Analysis
max time kernel: 30s
max time network: 6s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 29/10/2024, 22:04
Static task: static1
Behavioral task: behavioral1
Sample: BOTTLE_config.exe
Resource: win10ltsc2021-20241023-en
General
Target: BOTTLE_config.exe
Size: 129KB
MD5: 980a7d8044ad13e6b0ba2c61b52e1365
SHA1: 8ce2cda11a969e97e1aac3579bebc6ff5087d87e
SHA256: c77da91c55e49be9d9ce67fe5338f21cafef1c22c22b59f2b4823ae7918e680c
SHA512: 715ac4ea48e5f7d503b6a202a139b9e02813f7d62dee2457d54c68c28e0540cf9bb5b7131d966758d5e7acd9b341e8f2c2f3888cb3e9f5776b96fa5a94444f95
SSDEEP: 3072:0pJHCvpAli35r0tjLE2fWT7UIMqcgeS71zfqz6:SKAlq5wtW7Fcg9JLqz
Malware Config
Extracted
Family: xworm
C2: 185.84.161.64:7000
Install_directory: %ProgramData%
install_file: svchost.exe
Signatures
Detect Xworm Payload (2 IoCs)
  resource / yara_rule:
    behavioral1/files/0x00290000000450ba-13.dat  family_xworm
    behavioral1/memory/648-23-0x0000000000CA0000-0x0000000000CB8000-memory.dmp  family_xworm
Xworm family
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation  (BOTTLE_config.exe)
Executes dropped EXE (1 IoC)
  PID 648  svchost.exe
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 11  ip-api.com
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL (1 TTP, 36 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  All 36 IoCs are on \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh by netsh.exe: Key opened (12), Key queried (12), Key value enumerated (12).
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
  Adversaries may check for Internet connectivity on compromised systems.
  PID 2200  PING.EXE
System Time Discovery (1 TTP, 1 IoC)
  Adversary may gather the system time and/or time zone settings from a local or remote system.
  PID 1840  reg.exe
Runs ping.exe (1 TTP, 1 IoC)
  PID 2200  PING.EXE
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  PID 648  svchost.exe
Suspicious use of WriteProcessMemory (64 IoCs; every write below is recorded twice in the raw report)
  PID 4836 BOTTLE_config.exe wrote to memory of: 3856 (procid_target 81), 648 (83)
  PID 3856 cmd.exe wrote to memory of: 1036 (85), 1560 (86), 2108 (87), 640 (92), 4412 (93), 1784 (94), 4560 (95), 1556 (96), 3840 (97), 1452 (98), 4604 (99), 3312 (100), 2400 (101), 1208 (102), 1836 (103), 2200 (104), 4912 (105), 1124 (106), 692 (107), 1284 (108), 1712 (109), 1092 (110), 1628 (111), 3396 (112), 3696 (113), 1876 (114), 2156 (115), 3676 (116), 3500 (117), 1840 (118)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\BOTTLE_config.exe  PID 4836
    cmdline: "C:\Users\Admin\AppData\Local\Temp\BOTTLE_config.exe"
    signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\cmd.exe  PID 3856
      cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BOTTLE_config.bat" "
      signatures: Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\cmd.exe  PID 1036
        cmdline: C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
    [3] C:\Windows\system32\chcp.com  PID 1560
        cmdline: chcp 65001
    [3] C:\Windows\system32\mode.com  PID 2108
        cmdline: mode 120,10
    [3] C:\Windows\system32\chcp.com  PID 640
        cmdline: chcp 65001
    [3] C:\Windows\system32\mode.com  PID 4412
        cmdline: mode 40,10
    [3] C:\Windows\system32\netsh.exe  PID 1784
        cmdline: netsh interface ipv4 set subinterface "Ethernet" mtu=1500 store=persistent
        signatures: Event Triggered Execution: Netsh Helper DLL
    [3] C:\Windows\system32\netsh.exe  PID 4560
        cmdline: netsh interface ipv4 set subinterface "Wi-Fi" mtu=1500 store=persistent
        signatures: Event Triggered Execution: Netsh Helper DLL
    [3] C:\Windows\system32\netsh.exe  PID 1556
        cmdline: netsh int tcp set global maxsynretransmissions=8
        signatures: Event Triggered Execution: Netsh Helper DLL
    [3] C:\Windows\system32\netsh.exe  PID 3840
        cmdline: netsh int tcp set global rss=enabled
        signatures: Event Triggered Execution: Netsh Helper DLL
    [3] C:\Windows\system32\netsh.exe  PID 1452
        cmdline: netsh interface ipv4 set subinterface "Ethernet" mtu=1640 store=persistent
        signatures: Event Triggered Execution: Netsh Helper DLL
    [3] C:\Windows\system32\netsh.exe  PID 4604
        cmdline: netsh int tcp set heuristics disabled
        signatures: Event Triggered Execution: Netsh Helper DLL
    [3] C:\Windows\system32\netsh.exe  PID 3312
        cmdline: netsh int tcp set global netdma=enabled
        signatures: Event Triggered Execution: Netsh Helper DLL
    [3] C:\Windows\system32\netsh.exe  PID 2400
        cmdline: netsh int tcp set global dca=enabled
        signatures: Event Triggered Execution: Netsh Helper DLL
    [3] C:\Windows\system32\netsh.exe  PID 1208
        cmdline: netsh int tcp set global nonsackrttresiliency=disabled
        signatures: Event Triggered Execution: Netsh Helper DLL
    [3] C:\Windows\system32\netsh.exe  PID 1836
        cmdline: netsh int tcp set global ecncapability=disabled
        signatures: Event Triggered Execution: Netsh Helper DLL
    [3] C:\Windows\system32\PING.EXE  PID 2200
        cmdline: ping -n 3 localhost
        signatures: System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
    [3] C:\Windows\system32\reg.exe  PID 4912
        cmdline: Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "IRPStackSize" /t REG_DWORD /d "32" /f
    [3] C:\Windows\system32\reg.exe  PID 1124
        cmdline: Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "SizReqBuf" /t REG_DWORD /d "17424" /f
    [3] C:\Windows\system32\reg.exe  PID 692
        cmdline: Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "Size" /t REG_DWORD /d "3" /f
    [3] C:\Windows\system32\reg.exe  PID 1284
        cmdline: Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "MaxWorkItems" /t REG_DWORD /d "8192" /f
    [3] C:\Windows\system32\reg.exe  PID 1712
        cmdline: Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "MaxMpxCt" /t REG_DWORD /d "2048" /f
    [3] C:\Windows\system32\reg.exe  PID 1092
        cmdline: Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "MaxCmds" /t REG_DWORD /d "2048" /f
    [3] C:\Windows\system32\reg.exe  PID 1628
        cmdline: Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "DisableStrictNameChecking" /t REG_DWORD /d "1" /f
    [3] C:\Windows\system32\reg.exe  PID 3396
        cmdline: Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "EnableDynamicBacklog" /t REG_DWORD /d "1" /f
    [3] C:\Windows\system32\reg.exe  PID 3696
        cmdline: Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "MinimumDynamicBacklog" /t REG_DWORD /d "200" /f
    [3] C:\Windows\system32\reg.exe  PID 1876
        cmdline: Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "MaximumDynamicBacklog" /t REG_DWORD /d "20000" /f
    [3] C:\Windows\system32\reg.exe  PID 2156
        cmdline: Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "DynamicBacklogGrowthDelta" /t REG_DWORD /d "100" /f
    [3] C:\Windows\system32\reg.exe  PID 3676
        cmdline: Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "KeepAliveInterval" /t REG_DWORD /d "1" /f
    [3] C:\Windows\system32\reg.exe  PID 3500
        cmdline: Reg.exe add "HKLM\SYSTEM\ControlControlSet\Services\Dnscache\Parameters" /v "NegativeSOACacheTime" /t REG_DWORD /d "0" /f
    [3] C:\Windows\system32\reg.exe  PID 1840
        cmdline: Reg.exe add "HKLM\SYSTEM\ControlControlSet\Services\Dnscache\Parameters" /v "NetFailureCacheTime" /t REG_DWORD /d "0" /f
        signatures: System Time Discovery
    [3] C:\Windows\system32\reg.exe  PID 1964
        cmdline: Reg.exe add "HKLM\SYSTEM\ControlControlSet\Services\Dnscache\Parameters" /v "MaxCacheEntryTtlLimit" /t REG_DWORD /d "10800" /f
    [3] C:\Windows\system32\reg.exe  PID 1904
        cmdline: Reg.exe add "HKLM\SYSTEM\ControlControlSet\Services\Dnscache\Parameters" /v "MaxCacheTtl" /t REG_DWORD /d "10800" /f
    [3] C:\Windows\system32\reg.exe  PID 2428
        cmdline: Reg.exe add "HKLM\SYSTEM\ControlControlSet\Services\Dnscache\Parameters" /v "MaxNegativeCacheTtl" /t REG_DWORD /d "0" /f
    [3] C:\Windows\system32\netsh.exe  PID 2728
        cmdline: netsh int tcp set global rsc=enabled
        signatures: Event Triggered Execution: Netsh Helper DLL
    [3] C:\Windows\system32\netsh.exe  PID 344
        cmdline: netsh int tcp set global ecncapability=disabled
        signatures: Event Triggered Execution: Netsh Helper DLL
  [2] C:\Users\Admin\AppData\Roaming\svchost.exe  PID 648
      cmdline: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 43KB
MD5: ebac9390577bc00de4278fe25d2b54f0
SHA1: ab0507bcf7259a95453c392cf30cf03b327d3279
SHA256: a6b57685093715cac1b7e5470e4b8ca4b871a6b5d1d7d7e9ee8df5ee015a5252
SHA512: add0a3e64cf8cef059e1b12cc804d1685e3c8fc0d72ad1bdb88cc5da3bac8efa6e0c422645e9b84ea3ef558d1106dae49169748b50999d6a617580c04744ef93
Filesize: 70KB
MD5: ae702d156a2ee10aa0df4e5a365654a1
SHA1: bad92787d53da53bda2f180f770752e679ba80c0
SHA256: 07cc6cdf43c5bfa4c7dc097c3abc5a6fcdfbbda8a52db993ed9f397c4a8af716
SHA512: 3a6daf7b4ee44cfd6c9a15575f9b4bbc54f22192c72ff4380a2fb3f33227645a4c25cd5cfb15445b446d6485c6bfb38fdf6adf94f121b719ed373e2b5c9a0d9c