xworm | 8641f88b89c9076ece3ee571baa4b3c93ba3ac3883e90fe5f894dc41e3b7bdc7

Analysis

max time kernel
36s
max time network
98s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
02-05-2024 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ro-exec/Defender_Settings.vbs
Size

313B
MD5

b0bf0a477bcca312021177572311e666
SHA1

ea77332d7779938ae8e92ad35d6dea4f4be37a92
SHA256

af42a17d428c8e9d6f4a6d3393ec268f4d12bbfd01a897d87275482a45c847e9
SHA512

09366608f2670d2eb0e8ddcacd081a7b2d7b680c4cdd02494d08821dbdf17595b30e88f6ce0888591592e7caa422414a895846a268fd63e8243074972c9f52d8

Score

10^/10

xworm execution rat trojan upx

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%Public%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/UWpQULMP

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2008-214-0x0000000000D40000-0x0000000000D58000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2332	powershell.exe
3060	powershell.exe
1532	powershell.exe
2724	powershell.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1700-116-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1700-138-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/612-139-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/612-161-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1736-182-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1736-213-0x0000000000400000-0x00000000004CD000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
61	pastebin.com
62	pastebin.com

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1700-138-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/612-139-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/612-161-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/1736-182-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/1736-213-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2952	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2556	chrome.exe
2556	chrome.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe
Token: SeShutdownPrivilege	2556	chrome.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe
2556	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2824	2156	WScript.exe	28
PID 2156 wrote to memory of 2824	2156	WScript.exe	28
PID 2156 wrote to memory of 2824	2156	WScript.exe	28
PID 2556 wrote to memory of 2224	2556	chrome.exe	30
PID 2556 wrote to memory of 2224	2556	chrome.exe	30
PID 2556 wrote to memory of 2224	2556	chrome.exe	30
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2728	2556	chrome.exe	32
PID 2556 wrote to memory of 2468	2556	chrome.exe	33
PID 2556 wrote to memory of 2468	2556	chrome.exe	33
PID 2556 wrote to memory of 2468	2556	chrome.exe	33
PID 2556 wrote to memory of 2488	2556	chrome.exe	34
PID 2556 wrote to memory of 2488	2556	chrome.exe	34
PID 2556 wrote to memory of 2488	2556	chrome.exe	34
PID 2556 wrote to memory of 2488	2556	chrome.exe	34
PID 2556 wrote to memory of 2488	2556	chrome.exe	34
PID 2556 wrote to memory of 2488	2556	chrome.exe	34
PID 2556 wrote to memory of 2488	2556	chrome.exe	34
PID 2556 wrote to memory of 2488	2556	chrome.exe	34
PID 2556 wrote to memory of 2488	2556	chrome.exe	34
PID 2556 wrote to memory of 2488	2556	chrome.exe	34
PID 2556 wrote to memory of 2488	2556	chrome.exe	34
PID 2556 wrote to memory of 2488	2556	chrome.exe	34
PID 2556 wrote to memory of 2488	2556	chrome.exe	34
PID 2556 wrote to memory of 2488	2556	chrome.exe	34
PID 2556 wrote to memory of 2488	2556	chrome.exe	34
PID 2556 wrote to memory of 2488	2556	chrome.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Ro-exec\Defender_Settings.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Program Files\Windows Defender\MSASCui.exe
  "C:\Program Files\Windows Defender\MSASCui.exe"
  2⤵
  PID:2824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef70d9758,0x7fef70d9768,0x7fef70d9778
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1228,i,10152553751076486392,3020175725957137115,131072 /prefetch:2
  2⤵
  PID:2728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1228,i,10152553751076486392,3020175725957137115,131072 /prefetch:8
  2⤵
  PID:2468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1552 --field-trial-handle=1228,i,10152553751076486392,3020175725957137115,131072 /prefetch:8
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2164 --field-trial-handle=1228,i,10152553751076486392,3020175725957137115,131072 /prefetch:1
  2⤵
  PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2292 --field-trial-handle=1228,i,10152553751076486392,3020175725957137115,131072 /prefetch:1
  2⤵
  PID:2312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1260 --field-trial-handle=1228,i,10152553751076486392,3020175725957137115,131072 /prefetch:2
  2⤵
  PID:1264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3224 --field-trial-handle=1228,i,10152553751076486392,3020175725957137115,131072 /prefetch:1
  2⤵
  PID:928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3368 --field-trial-handle=1228,i,10152553751076486392,3020175725957137115,131072 /prefetch:8
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3564 --field-trial-handle=1228,i,10152553751076486392,3020175725957137115,131072 /prefetch:8
  2⤵
  PID:2248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3496 --field-trial-handle=1228,i,10152553751076486392,3020175725957137115,131072 /prefetch:8
  2⤵
  PID:1872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3856 --field-trial-handle=1228,i,10152553751076486392,3020175725957137115,131072 /prefetch:1
  2⤵
  PID:912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3760 --field-trial-handle=1228,i,10152553751076486392,3020175725957137115,131072 /prefetch:1
  2⤵
  PID:1432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3544 --field-trial-handle=1228,i,10152553751076486392,3020175725957137115,131072 /prefetch:8
  2⤵
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2760 --field-trial-handle=1228,i,10152553751076486392,3020175725957137115,131072 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3424 --field-trial-handle=1228,i,10152553751076486392,3020175725957137115,131072 /prefetch:8
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3216 --field-trial-handle=1228,i,10152553751076486392,3020175725957137115,131072 /prefetch:8
  2⤵
  PID:944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 --field-trial-handle=1228,i,10152553751076486392,3020175725957137115,131072 /prefetch:8
  2⤵
  PID:2512

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2304

C:\Users\Admin\Downloads\krampus\Ro-exec\defcon.exe
"C:\Users\Admin\Downloads\krampus\Ro-exec\defcon.exe"
1⤵
PID:1700
- C:\Users\Admin\Downloads\krampus\Ro-exec\defcon.exe
  C:\Users\Admin\Downloads\krampus\Ro-exec\defcon.exe
  2⤵
  PID:612
- - C:\Users\Admin\Downloads\krampus\Ro-exec\defcon.exe
    "C:\Users\Admin\Downloads\krampus\Ro-exec\defcon.exe" /TI
    3⤵
    PID:1736

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240502185200.log C:\Windows\Logs\CBS\CbsPersist_20240502185200.cab
1⤵
PID:2500

C:\Users\Admin\Downloads\krampus\Ro-exec\loader-upd.exe
"C:\Users\Admin\Downloads\krampus\Ro-exec\loader-upd.exe"
1⤵
PID:2008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\krampus\Ro-exec\loader-upd.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'loader-upd.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2724
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Public\svchost.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2952

C:\Users\Admin\AppData\Local\Temp\Temp1_krampus (2).zip\krampus\loader-5.2.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_krampus (2).zip\krampus\loader-5.2.exe"
1⤵
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1f246f41a7cfd8898bd9e99a2b322137

SHA1
f316850901614153549a46dee835bcda0e953e22

SHA256
5cae26239c7d0bcade886b16067a60970c77f7fb85cbd5a3a56a9868497e9869

SHA512
93e1771cfca32bc60da0fe61801801b4ca6231b36d4f4c880aa7d3318436213a0d2f083f8898644269ac9484f1ff0ad373b742f6857acfcade38aa9661da408c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
97fe6fc0f72eb01abf499250ab71565c

SHA1
23dcaf8fb47f17f7aad0c1dbbc6a0d8c0da90a1e

SHA256
296120b15ebcbd2540e8b75ba103ae37b55031515fbbabb08956e79fb5c5e65e

SHA512
c26e4a8de633d088a94faa5e73a1fc3c262549102a2d38ec7f4adfd0944475ac901037afa5a603996f4649f9328815c5f560fe05632cfae666dc83d2ac2e65ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8e2513f4ce06808d6c3f49e2256f83fa

SHA1
25a1c9c24fb785cf606145af615376bc15806d49

SHA256
9452be600b69f760bd883dfce8b9f68c5b1a2de6095d00ece21e55585c8281cb

SHA512
29afb7c664d30fc6b9c17426c5812ddd244b560004207325aa8c18558809e3451541194749d1fc80fe38aab245e2021280411b3b46ff5c5e930e726b18fa3031

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\7f4a2584-624f-42d0-9d07-fb26bdbe292d.tmp

Filesize
6KB

MD5
9fe4c83c7e2dd15d3922ae840bc50cfa

SHA1
98d8b4782dbdbe901d1ccf714967fde1d1a7d27c

SHA256
33e77be17ff405384a722b365bca1babe045e44923fc4e06d132c9651bb9e4bd

SHA512
5f4a4d9ef737eb9e9aebbb0ad285b44eba4a74021502b900fbc796138de0f1278a5c1f5e397aef237dd0b314a24735c14343b8bb777ab0d1b12a9df89489357e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
2.3MB

MD5
67779feb2ad467d13e00aa85692b9395

SHA1
457bfde4f6d3651d91601254bc72e403e72109f6

SHA256
3bd1c3e8a64158ba90316a4edbbbcc77130dc0d05a720c4976d857bd9a26204c

SHA512
ec71da2fe8198b18901f38d5ad72ae35470350149733899c1e93a81ce9f13b951c7e48703b9e6a0bb6c25066d4e99a069071ff33cea4190611c4935a8b56b889

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
66d0fc9031fe4c609181a0ec5be61cd5

SHA1
50f59253de2f596641615a4c280c78e5a9c8e50f

SHA256
c2081c862e4d0cb3d73000edd96c138b5c1d299b0fb3f74a64994f1e9ac5ae28

SHA512
5974e3fec6f0597cc919586582463631c979c47d36a730bb003854f0626c72c4edf522b51b6e4ff21916d9dcdc135a050364ca095b945a70b99c00cb82dd58d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
66f1feda80dbe8284d04549da25647eb

SHA1
25c1fd0cacc1698c29e45b7622696aeb5367d703

SHA256
278756849f56c3fd34bd16f9ab78f72946d3a0b70304a8dd131a7656618de46a

SHA512
ae142b84f46d4d83d51e8b5fab9dffe3678263fda507b765578c86a259d591d7f6c33dca64cdbf9853222cf58b8431bb8a2cbd59fddbc4e6b3aeb0aa70c6f5a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
32d515ed2905e6593eba647c65e0b918

SHA1
e2260c65c487a2ba5643c97110455933b75652fc

SHA256
164875e7c6e6dc5d9b421f457620a72dea67f348b2bf5038e125d9b4908cfdfb

SHA512
ba0a58819986b3e195280bfe5f4b357e7a2dc0a91f865319daf08611bb9f09307676cb49929bca927ac3f67121989abcd957fff40a46c4b4add18d26c55db40d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
16f0f1f0c394ba5f0c3c1940d7babdf2

SHA1
7e02ac9f3185f93c11ae3d7d7bfc71a5bdd6fc0b

SHA256
faf7493d6beff77d7d59af5dfaf72b9bc5313d9cc8e651ff4f4ecca9ce312abe

SHA512
66648650358de133f4d2465b40917aa1ae2a96c8c03db9d6706dedea9c58a9dd6ad036746f401dbe7f1ba7929ed9162277e23de361c8fcaf7652c86dd9ead995

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b41e73ca6a79915fad852f1edb526551

SHA1
869adcdaeb4206468830989be1e46e1f6a372260

SHA256
d762b9b3fbec1cdc6fd89a2c7f04a067a74e39e573c9bb066cd1ce1773fff5e3

SHA512
e8686c4041b13d5c72a4548792d804bc6e36797f12f444bc5cc522619c130bd92a24b79d33e15919b62351ca3597019f9759aab1bf5183d028cc7d96a7674206

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1g7z0e0x.tmp

Filesize
37KB

MD5
3bc9acd9c4b8384fb7ce6c08db87df6d

SHA1
936c93e3a01d5ae30d05711a97bbf3dfa5e0921f

SHA256
a3d7de3d70c7673e8af7275eede44c1596156b6503a9614c47bad2c8e5fa3f79

SHA512
f8508376d9fb001bce10a8cc56da5c67b31ff220afd01fb57e736e961f3a563731e84d6a6c046123e1a5c16d31f39d9b07528b64a8f432eac7baa433e1d23375

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD22F.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD350.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD232.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD3B3.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
dd8ed33f332361afb768ce0f86ca6c4d

SHA1
e69463bc416a5e6de6fa27ff3d5fe93c3ca5af4b

SHA256
bb3210f62322d497bab97a87c134510d5f107e926e0e5d57e1b309b4cf29d220

SHA512
6009f473423a1423256a3dd9e10e4c081d0810ecb74aaf6c850b197828fab41cf92c51191f6989c539d986ebcee1bab23f3a5be10de8b6ec27ab9c6629683b72

Download Submit
C:\Users\Admin\Downloads\krampus.zip

Filesize
535KB

MD5
11e7644c95387c1860ce7e936c749f74

SHA1
a483dfec45aa156c31e5600b88ef043f23fbaaf1

SHA256
8641f88b89c9076ece3ee571baa4b3c93ba3ac3883e90fe5f894dc41e3b7bdc7

SHA512
d9ffbf735346887b7c4922fa6fb5a2c08d73cd8874cca3c36211b87138134ae718ecb16d593e7ca9aceb634ae7655cf61b2fd1d255be5f3b9f580aa072aef0f5

Download Submit
C:\Users\Admin\Downloads\krampus\Ro-exec\defcon.ini

Filesize
2KB

MD5
b59ad7be43529d3bb41d57d20ba0e11e

SHA1
201c2ece810632f5810f784a91e99a110f071440

SHA256
23337badaa5b912f8bb4eefd2e075924bc90fcffa5cf67817babd1d4239778e2

SHA512
df5a8dc7fa475d39b92f3fafebde40c9e5f465c1cd395414a2de5b21dbf496c6360b43ff21c79d8ffee29efa0b207f03aca49fff86159213999b292cab6b91d9

Download Submit
C:\Windows\Temp\autA8EC.tmp

Filesize
14KB

MD5
9d5a0ef18cc4bb492930582064c5330f

SHA1
2ec4168fd3c5ea9f2b0ab6acd676a5b4a95848c8

SHA256
8f5bbcc572bc62feb13a669f856d21886a61888fd6288afd066272a27ea79bb3

SHA512
1dc3387790b051c3291692607312819f0967848961bc075799b5a2353efadd65f54db54ddf47c296bb6a9f48e94ec83086a4f8bf7200c64329a73fc7ec4340a4

Download Submit
C:\Windows\Temp\autA8ED.tmp

Filesize
12KB

MD5
efe44d9f6e4426a05e39f99ad407d3e7

SHA1
637c531222ee6a56780a7fdcd2b5078467b6e036

SHA256
5ea3b26c6b1b71edaef17ce365d50be963ae9f4cb79b39ec723fe6e9e4054366

SHA512
8014b60cef62ff5c94bf6338ee3385962cfc62aaa6c101a607c592ba00aea2d860f52e5f52be2a2a3b35310f135548e8d0b00211bfcf32d6b71198f5d3046b63

Download Submit
C:\Windows\Temp\autA8FE.tmp

Filesize
7KB

MD5
ecffd3e81c5f2e3c62bcdc122442b5f2

SHA1
d41567acbbb0107361c6ee1715fe41b416663f40

SHA256
9874ab363b07dcc7e9cd6022a380a64102c1814343642295239a9f120cb941c5

SHA512
7f84899b77e3e2c0a35fb4973f4cd57f170f7a22f862b08f01938cf7537c8af7c442ef2ae6e561739023f6c9928f93a59b50d463af6373ed344f68260bc47c76

Download Submit
memory/612-161-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/612-139-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1700-138-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1700-116-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1736-213-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1736-182-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2008-214-0x0000000000D40000-0x0000000000D58000-memory.dmp

Filesize
96KB

Download
memory/2332-220-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2332-219-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

Filesize
2.9MB

Download
memory/2824-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/3060-226-0x000000001B4B0000-0x000000001B792000-memory.dmp

Filesize
2.9MB

Download
memory/3060-227-0x0000000002A60000-0x0000000002A68000-memory.dmp

Filesize
32KB

Download