Analysis
max time kernel: 149s
max time network: 156s
platform: windows10-1703_x64
resource: win10-20240611-en
resource tags: arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
submitted: 02-08-2024 11:14
Static task: static1
Behavioral task: behavioral1
  Sample: Loader V2.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: Loader V2.exe
  Resource: win10-20240611-en
Behavioral task: behavioral3
  Sample: Loader V2.exe
  Resource: win10v2004-20240730-en
Behavioral task: behavioral4
  Sample: Loader V2.exe
  Resource: win11-20240730-en
General
Target: Loader V2.exe
Size: 8.1MB
MD5: 70a8a700260d1bf5d40214b4d16f2a4d
SHA1: 888afda0f542f857c3627845abb17320c79348a3
SHA256: 14430e71914c83f8d1de8e66caa39d07ab782efb662245fb9eff6aa9fca7ce87
SHA512: 8d139e071d25106a30b3b00350fe08558bdaf884d039492611d90afd30c11ff08643560dc75ffaf7dafc0c53a96cf2b446239faf2fd8df9d0895d25b746d5d83
SSDEEP: 196608:X7fP69w9dHnln76gtmUd74JVCbkQqeDDFloLRj/UVn5HIL6qG:Nvnln7RmUuJVuk0DDFWJCnVGs
Malware Config
Extracted: xworm
  147.185.221.20:13908
  147.185.221.16:60401
  Install_directory: %AppData%
  install_file: svhost.exe
  telegram: https://api.telegram.org/bot7220907212:AAEOc5N7cpqGUVVvnWrzGHm8mdOrYN2e9mc/sendMessage?chat_id=6987872630
Extracted: 44caliber
  https://discord.com/api/webhooks/1267250103538810911/_8BMipnmgDV4n-Uu_YmzeHrxrFFQPSAoBBDlwlDVhsDsk_31uQMADxZw-pq563wCO5KV
Signatures
-
Detect Xworm Payload 4 IoCs
resource | yara_rule
behavioral2/files/0x000800000001ab71-10.dat | family_xworm
behavioral2/memory/4372-16-0x0000000000440000-0x0000000000482000-memory.dmp | family_xworm
behavioral2/files/0x000800000001ab75-22.dat | family_xworm
behavioral2/memory/2892-34-0x0000000000630000-0x0000000000646000-memory.dmp | family_xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
4296 | powershell.exe
4396 | powershell.exe
4640 | powershell.exe
5036 | powershell.exe
Drops startup file 4 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk | injectdll.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk | injectdll.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | loaderr.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | loaderr.exe
Executes dropped EXE 8 IoCs
pid | Process
596 | Loader.exe
4372 | injectdll.exe
2892 | loaderr.exe
4052 | fixer.exe
4668 | svhost.exe
3480 | svchost.exe
2580 | svhost.exe
4188 | svchost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe" | injectdll.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe" | loaderr.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
1 | freegeoip.app
2 | freegeoip.app
7 | ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | fixer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | fixer.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2628 | schtasks.exe
752 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid | Process
4052 | fixer.exe
4052 | fixer.exe
4052 | fixer.exe
4052 | fixer.exe
4372 | injectdll.exe
4296 | powershell.exe
4296 | powershell.exe
4296 | powershell.exe
4396 | powershell.exe
4396 | powershell.exe
4396 | powershell.exe
4640 | powershell.exe
4640 | powershell.exe
4640 | powershell.exe
5036 | powershell.exe
5036 | powershell.exe
5036 | powershell.exe
2892 | loaderr.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4372 | injectdll.exe
Token: SeDebugPrivilege | 2892 | loaderr.exe
Token: SeDebugPrivilege | 4052 | fixer.exe
Token: SeDebugPrivilege | 4372 | injectdll.exe
Tokens for 4296 powershell.exe (22 entries, in order): SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Tokens for 4396 powershell.exe (22 entries, in order): SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Tokens for 4640 powershell.exe (16 entries, in order; the list is cut off at the 64-IoC limit): SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
4372 | injectdll.exe
2892 | loaderr.exe
Suspicious use of WriteProcessMemory 20 IoCs
description | pid | Process | procid_target (each row is listed twice in the report)
PID 4604 wrote to memory of 596 | 4604 | Loader V2.exe | 71
PID 4604 wrote to memory of 4372 | 4604 | Loader V2.exe | 72
PID 596 wrote to memory of 2892 | 596 | Loader.exe | 73
PID 596 wrote to memory of 4052 | 596 | Loader.exe | 74
PID 4372 wrote to memory of 2628 | 4372 | injectdll.exe | 76
PID 2892 wrote to memory of 4296 | 2892 | loaderr.exe | 78
PID 2892 wrote to memory of 4396 | 2892 | loaderr.exe | 81
PID 2892 wrote to memory of 4640 | 2892 | loaderr.exe | 83
PID 2892 wrote to memory of 5036 | 2892 | loaderr.exe | 85
PID 2892 wrote to memory of 752 | 2892 | loaderr.exe | 87
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree (bracketed number is the depth in the tree):

[1] C:\Users\Admin\AppData\Local\Temp\Loader V2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Loader V2.exe"
    PID: 4604
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\Loader.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Loader.exe"
        PID: 596
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\loaderr.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\loaderr.exe"
            PID: 2892
            - Drops startup file
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\loaderr.exe'
                PID: 4296
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'loaderr.exe'
                PID: 4396
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
                PID: 4640
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
                PID: 5036
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses

            [4] C:\Windows\System32\schtasks.exe
                Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\svchost.exe"
                PID: 752
                - Scheduled Task/Job: Scheduled Task

        [3] C:\Users\Admin\AppData\Local\Temp\fixer.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\fixer.exe"
            PID: 4052
            - Executes dropped EXE
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\AppData\Roaming\injectdll.exe
        Command line: "C:\Users\Admin\AppData\Roaming\injectdll.exe"
        PID: 4372
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\System32\schtasks.exe
            Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"
            PID: 2628
            - Scheduled Task/Job: Scheduled Task

[1] C:\Users\Admin\AppData\Roaming\svhost.exe
    Command line: C:\Users\Admin\AppData\Roaming\svhost.exe
    PID: 4668
    - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\svchost.exe
    Command line: C:\Users\Admin\AppData\Local\svchost.exe
    PID: 3480
    - Executes dropped EXE

[1] C:\Users\Admin\AppData\Roaming\svhost.exe
    Command line: C:\Users\Admin\AppData\Roaming\svhost.exe
    PID: 2580
    - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\svchost.exe
    Command line: C:\Users\Admin\AppData\Local\svchost.exe
    PID: 4188
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads