Analysis
- max time kernel: 147s
- max time network: 151s
- platform: windows11-21h2_x64
- resource: win11-20240426-en
- resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 30-05-2024 10:48
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
  - Resource: win10v2004-20240508-en
- Behavioral task: behavioral2
  - Sample: 30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
  - Resource: win11-20240426-en
General
- Target: 30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
- Size: 515KB
- MD5: 148b2c38cf0726535d760a703f803c80
- SHA1: 107503ca149f547d4745fe9b9a3fbae03d60126c
- SHA256: 30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d
- SHA512: 6b9c13d80fb24924604245f9046c28df75d009c6cd6f819ef2ac6e99a592acfc84473b4fcc6e2c1ccafd6001bb4a931a8ced6a968bd874e2ebf81cd8c714bdbd
- SSDEEP: 12288:EMbx504bFjsNfn8lmwaYy//2hWc8CYBMQI4aqNA:Lbw4bR689aYy//2hDPYBMQI4aqN
Malware Config
Extracted
- Family: xworm
- C2: 127.0.0.1:7000, beshomandotestbesnd.run.place:7000
- Install_directory: %ProgramData%
- install_file: cmd.exe
- telegram: https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672
Signatures
- Detect Xworm Payload (1 IoC)
  Processes (resource, yara_rule):
  - behavioral2/memory/4792-51-0x0000000000400000-0x0000000000418000-memory.dmp: family_xworm
- Command and Scripting Interpreter: PowerShell (1 TTP, 10 IoCs)
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes (pid, process):
  - 4208 powershell.exe
  - 2096 powershell.exe
  - 3164 powershell.exe
  - 3252 powershell.exe
  - 552 powershell.exe
  - 1512 powershell.exe
  - 1900 powershell.exe
  - 1912 powershell.exe
  - 3224 powershell.exe
  - 2872 powershell.exe
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.lnk (30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.lnk (30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe)
- Executes dropped EXE (5 IoCs)
  Processes (pid, process):
  - 2140 cmd.exe
  - 1980 cmd.exe
  - 1464 cmd.exe
  - 4752 cmd.exe
  - 4848 cmd.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "C:\\ProgramData\\cmd.exe" (30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe)
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description, pid, process, target process):
  - PID 448 (30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe) set thread context of PID 4792 (30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe)
  - PID 2140 (cmd.exe) set thread context of PID 1980 (cmd.exe)
  - PID 1464 (cmd.exe) set thread context of PID 4848 (cmd.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 4 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid, process):
  - 4880 schtasks.exe
  - 1384 schtasks.exe
  - 4184 schtasks.exe
  - 4104 schtasks.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid, process):
  - 4792 30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  Processes (pid, process; repeated entries collapsed, count in parentheses):
  - 448 30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe (3)
  - 1512 powershell.exe (2)
  - 4208 powershell.exe (2)
  - 1900 powershell.exe (2)
  - 2096 powershell.exe (2)
  - 3164 powershell.exe (2)
  - 1912 powershell.exe (2)
  - 4792 30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe (1)
  - 2140 cmd.exe (2)
  - 3252 powershell.exe (2)
  - 552 powershell.exe (2)
  - 1464 cmd.exe (5)
  - 3224 powershell.exe (2)
  - 2872 powershell.exe (2)
- Suspicious use of AdjustPrivilegeToken (17 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 448 30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
  - Token: SeDebugPrivilege, 1512 powershell.exe
  - Token: SeDebugPrivilege, 4208 powershell.exe
  - Token: SeDebugPrivilege, 4792 30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
  - Token: SeDebugPrivilege, 1900 powershell.exe
  - Token: SeDebugPrivilege, 2096 powershell.exe
  - Token: SeDebugPrivilege, 3164 powershell.exe
  - Token: SeDebugPrivilege, 1912 powershell.exe
  - Token: SeDebugPrivilege, 4792 30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
  - Token: SeDebugPrivilege, 2140 cmd.exe
  - Token: SeDebugPrivilege, 3252 powershell.exe
  - Token: SeDebugPrivilege, 552 powershell.exe
  - Token: SeDebugPrivilege, 1980 cmd.exe
  - Token: SeDebugPrivilege, 1464 cmd.exe
  - Token: SeDebugPrivilege, 3224 powershell.exe
  - Token: SeDebugPrivilege, 2872 powershell.exe
  - Token: SeDebugPrivilege, 4848 cmd.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, process):
  - 4792 30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description, pid, process, target process; repeated calls collapsed, count at the end of each row):
  - PID 448 (30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe) wrote to memory of PID 1512 (powershell.exe): 3
  - PID 448 (30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe) wrote to memory of PID 4208 (powershell.exe): 3
  - PID 448 (30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe) wrote to memory of PID 4104 (schtasks.exe): 3
  - PID 448 (30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe) wrote to memory of PID 4792 (30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe): 8
  - PID 4792 (30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe) wrote to memory of PID 1900 (powershell.exe): 3
  - PID 4792 (30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe) wrote to memory of PID 2096 (powershell.exe): 3
  - PID 4792 (30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe) wrote to memory of PID 3164 (powershell.exe): 3
  - PID 4792 (30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe) wrote to memory of PID 1912 (powershell.exe): 3
  - PID 4792 (30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe) wrote to memory of PID 4880 (schtasks.exe): 3
  - PID 2140 (cmd.exe) wrote to memory of PID 3252 (powershell.exe): 3
  - PID 2140 (cmd.exe) wrote to memory of PID 552 (powershell.exe): 3
  - PID 2140 (cmd.exe) wrote to memory of PID 1384 (schtasks.exe): 3
  - PID 2140 (cmd.exe) wrote to memory of PID 1980 (cmd.exe): 8
  - PID 1464 (cmd.exe) wrote to memory of PID 3224 (powershell.exe): 3
  - PID 1464 (cmd.exe) wrote to memory of PID 2872 (powershell.exe): 3
  - PID 1464 (cmd.exe) wrote to memory of PID 4184 (schtasks.exe): 3
  - PID 1464 (cmd.exe) wrote to memory of PID 4752 (cmd.exe): 3
  - PID 1464 (cmd.exe) wrote to memory of PID 4848 (cmd.exe): 3
Processes
- PID 448 (level 1): C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - PID 1512 (level 2): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe"
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - PID 4208 (level 2): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - PID 4104 (level 2): C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6F83.tmp"
    Signatures: Creates scheduled task(s)
  - PID 4792 (level 2): C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe"
    Signatures: Drops startup file; Adds Run key to start application; Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - PID 1900 (level 3): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 2096 (level 3): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 3164 (level 3): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\cmd.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 1912 (level 3): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'cmd.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - PID 4880 (level 3): C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "cmd" /tr "C:\ProgramData\cmd.exe"
      Signatures: Creates scheduled task(s)
- PID 2140 (level 1): C:\ProgramData\cmd.exe
  Command line: C:\ProgramData\cmd.exe
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - PID 3252 (level 2): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\cmd.exe"
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - PID 552 (level 2): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - PID 1384 (level 2): C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1855.tmp"
    Signatures: Creates scheduled task(s)
  - PID 1980 (level 2): C:\ProgramData\cmd.exe
    Command line: "C:\ProgramData\cmd.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- PID 1464 (level 1): C:\ProgramData\cmd.exe
  Command line: C:\ProgramData\cmd.exe
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - PID 3224 (level 2): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\cmd.exe"
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - PID 2872 (level 2): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - PID 4184 (level 2): C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2E4.tmp"
    Signatures: Creates scheduled task(s)
  - PID 4752 (level 2): C:\ProgramData\cmd.exe
    Command line: "C:\ProgramData\cmd.exe"
    Signatures: Executes dropped EXE
  - PID 4848 (level 2): C:\ProgramData\cmd.exe
    Command line: "C:\ProgramData\cmd.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads