xworm | 05026b12b16aa7ffb8aa35c47e1d967b17459eb313f443dfaffd528842df5ba2

General

Target

Vbucks-gen.exe
Size

229KB
MD5

6b8f6f416051d2947c802eeb3710077b
SHA1

02f986ff007d5867d1d638f72c61e7231c0374d2
SHA256

05026b12b16aa7ffb8aa35c47e1d967b17459eb313f443dfaffd528842df5ba2
SHA512

0ea970a737ca8d49af5d1008eb254027d939aea1d98af5b8bdae2b092279c2420b1c52f49becda0f23f955e02fbf33c4a78af74935cf94743f553bad6db64480
SSDEEP

3072:y85g8Zl3CCzlgJQmzcAkWENrrlKVAvYkzQfQj7oIhGwubdjdhO9dRgeX77fizS:jpZlSIWpqnloO9oqgbLsAeX3az

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

C2

192.168.0.197:9999

Mutex

7u0t4YhJyvkbGmU0

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5116-0-0x0000000000E10000-0x0000000000E4E000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Vbucks-gen.exe	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

Processes:

Vbucks-gen.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Vbucks-gen.exe	Vbucks-gen.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Vbucks-gen.exe	Vbucks-gen.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com

flow	ioc
3	ip-api.com

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133587584021195691"	chrome.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
1692	chrome.exe
1692	chrome.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

1692 chrome.exe
1692 chrome.exe
1692 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Vbucks-gen.exechrome.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	5116	Vbucks-gen.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeDebugPrivilege	3992	taskmgr.exe
Token: SeSystemProfilePrivilege	3992	taskmgr.exe
Token: SeCreateGlobalPrivilege	3992	taskmgr.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe

Suspicious use of FindShellTrayWindow 62 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe

Suspicious use of SendNotifyMessage 60 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe
3992	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1692 wrote to memory of 2104	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 2104	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 2088	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 2088	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 2088	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 2088	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 2088	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 2088	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 2088	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 2088	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 2088	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 2088	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 2088	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 2088	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 2088	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 2088	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 2088	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 2088	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 2088	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 2088	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 2088	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 2088	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 2088	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 2088	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 2088	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 2088	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 2088	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 2088	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 2088	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 2088	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 2088	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 2088	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1916	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 1916	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 3468	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 3468	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 3468	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 3468	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 3468	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 3468	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 3468	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 3468	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 3468	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 3468	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 3468	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 3468	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 3468	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 3468	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 3468	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 3468	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 3468	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 3468	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 3468	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 3468	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 3468	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 3468	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 3468	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 3468	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 3468	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 3468	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 3468	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 3468	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 3468	1692	chrome.exe	chrome.exe
PID 1692 wrote to memory of 3468	1692	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\Vbucks-gen.exe
"C:\Users\Admin\AppData\Local\Temp\Vbucks-gen.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0x78,0x104,0x7ffc12d1cc40,0x7ffc12d1cc4c,0x7ffc12d1cc58
2⤵
PID:2104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,15341010517147211563,4409056699683956554,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1944 /prefetch:2
2⤵
PID:2088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2032,i,15341010517147211563,4409056699683956554,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2192 /prefetch:3
2⤵
PID:1916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,15341010517147211563,4409056699683956554,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2316 /prefetch:8
2⤵
PID:3468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,15341010517147211563,4409056699683956554,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3180 /prefetch:1
2⤵
PID:3696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,15341010517147211563,4409056699683956554,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3336 /prefetch:1
2⤵
PID:3904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3692,i,15341010517147211563,4409056699683956554,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3724 /prefetch:1
2⤵
PID:2436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4772,i,15341010517147211563,4409056699683956554,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4784 /prefetch:8
2⤵
PID:4296

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:2336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3024

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3992

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
Filesize
649B

MD5
5580afc001648f5c12f1003919f75812

SHA1
9db600114e7d29814c64b5589d82bde9a8b76ca9

SHA256
376d9675b5ac99e37970ef1e48e3a05a69b6928319208a167e26d86c64a91eee

SHA512
a600b9d11ac5610f70101bd5a5fe7f4dc1400edfd47a917664d523130466cb885640aa8947dbe69f4f6b737f8688343d7e440a521142d0ef376138eef1a0c4f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
6e83c59671a6f876d94aaac0fb2246c6

SHA1
000ee513ddaf7082d59fcb139bfccf4d215c1111

SHA256
b5cf94f651158a72b7cb741cd0132578c7965a6fb3d5085f55a2e0ffd6102810

SHA512
74ffe113effa7027c6cb74a8146a3f51d20477d4a69fba141e74b3ca2e20c9da1c550f00a9bd2bcd7bd3029187fdd369ff09d0f433c2e23863b497b829a84810

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
0cd305c8487e8171604742a374bb7924

SHA1
e3b7fc4ba83a560980840741ed6f6e7bdb1f1f95

SHA256
3164b8aa479575e95c1985dfda04edd0c0d800fe09a14aacac539027991c7588

SHA512
9d251fe646be136f9ba01cbcfdcebdbb163cc890a70450b99b7dff035eb4a76240fff3b5f500c909704e673944b38fd7f6e02eb3750e0d141dea6ee5174f0f49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
77KB

MD5
d7910d7c8e886c64f8c49986716c88b5

SHA1
f1b4b47b5555891be2e805aa7ddfd5b873064cdb

SHA256
4d5850b8bae91421d0be244e8c188d79192ab30e66c1996a73dbb42e666e55e3

SHA512
4ac9a24afa5a01064ac2bc96d5d49ad908dd06a108bf32564d70be88756507f850d48d5537e4978469cbd665d2c265ce0293ab88add1bc191a87e56a5b8f6792

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Vbucks-gen.exe
Filesize
229KB

MD5
6b8f6f416051d2947c802eeb3710077b

SHA1
02f986ff007d5867d1d638f72c61e7231c0374d2

SHA256
05026b12b16aa7ffb8aa35c47e1d967b17459eb313f443dfaffd528842df5ba2

SHA512
0ea970a737ca8d49af5d1008eb254027d939aea1d98af5b8bdae2b092279c2420b1c52f49becda0f23f955e02fbf33c4a78af74935cf94743f553bad6db64480

Download Submit
\??\pipe\crashpad_1692_CVGTNPRZMYODYPGP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3992-50-0x00000260FC340000-0x00000260FC341000-memory.dmp

Filesize
4KB

Download
memory/3992-59-0x00000260FC340000-0x00000260FC341000-memory.dmp

Filesize
4KB

Download
memory/3992-54-0x00000260FC340000-0x00000260FC341000-memory.dmp

Filesize
4KB

Download
memory/3992-55-0x00000260FC340000-0x00000260FC341000-memory.dmp

Filesize
4KB

Download
memory/3992-49-0x00000260FC340000-0x00000260FC341000-memory.dmp

Filesize
4KB

Download
memory/3992-48-0x00000260FC340000-0x00000260FC341000-memory.dmp

Filesize
4KB

Download
memory/3992-60-0x00000260FC340000-0x00000260FC341000-memory.dmp

Filesize
4KB

Download
memory/3992-56-0x00000260FC340000-0x00000260FC341000-memory.dmp

Filesize
4KB

Download
memory/3992-58-0x00000260FC340000-0x00000260FC341000-memory.dmp

Filesize
4KB

Download
memory/3992-57-0x00000260FC340000-0x00000260FC341000-memory.dmp

Filesize
4KB

Download
memory/5116-36-0x00007FFC1B380000-0x00007FFC1BE41000-memory.dmp

Filesize
10.8MB

Download
memory/5116-0-0x0000000000E10000-0x0000000000E4E000-memory.dmp

Filesize
248KB

Download
memory/5116-47-0x000000001BB80000-0x000000001BB90000-memory.dmp

Filesize
64KB

Download
memory/5116-2-0x000000001BB80000-0x000000001BB90000-memory.dmp

Filesize
64KB

Download
memory/5116-1-0x00007FFC1B380000-0x00007FFC1BE41000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads