Analysis Overview
SHA256
14430e71914c83f8d1de8e66caa39d07ab782efb662245fb9eff6aa9fca7ce87
Threat Level: Known bad
The file Loader V2.exe was found to be: Known bad.
Malicious Activity Summary
44Caliber family
Detect Xworm Payload
Xworm
44Caliber
Xworm family
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Checks processor information in registry
Scheduled Task/Job: Scheduled Task
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-16 17:13
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-16 17:13
Reported
2024-11-16 17:14
Platform
win10ltsc2021-20241023-en
Max time kernel
48s
Max time network
50s
Command Line
Signatures
44Caliber
44Caliber family
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Xworm family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\loaderr.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\injectdll.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Loader V2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk | C:\Users\Admin\AppData\Roaming\injectdll.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\loaderr.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\loaderr.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk | C:\Users\Admin\AppData\Roaming\injectdll.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\injectdll.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\loaderr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fixer.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe" | C:\Users\Admin\AppData\Roaming\injectdll.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\loaderr.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\fixer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\fixer.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "18" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fixer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fixer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fixer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fixer.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\injectdll.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\loaderr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\injectdll.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\loaderr.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Loader V2.exe
"C:\Users\Admin\AppData\Local\Temp\Loader V2.exe"
C:\Users\Admin\AppData\Roaming\Loader.exe
"C:\Users\Admin\AppData\Roaming\Loader.exe"
C:\Users\Admin\AppData\Roaming\injectdll.exe
"C:\Users\Admin\AppData\Roaming\injectdll.exe"
C:\Users\Admin\AppData\Local\Temp\loaderr.exe
"C:\Users\Admin\AppData\Local\Temp\loaderr.exe"
C:\Users\Admin\AppData\Local\Temp\fixer.exe
"C:\Users\Admin\AppData\Local\Temp\fixer.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\loaderr.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'loaderr.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\svchost.exe"
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a24855 /state1:0x41c64e6d
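The command lines above are the actionable part of this run: two PowerShell invocations add Defender exclusions for the dropped loader and for the path it will persist to, and two schtasks invocations register a task with /RL HIGHEST that fires every minute and points at svhost.exe / svchost.exe under AppData, the same paths written to the Run key in the "Adds Run key" signature. Neither persisted executable appears in the Files list, so a hunt should match on the shape of these command lines and on the target paths rather than on hashes. The detection logic below is an added example, not part of the sandbox report; it runs over constructed process-creation events whose command lines are copied from the Processes section (plus two benign controls), and the event field names (image, command_line) are an assumption loosely modelled on Sysmon Event ID 1, not a real log export.

```python
"""Detection logic for the defense-evasion and persistence command lines in
this report, run over constructed sample process-creation events.

Added example, not part of the sandbox report.  Four events copy command lines
from the report's Processes section; two are benign controls.  The field
names (image, command_line) are an assumption loosely modelled on Sysmon
Event ID 1, not a real log export.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str         # full path of the created process
    command_line: str  # raw command line as logged


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ST = r"C:\Windows\System32\schtasks.exe"

SAMPLE_EVENTS = [
    ProcEvent(PS, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '
                  + r"'C:\Users\Admin\AppData\Local\Temp\loaderr.exe'"),
    ProcEvent(PS, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '
                  + "'svchost.exe'"),
    ProcEvent(ST, f'"{ST}" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr '
                  + r'"C:\Users\Admin\AppData\Roaming\svhost.exe"'),
    ProcEvent(ST, f'"{ST}" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr '
                  + r'"C:\Users\Admin\AppData\Local\svchost.exe"'),
    # Benign controls (constructed): a daily task in Program Files, a read-only query.
    ProcEvent(ST, f'"{ST}" /create /tn "Backup" /sc daily /st 02:00 /tr '
                  + r'"C:\Program Files\Backup\backup.exe"'),
    ProcEvent(PS, f'"{PS}" -NoProfile -Command Get-MpPreference'),
]

# Add-MpPreference -Exclusion<Kind> <value>, value quoted with ' or " or bare.
EXCLUSION_RE = re.compile(
    r"(?i)Add-MpPreference\b.*?-Exclusion(Path|Process|Extension|IpAddress)\s+"
    r"(?:'([^']*)'|\"([^\"]*)\"|(\S+))")
BYPASS_RE = re.compile(r"(?i)-ExecutionPolicy\s+Bypass")
USER_WRITABLE_RE = re.compile(r"(?i)\\(Users\\[^\\]+\\AppData|ProgramData|Temp|Users\\Public)\\")
# Names that should only run from \Windows\; svhost.exe is the misspelling used here.
LOOKALIKE_NAMES = {"svchost.exe", "svhost.exe", "csrss.exe", "lsass.exe",
                   "winlogon.exe", "services.exe", "explorer.exe"}
SCHTASKS_VALUE_FLAGS = {"/sc", "/mo", "/tn", "/tr", "/rl", "/ru", "/rp", "/st",
                        "/sd", "/ed", "/et", "/du", "/ri", "/s", "/u", "/p", "/xml"}


def tokenize(cmdline):
    """Windows-style split: a double-quoted run is one token, quotes removed."""
    return [q if q else bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(cmdline):
    """Map /flag -> value (empty string for flags that take no value)."""
    tokens = tokenize(cmdline)
    opts, i = {}, 1  # token 0 is the image
    while i < len(tokens):
        flag = tokens[i].lower()
        if flag.startswith("/"):
            if flag in SCHTASKS_VALUE_FLAGS and i + 1 < len(tokens):
                opts[flag] = tokens[i + 1]
                i += 1
            else:
                opts[flag] = ""
        i += 1
    return opts


def mimics_system_binary(path):
    name = path.rsplit("\\", 1)[-1].lower()
    return name in LOOKALIKE_NAMES and "\\windows\\" not in path.lower()


def detect(event):
    """Return a list of alert dicts for one process-creation event."""
    alerts, img, cmd = [], event.image.lower(), event.command_line
    if img.endswith(("powershell.exe", "pwsh.exe")):
        m = EXCLUSION_RE.search(cmd)
        if m:
            alerts.append({"rule": "defender_exclusion_added",
                           "kind": m.group(1),
                           "value": m.group(2) or m.group(3) or m.group(4),
                           "policy_bypass": bool(BYPASS_RE.search(cmd))})
    if img.endswith("schtasks.exe"):
        opts = parse_schtasks(cmd)
        if "/create" in opts:
            target, reasons = opts.get("/tr", ""), []
            mo = opts.get("/mo", "1")  # schtasks defaults the modifier to 1
            if opts.get("/sc", "").lower() == "minute" and mo.isdigit() and int(mo) <= 5:
                reasons.append("minute-level trigger")
            if opts.get("/rl", "").lower() == "highest":
                reasons.append("highest run level")
            if USER_WRITABLE_RE.search(target):
                reasons.append("target in user-writable path")
            if mimics_system_binary(target):
                reasons.append("target name mimics a Windows system binary")
            if len(reasons) >= 2:  # any single trait is too noisy on its own
                alerts.append({"rule": "schtasks_persistence", "task": opts.get("/tn"),
                               "target": target, "reasons": reasons})
    return alerts


def scan(events=SAMPLE_EVENTS):
    """Run detect() over every event; result[i] holds the alerts for events[i]."""
    return [detect(e) for e in events]


if __name__ == "__main__":
    for ev, found in zip(SAMPLE_EVENTS, scan()):
        print(ev.image.rsplit("\\", 1)[-1], "->", found or "clean")
```

The schtasks rule requires two of its four traits before alerting, because a minute-level trigger or a task in AppData each occur in legitimate software on their own; the two report command lines satisfy all four, while the constructed daily backup task satisfies none. The Defender rule fires on any Add-MpPreference exclusion and records whether -ExecutionPolicy Bypass was also present, so an analyst can rank the hit.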
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 104.21.73.97:443 | freegeoip.app | tcp |
| US | 8.8.8.8:53 | ipbase.com | udp |
| US | 172.67.209.71:443 | ipbase.com | tcp |
| US | 8.8.8.8:53 | 97.73.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 147.185.221.20:13908 | | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 147.185.221.16:60401 | | tcp |
| US | 8.8.8.8:53 | 16.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 147.185.221.16:60401 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 147.185.221.20:13908 | | tcp |
| US | 8.8.8.8:53 | | udp |
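Most rows in the Network table are sandbox noise: reverse (in-addr.arpa) lookups of every address the sample touched, sent to the 8.8.8.8 resolver. What matters for blocking and hunting is the remainder: the three public IP-lookup services (freegeoip.app, ipbase.com, ip-api.com), the api.telegram.org connection, and the two flows to 147.185.221.20:13908 and 147.185.221.16:60401 that have no resolved name and use non-standard ports. The triage script below is an added example, not part of the sandbox report: it parses a hand-copied subset of the table and buckets each flow; the category names and the set of IP-lookup services are this example's own assumptions, and two sample rows are deliberately written with the protocol shifted into the Domain column, the kind of extraction damage such tables often carry, to show the parser tolerates it.

```python
"""Triage of the report's Network table: separate probable C2 endpoints from
sandbox noise and from public IP-lookup services.

Added example, not part of the sandbox report.  SAMPLE_ROWS is a hand-copied
subset of the table; the category names and the set of IP-lookup services are
this example's own assumptions.
"""
import re
from collections import defaultdict

# Constructed subset of the Network table, pipe-delimited as on the page.  Two
# direct-IP rows are written with the protocol shifted into the Domain column
# and one DNS row lacks a cell, to exercise the parser's tolerance.
SAMPLE_ROWS = """
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 104.21.73.97:443 | freegeoip.app | tcp |
| US | 172.67.209.71:443 | ipbase.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 147.185.221.20:13908 | tcp | |
| US | 147.185.221.16:60401 | | tcp |
| US | 147.185.221.16:60401 | tcp | |
| US | 8.8.8.8:53 | udp |
"""

IP_LOOKUP_SERVICES = {"freegeoip.app", "ip-api.com", "ipbase.com"}  # assumption
PROTOS = {"tcp", "udp"}
DEST_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def parse_row(line):
    """Return (host, port, domain, proto) for one table row, else None.

    Tolerates rows where the Domain cell is missing and the protocol has
    shifted one column to the left, as well as a dropped trailing cell.
    """
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 3 or not DEST_RE.fullmatch(cells[1]):
        return None
    host, port = DEST_RE.fullmatch(cells[1]).groups()
    rest = [c for c in cells[2:] if c]
    proto = next((c.lower() for c in rest if c.lower() in PROTOS), "")
    domain = next((c for c in rest if c.lower() not in PROTOS), "")
    return host, int(port), domain, proto


def classify(host, port, domain, proto):
    """Bucket one flow; order matters (DNS rows are checked before services)."""
    if domain.endswith(".in-addr.arpa"):
        return "ptr_lookup_noise"          # sandbox reverse lookups, not malware traffic
    if port == 53 and proto == "udp":
        return "dns_query"
    if domain in IP_LOOKUP_SERVICES:
        return "external_ip_lookup"        # victim geolocation / public IP discovery
    if domain == "api.telegram.org":
        return "telegram_bot_api"          # Bot API; stealers commonly exfiltrate this way
    if not domain:
        return "direct_ip_c2_candidate"    # no name resolved, non-standard port
    return "other"


def triage(rows=SAMPLE_ROWS):
    """Return {category: sorted unique endpoint labels}."""
    buckets = defaultdict(set)
    for line in rows.splitlines():
        parsed = parse_row(line)
        if parsed is None:
            continue
        host, port, domain, proto = parsed
        cat = classify(host, port, domain, proto)
        if cat == "dns_query":
            buckets[cat].add(domain or "(name not recorded)")
        else:
            buckets[cat].add(f"{host}:{port}/{proto}" + (f" ({domain})" if domain else ""))
    return {cat: sorted(v) for cat, v in buckets.items()}


if __name__ == "__main__":
    for cat, endpoints in triage().items():
        print(f"{cat}:")
        for ep in endpoints:
            print("   ", ep)
```

The direct_ip_c2_candidate bucket is the one to feed into egress blocking and retrospective NetFlow searches; the external_ip_lookup services are shared with plenty of legitimate software and are better used as a correlation signal (a process that hits one of them and then opens a non-standard port to a bare IP) than as block-list entries on their own.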
Files
memory/2584-0-0x00007FF933B23000-0x00007FF933B25000-memory.dmp
memory/2584-1-0x0000000000D00000-0x0000000001518000-memory.dmp
C:\Users\Admin\AppData\Roaming\Loader.exe
| MD5 | aa16f3774491b600121545a5f194cefc |
| SHA1 | c872fe765ecff1dada8378ad8a12cd5cf0425219 |
| SHA256 | c0a2b824a0fd05854818bfb81b02bc6178db3f8519807b15d844580099428e1d |
| SHA512 | 8b50e7c6eca25ecc2196fbfaf42079873e3c532a90e8d8b691fb594da3e067593f86f0d6488d0c314a27d78519f33fcbfb4532f811997891d55a47d582e1b3a8 |
C:\Users\Admin\AppData\Roaming\injectdll.exe
| MD5 | 74ffb0d60d647dd6ad8d00c1bee48011 |
| SHA1 | 4c8a707a33b35b78f374c66d59f9c2314c20b25f |
| SHA256 | b481f1e0cfe25e5f19da0a0333c78661bf5c75c0b1c616ff4aaaa07aed31efd1 |
| SHA512 | fc667f4560d6b19a9a4f37eb0e66c751eb348ffc0db69c7d0bd733dfd2df2dfdadc7b780cd93686350444cc14a54283bafe3afec611bcac3ad0239eda659f46c |
memory/4152-31-0x0000000000C00000-0x0000000000C42000-memory.dmp
memory/2692-33-0x00007FF933B20000-0x00007FF9345E2000-memory.dmp
memory/2692-32-0x00000000003B0000-0x0000000000B44000-memory.dmp
memory/4152-35-0x00007FF933B20000-0x00007FF9345E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\loaderr.exe
| MD5 | 95f8f28f5a8503461db6804cda9c4934 |
| SHA1 | 81c0a30e498093d41948777135bbd407c7611cda |
| SHA256 | aa40b9b929868482be1daae474d7c93426cd049f844c956865709ff8b7f240c2 |
| SHA512 | 5c3460372a6640a98dd1b1d34a03b951ec4a8942e9065475e982a207881f290aedc3b51fe73c0da4c527e222addd1de2be7ba541e82287e43e16fc544ab34461 |
C:\Users\Admin\AppData\Local\Temp\fixer.exe
| MD5 | 88505913c2c75f796c9a021aab2d356d |
| SHA1 | 5b5c06998d3e200c21c77ea4efaeaecdc7344e78 |
| SHA256 | 62e414e990e80c8203955b0e32948ddc64903b80a462c339f1babfb03e641204 |
| SHA512 | 6fa46be04c2693ea164fe52ddf3cca0bdafd1ab34d8c0f1c2bf3d361c6042f45375343f59e9474ded6718f8177a4f7eb19fddccd95f7fbb87aad12358b2d6905 |
memory/3708-70-0x00000290F9640000-0x00000290F968A000-memory.dmp
memory/3156-71-0x0000000000680000-0x0000000000696000-memory.dmp
memory/2692-80-0x00007FF933B20000-0x00007FF9345E2000-memory.dmp
C:\ProgramData\44\Process.txt
| MD5 | d784fa52946fa88f504a98f7e1f6f042 |
| SHA1 | c58d1f5e08128e4feb38a72d273dadcd98de1237 |
| SHA256 | 53a36d0e37c8eea82911d140a7ec89d7b6c7387846f6b20e92d37a312fa86f7e |
| SHA512 | 1e406c88c8931a7d1ed8ace91c61a6345103573d753218b085712f468e40e537c4cdc214788398a2a0767ca91d197eda3547cf4555cd47002f8cce44f5aad201 |
memory/4152-165-0x00007FF933B20000-0x00007FF9345E2000-memory.dmp
memory/1888-168-0x000002C3792C0000-0x000002C3792E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qslkf4zz.g40.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 3eb3833f769dd890afc295b977eab4b4 |
| SHA1 | e857649b037939602c72ad003e5d3698695f436f |
| SHA256 | c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485 |
| SHA512 | c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c67441dfa09f61bca500bb43407c56b8 |
| SHA1 | 5a56cf7cbeb48c109e2128c31b681fac3959157b |
| SHA256 | 63082da456c124d0bc516d2161d1613db5f3008d903e4066d2c7b4e90b435f33 |
| SHA512 | 325de8b718b3a01df05e20e028c5882240e5fd2e96c771361b776312923ff178f27494a1f5249bf6d7365a99155eb8735a51366e85597008e6a10462e63ee0e8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | dd898d1b5765d2c6af25566dac42d5e3 |
| SHA1 | 6bc216917284103ef14d7335b60e5c481732c381 |
| SHA256 | 67ef10f50dc2bb3bb0cb1e655275e97ab3c25aeed9a0860923a1965b2caf7a75 |
| SHA512 | 467b3900a18fd494aa64167960614e8b324f11d7d1702e7751c8d8a190538b80ca30f602f92a813e8e3aa18f643055416492ef58886c9e30e274a12d1134428e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 17778af19fc59e0d1837565339d38967 |
| SHA1 | 86e7dc5ef03b9e0fc8de825bca0c813e1d0c51ea |
| SHA256 | 79afb5effdf990463f18b7a137a537b9dc38f44af7e7f6f25127659021ef50c0 |
| SHA512 | 844084d3f9969c9d3031b2335d2f7622d83561f32b054a18bf5f74665ea2b41b89324b4123bc0c18afb1935267c372cdb1b40c168ad53d00f1f5264d10cafeea |
memory/4152-222-0x00007FF933B20000-0x00007FF9345E2000-memory.dmp
memory/3156-223-0x000000001C440000-0x000000001C44C000-memory.dmp
memory/4152-224-0x00007FF933B20000-0x00007FF9345E2000-memory.dmp