Analysis
- max time kernel: 89s
- max time network: 90s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 31-05-2024 02:04
Static task: static1
Behavioral task behavioral1: sample Stand.Launchpad.exe, resource win7-20240221-en
Behavioral task behavioral2: sample Stand.Launchpad.exe, resource win10v2004-20240508-en
Errors
General
- Target: Stand.Launchpad.exe
- Size: 212KB
- MD5: 22ae86c6104a84186ae0c01df1e7abc4
- SHA1: b863e83a52093041dc3542a4ae831a04f2598a76
- SHA256: 89f5545ab55f3eded4fc73b6dcc252d642c507f19d259618bc3464f30314fc57
- SHA512: 86dc9377aa9a108fbb6fbe780c14ee82f670cd1ef53a5279e5d58b512a438a63043547148d6fef1e6a1029a307b696f2936ea7556d6926154e410e64ddb078d7
- SSDEEP: 3072:IrT7Qg5ltZ2fWGp6Oc7bio0/T4RvdVJUXJV8I2nyV:4T7Qg6uGsOc7bq74gX78vny
Malware Config
Extracted family: xworm
- Hosts: 127.0.0.1:40971, us3.localto.net:40971, Name1442-40971.portmap.host:40971
- Install_directory: %Temp%
- install_file: Stand.exe
- telegram: https://api.telegram.org/bot6916721041:AAGsGXyaplDWQ9HJlE88Z36KtBFClSB3E20
Signatures

Detect Xworm Payload (3 IoCs)
Processes (resource, yara_rule):
- C:\Users\Admin\AppData\Roaming\XClient.exe: family_xworm
- behavioral1/memory/2992-12-0x0000000001090000-0x00000000010B0000-memory.dmp: family_xworm
- behavioral1/memory/1572-91-0x0000000000F80000-0x0000000000FA0000-memory.dmp: family_xworm
Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes (pid, process):
- 1116 powershell.exe
- 1988 powershell.exe
- 2460 powershell.exe
- 2264 powershell.exe

Downloads MZ/PE file
Drops startup file (2 IoCs)
Processes (description, ioc, process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stand.lnk (XClient.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stand.lnk (XClient.exe)
Executes dropped EXE (5 IoCs)
Processes (pid, process):
- 2992 XClient.exe
- 1880 Stand.Launchpad.exe
- 1124 (process name not recorded in the report)
- 1572 Stand.exe
- 1904 Stand.exe
Loads dropped DLL (1 IoCs)
Processes (pid, process):
- 2968 Stand.Launchpad.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Stand = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Stand.exe" (XClient.exe)
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
- flow 10: ip-api.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Modifies system certificate store
Processes (description, ioc, process):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 (Stand.Launchpad.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (blob value not shown) (Stand.Launchpad.exe); this entry is recorded three times
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes (pid, process):
- 2992 XClient.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process); 1880 Stand.Launchpad.exe accounts for all but five of the 64 entries:
- 1880 Stand.Launchpad.exe (repeated)
- 1116 powershell.exe
- 1988 powershell.exe
- 2460 powershell.exe
- 2264 powershell.exe
- 2992 XClient.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 2992 XClient.exe
- Token: SeDebugPrivilege, 1880 Stand.Launchpad.exe
- Token: SeDebugPrivilege, 1116 powershell.exe
- Token: SeDebugPrivilege, 1988 powershell.exe
- Token: SeDebugPrivilege, 2460 powershell.exe
- Token: SeDebugPrivilege, 2264 powershell.exe
- Token: SeDebugPrivilege, 2992 XClient.exe
- Token: SeDebugPrivilege, 1572 Stand.exe
- Token: SeDebugPrivilege, 1904 Stand.exe
- Token: SeShutdownPrivilege, 2820 shutdown.exe
- Token: SeRemoteShutdownPrivilege, 2820 shutdown.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes (pid, process):
- 1880 Stand.Launchpad.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes (pid, process):
- 2992 XClient.exe
Suspicious use of WriteProcessMemory (30 IoCs)
Processes (description, pid, process, target process); each of the ten entries below appears three times in the report:
- PID 2968 wrote to memory of 2992 (Stand.Launchpad.exe -> XClient.exe)
- PID 2968 wrote to memory of 1880 (Stand.Launchpad.exe -> Stand.Launchpad.exe)
- PID 2992 wrote to memory of 1116 (XClient.exe -> powershell.exe)
- PID 2992 wrote to memory of 1988 (XClient.exe -> powershell.exe)
- PID 2992 wrote to memory of 2460 (XClient.exe -> powershell.exe)
- PID 2992 wrote to memory of 2264 (XClient.exe -> powershell.exe)
- PID 2992 wrote to memory of 2836 (XClient.exe -> schtasks.exe)
- PID 1412 wrote to memory of 1572 (taskeng.exe -> Stand.exe)
- PID 1412 wrote to memory of 1904 (taskeng.exe -> Stand.exe)
- PID 2992 wrote to memory of 2820 (XClient.exe -> shutdown.exe)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows the parent/child depth of the process tree)

C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe (PID 2968)
Command line: "C:\Users\Admin\AppData\Local\Temp\Stand.Launchpad.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\XClient.exe (PID 2992)
    Command line: "C:\Users\Admin\AppData\Roaming\XClient.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1116)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1988)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2460)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Stand.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2264)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Stand.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\schtasks.exe (PID 2836)
        Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Stand" /tr "C:\Users\Admin\AppData\Local\Temp\Stand.exe"
        - Creates scheduled task(s)

        C:\Windows\system32\shutdown.exe (PID 2820)
        Command line: shutdown.exe /f /s /t 0
        - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe (PID 1880)
    Command line: "C:\Users\Admin\AppData\Roaming\Stand.Launchpad.exe"
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

C:\Windows\system32\taskeng.exe (PID 1412)
Command line: taskeng.exe {A760FDA5-BF3B-49B6-8F43-251A80E80863} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Stand.exe (PID 1572)
    Command line: C:\Users\Admin\AppData\Local\Temp\Stand.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\Stand.exe (PID 1904)
    Command line: C:\Users\Admin\AppData\Local\Temp\Stand.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\LogonUI.exe (PID 2160)
Command line: "LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe (PID 2188)
Command line: "LogonUI.exe" /flags:0x1
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads