Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
28-06-2024 18:51
Static task
static1
Behavioral task
behavioral1
Sample
ModStickInjectorV1.exe
Resource
win7-20240508-en
General
-
Target
ModStickInjectorV1.exe
-
Size
748KB
-
MD5
457143901d9ca2f0bc836c1dd1faefe3
-
SHA1
11e554dcfca0dd51c5bfe92d35b9c13b21b81691
-
SHA256
cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26
-
SHA512
0bd04e37e8f3bb869783661972b83ec8fb6b06727eff27374d2855e714b31cd51b15ada8e46d8b09eda9367dd002f65436785b7962f80f5812396aff3c03c0d0
-
SSDEEP
12288:Ykpcy+P2t8ysP8ZURBmtxjlk/u6ntgJ2E3P0DtaxoisMLHsXxteTX:Ykpcy5tVZqBmTji/PQP0Zaxd5LHxT
Malware Config
Extracted
xworm
head-experimental.gl.at.ply.gg:46178
best-bird.gl.at.ply.gg:27196
super-nearest.gl.at.ply.gg:17835
wiz.bounceme.net:6000
-
install_file
USB.exe
Extracted
quasar
3.1.5
Slave
stop-largely.gl.at.ply.gg:27116
$Sxr-kl1r656AGsPQksTmi8
-
encryption_key
ql4fQ8TV9ZFP9vRX2myA
-
install_name
$sxr~Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
$77STARTUP~MSF
-
subdirectory
$sxr~SubDir
Extracted
asyncrat
Default
finally-grande.gl.at.ply.gg:25844
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
Detect Xworm Payload 7 IoCs
Processes:
resource / yara_rule:
- C:\Users\Admin\AppData\Local\Temp\Part1.exe: family_xworm
- behavioral2/memory/4400-21-0x0000000000FE0000-0x0000000000FF8000-memory.dmp: family_xworm
- C:\Users\Admin\AppData\Local\Temp\Part 1.exe: family_xworm
- C:\Users\Admin\AppData\Local\Temp\Part 4.exe: family_xworm
- behavioral2/memory/1588-59-0x0000000000440000-0x0000000000458000-memory.dmp: family_xworm
- behavioral2/memory/1556-86-0x00000000006A0000-0x00000000006BA000-memory.dmp: family_xworm
- behavioral2/memory/1588-169-0x000000001D6E0000-0x000000001D6EE000-memory.dmp: family_xworm
-
Quasar payload 2 IoCs
Processes:
resource / yara_rule:
- C:\Users\Admin\AppData\Local\Temp\Part 2.exe: family_quasar
- behavioral2/memory/2300-87-0x0000000000750000-0x00000000007BC000-memory.dmp: family_quasar
-
Async RAT payload 1 IoCs
Processes:
resource / yara_rule:
- C:\Users\Admin\AppData\Local\Temp\Part 3.exe: family_asyncrat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid / process:
- 2748 powershell.exe
- 4900 powershell.exe
- 3836 powershell.exe
- 1748 powershell.exe
- 2232 powershell.exe
- 1628 powershell.exe
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description / ioc / process:
- Key value queried: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation (Part 1.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation (Part1.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation (Part 4.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation (ModStickInjectorV1.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation (Part2.exe)
-
Executes dropped EXE 7 IoCs
Processes:
pid / process:
- 4400 Part1.exe
- 4368 Part2.exe
- 1588 Part 1.exe
- 2300 Part 2.exe
- 4396 Part 3.exe
- 1556 Part 4.exe
- 4676 Windows PowerShell.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow / ioc:
- 13: ip-api.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid / process:
- 4676 Windows PowerShell.exe (this same entry is recorded 64 times)
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes:
description / pid / process:
- Token: SeDebugPrivilege, 4676 Windows PowerShell.exe
- Token: SeDebugPrivilege, 1588 Part 1.exe
- Token: SeDebugPrivilege, 4396 Part 3.exe
- Token: SeDebugPrivilege, 2300 Part 2.exe
- Token: SeDebugPrivilege, 4400 Part1.exe
- Token: SeDebugPrivilege, 2748 powershell.exe
- Token: SeDebugPrivilege, 1556 Part 4.exe
- Token: SeDebugPrivilege, 4900 powershell.exe
- Token: SeDebugPrivilege, 3836 powershell.exe
- Token: SeDebugPrivilege, 1588 Part 1.exe
- Token: SeDebugPrivilege, 1748 powershell.exe
- Token: SeDebugPrivilege, 2232 powershell.exe
- Token: SeDebugPrivilege, 4400 Part1.exe
- Token: SeDebugPrivilege, 1628 powershell.exe
- Token: SeDebugPrivilege, 1556 Part 4.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid / process:
- 2300 Part 2.exe
- 1588 Part 1.exe
- 4400 Part1.exe
- 1556 Part 4.exe
-
Suspicious use of WriteProcessMemory 31 IoCs
Processes:
description / pid / process / target process (repeated identical entries are collapsed with a count; 31 entries in total):
- PID 4312 wrote to memory of 4400: ModStickInjectorV1.exe -> Part1.exe (2 entries)
- PID 4312 wrote to memory of 4368: ModStickInjectorV1.exe -> Part2.exe (2 entries)
- PID 4368 wrote to memory of 1588: Part2.exe -> Part 1.exe (2 entries)
- PID 4368 wrote to memory of 2300: Part2.exe -> Part 2.exe (3 entries)
- PID 4368 wrote to memory of 4396: Part2.exe -> Part 3.exe (2 entries)
- PID 4368 wrote to memory of 1556: Part2.exe -> Part 4.exe (2 entries)
- PID 4368 wrote to memory of 4676: Part2.exe -> Windows PowerShell.exe (3 entries)
- PID 1588 wrote to memory of 2748: Part 1.exe -> powershell.exe (2 entries)
- PID 2300 wrote to memory of 2228: Part 2.exe -> schtasks.exe (3 entries)
- PID 4400 wrote to memory of 4900: Part1.exe -> powershell.exe (2 entries)
- PID 1588 wrote to memory of 3836: Part 1.exe -> powershell.exe (2 entries)
- PID 4400 wrote to memory of 1748: Part1.exe -> powershell.exe (2 entries)
- PID 1556 wrote to memory of 2232: Part 4.exe -> powershell.exe (2 entries)
- PID 1556 wrote to memory of 1628: Part 4.exe -> powershell.exe (2 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\ModStickInjectorV1.exe (process tree level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\ModStickInjectorV1.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4312 -
C:\Users\Admin\AppData\Local\Temp\Part1.exe (process tree level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\Part1.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4400 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (process tree level 3)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part1.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4900 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (process tree level 3)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part1.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1748 -
C:\Users\Admin\AppData\Local\Temp\Part2.exe (process tree level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\Part2.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368 -
C:\Users\Admin\AppData\Local\Temp\Part 1.exe (process tree level 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\Part 1.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (process tree level 4)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part 1.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2748 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (process tree level 4)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 1.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3836 -
C:\Users\Admin\AppData\Local\Temp\Part 2.exe (process tree level 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\Part 2.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\schtasks.exe (process tree level 4)
Command line: "schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f
- Scheduled Task/Job: Scheduled Task
PID:2228 -
C:\Users\Admin\AppData\Local\Temp\Part 3.exe (process tree level 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\Part 3.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4396 -
C:\Users\Admin\AppData\Local\Temp\Part 4.exe (process tree level 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\Part 4.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (process tree level 4)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part 4.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2232 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (process tree level 4)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 4.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1628 -
C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe (process tree level 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4676
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2KB
MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD5 04114c0529b116bf66d764ff6a5a8fe3
SHA1 0caeff17d1b2190f76c9bf539105f6c40c92bd14
SHA256 fd7092b4e273314186bad6ce71aa4cd69450736b6ec6cc746868997ff82a7532
SHA512 6a718c330824346606ef24f71cca6be0bfafc626b1d2b060b36e919ab07f3d6a345f56cace8a5a84ffbe2183976eb197842c9fd2f3e3b8c8dd307057d59d6f26
-
Filesize
944B
MD5 3f038ac2e2ceadad0f78317ea7de6881
SHA1 f2ee66d1ab22d5594426a26e9d2628ce29b037a7
SHA256 475591875182108710538a2ea21a89e0ffa1df43f776689288e0fa96da46efb7
SHA512 f751f1f06b79550af211a9bf39d59712bb60f4e2c79a24d850970b1d40e871c2e53ce84ed4f5d974dad53cdbfb95d38a8eff9f871f22ae2d3e772deb731715f4
-
Filesize
67KB
MD5 092a0c6fe885844fd74947e64e7fc11e
SHA1 bfe46f64f36f2e927d862a1a787f146ed2c01219
SHA256 91431cb73305e0f1fdc698907301b6d312a350f667c50765615672e7f10a68f2
SHA512 022589bd17b46e5486971a59b2517956bb15815266e48dc73a7ae9ac9efd42a348af09df471562eb71ffc94ce1e1845d54ca2994663d1496a385bce50ae595f0
-
Filesize
409KB
MD5 e10c7425705b2bd3214fa96247ee21c4
SHA1 7603536b97ab6337fa023bafcf80579c2b4059e6
SHA256 021068ac225e479b124c33d9e7582c17fdea6e625b165b79e2c818479d8094e4
SHA512 47e031992d637fef2a67e4fb08d2d82eaba03eba6b80f3e0e0997153acf0d979d0294276c4a10a97daa50130540230865c56191e6fe8df07dbea11c50fa48a2d
-
Filesize
63KB
MD5 27fe9341167a34f606b800303ac54b1f
SHA1 86373d218b48361bff1c23ddd08b6ab1803a51d0
SHA256 29e13a91af9b0ac77e9b7f8b0c26e5702f46bd8aea0333ca2d191d1d09c70c5d
SHA512 05b83ad544862d9c0cfc2651b2842624cff59fc4f454e0b1a2b36a705b558fad5a834f9f1af9f2626c57f1e3cd9aa400e290eaafb6efeb680422992bcbbde5b0
-
Filesize
79KB
MD5 1f1b23752df3d29e7604ba52aea85862
SHA1 bb582c6cf022098b171c4c9c7318a51de29ebcf4
SHA256 4834d31394f19d42e8d2a035b4c3c9c36441340ea19fe766396848ecfb608960
SHA512 d52722ab73bb15d4a5b0033351f98f168192f382677e6d474f6cf506cf8dc2f5e421e45279b6cac0f074857f41a865d87b5d989450bfcb8eba925b7baa12fbde
-
Filesize
74KB
MD5 e35a7249966beef31a45272c53e06727
SHA1 cc54648f9c9423f7a625e96256c608791b1ab275
SHA256 ecb87965ad5fdc76a30721226b1cb8a6263bbbce476a0446ff730b6399022998
SHA512 1dc30dc4a690aa87211db37b8fbc152e2e9e2b2554927296ff62bd4d2a7ab542777faaa4752399719cfe816cf3886b3bb4a90539f3f197dedd52298f2a315114
-
Filesize
661KB
MD5 c47c0d681b491091209c54147c33da81
SHA1 58cb51be41aa576ce56d4c16c9c443e70e648f62
SHA256 429c5dd3f4af9dcaa0ebaefda12281af7c84b3e3aa05d1034ddf89d2bdefb720
SHA512 f3a6f9af783910dd94622bb0408385228dfe322487d9d89c140e2e49b8abbc3b9c9f3cb580635166d1ddf6f5b7feeac51380044cf100476d6994adc7cac6cc5c
-
Filesize
27KB
MD5 4daae2de5a31125d02b057c1ff18d58f
SHA1 e1d603edfcc150a4718e2916ae3dda3aa9548dc8
SHA256 25510f3aa1b879ea92a3cba9583d73e447b8765bae6dfcc4954bb72df5beaa7f
SHA512 7cda96a69f9cddab307f3f08e1f38a4d059f0cc7f7119d4a48891efdb01cf101ebcc06cb2ce0702ea2d689d27ee45faddc0a13cd72503c609c4e544919549a2a
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82