f8ed25d648227480c94c7002e27e8c09c3501b5898cb8fdbbf9df9d5eddf0f15

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NulsultanLoader.exe
Size

459KB
MD5

94af4c079ad32d2f0667ad7949a482d6
SHA1

d4d513699b3b1a6348210e598b17527ff5aab2e9
SHA256

f8ed25d648227480c94c7002e27e8c09c3501b5898cb8fdbbf9df9d5eddf0f15
SHA512

a88526ff808518eb7a034a9add1a7004daa1b69fa98cd77aca859432f5ef76edc76ed1d5c1a18cc4cbab84063a676a7ce0fe48f777cc4a96f31c612e064a2b0c
SSDEEP

6144:SWR6MQer0SYX16re6VlWT8b9u9QLUOTo+MyXDv5AcJbEP41fMn:SJMQeoJ1mPVle8boko+HokfM

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Program Files\\xdwdSpotify.exe"	NulsultanLoader.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Loads dropped DLL 40 IoCs

pid	Process
4048	Process not Found
1708	Process not Found
1808	Process not Found
820	Process not Found
1256	WmiApSrv.exe
2672	Process not Found
3220	Process not Found
2560	Process not Found
5064	Process not Found
5040	Process not Found
4048	Process not Found
628	Process not Found
5048	Process not Found
1248	Process not Found
3468	Process not Found
1900	Process not Found
2004	Process not Found
2884	Process not Found
1028	Process not Found
2392	Process not Found
3972	Process not Found
3116	Process not Found
2136	Process not Found
2156	Process not Found
3872	Process not Found
5020	Process not Found
3888	Process not Found
2324	Process not Found
2156	Process not Found
1548	Process not Found
5112	Process not Found
3144	Process not Found
2272	Process not Found
4980	Process not Found
3160	Process not Found
2164	Process not Found
2124	Process not Found
2548	Process not Found
2832	Process not Found
4432	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\xdwdSpotify.exe	NulsultanLoader.exe
File opened for modification	C:\Program Files\xdwdSpotify.exe	NulsultanLoader.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\xdwd.dll	NulsultanLoader.exe

Creates scheduled task(s) 1 TTPs 40 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4868	schtasks.exe
2752	schtasks.exe
756	schtasks.exe
1000	schtasks.exe
3180	schtasks.exe
2716	schtasks.exe
2676	schtasks.exe
4704	schtasks.exe
1872	schtasks.exe
1708	schtasks.exe
4104	schtasks.exe
1816	schtasks.exe
3844	schtasks.exe
224	schtasks.exe
2168	schtasks.exe
4928	schtasks.exe
1704	schtasks.exe
4712	schtasks.exe
1588	schtasks.exe
2144	schtasks.exe
1708	schtasks.exe
2936	schtasks.exe
2920	schtasks.exe
2548	schtasks.exe
4672	schtasks.exe
3908	schtasks.exe
4632	schtasks.exe
4380	schtasks.exe
1736	schtasks.exe
2844	schtasks.exe
1912	schtasks.exe
1664	schtasks.exe
5068	schtasks.exe
2004	schtasks.exe
2084	schtasks.exe
5020	schtasks.exe
4524	schtasks.exe
2832	schtasks.exe
2500	schtasks.exe
4408	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1644	NulsultanLoader.exe
1256	WmiApSrv.exe
1256	WmiApSrv.exe
1644	NulsultanLoader.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1644	NulsultanLoader.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 1532	1644	NulsultanLoader.exe	95
PID 1644 wrote to memory of 1532	1644	NulsultanLoader.exe	95
PID 1532 wrote to memory of 2832	1532	CMD.exe	97
PID 1532 wrote to memory of 2832	1532	CMD.exe	97
PID 1644 wrote to memory of 2724	1644	NulsultanLoader.exe	98
PID 1644 wrote to memory of 2724	1644	NulsultanLoader.exe	98
PID 2724 wrote to memory of 4380	2724	CMD.exe	100
PID 2724 wrote to memory of 4380	2724	CMD.exe	100
PID 1644 wrote to memory of 4040	1644	NulsultanLoader.exe	101
PID 1644 wrote to memory of 4040	1644	NulsultanLoader.exe	101
PID 4040 wrote to memory of 5068	4040	CMD.exe	103
PID 4040 wrote to memory of 5068	4040	CMD.exe	103
PID 1644 wrote to memory of 4852	1644	NulsultanLoader.exe	104
PID 1644 wrote to memory of 4852	1644	NulsultanLoader.exe	104
PID 4852 wrote to memory of 2500	4852	CMD.exe	106
PID 4852 wrote to memory of 2500	4852	CMD.exe	106
PID 1644 wrote to memory of 2552	1644	NulsultanLoader.exe	108
PID 1644 wrote to memory of 2552	1644	NulsultanLoader.exe	108
PID 2552 wrote to memory of 2004	2552	CMD.exe	110
PID 2552 wrote to memory of 2004	2552	CMD.exe	110
PID 1644 wrote to memory of 4900	1644	NulsultanLoader.exe	112
PID 1644 wrote to memory of 4900	1644	NulsultanLoader.exe	112
PID 4900 wrote to memory of 4868	4900	CMD.exe	114
PID 4900 wrote to memory of 4868	4900	CMD.exe	114
PID 1644 wrote to memory of 2724	1644	NulsultanLoader.exe	115
PID 1644 wrote to memory of 2724	1644	NulsultanLoader.exe	115
PID 2724 wrote to memory of 2936	2724	CMD.exe	117
PID 2724 wrote to memory of 2936	2724	CMD.exe	117
PID 1644 wrote to memory of 4104	1644	NulsultanLoader.exe	121
PID 1644 wrote to memory of 4104	1644	NulsultanLoader.exe	121
PID 4104 wrote to memory of 2752	4104	CMD.exe	123
PID 4104 wrote to memory of 2752	4104	CMD.exe	123
PID 1644 wrote to memory of 3260	1644	NulsultanLoader.exe	124
PID 1644 wrote to memory of 3260	1644	NulsultanLoader.exe	124
PID 3260 wrote to memory of 1736	3260	CMD.exe	126
PID 3260 wrote to memory of 1736	3260	CMD.exe	126
PID 1644 wrote to memory of 3008	1644	NulsultanLoader.exe	127
PID 1644 wrote to memory of 3008	1644	NulsultanLoader.exe	127
PID 3008 wrote to memory of 4928	3008	CMD.exe	129
PID 3008 wrote to memory of 4928	3008	CMD.exe	129
PID 1644 wrote to memory of 1900	1644	NulsultanLoader.exe	130
PID 1644 wrote to memory of 1900	1644	NulsultanLoader.exe	130
PID 1900 wrote to memory of 3180	1900	CMD.exe	132
PID 1900 wrote to memory of 3180	1900	CMD.exe	132
PID 1644 wrote to memory of 3012	1644	NulsultanLoader.exe	133
PID 1644 wrote to memory of 3012	1644	NulsultanLoader.exe	133
PID 3012 wrote to memory of 1708	3012	CMD.exe	135
PID 3012 wrote to memory of 1708	3012	CMD.exe	135
PID 1644 wrote to memory of 5088	1644	NulsultanLoader.exe	136
PID 1644 wrote to memory of 5088	1644	NulsultanLoader.exe	136
PID 5088 wrote to memory of 2716	5088	CMD.exe	138
PID 5088 wrote to memory of 2716	5088	CMD.exe	138
PID 1644 wrote to memory of 624	1644	NulsultanLoader.exe	139
PID 1644 wrote to memory of 624	1644	NulsultanLoader.exe	139
PID 624 wrote to memory of 2920	624	CMD.exe	141
PID 624 wrote to memory of 2920	624	CMD.exe	141
PID 1644 wrote to memory of 3008	1644	NulsultanLoader.exe	143
PID 1644 wrote to memory of 3008	1644	NulsultanLoader.exe	143
PID 3008 wrote to memory of 1704	3008	CMD.exe	145
PID 3008 wrote to memory of 1704	3008	CMD.exe	145
PID 1644 wrote to memory of 3800	1644	NulsultanLoader.exe	146
PID 1644 wrote to memory of 3800	1644	NulsultanLoader.exe	146
PID 3800 wrote to memory of 2676	3800	CMD.exe	148
PID 3800 wrote to memory of 2676	3800	CMD.exe	148

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NulsultanLoader.exe
"C:\Users\Admin\AppData\Local\Temp\NulsultanLoader.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "GIMP (GNU Image Manipulation Program)" /tr "C:\Program Files\xdwdSpotify.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "GIMP (GNU Image Manipulation Program)" /tr "C:\Program Files\xdwdSpotify.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2832
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4380
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Zoom" /tr "C:\Users\Admin\AppData\Roaming\xdwdMalwarebytes Update.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4040
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo 5 /tn "Zoom" /tr "C:\Users\Admin\AppData\Roaming\xdwdMalwarebytes Update.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5068
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2500
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2004
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4868
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2936
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4104
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2752
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3260
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1736
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4928
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3180
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1708
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2716
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2920
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1704
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3800
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2676
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:4012
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4104
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:3676
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1816
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:5068
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3844
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:5076
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:224
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:2624
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4712
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:3588
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2548
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:5100
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2844
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:1816
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2084
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:372
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1912
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:1876
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4704
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:2372
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4408
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:4004
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4672
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:1792
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2168
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:2516
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:756
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:4912
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5020
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:4808
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1588
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:1736
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2144
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:1436
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1664
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:4660
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:3908
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:4812
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4632
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:1352
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1872
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:2396
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:4524
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:1188
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1708
- C:\Windows\SYSTEM32\CMD.exe
  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST & exit
  2⤵
  PID:1336
- - C:\Windows\system32\schtasks.exe
    SchTaSKs /create /f /sc minute /mo -1 /tn "Autodesk Revit" /tr "C:\Program Files\xdwdSpotify.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1000

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/1644-0-0x0000000000B60000-0x0000000000BD8000-memory.dmp

Filesize
480KB

Download
memory/1644-1-0x00007FFA19893000-0x00007FFA19895000-memory.dmp

Filesize
8KB

Download
memory/1644-43-0x00007FFA19890000-0x00007FFA1A351000-memory.dmp

Filesize
10.8MB

Download
memory/1644-104-0x000000001CE30000-0x000000001CEA6000-memory.dmp

Filesize
472KB

Download
memory/1644-105-0x0000000002E10000-0x0000000002E1C000-memory.dmp

Filesize
48KB

Download
memory/1644-106-0x000000001BED0000-0x000000001BEEE000-memory.dmp

Filesize
120KB

Download
memory/1644-120-0x00007FFA19893000-0x00007FFA19895000-memory.dmp

Filesize
8KB

Download
memory/1644-170-0x000000001E1E0000-0x000000001E326000-memory.dmp

Filesize
1.3MB

Download
memory/1644-264-0x00007FFA19890000-0x00007FFA1A351000-memory.dmp

Filesize
10.8MB

Download