Analysis Overview
SHA256
00850425582a22c868e727fbb72c188db08232313902f13b59473f7d46dc722a
Threat Level: Known bad
The file DarkLoader.exe was found to be: Known bad.
Malicious Activity Summary
Xworm
Xworm family
Detect Xworm Payload
Command and Scripting Interpreter: PowerShell
Drops startup file
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-26 14:28
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-26 14:28
Reported
2024-05-26 14:31
Platform
win11-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DarkLoader.lnk | C:\Users\Admin\AppData\Local\Temp\DarkLoader.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DarkLoader.lnk | C:\Users\Admin\AppData\Local\Temp\DarkLoader.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkLoader = "C:\\ProgramData\\DarkLoader.exe" | C:\Users\Admin\AppData\Local\Temp\DarkLoader.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 5.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 5.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 5.tcp.eu.ngrok.io | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | C:\Windows\System32\oobe\UserOOBEBroker.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DarkLoader.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DarkLoader.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DarkLoader.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1340 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkLoader.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1340 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkLoader.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1340 wrote to memory of 3220 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkLoader.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1340 wrote to memory of 3220 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkLoader.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1340 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkLoader.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1340 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\DarkLoader.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\DarkLoader.exe
"C:\Users\Admin\AppData\Local\Temp\DarkLoader.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\DarkLoader.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DarkLoader.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\DarkLoader.exe'
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| FR | 162.19.58.160:443 | i.ibb.co | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| DE | 3.67.62.142:19444 | 5.tcp.eu.ngrok.io | tcp |
| US | 145.14.144.151:443 | wiznon.000webhostapp.com | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| DE | 3.67.62.142:19444 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.67.62.142:19444 | 5.tcp.eu.ngrok.io | tcp |
| GB | 184.25.204.17:443 | tcp | |
| US | 20.42.65.94:443 | browser.pipe.aria.microsoft.com | tcp |
| NL | 23.62.61.129:443 | r.bing.com | tcp |
| NL | 23.62.61.129:443 | r.bing.com | tcp |
| NL | 23.62.61.129:443 | r.bing.com | tcp |
| NL | 23.62.61.129:443 | r.bing.com | tcp |
| NL | 23.62.61.129:443 | r.bing.com | tcp |
| NL | 23.62.61.129:443 | r.bing.com | tcp |
| US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| DE | 3.67.62.142:19444 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.67.62.142:19444 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.67.62.142:19444 | 5.tcp.eu.ngrok.io | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| DE | 3.67.62.142:19444 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.67.112.102:19444 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.67.112.102:19444 | 5.tcp.eu.ngrok.io | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| DE | 3.67.112.102:19444 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.67.112.102:19444 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.67.112.102:19444 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.67.112.102:19444 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.67.112.102:19444 | 5.tcp.eu.ngrok.io | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| DE | 3.67.112.102:19444 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.67.112.102:19444 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.67.112.102:19444 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.64.4.198:19444 | 5.tcp.eu.ngrok.io | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| DE | 3.64.4.198:19444 | 5.tcp.eu.ngrok.io | tcp |
| DE | 3.64.4.198:19444 | 5.tcp.eu.ngrok.io | tcp |
Files
memory/1340-0-0x00007FFD97EF3000-0x00007FFD97EF5000-memory.dmp
memory/1340-1-0x0000000000960000-0x0000000000974000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dzrgx2a3.fmm.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1696-10-0x0000021BA1410000-0x0000021BA1432000-memory.dmp
memory/1696-11-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp
memory/1696-12-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp
memory/1696-13-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp
memory/1696-14-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp
memory/1696-17-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp
memory/1696-18-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 437395ef86850fbff98c12dff89eb621 |
| SHA1 | 9cec41e230fa9839de1e5c42b7dbc8b31df0d69c |
| SHA256 | 9c39f3e1ee674a289926fddddfc5549740c488686ec6513f53848a225c192ba6 |
| SHA512 | bc669893f5c97e80a62fc3d15383ed7c62ffc86bc986401735903019bb96a5f13e4d0f6356baa2021267503a4eb62681e58e28fcff435350e83aa425fa76cd64 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5a229813bb19961125dd054b7137e8a7 |
| SHA1 | 467c80909ebdfac7d0d9da24528fcb23ac052548 |
| SHA256 | 9681554aa5cc22dd2b54fe5089f6417341c2c32915a3feadc61fc864f0742177 |
| SHA512 | 37a408318d49bbe01acb04e57e5222e3cec89cd063ea26e18f20095955a85324bdccd036cb6efd4705a158b327041e66d4724ba3c87d6f8fa4428a99a93d87cd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f8c40f7624e23fa92ae2f41e34cfca77 |
| SHA1 | 20e742cfe2759ac2adbc16db736a9e143ca7b677 |
| SHA256 | c51a52818a084addbfa913d2bb4bb2b0e60c287a4cf98e679f18b8a521c0aa7b |
| SHA512 | f1da3ec61403d788d417d097a7ed2947203c6bff3cf1d35d697c31edecdf04710b3e44b2aa263b886e297b2ce923fea410ccc673261928f1d0cd81252740dbe7 |
memory/1340-46-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp
memory/1340-47-0x000000001C3A0000-0x000000001C3AE000-memory.dmp
memory/1340-48-0x00007FFD97EF0000-0x00007FFD989B2000-memory.dmp