Analysis

  • max time kernel
    30s
  • max time network
    6s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    29/10/2024, 22:04

General

  • Target

    BOTTLE_config.exe

  • Size

    129KB

  • MD5

    980a7d8044ad13e6b0ba2c61b52e1365

  • SHA1

    8ce2cda11a969e97e1aac3579bebc6ff5087d87e

  • SHA256

    c77da91c55e49be9d9ce67fe5338f21cafef1c22c22b59f2b4823ae7918e680c

  • SHA512

    715ac4ea48e5f7d503b6a202a139b9e02813f7d62dee2457d54c68c28e0540cf9bb5b7131d966758d5e7acd9b341e8f2c2f3888cb3e9f5776b96fa5a94444f95

  • SSDEEP

    3072:0pJHCvpAli35r0tjLE2fWT7UIMqcgeS71zfqz6:SKAlq5wtW7Fcg9JLqz

Malware Config

Extracted

Family

xworm

C2

185.84.161.64:7000

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    svchost.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 36 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • System Time Discovery 1 TTPs 1 IoCs

    Adversary may gather the system time and/or time zone settings from a local or remote system.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BOTTLE_config.exe
    "C:\Users\Admin\AppData\Local\Temp\BOTTLE_config.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4836
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BOTTLE_config.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3856
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
        3⤵
        PID:1036
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:1560
      • C:\Windows\system32\mode.com
        mode 120,10
        3⤵
        PID:2108
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:640
      • C:\Windows\system32\mode.com
        mode 40,10
        3⤵
        PID:4412
      • C:\Windows\system32\netsh.exe
        netsh interface ipv4 set subinterface "Ethernet" mtu=1500 store=persistent
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:1784
      • C:\Windows\system32\netsh.exe
        netsh interface ipv4 set subinterface "Wi-Fi" mtu=1500 store=persistent
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:4560
      • C:\Windows\system32\netsh.exe
        netsh int tcp set global maxsynretransmissions=8
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:1556
      • C:\Windows\system32\netsh.exe
        netsh int tcp set global rss=enabled
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:3840
      • C:\Windows\system32\netsh.exe
        netsh interface ipv4 set subinterface "Ethernet" mtu=1640 store=persistent
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:1452
      • C:\Windows\system32\netsh.exe
        netsh int tcp set heuristics disabled
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:4604
      • C:\Windows\system32\netsh.exe
        netsh int tcp set global netdma=enabled
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:3312
      • C:\Windows\system32\netsh.exe
        netsh int tcp set global dca=enabled
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:2400
      • C:\Windows\system32\netsh.exe
        netsh int tcp set global nonsackrttresiliency=disabled
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:1208
      • C:\Windows\system32\netsh.exe
        netsh int tcp set global ecncapability=disabled
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:1836
      • C:\Windows\system32\PING.EXE
        ping -n 3 localhost
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2200
      • C:\Windows\system32\reg.exe
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "IRPStackSize" /t REG_DWORD /d "32" /f
        3⤵
        PID:4912
      • C:\Windows\system32\reg.exe
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "SizReqBuf" /t REG_DWORD /d "17424" /f
        3⤵
        PID:1124
      • C:\Windows\system32\reg.exe
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "Size" /t REG_DWORD /d "3" /f
        3⤵
        PID:692
      • C:\Windows\system32\reg.exe
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "MaxWorkItems" /t REG_DWORD /d "8192" /f
        3⤵
        PID:1284
      • C:\Windows\system32\reg.exe
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "MaxMpxCt" /t REG_DWORD /d "2048" /f
        3⤵
        PID:1712
      • C:\Windows\system32\reg.exe
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "MaxCmds" /t REG_DWORD /d "2048" /f
        3⤵
        PID:1092
      • C:\Windows\system32\reg.exe
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "DisableStrictNameChecking" /t REG_DWORD /d "1" /f
        3⤵
        PID:1628
      • C:\Windows\system32\reg.exe
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "EnableDynamicBacklog" /t REG_DWORD /d "1" /f
        3⤵
        PID:3396
      • C:\Windows\system32\reg.exe
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "MinimumDynamicBacklog" /t REG_DWORD /d "200" /f
        3⤵
        PID:3696
      • C:\Windows\system32\reg.exe
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "MaximumDynamicBacklog" /t REG_DWORD /d "20000" /f
        3⤵
        PID:1876
      • C:\Windows\system32\reg.exe
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "DynamicBacklogGrowthDelta" /t REG_DWORD /d "100" /f
        3⤵
        PID:2156
      • C:\Windows\system32\reg.exe
        Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "KeepAliveInterval" /t REG_DWORD /d "1" /f
        3⤵
        PID:3676
      • C:\Windows\system32\reg.exe
        Reg.exe add "HKLM\SYSTEM\ControlControlSet\Services\Dnscache\Parameters" /v "NegativeSOACacheTime" /t REG_DWORD /d "0" /f
        3⤵
        PID:3500
      • C:\Windows\system32\reg.exe
        Reg.exe add "HKLM\SYSTEM\ControlControlSet\Services\Dnscache\Parameters" /v "NetFailureCacheTime" /t REG_DWORD /d "0" /f
        3⤵
        • System Time Discovery
        PID:1840
      • C:\Windows\system32\reg.exe
        Reg.exe add "HKLM\SYSTEM\ControlControlSet\Services\Dnscache\Parameters" /v "MaxCacheEntryTtlLimit" /t REG_DWORD /d "10800" /f
        3⤵
        PID:1964
      • C:\Windows\system32\reg.exe
        Reg.exe add "HKLM\SYSTEM\ControlControlSet\Services\Dnscache\Parameters" /v "MaxCacheTtl" /t REG_DWORD /d "10800" /f
        3⤵
        PID:1904
      • C:\Windows\system32\reg.exe
        Reg.exe add "HKLM\SYSTEM\ControlControlSet\Services\Dnscache\Parameters" /v "MaxNegativeCacheTtl" /t REG_DWORD /d "0" /f
        3⤵
        PID:2428
      • C:\Windows\system32\netsh.exe
        netsh int tcp set global rsc=enabled
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:2728
      • C:\Windows\system32\netsh.exe
        netsh int tcp set global ecncapability=disabled
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:344
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:648

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\BOTTLE_config.bat

    Filesize

    43KB

    MD5

    ebac9390577bc00de4278fe25d2b54f0

    SHA1

    ab0507bcf7259a95453c392cf30cf03b327d3279

    SHA256

    a6b57685093715cac1b7e5470e4b8ca4b871a6b5d1d7d7e9ee8df5ee015a5252

    SHA512

    add0a3e64cf8cef059e1b12cc804d1685e3c8fc0d72ad1bdb88cc5da3bac8efa6e0c422645e9b84ea3ef558d1106dae49169748b50999d6a617580c04744ef93

  • C:\Users\Admin\AppData\Roaming\svchost.exe

    Filesize

    70KB

    MD5

    ae702d156a2ee10aa0df4e5a365654a1

    SHA1

    bad92787d53da53bda2f180f770752e679ba80c0

    SHA256

    07cc6cdf43c5bfa4c7dc097c3abc5a6fcdfbbda8a52db993ed9f397c4a8af716

    SHA512

    3a6daf7b4ee44cfd6c9a15575f9b4bbc54f22192c72ff4380a2fb3f33227645a4c25cd5cfb15445b446d6485c6bfb38fdf6adf94f121b719ed373e2b5c9a0d9c

  • memory/648-23-0x0000000000CA0000-0x0000000000CB8000-memory.dmp

    Filesize

    96KB

  • memory/648-24-0x00007FF8A9710000-0x00007FF8AA1D2000-memory.dmp

    Filesize

    10.8MB

  • memory/648-26-0x00007FF8A9710000-0x00007FF8AA1D2000-memory.dmp

    Filesize

    10.8MB

  • memory/4836-0-0x00007FF8A9713000-0x00007FF8A9715000-memory.dmp

    Filesize

    8KB

  • memory/4836-1-0x0000000000E20000-0x0000000000E46000-memory.dmp

    Filesize

    152KB