Resubmissions
03-05-2024 17:26
240503-vz54gaef96 10
03-05-2024 17:25
240503-vy9p9sef75 10
03-05-2024 17:19
240503-vvvryaef24 10
03-05-2024 17:17
240503-vt5krabf8x 10
03-05-2024 17:11
240503-vqjtwabf2t 10
Analysis
max time kernel: 62s
max time network: 73s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 03-05-2024 17:25
Behavioral task: behavioral1
Sample: 54335453425234.exe
Resource: win11-20240426-en
Errors
General
Target: 54335453425234.exe
Size: 57KB
MD5: 3db6691099ca8a85cb08e68dc8eed38a
SHA1: 9592497a91fd06c82e0082c61ebff8688b4932dc
SHA256: 002a55a722eb437d66039df4b8e16b32baa59ba4f3a180c0d5a0514e01dc7377
SHA512: ba0778c135da545a10cfeea230263493d2339e19b61d2a9a2db93f805a620a79381c2d6be82ee1ff199b4bb490013e624b2d68e937966615c6ea64a67c6cb60e
SSDEEP: 1536:JiNNpIaOeW6fBnwL36ZOR8Rngkb/kiqnLx3oXyDmOJHLFu/:MNNpzW6fBwL6/gkb/O6lOJk/
Malware Config
Extracted
Family: xworm
C2: 0.tcp.eu.ngrok.io:15487
Install_directory: %AppData%
install_file: XClient.exe
Signatures

Contains code to disable Windows Defender (1 IoC)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource: behavioral1/memory/232-28-0x0000000001400000-0x000000000140E000-memory.dmp; yara_rule: disable_win_def

Detect Xworm Payload (1 IoC)
Processes:
resource: behavioral1/memory/232-1-0x0000000000B10000-0x0000000000B24000-memory.dmp; yara_rule: family_xworm

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (1 IoC)
Processes:
resource: behavioral1/memory/4828-22-0x0000000000400000-0x0000000000487000-memory.dmp; yara_rule: modiloader_stage2

Drops startup file (2 IoCs)
Processes (description / ioc / process):
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk; process: 54335453425234.exe
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk; process: 54335453425234.exe

Executes dropped EXE (1 IoC)
Processes:
pid 4828: clvbvf.exe

Processes (UPX-packed resources):
resource: C:\Users\Admin\AppData\Local\Temp\clvbvf.exe; yara_rule: upx
resource: behavioral1/memory/4828-21-0x0000000000400000-0x0000000000487000-memory.dmp; yara_rule: upx
resource: behavioral1/memory/4828-22-0x0000000000400000-0x0000000000487000-memory.dmp; yara_rule: upx

Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description / ioc / process):
Set value (str): \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\clvbvf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\clvbvf.exe"; process: clvbvf.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 1 IoC)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
Processes (description / ioc / process):
Key created: \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings; process: 54335453425234.exe

Opens file in notepad (likely ransom note) (2 IoCs)
Processes:
pid 328: NOTEPAD.EXE
pid 2720: NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid 4828: clvbvf.exe (the same entry is listed 64 times)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description / pid / process):
Token: SeDebugPrivilege; pid 232; 54335453425234.exe
Token: SeShutdownPrivilege; pid 232; 54335453425234.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes (description / pid / process / target process):
PID 232 wrote to memory of 328; 54335453425234.exe -> NOTEPAD.EXE
PID 232 wrote to memory of 328; 54335453425234.exe -> NOTEPAD.EXE
PID 232 wrote to memory of 4828; 54335453425234.exe -> clvbvf.exe
PID 232 wrote to memory of 4828; 54335453425234.exe -> clvbvf.exe
PID 232 wrote to memory of 4828; 54335453425234.exe -> clvbvf.exe
PID 232 wrote to memory of 2720; 54335453425234.exe -> NOTEPAD.EXE
PID 232 wrote to memory of 2720; 54335453425234.exe -> NOTEPAD.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\54335453425234.exe  "C:\Users\Admin\AppData\Local\Temp\54335453425234.exe"  (PID 232)
  - Drops startup file
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\NOTEPAD.EXE  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\cbwnio.txt  (PID 328)
      - Opens file in notepad (likely ransom note)
    C:\Users\Admin\AppData\Local\Temp\clvbvf.exe  "C:\Users\Admin\AppData\Local\Temp\clvbvf.exe"  (PID 4828)
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\system32\NOTEPAD.EXE  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\dlhgcn.txt  (PID 2720)
      - Opens file in notepad (likely ransom note)
C:\Windows\explorer.exe  explorer.exe  (PID 5080)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 73B
MD5: 14971ff50a2c64ab66b3c75dbc7d4843
SHA1: 06ccc16cc89657fcb273ce32a9e08e390bb941b2
SHA256: 89958b18030ce0c7df6fbfd12060ad8352ed9db5c15d322fcefcf3fc3989519d
SHA512: 1aa3ec9efab14b0aca49605e721555e5f4c04dc289faa5513948bca004da9c8c7ed615f1d75d40b2ab14dab03500bdb3939c497b8e10bf67378e1557556c3f7e

Filesize: 206KB
MD5: 9f651f1d0558abd7b1c154e2f62ca805
SHA1: ff55de48651bd4f35b7a41b56db2c37a038289bc
SHA256: 12d7b0e21dc5c11862794b698e2e675810fbaae69cb106e43ce2b4e372265284
SHA512: cf25c4402b4156c8148b8d5567f97bca98666d1c7a493e2bd661e5468599ca13adf2bd9bbc158797d4ae46113017020b65316ddeacb1126fe0ea9a5f3056a2a2