dcf1390543fde2ae6fd8263e90df10923df9dfe78a5fb588a50654577fd13

    SHA512

    20557311d13320d2f7c8bfb99e49c8af30dbcbace0faaa5101f9ea893a017a55100bf2b3c466c9d9cfe4fa8a8affcef9223a870abbcf571492fa90abd0e748f2

  • C:\Users\Admin\AppData\Local\Temp\RustCheat.exe

    Filesize

    231KB

    MD5

    ff8f5c2670894f74456e534b34d6a8fe

    SHA1

    e0b35ae06f68adf07e4616da8e91bb1f935e492a

    SHA256

    d9f3baf81271c395f4dc10e21d12bc2bfb875a8a28ede54abd54a0d8de194d37

    SHA512

    a58b08c3209bc196f914a82ca2b91a096988831bc45babb22ec2210303050cf03923ebf93e7a58926b8813328c672bec015cd0772f27a0192c661d83e796ffff

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe

    Filesize

    60KB

    MD5

    28ff989c1d462f567aabb9c5ba76456b

    SHA1

    24be926b14f64f6a9f5b8248d1618bae9a7fc0b2

    SHA256

    a02fb0b588d89b4ea7f83fc303af6ab00b5ec81a39cf79b2e6ec65d3a3e4c63d

    SHA512

    2e639e5b5480c93c7605480de40e325c0692d3834f305d7d739f3569707e01cbd5d4c75c5fe4b02616edbb5c72b5f9df6466864a2b11fc862b35b5566d51bcba

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qyhrv2p3.fue.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/1120-90-0x0000023231270000-0x000002323127A000-memory.dmp

    Filesize

    40KB

  • memory/1120-27-0x0000023230B60000-0x0000023230BA0000-memory.dmp

    Filesize

    256KB

  • memory/1120-56-0x00000232329C0000-0x00000232329DE000-memory.dmp

    Filesize

    120KB

  • memory/1120-54-0x000002324B3B0000-0x000002324B426000-memory.dmp

    Filesize

    472KB

  • memory/1120-55-0x000002324B330000-0x000002324B380000-memory.dmp

    Filesize

    320KB

  • memory/1120-91-0x000002324B380000-0x000002324B392000-memory.dmp

    Filesize

    72KB

  • memory/1380-31-0x000001E3DD950000-0x000001E3DD972000-memory.dmp

    Filesize

    136KB

  • memory/2720-26-0x0000000000F70000-0x0000000000F86000-memory.dmp

    Filesize

    88KB

  • memory/2720-28-0x00007FFDDAB70000-0x00007FFDDB632000-memory.dmp

    Filesize

    10.8MB

  • memory/2720-161-0x00007FFDDAB70000-0x00007FFDDB632000-memory.dmp

    Filesize

    10.8MB

  • memory/3408-29-0x00007FFDDAB70000-0x00007FFDDB632000-memory.dmp

    Filesize

    10.8MB

  • memory/3408-0-0x00007FFDDAB73000-0x00007FFDDAB75000-memory.dmp

    Filesize

    8KB

  • memory/3408-2-0x00007FFDDAB70000-0x00007FFDDB632000-memory.dmp

    Filesize

    10.8MB

  • memory/3408-1-0x0000000000560000-0x000000000058A000-memory.dmp

    Filesize

    168KB