Analysis

  • max time kernel
    99s
  • max time network
    137s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags
    arch:x64
    arch:x86
    image:win10ltsc2021-20241023-en
    locale:en-us
    os:windows10-ltsc 2021-x64
    system
  • submitted
    17-11-2024 02:29

General

  • Target

    Api-AutoUpdater.exe

  • Size

    79KB

  • MD5

    2daa43c9c565faf24f1734caf5153215

  • SHA1

    946272bab59c119caabce1bb33ca6ac4b286ccf9

  • SHA256

    49f513bcc1641f438b6a4e41323db9243988c684bb2cc9690d6d6918787ead76

  • SHA512

    7e713e59367f5a23402d89d78139d20b9989c6a17774a0e0b52e75bee0713de853e8b5773d7b16db1e0315504064edf2c8c118af7e38cea2834181b078f397be

  • SSDEEP

    1536:hOaaiw5/XPr2SsofFni8Mjv1bMFXeOAP6h6a11TyO/6Yd3H:qvPuo1u1bMFAP631VyOSyH

Malware Config

Extracted

Family

xworm

C2

job-moore.gl.at.ply.gg:49404

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Helper.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Api-AutoUpdater.exe
    "C:\Users\Admin\AppData\Local\Temp\Api-AutoUpdater.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1028
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Api-AutoUpdater.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:944
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Api-AutoUpdater.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2128
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsDefender'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:756
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsDefender'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:2068
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsDefender" /tr "C:\ProgramData\WindowsDefender"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2904
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "WindowsDefender"
      2⤵
      PID:3504
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp22E5.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:924
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:5112
  • C:\ProgramData\WindowsDefender
    "C:\ProgramData\WindowsDefender"
    1⤵
    • Executes dropped EXE
    PID:444
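The process tree above shows the whole chain in order: four PowerShell calls that add Defender exclusions for the dropper and for its copy, a schtasks job named "WindowsDefender" that runs the copy every minute at the highest run level, and the copy itself (C:\ProgramData\WindowsDefender, an extensionless file whose hashes in the Downloads section are identical to the submitted sample, i.e. a self-copy) executing as a top-level process. The following Python triage script is an added example, not part of the sandbox report or of the Xworm sample: it replays those command lines as constructed process-creation records, implements the three detections a detection engineer would derive from the Signatures section (Add-MpPreference exclusions, a high-frequency schtasks persistence task, execution of an extensionless binary from C:\ProgramData), correlates the exclusions with the task target, and compares the observed drop path with the extracted config (install_file Helper.exe). The field names, rule names and the %ProgramData% expansion are my assumptions.

```python
import ntpath
import re
from typing import Dict, List

# Process-creation records constructed from the process tree in this report
# (field names loosely follow Sysmon Event ID 1; not the sandbox's own format).
PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference'
PROCESS_EVENTS: List[Dict] = [
    {"pid": 1028, "ppid": None, "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Api-AutoUpdater.exe"'},
    {"pid": 944,  "ppid": 1028, "cmdline": PS + r" -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Api-AutoUpdater.exe'"},
    {"pid": 2128, "ppid": 1028, "cmdline": PS + r" -ExclusionProcess 'Api-AutoUpdater.exe'"},
    {"pid": 756,  "ppid": 1028, "cmdline": PS + r" -ExclusionPath 'C:\ProgramData\WindowsDefender'"},
    {"pid": 2068, "ppid": 1028, "cmdline": PS + r" -ExclusionProcess 'WindowsDefender'"},
    {"pid": 2904, "ppid": 1028, "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsDefender" /tr "C:\ProgramData\WindowsDefender"'},
    {"pid": 3504, "ppid": 1028, "cmdline": r'"C:\Windows\System32\schtasks.exe" /delete /f /tn "WindowsDefender"'},
    {"pid": 924,  "ppid": 1028, "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp22E5.tmp.bat""'},
    {"pid": 5112, "ppid": 924,  "cmdline": r"timeout 3"},
    {"pid": 444,  "ppid": None, "cmdline": r'"C:\ProgramData\WindowsDefender"'},  # parent not shown in the report
]

# The Malware Config block of this report, as extracted by the sandbox.
EXTRACTED_CONFIG = {"family": "xworm", "c2": "job-moore.gl.at.ply.gg:49404",
                    "install_directory": "%ProgramData%", "install_file": "Helper.exe"}
# Assumed expansion of the environment variable on the analysis VM.
ENV = {"%ProgramData%": r"C:\ProgramData"}

PS_EXCLUSION = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+['\"]?([^'\"]+)", re.I)
SCHTASKS_OPT = re.compile(r'/(tn|tr|sc|mo|rl)\s+(?:"([^"]*)"|(\S+))', re.I)


def image_of(cmdline: str) -> str:
    """Executable path from a Windows command line: quoted first token or bare first word."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def expected_drop_path(cfg: Dict[str, str], env: Dict[str, str]) -> str:
    """Where the extracted config says the implant will install itself."""
    base = env.get(cfg["install_directory"], cfg["install_directory"])
    return ntpath.join(base, cfg["install_file"])


def analyze(events: List[Dict], cfg: Dict[str, str] = EXTRACTED_CONFIG, env: Dict[str, str] = ENV) -> List[Dict]:
    """Run the per-event rules, then the cross-event correlations, and return all findings."""
    findings: List[Dict] = []
    exclusions: List[Dict] = []
    tasks: List[Dict] = []
    for ev in events:
        cmd, pid = ev["cmdline"], ev["pid"]
        image = image_of(cmd)
        base = ntpath.basename(image).lower()
        if base == "powershell.exe" and (m := PS_EXCLUSION.search(cmd)):
            f = {"rule": "defender_exclusion_added", "pid": pid,
                 "kind": m.group(1).lower(), "value": m.group(2).strip()}
            findings.append(f); exclusions.append(f)
        elif base == "schtasks.exe" and re.search(r"\s/create\b", cmd, re.I):
            opts = {k.lower(): (q or bare) for k, q, bare in SCHTASKS_OPT.findall(cmd)}
            minutes = int(opts["mo"]) if opts.get("sc", "").lower() == "minute" and opts.get("mo", "").isdigit() else None
            f = {"rule": "scheduled_task_persistence", "pid": pid, "task": opts.get("tn"),
                 "target": opts.get("tr"), "interval_min": minutes, "runlevel": opts.get("rl", "").upper()}
            findings.append(f); tasks.append(f)
        elif image.lower().startswith("c:\\programdata\\") and not ntpath.splitext(base)[1]:
            findings.append({"rule": "extensionless_programdata_exec", "pid": pid, "image": image})
    # Chain: an exclusion that covers the persistence target means the implant
    # is relaunched every minute by a path or process name Defender will not scan.
    for t in tasks:
        target = (t["target"] or "").lower()
        for x in exclusions:
            covers = (x["kind"] == "path" and x["value"].lower() == target) or \
                     (x["kind"] == "process" and x["value"].lower() == ntpath.basename(target))
            if covers:
                findings.append({"rule": "exclusion_covers_persistence_target", "task": t["task"],
                                 "target": t["target"], "exclusion_pid": x["pid"]})
    # Config vs. observed: when they disagree, hunt for both paths, not just the config one.
    expected = expected_drop_path(cfg, env)
    observed = {t["target"] for t in tasks if t["target"]} | \
               {f["image"] for f in findings if f["rule"] == "extensionless_programdata_exec"}
    for path in sorted(observed):
        if path.lower() != expected.lower():
            findings.append({"rule": "drop_path_differs_from_config", "expected": expected, "observed": path})
    return findings


if __name__ == "__main__":
    for finding in analyze(PROCESS_EVENTS):
        print(finding)
```

Whether the Add-MpPreference calls actually succeeded is not recorded in the report (the cmdlet needs an elevated context); on a live host, confirm the state with Get-MpPreference and Get-ScheduledTask rather than trusting the command lines alone.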

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\ProgramData\WindowsDefender

      Filesize

      79KB

      MD5

      2daa43c9c565faf24f1734caf5153215

      SHA1

      946272bab59c119caabce1bb33ca6ac4b286ccf9

      SHA256

      49f513bcc1641f438b6a4e41323db9243988c684bb2cc9690d6d6918787ead76

      SHA512

      7e713e59367f5a23402d89d78139d20b9989c6a17774a0e0b52e75bee0713de853e8b5773d7b16db1e0315504064edf2c8c118af7e38cea2834181b078f397be

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      3KB

      MD5

      3eb3833f769dd890afc295b977eab4b4

      SHA1

      e857649b037939602c72ad003e5d3698695f436f

      SHA256

      c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

      SHA512

      c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      6a807b1c91ac66f33f88a787d64904c1

      SHA1

      83c554c7de04a8115c9005709e5cd01fca82c5d3

      SHA256

      155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

      SHA512

      29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      87dd97d7abb42176d0a89f6790b3b2dc

      SHA1

      163e34d8133cfa9ac1721136b076da344ed9c320

      SHA256

      3a9332adca3d0bef2c0b847ab877a504d6c5df0680928773c43d766a79deff83

      SHA512

      e2581f478ca408fb6f6b15b260f6314179ac0e306eceac3c63f3f3119d0b2b5af2b0ec3091dbe744ed6c0c2f10d194f1c3860a1b08a9fdacea5f7917769e14c6

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      6334ddfd553d22cd6487d387ebfd384f

      SHA1

      3ec3a3e79121e3d1da8aea3f46e4ae4e2bad9f29

      SHA256

      0f9529f814bbea2eeb06a82a4f523c5c009d3eec60b7370a576d253e3c5a03bf

      SHA512

      75e649bfda6d649cc9e3cefd528cc210d2d7fe1eb7c50464a8239fd09af15e99884d41450103d3af980d98e6a77402401f0b5b30311291e8522090329fab6ccb

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_acnilwnc.vgr.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\tmp22E5.tmp.bat

      Filesize

      167B

      MD5

      ba8621ac5182abc34e35a8e3592d9db6

      SHA1

      a65e8ff8e9c641b37a3b3b4c049ebc224fb07725

      SHA256

      c9a39bae4a5e0dd1ed6efec5294bb262cbec364995d0e5a8f2ed97ac959e3663

      SHA512

      767301490d278752cfd7a709dbd508f3b5520e6e01e4c4b51ae7ce32996ea34cf44bb8aa2083c66a520fab61b2d884edde0c4d5c68b100f93d4a4aa7943f6291

    • memory/944-14-0x000001F3B8CF0000-0x000001F3B8D12000-memory.dmp

      Filesize

      136KB

    • memory/944-4-0x00007FFC99170000-0x00007FFC99C32000-memory.dmp

      Filesize

      10.8MB

    • memory/944-17-0x00007FFC99170000-0x00007FFC99C32000-memory.dmp

      Filesize

      10.8MB

    • memory/944-20-0x00007FFC99170000-0x00007FFC99C32000-memory.dmp

      Filesize

      10.8MB

    • memory/944-15-0x00007FFC99170000-0x00007FFC99C32000-memory.dmp

      Filesize

      10.8MB

    • memory/944-3-0x00007FFC99170000-0x00007FFC99C32000-memory.dmp

      Filesize

      10.8MB

    • memory/944-16-0x00007FFC99170000-0x00007FFC99C32000-memory.dmp

      Filesize

      10.8MB

    • memory/1028-32-0x00007FFC99173000-0x00007FFC99175000-memory.dmp

      Filesize

      8KB

    • memory/1028-0-0x00007FFC99173000-0x00007FFC99175000-memory.dmp

      Filesize

      8KB

    • memory/1028-59-0x00007FFC99170000-0x00007FFC99C32000-memory.dmp

      Filesize

      10.8MB

    • memory/1028-60-0x000000001B640000-0x000000001B64C000-memory.dmp

      Filesize

      48KB

    • memory/1028-2-0x00007FFC99170000-0x00007FFC99C32000-memory.dmp

      Filesize

      10.8MB

    • memory/1028-1-0x0000000000890000-0x00000000008AA000-memory.dmp

      Filesize

      104KB

    • memory/1028-70-0x00007FFC99170000-0x00007FFC99C32000-memory.dmp

      Filesize

      10.8MB