Overview

overview

10

Static

static

1

injector.msi

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    115s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250217-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    08/03/2025, 10:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    injector.msi

  • Size

    1.2MB

  • MD5

    f2ab259a57ce31c7a61cdb4266f28a58

  • SHA1

    91569473b6fea4dc90541e25d2239cf7b1ade8ae

  • SHA256

    2d6e6b6590d2541da93aaf4690fec839fc56fbabcbd110d18f3d53ae4105c012

  • SHA512

    bec918973d2aa44411b5ff1c003a50180dc50b9c19f3fa23776337e99d94757c4c0ec39b39cb4d1bc5fb5c68675b45a2c26eb5e45aaea67479c88161e3be8353

  • SSDEEP

    24576:gt9cpVDhtnJlL52UoehMFc+8CrgyZRcO/WrtrDFJIGL5UGWq:/pRhtJB5RbKF7nzZ0ZJb

Score
10/10
xwormdiscoveryexecutionpersistenceprivilege_escalationrattrojan

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    injector.exe

  • pastebin_url

    https://pastebin.com/raw/DSFaHH8B

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 11 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\injector.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4364
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:748
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 0DFDE90676101C3C49B320FBDE29DA2B
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1284
        • C:\Windows\SysWOW64\ICACLS.EXE
          "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-0f6b8fb5-7ae2-489f-b6a8-e03b4100d9c4\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
          3⤵
          • Modifies file permissions
          • System Location Discovery: System Language Discovery
          PID:1476
        • C:\Windows\SysWOW64\EXPAND.EXE
          "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
          3⤵
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          PID:2096
        • C:\Users\Admin\AppData\Local\Temp\MW-0f6b8fb5-7ae2-489f-b6a8-e03b4100d9c4\files\injector.exe
          "C:\Users\Admin\AppData\Local\Temp\MW-0f6b8fb5-7ae2-489f-b6a8-e03b4100d9c4\files\injector.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1956
          • C:\Users\Admin\AppData\Roaming\WindowsServiceHost.exe
            "C:\Users\Admin\AppData\Roaming\WindowsServiceHost.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:984
          • C:\Users\Admin\AppData\Roaming\clienthook.exe
            "C:\Users\Admin\AppData\Roaming\clienthook.exe"
            4⤵
            • Drops startup file
            • Adds Run key to start application
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1832
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\clienthook.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4544
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'clienthook.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:2388
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\injector.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:1148
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'injector.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:380
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\SysWOW64\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "injector" /tr "C:\Users\Admin\injector.exe"
              5⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:448
        • C:\Windows\SysWOW64\ICACLS.EXE
          "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-0f6b8fb5-7ae2-489f-b6a8-e03b4100d9c4\." /SETINTEGRITYLEVEL (CI)(OI)LOW
          3⤵
          • Modifies file permissions
          • System Location Discovery: System Language Discovery
          PID:4928
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:4844
    • C:\Users\Admin\injector.exe
      "C:\Users\Admin\injector.exe"
      1⤵
      • Executes dropped EXE
      PID:2492
    • C:\Users\Admin\injector.exe
      "C:\Users\Admin\injector.exe"
      1⤵
      • Executes dropped EXE
      PID:2068

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Event Triggered Execution

    1
    T1546

    Installer Packages

    1
    T1546.016

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Event Triggered Execution

    1
    T1546

    Installer Packages

    1
    T1546.016

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    File and Directory Permissions Modification

    1
    T1222

    Modify Registry

    1
    T1112

    System Binary Proxy Execution

    1
    T1218

    Msiexec

    1
    T1218.007

    Credential Access

    Discovery

    Peripheral Device Discovery

    2
    T1120

    Query Registry

    3
    T1012

    System Information Discovery

    4
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Command and Control

    Web Service

    1
    T1102

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\injector.exe.log
      Filesize

      654B

      MD5

      11c6e74f0561678d2cf7fc075a6cc00c

      SHA1

      535ee79ba978554abcb98c566235805e7ea18490

      SHA256

      d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

      SHA512

      32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      3KB

      MD5

      020d1cbef5aeb22088c0faff8d76af4e

      SHA1

      93e7f27b8fb57cfea4ae330bedcace1a8ce7c014

      SHA256

      cb283829df7f7ca2f7f8072ed014bebb7d424581e8672a9fa5683f3674726bb0

      SHA512

      1046228ed9d08e5296c02409b5aa460e8280a633f7f2022ec7dc7c1e750522260006844bd5114ec713593bce1d10b8932963a8630e6707e76b45a0cb8c8ff53d

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      714c05aecb94594ffcbd61b1eea79d83

      SHA1

      966442eb5cbf00d3d94dff78b67df228e49e1b9f

      SHA256

      07c4ee5409cd3d2f979809ec3eb3b7f245dd5c32d733fa8c683984ba5dfe4c4c

      SHA512

      9777034067dc146ec21c91f357a62fb6841744b1b258b1c642173285636a5e13e6ef6e536fb99331caa1de155071f5e7dd3f3d619992e5e78e319db2862c4b9c

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      808f797fa79f7f9b5c6849d529734680

      SHA1

      4bc234dd22f06b07d6e661d813bfc5bdf65e8b03

      SHA256

      e4f003683b47e933315e6d54e81f51fe2c4082f847982a7af338f40c3d0becb2

      SHA512

      70c6d79f484597b07e781c24a7523076f2c647af116d9e0a3e26ad1e595a0fd41ea5c005bfa045a7b3b5e606188584476a4c2318b5a6b7f72dab7d561c151692

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      c9569d209d2c7736dd0bf85e5b391e18

      SHA1

      123597f50a683c6b8b724460aba71b8fbd92d7a7

      SHA256

      e65255c123e55f2972607e6f596be0e8f879a946bdceb235b635f557046bc4b7

      SHA512

      40d491e266869814da5f87410ca2b1de279a1bcd89ef382b13940bdbb9f017d3ad6ece22ab98c8f06fb9d227c4adeafd390be622cb27dd08240f201e96a5ca6a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-0f6b8fb5-7ae2-489f-b6a8-e03b4100d9c4\files.cab
      Filesize

      919KB

      MD5

      3fa959051d9c8679ef470be0ff5be394

      SHA1

      c0c215d74291f222ce815e1ee4f600525840e2a0

      SHA256

      ed7d536917099f13c40749c3a015f8b6b05ad9ab956a5c9ef45544e67b2e919c

      SHA512

      8599420e4f38d57877c8e54026b6124849d3a673c2853e8f30018c2a4b7a87076b5c77a9a40fb05f8d9d8204c0b7c9be23f3ed0ed99d14cbd1de59d71a991267

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-0f6b8fb5-7ae2-489f-b6a8-e03b4100d9c4\files\injector.exe
      Filesize

      1.4MB

      MD5

      f18c325d8e39f3415aa807f6a87a7899

      SHA1

      75f84d9beb3ae4b552f8194668acc82710dad7e3

      SHA256

      1db749dd1df020f0854cd103dbf5653efb9583a2f59a3337ca68caa4dc22a975

      SHA512

      6fa2e541b9b137b2c5ed9c3803b208f9925dd3a0ee249340bd501fb0fa79438b3b1c409e15d3b160fc037912be048f285d554770837a8b15f5034e9a90d0b3be

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-0f6b8fb5-7ae2-489f-b6a8-e03b4100d9c4\msiwrapper.ini
      Filesize

      1KB

      MD5

      de352afd72c629b3d0a33a56fbedf423

      SHA1

      2591e1ff94124a03dbbd0aa60bf891e851c27956

      SHA256

      5cdddb7606440f22007acf4e0928d4c72e8b23d71d9ce78d4024dcaf84c857d1

      SHA512

      dfc42fcdb8f881865e6c280e423829bb9687f037df00e9efd20d1dba079242d27e1c2687975976b72648732b701f1fc40f83a4a90341594a867e55a0418d0ba3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-0f6b8fb5-7ae2-489f-b6a8-e03b4100d9c4\msiwrapper.ini
      Filesize

      442B

      MD5

      d8ebba77915fad07f38fd76ce2176e7e

      SHA1

      a6c511aea3d756ec1385cb786363db2e96936865

      SHA256

      f05fb193eff2a245d927dc5f92bdaa7936dd3ed3b5cbc1b789d6570997dca77c

      SHA512

      a34e15d1aa20119297c10c8698bfd6fbdc0beac5711b8dea7a203b1420df86fc590ac61494b5cbc45828f070f44f42851101ade3febf8aa697edae2d5d4073d9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-0f6b8fb5-7ae2-489f-b6a8-e03b4100d9c4\msiwrapper.ini
      Filesize

      1KB

      MD5

      bc6d57bb52845975fb748b5135e6c808

      SHA1

      1b191831cc8d8dadc29c2cbd5bf02922f3c829bc

      SHA256

      069622be14fcb979e5bdfe6a0b9c526fc245be933c1d321febf8adeaeb602d78

      SHA512

      4d154fc12ce55692a8553a18933952a44c232910782207959de1966fcc153066c459849246b21b25edf7ad3051ef967b6117bf47768975488fd9dfe5afd16f23

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-0f6b8fb5-7ae2-489f-b6a8-e03b4100d9c4\msiwrapper.ini
      Filesize

      1KB

      MD5

      49790fb488f1106f7861d9b747bef577

      SHA1

      95e12c90c59eb648b32c0ffb80341cc47d81bf9e

      SHA256

      cf20b0eae0fdf894edec4c19d1c600c9f5a4b24c854b89d624b81693cbee54f1

      SHA512

      934da49db2ad9ed1deff89be8d35ac0ff0a3b803b8bb037cc0ee5861690877a7f60d48a59c21e191fbcf906d7f4e4d3c72ea1b2f9d2fae4251d33d37c3576861

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l5nqwsgy.soo.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\WindowsServiceHost.exe
      Filesize

      23KB

      MD5

      3b5ba1d090951d3d769836223db57393

      SHA1

      9b31771eba4dd8c7bbccdc2a50bb6dad87e42fc4

      SHA256

      898ac3faf4ecaad9b2fee90a2e5545b647e260c7a3f55c40babfa3c002170a19

      SHA512

      959552901b232666b1c4ff75729b18952c39da5672346779d45025daae108eba7a682fc9f41b0edb94c924f0a2c349db57e3ca3dbe5adb0b44c9d1c7d0888d5d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\clienthook.exe
      Filesize

      57KB

      MD5

      66fad41f7b041f6b8471678f91d69e5d

      SHA1

      544c90183fa935f37b329d2195f6c9ca8273e5f1

      SHA256

      b52d775f91462e0c7fe1ceed7bd28479706e52bba59196d28151423fb42673a1

      SHA512

      8a12a32e53d210c34705ca887438a469010674a0b38b65d9a35fb08f287e646c76959d9ecb587da0422033d368a4a5e36e8260cd9b3bee45708da2908d1eb5f1

      Download Submit

    • C:\Windows\Installer\MSIF53D.tmp
      Filesize

      208KB

      MD5

      0c8921bbcc37c6efd34faf44cf3b0cb5

      SHA1

      dcfa71246157edcd09eecaf9d4c5e360b24b3e49

      SHA256

      fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

      SHA512

      ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

      Download Submit

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      24.0MB

      MD5

      f0f2ad36907075c84a3b9e5b3185b803

      SHA1

      d896795bfe7260cbb9dbc1542a002d112cdbb31d

      SHA256

      6f1986d6ba1f380ee4eb9188552e073a2b79b4337a33121a6b18dd177c9e368d

      SHA512

      047d89ffc6e87c77b8cdd3e6fb4b90771bc04336f2e47b354953a170e746666fa05ecd4a6a3d236f64057bfa18e50da1fa97cf2d19b670d47db17dfe1b7dc885

      Download Submit

    • \??\Volume{1adc0b49-0000-0000-0000-d08302000000}\System Volume Information\SPP\OnlineMetadataCache\{ce0186d7-f8a2-4a0c-b86e-933c4ab6b9ce}_OnDiskSnapshotProp
      Filesize

      6KB

      MD5

      a6f4c13dd22ba9cbe81b30ec71457f52

      SHA1

      dc8175f18aa2f659e54d9bf4c43cc7db5c83f6ea

      SHA256

      e9562ebb7d1f242e6a02d6bf22f38b972bc264a9cea1987064815e77d8ce39d8

      SHA512

      1d06e4cdbc7158459471393ebf371256a6b1726e21bc82039c328f237e23388f60d416e6babeb43b62222fbfa42cbba5def822edd4aa82a50e154fb843ac8a47

      Download Submit

    • memory/1832-100-0x0000000000C70000-0x0000000000C84000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1956-68-0x0000000000C80000-0x0000000000DF2000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4544-120-0x000001D6F7DB0000-0x000001D6F7DD2000-memory.dmp

      Filesize

      136KB

      Download