Malware Analysis Report

2024-11-16 13:38

Sample ID 240530-ddhbvabh5w
Target b162133322f47da52b67dab3f9b3b21e.bin
SHA256 4e2b6ba1d497e94c32d71d48df0082fe95c97ce3ad20f2e1ebca82af86d11bee
Tags
themida xworm evasion execution persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4e2b6ba1d497e94c32d71d48df0082fe95c97ce3ad20f2e1ebca82af86d11bee

Threat Level: Known bad

The file b162133322f47da52b67dab3f9b3b21e.bin was found to be: Known bad.

Malicious Activity Summary

themida xworm evasion execution persistence rat trojan

Detect Xworm Payload

Xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Themida packer

Drops startup file

Checks BIOS information in registry

Checks computer location settings

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported

2024-05-30 02:53

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 02:53

Reported

2024-05-30 02:56

Platform

win7-20240221-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.lnk C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.lnk C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "C:\\ProgramData\\cmd.exe" C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2528 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2528 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\schtasks.exe
PID 2528 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\schtasks.exe
PID 2528 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\schtasks.exe
PID 2528 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe

"C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\cmd.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'cmd.exe'

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "cmd" /tr "C:\ProgramData\cmd.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {3FC132C2-964D-4B55-9F1A-BFD15F1854B8} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 beshomandotestbesnd.run.place udp
US 45.88.186.125:7000 beshomandotestbesnd.run.place tcp
US 45.88.186.125:7000 beshomandotestbesnd.run.place tcp
US 45.88.186.125:7000 beshomandotestbesnd.run.place tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 faef7a080116cd295e0f21b2ce5f3639
SHA1 2c902891b99049502641778a29c0e9e2d50706bf
SHA256 57edf688c641b0ea7c4b38033de3e0f9bad578d422afd445dbaad155a056a7e6
SHA512 ef93d759a676019e67ec73b6e631d15b162c920ff8d4a5590257c7d7c62f078af9c7e2adb19957c65d9248cbe6dd6682d772407f3d37bb4ec4e61ad154767d5e

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Local\Temp\tmpA860.tmp

MD5 c38b245b97fea00a08141af793a76f87
SHA1 c9c5c786f8e8d3c5670ef64f4f3ae35c556bb640
SHA256 b6647006cf5e920db52c66a2028f2492df03c4deceda32fb021ebe4126bfe261
SHA512 6d4a19aff6c2999f2369ae8831a8208aeefcb6fe7620a86bd8343690a155c055d0327ec4b42af3929fd6997ad5ce28d0e7f9a980567b244f3e373409cf2e5d38

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-30 02:53

Reported

2024-05-30 02:56

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.lnk C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.lnk C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "C:\\ProgramData\\cmd.exe" C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4836 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4836 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4836 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4836 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4836 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4836 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4836 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4836 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4836 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4836 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4836 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4836 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4836 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\schtasks.exe
PID 4836 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\schtasks.exe
PID 4836 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe

"C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'c8edbc2a072ac9e68a46868aeb7c996aa5d1fe5f8afb3d8ff15b1be4cb3a52a1.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\cmd.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'cmd.exe'

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "cmd" /tr "C:\ProgramData\cmd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
N/A 127.0.0.1:7000 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
N/A 127.0.0.1:7000 tcp
US 8.8.8.8:53 beshomandotestbesnd.run.place udp
US 45.88.186.125:7000 beshomandotestbesnd.run.place tcp
US 8.8.8.8:53 125.186.88.45.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 45.88.186.125:7000 beshomandotestbesnd.run.place tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p2gamawr.qxm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6a57b92fee30a90cde0550b7e5ac5561
SHA1 9313fa85cc88a59638bb747f7eb323276c2f5e51
SHA256 ef390c92ade44db916cd0c7ea18df1e51a4a9b795ddc8af20be910d8087f3c10
SHA512 0820ffb98e9feb04e11766153043f467581ae7dbde4bbc30cda86a612d2a33eefbe584980da6498febce774b48f498dda72410c56caf1b2bdc09846a8884d22c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 23ba9c68c9c02e85cf0b6f581e45b0be
SHA1 77510b160b8925e5d0f77d5d5b897ad85e9be731
SHA256 929a84f0a2b1bd872cc1ae07d52b3f3ea1826eb227b34a6bea40f5741cc6a863
SHA512 5aa61a56cbe98ff5d323e1f303d4ffa45ff1006eb3d080e8f430bc454a4dc29124386254980b5b1e42b2aea75539b7b66b84192f51fa8ea2b270e09bb0c340c3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 80abe68711c3cb48b293dafd32e3124f
SHA1 4fe3046ce727685514fbaf18f5936c951e4e2926
SHA256 658d8864163f0a3255054405a3e10322838918e2d2ee55f228025db1e925053d
SHA512 54549321581f2d2d3d07e037bffbd2fda07567d2bc1d336cbf210f8833d42e4e2767fd25282181d4dc718393e836b52fc66c6c8c957f1ccef0e3987bb553bb80

C:\Users\Admin\AppData\Local\Temp\tmpC668.tmp

MD5 c38b245b97fea00a08141af793a76f87
SHA1 c9c5c786f8e8d3c5670ef64f4f3ae35c556bb640
SHA256 b6647006cf5e920db52c66a2028f2492df03c4deceda32fb021ebe4126bfe261
SHA512 6d4a19aff6c2999f2369ae8831a8208aeefcb6fe7620a86bd8343690a155c055d0327ec4b42af3929fd6997ad5ce28d0e7f9a980567b244f3e373409cf2e5d38