Overview

overview

10

Static

static

1

dsad.bat

windows11-21h2-x64

10

Analysis

  • max time kernel
    43s
  • max time network
    49s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    16-11-2024 18:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dsad.bat

  • Size

    122KB

  • MD5

    966f3ad6d9f5ad03afbef0a7917cbede

  • SHA1

    5c62ed021daefb494d236017d5cd5110928942a0

  • SHA256

    45e0996bc0c167dc427891ecc287d98cab9a5157ec74803c8873c435067f42f7

  • SHA512

    0774869e64b20dbfa503a65b3c40b0e1ef15cfba16078a9526da7bacf46a69636be2bf52dc20ee6f502d59dabd76ddf6a088ce85e931b20f4e9094017a7821ae

  • SSDEEP

    3072:PX5WdgyknI18fbSRFmj53iT4GgV/POVuAQDXiriToJl0:PX557y+bz53iKOV9QDYi0Jl0

Score
10/10
xwormdefense_evasionexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

left-noon.gl.at.ply.gg:60705

Attributes
  • Install_directory

    %AppData%

  • install_file

    US11B.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

    Payload decoded via CertUtil.

    defense_evasion
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dsad.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3164
    • C:\Windows\system32\certutil.exe
      certutil -decode C:\Users\Admin\AppData\Local\Temp\bdzyqzk78j.txt C:\Users\Admin\AppData\Local\Temp\bdzyqzk78j.exe
      2⤵
      • Deobfuscate/Decode Files or Information
      PID:4600
    • C:\Users\Admin\AppData\Local\Temp\bdzyqzk78j.exe
      C:\Users\Admin\AppData\Local\Temp\bdzyqzk78j.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:5008
      • C:\Users\Admin\AppData\Local\Temp\sms5D04.tmp
        "C:\Users\Admin\AppData\Local\Temp\sms5D04.tmp"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1276
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sms5D04.tmp'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3104
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sms5D04.tmp'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4836
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\sms5D04.tmp'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5020
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "sms5D04" /tr "C:\Users\Admin\AppData\Roaming\sms5D04.tmp"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1304
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    1⤵
      PID:1336
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe "C:\Users\Admin\AppData\Roaming\sms5D04.tmp"
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1464

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      627073ee3ca9676911bee35548eff2b8

      SHA1

      4c4b68c65e2cab9864b51167d710aa29ebdcff2e

      SHA256

      85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

      SHA512

      3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      d0a4a3b9a52b8fe3b019f6cd0ef3dad6

      SHA1

      fed70ce7834c3b97edbd078eccda1e5effa527cd

      SHA256

      21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

      SHA512

      1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      21017c68eaf9461301de459f4f07e888

      SHA1

      41ff30fc8446508d4c3407c79e798cf6eaa5bb73

      SHA256

      03b321e48ff3328d9c230308914961fe110c4c7bc96c0a85a296745437bcb888

      SHA512

      956990c11c6c1baa3665ef7ef23ef6073e0a7fcff77a93b5e605a83ff1e60b916d80d45dafb06977aed90868a273569a865cf2c623e295b5157bfff0fb2be35d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3thrmyw2.hgf.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\bdzyqzk78j.exe
      Filesize

      89KB

      MD5

      c708b4e6749fe2bea4c7a6881f2d21fc

      SHA1

      1264556923d27d0266a1a34a305c9c5deded08c0

      SHA256

      4454446918edc9730718e4ce610986706f14b03c0c2c1cb2eab6d774ef73d581

      SHA512

      6886a023e040edeafdc59c07bbcf1b97329e9dbe63b098ef16004dcc5b5a9644e431221cf9b37b4612f1ac14d548b0df1c538f998e44ba8f93a8a10cbeffef44

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\bdzyqzk78j.txt
      Filesize

      119KB

      MD5

      7f70cd0d872ebbfc9917850c310ca541

      SHA1

      cd957a542f30964e8943550ce52b07b2ffcb5676

      SHA256

      70a42df8f7ea2080973d351d99324be090bfb58b91d6d708313828a7a3d2e53a

      SHA512

      c96e9726d34dee24c734e81af7e35cf8153aa853d91890dbe8e6311e9019886c39bfa7a6da86f78d7c20ac0ed1e509906bd572abb3def986d7ef8272d8305b7a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\bdzyqzk78j.txt
      Filesize

      7KB

      MD5

      62f0045a3133367c21b17f3b71579fa7

      SHA1

      20f1fa70407b6ca8033eea474e3ddbd99267497f

      SHA256

      5f7ea73166179fce0372fd66af291abaa25f67affcf4e5bc41eb248905c88ef8

      SHA512

      4a457bef7fb05a289ea088dd34132065f1d45b117450b6fbfc766b9b10d708f9d2a3fec30477e5172e49cf0714ff3be4743f48831ba50cb8a8c74af7b94b9e2c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\sms5D04.tmp
      Filesize

      76KB

      MD5

      c01f551edc26c87f9060358f75bf227d

      SHA1

      3755e4043a98bbe6efff60f2442c29373049052a

      SHA256

      6f588a5b0a111fb296e01c7633b65c3904acb094feafced2c8f174e7d3013c1f

      SHA512

      dc919d689b4965f8df64d63f64bb289bd82bee2a2ca273835d55765e8bd69046b130fa931efad54e46de4bd5508503e6d3fb3d2fa6e493dbf88787b56de0770a

      Download Submit

    • memory/1276-161-0x00007FFE74F73000-0x00007FFE74F75000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1276-163-0x00007FFE74F70000-0x00007FFE75A32000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1276-162-0x0000000000BB0000-0x0000000000BCA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1276-203-0x00007FFE74F73000-0x00007FFE74F75000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1276-204-0x00007FFE74F70000-0x00007FFE75A32000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1276-205-0x000000001C540000-0x000000001C54C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/3104-172-0x000001AC5CC90000-0x000001AC5CCB2000-memory.dmp

      Filesize

      136KB

      Download