Analysis Overview
SHA256
4a643c8ac145763b7e4a9b410a5dcc3562faf0f2204ec0d2613833923628f419
Threat Level: Known bad
The file Krampus.zip was found to be: Known bad.
Malicious Activity Summary
Xworm
Detect Xworm Payload
Command and Scripting Interpreter: PowerShell
UPX packed file
Executes dropped EXE
Drops startup file
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Looks up external IP address via web service
AutoIT Executable
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Modifies registry class
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-27 04:56
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-27 04:55
Reported
2024-05-27 04:58
Platform
win11-20240508-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings | C:\Windows\System32\WScript.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\DefenderControl\Defender_Settings.vbs"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| IE | 52.111.236.22:443 | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-27 04:55
Reported
2024-05-27 04:58
Platform
win10-20240404-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\DefenderControl\dControl.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\DefenderControl\dControl.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\DefenderControl\dControl.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\DefenderControl\dControl.exe | N/A |
| Token: 0 | N/A | C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\DefenderControl\dControl.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\DefenderControl\dControl.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\DefenderControl\dControl.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\DefenderControl\dControl.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Processes
C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\DefenderControl\dControl.exe
"C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\DefenderControl\dControl.exe"
C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\DefenderControl\dControl.exe
C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\DefenderControl\dControl.exe
C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\DefenderControl\dControl.exe
"C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\DefenderControl\dControl.exe" /TI
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.14:443 | tcp | |
| US | 8.8.8.8:53 | 209.80.50.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
Files
memory/2676-0-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/4188-21-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2676-23-0x0000000000400000-0x00000000004CD000-memory.dmp
C:\Windows\Temp\4b1g8k8o.tmp
| MD5 | 3bc9acd9c4b8384fb7ce6c08db87df6d |
| SHA1 | 936c93e3a01d5ae30d05711a97bbf3dfa5e0921f |
| SHA256 | a3d7de3d70c7673e8af7275eede44c1596156b6503a9614c47bad2c8e5fa3f79 |
| SHA512 | f8508376d9fb001bce10a8cc56da5c67b31ff220afd01fb57e736e961f3a563731e84d6a6c046123e1a5c16d31f39d9b07528b64a8f432eac7baa433e1d23375 |
memory/4188-45-0x0000000000400000-0x00000000004CD000-memory.dmp
C:\Windows\Temp\1b9g8k8o.tmp
| MD5 | e00dcc76e4dcd90994587375125de04b |
| SHA1 | 6677d2d6bd096ec1c0a12349540b636088da0e34 |
| SHA256 | c8709f5a8b971d136e2273d66e65449791ca8eba1f47dd767733ea52ee635447 |
| SHA512 | 8df7bc46ef0b2e2d4da6d8f31b102ff4813c6544cb751eb700b79fa0fae780814551b58ec8d19ff29cbf8547709add7eef637a52a217714d1a18b450f6755ec8 |
C:\Windows\Temp\aut6263.tmp
| MD5 | 9d5a0ef18cc4bb492930582064c5330f |
| SHA1 | 2ec4168fd3c5ea9f2b0ab6acd676a5b4a95848c8 |
| SHA256 | 8f5bbcc572bc62feb13a669f856d21886a61888fd6288afd066272a27ea79bb3 |
| SHA512 | 1dc3387790b051c3291692607312819f0967848961bc075799b5a2353efadd65f54db54ddf47c296bb6a9f48e94ec83086a4f8bf7200c64329a73fc7ec4340a4 |
C:\Windows\Temp\aut6265.tmp
| MD5 | ecffd3e81c5f2e3c62bcdc122442b5f2 |
| SHA1 | d41567acbbb0107361c6ee1715fe41b416663f40 |
| SHA256 | 9874ab363b07dcc7e9cd6022a380a64102c1814343642295239a9f120cb941c5 |
| SHA512 | 7f84899b77e3e2c0a35fb4973f4cd57f170f7a22f862b08f01938cf7537c8af7c442ef2ae6e561739023f6c9928f93a59b50d463af6373ed344f68260bc47c76 |
C:\Windows\Temp\aut6264.tmp
| MD5 | efe44d9f6e4426a05e39f99ad407d3e7 |
| SHA1 | 637c531222ee6a56780a7fdcd2b5078467b6e036 |
| SHA256 | 5ea3b26c6b1b71edaef17ce365d50be963ae9f4cb79b39ec723fe6e9e4054366 |
| SHA512 | 8014b60cef62ff5c94bf6338ee3385962cfc62aaa6c101a607c592ba00aea2d860f52e5f52be2a2a3b35310f135548e8d0b00211bfcf32d6b71198f5d3046b63 |
memory/1988-66-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/1988-67-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/1988-68-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/1988-69-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/1988-70-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/1988-71-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/1988-72-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/1988-73-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/1988-74-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/1988-75-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/1988-76-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/1988-77-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/1988-78-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/1988-79-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/1988-80-0x0000000000400000-0x00000000004CD000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-27 04:55
Reported
2024-05-27 04:58
Platform
win11-20240508-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\DefenderControl\dControl.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\DefenderControl\dControl.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\DefenderControl\dControl.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\DefenderControl\dControl.exe | N/A |
| Token: 0 | N/A | C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\DefenderControl\dControl.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\DefenderControl\dControl.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\DefenderControl\dControl.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\DefenderControl\dControl.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Processes
C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\DefenderControl\dControl.exe
"C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\DefenderControl\dControl.exe"
C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\DefenderControl\dControl.exe
C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\DefenderControl\dControl.exe
C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\DefenderControl\dControl.exe
"C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\DefenderControl\dControl.exe" /TI
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/2304-0-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/1200-21-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2304-23-0x0000000000400000-0x00000000004CD000-memory.dmp
C:\Windows\Temp\1v2q0v0x.tmp
| MD5 | f156a4a8ffd8c440348d52ef8498231c |
| SHA1 | 4d2f5e731a0cc9155220b560eb6560f24b623032 |
| SHA256 | 7c3ca3161b9061c9b1ff70f401d9f02b2d01267bc76cbfcbc397a5aec60d4842 |
| SHA512 | 48f3c273f072a8c3c73a1b835ed320a6b8962c2f8b5037a3b6c1bea5431b17d9c03e8d771cc205bbc067975c78307f2306c55dbc4c72e0a7c15c6b17b3afa170 |
C:\Windows\Temp\1v2q0v0x.tmp
| MD5 | 3bc9acd9c4b8384fb7ce6c08db87df6d |
| SHA1 | 936c93e3a01d5ae30d05711a97bbf3dfa5e0921f |
| SHA256 | a3d7de3d70c7673e8af7275eede44c1596156b6503a9614c47bad2c8e5fa3f79 |
| SHA512 | f8508376d9fb001bce10a8cc56da5c67b31ff220afd01fb57e736e961f3a563731e84d6a6c046123e1a5c16d31f39d9b07528b64a8f432eac7baa433e1d23375 |
memory/1200-45-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2212-46-0x0000000000400000-0x00000000004CD000-memory.dmp
C:\Windows\Temp\2b2a1u2o.tmp
| MD5 | e00dcc76e4dcd90994587375125de04b |
| SHA1 | 6677d2d6bd096ec1c0a12349540b636088da0e34 |
| SHA256 | c8709f5a8b971d136e2273d66e65449791ca8eba1f47dd767733ea52ee635447 |
| SHA512 | 8df7bc46ef0b2e2d4da6d8f31b102ff4813c6544cb751eb700b79fa0fae780814551b58ec8d19ff29cbf8547709add7eef637a52a217714d1a18b450f6755ec8 |
C:\Windows\Temp\aut99B0.tmp
| MD5 | 9d5a0ef18cc4bb492930582064c5330f |
| SHA1 | 2ec4168fd3c5ea9f2b0ab6acd676a5b4a95848c8 |
| SHA256 | 8f5bbcc572bc62feb13a669f856d21886a61888fd6288afd066272a27ea79bb3 |
| SHA512 | 1dc3387790b051c3291692607312819f0967848961bc075799b5a2353efadd65f54db54ddf47c296bb6a9f48e94ec83086a4f8bf7200c64329a73fc7ec4340a4 |
C:\Windows\Temp\aut99D1.tmp
| MD5 | ecffd3e81c5f2e3c62bcdc122442b5f2 |
| SHA1 | d41567acbbb0107361c6ee1715fe41b416663f40 |
| SHA256 | 9874ab363b07dcc7e9cd6022a380a64102c1814343642295239a9f120cb941c5 |
| SHA512 | 7f84899b77e3e2c0a35fb4973f4cd57f170f7a22f862b08f01938cf7537c8af7c442ef2ae6e561739023f6c9928f93a59b50d463af6373ed344f68260bc47c76 |
C:\Windows\Temp\aut99C0.tmp
| MD5 | efe44d9f6e4426a05e39f99ad407d3e7 |
| SHA1 | 637c531222ee6a56780a7fdcd2b5078467b6e036 |
| SHA256 | 5ea3b26c6b1b71edaef17ce365d50be963ae9f4cb79b39ec723fe6e9e4054366 |
| SHA512 | 8014b60cef62ff5c94bf6338ee3385962cfc62aaa6c101a607c592ba00aea2d860f52e5f52be2a2a3b35310f135548e8d0b00211bfcf32d6b71198f5d3046b63 |
memory/2212-67-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2212-68-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2212-69-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2212-70-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2212-71-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2212-72-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2212-73-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2212-74-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2212-75-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2212-76-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2212-77-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2212-78-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2212-79-0x0000000000400000-0x00000000004CD000-memory.dmp
memory/2212-80-0x0000000000400000-0x00000000004CD000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-27 04:55
Reported
2024-05-27 04:58
Platform
win10-20240404-en
Max time kernel
133s
Max time network
151s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\ProgramData\clientlol.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\ProgramData\clientlol.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\clientlol.exe | N/A |
| N/A | N/A | C:\ProgramData\KrampUI.exe | N/A |
| N/A | N/A | C:\ProgramData\svchost | N/A |
| N/A | N/A | C:\ProgramData\svchost | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost" | C:\ProgramData\clientlol.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\clientlol.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\ProgramData\clientlol.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\KrampUI.exe | N/A |
| N/A | N/A | C:\ProgramData\KrampUI.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\KrampUI.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\clientlol.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\B1OdUv8CBH.exe
"C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\B1OdUv8CBH.exe"
C:\ProgramData\clientlol.exe
"C:\ProgramData\clientlol.exe"
C:\ProgramData\KrampUI.exe
"C:\ProgramData\KrampUI.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\clientlol.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'clientlol.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost"
C:\ProgramData\svchost
C:\ProgramData\svchost
C:\ProgramData\svchost
C:\ProgramData\svchost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| NL | 84.54.51.18:7000 | tcp | |
| US | 8.8.8.8:53 | 18.51.54.84.in-addr.arpa | udp |
| US | 52.111.227.14:443 | tcp | |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/4616-0-0x00007FF804D63000-0x00007FF804D64000-memory.dmp
memory/4616-1-0x0000000000E10000-0x00000000020DE000-memory.dmp
C:\ProgramData\clientlol.exe
| MD5 | da4f713eda91ee257714127d761852a3 |
| SHA1 | 5901870facef99c9c850b141e8f8339721e932e4 |
| SHA256 | 9d27a2b70745480a42b83777ea3aa0399c63a55c6d9b699d67f1e95f7605ebe1 |
| SHA512 | 9964eca29700aefa97febdbca4e829a64ec6fd050d49c720f04963fab831b528319c9b3b054f36093ef9dc7236a681fba02f1f988ec19194f124d7a75abcddf7 |
memory/5064-7-0x00000000001F0000-0x0000000000208000-memory.dmp
memory/5064-8-0x00007FF804D60000-0x00007FF80574C000-memory.dmp
C:\ProgramData\KrampUI.exe
| MD5 | ec02c6962ff0994f0dbc06133cb32f28 |
| SHA1 | 1084bbf4c67fea18b2dd0232ad196f97ea17438c |
| SHA256 | 9663260edf06c3b9116a649af4c9fffa22f1bb3811f3e73e0f8fd6e3ba997565 |
| SHA512 | 8d00d5f21209bb7ffa24ee7717db4e9294c720a62d50ee416ab6e6e6520afde1d9cacc3c364c2c4d81d3eb565efba29f9e815d384774ba0de0671496952418f6 |
memory/5064-15-0x00007FF804D60000-0x00007FF80574C000-memory.dmp
memory/3576-21-0x00000218F8C00000-0x00000218F8C22000-memory.dmp
memory/3576-26-0x00000218F8CE0000-0x00000218F8D56000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2lftx5jc.13k.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e70feea3e3dd66fb38669a354bd5422d |
| SHA1 | 04af0bf450b0aedef7eee29a2c0dd13fdac59b0e |
| SHA256 | e68d9f1710e6ddc6c593efc567903b7f41524fb204a3f0c379ca9b066539c9c4 |
| SHA512 | 1b264a3930ef2fb5198a33690741e4aa0fdac4720ae271bd78cba0598d065b1a8b5dfa6040c55af21eaa37488913d07420bb180ed04063fe9e01adf1bb39f616 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c1c2e2e8b3ac8d49845efeaafa0c84d8 |
| SHA1 | d0cf2a9b1c2230b6d113b4532f120cf5985deb42 |
| SHA256 | 3395cac974bc6a3f9de2c48da93f6ab33db8d4dfca88a03457eb69b902870312 |
| SHA512 | c36db67259f35c5ae33e25029d645c7706841a5dc2c6e52148b89345ec3f2d1a02ab03d525c1bbe4ee8002b23a468c78e8ba124c4d58c1f9676dd058d1d83a16 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 187d4e411941aa2f50b1bd47e314b224 |
| SHA1 | 440c4787378b50c760360f3b902bd414ba45f1b4 |
| SHA256 | b236c7aeed31f20140caf89cd9d496826953aba8e19cbd554326d0071a7779ce |
| SHA512 | f24da9f2eea6c43da01928e1a863cf97761a2655925824d7b25c62657c0ff2115feb39bab8ef87b329ed83fc407d76961f59263b497c651646ca9e3f8db913ca |
memory/5064-205-0x00007FF804D60000-0x00007FF80574C000-memory.dmp
memory/5064-206-0x00007FF804D60000-0x00007FF80574C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.log
| MD5 | 16c5fce5f7230eea11598ec11ed42862 |
| SHA1 | 75392d4824706090f5e8907eee1059349c927600 |
| SHA256 | 87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151 |
| SHA512 | 153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-27 04:55
Reported
2024-05-27 04:58
Platform
win11-20240508-en
Max time kernel
109s
Max time network
147s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\ProgramData\clientlol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\ProgramData\clientlol.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\clientlol.exe | N/A |
| N/A | N/A | C:\ProgramData\KrampUI.exe | N/A |
| N/A | N/A | C:\ProgramData\svchost | N/A |
| N/A | N/A | C:\ProgramData\svchost | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost" | C:\ProgramData\clientlol.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\clientlol.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\ProgramData\clientlol.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\clientlol.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\clientlol.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\svchost | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\svchost | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\KrampUI.exe | N/A |
| N/A | N/A | C:\ProgramData\KrampUI.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\KrampUI.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\clientlol.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\B1OdUv8CBH.exe
"C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\B1OdUv8CBH.exe"
C:\ProgramData\clientlol.exe
"C:\ProgramData\clientlol.exe"
C:\ProgramData\KrampUI.exe
"C:\ProgramData\KrampUI.exe"
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=KrampUI.exe --webview-exe-version=1.2.1 --user-data-dir="C:\Users\Admin\AppData\Local\KrampUI\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=1928.1844.14395672425902153983
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\KrampUI\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\KrampUI\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\KrampUI\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe8,0x1a8,0x7ffe21813cb8,0x7ffe21813cc8,0x7ffe21813cd8
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\clientlol.exe'
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1756,17776653058565873785,13890487470199850164,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\KrampUI\EBWebView" --webview-exe-name=KrampUI.exe --webview-exe-version=1.2.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1792 /prefetch:2
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1756,17776653058565873785,13890487470199850164,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\KrampUI\EBWebView" --webview-exe-name=KrampUI.exe --webview-exe-version=1.2.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=1888 /prefetch:3
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1756,17776653058565873785,13890487470199850164,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\KrampUI\EBWebView" --webview-exe-name=KrampUI.exe --webview-exe-version=1.2.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2344 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'clientlol.exe'
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1756,17776653058565873785,13890487470199850164,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\KrampUI\EBWebView" --webview-exe-name=KrampUI.exe --webview-exe-version=1.2.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2952 /prefetch:1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost"
C:\ProgramData\svchost
C:\ProgramData\svchost
C:\ProgramData\svchost
C:\ProgramData\svchost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| NL | 84.54.51.18:7000 | tcp |
Files
memory/4952-0-0x00007FFE24F23000-0x00007FFE24F25000-memory.dmp
memory/4952-1-0x00000000009B0000-0x0000000001C7E000-memory.dmp
C:\ProgramData\clientlol.exe
| MD5 | da4f713eda91ee257714127d761852a3 |
| SHA1 | 5901870facef99c9c850b141e8f8339721e932e4 |
| SHA256 | 9d27a2b70745480a42b83777ea3aa0399c63a55c6d9b699d67f1e95f7605ebe1 |
| SHA512 | 9964eca29700aefa97febdbca4e829a64ec6fd050d49c720f04963fab831b528319c9b3b054f36093ef9dc7236a681fba02f1f988ec19194f124d7a75abcddf7 |
memory/3748-13-0x0000000000F20000-0x0000000000F38000-memory.dmp
memory/3748-14-0x00007FFE24F20000-0x00007FFE259E2000-memory.dmp
C:\ProgramData\KrampUI.exe
| MD5 | ec02c6962ff0994f0dbc06133cb32f28 |
| SHA1 | 1084bbf4c67fea18b2dd0232ad196f97ea17438c |
| SHA256 | 9663260edf06c3b9116a649af4c9fffa22f1bb3811f3e73e0f8fd6e3ba997565 |
| SHA512 | 8d00d5f21209bb7ffa24ee7717db4e9294c720a62d50ee416ab6e6e6520afde1d9cacc3c364c2c4d81d3eb565efba29f9e815d384774ba0de0671496952418f6 |
C:\Users\Admin\AppData\Local\KrampUI\EBWebView\Crashpad\settings.dat
| MD5 | 06660b044643b3e323eb87c9d52cfefd |
| SHA1 | 771ce64a12fc955ac54f5f91f49ac2a2b0cacf73 |
| SHA256 | c73e2335e1f5280603637a464faccbaaec44e9c943d16031c6b27cf07f5f7e64 |
| SHA512 | 0694bc0f3f3c2605458b3319314dd4341d562e864cdabf239d4f4d6147b7656bf736633c163bcd7623941a7d328f921f04ea04d5f1cc86a08e8b717b25ebed75 |
C:\Users\Admin\AppData\Local\KrampUI\EBWebView\Crashpad\throttle_store.dat
| MD5 | 9e4e94633b73f4a7680240a0ffd6cd2c |
| SHA1 | e68e02453ce22736169a56fdb59043d33668368f |
| SHA256 | 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304 |
| SHA512 | 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337 |
memory/3748-32-0x00007FFE24F20000-0x00007FFE259E2000-memory.dmp
memory/3112-37-0x0000018E50400000-0x0000018E50422000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_beof1wee.1gp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3340-56-0x00007FFE44410000-0x00007FFE44411000-memory.dmp
\??\pipe\LOCAL\crashpad_1984_IPRBUTJPEUQCATKU
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\KrampUI\EBWebView\Default\Sync Data\LevelDB\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\KrampUI\EBWebView\Default\Local Storage\leveldb\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
memory/3112-95-0x0000018E50470000-0x0000018E505BF000-memory.dmp
C:\Users\Admin\AppData\Local\KrampUI\EBWebView\Crashpad\settings.dat
| MD5 | d9b2e131bd22acc5f6915165aaafd79b |
| SHA1 | 8acfe3e5fdacc5195fa1dcdfd412f379559f964a |
| SHA256 | 43532685e90b22a35b3b7f10acacbdd3a2c453e21119b86c425b08060fa17cfa |
| SHA512 | 2acfb8015fd719a23be24bd0fbf0b2b74f4815d8f3d172316a530ce4d10aa433321cca935531ebad810c47f9aa4853237309641574a641ba948e1f88e13acb59 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 627073ee3ca9676911bee35548eff2b8 |
| SHA1 | 4c4b68c65e2cab9864b51167d710aa29ebdcff2e |
| SHA256 | 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c |
| SHA512 | 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb |
C:\Users\Admin\AppData\Local\KrampUI\EBWebView\Default\GPUCache\data_0
| MD5 | cf89d16bb9107c631daabf0c0ee58efb |
| SHA1 | 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b |
| SHA256 | d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e |
| SHA512 | 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0 |
C:\Users\Admin\AppData\Local\KrampUI\EBWebView\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\KrampUI\EBWebView\Default\GPUCache\data_2
| MD5 | 0962291d6d367570bee5454721c17e11 |
| SHA1 | 59d10a893ef321a706a9255176761366115bedcb |
| SHA256 | ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7 |
| SHA512 | f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed |
C:\Users\Admin\AppData\Local\KrampUI\EBWebView\Default\GPUCache\data_3
| MD5 | 41876349cb12d6db992f1309f22df3f0 |
| SHA1 | 5cf26b3420fc0302cd0a71e8d029739b8765be27 |
| SHA256 | e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c |
| SHA512 | e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e |
C:\Users\Admin\AppData\Local\KrampUI\EBWebView\8986a88f-b2ea-4de9-b09d-193b20cf4402.tmp
| MD5 | 3d70c8acb6330e028be6716077dc7418 |
| SHA1 | f2386ec23260fde3fab9a91b701690e36ea7883b |
| SHA256 | fd5c6f5156fc30a56467902d5afba32b5102095a2b0b09da7187b76a10ebe3af |
| SHA512 | 048dae201a85239610d8aa0303289ea3e1aa280688df2f772462d1713bc4224779c92696155dcd1628ca425832f22b43d0e4a5df76b7f6f68d2cf44f09859e2a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 05b3cd21c1ec02f04caba773186ee8d0 |
| SHA1 | 39e790bfe10abf55b74dfb3603df8fcf6b5e6edb |
| SHA256 | 911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8 |
| SHA512 | e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb |
memory/3948-214-0x0000029635440000-0x000002963558F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8cb7f4b4ab204cacd1af6b29c2a2042c |
| SHA1 | 244540c38e33eac05826d54282a0bfa60340d6a1 |
| SHA256 | 4994013dabe4f131d401879278eee147add6349124ea6452358dca7e2344c7a6 |
| SHA512 | 7651cb6863a425840db610253151e271d3e8da26a8c633ce484247266fa226792ecb84b9578df3ab17fef84a5dfcad417b63a7df59c9650a907e08d59b91dd6e |
memory/4876-225-0x000002001F2C0000-0x000002001F40F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1189a72e42e2321edf1ed3a8d5568687 |
| SHA1 | a2142fc754d6830de107d9d46f398483156f16a6 |
| SHA256 | 009aee0a5f2d25ed79160e75cde58722def11663334ed20283e3afca32f971ea |
| SHA512 | b1eb9b7aa7a57d0acec93b8152229b1f274a8d1b8f19133513486587f39b0636a9df89ddc6c2013e001d831f2b23cd0bb0fc084131824ea8e1dff134cd6d4f29 |
memory/3584-236-0x000002E4DA340000-0x000002E4DA48F000-memory.dmp
memory/3748-240-0x00007FFE24F20000-0x00007FFE259E2000-memory.dmp
memory/3748-241-0x00007FFE24F20000-0x00007FFE259E2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-27 04:55
Reported
2024-05-27 04:58
Platform
win10-20240404-en
Max time kernel
72s
Max time network
80s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2988 wrote to memory of 3920 | N/A | C:\Windows\System32\WScript.exe | C:\Program Files\Windows Defender\MSASCui.exe |
| PID 2988 wrote to memory of 3920 | N/A | C:\Windows\System32\WScript.exe | C:\Program Files\Windows Defender\MSASCui.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Krampus\Krampus\DefenderControl\Defender_Settings.vbs"
C:\Program Files\Windows Defender\MSASCui.exe
"C:\Program Files\Windows Defender\MSASCui.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |