Overview

overview

10

Static

static

3

KING_BOTTLE.exe

windows7-x64

10

KING_BOTTLE.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-11-2024 23:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    KING_BOTTLE.exe

  • Size

    105KB

  • MD5

    5ee059c0e66dbcf5eaac208829cf73fb

  • SHA1

    4582948195572f2ac0428bfd0cb1708bf7297d4d

  • SHA256

    873b8992d43241a737721a289679e2c51e46ce705b5b74fd1df8e4062d7892bc

  • SHA512

    5b6b543072c73ebcc71ab9c5da88a288df0d6e3cac4828e9627440768e5a52e8b7493cba7d4bfd6aee17158665bdc92cda3dcd5e3967d88495aed8245c155cdb

  • SSDEEP

    1536:/cp9JeddKdZ9JImr2RF4a9ZhH3D3LKvGHsmt7y/gXqzKUJC9TCw0llAnJ:12jlyRF4a9ZhrIm9qHJC9TCw0bAnJ

Score
10/10
xwormrattrojan

Malware Config

Extracted

Family

xworm

C2

45.141.26.214:7000

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\KING_BOTTLE.exe
    "C:\Users\Admin\AppData\Local\Temp\KING_BOTTLE.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1188
    • C:\ProgramData\svchost.exe
      "C:\ProgramData\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3452
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ProgramData\KING_BOTTLE.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3772
      • C:\Windows\system32\mode.com
        Mode 153,45
        3⤵
          PID:1132
        • C:\Windows\system32\reg.exe
          Reg.exe add HKLM /F
          3⤵
          • Modifies registry key
          PID:3324
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
          3⤵
            PID:2524
          • C:\Windows\system32\mode.com
            Mode 153,45
            3⤵
              PID:4328
            • C:\Windows\system32\chcp.com
              chcp 65001
              3⤵
                PID:1296

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\KING_BOTTLE.bat
            Filesize

            17KB

            MD5

            69bcb8045611c1459e9ca93f88009c81

            SHA1

            40865dd415f4eae3bffd182f3c068315857880a9

            SHA256

            0f66c49cad93925f51152867a98a1a95b1d200cafc45f2e9c32afba66a337d0b

            SHA512

            b81154684924482db06261933258bd5109de63e21be31c7cfa708946987b86a36db71f8123e9bb5d8876f402384cb3497ec34dc8bd717cefcffdafdfc755ea40

            Download Submit

          • C:\ProgramData\svchost.exe
            Filesize

            75KB

            MD5

            907e3316a9311d08c09eaae41b3d078f

            SHA1

            0052c133e8f0af426f90c4b755dc7781e24f1b83

            SHA256

            2850f31537516c0df7461fa946cc45e77b3af27ae0eca69c541f9a11399c31c0

            SHA512

            6330763ac1fd2363279b4f5dc1cdf25ea1306cfe0e3c60cd09cec6dba91031ab28b936e2a7c15ba495de0c031d6fc41429c33dcd02a2cc9dfb4cc9c566f59734

            Download Submit

          • memory/1188-0-0x00007FFFFDBF3000-0x00007FFFFDBF5000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1188-1-0x0000000000C20000-0x0000000000C40000-memory.dmp

            Filesize

            128KB

            Download

          • memory/3452-16-0x0000000000300000-0x000000000031A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/3452-18-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3452-20-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp

            Filesize

            10.8MB

            Download