Malware Analysis Report

2024-09-11 14:09

Sample ID 240614-e9ndeayhpl
Target main.v1.exe
SHA256 6666c3ef1bb36779fd6725d4ec308dd4a5a7677931844691d1d3fdba46c3278f
Tags xworm execution rat trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

6666c3ef1bb36779fd6725d4ec308dd4a5a7677931844691d1d3fdba46c3278f

Threat Level: Known bad

The file main.v1.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution rat trojan

Xworm

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Uses Task Scheduler COM API

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 04:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 04:38

Reported

2024-06-14 04:39

Platform

win10-20240611-en

Max time kernel

25s

Max time network

36s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main.v1.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\vape.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\feds.lol.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\vape.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\vape.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1548 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\main.v1.exe C:\Users\Admin\AppData\Roaming\vape.exe
PID 1548 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\main.v1.exe C:\Users\Admin\AppData\Roaming\vape.exe
PID 1548 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\main.v1.exe C:\Users\Admin\AppData\Roaming\feds.lol.exe
PID 1548 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\main.v1.exe C:\Users\Admin\AppData\Roaming\feds.lol.exe
PID 3924 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Roaming\vape.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Roaming\vape.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 808 N/A C:\Users\Admin\AppData\Roaming\vape.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 808 N/A C:\Users\Admin\AppData\Roaming\vape.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 836 N/A C:\Users\Admin\AppData\Roaming\vape.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 836 N/A C:\Users\Admin\AppData\Roaming\vape.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 672 N/A C:\Users\Admin\AppData\Roaming\vape.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 672 N/A C:\Users\Admin\AppData\Roaming\vape.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\vape.exe C:\Windows\System32\schtasks.exe
PID 3924 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\vape.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\main.v1.exe

"C:\Users\Admin\AppData\Local\Temp\main.v1.exe"

C:\Users\Admin\AppData\Roaming\vape.exe

"C:\Users\Admin\AppData\Roaming\vape.exe"

C:\Users\Admin\AppData\Roaming\feds.lol.exe

"C:\Users\Admin\AppData\Roaming\feds.lol.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\vape.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'vape.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\scvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'scvhost.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "scvhost" /tr "C:\Users\Admin\AppData\Roaming\scvhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gift-scientists.gl.at.ply.gg udp
US 147.185.221.20:20443 gift-scientists.gl.at.ply.gg tcp
US 8.8.8.8:53 0.0.0.0.0.0.0.0.0.0.0.0.1.1.9.5.f.f.f.f.6.a.e.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/1548-0-0x00007FF966B63000-0x00007FF966B64000-memory.dmp

memory/1548-1-0x0000000000F60000-0x00000000010A6000-memory.dmp

C:\Users\Admin\AppData\Roaming\vape.exe

MD5 409c4205d1119c67e3ed65c16f9b71c7
SHA1 2dd6c500f1bc16e59764cd1ac13642463efa52e7
SHA256 924d8102157fd6dbcda4cac2b035be62d8aeeb3e3d8d5bea167989a33d0141fd
SHA512 1de55f5dd34b546078130cb5619295113200d7fc254ef32573db256ece2ebc89181ff0cb92900617728f04a11d688d9b4bbd32b3152d1a66c9d93a206d1d135d

memory/3924-9-0x0000000000AF0000-0x0000000000B06000-memory.dmp

C:\Users\Admin\AppData\Roaming\feds.lol.exe

MD5 9a5bbfcfd9311824e175ab98a346770c
SHA1 8c1473c9513364779b35a7a65ed71ef4f321a180
SHA256 08a07606f1cace7f9c7c2578ffa15d1aeb0406841ad3e520a0cf02ddab1d9edf
SHA512 2845bd3c99ae36a15054c2dcf2bd93d069781cde18f96bd844c8814916f195de407ec1cbddf8c4d4f0c23003bf4dbc182dca1ac7a672235c1024895f2dd74148

memory/3924-14-0x00007FF966B60000-0x00007FF96754C000-memory.dmp

memory/2544-19-0x000001B87E690000-0x000001B87E6B2000-memory.dmp

memory/2544-22-0x000001B87E960000-0x000001B87E9D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dl5o3slb.wr5.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8592ba100a78835a6b94d5949e13dfc1
SHA1 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f4cb732fb372d486b4f91a303b595f8d
SHA1 de650099cb28e658f809ab83736d85562274e596
SHA256 4d7b1d494298943e7135a7c040474db47fbcf06596e57de32f5a98e6838cd8a4
SHA512 c207190202cef569a3d288a3dbfade9c2d5db41680afe480445a561065ca65620f3143a93ef9fcb2743a002fcfa0d9ab6101e8874052d6999bbb47599ce1e721

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bec24ea7dfc809d2c029912765457638
SHA1 de171a58cc294dfd93783aff0b942834baee7ea1
SHA256 4f1d58a4f2cfc668e6132da99f718f0c34132b1aedc6226ef5634f00dbe213e8
SHA512 5b37d498096272b8d8552e4346aec1b3d50b74bbddfeeb85f3fddb36df9e5759ad954a9a6d0f3506df259570fa7c429bd565e21d17c7d4f727b90e71ee836aca

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e39f9ea633a17eb676f731c392d0ab8d
SHA1 62b534289e241adbded9143e8ba122174893a700
SHA256 88c69edac73c2e0d75c3ce8cc503f9bc22c51587b5d000fde49363f438e75b6a
SHA512 07baa43cd7da2a7f68b708309f24a5b3e624c873002e1d1334317ee669d551611042f5a6cc954489c81f78f2ff9c46b69a512196a2fa29bacc13c186fb690dfa

memory/3924-191-0x00007FF966B60000-0x00007FF96754C000-memory.dmp

memory/3924-192-0x00007FF966B60000-0x00007FF96754C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 04:38

Reported

2024-06-14 04:41

Platform

win10v2004-20240611-en

Max time kernel

139s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\main.v1.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\main.v1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\vape.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\vape.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\vape.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\vape.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\scvhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\scvhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\scvhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4980 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\main.v1.exe C:\Users\Admin\AppData\Roaming\vape.exe
PID 4980 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\main.v1.exe C:\Users\Admin\AppData\Roaming\vape.exe
PID 4980 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\main.v1.exe C:\Users\Admin\AppData\Roaming\feds.lol.exe
PID 4980 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\main.v1.exe C:\Users\Admin\AppData\Roaming\feds.lol.exe
PID 3824 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Roaming\vape.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3824 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Roaming\vape.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3824 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Roaming\vape.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3824 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Roaming\vape.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3824 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Roaming\vape.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3824 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Roaming\vape.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3824 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Roaming\vape.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3824 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Roaming\vape.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3824 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Roaming\vape.exe C:\Windows\System32\schtasks.exe
PID 3824 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Roaming\vape.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\main.v1.exe

"C:\Users\Admin\AppData\Local\Temp\main.v1.exe"

C:\Users\Admin\AppData\Roaming\vape.exe

"C:\Users\Admin\AppData\Roaming\vape.exe"

C:\Users\Admin\AppData\Roaming\feds.lol.exe

"C:\Users\Admin\AppData\Roaming\feds.lol.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\vape.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'vape.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\scvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'scvhost.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "scvhost" /tr "C:\Users\Admin\AppData\Roaming\scvhost.exe"

C:\Users\Admin\AppData\Roaming\scvhost.exe

C:\Users\Admin\AppData\Roaming\scvhost.exe

C:\Users\Admin\AppData\Roaming\scvhost.exe

C:\Users\Admin\AppData\Roaming\scvhost.exe

C:\Users\Admin\AppData\Roaming\scvhost.exe

C:\Users\Admin\AppData\Roaming\scvhost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
BE 88.221.83.249:443 www.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 249.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 gift-scientists.gl.at.ply.gg udp
US 147.185.221.20:20443 gift-scientists.gl.at.ply.gg tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 147.185.221.20:20443 gift-scientists.gl.at.ply.gg tcp
US 147.185.221.20:20443 gift-scientists.gl.at.ply.gg tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 147.185.221.20:20443 gift-scientists.gl.at.ply.gg tcp
US 147.185.221.20:20443 gift-scientists.gl.at.ply.gg tcp

Files

memory/4980-0-0x0000000000490000-0x00000000005D6000-memory.dmp

memory/4980-2-0x00007FFDC8C30000-0x00007FFDC8E25000-memory.dmp

C:\Users\Admin\AppData\Roaming\vape.exe

MD5 409c4205d1119c67e3ed65c16f9b71c7
SHA1 2dd6c500f1bc16e59764cd1ac13642463efa52e7
SHA256 924d8102157fd6dbcda4cac2b035be62d8aeeb3e3d8d5bea167989a33d0141fd
SHA512 1de55f5dd34b546078130cb5619295113200d7fc254ef32573db256ece2ebc89181ff0cb92900617728f04a11d688d9b4bbd32b3152d1a66c9d93a206d1d135d

C:\Users\Admin\AppData\Roaming\feds.lol.exe

MD5 9a5bbfcfd9311824e175ab98a346770c
SHA1 8c1473c9513364779b35a7a65ed71ef4f321a180
SHA256 08a07606f1cace7f9c7c2578ffa15d1aeb0406841ad3e520a0cf02ddab1d9edf
SHA512 2845bd3c99ae36a15054c2dcf2bd93d069781cde18f96bd844c8814916f195de407ec1cbddf8c4d4f0c23003bf4dbc182dca1ac7a672235c1024895f2dd74148

memory/3824-20-0x00007FFDC8C30000-0x00007FFDC8E25000-memory.dmp

memory/3824-22-0x0000000000D20000-0x0000000000D36000-memory.dmp

memory/4980-23-0x00007FFDC8C30000-0x00007FFDC8E25000-memory.dmp

memory/4168-25-0x0000025CE51D0000-0x0000025CE51F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fqisc5ep.mv3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 62623d22bd9e037191765d5083ce16a3
SHA1 4a07da6872672f715a4780513d95ed8ddeefd259
SHA256 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA512 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 22310ad6749d8cc38284aa616efcd100
SHA1 440ef4a0a53bfa7c83fe84326a1dff4326dcb515
SHA256 55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf
SHA512 2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 735e7ecd39ed29e19993348e7e826f59
SHA1 0ab003c21fa5ae9f0f0669e66a6a28fc368b7c32
SHA256 7113df60d3d2df3db0ce1cd0cdb21fffa74beb6d3cb43ae15f451e4b16bcd33d
SHA512 9e60847bbd26a3288b8aa61febb68ca16bd16c660938dd742e73fcd5e09c62c405235ad078fb520d9130fa07e5127d032b104a8d330445c5279168645cc156f4

memory/3824-72-0x00007FFDC8C30000-0x00007FFDC8E25000-memory.dmp

memory/3824-76-0x00007FFDC8C30000-0x00007FFDC8E25000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\scvhost.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1