Malware Analysis Report

2024-09-23 02:07

Sample ID 240619-knyj5ssalj
Target xworm.js
SHA256 0ffef02908f711dc3b01b83a439e2aeaafa58b021a4c930ed47772e6d958931e
Tags: agenttesla stormkitty xworm execution keylogger rat spyware stealer trojan

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

0ffef02908f711dc3b01b83a439e2aeaafa58b021a4c930ed47772e6d958931e

Threat Level: Known bad

The file xworm.js was found to be: Known bad.

Malicious Activity Summary

agenttesla stormkitty xworm execution keylogger rat spyware stealer trojan

StormKitty payload

StormKitty

AgentTesla

Xworm

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Reads WinSCP keys stored on the system

Executes dropped EXE

Reads user/profile data of local email clients

Loads dropped DLL

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Command and Scripting Interpreter: JavaScript

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-19 08:45

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 08:45

Reported

2024-06-19 08:48

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

150s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\xworm.js

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3048 set thread context of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2320 wrote to memory of 3048 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 2320 wrote to memory of 3048 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 2320 wrote to memory of 3048 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 3048 wrote to memory of 4532 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3048 wrote to memory of 4532 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3048 wrote to memory of 4532 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3048 wrote to memory of 3964 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3048 wrote to memory of 3964 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3048 wrote to memory of 3964 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3048 wrote to memory of 60 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3048 wrote to memory of 60 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3048 wrote to memory of 60 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3048 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 3048 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 3048 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 3048 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 3048 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 3048 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 3048 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 3048 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\xworm.js

C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe

"C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hmpDqhdDQk.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmpDqhdDQk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7913.tmp"

C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe

"C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 64 -ip 64

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 2352

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 20.231.121.79:80 | | tcp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp
US | 13.107.246.64:443 | | tcp
US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp
US | 107.175.101.198:7000 | | tcp
US | 8.8.8.8:53 | 198.101.175.107.in-addr.arpa | udp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 104.26.13.205:443 | api.ipify.org | tcp
US | 107.175.101.198:7000 | | tcp
US | 107.175.101.198:7000 | | tcp
US | 8.8.8.8:53 | 205.13.26.104.in-addr.arpa | udp
US | 8.8.8.8:53 | api.telegram.org | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe

MD5 22269c9e26e7aa5d4168bb2b7acad1b3
SHA1 9c18f20bceeeb671f745458b4bf4f8d217a84173
SHA256 0ca04624018e1b0234ad520ab681fc7357f5dc1b537f860fc9a4849b4c207b11
SHA512 a3c0a97eed520fb5bd6578b48bf8992fd62ae913eb5b3940423800a2f913614b5c7eb39d0fd038f4edd98aa5512a16dabcc5f8c601ac93260af8d91dd9350e17

memory/3048-11-0x00000000744BE000-0x00000000744BF000-memory.dmp

memory/3048-12-0x0000000000950000-0x00000000009C2000-memory.dmp

memory/3048-13-0x0000000005A10000-0x0000000005FB4000-memory.dmp

memory/3048-14-0x00000000053A0000-0x0000000005432000-memory.dmp

memory/3048-15-0x00000000744B0000-0x0000000074C60000-memory.dmp

memory/3048-16-0x0000000005560000-0x000000000556A000-memory.dmp

memory/3048-17-0x0000000005660000-0x00000000056FC000-memory.dmp

memory/3048-18-0x0000000005640000-0x0000000005652000-memory.dmp

memory/3048-19-0x0000000005760000-0x0000000005768000-memory.dmp

memory/3048-20-0x0000000005960000-0x000000000596C000-memory.dmp

memory/3048-21-0x0000000007E10000-0x0000000007E60000-memory.dmp

memory/3048-22-0x00000000744BE000-0x00000000744BF000-memory.dmp

memory/3048-23-0x00000000744B0000-0x0000000074C60000-memory.dmp

memory/4532-27-0x0000000002930000-0x0000000002966000-memory.dmp

memory/4532-29-0x0000000005520000-0x0000000005B48000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7913.tmp

MD5 06eaeb43ae7454cc606bfe1d4374831b
SHA1 50dbfe53529a207887dc1606ab391252628a8645
SHA256 199a4312e7cf27b4fba488950ffec15c59fc70ce4381879d9786d92264b9575a
SHA512 6c664d8f84934c2f3058b3a803bc740ea0c73c83fd181017296e27d46b9ffd2ef4a864de4832885835a398d1edf942935057a52f8b879f8714282f2d93809006

memory/4532-31-0x00000000052B0000-0x00000000052D2000-memory.dmp

memory/3964-32-0x00000000055D0000-0x0000000005636000-memory.dmp

memory/3964-33-0x0000000005640000-0x00000000056A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_klfaj5yl.buw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/64-34-0x0000000000400000-0x000000000040E000-memory.dmp

memory/3048-51-0x00000000744B0000-0x0000000074C60000-memory.dmp

memory/4532-56-0x0000000005CC0000-0x0000000006014000-memory.dmp

memory/4532-57-0x0000000004FD0000-0x0000000004FEE000-memory.dmp

memory/3964-58-0x00000000065D0000-0x000000000661C000-memory.dmp

memory/4532-59-0x00000000072B0000-0x00000000072E2000-memory.dmp

memory/3964-61-0x0000000074D40000-0x0000000074D8C000-memory.dmp

memory/4532-60-0x0000000074D40000-0x0000000074D8C000-memory.dmp

memory/4532-80-0x00000000068D0000-0x00000000068EE000-memory.dmp

memory/3964-81-0x0000000007550000-0x00000000075F3000-memory.dmp

memory/3964-82-0x0000000007ED0000-0x000000000854A000-memory.dmp

memory/4532-83-0x0000000007620000-0x000000000763A000-memory.dmp

memory/3964-84-0x0000000007900000-0x000000000790A000-memory.dmp

memory/4532-85-0x00000000078A0000-0x0000000007936000-memory.dmp

memory/3964-86-0x0000000007A80000-0x0000000007A91000-memory.dmp

memory/3964-88-0x0000000007AB0000-0x0000000007ABE000-memory.dmp

memory/4532-87-0x0000000007850000-0x000000000785E000-memory.dmp

memory/3964-89-0x0000000007AC0000-0x0000000007AD4000-memory.dmp

memory/3964-90-0x0000000007BC0000-0x0000000007BDA000-memory.dmp

memory/3964-91-0x0000000007BA0000-0x0000000007BA8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4b2538bb6263986cbe3605b03793e8c6
SHA1 a063e3de8f41a69c3642d154a6dd293d07281405
SHA256 a25e143a441be4010a1048c00ab49fa2dbac6464797f3b97a714234c9dc31612
SHA512 2102a41081e71af1f8909f92318602f6ffd13530e7599f3189cfae9cebfc10bbad1f13b2da78bb4ed4d987071cfd2d612604128c340bd39d82a0b89e636b7f75

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/64-97-0x0000000006450000-0x0000000006492000-memory.dmp

memory/64-98-0x0000000007670000-0x0000000007790000-memory.dmp

memory/64-99-0x00000000077D0000-0x0000000007B24000-memory.dmp

memory/64-100-0x0000000007E00000-0x0000000007E0E000-memory.dmp

memory/64-101-0x0000000007E10000-0x0000000007E5C000-memory.dmp

memory/64-102-0x00000000075B0000-0x0000000007600000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 08:45

Reported

2024-06-19 08:47

Platform

win7-20240221-en

Max time kernel

118s

Max time network

148s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\xworm.js

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1672 set thread context of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2192 wrote to memory of 1672 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 2192 wrote to memory of 1672 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 2192 wrote to memory of 1672 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 2192 wrote to memory of 1672 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 1672 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1672 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1672 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1672 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1672 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1672 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1672 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1672 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1672 wrote to memory of 2424 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1672 wrote to memory of 2424 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1672 wrote to memory of 2424 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1672 wrote to memory of 2424 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1672 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 1672 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 1672 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 1672 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 1672 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 1672 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 1672 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 1672 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 1672 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 1672 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 1672 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 1672 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe
PID 1672 wrote to memory of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe | C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\xworm.js

C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe

"C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hmpDqhdDQk.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hmpDqhdDQk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp69CB.tmp"

C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe

"C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe"

C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe

"C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe"

Network

Country | Destination | Domain | Proto
US | 107.175.101.198:7000 | | tcp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 104.26.13.205:443 | api.ipify.org | tcp
US | 107.175.101.198:7000 | | tcp
US | 107.175.101.198:7000 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\order_document_sheet#PO35642.exe

MD5 22269c9e26e7aa5d4168bb2b7acad1b3
SHA1 9c18f20bceeeb671f745458b4bf4f8d217a84173
SHA256 0ca04624018e1b0234ad520ab681fc7357f5dc1b537f860fc9a4849b4c207b11
SHA512 a3c0a97eed520fb5bd6578b48bf8992fd62ae913eb5b3940423800a2f913614b5c7eb39d0fd038f4edd98aa5512a16dabcc5f8c601ac93260af8d91dd9350e17

memory/1672-6-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

memory/1672-7-0x0000000001350000-0x00000000013C2000-memory.dmp

memory/1672-8-0x0000000074AD0000-0x00000000751BE000-memory.dmp

memory/1672-9-0x0000000000410000-0x0000000000422000-memory.dmp

memory/1672-10-0x00000000006E0000-0x00000000006E8000-memory.dmp

memory/1672-11-0x00000000006F0000-0x00000000006FC000-memory.dmp

memory/1672-12-0x0000000004B70000-0x0000000004BC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp69CB.tmp

MD5 b3895a4d373e98f3f8f3982271002663
SHA1 158e2cae3d2856feecc29268c346e70cc2241694
SHA256 da562cd3f221136470d59bc68615b0c008c276f5ce4106edac5e28b7d2e2572c
SHA512 0f5af1cdf9271e68ec581474acdb44c949e861bc1b4dd205d7621d22d8aa848e07c635b81bd16b4e1fefd42c26673f4e36e4d4178352deeea367231079cf1cef

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 0b6b26e883b03474a983feb28a92a551
SHA1 941c1fb58191a4f1e9d990583cd2d2af4599351a
SHA256 98bb98dcaf1350efb94868299e985450a50f066edd32b74b18fdc51f29cd4def
SHA512 373ae75396858cc4d19a5b632c2c7d612f29f2f6c23c198b1b038bd4eea2cf735c991eb36c37d03edf2b9b311141fd4c809c526ed870563ba62cb75e476cf63c

memory/2632-37-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2632-40-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2632-39-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2632-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2632-34-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2632-32-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2632-30-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2632-28-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1672-41-0x0000000074AD0000-0x00000000751BE000-memory.dmp

memory/2632-42-0x0000000001270000-0x00000000012B2000-memory.dmp

memory/2632-43-0x0000000006F10000-0x0000000007030000-memory.dmp

memory/2632-67-0x0000000005320000-0x000000000532E000-memory.dmp

memory/2632-68-0x00000000077E0000-0x0000000007B30000-memory.dmp