Analysis
max time kernel: 1061s
max time network: 1584s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 24-03-2023 10:45
Behavioral task: behavioral1
Sample: Bot.exe
Resource: win10-20230220-en
General
Target: Bot.exe
Size: 63KB
MD5: 762f2fc17465058d27010124bb425202
SHA1: 1b6b701c9c09128886e4676c4f1e534c7db39ad9
SHA256: ae045f8e36db8f38af35258127ff43a71d522ae6ad15b7aad527bf75dd7a7666
SHA512: 329eacc85396f176fb30989f8d85fbeea097388ab37edecf22c3f4f368c1b0b0106cc7ec5c5ad06abbe488868ce4a5731ab04e4e7852a3d37bb1bdc42bb4e932
SSDEEP: 768:8FfQVS7rGOe01ZDKMFiw7qyignMEOoCenkHubK23vuEBXKZ7ifudOPJhsAjDOep:Yfo/mKM1qrgnqebKivpaV0udOR3us
Malware Config
Extracted: xworm
ways-examining.at.ply.gg:18120
install_file: USB.exe
Signatures

Drops startup file (2 IoCs)
Processes (description / ioc / process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bot.lnk (Bot.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bot.lnk (Bot.exe)

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description / ioc / process):
- Set value (str): \REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bot = "C:\\Users\\Admin\\AppData\\Roaming\\Bot.exe" (Bot.exe)

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow / ioc):
- 1: ip-api.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Delays execution with timeout.exe (1 IoCs)
Processes (pid / process):
- 1820: timeout.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes (pid / process):
- 2756: Bot.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege, 2756, Bot.exe
- Token: SeDebugPrivilege, 2756, Bot.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes (pid / process):
- 2756: Bot.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes (description / pid / process / target process):
- PID 2756 wrote to memory of 2436: 2756 Bot.exe -> cmd.exe
- PID 2756 wrote to memory of 2436: 2756 Bot.exe -> cmd.exe
- PID 2436 wrote to memory of 1820: 2436 cmd.exe -> timeout.exe
- PID 2436 wrote to memory of 1820: 2436 cmd.exe -> timeout.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\Bot.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Bot.exe"
   - Drops startup file
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2756

   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7585.tmp.bat""
      - Suspicious use of WriteProcessMemory
      PID: 2436

      3. C:\Windows\system32\timeout.exe
         Command line: timeout 3
         - Delays execution with timeout.exe
         PID: 1820
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7585.tmp.bat
  Filesize: 155B
  MD5: 9197ba64c6cf5b5027a45e2c060f0b52
  SHA1: 97898de3d5e26cd7abd7df8b3ebec571a7154a43
  SHA256: 38228b1175172da1815c0152ba44ef2c8891e8fa3fa97f15db994ce9033ec062
  SHA512: ca4312a8fcfeb7d7da14ed054dfb336695e8b11ac949992033cf79a677916772e109d5309fef69b4ebe4d27d1c0daf94fe74146892edca7ffc6b116babbac18f

memory/2756-119-0x0000000000110000-0x0000000000126000-memory.dmp
  Filesize: 88KB

memory/2756-120-0x000000001AEA0000-0x000000001AEB0000-memory.dmp
  Filesize: 64KB

memory/2756-124-0x000000001AEA0000-0x000000001AEB0000-memory.dmp
  Filesize: 64KB

memory/2756-126-0x0000000000790000-0x000000000079A000-memory.dmp
  Filesize: 40KB