Analysis
-
max time kernel
63s -
max time network
90s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
03-08-2024 19:24
Static task
static1
Behavioral task
behavioral1
Sample
Loader V2.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
Loader V2.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
Loader V2.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral4
Sample
Loader V2.exe
Resource
win11-20240802-en
General
-
Target
Loader V2.exe
-
Size
8.1MB
-
MD5
70a8a700260d1bf5d40214b4d16f2a4d
-
SHA1
888afda0f542f857c3627845abb17320c79348a3
-
SHA256
14430e71914c83f8d1de8e66caa39d07ab782efb662245fb9eff6aa9fca7ce87
-
SHA512
8d139e071d25106a30b3b00350fe08558bdaf884d039492611d90afd30c11ff08643560dc75ffaf7dafc0c53a96cf2b446239faf2fd8df9d0895d25b746d5d83
-
SSDEEP
196608:X7fP69w9dHnln76gtmUd74JVCbkQqeDDFloLRj/UVn5HIL6qG:Nvnln7RmUuJVuk0DDFWJCnVGs
Malware Config
Extracted
xworm
147.185.221.20:13908
147.185.221.16:60401
-
Install_directory
%AppData%
-
install_file
svhost.exe
-
telegram
https://api.telegram.org/bot7220907212:AAEOc5N7cpqGUVVvnWrzGHm8mdOrYN2e9mc/sendMessage?chat_id=6987872630
Extracted
44caliber
https://discord.com/api/webhooks/1267250103538810911/_8BMipnmgDV4n-Uu_YmzeHrxrFFQPSAoBBDlwlDVhsDsk_31uQMADxZw-pq563wCO5KV
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource yara_rule behavioral1/memory/2324-136-0x000000001AF00000-0x000000001AF0E000-memory.dmp disable_win_def -
Detect Xworm Payload 6 IoCs
resource yara_rule behavioral1/files/0x0008000000017349-9.dat family_xworm behavioral1/memory/2324-12-0x0000000000DA0000-0x0000000000DE2000-memory.dmp family_xworm behavioral1/files/0x0007000000017355-19.dat family_xworm behavioral1/memory/2704-39-0x0000000000D30000-0x0000000000D46000-memory.dmp family_xworm behavioral1/memory/1912-130-0x0000000000BC0000-0x0000000000BD6000-memory.dmp family_xworm behavioral1/memory/2760-133-0x0000000000BE0000-0x0000000000C22000-memory.dmp family_xworm -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2968 powershell.exe 2216 powershell.exe 1704 powershell.exe 1324 powershell.exe -
Drops startup file 4 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk loaderr.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk loaderr.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk injectdll.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk injectdll.exe -
Executes dropped EXE 6 IoCs
pid Process 3068 Loader.exe 2324 injectdll.exe 2704 loaderr.exe 1844 fixer.exe 1912 svchost.exe 2760 svhost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe" injectdll.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe" loaderr.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 5 freegeoip.app 6 freegeoip.app 10 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 fixer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier fixer.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1416 schtasks.exe 2312 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 1844 fixer.exe 1844 fixer.exe 1844 fixer.exe 1844 fixer.exe 2968 powershell.exe 2324 injectdll.exe 2216 powershell.exe 1704 powershell.exe 1324 powershell.exe 2704 loaderr.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
description pid Process Token: SeDebugPrivilege 2324 injectdll.exe Token: SeDebugPrivilege 2704 loaderr.exe Token: SeDebugPrivilege 1844 fixer.exe Token: SeDebugPrivilege 2968 powershell.exe Token: SeDebugPrivilege 2324 injectdll.exe Token: SeDebugPrivilege 2216 powershell.exe Token: SeDebugPrivilege 1704 powershell.exe Token: SeDebugPrivilege 1324 powershell.exe Token: SeDebugPrivilege 2704 loaderr.exe Token: SeDebugPrivilege 1912 svchost.exe Token: SeDebugPrivilege 2760 svhost.exe Token: SeShutdownPrivilege 2324 injectdll.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2324 injectdll.exe 2704 loaderr.exe -
Suspicious use of WriteProcessMemory 36 IoCs
description pid Process procid_target PID 2064 wrote to memory of 3068 2064 Loader V2.exe 30 PID 2064 wrote to memory of 3068 2064 Loader V2.exe 30 PID 2064 wrote to memory of 3068 2064 Loader V2.exe 30 PID 2064 wrote to memory of 2324 2064 Loader V2.exe 31 PID 2064 wrote to memory of 2324 2064 Loader V2.exe 31 PID 2064 wrote to memory of 2324 2064 Loader V2.exe 31 PID 3068 wrote to memory of 2704 3068 Loader.exe 32 PID 3068 wrote to memory of 2704 3068 Loader.exe 32 PID 3068 wrote to memory of 2704 3068 Loader.exe 32 PID 3068 wrote to memory of 1844 3068 Loader.exe 33 PID 3068 wrote to memory of 1844 3068 Loader.exe 33 PID 3068 wrote to memory of 1844 3068 Loader.exe 33 PID 2704 wrote to memory of 2968 2704 loaderr.exe 36 PID 2704 wrote to memory of 2968 2704 loaderr.exe 36 PID 2704 wrote to memory of 2968 2704 loaderr.exe 36 PID 2324 wrote to memory of 1416 2324 injectdll.exe 38 PID 2324 wrote to memory of 1416 2324 injectdll.exe 38 PID 2324 wrote to memory of 1416 2324 injectdll.exe 38 PID 2704 wrote to memory of 2216 2704 loaderr.exe 40 PID 2704 wrote to memory of 2216 2704 loaderr.exe 40 PID 2704 wrote to memory of 2216 2704 loaderr.exe 40 PID 2704 wrote to memory of 1704 2704 loaderr.exe 42 PID 2704 wrote to memory of 1704 2704 loaderr.exe 42 PID 2704 wrote to memory of 1704 2704 loaderr.exe 42 PID 2704 wrote to memory of 1324 2704 loaderr.exe 44 PID 2704 wrote to memory of 1324 2704 loaderr.exe 44 PID 2704 wrote to memory of 1324 2704 loaderr.exe 44 PID 2704 wrote to memory of 2312 2704 loaderr.exe 46 PID 2704 wrote to memory of 2312 2704 loaderr.exe 46 PID 2704 wrote to memory of 2312 2704 loaderr.exe 46 PID 1932 wrote to memory of 1912 1932 taskeng.exe 49 PID 1932 wrote to memory of 1912 1932 taskeng.exe 49 PID 1932 wrote to memory of 1912 1932 taskeng.exe 49 PID 1932 wrote to memory of 2760 1932 taskeng.exe 50 PID 1932 wrote to memory of 2760 1932 taskeng.exe 50 PID 1932 wrote to memory of 2760 1932 taskeng.exe 50 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Loader V2.exe"C:\Users\Admin\AppData\Local\Temp\Loader V2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Users\Admin\AppData\Roaming\Loader.exe"C:\Users\Admin\AppData\Roaming\Loader.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Users\Admin\AppData\Local\Temp\loaderr.exe"C:\Users\Admin\AppData\Local\Temp\loaderr.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\loaderr.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2968
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'loaderr.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2216
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1704
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1324
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\svchost.exe"4⤵
- Scheduled Task/Job: Scheduled Task
PID:2312
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixer.exe"C:\Users\Admin\AppData\Local\Temp\fixer.exe"3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1844
-
-
-
C:\Users\Admin\AppData\Roaming\injectdll.exe"C:\Users\Admin\AppData\Roaming\injectdll.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"3⤵
- Scheduled Task/Job: Scheduled Task
PID:1416
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {BB3FE535-94F1-4C11-9458-53FAA4EF2B04} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Users\Admin\AppData\Local\svchost.exeC:\Users\Admin\AppData\Local\svchost.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1912
-
-
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2760
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
274KB
MD588505913c2c75f796c9a021aab2d356d
SHA15b5c06998d3e200c21c77ea4efaeaecdc7344e78
SHA25662e414e990e80c8203955b0e32948ddc64903b80a462c339f1babfb03e641204
SHA5126fa46be04c2693ea164fe52ddf3cca0bdafd1ab34d8c0f1c2bf3d361c6042f45375343f59e9474ded6718f8177a4f7eb19fddccd95f7fbb87aad12358b2d6905
-
Filesize
65KB
MD595f8f28f5a8503461db6804cda9c4934
SHA181c0a30e498093d41948777135bbd407c7611cda
SHA256aa40b9b929868482be1daae474d7c93426cd049f844c956865709ff8b7f240c2
SHA5125c3460372a6640a98dd1b1d34a03b951ec4a8942e9065475e982a207881f290aedc3b51fe73c0da4c527e222addd1de2be7ba541e82287e43e16fc544ab34461
-
Filesize
7.6MB
MD5aa16f3774491b600121545a5f194cefc
SHA1c872fe765ecff1dada8378ad8a12cd5cf0425219
SHA256c0a2b824a0fd05854818bfb81b02bc6178db3f8519807b15d844580099428e1d
SHA5128b50e7c6eca25ecc2196fbfaf42079873e3c532a90e8d8b691fb594da3e067593f86f0d6488d0c314a27d78519f33fcbfb4532f811997891d55a47d582e1b3a8
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5cc87da16642a83f322c2c68fe57662e3
SHA13760e8433b8987410028f02b355109a817ae5464
SHA2564bdc4a23b67d814fa1635aa25c84fc34334fd8641543a98fcd1379c8718c4fd3
SHA512cb7552046bdcf6c48c506c8f6a94148ad7f4b14b5ea96f937dfce4c3e2af8b1be52346c41ede824039ef868ae665946f7ac340bb53020f81c78b1892ac3cd228
-
Filesize
244KB
MD574ffb0d60d647dd6ad8d00c1bee48011
SHA14c8a707a33b35b78f374c66d59f9c2314c20b25f
SHA256b481f1e0cfe25e5f19da0a0333c78661bf5c75c0b1c616ff4aaaa07aed31efd1
SHA512fc667f4560d6b19a9a4f37eb0e66c751eb348ffc0db69c7d0bd733dfd2df2dfdadc7b780cd93686350444cc14a54283bafe3afec611bcac3ad0239eda659f46c