Analysis
-
max time kernel
68s -
max time network
102s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
03-08-2024 19:24
Static task
static1
Behavioral task
behavioral1
Sample
Loader V2.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
Loader V2.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
Loader V2.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral4
Sample
Loader V2.exe
Resource
win11-20240802-en
General
-
Target
Loader V2.exe
-
Size
8.1MB
-
MD5
70a8a700260d1bf5d40214b4d16f2a4d
-
SHA1
888afda0f542f857c3627845abb17320c79348a3
-
SHA256
14430e71914c83f8d1de8e66caa39d07ab782efb662245fb9eff6aa9fca7ce87
-
SHA512
8d139e071d25106a30b3b00350fe08558bdaf884d039492611d90afd30c11ff08643560dc75ffaf7dafc0c53a96cf2b446239faf2fd8df9d0895d25b746d5d83
-
SSDEEP
196608:X7fP69w9dHnln76gtmUd74JVCbkQqeDDFloLRj/UVn5HIL6qG:Nvnln7RmUuJVuk0DDFWJCnVGs
Malware Config
Extracted
xworm
147.185.221.20:13908
147.185.221.16:60401
-
Install_directory
%AppData%
-
install_file
svhost.exe
-
telegram
https://api.telegram.org/bot7220907212:AAEOc5N7cpqGUVVvnWrzGHm8mdOrYN2e9mc/sendMessage?chat_id=6987872630
Extracted
44caliber
https://discord.com/api/webhooks/1267250103538810911/_8BMipnmgDV4n-Uu_YmzeHrxrFFQPSAoBBDlwlDVhsDsk_31uQMADxZw-pq563wCO5KV
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource yara_rule behavioral1/memory/2420-135-0x00000000020F0000-0x00000000020FE000-memory.dmp disable_win_def -
Detect Xworm Payload 6 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\injectdll.exe family_xworm C:\Users\Admin\AppData\Local\Temp\loaderr.exe family_xworm behavioral1/memory/2608-32-0x00000000011A0000-0x00000000011B6000-memory.dmp family_xworm behavioral1/memory/2420-39-0x0000000000010000-0x0000000000052000-memory.dmp family_xworm behavioral1/memory/324-131-0x0000000001150000-0x0000000001192000-memory.dmp family_xworm behavioral1/memory/3004-130-0x00000000002A0000-0x00000000002B6000-memory.dmp family_xworm -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepid process 3064 powershell.exe 1316 powershell.exe 1532 powershell.exe 1004 powershell.exe -
Drops startup file 4 IoCs
Processes:
loaderr.exeinjectdll.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk loaderr.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk injectdll.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk injectdll.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk loaderr.exe -
Executes dropped EXE 6 IoCs
Processes:
Loader.exeinjectdll.exeloaderr.exefixer.exesvhost.exesvchost.exepid process 2436 Loader.exe 2420 injectdll.exe 2608 loaderr.exe 804 fixer.exe 324 svhost.exe 3004 svchost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
injectdll.exeloaderr.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe" injectdll.exe Set value (str) \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe" loaderr.exe -
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 freegeoip.app 5 freegeoip.app 10 ip-api.com 11 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
fixer.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 fixer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier fixer.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 1468 schtasks.exe 1452 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
fixer.exepowershell.exepowershell.exepowershell.exepowershell.exeinjectdll.exeloaderr.exepid process 804 fixer.exe 804 fixer.exe 804 fixer.exe 804 fixer.exe 3064 powershell.exe 1316 powershell.exe 1532 powershell.exe 1004 powershell.exe 2420 injectdll.exe 2608 loaderr.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
loaderr.exeinjectdll.exefixer.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exesvhost.exedescription pid process Token: SeDebugPrivilege 2608 loaderr.exe Token: SeDebugPrivilege 2420 injectdll.exe Token: SeDebugPrivilege 804 fixer.exe Token: SeDebugPrivilege 3064 powershell.exe Token: SeDebugPrivilege 1316 powershell.exe Token: SeDebugPrivilege 1532 powershell.exe Token: SeDebugPrivilege 1004 powershell.exe Token: SeDebugPrivilege 2420 injectdll.exe Token: SeDebugPrivilege 2608 loaderr.exe Token: SeDebugPrivilege 3004 svchost.exe Token: SeDebugPrivilege 324 svhost.exe Token: SeShutdownPrivilege 2420 injectdll.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
injectdll.exeloaderr.exepid process 2420 injectdll.exe 2608 loaderr.exe -
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
Loader V2.exeLoader.exeloaderr.exeinjectdll.exetaskeng.exedescription pid process target process PID 2028 wrote to memory of 2436 2028 Loader V2.exe Loader.exe PID 2028 wrote to memory of 2436 2028 Loader V2.exe Loader.exe PID 2028 wrote to memory of 2436 2028 Loader V2.exe Loader.exe PID 2028 wrote to memory of 2420 2028 Loader V2.exe injectdll.exe PID 2028 wrote to memory of 2420 2028 Loader V2.exe injectdll.exe PID 2028 wrote to memory of 2420 2028 Loader V2.exe injectdll.exe PID 2436 wrote to memory of 2608 2436 Loader.exe loaderr.exe PID 2436 wrote to memory of 2608 2436 Loader.exe loaderr.exe PID 2436 wrote to memory of 2608 2436 Loader.exe loaderr.exe PID 2436 wrote to memory of 804 2436 Loader.exe fixer.exe PID 2436 wrote to memory of 804 2436 Loader.exe fixer.exe PID 2436 wrote to memory of 804 2436 Loader.exe fixer.exe PID 2608 wrote to memory of 3064 2608 loaderr.exe powershell.exe PID 2608 wrote to memory of 3064 2608 loaderr.exe powershell.exe PID 2608 wrote to memory of 3064 2608 loaderr.exe powershell.exe PID 2608 wrote to memory of 1316 2608 loaderr.exe powershell.exe PID 2608 wrote to memory of 1316 2608 loaderr.exe powershell.exe PID 2608 wrote to memory of 1316 2608 loaderr.exe powershell.exe PID 2608 wrote to memory of 1532 2608 loaderr.exe powershell.exe PID 2608 wrote to memory of 1532 2608 loaderr.exe powershell.exe PID 2608 wrote to memory of 1532 2608 loaderr.exe powershell.exe PID 2608 wrote to memory of 1004 2608 loaderr.exe powershell.exe PID 2608 wrote to memory of 1004 2608 loaderr.exe powershell.exe PID 2608 wrote to memory of 1004 2608 loaderr.exe powershell.exe PID 2420 wrote to memory of 1468 2420 injectdll.exe schtasks.exe PID 2420 wrote to memory of 1468 2420 injectdll.exe schtasks.exe PID 2420 wrote to memory of 1468 2420 injectdll.exe schtasks.exe PID 2608 wrote to memory of 1452 2608 loaderr.exe schtasks.exe PID 2608 wrote to memory of 1452 2608 loaderr.exe schtasks.exe PID 2608 wrote to memory of 1452 2608 loaderr.exe schtasks.exe PID 556 wrote to memory of 324 556 taskeng.exe svhost.exe PID 556 wrote to memory of 3004 556 taskeng.exe svchost.exe PID 556 wrote to memory of 324 556 taskeng.exe svhost.exe PID 556 wrote to memory of 324 556 taskeng.exe svhost.exe PID 556 wrote to memory of 3004 556 taskeng.exe svchost.exe PID 556 wrote to memory of 3004 556 taskeng.exe svchost.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Loader V2.exe"C:\Users\Admin\AppData\Local\Temp\Loader V2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Users\Admin\AppData\Roaming\Loader.exe"C:\Users\Admin\AppData\Roaming\Loader.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Users\Admin\AppData\Local\Temp\loaderr.exe"C:\Users\Admin\AppData\Local\Temp\loaderr.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\loaderr.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3064 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'loaderr.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1316 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1532 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1004 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\svchost.exe"4⤵
- Scheduled Task/Job: Scheduled Task
PID:1452 -
C:\Users\Admin\AppData\Local\Temp\fixer.exe"C:\Users\Admin\AppData\Local\Temp\fixer.exe"3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:804 -
C:\Users\Admin\AppData\Roaming\injectdll.exe"C:\Users\Admin\AppData\Roaming\injectdll.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"3⤵
- Scheduled Task/Job: Scheduled Task
PID:1468
-
C:\Windows\system32\taskeng.exetaskeng.exe {931D5DDF-3884-4702-9300-4894CBAE252F} S-1-5-21-3502430532-24693940-2469786940-1000:PSBQWFYT\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Users\Admin\AppData\Local\svchost.exeC:\Users\Admin\AppData\Local\svchost.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3004 -
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:324
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
479B
MD56273b47c5272225361713dfa473da7ec
SHA1e0a0e961c80a138f7f2c4ca95ef289c6206e9f08
SHA2568ed83fe2d59dce4c364a26743da51c2c6e2ad4f5a95364129eb014f3f137b50b
SHA512f92b70b7df675e038106636d235c99efd36147fb6e336973e16bca5d3ccf5db4e4b97365282512c20277fcbb730e8f8cabf156a782959a39251f476d017065fa
-
Filesize
274KB
MD588505913c2c75f796c9a021aab2d356d
SHA15b5c06998d3e200c21c77ea4efaeaecdc7344e78
SHA25662e414e990e80c8203955b0e32948ddc64903b80a462c339f1babfb03e641204
SHA5126fa46be04c2693ea164fe52ddf3cca0bdafd1ab34d8c0f1c2bf3d361c6042f45375343f59e9474ded6718f8177a4f7eb19fddccd95f7fbb87aad12358b2d6905
-
Filesize
65KB
MD595f8f28f5a8503461db6804cda9c4934
SHA181c0a30e498093d41948777135bbd407c7611cda
SHA256aa40b9b929868482be1daae474d7c93426cd049f844c956865709ff8b7f240c2
SHA5125c3460372a6640a98dd1b1d34a03b951ec4a8942e9065475e982a207881f290aedc3b51fe73c0da4c527e222addd1de2be7ba541e82287e43e16fc544ab34461
-
Filesize
7.6MB
MD5aa16f3774491b600121545a5f194cefc
SHA1c872fe765ecff1dada8378ad8a12cd5cf0425219
SHA256c0a2b824a0fd05854818bfb81b02bc6178db3f8519807b15d844580099428e1d
SHA5128b50e7c6eca25ecc2196fbfaf42079873e3c532a90e8d8b691fb594da3e067593f86f0d6488d0c314a27d78519f33fcbfb4532f811997891d55a47d582e1b3a8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5785417237820fcb4725c7f7809f45b8b
SHA11867d6790568fb7b537ca100dd3a0af7fe203cdf
SHA2562fb9018dea93b558817b60e6e2073ff6d992a143b25431ce789438525eddc802
SHA512a692a5fcde4a29d9717c0e0fde7e8c65391839611023cb5080afd68759d02ced4d4d1181a03844f0f5f786adb821a9a23445b33ef5f117c39adc757c6cb3ee1a
-
Filesize
244KB
MD574ffb0d60d647dd6ad8d00c1bee48011
SHA14c8a707a33b35b78f374c66d59f9c2314c20b25f
SHA256b481f1e0cfe25e5f19da0a0333c78661bf5c75c0b1c616ff4aaaa07aed31efd1
SHA512fc667f4560d6b19a9a4f37eb0e66c751eb348ffc0db69c7d0bd733dfd2df2dfdadc7b780cd93686350444cc14a54283bafe3afec611bcac3ad0239eda659f46c