Overview

overview

10

Static

static

3

loader.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    5s
  • max time network
    6s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-10-2024 10:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    loader.exe

  • Size

    5.2MB

  • MD5

    c136329a989aad9543c913f9197a01fe

  • SHA1

    0b3bdab50947cf330243938c9ccb3e685c43457b

  • SHA256

    9b802ef1b1e58a521a45dbd45c48c75c5b7f9ac53b273d6d2cf868c1f6d46885

  • SHA512

    fa7a7efa10b4da760b7d281aa235fa4bb4ce28d12796f28632fd653ae184a6f09bc796c18ba1aa3253f713af0334d97f040dc762a8a1d25352dc7308d49b8590

  • SSDEEP

    98304:fKYhdZRJ8os9WXz/DsEAE4SfTQ3+5wJCn9cK4KwrUWxeNVSreDGknLjiSXBI:CYhdo0D/D1J8+mM9Y/gNIsGkLj

Score
10/10
umbralxwormdiscoveryexecutionratstealertrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

testarosa.duckdns.org:7110

Mutex

5ZpeoOe6AtQfr6wU

Attributes
  • Install_directory

    %AppData%

  • install_file

    Ondrive.exe

aes.plain

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2312
    • C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
      "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:312
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3452
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1524
      • C:\Users\Admin\AppData\Roaming\Server.exe
        "C:\Users\Admin\AppData\Roaming\Server.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4208
      • C:\Users\Admin\AppData\Roaming\conhost.exe
        "C:\Users\Admin\AppData\Roaming\conhost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:464
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\conhost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          PID:4624
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'conhost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          PID:2372
    • C:\Users\Admin\AppData\Local\Temp\loader.exe
      "C:\Users\Admin\AppData\Local\Temp\loader.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2540
      • C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
        "C:\Users\Admin\AppData\Local\Temp\Aquatic.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2708
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3620
      • C:\Users\Admin\AppData\Local\Temp\Server.exe
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3856
        • C:\Users\Admin\AppData\Roaming\Server.exe
          "C:\Users\Admin\AppData\Roaming\Server.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4584
        • C:\Users\Admin\AppData\Roaming\conhost.exe
          "C:\Users\Admin\AppData\Roaming\conhost.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4868
      • C:\Users\Admin\AppData\Local\Temp\loader.exe
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        3⤵
          PID:1392

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Aquatic.exe.log
      Filesize

      1KB

      MD5

      8094b248fe3231e48995c2be32aeb08c

      SHA1

      2fe06e000ebec919bf982d033c5d1219c1f916b6

      SHA256

      136c30d964f4abbb5279bdc86d0e00578333782f15f05f0d2d050730dcb7a9bc

      SHA512

      bf27a3822008796370e2c506c910a40992b9240606ea1bc19f683b2fee86b81897660ac0cf8e746ca093dae9e408949e2e9002ded75678a69f020d3b0452801f

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\loader.exe.log
      Filesize

      654B

      MD5

      2ff39f6c7249774be85fd60a8f9a245e

      SHA1

      684ff36b31aedc1e587c8496c02722c6698c1c4e

      SHA256

      e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

      SHA512

      1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      77d622bb1a5b250869a3238b9bc1402b

      SHA1

      d47f4003c2554b9dfc4c16f22460b331886b191b

      SHA256

      f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

      SHA512

      d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Aquatic.exe
      Filesize

      229KB

      MD5

      56c788116da32ec8e9ac3b1b0e66b520

      SHA1

      545f203f2bdf6fac2f131a76a5f36e21637b27ca

      SHA256

      f67268d2659ceb1e8cf8a7560784372294bcd8f249f7c0efdf33216722a5f0bb

      SHA512

      7da85b8e5f92f4a448a10f5c60c21f46b3eb511fda461b15956339ca7130c901e05ad58856a3a3903cdb52b81c4051d3bb0222e87aefab87136351d1ff01734f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      Filesize

      71KB

      MD5

      f9b08bd21b40a938122b479095b7c70c

      SHA1

      eb925e3927b83c20d8d24bdab2e587c10d6ac8cd

      SHA256

      c96cde2e96021c266a202286d644ceb28543d6347e21006d72b29b8a72c505e8

      SHA512

      fcc5784936b7f85a550883c472b99b5edfa7e5c6fd3872fd806b81c2ce1f195ca34342b230a89456066885579fe55aea46d91074ac08af192fbd04ea158473ee

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3hrefxid.b3s.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Server.exe
      Filesize

      23KB

      MD5

      32fe01ccb93b0233503d0aaaa451f7b2

      SHA1

      58e5a63142150e8fb175dbb4dedea2ce405d7db0

      SHA256

      6988ee719a54c93a89303dcff277c62ae4890274cc45f074bc7effde315fbf43

      SHA512

      76945f23a49d594e325d80ffc0570341044ac0b97bd889c92f90bc56d3cdff5c1b29178be4f157c8c1bb9ce7cc311765309f2e6f7b08b24e7acf983ea67635a6

      Download Submit

    • C:\Users\Admin\AppData\Roaming\conhost.exe
      Filesize

      37KB

      MD5

      b37dd1a1f0507baf993471ae1b7a314c

      SHA1

      9aff9d71492ffff8d51f8e8d67f5770755899882

      SHA256

      e58e8918a443c0061add029f8f211f6551a130202195cc2b9b529ea72553e0bc

      SHA512

      ac76d5b10540eb292341f30c7abfd81f03be65f6655c814aba6ac6a0ecf4f0f2c34c3b8e63ceef8c4579f98b7459e51b9fdd30d601c6d1930860ab7c154da460

      Download Submit

    • memory/312-55-0x00007FF81A2E0000-0x00007FF81ADA1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/312-22-0x000002159AA30000-0x000002159AA70000-memory.dmp

      Filesize

      256KB

      Download

    • memory/312-26-0x00007FF81A2E0000-0x00007FF81ADA1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/464-52-0x0000000000B00000-0x0000000000B10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1524-53-0x00007FF81A2E0000-0x00007FF81ADA1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1524-28-0x00007FF81A2E0000-0x00007FF81ADA1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1524-30-0x0000000000300000-0x0000000000318000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2312-32-0x00007FF81A2E0000-0x00007FF81ADA1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2312-0-0x00007FF81A2E3000-0x00007FF81A2E5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2312-10-0x00007FF81A2E0000-0x00007FF81ADA1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2312-1-0x0000000000B40000-0x000000000107E000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/2372-107-0x000001F859900000-0x000001F859A6A000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4624-87-0x000001DC1C670000-0x000001DC1C692000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4624-94-0x000001DC1CA90000-0x000001DC1CBFA000-memory.dmp

      Filesize

      1.4MB

      Download