Analysis
-
max time kernel
126s -
max time network
132s -
platform
windows11-21h2_x64 -
resource
win11-20231222-en -
resource tags
-
submitted
12-02-2024 18:15
General
-
Target
botkiller_v2.exe
-
Size
2.4MB
-
MD5
393f1a65423bed5cd9fe07f0961c57fd
-
SHA1
24e44d12f7b480cbde26416ed0c0d5d6de16d173
-
SHA256
f5883a24e7944446c96fd756ff7903fb82d7af8eb3d67d4d45e05a9d6481d78b
-
SHA512
98722a4bfc30ba4ca2804fd18a2bec26c8cf4c55aaae29992067e7e212fb9b3756c3e67ad97623410dff780ae6b5e325427df51d4ccbc3b709c9291fe280dff7
-
SSDEEP
49152:N4G1qYbwVg9/146wPdppKF2gZKudi5HezLE06+3QXYfjbV+e:N5wSh146UBKPPdiBOE0QIfjb1
Malware Config
Extracted
xworm
147.185.221.16:40745
-
Install_directory
%AppData%
-
install_file
Wurst Client.exe
Signatures
-
Detect Xworm Payload 2 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\botkiller_v2.exe"C:\Users\Admin\AppData\Local\Temp\botkiller_v2.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Streetfighter 2verses.exe"C:\Users\Admin\AppData\Local\Temp\Streetfighter 2verses.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Streetfighter 2verses.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Streetfighter 2verses.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Wurst Client.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Wurst Client.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Wurst Client" /tr "C:\Users\Admin\AppData\Roaming\Wurst Client.exe"3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\street-fighter-ii-plus-en-win.exe"C:\Users\Admin\AppData\Local\Temp\street-fighter-ii-plus-en-win.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-8DN71.tmp\is-3PRLT.tmp"C:\Users\Admin\AppData\Local\Temp\is-8DN71.tmp\is-3PRLT.tmp" /SL4 $50200 "C:\Users\Admin\AppData\Local\Temp\street-fighter-ii-plus-en-win.exe" 1950296 522243⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Street Fighter 2 Plus Champion Edition\Fusion.exe"C:\Program Files (x86)\Street Fighter 2 Plus Champion Edition\Fusion.exe" Street-Fighter-2-Plus-Champion-Edition-(J)-[!].zip4⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004C41⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\Wurst Client.exe"C:\Users\Admin\AppData\Roaming\Wurst Client.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Wurst Client.exe"C:\Users\Admin\AppData\Roaming\Wurst Client.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.4MB
MD5e12e797a82c351b359a98d0573c4b5c3
SHA13dd7ff6d0a37a2d81582e510ce45c9728d5fc04f
SHA25672ec96fc652d3276b2bc318fecee1bba3bdf80d8e9b593128aff0e9ce36a6c8e
SHA512776275c7b9679287b70834b8240f38997415c55e9e0bcbafcccd5db825d6bacb3ebf8506080d3fab76274384b3acd1e8f3ddaf5bcd18bba59c5a9c084fac12f4
-
Filesize
4KB
MD5b66240fa278e78a47f0c7ead338258ef
SHA1e523a370ef6f0f0e3aa12dba1c4df951e3f12b32
SHA2563de784ef5a30ab0e654c5103c707e128d37d34af22e827acfb60e6d08c8dc087
SHA512c94afcc132b34d6e844dedbea009ab44728c4728a994311fc5baf399618ef3f51c689a512bec1eefd94bdc0ef5d830c561e4d4614e788517ea8055a43b17ad30
-
Filesize
1.5MB
MD5c42fe2366d341905476a68dffa282959
SHA148217071a0dd0450c736352c3bf0d1d294169523
SHA2563d16b5495c3b3019f831c95944526fb68c93f8d45d8f039bd7ce980da7910d8b
SHA512d908a7101b50937bb7d35275981f64b5d6f0948226708092df5b7d3b1d2d09fbe5eab2298f4c849d5432e8e04d013679f8bc07ccb6d63a58e31c5ea05e541058
-
Filesize
632KB
MD5398d101c484314bbbccf0857fc0f41da
SHA1d04d88735ff66fb299f127c43396cc262ae3f3a5
SHA2569b433b6cfd10bdcd6c9c18ceaf244280590961b5278737da7fb205725f5d04c4
SHA512b55c9198d53963a031f569f7b166c63021e6acf14bbb81aef3507f49134d11c67e8641bd745e7a1f142517ab8cd9da9f5166ff30bdebbf05f66dbc559b98afce
-
Filesize
654B
MD52cbbb74b7da1f720b48ed31085cbd5b8
SHA179caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9
-
Filesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
Filesize
944B
MD54093e5ab3812960039eba1a814c2ffb0
SHA1b5e4a98a80be72fccd3cc910e93113d2febef298
SHA256c0794e2b7036ce5612446a8b15e0c8387773bbc921f63cf8849f8a1f4ef3878c
SHA512f3555b45aa1a1dd5214716dc81a05905c4ecd5a3e1276d35e08c65623ab1d14d469b3b576a5d9638264c1222d73889d2cc1ee43fb579d9ca3fcddd9f557cac7b
-
Filesize
944B
MD539f275549f523222efba91bbfeedd021
SHA17e48c021b1e7b7c81b9a3b6b5cc1b220606e5731
SHA256a0072f885bdd0063b2415b0aa78d2228348ead9a89b307032cbba01894d5f3cd
SHA5123a0495982e447b14574f565c4756e4fe8a853543d5c791755f04de805f956f8a16109712a71b309d7ff4cd8385bffcbb40fceb054f59b7d742d7d9ed776d44f8
-
Filesize
944B
MD5aa6b748cd8f3e3c0e41549529b919e21
SHA15a4b9721f9fb5042f6ef7afd698d5ac5216a88bb
SHA256d7d665a42f940443efb28eb231dfe1c4062394e71fba145d6eea9ec075b0f0e8
SHA512361c523f49428a7e430279099e669a1a8af8764653f42e83105c0da3f8e8dd3be6c1719ea8c158d8f2e8425d74457147a4683190eb4a67019b9d02be44c13534
-
Filesize
76KB
MD53fe100d52f16ad437d735fe337e26045
SHA1fc9dfa5c989063a4e01c3d390852d10585fa6f2f
SHA256ec40152ef39685c68f9db62c6383c5fcb0096eeb91582c35dd1d4aa1ae5c5e65
SHA512a75d105c507a900323cfe399d5b5b93341ae893763d9cf869c1cfe6bee082ff0d60dce357423aced3f8e71ef80fee8fda4757223f0070466eb5f968c40af2fbd
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
647KB
MD5b683339ce008e97a0243a0f83bca1e09
SHA1a8a4c078225ec9d94912762bda3a745d83dbe8f4
SHA2565c6b8a1ab73cd03140040a3093e0d8466c666cd3fe17e8660dbc1a30d0b6f925
SHA512c39b2501f5887c363633c94b04d58396a0d285ff65963ed513e99ff2dd7f36da323904278c6a64b9f1f637aaeed17e3d9d40540baa9805369cc664a32c62c780
-
Filesize
2.1MB
MD5b9fdeac0fe8bd7910bee03b87f58c40e
SHA14202338dd8cba126d35a06876559d7cefdff196d
SHA256316691de2e852f677c55ab0530c4623d980b0bf08a007f353163c765a839cdb6
SHA512f4914116a6d7b33a295b7791ce07c6a01c2d1035e5e3683bd2b6ca4ead54b2191954e49f351dd859abbd5dcb7236930c10b40abecae156d5eaececdcedaa47fe
-
Filesize
190B
MD5b0d27eaec71f1cd73b015f5ceeb15f9d
SHA162264f8b5c2f5034a1e4143df6e8c787165fbc2f
SHA25686d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2
SHA5127b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c
-
Filesize
64KB
-
Filesize
2.4MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
48KB
-
Filesize
10.8MB
-
Filesize
104KB
-
Filesize
64KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
704KB
-
Filesize
704KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB