Analysis Overview
SHA256
002a55a722eb437d66039df4b8e16b32baa59ba4f3a180c0d5a0514e01dc7377
Threat Level: Known bad
The file 54335453425234.exe was found to be: Known bad.
Malicious Activity Summary
Contains code to disable Windows Defender
Xworm
Detect Xworm Payload
Xworm family
ModiLoader, DBatLoader
ModiLoader Second Stage
UPX packed file
Executes dropped EXE
Drops startup file
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Opens file in notepad (likely ransom note)
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-03 17:25
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-03 17:25
Reported
2024-05-03 17:26
Platform
win11-20240426-en
Max time kernel
62s
Max time network
73s
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ModiLoader, DBatLoader
Xworm
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\54335453425234.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\54335453425234.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\clvbvf.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\clvbvf.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\clvbvf.exe" | C:\Users\Admin\AppData\Local\Temp\clvbvf.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\54335453425234.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\54335453425234.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\54335453425234.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 232 wrote to memory of 328 | N/A | C:\Users\Admin\AppData\Local\Temp\54335453425234.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 232 wrote to memory of 328 | N/A | C:\Users\Admin\AppData\Local\Temp\54335453425234.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 232 wrote to memory of 4828 | N/A | C:\Users\Admin\AppData\Local\Temp\54335453425234.exe | C:\Users\Admin\AppData\Local\Temp\clvbvf.exe |
| PID 232 wrote to memory of 4828 | N/A | C:\Users\Admin\AppData\Local\Temp\54335453425234.exe | C:\Users\Admin\AppData\Local\Temp\clvbvf.exe |
| PID 232 wrote to memory of 4828 | N/A | C:\Users\Admin\AppData\Local\Temp\54335453425234.exe | C:\Users\Admin\AppData\Local\Temp\clvbvf.exe |
| PID 232 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\54335453425234.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 232 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\54335453425234.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\54335453425234.exe
"C:\Users\Admin\AppData\Local\Temp\54335453425234.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\cbwnio.txt
C:\Users\Admin\AppData\Local\Temp\clvbvf.exe
"C:\Users\Admin\AppData\Local\Temp\clvbvf.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\dlhgcn.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.125.223.134:15487 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 134.223.125.3.in-addr.arpa | udp |
| DE | 3.125.223.134:15487 | 0.tcp.eu.ngrok.io | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\cbwnio.txt
| MD5 | 14971ff50a2c64ab66b3c75dbc7d4843 |
| SHA1 | 06ccc16cc89657fcb273ce32a9e08e390bb941b2 |
| SHA256 | 89958b18030ce0c7df6fbfd12060ad8352ed9db5c15d322fcefcf3fc3989519d |
| SHA512 | 1aa3ec9efab14b0aca49605e721555e5f4c04dc289faa5513948bca004da9c8c7ed615f1d75d40b2ab14dab03500bdb3939c497b8e10bf67378e1557556c3f7e |
C:\Users\Admin\AppData\Local\Temp\clvbvf.exe
| MD5 | 9f651f1d0558abd7b1c154e2f62ca805 |
| SHA1 | ff55de48651bd4f35b7a41b56db2c37a038289bc |
| SHA256 | 12d7b0e21dc5c11862794b698e2e675810fbaae69cb106e43ce2b4e372265284 |
| SHA512 | cf25c4402b4156c8148b8d5567f97bca98666d1c7a493e2bd661e5468599ca13adf2bd9bbc158797d4ae46113017020b65316ddeacb1126fe0ea9a5f3056a2a2 |