Overview

overview

10

Static

static

3

Loader.exe

windows10-2004-x64

10

Resubmissions

29-07-2024 08:54

240729-ktxvssvcpc 10

Analysis

  • max time kernel
    17s
  • max time network
    45s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-07-2024 08:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Loader.exe

  • Size

    7.6MB

  • MD5

    aa16f3774491b600121545a5f194cefc

  • SHA1

    c872fe765ecff1dada8378ad8a12cd5cf0425219

  • SHA256

    c0a2b824a0fd05854818bfb81b02bc6178db3f8519807b15d844580099428e1d

  • SHA512

    8b50e7c6eca25ecc2196fbfaf42079873e3c532a90e8d8b691fb594da3e067593f86f0d6488d0c314a27d78519f33fcbfb4532f811997891d55a47d582e1b3a8

  • SSDEEP

    196608:8G46NbTO5uFqiXBIaqVCbB9+FsdH6HBiE555x:8G46N3O5uciXBvq09+wC/Hr

Score
10/10
44caliberxwormcredential_accessexecutionratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

147.185.221.16:60401

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    svchost.exe

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1267250103538810911/_8BMipnmgDV4n-Uu_YmzeHrxrFFQPSAoBBDlwlDVhsDsk_31uQMADxZw-pq563wCO5KV

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3232
    • C:\Users\Admin\AppData\Local\Temp\loaderr.exe
      "C:\Users\Admin\AppData\Local\Temp\loaderr.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:948
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\loaderr.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3252
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'loaderr.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4212
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4396
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3188
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\svchost.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2412
    • C:\Users\Admin\AppData\Local\Temp\fixer.exe
      "C:\Users\Admin\AppData\Local\Temp\fixer.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1476
  • C:\Users\Admin\AppData\Local\svchost.exe
    C:\Users\Admin\AppData\Local\svchost.exe
    1⤵
      PID:3500

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\44\Process.txt
      Filesize

      1KB

      MD5

      1a83355810062b93e566f0bbe7a760ac

      SHA1

      27f4bd9e070397e83cb0e4b4b11a40028d83a639

      SHA256

      28a45c2f4bf900f05679ac65e44fef62bdeb60b4500b955ec3d07901aefeb884

      SHA512

      3d10271bcced28a7c76e713b9e0c8385cd919480d300e79c24b18f5d294c81873f6cad579cb547d718fa2b15fc2e154733098848fff02154a7a5d30525f892eb

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      28d4235aa2e6d782751f980ceb6e5021

      SHA1

      f5d82d56acd642b9fc4b963f684fd6b78f25a140

      SHA256

      8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638

      SHA512

      dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      9bc110200117a3752313ca2acaf8a9e1

      SHA1

      fda6b7da2e7b0175b391475ca78d1b4cf2147cd3

      SHA256

      c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb

      SHA512

      1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      120c6c9af4de2accfcff2ed8c3aab1af

      SHA1

      504f64ae4ac9c4fe308a6a50be24fe464f3dad95

      SHA256

      461315e4057c3fa4d0031df3f7e6511914f082698b6c41f5c2ada831ceffb222

      SHA512

      041712168718dff702da8203b4089b2e57db98ce503b8ecf36809dec0cd7a595a0d427caa960bc1bd29cbedc85ad3262773f2077a476b85aca387d48f7b07ba2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pevxdjij.rej.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\fixer.exe
      Filesize

      274KB

      MD5

      88505913c2c75f796c9a021aab2d356d

      SHA1

      5b5c06998d3e200c21c77ea4efaeaecdc7344e78

      SHA256

      62e414e990e80c8203955b0e32948ddc64903b80a462c339f1babfb03e641204

      SHA512

      6fa46be04c2693ea164fe52ddf3cca0bdafd1ab34d8c0f1c2bf3d361c6042f45375343f59e9474ded6718f8177a4f7eb19fddccd95f7fbb87aad12358b2d6905

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\loaderr.exe
      Filesize

      65KB

      MD5

      95f8f28f5a8503461db6804cda9c4934

      SHA1

      81c0a30e498093d41948777135bbd407c7611cda

      SHA256

      aa40b9b929868482be1daae474d7c93426cd049f844c956865709ff8b7f240c2

      SHA512

      5c3460372a6640a98dd1b1d34a03b951ec4a8942e9065475e982a207881f290aedc3b51fe73c0da4c527e222addd1de2be7ba541e82287e43e16fc544ab34461

      Download Submit

    • memory/948-33-0x00007FFAF4AC0000-0x00007FFAF5581000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/948-72-0x00007FFAF4AC0000-0x00007FFAF5581000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/948-220-0x0000000002D40000-0x0000000002D4C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/948-21-0x0000000000BA0000-0x0000000000BB6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/948-221-0x00007FFAF4AC0000-0x00007FFAF5581000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1476-31-0x0000025C81810000-0x0000025C8185A000-memory.dmp

      Filesize

      296KB

      Download

    • memory/1476-34-0x00007FFAF4AC0000-0x00007FFAF5581000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1476-214-0x00007FFAF4AC0000-0x00007FFAF5581000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3232-0-0x00007FFAF4AC3000-0x00007FFAF4AC5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3232-1-0x0000000000390000-0x0000000000B24000-memory.dmp

      Filesize

      7.6MB

      Download

    • memory/3252-85-0x00000278AD080000-0x00000278AD29C000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/3252-78-0x00000278AD050000-0x00000278AD072000-memory.dmp

      Filesize

      136KB

      Download