Malware Analysis Report

2025-08-11 07:49

Sample ID 241029-1yw23a1aqf
Target BOTTLE_config.exe
SHA256 c77da91c55e49be9d9ce67fe5338f21cafef1c22c22b59f2b4823ae7918e680c
Tags
xworm discovery persistence privilege_escalation rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c77da91c55e49be9d9ce67fe5338f21cafef1c22c22b59f2b4823ae7918e680c

Threat Level: Known bad

The file BOTTLE_config.exe was found to be: Known bad.

Malicious Activity Summary

xworm discovery persistence privilege_escalation rat trojan

Xworm family

Xworm

Detect Xworm Payload

Executes dropped EXE

Checks computer location settings

Looks up external IP address via web service

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

System Time Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-29 22:04

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-29 22:04

Reported

2024-10-29 22:04

Platform

win10ltsc2021-20241023-en

Max time kernel

30s

Max time network

6s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BOTTLE_config.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Xworm family

xworm

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BOTTLE_config.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

System Time Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\reg.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4836 wrote to memory of 3856 | N/A | C:\Users\Admin\AppData\Local\Temp\BOTTLE_config.exe | C:\Windows\system32\cmd.exe
PID 4836 wrote to memory of 3856 | N/A | C:\Users\Admin\AppData\Local\Temp\BOTTLE_config.exe | C:\Windows\system32\cmd.exe
PID 4836 wrote to memory of 648 | N/A | C:\Users\Admin\AppData\Local\Temp\BOTTLE_config.exe | C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4836 wrote to memory of 648 | N/A | C:\Users\Admin\AppData\Local\Temp\BOTTLE_config.exe | C:\Users\Admin\AppData\Roaming\svchost.exe
PID 3856 wrote to memory of 1036 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 3856 wrote to memory of 1036 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 3856 wrote to memory of 1560 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 3856 wrote to memory of 1560 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 3856 wrote to memory of 2108 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\mode.com
PID 3856 wrote to memory of 2108 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\mode.com
PID 3856 wrote to memory of 640 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 3856 wrote to memory of 640 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 3856 wrote to memory of 4412 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\mode.com
PID 3856 wrote to memory of 4412 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\mode.com
PID 3856 wrote to memory of 1784 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3856 wrote to memory of 1784 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3856 wrote to memory of 4560 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3856 wrote to memory of 4560 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3856 wrote to memory of 1556 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3856 wrote to memory of 1556 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3856 wrote to memory of 3840 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3856 wrote to memory of 3840 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3856 wrote to memory of 1452 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3856 wrote to memory of 1452 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3856 wrote to memory of 4604 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3856 wrote to memory of 4604 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3856 wrote to memory of 3312 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3856 wrote to memory of 3312 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3856 wrote to memory of 2400 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3856 wrote to memory of 2400 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3856 wrote to memory of 1208 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3856 wrote to memory of 1208 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3856 wrote to memory of 1836 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3856 wrote to memory of 1836 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe
PID 3856 wrote to memory of 2200 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 3856 wrote to memory of 2200 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 3856 wrote to memory of 4912 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 3856 wrote to memory of 4912 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 3856 wrote to memory of 1124 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 3856 wrote to memory of 1124 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 3856 wrote to memory of 692 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 3856 wrote to memory of 692 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 3856 wrote to memory of 1284 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 3856 wrote to memory of 1284 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 3856 wrote to memory of 1712 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 3856 wrote to memory of 1712 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 3856 wrote to memory of 1092 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 3856 wrote to memory of 1092 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 3856 wrote to memory of 1628 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 3856 wrote to memory of 1628 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 3856 wrote to memory of 3396 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 3856 wrote to memory of 3396 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 3856 wrote to memory of 3696 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 3856 wrote to memory of 3696 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 3856 wrote to memory of 1876 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 3856 wrote to memory of 1876 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 3856 wrote to memory of 2156 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 3856 wrote to memory of 2156 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 3856 wrote to memory of 3676 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 3856 wrote to memory of 3676 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 3856 wrote to memory of 3500 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 3856 wrote to memory of 3500 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 3856 wrote to memory of 1840 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 3856 wrote to memory of 1840 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\BOTTLE_config.exe

"C:\Users\Admin\AppData\Local\Temp\BOTTLE_config.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BOTTLE_config.bat" "

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\mode.com

mode 120,10

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\mode.com

mode 40,10

C:\Windows\system32\netsh.exe

netsh interface ipv4 set subinterface "Ethernet" mtu=1500 store=persistent

C:\Windows\system32\netsh.exe

netsh interface ipv4 set subinterface "Wi-Fi" mtu=1500 store=persistent

C:\Windows\system32\netsh.exe

netsh int tcp set global maxsynretransmissions=8

C:\Windows\system32\netsh.exe

netsh int tcp set global rss=enabled

C:\Windows\system32\netsh.exe

netsh interface ipv4 set subinterface "Ethernet" mtu=1640 store=persistent

C:\Windows\system32\netsh.exe

netsh int tcp set heuristics disabled

C:\Windows\system32\netsh.exe

netsh int tcp set global netdma=enabled

C:\Windows\system32\netsh.exe

netsh int tcp set global dca=enabled

C:\Windows\system32\netsh.exe

netsh int tcp set global nonsackrttresiliency=disabled

C:\Windows\system32\netsh.exe

netsh int tcp set global ecncapability=disabled

C:\Windows\system32\PING.EXE

ping -n 3 localhost

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "IRPStackSize" /t REG_DWORD /d "32" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "SizReqBuf" /t REG_DWORD /d "17424" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "Size" /t REG_DWORD /d "3" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "MaxWorkItems" /t REG_DWORD /d "8192" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "MaxMpxCt" /t REG_DWORD /d "2048" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "MaxCmds" /t REG_DWORD /d "2048" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "DisableStrictNameChecking" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "EnableDynamicBacklog" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "MinimumDynamicBacklog" /t REG_DWORD /d "200" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "MaximumDynamicBacklog" /t REG_DWORD /d "20000" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "DynamicBacklogGrowthDelta" /t REG_DWORD /d "100" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters" /v "KeepAliveInterval" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\ControlControlSet\Services\Dnscache\Parameters" /v "NegativeSOACacheTime" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\ControlControlSet\Services\Dnscache\Parameters" /v "NetFailureCacheTime" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\ControlControlSet\Services\Dnscache\Parameters" /v "MaxCacheEntryTtlLimit" /t REG_DWORD /d "10800" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\ControlControlSet\Services\Dnscache\Parameters" /v "MaxCacheTtl" /t REG_DWORD /d "10800" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\SYSTEM\ControlControlSet\Services\Dnscache\Parameters" /v "MaxNegativeCacheTtl" /t REG_DWORD /d "0" /f

C:\Windows\system32\netsh.exe

netsh int tcp set global rsc=enabled

C:\Windows\system32\netsh.exe

netsh int tcp set global ecncapability=disabled
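Three things in the process list above deserve a closer look than the signature names give them. The "Event Triggered Execution: Netsh Helper DLL" hit rests only on netsh.exe reading HKLM\SOFTWARE\Microsoft\NetSh, which every netsh invocation does to load its built-in helpers; none of the observed command lines registers a helper (that would be a "netsh add helper <dll>" line), so the persistence and privilege_escalation tags are not backed by a registration. The five Reg.exe lines that target "HKLM\SYSTEM\ControlControlSet\..." name a control set that does not exist, so they create an orphan key rather than touching the Dnscache parameters. The real payload is the dropped C:\Users\Admin\AppData\Roaming\svchost.exe, a system-binary name outside System32 that then takes SeDebugPrivilege. The added example below (not part of the sandbox output) encodes those distinctions as detection rules and runs them over events constructed from this report: PIDs 4836, 3856 and 648 are the ones the WriteProcessMemory table gives; the other PIDs are placeholders chosen here, and the final "netsh add helper" event is constructed to show what real helper-DLL registration looks like and was not observed.

```python
"""Detection rules over the BOTTLE_config.exe process tree (added example).

Events are constructed from the report's Processes section. PIDs 4836/3856/648
come from the WriteProcessMemory table; PIDs 101-105 and 999 are placeholders.
Rule names, thresholds and the 'netsh add helper' event are this example's own.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


EVENTS = [
    ProcEvent(4836, 1, r"C:\Users\Admin\AppData\Local\Temp\BOTTLE_config.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\BOTTLE_config.exe"'),
    ProcEvent(3856, 4836, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BOTTLE_config.bat" "'),
    ProcEvent(648, 4836, r"C:\Users\Admin\AppData\Roaming\svchost.exe",
              r'"C:\Users\Admin\AppData\Roaming\svchost.exe"'),
    ProcEvent(101, 3856, r"C:\Windows\system32\netsh.exe",
              'netsh interface ipv4 set subinterface "Ethernet" mtu=1500 store=persistent'),
    ProcEvent(102, 3856, r"C:\Windows\system32\netsh.exe", "netsh int tcp set global rss=enabled"),
    ProcEvent(103, 3856, r"C:\Windows\system32\reg.exe",
              r'Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "IRPStackSize" /t REG_DWORD /d "32" /f'),
    ProcEvent(104, 3856, r"C:\Windows\system32\reg.exe",
              r'Reg.exe add "HKLM\SYSTEM\ControlControlSet\Services\Dnscache\Parameters" /v "MaxCacheTtl" /t REG_DWORD /d "10800" /f'),
    ProcEvent(105, 3856, r"C:\Windows\system32\PING.EXE", "ping -n 3 localhost"),
    # Constructed, NOT observed in this report: genuine helper-DLL registration.
    ProcEvent(999, 3856, r"C:\Windows\system32\netsh.exe",
              r"netsh add helper C:\Users\Admin\AppData\Roaming\helper.dll"),
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}
CONTROL_SET = re.compile(r"^(?:CurrentControlSet|ControlSet\d{3})$", re.I)
REG_ADD = re.compile(r'^\s*reg(?:\.exe)?\s+add\s+"?([^"\s]+)"?', re.I)
REG_VALUE = re.compile(r'/v\s+"?([^"\s]+)"?', re.I)
SCRIPT_PATH = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:bat|cmd))', re.I)
NETSH_HELPER = re.compile(r"\badd\s+helper\b", re.I)


def rule_masquerade(ev):
    """System-binary name launched from outside the Windows system directories."""
    name = ntpath.basename(ev.image).lower()
    if name in SYSTEM_NAMES and not ev.image.lower().startswith(SYSTEM_DIRS):
        return f"{name} running from {ntpath.dirname(ev.image)}"
    return None


def rule_netsh_helper(ev):
    """Only 'netsh add helper' registers a DLL under HKLM\\SOFTWARE\\Microsoft\\NetSh;
    reading that key is normal netsh start-up and is deliberately not flagged."""
    if ntpath.basename(ev.image).lower() == "netsh.exe" and NETSH_HELPER.search(ev.cmdline):
        return f"helper DLL registration: {ev.cmdline}"
    return None


def rule_reg_add(ev):
    """Classify HKLM\\SYSTEM writes: a real service parameter vs. an orphan key."""
    m = REG_ADD.match(ev.cmdline)
    if not m:
        return None
    parts = m.group(1).split("\\")
    if len(parts) < 5 or parts[0].upper() not in ("HKLM", "HKEY_LOCAL_MACHINE") \
            or parts[1].upper() != "SYSTEM":
        return None
    value = REG_VALUE.search(ev.cmdline)
    vname = value.group(1) if value else "?"
    if not CONTROL_SET.match(parts[2]):  # e.g. 'ControlControlSet' is not a control set
        return f"orphan key (no control set named {parts[2]!r}): {vname}"
    if parts[3].upper() == "SERVICES":
        return f"service parameter {parts[4]}\\{vname}"
    return None


def rule_script_from_user_dir(ev):
    """cmd.exe executing a batch file that lives under the user profile."""
    if ntpath.basename(ev.image).lower() != "cmd.exe":
        return None
    m = SCRIPT_PATH.search(ev.cmdline)
    if m and "\\appdata\\" in m.group(1).lower():
        return f"batch from user profile: {m.group(1)}"
    return None


RULES = (rule_masquerade, rule_netsh_helper, rule_reg_add, rule_script_from_user_dir)


def triage(events):
    """Return (rule name, pid, detail) for every event a rule fires on."""
    return [(rule.__name__, ev.pid, hit) for ev in events for rule in RULES if (hit := rule(ev))]


if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:<26} pid={pid:<5} {detail}")
```

Run against the events above, the netsh rule fires only on the constructed "add helper" line and stays silent on the twelve tuning commands the sample actually ran; the masquerade rule catches the Roaming\svchost.exe drop, and the registry rule separates the LanmanServer/AFD writes (real service parameters, requiring an elevated token) from the ControlControlSet typo.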

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp

Files

memory/4836-0-0x00007FF8A9713000-0x00007FF8A9715000-memory.dmp

memory/4836-1-0x0000000000E20000-0x0000000000E46000-memory.dmp

C:\Users\Admin\AppData\Roaming\BOTTLE_config.bat

MD5 ebac9390577bc00de4278fe25d2b54f0
SHA1 ab0507bcf7259a95453c392cf30cf03b327d3279
SHA256 a6b57685093715cac1b7e5470e4b8ca4b871a6b5d1d7d7e9ee8df5ee015a5252
SHA512 add0a3e64cf8cef059e1b12cc804d1685e3c8fc0d72ad1bdb88cc5da3bac8efa6e0c422645e9b84ea3ef558d1106dae49169748b50999d6a617580c04744ef93

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 ae702d156a2ee10aa0df4e5a365654a1
SHA1 bad92787d53da53bda2f180f770752e679ba80c0
SHA256 07cc6cdf43c5bfa4c7dc097c3abc5a6fcdfbbda8a52db993ed9f397c4a8af716
SHA512 3a6daf7b4ee44cfd6c9a15575f9b4bbc54f22192c72ff4380a2fb3f33227645a4c25cd5cfb15445b446d6485c6bfb38fdf6adf94f121b719ed373e2b5c9a0d9c

memory/648-23-0x0000000000CA0000-0x0000000000CB8000-memory.dmp

memory/648-24-0x00007FF8A9710000-0x00007FF8AA1D2000-memory.dmp

memory/648-26-0x00007FF8A9710000-0x00007FF8AA1D2000-memory.dmp
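Most of the Network rows are not indicators: four of the seven are reverse-DNS (in-addr.arpa) lookups sent to the sandbox resolver, and only one of those, for 208.95.112.1, corresponds to an address the sample actually connected to. The added example below (not part of the sandbox output) parses the Network and Files sections into a usable IOC set: it decodes PTR names back to the IP they ask about, keeps ip-api.com and the 208.95.112.1:80 connection, sets the other reverse lookups aside as background, and pairs each dropped file path with its hashes while skipping the memory-dump entries. The report excerpt embedded in the block is copied from the sections above (SHA1/SHA512 lines omitted); the resolver list and the noise filters are this example's own choices, and rows are accepted either space- or pipe-delimited.

```python
"""IOC extraction from this report's Network and Files sections (added example).

REPORT_TEXT is copied from the report above; the RESOLVERS set and the
background-traffic filter are assumptions made here, not part of the report.
"""
import re

REPORT_TEXT = r"""
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp

Files

memory/4836-0-0x00007FF8A9713000-0x00007FF8A9715000-memory.dmp

C:\Users\Admin\AppData\Roaming\BOTTLE_config.bat

MD5 ebac9390577bc00de4278fe25d2b54f0
SHA256 a6b57685093715cac1b7e5470e4b8ca4b871a6b5d1d7d7e9ee8df5ee015a5252

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 ae702d156a2ee10aa0df4e5a365654a1
SHA256 07cc6cdf43c5bfa4c7dc097c3abc5a6fcdfbbda8a52db993ed9f397c4a8af716
"""

RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1"}  # assumed sandbox resolvers, not from the report
WIN_PATH = re.compile(r"^[A-Za-z]:\\\S+$")
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def ptr_to_ip(name):
    """'1.112.95.208.in-addr.arpa' -> '208.95.112.1'; None if not a PTR name."""
    if not name.lower().endswith(".in-addr.arpa"):
        return None
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def split_row(line):
    """Split a table row whether it is space- or pipe-delimited."""
    return [c for c in re.split(r"\s*\|\s*|\s+", line.strip()) if c]


def extract_iocs(text):
    """Parse report text into domains, endpoints, PTR lookups and dropped-file hashes."""
    iocs = {"domains": set(), "endpoints": set(), "ptr": {}, "dropped": {}}
    current = None  # dropped-file path whose hash lines follow
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        cols = split_row(line)
        if len(cols) == 4 and cols[3].lower() in ("tcp", "udp") and ":" in cols[1]:
            dst_ip = cols[1].rpartition(":")[0]
            ip = ptr_to_ip(cols[2])
            if ip:
                iocs["ptr"][cols[2]] = ip
            else:
                iocs["domains"].add(cols[2])
            # A TCP flow, or any traffic not aimed at the resolver, is a real endpoint.
            if cols[3].lower() == "tcp" or dst_ip not in RESOLVERS:
                iocs["endpoints"].add(cols[1])
            continue
        if WIN_PATH.match(line):  # 'memory/...' dump entries never match this
            current = line
            iocs["dropped"][current] = {}
            continue
        h = HASH_LINE.match(line)
        if h and current:
            iocs["dropped"][current][h.group(1)] = h.group(2).lower()
    contacted = {e.rpartition(":")[0] for e in iocs["endpoints"]}
    # Reverse lookups for addresses the sample never connected to are OS background noise.
    iocs["background_ptr"] = {ip for ip in iocs["ptr"].values()
                              if ip not in RESOLVERS and ip not in contacted}
    return iocs


if __name__ == "__main__":
    result = extract_iocs(REPORT_TEXT)
    for key in ("domains", "endpoints", "background_ptr"):
        print(f"{key}: {sorted(result[key])}")
    for path, hashes in result["dropped"].items():
        print(f"{path}: {hashes.get('SHA256')}")
```

The output leaves one domain (ip-api.com), one endpoint (208.95.112.1:80) and two hashed drops as the indicators worth sharing; the three background addresses are the ones the 73.31.126.40, 99.209.201.84 and 95.221.229.192 PTR rows decode to, which the sample never contacted.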