xworm | hxxps://send[.]exploit[.]in/download/9c73994ce8965362/#aC_WKF2OO0Qz-OzCqgzzfg

Analysis

max time kernel
46s
max time network
58s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
06/06/2024, 02:44

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://send.exploit.in/download/9c73994ce8965362/#aC_WKF2OO0Qz-OzCqgzzfg

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:44454

Name1442-44454.portmap.host:44454

Attributes

Install_directory
%Temp%
install_file
LX.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000400000002a9d4-181.dat	family_xworm
behavioral1/memory/3104-191-0x00000000003C0000-0x00000000003FE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4920	powershell.exe
3424	powershell.exe
1912	powershell.exe
1972	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LX.lnk	LightningX.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LX.lnk	LightningX.exe

Executes dropped EXE 4 IoCs

pid	Process
2248	LightningX.exe
3104	LightningX.exe
2288	LXLoader.exe
1424	LightningX.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\LX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\LX.exe"	LightningX.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
928	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133621154836149298"	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\LightningX.exe:Zone.Identifier	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3104	LightningX.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
1540	chrome.exe
1540	chrome.exe
2248	LightningX.exe
2248	LightningX.exe
2248	LightningX.exe
2248	LightningX.exe
2248	LightningX.exe
2248	LightningX.exe
2248	LightningX.exe
2248	LightningX.exe
2248	LightningX.exe
2248	LightningX.exe
2248	LightningX.exe
2248	LightningX.exe
2248	LightningX.exe
2248	LightningX.exe
2248	LightningX.exe
2248	LightningX.exe
2248	LightningX.exe
2248	LightningX.exe
2248	LightningX.exe
3424	powershell.exe
3424	powershell.exe
3424	powershell.exe
1912	powershell.exe
1912	powershell.exe
1912	powershell.exe
1972	powershell.exe
1972	powershell.exe
1972	powershell.exe
4920	powershell.exe
4920	powershell.exe
4920	powershell.exe
3104	LightningX.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1540	chrome.exe
1540	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeDebugPrivilege	2248	LightningX.exe
Token: SeDebugPrivilege	3104	LightningX.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe
Token: SeShutdownPrivilege	1540	chrome.exe
Token: SeCreatePagefilePrivilege	1540	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe
1540	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2288	LXLoader.exe
2288	LXLoader.exe
3104	LightningX.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 2816	1540	chrome.exe	79
PID 1540 wrote to memory of 2816	1540	chrome.exe	79
PID 1540 wrote to memory of 784	1540	chrome.exe	81
PID 1540 wrote to memory of 784	1540	chrome.exe	81
PID 1540 wrote to memory of 784	1540	chrome.exe	81
PID 1540 wrote to memory of 784	1540	chrome.exe	81
PID 1540 wrote to memory of 784	1540	chrome.exe	81
PID 1540 wrote to memory of 784	1540	chrome.exe	81
PID 1540 wrote to memory of 784	1540	chrome.exe	81
PID 1540 wrote to memory of 784	1540	chrome.exe	81
PID 1540 wrote to memory of 784	1540	chrome.exe	81
PID 1540 wrote to memory of 784	1540	chrome.exe	81
PID 1540 wrote to memory of 784	1540	chrome.exe	81
PID 1540 wrote to memory of 784	1540	chrome.exe	81
PID 1540 wrote to memory of 784	1540	chrome.exe	81
PID 1540 wrote to memory of 784	1540	chrome.exe	81
PID 1540 wrote to memory of 784	1540	chrome.exe	81
PID 1540 wrote to memory of 784	1540	chrome.exe	81
PID 1540 wrote to memory of 784	1540	chrome.exe	81
PID 1540 wrote to memory of 784	1540	chrome.exe	81
PID 1540 wrote to memory of 784	1540	chrome.exe	81
PID 1540 wrote to memory of 784	1540	chrome.exe	81
PID 1540 wrote to memory of 784	1540	chrome.exe	81
PID 1540 wrote to memory of 784	1540	chrome.exe	81
PID 1540 wrote to memory of 784	1540	chrome.exe	81
PID 1540 wrote to memory of 784	1540	chrome.exe	81
PID 1540 wrote to memory of 784	1540	chrome.exe	81
PID 1540 wrote to memory of 784	1540	chrome.exe	81
PID 1540 wrote to memory of 784	1540	chrome.exe	81
PID 1540 wrote to memory of 784	1540	chrome.exe	81
PID 1540 wrote to memory of 784	1540	chrome.exe	81
PID 1540 wrote to memory of 784	1540	chrome.exe	81
PID 1540 wrote to memory of 784	1540	chrome.exe	81
PID 1540 wrote to memory of 1136	1540	chrome.exe	82
PID 1540 wrote to memory of 1136	1540	chrome.exe	82
PID 1540 wrote to memory of 3320	1540	chrome.exe	83
PID 1540 wrote to memory of 3320	1540	chrome.exe	83
PID 1540 wrote to memory of 3320	1540	chrome.exe	83
PID 1540 wrote to memory of 3320	1540	chrome.exe	83
PID 1540 wrote to memory of 3320	1540	chrome.exe	83
PID 1540 wrote to memory of 3320	1540	chrome.exe	83
PID 1540 wrote to memory of 3320	1540	chrome.exe	83
PID 1540 wrote to memory of 3320	1540	chrome.exe	83
PID 1540 wrote to memory of 3320	1540	chrome.exe	83
PID 1540 wrote to memory of 3320	1540	chrome.exe	83
PID 1540 wrote to memory of 3320	1540	chrome.exe	83
PID 1540 wrote to memory of 3320	1540	chrome.exe	83
PID 1540 wrote to memory of 3320	1540	chrome.exe	83
PID 1540 wrote to memory of 3320	1540	chrome.exe	83
PID 1540 wrote to memory of 3320	1540	chrome.exe	83
PID 1540 wrote to memory of 3320	1540	chrome.exe	83
PID 1540 wrote to memory of 3320	1540	chrome.exe	83
PID 1540 wrote to memory of 3320	1540	chrome.exe	83
PID 1540 wrote to memory of 3320	1540	chrome.exe	83
PID 1540 wrote to memory of 3320	1540	chrome.exe	83
PID 1540 wrote to memory of 3320	1540	chrome.exe	83
PID 1540 wrote to memory of 3320	1540	chrome.exe	83
PID 1540 wrote to memory of 3320	1540	chrome.exe	83
PID 1540 wrote to memory of 3320	1540	chrome.exe	83
PID 1540 wrote to memory of 3320	1540	chrome.exe	83
PID 1540 wrote to memory of 3320	1540	chrome.exe	83
PID 1540 wrote to memory of 3320	1540	chrome.exe	83
PID 1540 wrote to memory of 3320	1540	chrome.exe	83
PID 1540 wrote to memory of 3320	1540	chrome.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://send.exploit.in/download/9c73994ce8965362/#aC_WKF2OO0Qz-OzCqgzzfg
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff8eafab58,0x7fff8eafab68,0x7fff8eafab78
  2⤵
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1508 --field-trial-handle=1808,i,1723296428654197548,2525693501745700840,131072 /prefetch:2
  2⤵
  PID:784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1808,i,1723296428654197548,2525693501745700840,131072 /prefetch:8
  2⤵
  PID:1136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2156 --field-trial-handle=1808,i,1723296428654197548,2525693501745700840,131072 /prefetch:8
  2⤵
  PID:3320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1808,i,1723296428654197548,2525693501745700840,131072 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1808,i,1723296428654197548,2525693501745700840,131072 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4280 --field-trial-handle=1808,i,1723296428654197548,2525693501745700840,131072 /prefetch:8
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4424 --field-trial-handle=1808,i,1723296428654197548,2525693501745700840,131072 /prefetch:8
  2⤵
  PID:3172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4792 --field-trial-handle=1808,i,1723296428654197548,2525693501745700840,131072 /prefetch:8
  2⤵
  PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4796 --field-trial-handle=1808,i,1723296428654197548,2525693501745700840,131072 /prefetch:8
  2⤵
  PID:2288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4752 --field-trial-handle=1808,i,1723296428654197548,2525693501745700840,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4688 --field-trial-handle=1808,i,1723296428654197548,2525693501745700840,131072 /prefetch:8
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5044 --field-trial-handle=1808,i,1723296428654197548,2525693501745700840,131072 /prefetch:8
  2⤵
  PID:8

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3512

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1912

C:\Users\Admin\Downloads\LightningX.exe
"C:\Users\Admin\Downloads\LightningX.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2248
- C:\Users\Admin\AppData\Local\Temp\LightningX.exe
  "C:\Users\Admin\AppData\Local\Temp\LightningX.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\LightningX.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LightningX.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\LX.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LX.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4920
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "LX" /tr "C:\Users\Admin\AppData\Local\Temp\LX.exe"
    3⤵
    - Creates scheduled task(s)
    PID:928
- C:\Users\Admin\AppData\Local\Temp\LXLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\LXLoader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2288

C:\Users\Admin\Downloads\LightningX.exe
"C:\Users\Admin\Downloads\LightningX.exe"
1⤵
- Executes dropped EXE
PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
56a856d3bd81bb811a424a63c65754e3

SHA1
5c01b6591b4e65cd50beeae334cc8e1afc4f57c9

SHA256
fc47619f1f1a10dbac069b352155659bff6dcdb3bd002733756f7e9b860d0f72

SHA512
bb34230e51142c2928549640905089e3f20744818ac4ba9f9376240bcd1293585bb7695ed890fe2aced5a83e3865351b6bfdc3b0ed01e2fa106a12fbcae63c19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
9f84a8f91bec8b9a3e33e5e8dc80eeb4

SHA1
45addbacbac8a1ccef382c8c617b2b79c5a5e37c

SHA256
f92780dc27f926f0706fd9c09bad34f3596c384a5d10f208ca9145ad6908fe38

SHA512
a0d0caa992ab0cefcb8f19a3363e0cb48e8d1ba29f47eb4727a42112eb296a04b372308ffd4c6b0835af619e97b2c6e6656bb9fa9e12df8389bc045d2050e7e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
bcbac9588f152e57e50ec709ef4c5f92

SHA1
7eb9bac61e17267dc2ec88187e21666a684dc080

SHA256
292574cb585d6f6832cad980a87a67f71553cdd5d6855bd2760899115d9a7ae5

SHA512
088d66138037f18f94493d7aa9dc5d6115466f7198465ece7312985e5ce3b65852f638400f535f397d3654eedc87d4adefa33919d88d2b41b3d9f9e59db33151

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
cce2d2cfa9f3de4a4a85f247c833b0c5

SHA1
5106a4030a4acb326d30af485382cc947f695a5c

SHA256
f8e853ab4ffe3b9627736fc9d6225c595ba46d774742b09ecf385fd10485cedb

SHA512
7ac57fe5ecf3f94bd4d88d984a61ef54d674886c8b972b2af44381d9b6d84d5c74d318ad673ba561425181ac1b22088429642aa9228000eb9ac11e9cff9a9960

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
62ea20619e15604f167f4035041a9a85

SHA1
eff4f0623f59f1710bf9ab2ec9fc1b6cb299b208

SHA256
a8af913397a98ce478d734f96ba56ed60ac3d5d428d57ece89635dc7b8f0360b

SHA512
246bdc8c90928beafcc86f0ff971e51a5f43a5d3f23670d596781b19b9b1cbed70af11aaf3bc5ebad5429b6be21d9611e996be9ff9223610fd8524f4f3b0899e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\4ea6e46be70cd0500d27031dfb874d8aa52aadfa\e3f7dbd4-05cc-4cb9-9d75-6f17ec6bbb2c\index-dir\the-real-index

Filesize
192B

MD5
75d0e79b4fd4824e95a7bba7b689a27a

SHA1
6c21732884a962640b70b12088b8dfa7d447daaf

SHA256
e4b1b2c6116df9be4989501c3bb5b86843e1884bb856ef35b149e8e3b9b403e1

SHA512
cd644bd13d455c3d9453c9b913108b05e5e84b8824358e29b71de84a14b861f3e1479ecadb0f345a00098efe34a952e141ca856117ef161a2247239acb593a86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\4ea6e46be70cd0500d27031dfb874d8aa52aadfa\e3f7dbd4-05cc-4cb9-9d75-6f17ec6bbb2c\index-dir\the-real-index~RFe57e157.TMP

Filesize
48B

MD5
ebb45dcaeb451418e5eb9bd92a53baac

SHA1
34b33a5c9d438094f3562fa6d07030b18e62c0a3

SHA256
01b0b141fe2029404a5bcc55d8cd7b418f097b55a1dc78b1f23e5e51cc8cda4f

SHA512
c5267992d99523b8b43792a41517744411f0998cff44ae40954e1c74063a60f630d6060b01f1c669fb183501cff9cc8eb8789008a6d3df47d14345713c9f5974

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\4ea6e46be70cd0500d27031dfb874d8aa52aadfa\index.txt

Filesize
112B

MD5
f85200b0ccdddfa2bb8b19480796f220

SHA1
59c9bd15ed5ae4b1a269367d160147d8ff39d82b

SHA256
f118062312ae02464035b7de028f8c900d95dde4d2fcaa3dd4fe82c0d2b59f84

SHA512
7c25aa768315152244424526d7f722e1eef013650760e3339abdfcd4288ade7aeded6413ef9f0afb04f4e705cc56f7aae8d1a022e3d0c8b7b066dbc68bbeb216

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\4ea6e46be70cd0500d27031dfb874d8aa52aadfa\index.txt~RFe57e186.TMP

Filesize
117B

MD5
7643c8c09c1230dc255f0a083124f743

SHA1
53f69546830d691f8923a65707d7eb04b77c5af1

SHA256
88140a92ab24e5622ab353f4f2c44096d14a91295918c362ba7d3d1020920885

SHA512
08153b1933e677edf33220c82e75e8f2718676e910e67c3a8286b25d8d845a782ee8103a418f81b07f60c331682946afff5ec38a35513d5cf744740030d73722

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
ff153e1aaf89cf1e74052913f2559c8c

SHA1
363acd1ca13b169e995f11f8d3d20237991111f8

SHA256
5ff6ae1a4d8d272d682950b6faeae39a19f254dabb090ffcaf30298c5152a4f5

SHA512
ddb5d2fc58c6ed1f3983e9b6f3a2b5c6e3137838efe63e386869770dea6f496267cf9441e31060e4fc70587d7d14f797c3d1366ae87b74b451c29fc77c5ef6ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57bca9.TMP

Filesize
48B

MD5
58af3442e90e4c53b6dc3f10bda561e9

SHA1
1af79f49ec85065d1781d763b3107d57d06bdfea

SHA256
231ae62702988caaac55bd05c64848c80a378460d8c4e2f77b681452d945c0d2

SHA512
720696067d046400e39d0375eb45e11e3a2a3506ba1805191b5093a04a4504645269c766f8e4fb50c6d81f0baf12708dc14d9971c8f53fc39ac43c29b04da514

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
5cb8feb3d9dc30955a85f52a4e9d4438

SHA1
1d8b4a54e4172a778b6b02a0fe7f025bf9d5a1a1

SHA256
52eb2fae2783e66165af39c1fc72d5ace6cc8cfd13d5d2cd03057a5c6c7f5ce7

SHA512
4e479dd1a7d5a611f223ad6d2da033bb5923d21687b6567a0df6a51d051389ce0166a36c433adafbe822889f77d758afc315e269557ddbe6e904d43a2748900c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\LightningX.exe.log

Filesize
1KB

MD5
5b803ddb883f65717e274c7499348290

SHA1
15ae51c43bc5f1cd04b5960b3260686cc647fe04

SHA256
904ba7080e51d73535b3e7506fa371759d9fd33529e04bde331ffa3cdb2d788c

SHA512
1a1ca16dfdb5523d1f49d45ed312b0aff0d16dcda2841d0616b39cad6930002b31351cfca05ed919898b1e9bbb14a7295c89d12922057d34a4864218bff1fd7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4a7f03a7ad1cae046d8ceac04256e5ae

SHA1
ef0bf767c91cba32b33c0b48f74f5eb153ae43d3

SHA256
e8aa3162f519e3670b0fc79dfbeeca68ea2b65a17900cf3aafc6a48de3296d60

SHA512
382a91848be121734bce9f533bcb4747e5f21db5b1ea5dfc8cc567005f5be0f1dcc73a55516b83feb931cdc90601ed4d36fb890687f08e1056ff98da2365f01d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4093e5ab3812960039eba1a814c2ffb0

SHA1
b5e4a98a80be72fccd3cc910e93113d2febef298

SHA256
c0794e2b7036ce5612446a8b15e0c8387773bbc921f63cf8849f8a1f4ef3878c

SHA512
f3555b45aa1a1dd5214716dc81a05905c4ecd5a3e1276d35e08c65623ab1d14d469b3b576a5d9638264c1222d73889d2cc1ee43fb579d9ca3fcddd9f557cac7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LXLoader.exe

Filesize
4.7MB

MD5
34800790fa19cb68a8b13605dd90e6bb

SHA1
5f77456cd51cef5541b4298b699991958c503436

SHA256
bcf0a8095f01354b6730956b62df81be30b2c1857bb222d31b9408c7012f9d3f

SHA512
f26bf53d881e4033c57935e67edbbd8132836057cf445dd561ad8be4d902a6ff346bcd9c2c0b9df3ae1f8454d820fb883e0c1c7181a35b87535c57ce75954f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LightningX.exe

Filesize
227KB

MD5
96d51c5bc5f9894d6fb5fe87cdd551df

SHA1
737b463a84885096242e1f3bff0d83b1a7c772dd

SHA256
ce4490082c9425b6df120c356b13b7d523c28dcb5007a8d84e50d03e79c459a7

SHA512
05cb6ebb7738bf28ab47690aa74341a9c4e5bae727b7221c21a8e9a5395ef497f1e77b025baff78ec4734395ecbfb45697c630c93729e7269045a6c403225f0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zl0co41i.njg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\LightningX.exe

Filesize
4.9MB

MD5
71f66650c1bb33efe2764e20c79656b3

SHA1
f7635b4ed06ff1fe7ad69e9656b3b8c1e65ab14c

SHA256
bdf2fbf1cfcaf96d10c21cd0a127fcea69fc39ea1a2b226240bca757dbce690f

SHA512
37a7f3de7d198e2ed2f122700b20170742b40ac656da519a2ad190c53765f95762b7c793fe1b469a3b3dca047fd2a7c800d18914f4cfa1ce2868e99cc5084f9f

Download Submit
C:\Users\Admin\Downloads\LightningX.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/2248-176-0x00007FFF7ABE0000-0x00007FFF7B6A2000-memory.dmp

Filesize
10.8MB

Download
memory/2248-166-0x0000000000E10000-0x00000000012F0000-memory.dmp

Filesize
4.9MB

Download
memory/2248-223-0x00007FFF7ABE0000-0x00007FFF7B6A2000-memory.dmp

Filesize
10.8MB

Download
memory/2248-165-0x00007FFF7ABE3000-0x00007FFF7ABE5000-memory.dmp

Filesize
8KB

Download
memory/2288-220-0x0000011998000000-0x00000119983D2000-memory.dmp

Filesize
3.8MB

Download
memory/2288-228-0x00000119993A0000-0x0000011999412000-memory.dmp

Filesize
456KB

Download
memory/2288-229-0x00000119FDC80000-0x00000119FDC9A000-memory.dmp

Filesize
104KB

Download
memory/2288-230-0x0000011999420000-0x0000011999426000-memory.dmp

Filesize
24KB

Download
memory/2288-225-0x00000119FDC40000-0x00000119FDC54000-memory.dmp

Filesize
80KB

Download
memory/2288-224-0x00000119983D0000-0x000001199851E000-memory.dmp

Filesize
1.3MB

Download
memory/2288-252-0x00000119FDC70000-0x00000119FDC7A000-memory.dmp

Filesize
40KB

Download
memory/2288-221-0x00000119FDC10000-0x00000119FDC16000-memory.dmp

Filesize
24KB

Download
memory/2288-267-0x000001199D4D0000-0x000001199D5D0000-memory.dmp

Filesize
1024KB

Download
memory/2288-219-0x00000119FFD40000-0x00000119FFE48000-memory.dmp

Filesize
1.0MB

Download
memory/2288-200-0x00000119FD350000-0x00000119FD806000-memory.dmp

Filesize
4.7MB

Download
memory/3104-191-0x00000000003C0000-0x00000000003FE000-memory.dmp

Filesize
248KB

Download
memory/3424-239-0x0000019BE7390000-0x0000019BE73B2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads