Resubmissions

03-05-2024 17:26  240503-vz54gaef96  10

03-05-2024 17:25  240503-vy9p9sef75  10

03-05-2024 17:19  240503-vvvryaef24  10

03-05-2024 17:17  240503-vt5krabf8x  10

03-05-2024 17:11  240503-vqjtwabf2t  10

Analysis

  • max time kernel
    62s
  • max time network
    73s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags
    arch:x64 arch:x86 image:win11-20240426-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    03-05-2024 17:25

Errors

Reason: Machine shutdown

General

  • Target

    54335453425234.exe

  • Size

    57KB

  • MD5

    3db6691099ca8a85cb08e68dc8eed38a

  • SHA1

    9592497a91fd06c82e0082c61ebff8688b4932dc

  • SHA256

    002a55a722eb437d66039df4b8e16b32baa59ba4f3a180c0d5a0514e01dc7377

  • SHA512

    ba0778c135da545a10cfeea230263493d2339e19b61d2a9a2db93f805a620a79381c2d6be82ee1ff199b4bb490013e624b2d68e937966615c6ea64a67c6cb60e

  • SSDEEP

    1536:JiNNpIaOeW6fBnwL36ZOR8Rngkb/kiqnLx3oXyDmOJHLFu/:MNNpzW6fBwL6/gkb/O6lOJk/

Malware Config

Extracted

Family

xworm

C2

0.tcp.eu.ngrok.io:15487

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 1 IoCs
  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • ModiLoader Second Stage 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\54335453425234.exe
    "C:\Users\Admin\AppData\Local\Temp\54335453425234.exe"
    1⤵
    • Drops startup file
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:232
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\cbwnio.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:328
    • C:\Users\Admin\AppData\Local\Temp\clvbvf.exe
      "C:\Users\Admin\AppData\Local\Temp\clvbvf.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      PID:4828
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\dlhgcn.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:2720
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:5080

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\cbwnio.txt

    Filesize
    73B

    MD5
    14971ff50a2c64ab66b3c75dbc7d4843

    SHA1
    06ccc16cc89657fcb273ce32a9e08e390bb941b2

    SHA256
    89958b18030ce0c7df6fbfd12060ad8352ed9db5c15d322fcefcf3fc3989519d

    SHA512
    1aa3ec9efab14b0aca49605e721555e5f4c04dc289faa5513948bca004da9c8c7ed615f1d75d40b2ab14dab03500bdb3939c497b8e10bf67378e1557556c3f7e

  • C:\Users\Admin\AppData\Local\Temp\clvbvf.exe

    Filesize
    206KB

    MD5
    9f651f1d0558abd7b1c154e2f62ca805

    SHA1
    ff55de48651bd4f35b7a41b56db2c37a038289bc

    SHA256
    12d7b0e21dc5c11862794b698e2e675810fbaae69cb106e43ce2b4e372265284

    SHA512
    cf25c4402b4156c8148b8d5567f97bca98666d1c7a493e2bd661e5468599ca13adf2bd9bbc158797d4ae46113017020b65316ddeacb1126fe0ea9a5f3056a2a2

  • memory/232-0-0x00007FFB0AEE3000-0x00007FFB0AEE5000-memory.dmp

    Filesize
    8KB

  • memory/232-1-0x0000000000B10000-0x0000000000B24000-memory.dmp

    Filesize
    80KB

  • memory/232-6-0x00007FFB0AEE0000-0x00007FFB0B9A2000-memory.dmp

    Filesize
    10.8MB

  • memory/232-7-0x0000000002EE0000-0x0000000002EEC000-memory.dmp

    Filesize
    48KB

  • memory/232-8-0x00007FFB0AEE3000-0x00007FFB0AEE5000-memory.dmp

    Filesize
    8KB

  • memory/232-9-0x00007FFB0AEE0000-0x00007FFB0B9A2000-memory.dmp

    Filesize
    10.8MB

  • memory/232-28-0x0000000001400000-0x000000000140E000-memory.dmp

    Filesize
    56KB

  • memory/4828-21-0x0000000000400000-0x0000000000487000-memory.dmp

    Filesize
    540KB

  • memory/4828-22-0x0000000000400000-0x0000000000487000-memory.dmp

    Filesize
    540KB