Analysis
-
max time kernel
57s -
max time network
71s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
03-08-2024 19:24
Static task
static1
Behavioral task
behavioral1
Sample
Loader V2.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
Loader V2.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
Loader V2.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral4
Sample
Loader V2.exe
Resource
win11-20240802-en
Errors
General
-
Target
Loader V2.exe
-
Size
8.1MB
-
MD5
70a8a700260d1bf5d40214b4d16f2a4d
-
SHA1
888afda0f542f857c3627845abb17320c79348a3
-
SHA256
14430e71914c83f8d1de8e66caa39d07ab782efb662245fb9eff6aa9fca7ce87
-
SHA512
8d139e071d25106a30b3b00350fe08558bdaf884d039492611d90afd30c11ff08643560dc75ffaf7dafc0c53a96cf2b446239faf2fd8df9d0895d25b746d5d83
-
SSDEEP
196608:X7fP69w9dHnln76gtmUd74JVCbkQqeDDFloLRj/UVn5HIL6qG:Nvnln7RmUuJVuk0DDFWJCnVGs
Malware Config
Extracted
xworm
147.185.221.20:13908
147.185.221.16:60401
-
Install_directory
%AppData%
-
install_file
svhost.exe
-
telegram
https://api.telegram.org/bot7220907212:AAEOc5N7cpqGUVVvnWrzGHm8mdOrYN2e9mc/sendMessage?chat_id=6987872630
Extracted
44caliber
https://discord.com/api/webhooks/1267250103538810911/_8BMipnmgDV4n-Uu_YmzeHrxrFFQPSAoBBDlwlDVhsDsk_31uQMADxZw-pq563wCO5KV
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
resource yara_rule behavioral4/memory/1028-239-0x0000000002D10000-0x0000000002D1E000-memory.dmp disable_win_def -
Detect Xworm Payload 4 IoCs
resource yara_rule behavioral4/files/0x000300000002a9a7-17.dat family_xworm behavioral4/memory/1028-25-0x0000000000B60000-0x0000000000BA2000-memory.dmp family_xworm behavioral4/files/0x000100000002a9ac-34.dat family_xworm behavioral4/memory/1592-62-0x0000000000980000-0x0000000000996000-memory.dmp family_xworm -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 872 powershell.exe 1448 powershell.exe 2716 powershell.exe 3952 powershell.exe -
Drops startup file 4 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk loaderr.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk injectdll.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk injectdll.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk loaderr.exe -
Executes dropped EXE 6 IoCs
pid Process 1544 Loader.exe 1028 injectdll.exe 1592 loaderr.exe 3700 fixer.exe 1264 svchost.exe 1488 svhost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe" injectdll.exe Set value (str) \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe" loaderr.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 1 freegeoip.app 1 ip-api.com 2 freegeoip.app -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier fixer.exe Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 fixer.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2356 schtasks.exe 1860 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 3700 fixer.exe 3700 fixer.exe 3700 fixer.exe 3700 fixer.exe 872 powershell.exe 872 powershell.exe 1448 powershell.exe 1448 powershell.exe 2716 powershell.exe 2716 powershell.exe 1028 injectdll.exe 3952 powershell.exe 3952 powershell.exe 1592 loaderr.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
description pid Process Token: SeDebugPrivilege 1028 injectdll.exe Token: SeDebugPrivilege 3700 fixer.exe Token: SeDebugPrivilege 1592 loaderr.exe Token: SeDebugPrivilege 872 powershell.exe Token: SeDebugPrivilege 1448 powershell.exe Token: SeDebugPrivilege 2716 powershell.exe Token: SeDebugPrivilege 1028 injectdll.exe Token: SeDebugPrivilege 3952 powershell.exe Token: SeDebugPrivilege 1592 loaderr.exe Token: SeDebugPrivilege 1264 svchost.exe Token: SeDebugPrivilege 1488 svhost.exe Token: SeShutdownPrivilege 1028 injectdll.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1028 injectdll.exe 1592 loaderr.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 3304 wrote to memory of 1544 3304 Loader V2.exe 79 PID 3304 wrote to memory of 1544 3304 Loader V2.exe 79 PID 3304 wrote to memory of 1028 3304 Loader V2.exe 80 PID 3304 wrote to memory of 1028 3304 Loader V2.exe 80 PID 1544 wrote to memory of 1592 1544 Loader.exe 81 PID 1544 wrote to memory of 1592 1544 Loader.exe 81 PID 1544 wrote to memory of 3700 1544 Loader.exe 82 PID 1544 wrote to memory of 3700 1544 Loader.exe 82 PID 1592 wrote to memory of 872 1592 loaderr.exe 84 PID 1592 wrote to memory of 872 1592 loaderr.exe 84 PID 1592 wrote to memory of 1448 1592 loaderr.exe 86 PID 1592 wrote to memory of 1448 1592 loaderr.exe 86 PID 1592 wrote to memory of 2716 1592 loaderr.exe 88 PID 1592 wrote to memory of 2716 1592 loaderr.exe 88 PID 1028 wrote to memory of 2356 1028 injectdll.exe 90 PID 1028 wrote to memory of 2356 1028 injectdll.exe 90 PID 1592 wrote to memory of 3952 1592 loaderr.exe 92 PID 1592 wrote to memory of 3952 1592 loaderr.exe 92 PID 1592 wrote to memory of 1860 1592 loaderr.exe 94 PID 1592 wrote to memory of 1860 1592 loaderr.exe 94 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Loader V2.exe"C:\Users\Admin\AppData\Local\Temp\Loader V2.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3304 -
C:\Users\Admin\AppData\Roaming\Loader.exe"C:\Users\Admin\AppData\Roaming\Loader.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Users\Admin\AppData\Local\Temp\loaderr.exe"C:\Users\Admin\AppData\Local\Temp\loaderr.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\loaderr.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:872
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'loaderr.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1448
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2716
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3952
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\svchost.exe"4⤵
- Scheduled Task/Job: Scheduled Task
PID:1860
-
-
-
C:\Users\Admin\AppData\Local\Temp\fixer.exe"C:\Users\Admin\AppData\Local\Temp\fixer.exe"3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3700
-
-
-
C:\Users\Admin\AppData\Roaming\injectdll.exe"C:\Users\Admin\AppData\Roaming\injectdll.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"3⤵
- Scheduled Task/Job: Scheduled Task
PID:2356
-
-
-
C:\Users\Admin\AppData\Local\svchost.exeC:\Users\Admin\AppData\Local\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1264
-
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1488
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5d4cc54d2c89190d6e0c94c44efb9bd83
SHA13b0d452059e908d1c0332d0d22fb3258e3bc5037
SHA256a55d1727a2c835ef5ad06df8088df4ae19bd837793e1ee29408bc802728933ee
SHA512c87649693de68c4ddde9571190c180e5a7e30d198d4d00c0898614dcc22678b1eae130758e6a0cbf1800a7aba738bee59c1c98445ecaa8d45036885c35b1e843
-
Filesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
Filesize
944B
MD51a9fa92a4f2e2ec9e244d43a6a4f8fb9
SHA19910190edfaccece1dfcc1d92e357772f5dae8f7
SHA2560ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
SHA5125d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64
-
Filesize
944B
MD569416944dac24129d0969e2ac46f0533
SHA1d71969659956b32411e0606a9bee640a0b108ef4
SHA256dffc7e01106427982d7cafd3d7e3be37e16b098fbb0958410ea8d7c68bfb97ca
SHA512aabb330053579af0d9de2661bd70eaadfd2e2e617759bc9c380db1c64731c6711304e49882138e9d337815377ee012a7458f91f692cb31538d73624385867f4c
-
Filesize
944B
MD580b42fe4c6cf64624e6c31e5d7f2d3b3
SHA11f93e7dd83b86cb900810b7e3e43797868bf7d93
SHA256ee20a5b38a6674366efda276dbbf0b43eb54efd282acfc1033042f6b53a80d4d
SHA51283c1c744c15a8b427a1d3af677ec3bfd0353875a60fe886c41570981e17467ebbb59619b960ca8c5c3ab1430946b0633ea200b7e7d84ab6dca88b60c50055573
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
274KB
MD588505913c2c75f796c9a021aab2d356d
SHA15b5c06998d3e200c21c77ea4efaeaecdc7344e78
SHA25662e414e990e80c8203955b0e32948ddc64903b80a462c339f1babfb03e641204
SHA5126fa46be04c2693ea164fe52ddf3cca0bdafd1ab34d8c0f1c2bf3d361c6042f45375343f59e9474ded6718f8177a4f7eb19fddccd95f7fbb87aad12358b2d6905
-
Filesize
65KB
MD595f8f28f5a8503461db6804cda9c4934
SHA181c0a30e498093d41948777135bbd407c7611cda
SHA256aa40b9b929868482be1daae474d7c93426cd049f844c956865709ff8b7f240c2
SHA5125c3460372a6640a98dd1b1d34a03b951ec4a8942e9065475e982a207881f290aedc3b51fe73c0da4c527e222addd1de2be7ba541e82287e43e16fc544ab34461
-
Filesize
7.6MB
MD5aa16f3774491b600121545a5f194cefc
SHA1c872fe765ecff1dada8378ad8a12cd5cf0425219
SHA256c0a2b824a0fd05854818bfb81b02bc6178db3f8519807b15d844580099428e1d
SHA5128b50e7c6eca25ecc2196fbfaf42079873e3c532a90e8d8b691fb594da3e067593f86f0d6488d0c314a27d78519f33fcbfb4532f811997891d55a47d582e1b3a8
-
Filesize
244KB
MD574ffb0d60d647dd6ad8d00c1bee48011
SHA14c8a707a33b35b78f374c66d59f9c2314c20b25f
SHA256b481f1e0cfe25e5f19da0a0333c78661bf5c75c0b1c616ff4aaaa07aed31efd1
SHA512fc667f4560d6b19a9a4f37eb0e66c751eb348ffc0db69c7d0bd733dfd2df2dfdadc7b780cd93686350444cc14a54283bafe3afec611bcac3ad0239eda659f46c