Malware Analysis Report

2024-10-23 19:35

Sample ID 240503-vy9p9sef75
Target 54335453425234.exe
SHA256 002a55a722eb437d66039df4b8e16b32baa59ba4f3a180c0d5a0514e01dc7377
Tags
xworm modiloader persistence rat trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

002a55a722eb437d66039df4b8e16b32baa59ba4f3a180c0d5a0514e01dc7377

Threat Level: Known bad

The file 54335453425234.exe was found to be: Known bad.

Malicious Activity Summary

xworm modiloader persistence rat trojan upx

Contains code to disable Windows Defender

Xworm

Detect Xworm Payload

Xworm family

ModiLoader, DBatLoader

ModiLoader Second Stage

UPX packed file

Executes dropped EXE

Drops startup file

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Opens file in notepad (likely ransom note)

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-03 17:25

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-03 17:25

Reported

2024-05-03 17:26

Platform

win11-20240426-en

Max time kernel

62s

Max time network

73s

Command Line

"C:\Users\Admin\AppData\Local\Temp\54335453425234.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

ModiLoader, DBatLoader

trojan modiloader

Xworm

trojan rat xworm

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\54335453425234.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\54335453425234.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\clvbvf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\clvbvf.exe" C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 0.tcp.eu.ngrok.io N/A N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\54335453425234.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\clvbvf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54335453425234.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\54335453425234.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\54335453425234.exe

"C:\Users\Admin\AppData\Local\Temp\54335453425234.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\cbwnio.txt

C:\Users\Admin\AppData\Local\Temp\clvbvf.exe

"C:\Users\Admin\AppData\Local\Temp\clvbvf.exe"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\dlhgcn.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
DE 3.125.223.134:15487 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 134.223.125.3.in-addr.arpa udp
DE 3.125.223.134:15487 0.tcp.eu.ngrok.io tcp

Files

memory/232-0-0x00007FFB0AEE3000-0x00007FFB0AEE5000-memory.dmp

memory/232-1-0x0000000000B10000-0x0000000000B24000-memory.dmp

memory/232-6-0x00007FFB0AEE0000-0x00007FFB0B9A2000-memory.dmp

memory/232-7-0x0000000002EE0000-0x0000000002EEC000-memory.dmp

memory/232-8-0x00007FFB0AEE3000-0x00007FFB0AEE5000-memory.dmp

memory/232-9-0x00007FFB0AEE0000-0x00007FFB0B9A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cbwnio.txt

MD5 14971ff50a2c64ab66b3c75dbc7d4843
SHA1 06ccc16cc89657fcb273ce32a9e08e390bb941b2
SHA256 89958b18030ce0c7df6fbfd12060ad8352ed9db5c15d322fcefcf3fc3989519d
SHA512 1aa3ec9efab14b0aca49605e721555e5f4c04dc289faa5513948bca004da9c8c7ed615f1d75d40b2ab14dab03500bdb3939c497b8e10bf67378e1557556c3f7e

C:\Users\Admin\AppData\Local\Temp\clvbvf.exe

MD5 9f651f1d0558abd7b1c154e2f62ca805
SHA1 ff55de48651bd4f35b7a41b56db2c37a038289bc
SHA256 12d7b0e21dc5c11862794b698e2e675810fbaae69cb106e43ce2b4e372265284
SHA512 cf25c4402b4156c8148b8d5567f97bca98666d1c7a493e2bd661e5468599ca13adf2bd9bbc158797d4ae46113017020b65316ddeacb1126fe0ea9a5f3056a2a2

memory/4828-21-0x0000000000400000-0x0000000000487000-memory.dmp

memory/4828-22-0x0000000000400000-0x0000000000487000-memory.dmp

memory/232-28-0x0000000001400000-0x000000000140E000-memory.dmp