Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    17-11-2024 06:44

General

  • Target

    Api-AutoUpdaterV2.exe

  • Size

    87KB

  • MD5

    9f9e3e562c3ace91fd36c7d9b49c56a7

  • SHA1

    32317350629c0591b49726ad71ab49e12b208918

  • SHA256

    c2306587c0e582a16037717598479523ba07d1afb646ab4a4ab63173adaaa971

  • SHA512

    8a60f2a143475fed2837a670717c5e35bcb0c0602fd633cda4efdfdd95ae15c407077fca5b7e5ac1dd771acc994f7f3b3fdff589dc3f613bce6144cdc3c7df8d

  • SSDEEP

    1536:CLVnqRcrCwNlhr/CbCRSCpv1ZLFNxdlub5mUnaC9UWGIiEdrRFbw0I5oKV+Uq4Q3:CslcCbCRBnFNblub5mUavWGAfFbwVVTQ

Malware Config

Extracted

Family

xworm

C2

job-moore.gl.at.ply.gg:49404

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Helper.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Api-AutoUpdaterV2.exe
    "C:\Users\Admin\AppData\Local\Temp\Api-AutoUpdaterV2.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3692
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Api-AutoUpdaterV2.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3668
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Api-AutoUpdaterV2.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3444
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Api-AutoUpdaterV2.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4960
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "Api-AutoUpdaterV2" /tr "C:\ProgramData\Api-AutoUpdaterV2.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3060
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Api-AutoUpdaterV2.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:1652
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Api-AutoUpdaterV2.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:1088
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsDefender'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:2716
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsDefender'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:3508
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsDefender" /tr "C:\ProgramData\WindowsDefender"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2108
  • C:\ProgramData\WindowsDefender
    "C:\ProgramData\WindowsDefender"
    1⤵
    • Executes dropped EXE
    PID:3636
  • C:\ProgramData\Api-AutoUpdaterV2.exe
    "C:\ProgramData\Api-AutoUpdaterV2.exe"
    1⤵
    • Executes dropped EXE
    PID:2704
  • C:\ProgramData\WindowsDefender
    "C:\ProgramData\WindowsDefender"
    1⤵
    • Executes dropped EXE
    PID:3180
  • C:\ProgramData\Api-AutoUpdaterV2.exe
    "C:\ProgramData\Api-AutoUpdaterV2.exe"
    1⤵
    • Executes dropped EXE
    PID:5076
  • C:\ProgramData\WindowsDefender
    "C:\ProgramData\WindowsDefender"
    1⤵
    • Executes dropped EXE
    PID:3356
  • C:\ProgramData\Api-AutoUpdaterV2.exe
    "C:\ProgramData\Api-AutoUpdaterV2.exe"
    1⤵
    • Executes dropped EXE
    PID:3128

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\WindowsDefender

    Filesize

    87KB

    MD5

    9f9e3e562c3ace91fd36c7d9b49c56a7

    SHA1

    32317350629c0591b49726ad71ab49e12b208918

    SHA256

    c2306587c0e582a16037717598479523ba07d1afb646ab4a4ab63173adaaa971

    SHA512

    8a60f2a143475fed2837a670717c5e35bcb0c0602fd633cda4efdfdd95ae15c407077fca5b7e5ac1dd771acc994f7f3b3fdff589dc3f613bce6144cdc3c7df8d

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WindowsDefender.log

    Filesize

    1KB

    MD5

    2b4889ecb49120375fdf2bccb3c0966e

    SHA1

    fc1ee2f1161887e3f8b0cdd2453ae441739b993a

    SHA256

    7bf24ff0f6791ef902937b3caba0de16814a2c898dfb103d922c48582b602379

    SHA512

    8d737276620add4738d3cb484bca8e1efe23247955d37ebad199d2428f2f494e10dbee98721a77c7fa9d55f662c230acb206894538da9b8a9d0314166b5549a3

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    3eb3833f769dd890afc295b977eab4b4

    SHA1

    e857649b037939602c72ad003e5d3698695f436f

    SHA256

    c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

    SHA512

    c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    60ba7ac90c0e466144b48a90919960b6

    SHA1

    fe7f5d9e1d317f9409d8daa35d9c890f7e222d6a

    SHA256

    43d3c3113c66141b3a1f1f1bbf2d32a80128d029903ca58db09e9c6a9410ef9e

    SHA512

    92a1d912fd7be06820ec97b192b965d04ff44ff6a1c76b55405ecf20ca995762d823f52f174d8f48feb1d454716ab244adb4945febbf4fe4a6f91dd9791f87f2

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    6f69ecb3fbecc3999e0c21b487b98ead

    SHA1

    7a5c56452c15581fe215bb57283d0462c10affd6

    SHA256

    fc5d87bc2b74258f9c1db7a4a78df502371ef30b0ee8c5cbed8fc000d8f1041b

    SHA512

    022bbe3eea838d22a63d457c16d8f4e4a44205f9388550eae8c1edf0e11e5a5551e52965298d60dda1fdbad3503bb5bdf9bb7d877e03ab2d573adbd108307155

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    1b0c91fd0646bc16568e0af0a7b38ca4

    SHA1

    3bacea479bcc5d943e280f5e69348934b2e7bf3f

    SHA256

    b0adfca1b1dffe5d7cb9aebbab47b906ecd71c95ca25b9aa39f7347e6342aa68

    SHA512

    0828c4d2803c94919fd757c1a07ef624933616952b31b2064819160b803b3ca67e8ca6dcb95672251bc8662276f537389e5a12ced297169b18aa173fa572f5b2

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    da11e3c30d34359c6dfa77475e7775e5

    SHA1

    45b6d72b7279f4b277778d4cdeb3547ceaca2fe9

    SHA256

    ac206e32a8f7a7b1118f195dcb41e32f2a05b38292d9bcf1d6269113b5f9abd9

    SHA512

    82b4cf8a02f74bbd03a629cf6949fd7053900cb6b4d875cc26c102908d99a229ee56f2c9fec0b26768a0d29239a289301d212e174d4f4ecb17d9bbeb70fc21b5

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    0d7544011245912fa8118aabff9cf4a9

    SHA1

    b79ba1b96a45493fd3ecc262173474d010bb9094

    SHA256

    b62f7cff896354646fd63e67f61d6bdf504c35c901f05b48ca905535a603ae3b

    SHA512

    73a13b130d895abbe93032734bd7c02957c97a28b6a828c5f61fbbfcc1d4de2eea4d36d57a6e38016268ab550e2501343beb4a797315d9e1daca1142dea131f6

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    03aa6911fecf3f0923ee454c47b948f7

    SHA1

    99205d2a61521238892647bbc232e0da4a1473a3

    SHA256

    39e73c21e8ef39e35252a5dc1f8ec0a0d646653cd285a3a97a09c2b8d54c38a1

    SHA512

    84190cfda72e45a1cf612a27de19421301b8c1777f065b305dbcef7359254820ed634e941f4fb4c865cc2f32773a11ad80123d27ad59876a2c051889d06c5b26

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tozgxyth.wvj.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/3668-13-0x000001C14ABD0000-0x000001C14ABF2000-memory.dmp

    Filesize

    136KB

  • memory/3668-20-0x00007FF98ABA0000-0x00007FF98B662000-memory.dmp

    Filesize

    10.8MB

  • memory/3668-17-0x00007FF98ABA0000-0x00007FF98B662000-memory.dmp

    Filesize

    10.8MB

  • memory/3668-16-0x00007FF98ABA0000-0x00007FF98B662000-memory.dmp

    Filesize

    10.8MB

  • memory/3668-15-0x00007FF98ABA0000-0x00007FF98B662000-memory.dmp

    Filesize

    10.8MB

  • memory/3668-14-0x00007FF98ABA0000-0x00007FF98B662000-memory.dmp

    Filesize

    10.8MB

  • memory/3668-3-0x00007FF98ABA0000-0x00007FF98B662000-memory.dmp

    Filesize

    10.8MB

  • memory/3692-33-0x00007FF98ABA0000-0x00007FF98B662000-memory.dmp

    Filesize

    10.8MB

  • memory/3692-32-0x00007FF98ABA3000-0x00007FF98ABA5000-memory.dmp

    Filesize

    8KB

  • memory/3692-47-0x000000001C690000-0x000000001C6A6000-memory.dmp

    Filesize

    88KB

  • memory/3692-0-0x00007FF98ABA3000-0x00007FF98ABA5000-memory.dmp

    Filesize

    8KB

  • memory/3692-2-0x00007FF98ABA0000-0x00007FF98B662000-memory.dmp

    Filesize

    10.8MB

  • memory/3692-1-0x00000000001C0000-0x00000000001DC000-memory.dmp

    Filesize

    112KB