Analysis

  • max time kernel: 594s
  • max time network: 605s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240709-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 26/07/2024, 15:59

General

  • Target: Modrinth_Installer.exe
  • Size: 5.6MB
  • MD5: 578b2c56cabfa2d2a29bc7c0184a8e1d
  • SHA1: 11326b4b732c5cdb0edf9541c70d2dea3411ad6f
  • SHA256: cf7a4925fdb1f1add01d039751d168ecf9fc958efe3b926c14566d207de4b6b4
  • SHA512: 7ef67f3e50ad6bfb49b4fe62c7b44982d9b1620627c6514c535fb7df5c56aceb16a0392d7c9af82016d42a809ea2475eb1c4595bf87cedb3657a73d0fa6b57d8
  • SSDEEP: 98304:AxdENT+6HE4ThcGalSS9d+udj3mYcCqQcgT3XV8tEbETvsDHaLqV710ZZ9rPzrPH:v/HMlS2JxmYcmcg7XGqb6Msq51GPf

Malware Config

Extracted

  • Family: xworm
  • C2: she-vocal.gl.at.ply.gg:36704

Attributes

  • Install_directory: %AppData%
  • install_file: notepad.exe

Signatures

  • Detect Xworm Payload (2 IoCs)
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file (2 IoCs)
  • Executes dropped EXE (11 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Blocklisted process makes network request (1 IoC)
  • Enumerates connected drives (3 TTPs, 23 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service (1 IoC)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class (1 IoC)
  • Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken (44 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (7 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Modrinth_Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\Modrinth_Installer.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3600
    • C:\Users\Admin\AppData\Local\Temp\Modrinth.exe
      "C:\Users\Admin\AppData\Local\Temp\Modrinth.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4836
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "notepad" /tr "C:\Users\Admin\AppData\Roaming\notepad.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4196
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Modrinth App_0.7.1_x64_en-US.msi"
      2⤵
      • Blocklisted process makes network request
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:228
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2152
  • C:\Users\Admin\AppData\Roaming\notepad.exe
    C:\Users\Admin\AppData\Roaming\notepad.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1344
  • C:\Users\Admin\AppData\Roaming\notepad.exe
    C:\Users\Admin\AppData\Roaming\notepad.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2384
  • C:\Users\Admin\AppData\Roaming\notepad.exe
    C:\Users\Admin\AppData\Roaming\notepad.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1664
  • C:\Users\Admin\AppData\Roaming\notepad.exe
    C:\Users\Admin\AppData\Roaming\notepad.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5016
  • C:\Users\Admin\AppData\Roaming\notepad.exe
    C:\Users\Admin\AppData\Roaming\notepad.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3372
  • C:\Users\Admin\AppData\Roaming\notepad.exe
    C:\Users\Admin\AppData\Roaming\notepad.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4172
  • C:\Users\Admin\AppData\Roaming\notepad.exe
    C:\Users\Admin\AppData\Roaming\notepad.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2632
  • C:\Users\Admin\AppData\Roaming\notepad.exe
    C:\Users\Admin\AppData\Roaming\notepad.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3268
  • C:\Users\Admin\AppData\Roaming\notepad.exe
    C:\Users\Admin\AppData\Roaming\notepad.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1160
  • C:\Users\Admin\AppData\Roaming\notepad.exe
    C:\Users\Admin\AppData\Roaming\notepad.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4868

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\notepad.exe.log
    Filesize: 654B
    MD5: 2ff39f6c7249774be85fd60a8f9a245e
    SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
    SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
    SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

  • C:\Users\Admin\AppData\Local\Temp\Modrinth App_0.7.1_x64_en-US.msi
    Filesize: 5.0MB
    MD5: 5003486a784143bc96c3577172bbb44a
    SHA1: 9a960998807126041fae5b4fe9488d7ff3c5ca42
    SHA256: b1ac36000cee14b9c36aea4cef7f53ed2e7c18c9534b4ff66f07da11e8c07b59
    SHA512: 3fd871414cffe35ae649dbb02935eddcad75ee094f2d61f2cef48827dfb852ff3b8e4211f913bf65e4619b2a4989a2807d876a920a105735ac3e59362802ee19

  • C:\Users\Admin\AppData\Local\Temp\Modrinth.exe
    Filesize: 316KB
    MD5: 6f56f305614cbad9e5737acbee0f8894
    SHA1: 8feb8eb68fd2a0b8b502032073277961ec5d9ab9
    SHA256: 7389aaa07392f6533dc7a4b1f0377ab9b694bb5c08a45f7b871062e7f9f0bdff
    SHA512: bcfa430e336735785d988c3276d0524a0c66f629a8b26a39d6b4f93607f6f435f7ade02f68f963cf4bcbc6a42c63ea99ad6da8020f41defab242bd197121a26c

  • memory/3600-18-0x0000000000400000-0x00000000009A7000-memory.dmp
    Filesize: 5.7MB

  • memory/4836-12-0x00007FFAD17F3000-0x00007FFAD17F5000-memory.dmp
    Filesize: 8KB

  • memory/4836-13-0x0000000000C10000-0x0000000000C66000-memory.dmp
    Filesize: 344KB

  • memory/4836-20-0x00007FFAD17F0000-0x00007FFAD22B1000-memory.dmp
    Filesize: 10.8MB

  • memory/4836-34-0x00007FFAD17F3000-0x00007FFAD17F5000-memory.dmp
    Filesize: 8KB

  • memory/4836-35-0x00007FFAD17F0000-0x00007FFAD22B1000-memory.dmp
    Filesize: 10.8MB