Overview

overview

10

Static

static

3

ExodusInject.exe

windows7-x64

10

ExodusInject.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    06/03/2025, 00:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ExodusInject.exe

  • Size

    227KB

  • MD5

    38b7704d2b199559ada166401f1d51c1

  • SHA1

    3376eec35cd4616ba8127b976a8667e7a0aac87d

  • SHA256

    153825af8babb75361f4af359bfdd5e95cbdc7f263db5c4e70ac1da8f36bc564

  • SHA512

    07b828073c8f80c5498501c8f64decb5effa702c8bc3d60a2f7d5de36d493b469cbbf413fb0c92c0aadd6ee139bfb75f3b9e936230212d42e57d2ec5671e9b27

  • SSDEEP

    3072:iBIVzZQgudhV3mypQgbNjcEHBAnpK37nXY8q004Q78ePsi74tyJhbgKL/VoilIBS:Ur3mypQX8mOeP/9/VtLGH+8l

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

137.184.74.73:5000

Mutex

Y2rnj2CSRObOXXLb

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    System.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\ExodusInject.exe
    "C:\Users\Admin\AppData\Local\Temp\ExodusInject.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1012
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\AggregatorHost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2172
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AggregatorHost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2644
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3FCE.tmp.bat""
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:848
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2436
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {CA1CBD98-0458-40D4-A9CB-5FB83471E0CE} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:856
    • C:\Users\Admin\AppData\Roaming\AggregatorHost.exe
      C:\Users\Admin\AppData\Roaming\AggregatorHost.exe
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:320
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\ProgramData\System.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2368
    • C:\ProgramData\System.exe
      C:\ProgramData\System.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1324
    • C:\ProgramData\System.exe
      C:\ProgramData\System.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2476
    • C:\ProgramData\System.exe
      C:\ProgramData\System.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1892

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp3FCE.tmp.bat
    Filesize

    164B

    MD5

    647fff08212bfff02008830e137d0414

    SHA1

    4e484746ce479d57bcb492216b232ce1213fe10e

    SHA256

    11334586d91211636d2eb4257fe0ebf67b08b625ae38057f24d1cb2a5553213a

    SHA512

    e7b32253f6ef4f2f4bf049360c989da7e394c72c62e460cdd7f23682c06c920878d02bfa9728081626344fc7c95a78076b1967575a170f41752759e514aa28ee

    Download Submit

  • C:\Users\Admin\AppData\Roaming\AggregatorHost.exe
    Filesize

    227KB

    MD5

    38b7704d2b199559ada166401f1d51c1

    SHA1

    3376eec35cd4616ba8127b976a8667e7a0aac87d

    SHA256

    153825af8babb75361f4af359bfdd5e95cbdc7f263db5c4e70ac1da8f36bc564

    SHA512

    07b828073c8f80c5498501c8f64decb5effa702c8bc3d60a2f7d5de36d493b469cbbf413fb0c92c0aadd6ee139bfb75f3b9e936230212d42e57d2ec5671e9b27

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    f54d1eeb70629c149ac041f8bfb3785a

    SHA1

    4019f4af701d418bf24f201ee160776210e7e20f

    SHA256

    c528cd945b1664de4e4165079bdf5351b44bddd6276b9b7f3167d9140ffb944a

    SHA512

    d377ce00fb634149943d47d9b91214e86377e446ba0ef2bec013bdc1e85a5cb2f426d7b29a428356d74036348a0174eb44de52cdf865d4faaba192f6fe9f7cc9

    Download Submit

  • memory/320-30-0x00000000003C0000-0x00000000003CE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/320-29-0x00000000012E0000-0x0000000001320000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1012-25-0x000007FEF6BF0000-0x000007FEF75DC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1012-0-0x000007FEF6BF3000-0x000007FEF6BF4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1012-1-0x00000000003D0000-0x0000000000410000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1012-39-0x000007FEF6BF0000-0x000007FEF75DC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1324-38-0x0000000000EE0000-0x0000000000F20000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1892-45-0x0000000001150000-0x0000000001190000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2172-7-0x00000000020C0000-0x00000000020C8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2172-6-0x000000001B510000-0x000000001B7F2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2476-43-0x0000000001010000-0x0000000001050000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2644-14-0x0000000002240000-0x0000000002248000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2644-13-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

    Filesize

    2.9MB

    Download