Analysis
-
max time kernel
1511s -
max time network
1463s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
01-04-2024 16:35
Static task
static1
URLScan task
urlscan1
General
Malware Config
Extracted
asyncrat
1.0.7
def
37.18.62.18:8060
era2312swe12-1213rsgdkms23
-
delay
1
-
install
true
-
install_file
CCXProcess.exe
-
install_folder
%Temp%
Extracted
toxiceye
https://api.telegram.org/bot5687152406:AAFin_LYFhJGLydMgYheeUDec-2orew51aM/sendMessage?chat_id=2024893777
Signatures
-
Async RAT payload 1 IoCs
resource yara_rule behavioral1/files/0x000b0000000224f3-263.dat family_asyncrat -
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation win-xworm-builder.exe Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation wsappx.exe -
Executes dropped EXE 3 IoCs
pid Process 4836 win-xworm-builder.exe 1236 wsappx.exe 3272 sysfile32.exe -
Loads dropped DLL 1 IoCs
pid Process 2164 XHVNC.exe -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral1/memory/2164-411-0x00000000066F0000-0x0000000006914000-memory.dmp agile_net -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 79 raw.githubusercontent.com 81 raw.githubusercontent.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 220 schtasks.exe 4696 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 1504 timeout.exe -
Enumerates processes with tasklist 1 TTPs 1 IoCs
pid Process 3268 tasklist.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings msedge.exe -
Suspicious behavior: EnumeratesProcesses 17 IoCs
pid Process 3856 msedge.exe 3856 msedge.exe 1372 msedge.exe 1372 msedge.exe 688 identity_helper.exe 688 identity_helper.exe 4440 msedge.exe 4440 msedge.exe 4840 dnlib.exe 4840 dnlib.exe 1236 wsappx.exe 1236 wsappx.exe 1236 wsappx.exe 1236 wsappx.exe 1236 wsappx.exe 1512 DisAsClaimer.exe 1512 DisAsClaimer.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2164 XHVNC.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid Process 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process Token: SeDebugPrivilege 4684 XWorm-RAT-V2.1-builder.exe Token: SeDebugPrivilege 4836 win-xworm-builder.exe Token: SeDebugPrivilege 3268 tasklist.exe Token: SeDebugPrivilege 1236 wsappx.exe Token: SeDebugPrivilege 4840 dnlib.exe Token: SeDebugPrivilege 1512 DisAsClaimer.exe Token: SeManageVolumePrivilege 3584 svchost.exe -
Suspicious use of FindShellTrayWindow 38 IoCs
pid Process 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 2164 XHVNC.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe 1372 msedge.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1236 wsappx.exe 2164 XHVNC.exe 2164 XHVNC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1372 wrote to memory of 4600 1372 msedge.exe 85 PID 1372 wrote to memory of 4600 1372 msedge.exe 85 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3288 1372 msedge.exe 86 PID 1372 wrote to memory of 3856 1372 msedge.exe 87 PID 1372 wrote to memory of 3856 1372 msedge.exe 87 PID 1372 wrote to memory of 4204 1372 msedge.exe 88 PID 1372 wrote to memory of 4204 1372 msedge.exe 88 PID 1372 wrote to memory of 4204 1372 msedge.exe 88 PID 1372 wrote to memory of 4204 1372 msedge.exe 88 PID 1372 wrote to memory of 4204 1372 msedge.exe 88 PID 1372 wrote to memory of 4204 1372 msedge.exe 88 PID 1372 wrote to memory of 4204 1372 msedge.exe 88 PID 1372 wrote to memory of 4204 1372 msedge.exe 88 PID 1372 wrote to memory of 4204 1372 msedge.exe 88 PID 1372 wrote to memory of 4204 1372 msedge.exe 88 PID 1372 wrote to memory of 4204 1372 msedge.exe 88 PID 1372 wrote to memory of 4204 1372 msedge.exe 88 PID 1372 wrote to memory of 4204 1372 msedge.exe 88 PID 1372 wrote to memory of 4204 1372 msedge.exe 88 PID 1372 wrote to memory of 4204 1372 msedge.exe 88 PID 1372 wrote to memory of 4204 1372 msedge.exe 88 PID 1372 wrote to memory of 4204 1372 msedge.exe 88 PID 1372 wrote to memory of 4204 1372 msedge.exe 88 PID 1372 wrote to memory of 4204 1372 msedge.exe 88 PID 1372 wrote to memory of 4204 1372 msedge.exe 88 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/errias/XWorm-Rat-Remote-Administration-Tool-1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffb32c46f8,0x7fffb32c4708,0x7fffb32c47182⤵PID:4600
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,12920060550194240918,10518701602043929056,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:22⤵PID:3288
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,12920060550194240918,10518701602043929056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:3856
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,12920060550194240918,10518701602043929056,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:82⤵PID:4204
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12920060550194240918,10518701602043929056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:12⤵PID:2168
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12920060550194240918,10518701602043929056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:12⤵PID:3168
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,12920060550194240918,10518701602043929056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:82⤵PID:4108
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,12920060550194240918,10518701602043929056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:688
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12920060550194240918,10518701602043929056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:12⤵PID:2348
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12920060550194240918,10518701602043929056,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:12⤵PID:3156
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2168,12920060550194240918,10518701602043929056,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3444 /prefetch:82⤵PID:1072
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12920060550194240918,10518701602043929056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:12⤵PID:4836
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2168,12920060550194240918,10518701602043929056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4440
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12920060550194240918,10518701602043929056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:12⤵PID:4636
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,12920060550194240918,10518701602043929056,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:12⤵PID:768
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2384
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3964
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2860
-
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe"1⤵PID:4700
-
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWorm-RAT-V2.1-builder.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4684 -
C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe"C:\Users\Admin\AppData\Local\Temp\win-xworm-builder.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4836 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "wsappx" /tr "C:\Users\Static\wsappx.exe"3⤵
- Creates scheduled task(s)
PID:220
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpFF8E.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpFF8E.tmp.bat3⤵PID:4216
-
C:\Windows\system32\tasklist.exeTasklist /fi "PID eq 4836"4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3268
-
-
C:\Windows\system32\find.exefind ":"4⤵PID:5100
-
-
C:\Windows\system32\timeout.exeTimeout /T 1 /Nobreak4⤵
- Delays execution with timeout.exe
PID:1504
-
-
C:\Users\Static\wsappx.exe"wsappx.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1236 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "wsappx" /tr "C:\Users\Static\wsappx.exe"5⤵
- Creates scheduled task(s)
PID:4696
-
-
-
-
-
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\dnlib.exe"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\dnlib.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4840 -
C:\Users\Admin\AppData\Local\Temp\sysfile32.exe"C:\Users\Admin\AppData\Local\Temp\sysfile32.exe"2⤵
- Executes dropped EXE
PID:3272
-
-
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\DisAsClaimer.exe"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\DisAsClaimer.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512
-
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XHVNC.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2164
-
C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe"C:\Users\Admin\Downloads\XWorm-Rat-Remote-Administration-Tool--main\XWorm-Rat-Remote-Administration-Tool--main\XWormUI.exe"1⤵PID:3728
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵PID:2944
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3584
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD512898332fe5f9fb9788a338cb42b2b6e
SHA1dce87ad4a993b2d7b1c9c9690b3ef8babec83d01
SHA25675e7460a015f409a26d1a166f46d75153a4308948ef6e048d97f1a5b20b4e2e9
SHA51293d39f2714c8cab7c4f7aa7ffd27bb699c270a70ea18966bcedb03f3692bcded4c44a3bc2e4ba6388329a26683d1e0379abeac15683b81769428acb588eeb291
-
Filesize
152B
MD5f35bb0615bb9816f562b83304e456294
SHA11049e2bd3e1bbb4cea572467d7c4a96648659cb4
SHA25605e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71
SHA512db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1
-
Filesize
152B
MD51eb86108cb8f5a956fdf48efbd5d06fe
SHA17b2b299f753798e4891df2d9cbf30f94b39ef924
SHA2561b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40
SHA512e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD51ff784b84c22c16e60a15afae76f525f
SHA1273a8d6ccfe799d4e29d18d746d709090f954848
SHA256c38a32ba126c9fa77551ffbde892e0e120f3252756e5a6ed74974c179b39a6d0
SHA5129e3206562c4c24443721bf683d6c683342b2c3333cc361d787f403e9b07d5427ce8f7c4eae5c17d3ba4e85bd8e085b94da5e523a1c235e534ff0560ba1939ac8
-
Filesize
573B
MD5773fb4b4aee1fc711996decf4d943b6d
SHA15a0ff39895150d79afc75d6bb870eaf2a7411555
SHA256bf2541e5f818c85e94f249780776e0d5b6a4aafffc8ce5e97dc82070bebe30b9
SHA5127c55dc4ab11ace2db228705f5f4115ec5d3f42c80cbc9e31049bdbf657eb4e966335ef8899534bf449bf62aaf1a4bac9f52e92264323f0fbaab4de82c88aeee6
-
Filesize
6KB
MD560416d497f5ff7b802567978067652b4
SHA12f164bb5bef671010d729d4c6eb886ee22d6c360
SHA2561e4c7979c91371d205c0ad57cbaa47c742e6c078a31ae42051c783d1feab4e96
SHA512cb1516f600b3bd141b4eec4da14f2c504e2f2ced512daa66099e8e48d4d74b847a0747301ff4505305f1f77e2c192a5c6e0b36bd59f9c420b2ea44b0155f2dc6
-
Filesize
6KB
MD52d6871fc74bc8be4d377fcf63d78df28
SHA1c9bcedfff16b6936e7a201e72eecb096efb8f6a5
SHA256cc0d2acf9aa844295e563826e7c7188e5c541a5e8b5a8b99c615849080bf6a1c
SHA5127a692a59a74c58c05ce23e6114f93a5b204af2023ebe68478bfc612fa916f5c3367f0110e730407e4f33ff7f35f9ade6bbf5e3174ffac98f5c7b28ca874a2695
-
Filesize
6KB
MD5bb96a08207281f989b7fc4e88b9ffb13
SHA132d581c4f96afc9cd5513436086958e054449f8e
SHA2569e5072dfb4c514c0f698265bc103d0d2c6c125a22d4cd416e768c0a5e8fa5245
SHA5123faf174a5c0632e78f23883f26db28f2d96fa605c60ee5e17a30f68e92cfb5a2e60c324206064ce349a0b745d9c7f842076064058a8c2421469c2e68c09d4096
-
Filesize
6KB
MD56d4713a7c22540a927a2b16cdea250dd
SHA1af8bfef8883c683e1a2c0d3e3960b5eaa21be01a
SHA256ead51f9a0c85280a8d58702258c0bcd00a452e6216414077fa0cf9d1becfc787
SHA512255c796e50ad4ede4d08d6273f5a59823030e86da63f1dee1808a619d41e4b2b31d0ea952022e482366a59f747b7278763ebb8f1a7a038b845234bff991ceaa7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\cd4c156a-80b9-47d0-b8f6-826d47e96487.tmp
Filesize111B
MD5807419ca9a4734feaf8d8563a003b048
SHA1a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
12KB
MD50dd810291c4e88f30fd5a041b049c80e
SHA11630b9c72a4e4c1a873a52b5989b07ebf8b2161f
SHA2561a424d66488280dd69f52a67dcf2e1d9f1b58512a3477613669ad6a56623e207
SHA512569fc93046dbf7a343355e210a90a1ae7008f433b4d92d42a2ba54766aafec0f5e3d9df76a3a64908129c8422061ce1207dfdac9c5dc3f0f69ead0d7ab5d585b
-
Filesize
11KB
MD573867d42751a4292298c393a58e8624d
SHA1b404584e8cd9c77809e1b313a6d3158491cab71e
SHA2562f8aff4fca98e8b9b9c69eb7fee70a67354855d77aef7d3255bfd509d28527e9
SHA51298d7804c88d9b58ba66a679679dacbb7b6bd08529609d467c05d19c031c11d07a01c9f920ae70f62894874b33b99810b310dc7913370a17112d713476f793daa
-
Filesize
94KB
MD514ff402962ad21b78ae0b4c43cd1f194
SHA1f8a510eb26666e875a5bdd1cadad40602763ad72
SHA256fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
SHA512daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
52KB
MD50c2d61d64f4325ca752202e5bf792e9e
SHA1e7655910a124dd10beb774a693f7caccf849b438
SHA256d0dd06d26f09eed4755de33c63e29aeb8161cd9b0ca123af3474c5594df57ec1
SHA5121205a69419c38605e9a84200b1cc7731a3e169fae265dfc324a9edaf98bbc06f110bdf63d08f6b97d312cd0ce1fffe9ef8649f116ac27eb8b659ad88519d9c46
-
Filesize
195B
MD5eb2d3445c311dfbef301d1713cb9a427
SHA1e754210f36462de2552b43fd83597f9dce3fddb6
SHA256823642afbe54828820a8020b56b2cfcdb32a2e4e29f8bfa88914540912722e9b
SHA512f4df13720e495e8b9a1ee162b52bd72cb5fff6fdf89cdaab851dbbe03e93820e27fe3b5494da2e6c23fa1622845b99dec20b6cfc9a2934c903ed401639859c8d
-
Filesize
793KB
MD5835d21dc5baa96f1ce1bf6b66d92d637
SHA1e0fb2a01a9859f0d2c983b3850c76f8512817e2d
SHA256e67f2b34ef647d59eb8ebd4a88f85dc072346ca5c275cba1ee2307b80a560319
SHA512747a9b6cde0207c722a62904a2c8708188f7c9e65e94cf55667e90096f1d1852e145061bd8e764bf30aaca0fb0f4355668feccc951041af735677c4c644aba87
-
Filesize
5.0MB
MD5ed997c518b1affa39a5db6d5e1e38874
SHA1d0355de864604e0ba04d4d79753ee926b197f9cf
SHA2568a7d20fb5bc7ef8b02ab6e11ef78ebc0a31ba5376bd97d40fe5d1da521324556
SHA51250699cdd035c48e431102c703d7855dc85caa6feb7a7b34bdb23c7ccc298dbcc3ab261690c3dfb078451d3e299a0b037351edcbf54e79b6edaaacbf30ec68cb7