Analysis
- max time kernel: 146s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-07-2024 07:26

Static task: static1
Behavioral task: behavioral1
- Sample: Montants à justifier_DGFIP45921-2.vbs
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: Montants à justifier_DGFIP45921-2.vbs
- Resource: win10v2004-20240704-en
(The signatures, process tree and memory dumps on this page are from the behavioral2 run on Windows 10 2004 x64; the win7 run is not shown.)
General
- Target: Montants à justifier_DGFIP45921-2.vbs
  (French-language lure: "Montants à justifier" means "amounts to be justified", and DGFIP is the French public finances directorate, i.e. a tax-notice theme)
- Size: 352KB
- MD5: c465ada59596b24ce7ec12859f022d1f
- SHA1: ce4d09b3a355ed0f5f88bcdc1fcdac749862b728
- SHA256: ea21df3506bd3e847b7d8c8b17ab681431ea616d48fc67e58352bc187fe81f7d
- SHA512: b9563c08c2c76334d78e73b59e5a9450469e002030b28520231708e756185742bc96f115e887753a51512616e81e9a7f4a44d3314647c088c58bbe0f644b675f
- SSDEEP: 1536:jh2F+VOLE9uko/3o1v4c4g2EePv/qcwUNQX3vGcXaA+7/BzGdZQn2sk82SCGZjjI:jeV1CZpyM
Malware Config
Extracted: xworm
- C2: fudisa.com:58538
- Install_directory: %AppData%
- install_file: Notepad++.exe

Extracted: xworm 5.0
- C2: mparrain10.duckdns.org:24124 (dynamic-DNS host)
- bgBnpZsYijmcMpUV (field left unlabelled by the extractor)
- install_file: USB.exe

Two distinct configurations with different C2 endpoints were recovered from the run, so both host:port pairs belong on the block list. Only the first config names an install directory; its install_file (Notepad++.exe) is the name reused for the Startup-folder persistence seen under Signatures.
Signatures
(All IoCs below are from the behavioral2 run.)

- Detect Xworm Payload (2 IoCs)
  YARA rule family_xworm matched in:
    behavioral2/memory/4844-19-0x0000000000400000-0x0000000000418000-memory.dmp
    behavioral2/memory/4844-38-0x0000000006CA0000-0x0000000006CAE000-memory.dmp
  Both regions belong to PID 4844 (AddInProcess32.exe). The first is a 96KB image at 0x400000, the default 32-bit image base, consistent with the XWorm executable mapped in place of the hollowed host's original image.

- StormKitty
  StormKitty is an open source info stealer written in C#.

- StormKitty payload (1 IoC)
  YARA rule family_stormkitty matched in:
    behavioral2/memory/4844-39-0x0000000006F40000-0x000000000705E000-memory.dmp
  Same process as the XWorm hits (PID 4844): the stealer runs inside the hollowed AddInProcess32.exe rather than as a separate process.

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
    Key value queried: \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation  (WScript.exe)
  Given the French-themed lure, a check of the configured nation before continuing is a plausible targeting gate; a sandbox whose locale does not match may never reach the payload stage.
- Drops startup file (3 IoCs)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad++.lnk  (AddInProcess32.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad++.lnk  (AddInProcess32.exe)
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad++.lnk  (AddInProcess32.exe)
  The shortcut's base name matches install_file = Notepad++.exe from the first extracted config, and the 42KB Notepad++.exe listed under Downloads sits in C:\Users\Admin\AppData\Roaming, the expanded Install_directory (%AppData%). Persistence is therefore a Startup-folder shortcut named after the installed copy; both the .lnk and the .exe are host IoCs derived directly from the config.
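The config fields above translate mechanically into the file paths to hunt for. As an added example that is not part of this report or of the sandbox's tooling, the following Python derives the expected install binary and Startup shortcut from each extracted XWorm config and checks them against file events. The user profile path, the %VAR% expansion table and the event tuples are assumptions; the paths in the sample events are the ones this report lists, but which process wrote Notepad++.exe is not stated on the page and is left out of the events on purpose.

```python
import re
from pathlib import PureWindowsPath

# The two XWorm configurations extracted in this report (persistence-relevant keys only).
XWORM_CONFIGS = [
    {"install_directory": "%AppData%", "install_file": "Notepad++.exe"},
    {"install_file": "USB.exe"},  # the second config carries no install_directory
]

# Constructed sample of (action, path) file events. The paths are the ones this report
# lists under "Drops startup file", "Drops file in System32 directory" and "Downloads".
SAMPLE_FILE_EVENTS = [
    ("File created", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad++.lnk"),
    ("File opened for modification", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad++.lnk"),
    ("File created", r"C:\Users\Admin\AppData\Roaming\Notepad++.exe"),
    ("File created", r"C:\Users\Admin\asy3.vbs"),
    ("File opened for modification", r"C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk"),
]

ENV_TOKEN = re.compile(r"%([A-Za-z_]+)%")
STARTUP_DIR = r"%AppData%\Microsoft\Windows\Start Menu\Programs\Startup"


def expand_env(path, profile):
    """Expand the %VAR% tokens XWorm configs use, relative to a user profile directory.
    Unknown tokens are left in place so they remain visible to unexpanded_env_paths()."""
    table = {  # assumption: the standard per-user locations on a default Windows install
        "appdata": f"{profile}\\AppData\\Roaming",
        "localappdata": f"{profile}\\AppData\\Local",
        "userprofile": profile,
        "temp": f"{profile}\\AppData\\Local\\Temp",
    }
    return ENV_TOKEN.sub(lambda m: table.get(m.group(1).lower(), m.group(0)), path)


def expected_artifacts(config, profile=r"C:\Users\Admin"):
    """Derive the on-disk artifacts a config implies: the installed copy (when the config
    names a directory) and a Startup-folder shortcut with the same base name."""
    name = config["install_file"]
    stem = name.rsplit(".", 1)[0]
    artifacts = {"startup_lnk": expand_env(f"{STARTUP_DIR}\\{stem}.lnk", profile)}
    if "install_directory" in config:
        artifacts["install_binary"] = expand_env(f"{config['install_directory']}\\{name}", profile)
    return artifacts


def same_path(a, b):
    """Windows-style comparison: case-insensitive, separators normalised."""
    return PureWindowsPath(a) == PureWindowsPath(b)


def match_artifacts(events, configs, profile=r"C:\Users\Admin"):
    """Return sorted (install_file, artifact kind, observed path) hits, deduplicated
    across repeated events on the same file."""
    hits = set()
    for config in configs:
        for kind, expected in expected_artifacts(config, profile).items():
            for _action, path in events:
                if same_path(path, expected):
                    hits.add((config["install_file"], kind, path))
    return sorted(hits)


def unexpanded_env_paths(events):
    """Paths still containing a literal %VAR% token: the writer passed an unexpanded
    environment string, so the file landed relative to its working directory instead."""
    return sorted({path for _action, path in events if ENV_TOKEN.search(path)})


if __name__ == "__main__":
    for install_file, kind, path in match_artifacts(SAMPLE_FILE_EVENTS, XWORM_CONFIGS):
        print(f"{install_file:<14} {kind:<15} {path}")
    for path in unexpanded_env_paths(SAMPLE_FILE_EVENTS):
        print(f"unexpanded env token in path: {path}")
```

Running it reports both Notepad++ artifacts for the first config and nothing for the second (no USB.lnk or USB.exe appears in the events), and separately flags the System32 path whose %AppData% component was never expanded, which is exactly the "Drops file in System32 directory" case below.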
- Drops file in System32 directory (3 IoCs)
    File opened for modification: C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk  (powershell.exe, once per instance: PIDs 4288, 3508, 3720)
  Caveat: the %AppData% component is literal, not expanded, so the path was resolved relative to powershell.exe's working directory (System32). The file is PowerShell's own Start Menu shortcut, and this artifact is commonly seen in sandbox runs of powershell.exe regardless of script content; it carries no malware signal on its own.

- Suspicious use of SetThreadContext (2 IoCs)
    PID 4288 (powershell.exe) set thread context of PID 4844 (AddInProcess32.exe)
    PID 3508 (powershell.exe) set thread context of PID 1776 (AddInProcess32.exe)
  Read together with the WriteProcessMemory events below (eight writes into each target, then the context change), this is the process-hollowing sequence: start a signed .NET host, overwrite its memory with the payload, then point a thread at the new entry point.

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (1 IoC)
    WerFault.exe (PID 3248) reported a crash of PID 4844 (AddInProcess32.exe)

- Checks processor information in registry (2 TTPs, 9 IoCs)
  Processor information is often read in order to detect sandboxing environments.
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  (wermgr.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  (wermgr.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  (wermgr.exe)
  (each read occurs once per wermgr.exe instance: PIDs 2448, 2712, 4656)
  Caveat: wermgr.exe is Windows Error Reporting, launched out-of-process by each powershell.exe (the PID in its command line names the reporting process). These reads are WER collecting machine details for an error report, not the payload fingerprinting the sandbox.

- Enumerates system info in registry (2 TTPs, 6 IoCs)
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS  (wermgr.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  (wermgr.exe)
  (once per wermgr.exe instance; same WER caveat as above)

- Suspicious behavior: AddClipboardFormatListener (1 IoC)
    PID 4632 vlc.exe

- Suspicious behavior: EnumeratesProcesses (10 IoCs)
    powershell.exe 4288 (x3), AddInProcess32.exe 4844 (x1), powershell.exe 3508 (x3), powershell.exe 3720 (x2), AddInProcess32.exe 1776 (x1)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
    PID 4632 vlc.exe

- Suspicious use of AdjustPrivilegeToken (5 IoCs)
    Token: SeDebugPrivilege enabled by powershell.exe 4288, AddInProcess32.exe 4844, powershell.exe 3508, powershell.exe 3720, AddInProcess32.exe 1776

- Suspicious use of FindShellTrayWindow (4 IoCs)
    PID 4632 vlc.exe (x4)

- Suspicious use of SendNotifyMessage (3 IoCs)
    PID 4632 vlc.exe (x3)

- Suspicious use of SetWindowsHookEx (3 IoCs)
    AddInProcess32.exe 4844, vlc.exe 4632, AddInProcess32.exe 1776
  The hooks installed from inside the two hollowed AddInProcess32.exe instances are the payload's; SetWindowsHookEx is the usual API behind user-mode keyboard hooks.

  vlc.exe (PID 4632) is a separate root process that opened C:\Users\Admin\Desktop\SyncGroup.WTV (see the process tree). Its clipboard, tray, hook and foreground-window flags are ordinary media-player UI behavior and are not attributable to the sample.
- Suspicious use of WriteProcessMemory (28 IoCs, grouped by source and target)
    PID 4988 (WScript.exe)    wrote to memory of PID 4288 (powershell.exe)      x2
    PID 4288 (powershell.exe) wrote to memory of PID 4844 (AddInProcess32.exe)  x8
    PID 4288 (powershell.exe) wrote to memory of PID 2448 (wermgr.exe)          x2
    PID 4988 (WScript.exe)    wrote to memory of PID 3508 (powershell.exe)      x2
    PID 4988 (WScript.exe)    wrote to memory of PID 3720 (powershell.exe)      x2
    PID 3508 (powershell.exe) wrote to memory of PID 1776 (AddInProcess32.exe)  x8
    PID 3508 (powershell.exe) wrote to memory of PID 2712 (wermgr.exe)          x2
    PID 3720 (powershell.exe) wrote to memory of PID 4656 (wermgr.exe)          x2
  The pairs with exactly two writes are the parent writing into a child it is creating (WScript.exe starting powershell.exe, powershell.exe starting wermgr.exe) and carry no signal by themselves. The two pairs with eight writes are the powershell.exe instances filling the suspended AddInProcess32.exe hosts before the SetThreadContext calls recorded above; those are the injection events worth alerting on.
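The SetThreadContext and WriteProcessMemory tables are raw per-call records, and the useful signal only appears once they are aggregated per source/target pair. As an added example that is not part of this report or of the sandbox's tooling, the Python below parses event lines written in the sandbox's own wording, counts writes per pair, and separates the two-write process-creation pattern from the many-writes-then-SetThreadContext hollowing pattern. The event lines are constructed from the PIDs and image names in this report; the write threshold and the list of commonly hollowed .NET hosts are assumptions to tune for your own telemetry.

```python
import re
from dataclasses import dataclass

# Constructed sample (not captured from a live host): the sandbox's wording for
# cross-process events, using the PIDs and images from this report. Repetition
# counts reproduce the report's 28 WriteProcessMemory IoCs.
SAMPLE_EVENTS = (
    ["PID 4988 wrote to memory of 4288 4988 WScript.exe powershell.exe"] * 2
    + ["PID 4288 wrote to memory of 4844 4288 powershell.exe AddInProcess32.exe"] * 8
    + ["PID 4288 set thread context of 4844 4288 powershell.exe AddInProcess32.exe"]
    + ["PID 4288 wrote to memory of 2448 4288 powershell.exe wermgr.exe"] * 2
    + ["PID 4988 wrote to memory of 3508 4988 WScript.exe powershell.exe"] * 2
    + ["PID 4988 wrote to memory of 3720 4988 WScript.exe powershell.exe"] * 2
    + ["PID 3508 wrote to memory of 1776 3508 powershell.exe AddInProcess32.exe"] * 8
    + ["PID 3508 set thread context of 1776 3508 powershell.exe AddInProcess32.exe"]
    + ["PID 3508 wrote to memory of 2712 3508 powershell.exe wermgr.exe"] * 2
    + ["PID 3720 wrote to memory of 4656 3720 powershell.exe wermgr.exe"] * 2
)

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

# Assumption: small signed Microsoft .NET binaries that are routinely started
# suspended and hollowed. Extend with what your estate sees.
HOLLOWING_HOSTS = {
    "addinprocess32.exe", "addinprocess.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
}


@dataclass
class PairActivity:
    source_image: str
    target_image: str
    writes: int = 0
    set_thread_context: bool = False


def parse_events(lines):
    """Aggregate WriteProcessMemory / SetThreadContext events per (source PID, target PID)."""
    pairs = {}
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not a cross-process event line
        key = (int(m["src"]), int(m["dst"]))
        pa = pairs.setdefault(key, PairActivity(m["src_img"], m["dst_img"]))
        if m["action"].startswith("wrote"):
            pa.writes += 1
        else:
            pa.set_thread_context = True
    return pairs


def classify(pairs, min_hollowing_writes=4):
    """Label each pair.

    process-creation : the one or two writes a parent makes into a child it starts
                       (WScript.exe -> powershell.exe, powershell.exe -> wermgr.exe).
    process-hollowing: repeated writes into one target followed by SetThreadContext,
                       i.e. a suspended child overwritten and its thread redirected
                       into the written payload (powershell.exe -> AddInProcess32.exe).
    remote-write     : anything else, worth a manual look.
    """
    verdicts = {}
    for key, pa in pairs.items():
        if pa.set_thread_context and pa.writes >= min_hollowing_writes:
            verdicts[key] = "process-hollowing"
        elif not pa.set_thread_context and pa.writes <= 2:
            verdicts[key] = "process-creation"
        else:
            verdicts[key] = "remote-write"
    return verdicts


def hollowing_alerts(lines):
    """Return sorted (src PID, src image, dst PID, dst image, dst is a known hollowing host)."""
    pairs = parse_events(lines)
    verdicts = classify(pairs)
    alerts = []
    for (src, dst), pa in pairs.items():
        if verdicts[(src, dst)] == "process-hollowing":
            trusted = pa.target_image.lower() in HOLLOWING_HOSTS
            alerts.append((src, pa.source_image, dst, pa.target_image, trusted))
    return sorted(alerts)


if __name__ == "__main__":
    for src, src_img, dst, dst_img, trusted in hollowing_alerts(SAMPLE_EVENTS):
        host = "signed .NET host" if trusted else "other target"
        print(f"hollowing: {src_img} ({src}) -> {dst_img} ({dst}) [{host}]")
```

On the sample events the eight pairs collapse to two hollowing alerts (4288 -> 4844 and 3508 -> 1776), both into AddInProcess32.exe, while the six creation pairs are labelled as such; the same aggregation applies to Sysmon Event ID 8/10 or EDR injection telemetry once the regex is swapped for that source's field layout.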
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Indentation shows parent/child depth. PIDs in parentheses are taken from the signature tables above; the tree itself records only images, command lines and the signatures each process triggered.)

C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Montants à justifier_DGFIP45921-2.vbs"
  Root process: the submitted sample.

C:\Windows\System32\WScript.exe  (PID 4988)
  C:\Windows\System32\WScript.exe "C:\Users\Admin\asy3.vbs"
  Root process running the dropped 1KB script asy3.vbs (see Downloads). It is not parented to the first WScript.exe, which is how a task created through the Task Scheduler COM API (TTP above) would appear in the tree.
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe  (PID 4288)
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  (PID 4844)
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          32-bit .NET host (Framework, not Framework64) started by the 64-bit powershell.exe and hollowed; the XWorm and StormKitty YARA hits are in this process's memory. It later crashed.
          - Drops startup file
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx

            C:\Windows\SysWOW64\WerFault.exe  (PID 3248)
              C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 2076
              - Program crash

        C:\Windows\system32\wermgr.exe  (PID 2448)
          "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4288" "2856" "2808" "2860" "0" "0" "2864" "0" "0" "0" "0" "0"
          - Checks processor information in registry
          - Enumerates system info in registry

    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe  (PID 3508)
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  (PID 1776)
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          Second hollowed host; no memory dump of this process is listed, so its payload is not confirmed by YARA on this page.
          - Drops startup file
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx

        C:\Windows\system32\wermgr.exe  (PID 2712)
          "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3508" "2896" "2832" "2900" "0" "0" "2904" "0" "0" "0" "0" "0"
          - Checks processor information in registry
          - Enumerates system info in registry

    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe  (PID 3720)
      "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
      Third PowerShell instance; it spawned no AddInProcess32.exe host.
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\wermgr.exe  (PID 4656)
          "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3720" "2732" "2664" "2736" "0" "0" "2740" "0" "0" "0" "0" "0"
          - Checks processor information in registry
          - Enumerates system info in registry

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4844 -ip 4844
  Root-level WER worker for the same crash of PID 4844.

C:\Program Files\VideoLAN\VLC\vlc.exe  (PID 4632)
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SyncGroup.WTV"
  Root process not descended from the sample; the flags below are generic media-player UI behavior.
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
Files written during the run (path, size, hashes):

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: 9461a7cfb20ff5381df28f51b80c5ef1
  SHA1: c86c53fca1dcbe307dafbefbb366abf52c9f5eca
  SHA256: d4af1948337d0deb725f4f2b1fe1a9b60f4519841e28748b11bfd62ccd71e028
  SHA512: da1e17f67dfebb004ba93d489be504fd7af6d62709ada2581ffa77880baecdaa0015b49d36333d18216d9dc6aad7b0ea2e5bd224d8d3f65ee9b66a05fc45e304
  (CLR usage log, normal .NET housekeeping for a PowerShell process)

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  Filesize: 53KB
  MD5: a26df49623eff12a70a93f649776dab7
  SHA1: efb53bd0df3ac34bd119adf8788127ad57e53803
  SHA256: 4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
  SHA512: e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 2KB
  MD5: 2fa26d61362615b1d082cd7f47b0b7b9
  SHA1: fdeaf9aa10db2844ef9a13f05996e680ffc7e4af
  SHA256: c2d8dc5712917d6d545e3ce189ddd6beae5355de06a29e1728c1073718783ae5
  SHA512: f9a56f6da4651782eecc5b01153b00d58cd571fa980f95b1a93b3647a8ea717430112cd93877b2ca0c5a816e924c5dfe0ce7235d82433998e72aa0413890fdee

- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive  (second version)
  Filesize: 3KB
  MD5: 0fa890bcc24627b309591f8d2a692028
  SHA1: edba7cfb6fee6860c862d4b384a03cdebe535ee4
  SHA256: 48b7a3f9b77f9ca8c6e20c9a35dfc8068ad8006f43e6e94c2c46fdb9c35c15c5
  SHA512: a34380e2422782a3bab9842424dc41005e4878f735b2aa5d9aa80cbb1a6d4901c50f4022a70fe5232e5e6e9c35f11d6df62908a1b2d1e6a9aa531510430260ac

- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n4jyxiap.doi.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  (the probe script PowerShell writes at startup to test application-control policy; not attacker content)

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
  Filesize: 230B
  MD5: dc0fc3b1d8dfb2151af683c5fe9128be
  SHA1: 7ff31e4cc5589bc38031b986f3c54fe94435a265
  SHA256: 8b5d267bf8af05b8181abe36234fae9b9ce19a06875fc09b62d7b88240e5820a
  SHA512: e694e1fcc26bd7899aeaca448fefdf1f283003889d4a6f8673b092e8968b4afdfc1c16d72c5e22da60c16cbebe28477bc71a6efe551b17e9b5948011fd0a7ff2
  (PSReadLine command history written during the run; worth retrieving from the sandbox as it may record the command lines the script fed to PowerShell)

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 6KB
  MD5: 158d9d644a4c2f618f9c17b99b854919
  SHA1: 28a09f90a231daee1cced803ab0588b7bdf5efb4
  SHA256: 44b65cf1f7624bd22f42b45061a9ea51cc40cd19ff12a39fe1534e752b56fdd2
  SHA512: 9e54a4f9632d0795b42ff124212b7e0979a4daa2b460a69976ca1792eede3c3f7ece2c56cc939a078135402a725646255c019b1c5d24e8a1045f7635ec43816b

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms  (second version)
  Filesize: 6KB
  MD5: 44f31555e27c0c27eee96bc36427be1e
  SHA1: 4438013b06676972692576a65b87416bf6118ec8
  SHA256: 390b019fad0b1a43f02c1aea377f28b2d5d168bd01619aeca51a63a9f0441351
  SHA512: 849cdaed256213f0acfc8b94741f8f470d7096e3a7197a074a5ed8cc7b99fd9c37eab0647cc294bb1e8d8259a588399845973e1fbdcd1f5c48cb79834a634aee

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms  (third version)
  Filesize: 6KB
  MD5: 51b6b5772463397d63ca4103059da273
  SHA1: 9132c9060451b53026c7a7251c6f0174c1713431
  SHA256: 42884de82210451b270eec56549ab25d3a52c6fa359ce0f9107a09a9e20d3e16
  SHA512: cd8f1aa8d2306ed5d90a16333393f41716b150ffb72a6b13d3b09b11b8dcd08a7e22d55e1f1f4364772c9055d23374d70327412de6eab999d76ba6af04696161
  (jump-list files; the three versions are the shell updating the same jump list)

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad++.lnk
  Filesize: 783B
  MD5: 585b1c86e73cef9b2bcf9103c32ab3e5
  SHA1: e7c3dc09a1db6a438ba93e66de583cf8cda00c64
  SHA256: c742a748d3145e958620cadaf3dd07ca5e2874722838b3f48316ac447b8d1838
  SHA512: ce57b55b7f2e7bcb223cd3e59d1f6a98f1afabbba52a3f44172495db345a1fba8592e79154f710e9e74878c79fb1cada94d0c746a48b1afad2b19e2e8436c3de
  (persistence shortcut written by AddInProcess32.exe; see "Drops startup file")

- C:\Users\Admin\AppData\Roaming\Notepad++.exe
  Filesize: 42KB
  MD5: 9827ff3cdf4b83f9c86354606736ca9c
  SHA1: e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723
  SHA256: c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a
  SHA512: 8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579
  (the installed copy named by the first XWorm config: Install_directory %AppData%, install_file Notepad++.exe; 42KB is far too small to be the real Notepad++)

- C:\Users\Admin\asy3.vbs
  Filesize: 1KB
  MD5: ecd56d423345d25d32d6894da7ea9a41
  SHA1: fa194094d6f86b76b9ea51cbee26ea2bd93d8852
  SHA256: 01d5fd9a203634b7d45a547cdf72a1edcd601340f37892c324b5f842b22c7b73
  SHA512: a6d4550a2bd57be7cd3b50754d2826a100a844553e2a4308366cdd442250989971635d3847add663ec307981e8566f9bd823dece00fac48d085f60336bf5d355
  (the dropped second-stage script executed by the WScript.exe PID 4988 root process)

- \??\PIPE\srvsvc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  (these are the hashes of empty content: the named pipe was opened but nothing was captured from it)
Memory regions dumped (behavioral2; each name encodes PID-index-start-end):

powershell.exe (PID 4288, 64-bit; user-mode heap addresses)
  memory/4288-13-0x00000144DC310000-0x00000144DC332000-memory.dmp  136KB
  memory/4288-14-0x00000144F45C0000-0x00000144F4604000-memory.dmp  272KB
  memory/4288-15-0x00000144F6A80000-0x00000144F6AF6000-memory.dmp  472KB
  memory/4288-17-0x00000144F4590000-0x00000144F459A000-memory.dmp  40KB
  memory/4288-18-0x00000144F45A0000-0x00000144F45AC000-memory.dmp  48KB

vlc.exe (PID 4632; sandbox noise, see the process tree)
  memory/4632-105-0x00007FF7672B0000-0x00007FF7673A8000-memory.dmp  992KB
  memory/4632-106-0x00007FFE236F0000-0x00007FFE23724000-memory.dmp  208KB
  memory/4632-107-0x00007FFE203F0000-0x00007FFE206A6000-memory.dmp  2.7MB
  memory/4632-108-0x00007FFE1CF00000-0x00007FFE1DFB0000-memory.dmp  16.7MB

AddInProcess32.exe (PID 4844, 32-bit, hollowed)
  memory/4844-19-0x0000000000400000-0x0000000000418000-memory.dmp  96KB   family_xworm
  memory/4844-29-0x0000000004F40000-0x0000000004FDC000-memory.dmp  624KB
  memory/4844-34-0x0000000005BC0000-0x0000000006164000-memory.dmp  5.6MB
  memory/4844-35-0x0000000006170000-0x0000000006202000-memory.dmp  584KB
  memory/4844-36-0x0000000005B80000-0x0000000005B8A000-memory.dmp  40KB
  memory/4844-37-0x0000000006390000-0x00000000063F6000-memory.dmp  408KB
  memory/4844-38-0x0000000006CA0000-0x0000000006CAE000-memory.dmp  56KB   family_xworm
  memory/4844-39-0x0000000006F40000-0x000000000705E000-memory.dmp  1.1MB  family_stormkitty
  memory/4844-40-0x00000000070A0000-0x00000000073F4000-memory.dmp  3.3MB
  memory/4844-41-0x0000000007450000-0x000000000749C000-memory.dmp  304KB

For static follow-up, the 96KB region at 0x400000 in PID 4844 is the one to carve: it is the payload image that replaced the host, and the XWorm config extractor results above were most likely recovered from it and from the powershell.exe regions that held the decoded stage before injection.