xworm | 250eda084776cd02c04ab1dfcffde5555218310351b9c88258f7236df10aeda0

General

Target

Loader1.exe
Size

119KB
MD5

991c63fffe62b6b237cad9203c5ef6eb
SHA1

36aa371799529fc70bbcc9a645eb15929fa06de2
SHA256

250eda084776cd02c04ab1dfcffde5555218310351b9c88258f7236df10aeda0
SHA512

b6b76ee6c21c35a4c1f10d33094e7340aef38646baaafcc86eb29385b29e89ebabf2626af3cd53ab115c4ce564c74052d4aa65d270e4a6e54e5e724646d8e432
SSDEEP

3072:VHlQLfyczsS2sJYnZwGrVYTGX8YhmMa0RYRitL:VHlcfTzD1OnOXGMJgRWi

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

expected-identifies.gl.at.ply.gg:28789

Attributes

Install_directory
%ProgramData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RunBeforeXLoader.exe	family_xworm
behavioral1/memory/2816-22-0x0000000000490000-0x00000000004A8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Loader1.exeRunBeforeXLoader.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	Loader1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	RunBeforeXLoader.exe

Drops startup file 2 IoCs

Processes:

RunBeforeXLoader.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	RunBeforeXLoader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	RunBeforeXLoader.exe

Executes dropped EXE 4 IoCs

Processes:

Loader.exeRunBeforeXLoader.exesvchost.exesvchost.exe

pid process

4672 Loader.exe
2816 RunBeforeXLoader.exe
4980 svchost.exe
1256 svchost.exe

pid	process
4672	Loader.exe
2816	RunBeforeXLoader.exe
4980	svchost.exe
1256	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RunBeforeXLoader.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost.exe"	RunBeforeXLoader.exe

Drops file in Windows directory 1 IoCs

Processes:

Loader1.exe

description ioc process

File created C:\Windows\Loader.exe Loader1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2804 4672 WerFault.exe Loader.exe

description	ioc	process
File created	C:\Windows\Loader.exe	Loader1.exe

pid	pid_target	process	target process
2804	4672	WerFault.exe	Loader.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4732 schtasks.exe

pid	process
4732	schtasks.exe

Modifies registry class 5 IoCs

Processes:

taskmgr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exeRunBeforeXLoader.exe

pid	process
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
2816	RunBeforeXLoader.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

228 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

RunBeforeXLoader.exetaskmgr.exesvchost.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2816	RunBeforeXLoader.exe
Token: SeDebugPrivilege	228	taskmgr.exe
Token: SeSystemProfilePrivilege	228	taskmgr.exe
Token: SeCreateGlobalPrivilege	228	taskmgr.exe
Token: SeDebugPrivilege	2816	RunBeforeXLoader.exe
Token: SeBackupPrivilege	3696	svchost.exe
Token: SeRestorePrivilege	3696	svchost.exe
Token: SeSecurityPrivilege	3696	svchost.exe
Token: SeTakeOwnershipPrivilege	3696	svchost.exe
Token: 35	3696	svchost.exe
Token: SeDebugPrivilege	4980	svchost.exe
Token: SeDebugPrivilege	1256	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe
228	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RunBeforeXLoader.exefirefox.exe

pid process

2816 RunBeforeXLoader.exe
5008 firefox.exe

pid	process
2816	RunBeforeXLoader.exe
5008	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Loader1.exeRunBeforeXLoader.exefirefox.exefirefox.exe

description	pid	process	target process
PID 4848 wrote to memory of 4672	4848	Loader1.exe	Loader.exe
PID 4848 wrote to memory of 4672	4848	Loader1.exe	Loader.exe
PID 4848 wrote to memory of 4672	4848	Loader1.exe	Loader.exe
PID 4848 wrote to memory of 2816	4848	Loader1.exe	RunBeforeXLoader.exe
PID 4848 wrote to memory of 2816	4848	Loader1.exe	RunBeforeXLoader.exe
PID 2816 wrote to memory of 4732	2816	RunBeforeXLoader.exe	schtasks.exe
PID 2816 wrote to memory of 4732	2816	RunBeforeXLoader.exe	schtasks.exe
PID 2804 wrote to memory of 5008	2804	firefox.exe	firefox.exe
PID 2804 wrote to memory of 5008	2804	firefox.exe	firefox.exe
PID 2804 wrote to memory of 5008	2804	firefox.exe	firefox.exe
PID 2804 wrote to memory of 5008	2804	firefox.exe	firefox.exe
PID 2804 wrote to memory of 5008	2804	firefox.exe	firefox.exe
PID 2804 wrote to memory of 5008	2804	firefox.exe	firefox.exe
PID 2804 wrote to memory of 5008	2804	firefox.exe	firefox.exe
PID 2804 wrote to memory of 5008	2804	firefox.exe	firefox.exe
PID 2804 wrote to memory of 5008	2804	firefox.exe	firefox.exe
PID 2804 wrote to memory of 5008	2804	firefox.exe	firefox.exe
PID 2804 wrote to memory of 5008	2804	firefox.exe	firefox.exe
PID 5008 wrote to memory of 1008	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 1008	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe
PID 5008 wrote to memory of 3828	5008	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader1.exe
"C:\Users\Admin\AppData\Local\Temp\Loader1.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\Loader.exe
"C:\Windows\Loader.exe"
2⤵
- Executes dropped EXE
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 1048
3⤵
- Program crash
PID:2804

C:\Users\Admin\AppData\Local\Temp\RunBeforeXLoader.exe
"C:\Users\Admin\AppData\Local\Temp\RunBeforeXLoader.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"
3⤵
- Creates scheduled task(s)
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4672 -ip 4672
1⤵
PID:4960

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:228

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\ProgramData\svchost.exe
C:\ProgramData\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4980

C:\ProgramData\svchost.exe
C:\ProgramData\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2804

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5008

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5008.0.498040611\1902801109" -parentBuildID 20221007134813 -prefsHandle 1868 -prefMapHandle 1864 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {36ae39fe-5785-4821-907a-6234888943da} 5008 "\\.\pipe\gecko-crash-server-pipe.5008" 1944 18148bbd858 gpu
3⤵
PID:1008

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5008.1.2025872745\280465894" -parentBuildID 20221007134813 -prefsHandle 2332 -prefMapHandle 2328 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e8d014a-d427-4be0-badc-61afffccfe38} 5008 "\\.\pipe\gecko-crash-server-pipe.5008" 2344 18148741b58 socket
3⤵
PID:3828

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5008.2.1857039810\1865287942" -childID 1 -isForBrowser -prefsHandle 2992 -prefMapHandle 3020 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1352 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94aea63f-a5af-459f-b1ba-3e46aa17542b} 5008 "\\.\pipe\gecko-crash-server-pipe.5008" 3172 1814cc96858 tab
3⤵
PID:4448

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5008.3.859359663\2128954260" -childID 2 -isForBrowser -prefsHandle 3492 -prefMapHandle 3388 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1352 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cec74897-6298-465a-8442-858628330a2d} 5008 "\\.\pipe\gecko-crash-server-pipe.5008" 3592 1814b2c1558 tab
3⤵
PID:1960

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5008.4.289741045\1710660675" -childID 3 -isForBrowser -prefsHandle 4396 -prefMapHandle 4400 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1352 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c88bb7be-6ee8-46d8-b2da-b47146ca4dca} 5008 "\\.\pipe\gecko-crash-server-pipe.5008" 4412 1814eb33658 tab
3⤵
PID:4560

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5008.7.1894294930\286958339" -childID 6 -isForBrowser -prefsHandle 5340 -prefMapHandle 5344 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1352 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f67ae46c-d01c-4b6b-9c29-e9bd09a2eade} 5008 "\\.\pipe\gecko-crash-server-pipe.5008" 5332 1814fc87858 tab
3⤵
PID:512

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5008.6.2078329062\1935991212" -childID 5 -isForBrowser -prefsHandle 5148 -prefMapHandle 5152 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1352 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5602a90-141e-4bea-80d1-fbd2851aa4ec} 5008 "\\.\pipe\gecko-crash-server-pipe.5008" 5140 1814f1fbc58 tab
3⤵
PID:1376

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5008.5.622070671\872615489" -childID 4 -isForBrowser -prefsHandle 4944 -prefMapHandle 2832 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1352 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2ce2d3d-8b4e-4c6d-9b38-1b808608378b} 5008 "\\.\pipe\gecko-crash-server-pipe.5008" 4408 1813c366858 tab
3⤵
PID:3416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RunBeforeXLoader.exe

Filesize
73KB

MD5
312382a33d486601306789a01d0003d4

SHA1
feaafd132fbc62a481c20c29831f5184821cf23d

SHA256
c62a66fef3933991b01074a3ce881ff87ac605eed8d4b34fa0c98ac5f987d136

SHA512
58092c4affe2ebb0e47c5fe0a51fc41cf2652b7f29fa1fe5c9cbbe19b427dda85e6b8d4ddec69f543e0a3cfb3cae19820a04d9c789ef56c9e9253bd3584db59c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

Filesize
670B

MD5
e6b919481a0045f9801290ae9c0702b0

SHA1
d36cc75656b2604f998213c91ace95269a3a83d6

SHA256
ffc0f89ba216384bff04c2df4bc8133c8f4fa37a437d5dd1e7adc1e5d3489020

SHA512
ef7c4ba0c06ad07fa3eacba6b505815ba38eafa1c97380483bfaa8f738593224ebc84ef86163627c909f6009475d08500a18011b517ec711dee3b7362f6b9134

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
a411502e8837ece280f91701ebf42116

SHA1
d567ca043c74813f4338433d9302b314e6d470fd

SHA256
598736de4a2db4fce6b7c649070b6bc76553a9be5d2f59851b99452dbb2ae206

SHA512
ec8db4c2e97ed925fff10b8fb38c76a5a21d15d65ff4ef3e692ce048907d35d5780b9c81efe3005df1c58e03f51ee04e57694a7337e82093955f72ed7bd3be27

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\datareporting\glean\pending_pings\a49c6a8f-1986-4dc9-8512-211368c4af9b

Filesize
10KB

MD5
ab2983c94300d9ca2d5b866f184d15cc

SHA1
59f37142616fb9f54ad557730e6b9958d8a137bc

SHA256
9a13270a85364861a79c64b3695547cd69a458b3bc1ed763b3ce283dbff2b409

SHA512
03eff1e52fd63749fcfb8cc53c4ddff80e7ea9af19404207c1a8594268c7a92adc7cfe0c0f75082ac4f2af46642e161f6a03f004610a726538192f71cb1981e0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\datareporting\glean\pending_pings\d9936e8f-164c-4d05-afa9-25e513fef58c

Filesize
746B

MD5
f0a8774f72035fc25da5cb51222d46a8

SHA1
6ffaf46adc9fad3d471e6fc965e2d2fad2b7c4b7

SHA256
5531edcdff24bfb6ab7b561d46a24ffc3871cb9ea9d5f0ce439c3a4a112ef603

SHA512
7c1fffb666e016a2930a150716566a511dbf0ce1ca9e755f76cf8038159671b9e15712d6438b33f61b05726ef15ec157857f9554fa92029085db505036c705e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\92qyi9k9.default-release\prefs.js

Filesize
6KB

MD5
53a23af4335fcebf29afc4c6f5d8de71

SHA1
6759dbb7dcd8e7b3aecb8a8222d11e2a3ac48de7

SHA256
8dc7e73fe0e1c22834817d5bc5d3ae28220684dba98759190e73cbbd374e876e

SHA512
ff8be50607c55a6698d5313040bdb5e18cca6b6939c9cf84e816a3412487302e896c25c760564b76032ba9764af17312ff7b207177a4815a2eedf81443ade12e

Download Submit
C:\Windows\Loader.exe

Filesize
40KB

MD5
625a931cad6e8da72f1bbf3c37d65aa0

SHA1
2d54ebbe1691eeb0b097d0d0b0c5b071e30158c9

SHA256
c3cca8cdf2c5039022983f9f578f5474766c682caa3ecc3bb853269136e7e41d

SHA512
a961cb80b72908f7dd7e5897102bae75e2326b39b2eef68f1c3c8dcfea16ff666acd082a5e7114909da87b5f45369c920eaf0e47b1a3259b38aa303ab41d340b

Download Submit
memory/228-33-0x0000018F1EE10000-0x0000018F1EE11000-memory.dmp

Filesize
4KB

Download
memory/228-42-0x0000018F1EE10000-0x0000018F1EE11000-memory.dmp

Filesize
4KB

Download
memory/228-44-0x0000018F1EE10000-0x0000018F1EE11000-memory.dmp

Filesize
4KB

Download
memory/228-32-0x0000018F1EE10000-0x0000018F1EE11000-memory.dmp

Filesize
4KB

Download
memory/228-34-0x0000018F1EE10000-0x0000018F1EE11000-memory.dmp

Filesize
4KB

Download
memory/228-38-0x0000018F1EE10000-0x0000018F1EE11000-memory.dmp

Filesize
4KB

Download
memory/228-39-0x0000018F1EE10000-0x0000018F1EE11000-memory.dmp

Filesize
4KB

Download
memory/228-40-0x0000018F1EE10000-0x0000018F1EE11000-memory.dmp

Filesize
4KB

Download
memory/228-41-0x0000018F1EE10000-0x0000018F1EE11000-memory.dmp

Filesize
4KB

Download
memory/228-43-0x0000018F1EE10000-0x0000018F1EE11000-memory.dmp

Filesize
4KB

Download
memory/1256-63-0x00007FF9CC9B0000-0x00007FF9CD471000-memory.dmp

Filesize
10.8MB

Download
memory/1256-64-0x00007FF9CC9B0000-0x00007FF9CD471000-memory.dmp

Filesize
10.8MB

Download
memory/2816-52-0x00007FF9CC9B0000-0x00007FF9CD471000-memory.dmp

Filesize
10.8MB

Download
memory/2816-53-0x000000001B180000-0x000000001B190000-memory.dmp

Filesize
64KB

Download
memory/2816-49-0x000000001B180000-0x000000001B190000-memory.dmp

Filesize
64KB

Download
memory/2816-22-0x0000000000490000-0x00000000004A8000-memory.dmp

Filesize
96KB

Download
memory/2816-24-0x00007FF9CC9B0000-0x00007FF9CD471000-memory.dmp

Filesize
10.8MB

Download
memory/4672-26-0x0000000005560000-0x00000000055F2000-memory.dmp

Filesize
584KB

Download
memory/4672-28-0x00000000054C0000-0x00000000054D2000-memory.dmp

Filesize
72KB

Download
memory/4672-27-0x0000000073D90000-0x0000000074540000-memory.dmp

Filesize
7.7MB

Download
memory/4672-31-0x0000000073D90000-0x0000000074540000-memory.dmp

Filesize
7.7MB

Download
memory/4672-25-0x0000000005B10000-0x00000000060B4000-memory.dmp

Filesize
5.6MB

Download
memory/4672-29-0x0000000005740000-0x0000000005750000-memory.dmp

Filesize
64KB

Download
memory/4672-23-0x0000000000CB0000-0x0000000000CC0000-memory.dmp

Filesize
64KB

Download
memory/4672-30-0x0000000005600000-0x000000000560A000-memory.dmp

Filesize
40KB

Download
memory/4980-55-0x00007FF9CC9B0000-0x00007FF9CD471000-memory.dmp

Filesize
10.8MB

Download
memory/4980-57-0x00007FF9CC9B0000-0x00007FF9CD471000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads