Malware Analysis Report

2024-09-11 14:54

Sample ID: 240608-x5s27sfb3t
Target: Microsoft Network Realtime inspection.exe
SHA256: 267d1802344caba41d174d5e9750695c446724e6c480bee1b79100a64931e788
Tags: xworm, execution, persistence, rat, trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 267d1802344caba41d174d5e9750695c446724e6c480bee1b79100a64931e788

Threat Level: Known bad

The file Microsoft Network Realtime inspection.exe was found to be: Known bad.

Malicious Activity Summary

Tags: xworm, execution, persistence, rat, trojan

Xworm

Xworm family

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Loads dropped DLL

Drops startup file

Checks computer location settings

Looks up external IP address via web service

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-08 19:26

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm family

xworm

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-08 19:26
Reported: 2024-06-08 19:29
Platform: win7-20240419-en
Max time kernel: 150s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TLauncher.lnk | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TLauncher.lnk | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dvywbd.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\TLauncher = "C:\\Users\\Admin\\AppData\\Roaming\\TLauncher" | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{57C8F5B1-25CD-11EF-9BF3-52E878ACFAD8} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\TLauncher | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\TLauncher | N/A
Token: 33 | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\TLauncher | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dvywbd.exe | N/A
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1700 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1700 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1700 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1700 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1700 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1700 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1700 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1700 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1700 wrote to memory of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1700 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1700 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1700 wrote to memory of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1700 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\schtasks.exe
PID 1700 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\schtasks.exe
PID 1700 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Windows\System32\schtasks.exe
PID 1580 wrote to memory of 2348 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\TLauncher
PID 1580 wrote to memory of 2348 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\TLauncher
PID 1580 wrote to memory of 2348 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\TLauncher
PID 1580 wrote to memory of 988 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\TLauncher
PID 1580 wrote to memory of 988 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\TLauncher
PID 1580 wrote to memory of 988 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\TLauncher
PID 1700 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Program Files\VideoLAN\VLC\vlc.exe
PID 1700 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Program Files\VideoLAN\VLC\vlc.exe
PID 1700 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Program Files\VideoLAN\VLC\vlc.exe
PID 1700 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Users\Admin\AppData\Local\Temp\dvywbd.exe
PID 1700 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Users\Admin\AppData\Local\Temp\dvywbd.exe
PID 1700 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Users\Admin\AppData\Local\Temp\dvywbd.exe
PID 1700 wrote to memory of 1572 | N/A | C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe | C:\Users\Admin\AppData\Local\Temp\dvywbd.exe
PID 1572 wrote to memory of 1156 | N/A | C:\Users\Admin\AppData\Local\Temp\dvywbd.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1572 wrote to memory of 1156 | N/A | C:\Users\Admin\AppData\Local\Temp\dvywbd.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1572 wrote to memory of 1156 | N/A | C:\Users\Admin\AppData\Local\Temp\dvywbd.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1572 wrote to memory of 1156 | N/A | C:\Users\Admin\AppData\Local\Temp\dvywbd.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 1156 wrote to memory of 1776 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1156 wrote to memory of 1776 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1156 wrote to memory of 1776 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1156 wrote to memory of 1776 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1580 wrote to memory of 768 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\TLauncher
PID 1580 wrote to memory of 768 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\TLauncher
PID 1580 wrote to memory of 768 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\TLauncher

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Network Realtime inspection.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\TLauncher'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'TLauncher'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "TLauncher" /tr "C:\Users\Admin\AppData\Roaming\TLauncher"

C:\Windows\system32\taskeng.exe

taskeng.exe {C382553C-FA5C-4A6B-881A-3D8F51101C88} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\owzihn.mp4"

C:\Users\Admin\AppData\Local\Temp\dvywbd.exe

"C:\Users\Admin\AppData\Local\Temp\dvywbd.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://wonderwork.ucoz.com/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1156 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Users\Admin\AppData\Roaming\TLauncher

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | listing-trackbacks.gl.at.ply.gg | udp
US | 147.185.221.20:15337 | listing-trackbacks.gl.at.ply.gg | tcp
US | 147.185.221.20:15337 | listing-trackbacks.gl.at.ply.gg | tcp
US | 147.185.221.20:15337 | listing-trackbacks.gl.at.ply.gg | tcp
US | 8.8.8.8:53 | wonderwork.ucoz.com | udp
US | 213.174.157.152:80 | wonderwork.ucoz.com | tcp
US | 213.174.157.152:80 | wonderwork.ucoz.com | tcp
US | 213.174.157.152:443 | wonderwork.ucoz.com | tcp
US | 213.174.157.152:443 | wonderwork.ucoz.com | tcp
US | 213.174.157.152:443 | wonderwork.ucoz.com | tcp
US | 213.174.157.152:443 | wonderwork.ucoz.com | tcp
US | 213.174.157.152:443 | wonderwork.ucoz.com | tcp
US | 213.174.157.152:443 | wonderwork.ucoz.com | tcp
US | 8.8.8.8:53 | s107.ucoz.net | udp
US | 8.8.8.8:53 | www.google.com | udp
US | 8.8.8.8:53 | www.cy-pr.com | udp
US | 8.8.8.8:53 | fxprimer.ru | udp
US | 213.174.157.152:443 | s107.ucoz.net | tcp
US | 213.174.157.152:443 | s107.ucoz.net | tcp
FR | 172.217.20.196:443 | www.google.com | tcp
FR | 172.217.20.196:443 | www.google.com | tcp
NL | 31.210.170.12:80 | www.cy-pr.com | tcp
NL | 31.210.170.12:80 | www.cy-pr.com | tcp
DE | 130.162.245.89:80 | fxprimer.ru | tcp
DE | 130.162.245.89:80 | fxprimer.ru | tcp
US | 8.8.8.8:53 | counter.yadro.ru | udp
RU | 88.212.201.204:443 | counter.yadro.ru | tcp
RU | 88.212.201.204:443 | counter.yadro.ru | tcp
DE | 130.162.245.89:443 | fxprimer.ru | tcp
US | 8.8.8.8:53 | share.pluso.ru | udp
FR | 216.58.214.163:80 | www.gstatic.com | tcp
FR | 216.58.214.163:80 | www.gstatic.com | tcp

Files

memory/1700-0-0x000007FEF4EB3000-0x000007FEF4EB4000-memory.dmp

memory/1700-1-0x00000000008B0000-0x00000000008CA000-memory.dmp

memory/1700-2-0x000007FEF4EB0000-0x000007FEF589C000-memory.dmp

memory/2824-7-0x0000000002AA0000-0x0000000002B20000-memory.dmp

memory/2824-8-0x000000001B660000-0x000000001B942000-memory.dmp

memory/2824-9-0x0000000002860000-0x0000000002868000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GCTZ0OFAQKFL8QMP4I1Z.temp

MD5 91a822d337bddb5269ca871880e5c01b
SHA1 a62d8ad1e62faf8a97150d00311a51fb70e64b91
SHA256 57d7ddce7cc468ceda6883fe261e28d9f2e227d80389b8a59a2d6fc120cef030
SHA512 afa7ac3916dd6b0a6b73e2c95a7d0c725b6be773418b5c2b8a2b846e2775c527f77c720ddce07a951c69c84e14b6cb41ae1309267141ba73ce53540f70a6c5c1

memory/2716-16-0x0000000001E00000-0x0000000001E08000-memory.dmp

memory/2716-15-0x000000001B570000-0x000000001B852000-memory.dmp

memory/2348-33-0x0000000000F10000-0x0000000000F2A000-memory.dmp

C:\Users\Admin\AppData\Roaming\TLauncher

MD5 5c888eddae30076bd7aaa2e5d5fea097
SHA1 6a5b5c290d24bcd984a7083f934dbf35f56ec888
SHA256 267d1802344caba41d174d5e9750695c446724e6c480bee1b79100a64931e788
SHA512 4a17d517772d0efff6fea2074af232c90f47b370fa9269d36970bec3a8204e1e3df8f273f21287f712d26117a803b428ffd3683581b85498515e1d908c5b3dd1

memory/1700-34-0x000007FEF4EB3000-0x000007FEF4EB4000-memory.dmp

memory/1700-35-0x000007FEF4EB0000-0x000007FEF589C000-memory.dmp

memory/1700-36-0x00000000003D0000-0x00000000003DC000-memory.dmp

memory/1700-39-0x000000001A8A0000-0x000000001A8B0000-memory.dmp

memory/988-41-0x0000000001360000-0x000000000137A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\owzihn.mp4

MD5 e8653029eedb0e8e72a610d15c77907c
SHA1 1eb9f618ef3d2f2711e166721d3f5047313073e5
SHA256 9c066096d1c6c277bb85c2c1e2f1371a964ff544b8187658cd35a79544f30c1b
SHA512 6665da01a2b1923c0064856f60d99114dfe266a2660cd749da195d19b42b8e2e2c93232b548029e725b09d5657bb6c3a609b806086d522751e185f3925ddb915

memory/2600-50-0x000007FEFA8D0000-0x000007FEFA904000-memory.dmp

memory/2600-49-0x000000013FFB0000-0x00000001400A8000-memory.dmp

memory/2600-58-0x000007FEF1150000-0x000007FEF1161000-memory.dmp

memory/2600-51-0x000007FEF12E0000-0x000007FEF1596000-memory.dmp

memory/2600-57-0x000007FEF1170000-0x000007FEF118D000-memory.dmp

memory/2600-56-0x000007FEF1190000-0x000007FEF11A1000-memory.dmp

memory/2600-59-0x000007FEF0D20000-0x000007FEF0F2B000-memory.dmp

memory/2600-55-0x000007FEF58E0000-0x000007FEF58F7000-memory.dmp

memory/2600-54-0x000007FEF5900000-0x000007FEF5911000-memory.dmp

memory/2600-53-0x000007FEF66A0000-0x000007FEF66B7000-memory.dmp

memory/2600-52-0x000007FEFA670000-0x000007FEFA688000-memory.dmp

memory/2600-76-0x000007FEF0F80000-0x000007FEF0F97000-memory.dmp

memory/2600-75-0x000007FEEE9E0000-0x000007FEEEB60000-memory.dmp

memory/2600-73-0x000007FEF0FA0000-0x000007FEF0FB1000-memory.dmp

memory/2600-72-0x000007FEF0C30000-0x000007FEF0CAC000-memory.dmp

memory/2600-60-0x000007FEEC770000-0x000007FEED820000-memory.dmp

memory/2600-74-0x000007FEF0BD0000-0x000007FEF0C27000-memory.dmp

memory/2600-71-0x000007FEF0CB0000-0x000007FEF0D17000-memory.dmp

memory/2600-70-0x000007FEF0FC0000-0x000007FEF0FF0000-memory.dmp

memory/2600-86-0x000007FEF0590000-0x000007FEF05A1000-memory.dmp

memory/2600-99-0x000007FEE9E60000-0x000007FEE9ED4000-memory.dmp

memory/2600-103-0x000007FEE9960000-0x000007FEE9994000-memory.dmp

memory/2600-102-0x000007FEE99A0000-0x000007FEE99F7000-memory.dmp

memory/2600-77-0x000007FEEAF00000-0x000007FEEC76F000-memory.dmp

memory/2600-101-0x000007FEE9A00000-0x000007FEE9A4E000-memory.dmp

memory/2600-100-0x000007FEE9CF0000-0x000007FEE9D01000-memory.dmp

memory/2600-98-0x000007FEE9EE0000-0x000007FEE9F27000-memory.dmp

memory/2600-97-0x000007FEE9F30000-0x000007FEE9F91000-memory.dmp

memory/2600-96-0x000007FEE9FA0000-0x000007FEE9FB1000-memory.dmp

memory/2600-95-0x000007FEEA360000-0x000007FEEA371000-memory.dmp

memory/2600-94-0x000007FEEA380000-0x000007FEEA486000-memory.dmp

memory/2600-90-0x000007FEEA520000-0x000007FEEA7D0000-memory.dmp

memory/2600-93-0x000007FEEA490000-0x000007FEEA4A3000-memory.dmp

memory/2600-92-0x000007FEEA4B0000-0x000007FEEA4D3000-memory.dmp

memory/2600-91-0x000007FEEA500000-0x000007FEEA515000-memory.dmp

memory/2600-89-0x000007FEF0520000-0x000007FEF0562000-memory.dmp

memory/2600-88-0x000007FEEA860000-0x000007FEEA925000-memory.dmp

memory/2600-87-0x000007FEF0570000-0x000007FEF0586000-memory.dmp

memory/2600-85-0x000007FEF05B0000-0x000007FEF05DF000-memory.dmp

memory/2600-84-0x000007FEFB0F0000-0x000007FEFB100000-memory.dmp

memory/2600-83-0x000007FEEA930000-0x000007FEEAB71000-memory.dmp

memory/2600-82-0x000007FEF0AB0000-0x000007FEF0B07000-memory.dmp

memory/2600-81-0x000007FEF0B10000-0x000007FEF0B5D000-memory.dmp

memory/2600-80-0x000007FEF0B60000-0x000007FEF0BA2000-memory.dmp

memory/2600-79-0x000007FEF0BB0000-0x000007FEF0BC2000-memory.dmp

memory/2600-78-0x000007FEEACF0000-0x000007FEEAEF6000-memory.dmp

memory/2600-69-0x000007FEF0FF0000-0x000007FEF1008000-memory.dmp

memory/2600-68-0x000007FEF1010000-0x000007FEF1021000-memory.dmp

memory/2600-67-0x000007FEF1030000-0x000007FEF104B000-memory.dmp

memory/2600-66-0x000007FEF1050000-0x000007FEF1061000-memory.dmp

memory/2600-65-0x000007FEF1070000-0x000007FEF1081000-memory.dmp

memory/2600-64-0x000007FEF1090000-0x000007FEF10A1000-memory.dmp

memory/2600-63-0x000007FEF10B0000-0x000007FEF10C8000-memory.dmp

memory/2600-62-0x000007FEF10D0000-0x000007FEF10F1000-memory.dmp

memory/2600-61-0x000007FEF1100000-0x000007FEF1141000-memory.dmp

memory/2600-106-0x000007FEF12E0000-0x000007FEF1596000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dvywbd.exe

MD5 ab1d6a0b504e8302bfa1761e8ab6198d
SHA1 982fbb07d7b18bf160f3111711fe5c194f7347d9
SHA256 33a4b7269c1ff49c478d1da7a466d64a6ffdd8aa34f627a284bb5e6ee0cccb4a
SHA512 8c88f1c61ac71a8dd2a2e89c0278c64576555a24e5f011898a4941fa1ebf501d0d2b19a9ea64053c55f703ca4440d2e30d30abfcc7a9f814a9f010c8dc156e17

C:\Users\Admin\AppData\Local\Temp\dvywbd.ini

MD5 c00ce9ed943065e34ae082f0dc82bb89
SHA1 c5d364ac6c9cf5a132104a9aba36306d84ef877b
SHA256 fefd534f4da1143b737a1b024203aadd65154ff969b3fa5ecd2b8cb05caf066f
SHA512 86645fe0983989c98a11f84f60a292298679df5b0f79b52b01e1eab3af4fdda73b5a6405ef6d27329311cdcd5798ccbf29b2a31dcf177986a08e77248417a752

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarFE15.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 003406aa8c397a334961e278f3f96d4c
SHA1 8b1c49d36ad9cc65b65ef9689db07ea0243afa29
SHA256 1826112f2f04cb5f78d0890a6661fafb4a60652cd56eb519d090388cc94511a9
SHA512 d63296a6bd6c4b2ca2a67236e1cf7c6fcf1ccd1428df91886ee4de229e8a3d573444ce0e21b7f71d793379e1138f96db25b9b620fa699974bf36667043986def

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 4103aa0700f2dc439d4c321ebe22936e
SHA1 94f723d73f9deda4e4db60e5b8a7a0018f0f52e2
SHA256 4f4f709cfd21c76526c769225e57ebeb1691197b6529299bd28950def897dc79
SHA512 da522d7d963f89907379439d042c4600eb8c1f64c76485cfc282cbb75692690d20950a8b37227ea23147b8a0362e867d96a6031c619d12aebdbe2a31c1b01fd3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_5E390E1CA50E646B1021D6CAA485D322

MD5 1fa17325918e618db3a2beb022df7a8c
SHA1 44fcfd4cc2aaae0b2f45bcee0b04d5346fdfcc2a
SHA256 3e4903996b66e24f58f2c9acb3f98ad734c9aa3113d27f6c44b33ad450693930
SHA512 417eab3dc9b6460247f02d50829b7027a8a6d445c43521f3d680cacab54dac132c94a36dcff7fd95004f154b6abbfd3e923deecc80619a8249468b70c1ac17b8

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\528EVS6A\favicon[1].png

MD5 40520d030be304644ead991b25de54dc
SHA1 13c417cc8d9fe72b115670ab232adebc9adf6be4
SHA256 3d29a578e7032ae64fafb00220be63f34e2771ee2ddb5ac1c80a917e47d1f38e
SHA512 98cc818b669880254cb0f35fc6a6d9a2e76f5afcbef2e4d3d17c428543f55e06af47f6223546775428860442f150ecec6a5e266c33f032eaca24fb6c1925246d

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\wi962z5\imagestore.dat

MD5 cbd094c301d4d4bb4c7bf213c63fecb6
SHA1 68e5c47b951f70b7b960ab72f2ec03148fe25718
SHA256 80115e73e15057e377678bd249f34c6669035d492caf03fc047610147a9fc553
SHA512 812400aa4ed25a7b8970ebfdd1391af65f04973b5511d825ede443a58e47581cf513229b8514841225e6189aa857861353212ad447beca6198bf05ecc8c094de

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e8dd04646fd13b9e7a3aec946de6b7e4
SHA1 5c6870abe00e1381289aaacf68e2882da827b6df
SHA256 97c4e4f67aedd6a4fa3c3ab368157f71040d31e6cf7f242624153cd184a3d4c1
SHA512 98e9b8b8b87de8fced53aa1ed3eef37f5894afbeaaa8729b6a2f78853a9784e68e0738ec0d5847cde78c22874726696aac7317c417ccf264aa1d18190845455c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b50f22631818918a46132385e213b141
SHA1 4ffa098ff794f3c994a6cd33fc2893e9e0ccebb2
SHA256 28d31e5a06db0868ed1ff42ad3aa19fc5cb38ba7888e6cc649a06113db1c5461
SHA512 a8f8ef63d3ae7967721bb3ce9ad8aaeff1f36566a5dd45b6dbb3b1a4039c04b2f3c189db03a99da632c4f866026c226553984c9ebf46f1699522136418f9d7af

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9e5c06719286f4eecc6b3dda4918a048
SHA1 5c66d9cc0b3febb12161edf316dc1fdc0413c893
SHA256 42fa255f1232d525993d5c0c49a5a8f9c86971bad84bed39524cf1522d296dfe
SHA512 0dfe3ac34f70b40bc93ee320fdf9935577994479ca24489b32844947cb8bd5f8bf78b70c6dd882d2bfe2e52392d6fceb5b9049c73dc597ca6f0147dab49dc02a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e2665408e477eafb52537d4d9a850d2b
SHA1 722842883996d5f6f3cb44e48806b3e82595b4e2
SHA256 a01e484286e301bd3579752eb615f65f4649bc1966304122500254fe05801a12
SHA512 068dbe6e69a4cda7944b545e937294183c7fdabcc462d560a4364eb18ab24e60684853a4985743daff4d92cc9d804657a82597396d9e5ee7f37478a3902e1f6b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a577a4e89ff0110d3bd18ce86fd7f50a
SHA1 db2c9dd96eaf6e3eb23183f70cf4a013b72c3bf1
SHA256 3c0c267ebe54979d7771e30e7afe4bf409dc20c4d8d323f82275c7dc75eaa71c
SHA512 3337a4bdec9ecca3b0a2718c01ac2f70c20fe95e6a0bd7d0cdc8632a3773460dc73a11c5faeb319bd6557c729adc84bd0e37d77fec25c3959a24606006260e0e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fd36db6ca6fb9de12912656ff2ee36fb
SHA1 cb31f5547170c352e9e87f9bbb8436c968e58b71
SHA256 686106cc40dfd90304ef786b1325a4f82c3ec32146b03d2371eb72dc05ef903e
SHA512 46f1a05c697c01aaa13eae2ddcaf8a7a480ccedee404ede240770b7c105d925101b0d8adb8948d2b17f9529b342fc975927966694388f75a060825ca8bf72002

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f3b47935003fce2af3128d93a5d0e042
SHA1 13670d397b890dfe66c943cc193dd8e6e92266d4
SHA256 6ae1930dc3d428976d8555e5b8093d563fd700055200bde617c1a99f3b1f7a50
SHA512 571fc2894a6b158e2e794ca5fac399523d91d89b3fb0f4fb6427d95017e5a4258f2b6659ffcca8e632504ab4897abe7e8322dc46a18d25c7ff16764adb387294

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a7e37ecf2f204f95a2deb0028e557f6d
SHA1 0fbafbaf47974e601231bc0966ddd8780797da13
SHA256 e87fa38b6d44538da32c609b0a2920d4e56fdc4c2153ce51214a458ab7a97375
SHA512 9fa23a13326f07f683675f484d96f847e761650e2710eba3b0af4058cb8455bec0cee6d8304e64ec4985f853ecf548aa13195aaf220e7ef20c8ff9ae11376e5f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 81598c9d4aa23a2f91e88cd06b5a46e9
SHA1 c8dd575ea6f25e4d9ef5ca02f28b898b89174010
SHA256 152714fab5e3fe27673a05986075ea62dcb5d46264d95b1cdd0308210d2b02f0
SHA512 86b9c920446974cd4b85d502d8c51221c8687df8574627dfd32f49ecef1224dec7ae05e4c28cd232d22376c04c7da75818ab2c34ff5e58beb8c0d36cba086974

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 63ce644e11ecf45b043a3e757580379b
SHA1 7420127ba442d8943ab680a0697407470ffb0a02
SHA256 b1d20ac3faae102ea147fcda97e276a9ab46a51acacd09a3374ed6d833759088
SHA512 2eebd295f4494077537c3fd13744989f06ae32985e5cf079ff87ffa42e125c130132db9c28191a72d4c0a5ccc76a3f5d80cf42bf30cb28de8705284804e4835e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-08 19:26

Reported

2024-06-08 19:29

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TLauncher.lnk C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TLauncher.lnk C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\TLauncher N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TLauncher N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TLauncher N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TLauncher = "C:\\Users\\Admin\\AppData\\Roaming\\TLauncher" C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\TLauncher N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\TLauncher N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\TLauncher N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3952 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3952 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3952 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3952 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3952 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3952 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3952 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3952 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3952 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\schtasks.exe
PID 3952 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Network Realtime inspection.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\TLauncher'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'TLauncher'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "TLauncher" /tr "C:\Users\Admin\AppData\Roaming\TLauncher"

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Users\Admin\AppData\Roaming\TLauncher

C:\Users\Admin\AppData\Roaming\TLauncher

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 listing-trackbacks.gl.at.ply.gg udp
US 147.185.221.20:15337 listing-trackbacks.gl.at.ply.gg tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 20.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 147.185.221.20:15337 listing-trackbacks.gl.at.ply.gg tcp
US 8.8.8.8:53 129.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp
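Read together, the Processes and Network tables above (with the Run key entry earlier in this run) record four artefacts a responder can key on: a child powershell.exe launched with -ExecutionPolicy Bypass that calls Add-MpPreference to exclude both the dropper and the dropped copy from Defender, once by path and once by process name; a schtasks.exe task that relaunches the extension-less file C:\Users\Admin\AppData\Roaming\TLauncher every minute at the highest run level; a Run value pointing at that same file; and, after an external-IP lookup against ip-api.com, a TCP session to listing-trackbacks.gl.at.ply.gg:15337, a hostname under the ply.gg domain used by the playit.gg tunnelling service. The Python below is an added example written by the editor, not sandbox output and not code from the sample: it turns each artefact into a detection and runs them over events copied by hand from those tables (constructed inputs, not an export). The ATT&CK technique IDs, the tunnel-domain suffix list and the "every five minutes or faster" threshold are the editor's assumptions, not the report's.

```python
# Added example: the report's behaviours as detections, run over events copied by hand from
# the 'Adds Run key', Processes and Network tables above (constructed inputs, not a sandbox export).
import re
import shlex

PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
PROCESSES = [  # command lines, in the order the Processes table lists them
    r'"C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe"',
    PS + r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft Network Realtime inspection.exe'",
    PS + r"Add-MpPreference -ExclusionProcess 'Microsoft Network Realtime inspection.exe'",
    PS + r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\TLauncher'",
    PS + r"Add-MpPreference -ExclusionProcess 'TLauncher'",
    r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "TLauncher" /tr "C:\Users\Admin\AppData\Roaming\TLauncher"',
]
NETWORK = [  # (destination, domain, proto); the repeated tunnel row shows de-duplication
    ("8.8.8.8:53", "ip-api.com", "udp"),
    ("208.95.112.1:80", "ip-api.com", "tcp"),
    ("8.8.8.8:53", "listing-trackbacks.gl.at.ply.gg", "udp"),
    ("147.185.221.20:15337", "listing-trackbacks.gl.at.ply.gg", "tcp"),
    ("147.185.221.20:15337", "listing-trackbacks.gl.at.ply.gg", "tcp"),
]
RUN_KEYS = [(r"\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TLauncher",
             r"C:\Users\Admin\AppData\Roaming\TLauncher")]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
TUNNEL_SUFFIXES = (".ply.gg",)  # playit.gg tunnel hosts; editor's list, extend with other providers you meet
IP_LOOKUP_HOSTS = {"ip-api.com"}
EXCLUSION = re.compile(r"""Add-MpPreference\s+-Exclusion(Path|Process|Extension|IpAddress)\s+(?:['"]([^'"]+)['"]|(\S+))""",
                       re.IGNORECASE)

def tokens(cmdline):
    """Split a Windows command line on whitespace, honouring quotes, then drop the quote marks."""
    return [t.strip("\"'") for t in shlex.split(cmdline, posix=False)]

def image_name(cmdline):
    return tokens(cmdline)[0].rsplit("\\", 1)[-1].lower()

def check_defender_exclusion(cmdline):
    """T1562.001: a PowerShell child carving the payload out of Defender's coverage by path or process name."""
    m = EXCLUSION.search(cmdline) if image_name(cmdline) == "powershell.exe" else None
    if not m:
        return None
    return {"technique": "T1562.001", "kind": m.group(1), "excluded": m.group(2) or m.group(3),
            "policy_bypass": "-executionpolicy bypass" in cmdline.lower()}

def check_schtask(cmdline):
    """T1053.005: schtasks /create with a minute-level trigger, highest run level or an action under AppData."""
    toks = tokens(cmdline)
    if image_name(cmdline) != "schtasks.exe" or "/create" not in (t.lower() for t in toks):
        return None
    opts = {t.lower(): toks[i + 1] for i, t in enumerate(toks)  # /flag value pairs; bare flags like /f get no value
            if t.startswith("/") and i + 1 < len(toks) and not toks[i + 1].startswith("/")}
    reasons = []
    if opts.get("/sc", "").lower() == "minute" and opts.get("/mo", "").isdigit() and int(opts["/mo"]) <= 5:
        reasons.append(f"runs every {opts['/mo']} minute(s)")
    if opts.get("/rl", "").upper() == "HIGHEST":
        reasons.append("requests the highest run level")
    if USER_WRITABLE.search(opts.get("/tr", "")):
        reasons.append("action lives under a user-writable AppData path")
    return {"technique": "T1053.005", "task": opts.get("/tn"), "action": opts.get("/tr"), "reasons": reasons} if reasons else None

def check_run_key(key_path, value):
    """T1547.001: a Run value whose target sits under AppData and, here, has no file extension at all."""
    if "\\currentversion\\run\\" not in key_path.lower():
        return None
    target = value.strip('"')
    reasons = [why for hit, why in ((USER_WRITABLE.search(target), "target under a user-writable AppData path"),
                                    ("." not in target.rsplit("\\", 1)[-1], "target has no file extension")) if hit]
    return {"technique": "T1547.001", "value": key_path.rsplit("\\", 1)[-1], "target": target, "reasons": reasons} if reasons else None

def check_network(rows):
    """Flag TCP sessions to tunnel-provider hosts and public-IP lookup services, once per (host, destination)."""
    findings, seen = [], set()
    for dest, domain, proto in rows:
        host = domain.lower()
        if proto != "tcp" or (host, dest) in seen:  # DNS rows carry no session of their own
            continue
        seen.add((host, dest))
        if host.endswith(TUNNEL_SUFFIXES):
            findings.append({"kind": "tunnel-c2", "host": host, "dest": dest})
        elif host in IP_LOOKUP_HOSTS:
            findings.append({"kind": "ip-lookup", "host": host, "dest": dest})
    return findings

def triage(processes=PROCESSES, network=NETWORK, run_keys=RUN_KEYS):
    """Run every check and return the flat list of findings (8 for the events above)."""
    findings = []
    for cmd in processes:
        findings += [f for f in (check_defender_exclusion(cmd), check_schtask(cmd)) if f]
    findings += [f for f in (check_run_key(k, v) for k, v in run_keys) if f]
    findings += check_network(network)
    return findings

if __name__ == "__main__":
    print(*triage(), sep="\n")
```

On a live host the same changes also surface outside the command line: an exclusion added through Add-MpPreference is logged as event 5007 in the Microsoft-Windows-Windows Defender/Operational log, and the task creation as Security event 4698 where object auditing is enabled; the script above only covers the process, registry and network side that this report exposes.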

Files

memory/3952-1-0x0000000000910000-0x000000000092A000-memory.dmp

memory/3952-0-0x00007FFA94B33000-0x00007FFA94B35000-memory.dmp

memory/3952-2-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp

memory/4196-3-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oflucuxd.vz1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4196-4-0x00000178D2710000-0x00000178D2732000-memory.dmp

memory/4196-14-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp

memory/4196-15-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp

memory/4196-18-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp

memory/4196-19-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8e36164c76778c19637405adc15c138d
SHA1 5a84b55368cc3c58c628aef578b658fede2a27f4
SHA256 bc9323059bc4e6793598b39d942be6720745037ded472e084f2b2b4b60d07f87
SHA512 d2dade91b8654b52857af12addc756817910463d5cd366fe9a13d6b23c3f2024ee2603b094bc03815b5f0f28891142d914aa65950e8a073961a4a5a312c25ff4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a2c8179aaa149c0b9791b73ce44c04d1
SHA1 703361b0d43ec7f669304e7c0ffbbfdeb1e484ff
SHA256 c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a
SHA512 2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3

C:\Users\Admin\AppData\Roaming\TLauncher

MD5 5c888eddae30076bd7aaa2e5d5fea097
SHA1 6a5b5c290d24bcd984a7083f934dbf35f56ec888
SHA256 267d1802344caba41d174d5e9750695c446724e6c480bee1b79100a64931e788
SHA512 4a17d517772d0efff6fea2074af232c90f47b370fa9269d36970bec3a8204e1e3df8f273f21287f712d26117a803b428ffd3683581b85498515e1d908c5b3dd1

memory/3952-60-0x00007FFA94B33000-0x00007FFA94B35000-memory.dmp

memory/3952-61-0x00007FFA94B30000-0x00007FFA955F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TLauncher.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1