Analysis

  • max time kernel: 297s
  • max time network: 264s
  • platform: windows11-21h2_x64
  • resource: win11-20240426-en
  • resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted: 09-05-2024 17:15

General

  • Target: refl‮gnp.exe
  • Size: 79KB
  • MD5: 863711c10c1844754fca2729ac0f0380
  • SHA1: 2836a5baebb141188c2f845453a2c7700ed6e40f
  • SHA256: a441decf9cc4b9ac966e45c4127f253818f75328a30f2810acacf6551cd6f2bd
  • SHA512: 6aa41e7112b5edbc9e3a1d7ab5fb5fb5e26c5cde702f60f70715178a7acb59479f59d182afe5c42ba0b5ca6f5107934b47c19ecd6e99c34fbc7386804c2aa7d6
  • SSDEEP: 1536:YA2ixxSE7SX6TkIjnG18PyC+uF8iqUH3pbLYkDlGe4QDDa2OYoFpUrps24u:LgIu8PlxpbLYslNODF1u

Malware Config

Extracted

  • Family: xworm
  • Attributes
    • Install_directory: %AppData%
    • install_file: USB.exe
    • pastebin_url: https://pastebin.com/raw/cVQrB6DR

Signatures

  • Detect Xworm Payload (2 IoCs)
  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • ModiLoader Second Stage (2 IoCs)
  • Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  • Drops startup file (2 IoCs)
  • Executes dropped EXE (3 IoCs)
  • UPX packed file (3 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Enumerates connected drives (3 TTPs, 2 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) (3 TTPs, 58 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe (1 IoC)
  • Enumerates system info in registry (2 TTPs, 2 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 1 IoC)
  • Modifies registry class (43 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (52 IoCs)
  • Suspicious use of FindShellTrayWindow (37 IoCs)
  • Suspicious use of SendNotifyMessage (64 IoCs)
  • Suspicious use of SetWindowsHookEx (5 IoCs)
  • Suspicious use of WriteProcessMemory (13 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\refl‮gnp.exe
    "C:\Users\Admin\AppData\Local\Temp\refl‮gnp.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3876
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsSecurity" /tr "C:\Users\Admin\AppData\Roaming\WindowsSecurity"
      2⤵
      • Creates scheduled task(s)
      PID:2564
    • C:\Users\Admin\AppData\Local\Temp\ufpdgu.exe
      "C:\Users\Admin\AppData\Local\Temp\ufpdgu.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:444
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:4052
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "WindowsSecurity"
      2⤵
      PID:420
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB63B.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:792
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:1984
  • C:\Users\Admin\AppData\Roaming\WindowsSecurity
    C:\Users\Admin\AppData\Roaming\WindowsSecurity
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4784
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:1944
  • C:\Users\Admin\AppData\Roaming\WindowsSecurity
    C:\Users\Admin\AppData\Roaming\WindowsSecurity
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4064
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4304
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4460

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WindowsSecurity.log
    Filesize: 654B
    MD5: 2cbbb74b7da1f720b48ed31085cbd5b8
    SHA1: 79caa9a3ea8abe1b9c4326c3633da64a5f724964
    SHA256: e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
    SHA512: ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\3JV2N3YF\www.bing[1].xml
    Filesize: 2KB
    MD5: 847d5c30ad93993f9e437446b9958e10
    SHA1: d1e799e6f6f9d3d18f513246950eb1702e26fb08
    SHA256: 344ee1cb3f603345cbb981aa4b14e84ccc1a56da4369901710201a863c5e066a
    SHA512: ee852b7a6c09c373ef50b0a2d61befb2caa0a6709e16d36ea86141669db8b3104c17420c5d69da919191d4d3f80c643a8424e187d8a4c1c6856574c2968eb744

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\3JV2N3YF\www.bing[1].xml
    Filesize: 17KB
    MD5: cd4bea37d87e08de117ed143bb1d9505
    SHA1: 6ced5d28069169ad339572ba811bc0406d9e3469
    SHA256: 4374cb1b94d5f53b09e5fd3f2adfa22ff8f786497dee41261d7365bbcb02d042
    SHA512: e51a914ee39746e2c252507ad16801d4f92c90bb6eaeec3cea64bf2e4c9c4a72ac039cb1d7baa8d6231455b9d297ad53306b06ceb0739f3411521f4d5aa01d0e

  • C:\Users\Admin\AppData\Local\Temp\tmpB63B.tmp.bat
    Filesize: 162B
    MD5: 6fced42a6f1f8eba7f09ebade1f17542
    SHA1: 96ea03cd78a316d97f33c1271e9349fba929c2f5
    SHA256: a8a6ad362af60d17aa6fa2cf553c1d7fa16e395681793e16d9ca191091e70a56
    SHA512: 59eb527c36d625e4d4b2f7d24174336a082ea1685fd8699d916afe60d2b2d90bfbae33852f41e26218483829ee8b02cd20c7a524b55d9eb2c4b6d66bd46dc178

  • C:\Users\Admin\AppData\Local\Temp\ufpdgu.exe
    Filesize: 156KB
    MD5: 874a87a6903064c1b5eeceef8e1d7821
    SHA1: 5321495dd0e71f70a6073f05b78810f98d2caa39
    SHA256: ccb9811b8655b47e64cb40e6c58e8627e5f87c8937f9546d4a6efad30cecaad4
    SHA512: 9e679670811b8fadc0f6629778d591b66272f6616b76ea3701c156c959ad97a791f7fe9cafed20326f99c7301e3938f40cd8be6c5eccd572ff8632f6a3068d06

  • C:\Users\Admin\AppData\Roaming\WindowsSecurity
    Filesize: 79KB
    MD5: 863711c10c1844754fca2729ac0f0380
    SHA1: 2836a5baebb141188c2f845453a2c7700ed6e40f
    SHA256: a441decf9cc4b9ac966e45c4127f253818f75328a30f2810acacf6551cd6f2bd
    SHA512: 6aa41e7112b5edbc9e3a1d7ab5fb5fb5e26c5cde702f60f70715178a7acb59479f59d182afe5c42ba0b5ca6f5107934b47c19ecd6e99c34fbc7386804c2aa7d6

  • memory/444-33-0x0000000000400000-0x000000000046F000-memory.dmp
    Filesize: 444KB

  • memory/444-23-0x0000000000400000-0x000000000046F000-memory.dmp
    Filesize: 444KB

  • memory/3876-9-0x00007FF9FFFB3000-0x00007FF9FFFB5000-memory.dmp
    Filesize: 8KB

  • memory/3876-13-0x00000000028C0000-0x00000000028CC000-memory.dmp
    Filesize: 48KB

  • memory/3876-12-0x00007FF9FFFB0000-0x00007FFA00A72000-memory.dmp
    Filesize: 10.8MB

  • memory/3876-336-0x00007FF9FFFB0000-0x00007FFA00A72000-memory.dmp
    Filesize: 10.8MB

  • memory/3876-1-0x00000000005F0000-0x000000000060A000-memory.dmp
    Filesize: 104KB

  • memory/3876-0-0x00007FF9FFFB3000-0x00007FF9FFFB5000-memory.dmp
    Filesize: 8KB

  • memory/3876-2-0x00007FF9FFFB0000-0x00007FFA00A72000-memory.dmp
    Filesize: 10.8MB

  • memory/4304-126-0x000001FE7B310000-0x000001FE7B410000-memory.dmp
    Filesize: 1024KB

  • memory/4304-138-0x000001FE7B110000-0x000001FE7B130000-memory.dmp
    Filesize: 128KB

  • memory/4304-139-0x000001FE7B8E0000-0x000001FE7B900000-memory.dmp
    Filesize: 128KB

  • memory/4304-140-0x000001FE7B1F0000-0x000001FE7B210000-memory.dmp
    Filesize: 128KB

  • memory/4304-99-0x000001FE7AE80000-0x000001FE7AEA0000-memory.dmp
    Filesize: 128KB

  • memory/4304-46-0x000001FE67BD0000-0x000001FE67CD0000-memory.dmp
    Filesize: 1024KB

  • memory/4784-8-0x00007FF9FFFB0000-0x00007FFA00A72000-memory.dmp
    Filesize: 10.8MB

  • memory/4784-11-0x00007FF9FFFB0000-0x00007FFA00A72000-memory.dmp
    Filesize: 10.8MB