Malware Analysis Report

2024-09-11 14:03

Sample ID 240614-x2kxeswgpk
Target 1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4
SHA256 1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4
Tags
xworm execution persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4

Threat Level: Known bad

The file 1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4 was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan

Detect Xworm Payload

Detects executables using Telegram Chat Bot

Xworm family

Xworm

Detects Windows executables referencing non-Windows User-Agents

Detects Windows executables referencing non-Windows User-Agents

Detects executables using Telegram Chat Bot

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: AddClipboardFormatListener

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
PowerShell
T1059.001
Scheduled Task/Job
T1053
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-14 19:20

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables using Telegram Chat Bot

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 19:20

Reported

2024-06-14 19:23

Platform

win7-20240221-en

Max time kernel

145s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables using Telegram Chat Bot

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77svchost.lnk C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77svchost.lnk C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\$77svchost.exe N/A
N/A N/A C:\ProgramData\$77svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77svchost = "C:\\ProgramData\\$77svchost.exe" C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\$77svchost.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\$77svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2240 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2240 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2240 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2240 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2240 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2240 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2240 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2240 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2240 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2240 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2240 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2240 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2240 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe C:\Windows\System32\schtasks.exe
PID 2240 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe C:\Windows\System32\schtasks.exe
PID 2240 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe C:\Windows\System32\schtasks.exe
PID 2872 wrote to memory of 1952 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\$77svchost.exe
PID 2872 wrote to memory of 1952 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\$77svchost.exe
PID 2872 wrote to memory of 1952 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\$77svchost.exe
PID 2872 wrote to memory of 1988 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\$77svchost.exe
PID 2872 wrote to memory of 1988 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\$77svchost.exe
PID 2872 wrote to memory of 1988 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\$77svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe

"C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\$77svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77svchost.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77svchost" /tr "C:\ProgramData\$77svchost.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {34620620-8948-478A-8320-6DAF37CFFC9C} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]

C:\ProgramData\$77svchost.exe

C:\ProgramData\$77svchost.exe

C:\ProgramData\$77svchost.exe

C:\ProgramData\$77svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 rentry.co udp
US 104.26.2.16:443 rentry.co tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 heresfilly.ddns.net udp

Files

memory/2240-0-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

memory/2240-1-0x0000000000FE0000-0x0000000000FF4000-memory.dmp

memory/2588-6-0x00000000029B0000-0x0000000002A30000-memory.dmp

memory/2588-7-0x000000001B7A0000-0x000000001BA82000-memory.dmp

memory/2588-8-0x0000000002230000-0x0000000002238000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QI4KTRFOOGY2AHO36OLY.temp

MD5 bc44efdee71497cdeb57bfd501759e8a
SHA1 cacb660a4d0620b835d4b5ad3299940b3ee31712
SHA256 c00abb27cbb0e77152f7c19e2f131bacc7b0e4106a6a37ce1da5a836199a4486
SHA512 fabd1d70de5be5c7c1aa842403953269073958058c7d16db543fe3f50e0dcd45613a5c5e914925dc7cce1009e0428a9219ef5b09a70381a1c66f5989eaf466cb

memory/2484-14-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

memory/2484-15-0x00000000027E0000-0x00000000027E8000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2240-31-0x000000001B2B0000-0x000000001B330000-memory.dmp

memory/2240-32-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

C:\ProgramData\$77svchost.exe

MD5 f68cad23c9bc135471958c4a3d4d8fa9
SHA1 c5194b77d6fa5e9e87ec138be44384531dc7e076
SHA256 1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4
SHA512 72b34dbac8c3bbfa3156059a1e48fd81e6683a367b01de972153472aadcfcba513a60d8dab4af06f8bc35d96421734f6d981e72a9d6192b08049272582b8db1a

memory/1952-37-0x00000000012B0000-0x00000000012C4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 19:20

Reported

2024-06-14 19:23

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables using Telegram Chat Bot

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77svchost.lnk C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77svchost.lnk C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\$77svchost.exe N/A
N/A N/A C:\ProgramData\$77svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77svchost = "C:\\ProgramData\\$77svchost.exe" C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\$77svchost.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\$77svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2852 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2852 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe C:\Windows\System32\schtasks.exe
PID 2852 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe

"C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\$77svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77svchost.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77svchost" /tr "C:\ProgramData\$77svchost.exe"

C:\ProgramData\$77svchost.exe

C:\ProgramData\$77svchost.exe

C:\ProgramData\$77svchost.exe

C:\ProgramData\$77svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 rentry.co udp
US 8.8.8.8:53 rentry.co udp
US 8.8.8.8:53 rentry.co udp
US 8.8.8.8:53 rentry.co udp
US 8.8.8.8:53 rentry.co udp
US 8.8.8.8:53 rentry.co udp
US 8.8.8.8:53 rentry.co udp
US 8.8.8.8:53 rentry.co udp
US 8.8.8.8:53 rentry.co udp
US 8.8.8.8:53 rentry.co udp

Files

memory/2852-0-0x00007FFFE9CF3000-0x00007FFFE9CF5000-memory.dmp

memory/2852-1-0x0000000000980000-0x0000000000994000-memory.dmp

memory/4204-2-0x000001A9F3000000-0x000001A9F3022000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tmijh4vc.loy.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4204-12-0x00007FFFE9CF0000-0x00007FFFEA7B1000-memory.dmp

memory/4204-13-0x00007FFFE9CF0000-0x00007FFFEA7B1000-memory.dmp

memory/4204-16-0x00007FFFE9CF0000-0x00007FFFEA7B1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d481e7f30eac3e890a306be239398c8f
SHA1 b04cc99d7f71a8300dbfbc012b7210f4aed1010b
SHA256 07ec77c4cfc632a8f0853941779e2c3a3feb86ed7a5517a90b328def91a2ef59
SHA512 a1e1108b3a7184b483044d8b1ba8fc137c9aca0c83054659db4fdbf1797e43e360040a2a4bc4cb2ed739fa165fb7a72684bb4cc1e6747024bc109f3cd0eede80

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3072fa0040b347c3941144486bf30c6f
SHA1 e6dc84a5bd882198583653592f17af1bf8cbfc68
SHA256 da8b533f81b342503c109e46b081b5c5296fdad5481f93fe5cc648e49ca6238e
SHA512 62df0eed621fe8ec340887a03d26b125429025c14ddcdfef82cb78ce1c9c6110c1d51ff0e423754d7966b6251363bf92833970eaf67707f8dd62e1549a79536c

memory/2852-55-0x00007FFFE9CF0000-0x00007FFFEA7B1000-memory.dmp

memory/2852-56-0x00007FFFE9CF0000-0x00007FFFEA7B1000-memory.dmp

C:\ProgramData\$77svchost.exe

MD5 f68cad23c9bc135471958c4a3d4d8fa9
SHA1 c5194b77d6fa5e9e87ec138be44384531dc7e076
SHA256 1c1d169d6719f3c05e3ea0e8c91d26b53524588b8ffcc64b273eeec359eb51a4
SHA512 72b34dbac8c3bbfa3156059a1e48fd81e6683a367b01de972153472aadcfcba513a60d8dab4af06f8bc35d96421734f6d981e72a9d6192b08049272582b8db1a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77svchost.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1