Analysis

  • max time kernel
    30s
  • max time network
    26s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    17-11-2024 14:16

General

  • Target

    B0TTLE.exe

  • Size

    339KB

  • MD5

    e0d9d67f2387df7ffd3b02d022eed5a6

  • SHA1

    6b4efe7a39ffc77840e9274da19327fa878f5c3c

  • SHA256

    51ae0b0bfd3aa9eb4009aaa96528ba5db3a716732ab67206f6626a77180e2a7d

  • SHA512

    0e12e16e3eaacc0d87297fed55b58f5a16b27d88d14f73b9aaab66dd7a7d2301bda487cb5f04f89be0fbec2dfc5203280107313b7c1fce80b680af2b2a378bd8

  • SSDEEP

    3072:oU5zftF6SslXjgxzi3Z80WaXjTPbUiS75l/NTugUJV21KFpwqEBOrNoq98wSpvbK:oU5zlFJslzgxAZ826SlQqrR98XU

Malware Config

Extracted

Family

xworm

C2

185.84.161.66:5000

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell (Add-MpPreference) to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so the dropped payload is not scanned.

  • Checks computer location settings 2 TTPs 14 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 14 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\B0TTLE.exe
    "C:\Users\Admin\AppData\Local\Temp\B0TTLE.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe
      "C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3248
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:220
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BLACKSUPER X.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1784
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2380
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:3832
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1504
    • C:\Users\Admin\AppData\Local\Temp\B0TTLE.exe
      "C:\Users\Admin\AppData\Local\Temp\B0TTLE.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4992
      • C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe
        "C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4720
      • C:\Users\Admin\AppData\Local\Temp\B0TTLE.exe
        "C:\Users\Admin\AppData\Local\Temp\B0TTLE.exe"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:448
        • C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe
          "C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1584
        • C:\Users\Admin\AppData\Local\Temp\B0TTLE.exe
          "C:\Users\Admin\AppData\Local\Temp\B0TTLE.exe"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:2176
          • C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe
            "C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe"
            5⤵
            • Executes dropped EXE
            PID:3608
          • C:\Users\Admin\AppData\Local\Temp\B0TTLE.exe
            "C:\Users\Admin\AppData\Local\Temp\B0TTLE.exe"
            5⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:4640
            • C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe
              "C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe"
              6⤵
              • Executes dropped EXE
              PID:4816
            • C:\Users\Admin\AppData\Local\Temp\B0TTLE.exe
              "C:\Users\Admin\AppData\Local\Temp\B0TTLE.exe"
              6⤵
              • Checks computer location settings
              • Suspicious use of WriteProcessMemory
              PID:3740
              • C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe
                "C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe"
                7⤵
                • Executes dropped EXE
                PID:4840
              • C:\Users\Admin\AppData\Local\Temp\B0TTLE.exe
                "C:\Users\Admin\AppData\Local\Temp\B0TTLE.exe"
                7⤵
                • Checks computer location settings
                • Suspicious use of WriteProcessMemory
                PID:1032
                • C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe
                  "C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe"
                  8⤵
                  • Executes dropped EXE
                  PID:1692
                • C:\Users\Admin\AppData\Local\Temp\B0TTLE.exe
                  "C:\Users\Admin\AppData\Local\Temp\B0TTLE.exe"
                  8⤵
                  • Checks computer location settings
                  • Suspicious use of WriteProcessMemory
                  PID:3048
                  • C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe
                    "C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe"
                    9⤵
                    • Executes dropped EXE
                    PID:2904
                  • C:\Users\Admin\AppData\Local\Temp\B0TTLE.exe
                    "C:\Users\Admin\AppData\Local\Temp\B0TTLE.exe"
                    9⤵
                    • Checks computer location settings
                    • Suspicious use of WriteProcessMemory
                    PID:3980
                    • C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe
                      "C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe"
                      10⤵
                      • Executes dropped EXE
                      PID:2444
                    • C:\Users\Admin\AppData\Local\Temp\B0TTLE.exe
                      "C:\Users\Admin\AppData\Local\Temp\B0TTLE.exe"
                      10⤵
                      • Checks computer location settings
                      • Suspicious use of WriteProcessMemory
                      PID:2040
                      • C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe
                        "C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe"
                        11⤵
                        • Executes dropped EXE
                        PID:3140
                      • C:\Users\Admin\AppData\Local\Temp\B0TTLE.exe
                        "C:\Users\Admin\AppData\Local\Temp\B0TTLE.exe"
                        11⤵
                        • Checks computer location settings
                        • Suspicious use of WriteProcessMemory
                        PID:5032
                        • C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe
                          "C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe"
                          12⤵
                          • Executes dropped EXE
                          PID:5056
                        • C:\Users\Admin\AppData\Local\Temp\B0TTLE.exe
                          "C:\Users\Admin\AppData\Local\Temp\B0TTLE.exe"
                          12⤵
                          • Checks computer location settings
                          • Suspicious use of WriteProcessMemory
                          PID:4552
                          • C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe
                            "C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe"
                            13⤵
                            • Executes dropped EXE
                            PID:1944
                          • C:\Users\Admin\AppData\Local\Temp\B0TTLE.exe
                            "C:\Users\Admin\AppData\Local\Temp\B0TTLE.exe"
                            13⤵
                            • Checks computer location settings
                            • Suspicious use of WriteProcessMemory
                            PID:2160
                            • C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe
                              "C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe"
                              14⤵
                              • Executes dropped EXE
                              PID:3020
                            • C:\Users\Admin\AppData\Local\Temp\B0TTLE.exe
                              "C:\Users\Admin\AppData\Local\Temp\B0TTLE.exe"
                              14⤵
                               PID:4436
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      "C:\Users\Admin\AppData\Roaming\XClient.exe"
      1⤵
      • Executes dropped EXE
      PID:4980
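The Signatures list and the process tree above contain the three behaviours worth alerting on in this run: PowerShell Add-MpPreference calls that carve Defender exclusions for the dropper and for the XClient.exe install path, a schtasks /create with /sc minute /mo 1 /RL HIGHEST pointing into %AppData%, and a B0TTLE.exe relaunch chain that spawns itself 14 levels deep. The Python below is an added example, not part of the sandbox report and not code from the sample: it runs those three detections over a constructed set of process-creation events copied from the tree (same PIDs, parents and command lines) plus two made-up benign events (PIDs 9000 and 9001) that must not fire. The ProcEvent field names, the parent PID 1000 for the root process, the five-minute cadence threshold and the user-writable directory list are assumptions for the example.

```python
"""Detections for the XWorm behaviour chain in this report (added example, not the sample's code)."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon Event ID 1 / Security 4688 style fields; assumed layout)."""
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str   # command line as logged


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
B0TTLE = r"C:\Users\Admin\AppData\Local\Temp\B0TTLE.exe"
BLACK = r"C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe"
XCLIENT = r"C:\Users\Admin\AppData\Roaming\XClient.exe"

# Constructed sample: a subset of the report's process tree (parent PID 1000 for the
# root is assumed) plus two made-up benign events (PIDs 9000, 9001) the rules must ignore.
SAMPLE_EVENTS = [
    ProcEvent(1680, 1000, B0TTLE, f'"{B0TTLE}"'),
    ProcEvent(3248, 1680, BLACK, f'"{BLACK}"'),
    ProcEvent(220, 3248, PS, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath \'{BLACK}\''),
    ProcEvent(1784, 3248, PS, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess \'BLACKSUPER X.exe\''),
    ProcEvent(2380, 3248, PS, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath \'{XCLIENT}\''),
    ProcEvent(1504, 3248, SCHTASKS,
              f'"{SCHTASKS}" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "{XCLIENT}"'),
    ProcEvent(4992, 1680, B0TTLE, f'"{B0TTLE}"'),
    ProcEvent(448, 4992, B0TTLE, f'"{B0TTLE}"'),
    ProcEvent(2176, 448, B0TTLE, f'"{B0TTLE}"'),
    ProcEvent(9000, 1000, PS, f'"{PS}" -Command Get-MpPreference'),                       # benign: read-only query
    ProcEvent(9001, 1000, SCHTASKS,
              f'"{SCHTASKS}" /create /sc daily /st 02:00 /tn "NightlyBackup" /tr "C:\\Program Files\\Backup\\backup.exe"'),
]

# Add-MpPreference appends to an exclusion list, Set-MpPreference replaces it; both matter.
EXCLUSION_RE = re.compile(
    r'''(?:Add|Set)-MpPreference\b.*?-Exclusion(Path|Process|Extension|IpAddress)\s+(['"]?)(.+?)\2(?:\s|$)''',
    re.IGNORECASE,
)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")  # assumed list


def detect_defender_exclusion(ev: ProcEvent) -> Optional[dict]:
    """T1562.001: PowerShell adding a Defender exclusion (the page's 'Command and Scripting Interpreter' hits)."""
    if not ev.image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return None
    m = EXCLUSION_RE.search(ev.cmdline)
    if not m:
        return None
    return {"pid": ev.pid, "rule": "defender_exclusion", "kind": m.group(1), "value": m.group(3),
            "bypass": "-executionpolicy bypass" in ev.cmdline.lower()}


def parse_schtasks(cmdline: str) -> dict:
    """Map schtasks /switches to their values; bare flags such as /f map to True."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)   # keep quoted paths (with spaces) whole
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is not None and not nxt.startswith("/"):
                opts[tok[1:].lower()] = nxt.strip('"')
                i += 1
            else:
                opts[tok[1:].lower()] = True
        i += 1
    return opts


def detect_schtasks_persistence(ev: ProcEvent) -> Optional[dict]:
    """T1053.005: schtasks /create with the traits of malware persistence seen in this run."""
    if not ev.image.lower().endswith("schtasks.exe"):
        return None
    o = parse_schtasks(ev.cmdline)
    if "create" not in o:
        return None
    mo = o.get("mo", "1")                                  # schtasks defaults /mo to 1
    interval = int(mo) if isinstance(mo, str) and mo.isdigit() else 1
    target = str(o.get("tr", ""))
    reasons = []
    if str(o.get("sc", "")).lower() == "minute" and interval <= 5:
        reasons.append(f"re-runs every {interval} minute(s)")
    if str(o.get("rl", "")).upper() == "HIGHEST":
        reasons.append("runs with highest privileges")
    if any(d in target.lower() for d in USER_WRITABLE):
        reasons.append("target lives in a user-writable directory")
    if not reasons:
        return None
    return {"pid": ev.pid, "rule": "schtasks_persistence", "task": o.get("tn"),
            "target": target, "reasons": reasons}


def self_spawn_depth(events) -> tuple:
    """Longest chain of a process whose ancestors share its image (B0TTLE.exe relaunching itself).
    Keyed on PID here; real Sysmon data should key on ProcessGuid because PIDs are reused."""
    by_pid = {e.pid: e for e in events}
    best = ("", 0)
    for e in events:
        depth, cur = 1, e
        while cur.ppid in by_pid and by_pid[cur.ppid].image.lower() == e.image.lower():
            cur = by_pid[cur.ppid]
            depth += 1
        if depth > best[1]:
            best = (e.image, depth)
    return best


def run_detections(events, relaunch_threshold: int = 3) -> list:
    """Apply every rule and return the findings as dicts (one per matching event, plus the chain)."""
    findings = [f for e in events for f in (detect_defender_exclusion(e), detect_schtasks_persistence(e)) if f]
    image, depth = self_spawn_depth(events)
    if depth >= relaunch_threshold:
        findings.append({"rule": "self_relaunch_chain", "image": image, "depth": depth})
    return findings


if __name__ == "__main__":
    for finding in run_detections(SAMPLE_EVENTS):
        print(finding)
```

The scheduled-task rule scores the task's target and trigger rather than the task name, because "XClient" is trivial for the operator to change while the %AppData% target, the one-minute cadence and /RL HIGHEST are what the persistence actually needs. Against real Sysmon Event ID 1 data, walk ancestry by ProcessGuid instead of PID, and treat any Add-MpPreference exclusion from a process whose parent is in a user-writable directory as high severity regardless of the excluded value.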

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\B0TTLE.exe.log

      Filesize

      654B

      MD5

      11c6e74f0561678d2cf7fc075a6cc00c

      SHA1

      535ee79ba978554abcb98c566235805e7ea18490

      SHA256

      d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

      SHA512

      32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      3KB

      MD5

      3eb3833f769dd890afc295b977eab4b4

      SHA1

      e857649b037939602c72ad003e5d3698695f436f

      SHA256

      c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

      SHA512

      c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      c67441dfa09f61bca500bb43407c56b8

      SHA1

      5a56cf7cbeb48c109e2128c31b681fac3959157b

      SHA256

      63082da456c124d0bc516d2161d1613db5f3008d903e4066d2c7b4e90b435f33

      SHA512

      325de8b718b3a01df05e20e028c5882240e5fd2e96c771361b776312923ff178f27494a1f5249bf6d7365a99155eb8735a51366e85597008e6a10462e63ee0e8

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      b43246eb61dbab10bc560c5d4ef9fed9

      SHA1

      53fa01ade1612c0bb3dd04f73e3db161aad99c43

      SHA256

      74865bf25464ca44e0d6bb474f49aaa9855102b9e30c71b2e606e2b6ca5189a3

      SHA512

      2d6ecb5e7c1dbf1837aedea5395bebcd6e68a02975e06d73c3e0b6f3784739d82c6d7c298dc5dd517e4352cfde6fd19f730e8ce8f0e27089b031552af2e5db83

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      2b27493719bb91528bd7fdb4b71d1d6d

      SHA1

      50e5879d35d2895e48ec1a7b8eeb75cfe767d6c4

      SHA256

      279860eae0661649af64c434196d784d3c4f56aa690ffa2780fa81b055164da2

      SHA512

      d900fe86d90429ff17892e54c2689445ce58be036f6cba34311f54c827f8b2145bac0f9c193e4ad0ea4efb666b9477a790929b707095b5b1f38d86d336540cd0

    • C:\Users\Admin\AppData\Local\Temp\BLACKSUPER X.exe

      Filesize

      69KB

      MD5

      2d58b179ec133f1016a2496a96c5da20

      SHA1

      f5b59d6c3c382295d5d5fed1aed04342a7ab7f2e

      SHA256

      ea9c924bd79e33535b8d6537da0a320ce89d6700697173397bb0a31341831a1b

      SHA512

      486e8248f14d721519bd3701d8dfaf6b8e5af2bce02825fac078402c5ac4a1ceff72af2c36eb3a5c3006aaef0eb00ae8b2289d5a2b8b149e50e7bc7e2bad5abc

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xybpcyfx.dyr.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/220-27-0x000001F4E69F0000-0x000001F4E6A12000-memory.dmp

      Filesize

      136KB

    • memory/1680-1-0x0000000000F40000-0x0000000000F9C000-memory.dmp

      Filesize

      368KB

    • memory/1680-3-0x00007FF922830000-0x00007FF9232F2000-memory.dmp

      Filesize

      10.8MB

    • memory/1680-0-0x00007FF922833000-0x00007FF922835000-memory.dmp

      Filesize

      8KB

    • memory/1680-20-0x00007FF922830000-0x00007FF9232F2000-memory.dmp

      Filesize

      10.8MB

    • memory/3248-18-0x00007FF922830000-0x00007FF9232F2000-memory.dmp

      Filesize

      10.8MB

    • memory/3248-26-0x00007FF922830000-0x00007FF9232F2000-memory.dmp

      Filesize

      10.8MB

    • memory/3248-19-0x0000000000CC0000-0x0000000000CD8000-memory.dmp

      Filesize

      96KB

    • memory/3248-76-0x00007FF922830000-0x00007FF9232F2000-memory.dmp

      Filesize

      10.8MB

    • memory/3248-85-0x00007FF922830000-0x00007FF9232F2000-memory.dmp

      Filesize

      10.8MB

    • memory/4992-25-0x00007FF922830000-0x00007FF9232F2000-memory.dmp

      Filesize

      10.8MB

    • memory/4992-22-0x00007FF922830000-0x00007FF9232F2000-memory.dmp

      Filesize

      10.8MB

    • memory/4992-21-0x00007FF922830000-0x00007FF9232F2000-memory.dmp

      Filesize

      10.8MB