Malware Analysis Report

2024-09-11 08:41

Sample ID 240425-cnm5eadf8s
Target fd15b9b162dcbe4f16157d4b13f69a6b2ede55fcd5ddb2a19bce8eb68a363e43.exe
SHA256 fd15b9b162dcbe4f16157d4b13f69a6b2ede55fcd5ddb2a19bce8eb68a363e43
Tags
redline sectoprat xworm cheat infostealer persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fd15b9b162dcbe4f16157d4b13f69a6b2ede55fcd5ddb2a19bce8eb68a363e43

Threat Level: Known bad

The file fd15b9b162dcbe4f16157d4b13f69a6b2ede55fcd5ddb2a19bce8eb68a363e43.exe was found to be: Known bad.

Malicious Activity Summary

redline sectoprat xworm cheat infostealer persistence rat trojan

RedLine payload

Detect Xworm Payload

RedLine

SectopRAT

Xworm

SectopRAT payload

Detects Windows executables referencing non-Windows User-Agents

Detects executables using Telegram Chat Bot

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Drops startup file

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-25 02:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-25 02:13

Reported

2024-04-25 02:16

Platform

win7-20240221-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fd15b9b162dcbe4f16157d4b13f69a6b2ede55fcd5ddb2a19bce8eb68a363e43.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables using Telegram Chat Bot

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X1.lnk | C:\Users\Admin\AppData\Roaming\X1.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X1.lnk | C:\Users\Admin\AppData\Roaming\X1.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk | C:\Users\Admin\AppData\Roaming\X2.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk | C:\Users\Admin\AppData\Roaming\X2.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" | C:\Users\Admin\AppData\Roaming\X2.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\X1 = "C:\\Users\\Admin\\AppData\\Roaming\\X1.exe" | C:\Users\Admin\AppData\Roaming\X1.exe | N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\X1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\X2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\X1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\X2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\build.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\X1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\X2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\X1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\X1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\X1.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\X1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\X2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\fd15b9b162dcbe4f16157d4b13f69a6b2ede55fcd5ddb2a19bce8eb68a363e43.exe C:\Users\Admin\AppData\Roaming\X1.exe
PID 2208 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\fd15b9b162dcbe4f16157d4b13f69a6b2ede55fcd5ddb2a19bce8eb68a363e43.exe C:\Users\Admin\AppData\Roaming\X1.exe
PID 2208 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\fd15b9b162dcbe4f16157d4b13f69a6b2ede55fcd5ddb2a19bce8eb68a363e43.exe C:\Users\Admin\AppData\Roaming\X1.exe
PID 2208 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\fd15b9b162dcbe4f16157d4b13f69a6b2ede55fcd5ddb2a19bce8eb68a363e43.exe C:\Users\Admin\AppData\Roaming\X2.exe
PID 2208 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\fd15b9b162dcbe4f16157d4b13f69a6b2ede55fcd5ddb2a19bce8eb68a363e43.exe C:\Users\Admin\AppData\Roaming\X2.exe
PID 2208 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\fd15b9b162dcbe4f16157d4b13f69a6b2ede55fcd5ddb2a19bce8eb68a363e43.exe C:\Users\Admin\AppData\Roaming\X2.exe
PID 2208 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\fd15b9b162dcbe4f16157d4b13f69a6b2ede55fcd5ddb2a19bce8eb68a363e43.exe C:\Users\Admin\AppData\Roaming\build.exe
PID 2208 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\fd15b9b162dcbe4f16157d4b13f69a6b2ede55fcd5ddb2a19bce8eb68a363e43.exe C:\Users\Admin\AppData\Roaming\build.exe
PID 2208 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\fd15b9b162dcbe4f16157d4b13f69a6b2ede55fcd5ddb2a19bce8eb68a363e43.exe C:\Users\Admin\AppData\Roaming\build.exe
PID 2208 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\fd15b9b162dcbe4f16157d4b13f69a6b2ede55fcd5ddb2a19bce8eb68a363e43.exe C:\Users\Admin\AppData\Roaming\build.exe
PID 2388 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\X1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2388 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\X1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2388 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Roaming\X1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1396 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Roaming\X2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1396 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Roaming\X2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1396 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Roaming\X2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2388 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Roaming\X1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2388 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Roaming\X1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2388 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Roaming\X1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1396 wrote to memory of 860 N/A C:\Users\Admin\AppData\Roaming\X2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1396 wrote to memory of 860 N/A C:\Users\Admin\AppData\Roaming\X2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1396 wrote to memory of 860 N/A C:\Users\Admin\AppData\Roaming\X2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1396 wrote to memory of 596 N/A C:\Users\Admin\AppData\Roaming\X2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1396 wrote to memory of 596 N/A C:\Users\Admin\AppData\Roaming\X2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1396 wrote to memory of 596 N/A C:\Users\Admin\AppData\Roaming\X2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2388 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Roaming\X1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2388 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Roaming\X1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2388 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Roaming\X1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1396 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Roaming\X2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1396 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Roaming\X2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1396 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Roaming\X2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2388 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Roaming\X1.exe C:\Windows\System32\schtasks.exe
PID 2388 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Roaming\X1.exe C:\Windows\System32\schtasks.exe
PID 2388 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Roaming\X1.exe C:\Windows\System32\schtasks.exe
PID 1396 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Roaming\X2.exe C:\Windows\System32\schtasks.exe
PID 1396 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Roaming\X2.exe C:\Windows\System32\schtasks.exe
PID 1396 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Roaming\X2.exe C:\Windows\System32\schtasks.exe
PID 1604 wrote to memory of 3028 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 1604 wrote to memory of 3028 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 1604 wrote to memory of 3028 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 1604 wrote to memory of 2664 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\X1.exe
PID 1604 wrote to memory of 2664 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\X1.exe
PID 1604 wrote to memory of 2664 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\X1.exe
PID 1604 wrote to memory of 3000 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 1604 wrote to memory of 3000 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 1604 wrote to memory of 3000 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 1604 wrote to memory of 1520 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\X1.exe
PID 1604 wrote to memory of 1520 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\X1.exe
PID 1604 wrote to memory of 1520 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\X1.exe
PID 1604 wrote to memory of 1020 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 1604 wrote to memory of 1020 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 1604 wrote to memory of 1020 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\explorer.exe
PID 1604 wrote to memory of 708 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\X1.exe
PID 1604 wrote to memory of 708 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\X1.exe
PID 1604 wrote to memory of 708 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\X1.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\fd15b9b162dcbe4f16157d4b13f69a6b2ede55fcd5ddb2a19bce8eb68a363e43.exe

"C:\Users\Admin\AppData\Local\Temp\fd15b9b162dcbe4f16157d4b13f69a6b2ede55fcd5ddb2a19bce8eb68a363e43.exe"

C:\Users\Admin\AppData\Roaming\X1.exe

"C:\Users\Admin\AppData\Roaming\X1.exe"

C:\Users\Admin\AppData\Roaming\X2.exe

"C:\Users\Admin\AppData\Roaming\X2.exe"

C:\Users\Admin\AppData\Roaming\build.exe

"C:\Users\Admin\AppData\Roaming\build.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\X1.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\X2.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X1.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X2.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\X1.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "X1" /tr "C:\Users\Admin\AppData\Roaming\X1.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {7D6CFA98-3342-49BC-A1A7-3E186AF8D8D3} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\X1.exe

C:\Users\Admin\AppData\Roaming\X1.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\X1.exe

C:\Users\Admin\AppData\Roaming\X1.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\X1.exe

C:\Users\Admin\AppData\Roaming\X1.exe

Network

Country | Destination | Domain | Proto
NL | 91.92.252.220:1337 | N/A | tcp
US | 8.8.8.8:53 | ip-api.com | udp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
NL | 149.154.167.220:443 | api.telegram.org | tcp
NL | 91.92.252.220:4442 | N/A | tcp
NL | 91.92.252.220:7000 | N/A | tcp
NL | 91.92.252.220:1337 | N/A | tcp
N/A | 127.0.0.1:7000 | N/A | tcp
NL | 91.92.252.220:4442 | N/A | tcp
N/A | 127.0.0.1:7000 | N/A | tcp
N/A | 127.0.0.1:7000 | N/A | tcp
NL | 91.92.252.220:1337 | N/A | tcp
N/A | 127.0.0.1:7000 | N/A | tcp
N/A | 127.0.0.1:7000 | N/A | tcp
N/A | 127.0.0.1:7000 | N/A | tcp
NL | 91.92.252.220:4442 | N/A | tcp
NL | 91.92.252.220:1337 | N/A | tcp
NL | 91.92.252.220:7000 | N/A | tcp
NL | 91.92.252.220:1337 | N/A | tcp
NL | 91.92.252.220:4442 | N/A | tcp
NL | 91.92.252.220:7000 | N/A | tcp
NL | 91.92.252.220:1337 | N/A | tcp
NL | 91.92.252.220:4442 | N/A | tcp
NL | 91.92.252.220:7000 | N/A | tcp

Files

memory/2208-0-0x0000000000CF0000-0x0000000000D28000-memory.dmp

memory/2208-1-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

C:\Users\Admin\AppData\Roaming\X1.exe

MD5 2ab2f26ab78dbd53cea3b71c00d568c2
SHA1 53f0a2fdde2f1fe6e1ad44b87b8325624cdeb3fa
SHA256 1f204b43acfdf5d1088f37b2159d98d5500bdaeec99cd3f0d6e8ceb77282351b
SHA512 677cf83b6ed165d8ba5734e95bb1b53305cc69cd6a98edd26f2d8ca75978828d734b36739dbb58bf5b7830fe9c6ff894d4d9bf2aebe7285ba1c7de73f5c90e8d

memory/1396-16-0x00000000003F0000-0x0000000000402000-memory.dmp

C:\Users\Admin\AppData\Roaming\build.exe

MD5 60e00124f9d54b2d423f02dc81b57127
SHA1 a250651ba1f3eb72bcf0f24a31ff2a66b0a39959
SHA256 ece58cdda5d85a7fe7d7262313b8041e3c988d814b7dd60f0468dbb7109596ba
SHA512 4a5b7529c9fd3325632a13fde5b01cd4bd21258fca2c358d3322127f9c74b86c69250a673d9fe9878a2c828870026661df62a3b95d5235b378bf83ff29a82add

memory/2388-18-0x0000000001010000-0x0000000001022000-memory.dmp

C:\Users\Admin\AppData\Roaming\X2.exe

MD5 f8c0512008daff966ef349e7178d1239
SHA1 2a74048cf5009ab0f850e3992ffe7a453e3e18a5
SHA256 b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6
SHA512 f8c208da88e213f96531b09ea4cdffd82368373aeb9868f11e35135052cf80ffceb89c64da83969aa2df3505579fefc673a0e6346b3b6c361a7d29089f56a3fa

memory/2388-19-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

memory/1396-21-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

memory/2208-23-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

memory/1988-22-0x0000000000360000-0x000000000037E000-memory.dmp

memory/1988-24-0x0000000074B00000-0x00000000751EE000-memory.dmp

memory/1988-25-0x00000000046C0000-0x0000000004700000-memory.dmp

memory/1396-26-0x000000001B250000-0x000000001B2D0000-memory.dmp

memory/2388-27-0x000000001B2A0000-0x000000001B320000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TWIJX8G4BA8269KJK6Z1.temp

MD5 e0467f4b771e6ae0dc0c0dce076180b2
SHA1 6fb755bc70a8c84a6c61416899899b40f64950b4
SHA256 2a4bc1409cd4fc53d5f9fb34f17768796a29ca73d5e24c69df25f0cdee159762
SHA512 090de919125f71a6fd43c0814a4414f5de8c8abbe9957126cf0de45bb52fc4d1eb9aaa805a32cca2a005be58f5a9d483bde8db0c67248b9ca02bb6d62dc2f0da

memory/2828-32-0x000000001B800000-0x000000001BAE2000-memory.dmp

memory/2828-38-0x0000000002240000-0x0000000002248000-memory.dmp

memory/2828-39-0x000007FEEEA00000-0x000007FEEF39D000-memory.dmp

memory/2828-40-0x0000000002E20000-0x0000000002EA0000-memory.dmp

memory/2828-42-0x000007FEEEA00000-0x000007FEEF39D000-memory.dmp

memory/2828-43-0x0000000002E2B000-0x0000000002E92000-memory.dmp

memory/1552-44-0x000007FEEEA00000-0x000007FEEF39D000-memory.dmp

memory/1552-45-0x0000000002BE0000-0x0000000002C60000-memory.dmp

memory/2828-41-0x0000000002E24000-0x0000000002E27000-memory.dmp

memory/1552-46-0x000007FEEEA00000-0x000007FEEF39D000-memory.dmp

memory/1552-48-0x0000000002BE0000-0x0000000002C60000-memory.dmp

memory/1552-47-0x0000000002BE4000-0x0000000002BE7000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2528-62-0x0000000001E80000-0x0000000001E88000-memory.dmp

memory/2528-63-0x000007FEEE060000-0x000007FEEE9FD000-memory.dmp

memory/2528-64-0x0000000002D30000-0x0000000002DB0000-memory.dmp

memory/2528-65-0x000007FEEE060000-0x000007FEEE9FD000-memory.dmp

memory/2528-66-0x0000000002D30000-0x0000000002DB0000-memory.dmp

memory/2388-61-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

memory/860-68-0x0000000002800000-0x0000000002880000-memory.dmp

memory/860-70-0x000007FEEE060000-0x000007FEEE9FD000-memory.dmp

memory/860-72-0x0000000002800000-0x0000000002880000-memory.dmp

memory/2528-73-0x0000000002D30000-0x0000000002DB0000-memory.dmp

memory/2528-74-0x0000000002D30000-0x0000000002DB0000-memory.dmp

memory/860-71-0x000000000280B000-0x0000000002872000-memory.dmp

memory/860-69-0x0000000002800000-0x0000000002880000-memory.dmp

memory/860-67-0x000007FEEE060000-0x000007FEEE9FD000-memory.dmp

memory/2528-54-0x000000001B620000-0x000000001B902000-memory.dmp

memory/2528-76-0x000007FEEE060000-0x000007FEEE9FD000-memory.dmp

memory/1396-81-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

memory/596-82-0x000007FEEE060000-0x000007FEEE9FD000-memory.dmp

memory/596-91-0x0000000002D94000-0x0000000002D97000-memory.dmp

memory/1828-93-0x0000000002AA0000-0x0000000002B20000-memory.dmp

memory/596-94-0x000007FEEE060000-0x000007FEEE9FD000-memory.dmp

memory/1988-99-0x0000000074B00000-0x00000000751EE000-memory.dmp

memory/1828-100-0x000007FEEE060000-0x000007FEEE9FD000-memory.dmp

memory/1988-106-0x00000000046C0000-0x0000000004700000-memory.dmp

memory/1828-98-0x0000000002AAB000-0x0000000002B12000-memory.dmp

memory/1916-107-0x000007FEEEA00000-0x000007FEEF39D000-memory.dmp

memory/1828-97-0x0000000002AA0000-0x0000000002B20000-memory.dmp

memory/1828-96-0x0000000002AA0000-0x0000000002B20000-memory.dmp

memory/1916-108-0x0000000002940000-0x00000000029C0000-memory.dmp

memory/1828-95-0x000007FEEE060000-0x000007FEEE9FD000-memory.dmp

memory/1916-111-0x0000000002940000-0x00000000029C0000-memory.dmp

memory/1916-112-0x0000000002940000-0x00000000029C0000-memory.dmp

memory/1916-115-0x000007FEEEA00000-0x000007FEEF39D000-memory.dmp

memory/1916-110-0x0000000002940000-0x00000000029C0000-memory.dmp

memory/1916-109-0x000007FEEEA00000-0x000007FEEF39D000-memory.dmp

memory/596-92-0x000007FEEE060000-0x000007FEEE9FD000-memory.dmp

memory/596-90-0x0000000002D9B000-0x0000000002E02000-memory.dmp

memory/596-83-0x0000000002D90000-0x0000000002E10000-memory.dmp

memory/2388-121-0x000000001B2A0000-0x000000001B320000-memory.dmp

memory/1396-120-0x000000001B250000-0x000000001B2D0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-25 02:13

Reported

2024-04-25 02:16

Platform

win10v2004-20240412-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fd15b9b162dcbe4f16157d4b13f69a6b2ede55fcd5ddb2a19bce8eb68a363e43.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables using Telegram Chat Bot

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fd15b9b162dcbe4f16157d4b13f69a6b2ede55fcd5ddb2a19bce8eb68a363e43.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\X2.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\X1.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk | C:\Users\Admin\AppData\Roaming\X2.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X1.lnk | C:\Users\Admin\AppData\Roaming\X1.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X1.lnk | C:\Users\Admin\AppData\Roaming\X1.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk | C:\Users\Admin\AppData\Roaming\X2.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\X1 = "C:\\Users\\Admin\\AppData\\Roaming\\X1.exe" | C:\Users\Admin\AppData\Roaming\X1.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" | C:\Users\Admin\AppData\Roaming\X2.exe | N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\X1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\X2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\X1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\X1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\X2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\X2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\X2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\X1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\build.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\X1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\X2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\X1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\X1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\X1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\X1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\X2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4408 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\fd15b9b162dcbe4f16157d4b13f69a6b2ede55fcd5ddb2a19bce8eb68a363e43.exe C:\Users\Admin\AppData\Roaming\X1.exe
PID 4408 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\fd15b9b162dcbe4f16157d4b13f69a6b2ede55fcd5ddb2a19bce8eb68a363e43.exe C:\Users\Admin\AppData\Roaming\X1.exe
PID 4408 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\fd15b9b162dcbe4f16157d4b13f69a6b2ede55fcd5ddb2a19bce8eb68a363e43.exe C:\Users\Admin\AppData\Roaming\X2.exe
PID 4408 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\fd15b9b162dcbe4f16157d4b13f69a6b2ede55fcd5ddb2a19bce8eb68a363e43.exe C:\Users\Admin\AppData\Roaming\X2.exe
PID 4408 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\fd15b9b162dcbe4f16157d4b13f69a6b2ede55fcd5ddb2a19bce8eb68a363e43.exe C:\Users\Admin\AppData\Roaming\build.exe
PID 4408 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\fd15b9b162dcbe4f16157d4b13f69a6b2ede55fcd5ddb2a19bce8eb68a363e43.exe C:\Users\Admin\AppData\Roaming\build.exe
PID 4408 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\fd15b9b162dcbe4f16157d4b13f69a6b2ede55fcd5ddb2a19bce8eb68a363e43.exe C:\Users\Admin\AppData\Roaming\build.exe
PID 3520 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Roaming\X1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3520 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Roaming\X1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Roaming\X2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Roaming\X2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3520 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Roaming\X1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3520 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Roaming\X1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Roaming\X2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Roaming\X2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Roaming\X2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Roaming\X2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3520 wrote to memory of 64 N/A C:\Users\Admin\AppData\Roaming\X1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3520 wrote to memory of 64 N/A C:\Users\Admin\AppData\Roaming\X1.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Roaming\X2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Roaming\X2.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3520 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Roaming\X1.exe C:\Windows\System32\schtasks.exe
PID 3520 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Roaming\X1.exe C:\Windows\System32\schtasks.exe
PID 4132 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Roaming\X2.exe C:\Windows\System32\schtasks.exe
PID 4132 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Roaming\X2.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\fd15b9b162dcbe4f16157d4b13f69a6b2ede55fcd5ddb2a19bce8eb68a363e43.exe

"C:\Users\Admin\AppData\Local\Temp\fd15b9b162dcbe4f16157d4b13f69a6b2ede55fcd5ddb2a19bce8eb68a363e43.exe"

C:\Users\Admin\AppData\Roaming\X1.exe

"C:\Users\Admin\AppData\Roaming\X1.exe"

C:\Users\Admin\AppData\Roaming\X2.exe

"C:\Users\Admin\AppData\Roaming\X2.exe"

C:\Users\Admin\AppData\Roaming\build.exe

"C:\Users\Admin\AppData\Roaming\build.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\X2.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\X1.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X1.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X2.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\X1.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "X1" /tr "C:\Users\Admin\AppData\Roaming\X1.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"

C:\Users\Admin\AppData\Roaming\X1.exe

C:\Users\Admin\AppData\Roaming\X1.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\X1.exe

C:\Users\Admin\AppData\Roaming\X1.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\X1.exe

C:\Users\Admin\AppData\Roaming\X1.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

C:\Users\Admin\AppData\Roaming\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
NL 91.92.252.220:1337 tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 198.32.209.4.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
NL 91.92.252.220:4442 tcp
N/A 127.0.0.1:7000 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
N/A 127.0.0.1:7000 tcp
NL 91.92.252.220:1337 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
N/A 127.0.0.1:7000 tcp
NL 91.92.252.220:4442 tcp
N/A 127.0.0.1:7000 tcp
NL 91.92.252.220:7000 tcp
NL 91.92.252.220:1337 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
NL 91.92.252.220:4442 tcp
NL 91.92.252.220:7000 tcp
NL 91.92.252.220:1337 tcp
NL 91.92.252.220:4442 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
NL 91.92.252.220:1337 tcp
NL 91.92.252.220:7000 tcp
NL 91.92.252.220:4442 tcp
NL 91.92.252.220:1337 tcp
NL 91.92.252.220:7000 tcp
NL 91.92.252.220:4442 tcp

Files

memory/4408-0-0x0000000000910000-0x0000000000948000-memory.dmp

C:\Users\Admin\AppData\Roaming\X1.exe

MD5 2ab2f26ab78dbd53cea3b71c00d568c2
SHA1 53f0a2fdde2f1fe6e1ad44b87b8325624cdeb3fa
SHA256 1f204b43acfdf5d1088f37b2159d98d5500bdaeec99cd3f0d6e8ceb77282351b
SHA512 677cf83b6ed165d8ba5734e95bb1b53305cc69cd6a98edd26f2d8ca75978828d734b36739dbb58bf5b7830fe9c6ff894d4d9bf2aebe7285ba1c7de73f5c90e8d

memory/4408-9-0x00007FFEF7B70000-0x00007FFEF8631000-memory.dmp

C:\Users\Admin\AppData\Roaming\X2.exe

MD5 f8c0512008daff966ef349e7178d1239
SHA1 2a74048cf5009ab0f850e3992ffe7a453e3e18a5
SHA256 b019a47dc528a7197129adec69ea6813c28e60884c267cd297524296861a9ed6
SHA512 f8c208da88e213f96531b09ea4cdffd82368373aeb9868f11e35135052cf80ffceb89c64da83969aa2df3505579fefc673a0e6346b3b6c361a7d29089f56a3fa

C:\Users\Admin\AppData\Roaming\build.exe

MD5 60e00124f9d54b2d423f02dc81b57127
SHA1 a250651ba1f3eb72bcf0f24a31ff2a66b0a39959
SHA256 ece58cdda5d85a7fe7d7262313b8041e3c988d814b7dd60f0468dbb7109596ba
SHA512 4a5b7529c9fd3325632a13fde5b01cd4bd21258fca2c358d3322127f9c74b86c69250a673d9fe9878a2c828870026661df62a3b95d5235b378bf83ff29a82add

memory/3520-37-0x00007FFEF7B70000-0x00007FFEF8631000-memory.dmp

memory/4408-38-0x00007FFEF7B70000-0x00007FFEF8631000-memory.dmp

memory/4132-33-0x0000000000460000-0x0000000000472000-memory.dmp

memory/3520-34-0x00000000006F0000-0x0000000000702000-memory.dmp

memory/4132-39-0x00007FFEF7B70000-0x00007FFEF8631000-memory.dmp

memory/4912-42-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/4912-41-0x0000000000280000-0x000000000029E000-memory.dmp

memory/4912-43-0x0000000005320000-0x0000000005938000-memory.dmp

memory/4912-44-0x0000000004C40000-0x0000000004C52000-memory.dmp

memory/4912-45-0x0000000004CA0000-0x0000000004CDC000-memory.dmp

memory/4912-46-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/4912-47-0x0000000004D00000-0x0000000004D4C000-memory.dmp

memory/4912-48-0x0000000004F50000-0x000000000505A000-memory.dmp

memory/4132-49-0x000000001B180000-0x000000001B190000-memory.dmp

memory/3520-50-0x0000000000F00000-0x0000000000F10000-memory.dmp

memory/3356-52-0x0000013AFF530000-0x0000013AFF540000-memory.dmp

memory/2796-51-0x00007FFEF7B70000-0x00007FFEF8631000-memory.dmp

memory/3356-53-0x0000013AFF530000-0x0000013AFF540000-memory.dmp

memory/2796-54-0x0000016D74660000-0x0000016D74670000-memory.dmp

memory/3356-65-0x00007FFEF7B70000-0x00007FFEF8631000-memory.dmp

memory/3356-64-0x0000013AFFEF0000-0x0000013AFFF12000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1iwe05qt.0yh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

memory/3356-81-0x00007FFEF7B70000-0x00007FFEF8631000-memory.dmp

memory/2796-80-0x00007FFEF7B70000-0x00007FFEF8631000-memory.dmp

memory/2928-82-0x00007FFEF7B70000-0x00007FFEF8631000-memory.dmp

memory/1416-102-0x00007FFEF7B70000-0x00007FFEF8631000-memory.dmp

memory/2928-106-0x0000024A3F890000-0x0000024A3F8A0000-memory.dmp

memory/1416-105-0x0000018E92B50000-0x0000018E92B60000-memory.dmp

memory/1416-104-0x0000018E92B50000-0x0000018E92B60000-memory.dmp

memory/2928-103-0x0000024A3F890000-0x0000024A3F8A0000-memory.dmp

memory/2928-108-0x00007FFEF7B70000-0x00007FFEF8631000-memory.dmp

memory/3520-109-0x00007FFEF7B70000-0x00007FFEF8631000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 15dde0683cd1ca19785d7262f554ba93
SHA1 d039c577e438546d10ac64837b05da480d06bf69
SHA256 d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961
SHA512 57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

memory/1416-112-0x00007FFEF7B70000-0x00007FFEF8631000-memory.dmp

memory/1436-118-0x00007FFEF7B70000-0x00007FFEF8631000-memory.dmp

memory/4132-124-0x00007FFEF7B70000-0x00007FFEF8631000-memory.dmp

memory/1436-125-0x00000181BF880000-0x00000181BF890000-memory.dmp

memory/4912-126-0x0000000074550000-0x0000000074D00000-memory.dmp

memory/1436-127-0x00000181BF880000-0x00000181BF890000-memory.dmp

memory/1436-139-0x00007FFEF7B70000-0x00007FFEF8631000-memory.dmp

memory/64-140-0x000001B3DF790000-0x000001B3DF7A0000-memory.dmp

memory/64-138-0x00007FFEF7B70000-0x00007FFEF8631000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e88646a57424aa8953b2c771e3229055
SHA1 835ef35327be0c2c8f970ad03ac5f60a563246c7
SHA256 dcbbda89fbf07f270ca30be6b7be1d1bed40ba6ce5043d31cc0129da146df61d
SHA512 7c028158bbd9877f4b2c36d5af81d0e2d990553ef8a9398b9137351f17f6927b034d2abb255a9a9af5362f8d28029e82a714b3cc1df57c527443176e36d25398

memory/64-142-0x000001B3DF790000-0x000001B3DF7A0000-memory.dmp

memory/4912-143-0x0000000004CF0000-0x0000000004D00000-memory.dmp

memory/4012-145-0x000002A726290000-0x000002A7262A0000-memory.dmp

memory/4012-144-0x00007FFEF7B70000-0x00007FFEF8631000-memory.dmp

memory/64-156-0x00007FFEF7B70000-0x00007FFEF8631000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 60945d1a2e48da37d4ce8d9c56b6845a
SHA1 83e80a6acbeb44b68b0da00b139471f428a9d6c1
SHA256 314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3
SHA512 5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

memory/4012-159-0x00007FFEF7B70000-0x00007FFEF8631000-memory.dmp

memory/4132-165-0x000000001B180000-0x000000001B190000-memory.dmp

memory/3520-166-0x0000000000F00000-0x0000000000F10000-memory.dmp

memory/4152-168-0x00007FFEF7B70000-0x00007FFEF8631000-memory.dmp

memory/3220-171-0x00007FFEF7B70000-0x00007FFEF8631000-memory.dmp

memory/4152-173-0x00007FFEF7B70000-0x00007FFEF8631000-memory.dmp

memory/3220-175-0x00007FFEF7B70000-0x00007FFEF8631000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\X1.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

memory/3360-180-0x00007FFEF7B70000-0x00007FFEF8631000-memory.dmp

memory/2156-183-0x00007FFEF7B70000-0x00007FFEF8631000-memory.dmp

memory/3360-184-0x00007FFEF7B70000-0x00007FFEF8631000-memory.dmp

memory/2156-185-0x00007FFEF7B70000-0x00007FFEF8631000-memory.dmp

memory/232-187-0x00007FFEF7B70000-0x00007FFEF8631000-memory.dmp

memory/3512-189-0x00007FFEF7B70000-0x00007FFEF8631000-memory.dmp