Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.
Threat behavior
Installation
VirTool:Win32/DelfInject drops itself using a random file name (such as "xpxnqdv.exe") in the %APPDATA%\Microsoft\Windows folder.
It modifies the following registry entry so that it runs each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random value>" (for example, "B5XWlRZ5/ql2chDjTA")
With data: "%AppData%\microsoft\windows\xpxnqdv.exe"
It then launches the legitimate file "<system folder>\rundll32.exe" and injects a thread into it that deletes the malware's originally executed EXE file.
Before running, VirTool:Win32/DelfInject checks your PC for certain security software; if any is found, it stops running.
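The persistence pattern above (a Run value with a random name whose data points into %AppData%\Microsoft\Windows) can be hunted for offline in a .reg export of the HKCU Run key. The script below is an added example, not part of the Microsoft write-up: it parses a constructed sample export, resolves each value's executable path, and flags entries that run from the drop folder or carry a random-looking value name. The sample entries other than the value and file name quoted in the write-up are made up for illustration, and the randomness heuristic is an assumption, so treat hits as triage leads rather than verdicts.

```python
"""Hunt HKCU Run entries matching the DelfInject persistence pattern.

Added example (not from the Microsoft write-up). Parses a .reg export of the
HKCU Run key and flags values whose data points into %AppData%\\Microsoft\\Windows
(the drop folder described in the write-up) or whose value name looks random.
"""
import math
import re
from collections import Counter

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# Folder the malware drops into; compared case-insensitively because the
# write-up shows the registry data written as "%AppData%\microsoft\windows".
DROP_DIR = r"%appdata%\microsoft\windows"

# Constructed sample export: two legitimate entries, one entry copied from the
# write-up's example value/data, and one made-up entry with the path expanded.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"B5XWlRZ5/ql2chDjTA"="%AppData%\\microsoft\\windows\\xpxnqdv.exe"
"Discord"="C:\\Users\\alice\\AppData\\Local\\Discord\\Update.exe --processStart Discord.exe"
"q8Zt3kLw"="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\svchost.exe"

[HKEY_CURRENT_USER\Software\Other]
"x"="y"
'''


def unescape(s):
    """Undo .reg escaping: '\\\\' -> '\\' and '\\"' -> '"', left to right."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_values(reg_text):
    """Return {value_name: data} for the HKCU Run key from a .reg export."""
    values = {}
    in_key = False
    line_re = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        if not in_key or not line.startswith('"'):
            continue
        m = line_re.match(line)
        if m:
            values[unescape(m.group(1))] = unescape(m.group(2))
    return values


def executable_path(data):
    """Extract the program path from Run value data (quoted or bare, with args)."""
    m = re.match(r'^"([^"]+)"', data)
    if m:
        return m.group(1)
    m = re.match(r"^(.*?\.exe)", data, re.IGNORECASE)
    return m.group(1) if m else data


def in_drop_dir(exe_path):
    """True if the path is under %AppData%\\Microsoft\\Windows, raw or expanded."""
    p = exe_path.lower()
    return DROP_DIR in p or bool(re.search(r"\\appdata\\roaming\\microsoft\\windows\\", p))


def looks_random(name):
    """Assumed heuristic: mixed case plus digits, or high per-character entropy."""
    has_upper = any(c.isupper() for c in name)
    has_lower = any(c.islower() for c in name)
    has_digit = any(c.isdigit() for c in name)
    if len(name) >= 6 and has_upper and has_lower and has_digit:
        return True
    counts = Counter(name)
    entropy = -sum(n / len(name) * math.log2(n / len(name)) for n in counts.values())
    return len(name) >= 8 and entropy >= 3.5


def triage(reg_text):
    """Return [(value_name, exe_path, reasons)] for suspicious Run entries."""
    hits = []
    for name, data in parse_run_values(reg_text).items():
        exe = executable_path(data)
        reasons = []
        if in_drop_dir(exe):
            reasons.append("runs from %AppData%\\Microsoft\\Windows")
        if looks_random(name):
            reasons.append("random-looking value name")
        if reasons:
            hits.append((name, exe, reasons))
    return hits


if __name__ == "__main__":
    for name, exe, reasons in triage(SAMPLE_REG):
        print(f"{name!r} -> {exe}: {', '.join(reasons)}")
```

On a live host, `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` produces the input format this expects. The drop-folder rule is the stronger signal: legitimate Run entries rarely launch an EXE directly from %AppData%\Microsoft\Windows, whereas the name heuristic will occasionally flag vendors that use hashed value names.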
Payload
Downloads files
VirTool:Win32/DelfInject injects code into "svchost.exe" so it can connect to certain servers and download files. One of the servers that it is known to connect to is "cate<removed>ksys.info".
At the time of this analysis, the files were not available for download.