Analysis
max time kernel: 107s
max time network: 99s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 24-05-2024 11:16
Static task: static1
General
Target: Electron V3.exe
Size: 7.1MB
MD5: fe184c85f884ef9a8f5bc56af80073b3
SHA1: 3db462e1f2ed4d9c2bf95dad3aa1c32b395a679b
SHA256: b15e79c502e39a0502c37f4e087ba614b096b0ecd9c39aeebba9415941350eac
SHA512: c4096ae3f65a215c756972688144fed9bc3ed4ca7155558ba31303df72908df524de982a2d6650e555c527589c40d251073140341526c30bfc57bc628b625684
SSDEEP: 196608:Z2B5I6msTfYsxOLDzUQzz02E7FGpgzmEWSyRy/16aGbl:8W6tDYicDzLz02AzqCm2al
Malware Config
Extracted: xworm
courses-disney.gl.at.ply.gg:21335
127.0.0.1:21335
Install_directory: %AppData%
install_file: svchost.exe
telegram: https://api.telegram.org/bot7006468177:AAEjUyc53owWdXWMasYo_ZE1Y7t2sH1O718/sendMessage?chat_id=809478226
Signatures
-
Detect Xworm Payload 2 IoCs
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\XClient.exe | family_xworm
  behavioral1/memory/4704-57-0x0000000000620000-0x000000000063A000-memory.dmp | family_xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file 4 IoCs
Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | XClient.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | XClient.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.exe | test.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.exe | test.exe
Executes dropped EXE 11 IoCs
Processes:
  pid | process
  1144 | Result.exe
  2808 | Intel (R).exe
  1908 | test.exe
  4704 | XClient.exe
  3104 | test.exe
  1880 | test.exe
  960 | test.exe
  3372 | test.exe
  1904 | test.exe
  992 | svchost.exe
  4540 | svchost.exe
Loads dropped DLL 64 IoCs
Processes:
  pid | process
  1908 | test.exe
  3104 | test.exe
  1880 | test.exe
  960 | test.exe
  3372 | test.exe
  1904 | test.exe
  (64 entries in total; repeated identical rows collapsed)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | XClient.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  1 | ip-api.com
  6 | ipinfo.io
  8 | ipinfo.io
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | test.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | test.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | test.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | test.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | test.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | test.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | test.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 7 IoCs
Processes:
  pid | process
  2296 | taskkill.exe
  5056 | taskkill.exe
  3128 | taskkill.exe
  4604 | taskkill.exe
  2608 | taskkill.exe
  424 | taskkill.exe
  676 | taskkill.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid | process
  1908 | test.exe
  1904 | test.exe
  4704 | XClient.exe
  2784 | powershell.exe
  976 | taskmgr.exe
  (64 entries in total; repeated identical rows collapsed)
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4704 | XClient.exe
  Token: SeDebugPrivilege | 676 | taskkill.exe
  Token: SeDebugPrivilege | 3128 | taskkill.exe
  Token: SeDebugPrivilege | 5056 | taskkill.exe
  Token: SeDebugPrivilege | 2296 | taskkill.exe
  Token: SeDebugPrivilege | 4604 | taskkill.exe
  Token: SeDebugPrivilege | 2608 | taskkill.exe
  Token: SeDebugPrivilege | 424 | taskkill.exe
  Token: SeDebugPrivilege | 4704 | XClient.exe
  Token: SeDebugPrivilege | 2784 | powershell.exe
  Token: SeDebugPrivilege | 992 | svchost.exe
  Token: SeDebugPrivilege | 976 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 976 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 976 | taskmgr.exe
  Token: SeDebugPrivilege | 4540 | svchost.exe
Suspicious use of FindShellTrayWindow 63 IoCs
Processes:
  pid | process
  976 | taskmgr.exe
  (63 identical entries collapsed)
Suspicious use of SendNotifyMessage 63 IoCs
Processes:
  pid | process
  976 | taskmgr.exe
  (63 identical entries collapsed)
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  pid | process
  4704 | XClient.exe
Suspicious use of WriteProcessMemory 57 IoCs
Processes:
  source pid | source process | target pid | target process
  2920 | Electron V3.exe | 1144 | Result.exe
  1144 | Result.exe | 2808 | Intel (R).exe
  2808 | Intel (R).exe | 1908 | test.exe
  1144 | Result.exe | 4704 | XClient.exe
  1908 | test.exe | 3104 | test.exe
  1908 | test.exe | 1880 | test.exe
  1908 | test.exe | 960 | test.exe
  1908 | test.exe | 3372 | test.exe
  1908 | test.exe | 1904 | test.exe
  960 | test.exe | 1464 | cmd.exe
  1880 | test.exe | 2156 | cmd.exe
  3372 | test.exe | 4960 | cmd.exe
  3104 | test.exe | 3620 | cmd.exe
  1464 | cmd.exe | 676 | taskkill.exe
  2156 | cmd.exe | 3128 | taskkill.exe
  4960 | cmd.exe | 5056 | taskkill.exe
  3620 | cmd.exe | 2296 | taskkill.exe
  1904 | test.exe | 1008 | cmd.exe
  1008 | cmd.exe | 4604 | taskkill.exe
  960 | test.exe | 2188 | cmd.exe
  1880 | test.exe | 4660 | cmd.exe
  2188 | cmd.exe | 2608 | taskkill.exe
  3372 | test.exe | 860 | cmd.exe
  3372 | test.exe | 1208 | cmd.exe
  4660 | cmd.exe | 424 | taskkill.exe
  4704 | XClient.exe | 4768 | schtasks.exe
  1908 | test.exe | 392 | cmd.exe
  392 | cmd.exe | 2784 | powershell.exe
  (57 entries in total; repeated identical rows collapsed)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\Electron V3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Electron V3.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\Result.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Result.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\Intel (R).exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Intel (R).exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\onefile_2808_133610230118103423\test.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Intel (R).exe"
        - Drops startup file
        - Executes dropped EXE
        - Loads dropped DLL
        - Maps connected drives based on registry
        - Checks SCSI registry key(s)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - [5] C:\Users\Admin\AppData\Local\Temp\onefile_2808_133610230118103423\test.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\onefile_2808_133610230118103423\test.exe" "--multiprocessing-fork" "parent_pid=1908" "pipe_handle=684"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c "taskkill /f /im opera.exe"
            - Suspicious use of WriteProcessMemory
            - [7] C:\Windows\system32\taskkill.exe
              Command line: taskkill /f /im opera.exe
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
        - [5] C:\Users\Admin\AppData\Local\Temp\onefile_2808_133610230118103423\test.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\onefile_2808_133610230118103423\test.exe" "--multiprocessing-fork" "parent_pid=1908" "pipe_handle=664"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c "taskkill /f /im opera.exe"
            - Suspicious use of WriteProcessMemory
            - [7] C:\Windows\system32\taskkill.exe
              Command line: taskkill /f /im opera.exe
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
          - [6] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c "taskkill /f /im browser.exe"
            - Suspicious use of WriteProcessMemory
            - [7] C:\Windows\system32\taskkill.exe
              Command line: taskkill /f /im browser.exe
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
        - [5] C:\Users\Admin\AppData\Local\Temp\onefile_2808_133610230118103423\test.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\onefile_2808_133610230118103423\test.exe" "--multiprocessing-fork" "parent_pid=1908" "pipe_handle=696"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c "taskkill /f /im chrome.exe"
            - Suspicious use of WriteProcessMemory
            - [7] C:\Windows\system32\taskkill.exe
              Command line: taskkill /f /im chrome.exe
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
          - [6] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c "taskkill /f /im vivaldi.exe"
            - Suspicious use of WriteProcessMemory
            - [7] C:\Windows\system32\taskkill.exe
              Command line: taskkill /f /im vivaldi.exe
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
        - [5] C:\Users\Admin\AppData\Local\Temp\onefile_2808_133610230118103423\test.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\onefile_2808_133610230118103423\test.exe" "--multiprocessing-fork" "parent_pid=1908" "pipe_handle=724"
          - Executes dropped EXE
          - Loads dropped DLL
          - Checks processor information in registry
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c "taskkill /f /im msedge.exe"
            - Suspicious use of WriteProcessMemory
            - [7] C:\Windows\system32\taskkill.exe
              Command line: taskkill /f /im msedge.exe
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
          - [6] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c "ver"
          - [6] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c "ver"
        - [5] C:\Users\Admin\AppData\Local\Temp\onefile_2808_133610230118103423\test.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\onefile_2808_133610230118103423\test.exe" "--multiprocessing-fork" "parent_pid=1908" "pipe_handle=748"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c "taskkill /f /im brave.exe"
            - Suspicious use of WriteProcessMemory
            - [7] C:\Windows\system32\taskkill.exe
              Command line: taskkill /f /im brave.exe
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
        - [5] C:\Windows\system32\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.exe'"
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Users\Admin\AppData\Local\Temp\XClient.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\System32\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
        - Creates scheduled task(s)
- [1] C:\Users\Admin\AppData\Roaming\svchost.exe
  Command line: C:\Users\Admin\AppData\Roaming\svchost.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- [1] C:\Users\Admin\AppData\Roaming\svchost.exe
  Command line: C:\Users\Admin\AppData\Roaming\svchost.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads