Overview

overview

10

Static

static

3

Api-AutoUpdaterV2.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    17-11-2024 06:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Api-AutoUpdaterV2.exe

  • Size

    87KB

  • MD5

    9f9e3e562c3ace91fd36c7d9b49c56a7

  • SHA1

    32317350629c0591b49726ad71ab49e12b208918

  • SHA256

    c2306587c0e582a16037717598479523ba07d1afb646ab4a4ab63173adaaa971

  • SHA512

    8a60f2a143475fed2837a670717c5e35bcb0c0602fd633cda4efdfdd95ae15c407077fca5b7e5ac1dd771acc994f7f3b3fdff589dc3f613bce6144cdc3c7df8d

  • SSDEEP

    1536:CLVnqRcrCwNlhr/CbCRSCpv1ZLFNxdlub5mUnaC9UWGIiEdrRFbw0I5oKV+Uq4Q3:CslcCbCRBnFNblub5mUavWGAfFbwVVTQ

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

job-moore.gl.at.ply.gg:49404

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Helper.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Api-AutoUpdaterV2.exe
    "C:\Users\Admin\AppData\Local\Temp\Api-AutoUpdaterV2.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1252
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Api-AutoUpdaterV2.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3492
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Api-AutoUpdaterV2.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1352
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Api-AutoUpdaterV2.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1452
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "Api-AutoUpdaterV2" /tr "C:\ProgramData\Api-AutoUpdaterV2.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1500
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Api-AutoUpdaterV2.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3144
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Api-AutoUpdaterV2.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3572
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsDefender'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3836
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsDefender'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1248
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsDefender" /tr "C:\ProgramData\WindowsDefender"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4308
  • C:\ProgramData\Api-AutoUpdaterV2.exe
    C:\ProgramData\Api-AutoUpdaterV2.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2936
  • C:\ProgramData\WindowsDefender
    C:\ProgramData\WindowsDefender
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3868
  • C:\ProgramData\Api-AutoUpdaterV2.exe
    C:\ProgramData\Api-AutoUpdaterV2.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4400
  • C:\ProgramData\WindowsDefender
    C:\ProgramData\WindowsDefender
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2828

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Api-AutoUpdaterV2.exe
    Filesize

    87KB

    MD5

    9f9e3e562c3ace91fd36c7d9b49c56a7

    SHA1

    32317350629c0591b49726ad71ab49e12b208918

    SHA256

    c2306587c0e582a16037717598479523ba07d1afb646ab4a4ab63173adaaa971

    SHA512

    8a60f2a143475fed2837a670717c5e35bcb0c0602fd633cda4efdfdd95ae15c407077fca5b7e5ac1dd771acc994f7f3b3fdff589dc3f613bce6144cdc3c7df8d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Api-AutoUpdaterV2.exe.log
    Filesize

    1KB

    MD5

    94aaadf8fa4c31d238b961fcb2a519d5

    SHA1

    608175ecf723861c59796d3989fee3dfdf3bb6d2

    SHA256

    744cf26c0641b62c0daa1d5508613d6f1417778c242d3d79220121f70f9515b5

    SHA512

    574d80ffabd249da41a8c4618123aa2e88595cf3ac55b9e3e4c2dd2a3c2cee52c954119f5ed54d36941da78a4bc1963cdaa7dfdd4f19d3c1e954ced86deafecf

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    627073ee3ca9676911bee35548eff2b8

    SHA1

    4c4b68c65e2cab9864b51167d710aa29ebdcff2e

    SHA256

    85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

    SHA512

    3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    aa4f31835d07347297d35862c9045f4a

    SHA1

    83e728008935d30f98e5480fba4fbccf10cefb05

    SHA256

    99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0

    SHA512

    ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    df808b11175970c23f00e611a7b6d2cc

    SHA1

    0243f099e483fcafb6838c0055982e65634b6db6

    SHA256

    2d5eec6aeee0c568d08cc1777a67b529dce3133efc761ef4b4643d4b2003d43d

    SHA512

    c7c4e39be7cb6bfda48055cd2b0b05a6b6a71131a124730f62928600a5870303e06e3db54634c45f86310413126d2524f51002d5f36f7012e41b641992b5ac89

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    c8e142ee24a77ad7f21f6a741d48c8da

    SHA1

    2f174ae49dd03c3b2acd2f9cb2f4e1913908e749

    SHA256

    e81cbecfdbc457b5d8aad1fbd1dc29ab05e6425e9921bff30089f074ddfc6961

    SHA512

    ea1c13f3c559afbdfd63a6ecd2ca354612c3c29c2716156d5afcafe6d3fbd0e7eca7b1f03e68f3a28c78cbea5ec430285fa699facad72fc52a37fca207999799

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    8cb7f4b4ab204cacd1af6b29c2a2042c

    SHA1

    244540c38e33eac05826d54282a0bfa60340d6a1

    SHA256

    4994013dabe4f131d401879278eee147add6349124ea6452358dca7e2344c7a6

    SHA512

    7651cb6863a425840db610253151e271d3e8da26a8c633ce484247266fa226792ecb84b9578df3ab17fef84a5dfcad417b63a7df59c9650a907e08d59b91dd6e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    051a74485331f9d9f5014e58ec71566c

    SHA1

    4ed0256a84f2e95609a0b4d5c249bca624db8fe4

    SHA256

    3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888

    SHA512

    1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    cef328ddb1ee8916e7a658919323edd8

    SHA1

    a676234d426917535e174f85eabe4ef8b88256a5

    SHA256

    a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90

    SHA512

    747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c0zfupoj.1z2.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/1252-43-0x000000001C250000-0x000000001C266000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1252-0-0x00007FFBA8CD3000-0x00007FFBA8CD5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1252-1-0x0000000000780000-0x000000000079C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/1252-95-0x0000000001150000-0x000000000115C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1252-40-0x00007FFBA8CD3000-0x00007FFBA8CD5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1252-2-0x00007FFBA8CD0000-0x00007FFBA9792000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1252-44-0x00007FFBA8CD0000-0x00007FFBA9792000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3492-3-0x00007FFBA8CD0000-0x00007FFBA9792000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3492-13-0x00007FFBA8CD0000-0x00007FFBA9792000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3492-16-0x00007FFBA8CD0000-0x00007FFBA9792000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3492-15-0x00007FFBA8CD0000-0x00007FFBA9792000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3492-14-0x000002F06DB10000-0x000002F06DB32000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3492-4-0x00007FFBA8CD0000-0x00007FFBA9792000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3492-19-0x00007FFBA8CD0000-0x00007FFBA9792000-memory.dmp

    Filesize

    10.8MB

    Download