xworm | c88ffa55d1136e9393fa642c508ab09e91da603eb036c0ca72fb77d806844c14

Analysis

max time kernel
189s
max time network
291s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-07-2024 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1111.txt
Size

40B
MD5

1424606dbfeb39f90c1465f60bae2db2
SHA1

cf47c1441422f20f0c03ec05a88d1c9062518ec9
SHA256

c88ffa55d1136e9393fa642c508ab09e91da603eb036c0ca72fb77d806844c14
SHA512

6fa4d908ad553ab25ba461393baadd9b99d2134b05059b61ba80582551d8b517ff8cdfde010f48e652b8ab16034371b935717afcda5833cab4b63d31c6368635

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

connection-arizona.gl.at.ply.gg:65211

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000001a499-356.dat	family_xworm
behavioral1/memory/1252-401-0x00000000013C0000-0x00000000013F0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1484	powershell.exe
1720	powershell.exe
2268	powershell.exe
1304	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
944	RTC_launcher.exe
1252	RTC-launcher.exe
2328	svchost.sfx.exe
1528	RTC_Launcher.exe
2000	svchost.exe
1252	svchost.exe
1936	svchost.exe
112	svchost.exe

Loads dropped DLL 5 IoCs

pid	Process
2920	chrome.exe
2936	chrome.exe
1864	chrome.exe
944	RTC_launcher.exe
1252	RTC-launcher.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
43	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1704	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3056	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1864	chrome.exe
1864	chrome.exe
1304	powershell.exe
1484	powershell.exe
1720	powershell.exe
2268	powershell.exe
1864	chrome.exe
1864	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeDebugPrivilege	1528	RTC_Launcher.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeDebugPrivilege	1252	svchost.exe
Token: SeShutdownPrivilege	1864	chrome.exe
Token: SeShutdownPrivilege	1864	chrome.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe
1864	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 1308	1864	chrome.exe	32
PID 1864 wrote to memory of 1308	1864	chrome.exe	32
PID 1864 wrote to memory of 1308	1864	chrome.exe	32
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2708	1864	chrome.exe	34
PID 1864 wrote to memory of 2964	1864	chrome.exe	35
PID 1864 wrote to memory of 2964	1864	chrome.exe	35
PID 1864 wrote to memory of 2964	1864	chrome.exe	35
PID 1864 wrote to memory of 1180	1864	chrome.exe	36
PID 1864 wrote to memory of 1180	1864	chrome.exe	36
PID 1864 wrote to memory of 1180	1864	chrome.exe	36
PID 1864 wrote to memory of 1180	1864	chrome.exe	36
PID 1864 wrote to memory of 1180	1864	chrome.exe	36
PID 1864 wrote to memory of 1180	1864	chrome.exe	36
PID 1864 wrote to memory of 1180	1864	chrome.exe	36
PID 1864 wrote to memory of 1180	1864	chrome.exe	36
PID 1864 wrote to memory of 1180	1864	chrome.exe	36
PID 1864 wrote to memory of 1180	1864	chrome.exe	36
PID 1864 wrote to memory of 1180	1864	chrome.exe	36
PID 1864 wrote to memory of 1180	1864	chrome.exe	36
PID 1864 wrote to memory of 1180	1864	chrome.exe	36
PID 1864 wrote to memory of 1180	1864	chrome.exe	36
PID 1864 wrote to memory of 1180	1864	chrome.exe	36
PID 1864 wrote to memory of 1180	1864	chrome.exe	36
PID 1864 wrote to memory of 1180	1864	chrome.exe	36
PID 1864 wrote to memory of 1180	1864	chrome.exe	36
PID 1864 wrote to memory of 1180	1864	chrome.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\1111.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef68e9758,0x7fef68e9768,0x7fef68e9778
  2⤵
  PID:1308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1132 --field-trial-handle=1200,i,15451803442328612564,5559992560921442559,131072 /prefetch:2
  2⤵
  PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1392 --field-trial-handle=1200,i,15451803442328612564,5559992560921442559,131072 /prefetch:8
  2⤵
  PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1560 --field-trial-handle=1200,i,15451803442328612564,5559992560921442559,131072 /prefetch:8
  2⤵
  PID:1180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2140 --field-trial-handle=1200,i,15451803442328612564,5559992560921442559,131072 /prefetch:1
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2148 --field-trial-handle=1200,i,15451803442328612564,5559992560921442559,131072 /prefetch:1
  2⤵
  PID:484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1680 --field-trial-handle=1200,i,15451803442328612564,5559992560921442559,131072 /prefetch:2
  2⤵
  PID:644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1140 --field-trial-handle=1200,i,15451803442328612564,5559992560921442559,131072 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3352 --field-trial-handle=1200,i,15451803442328612564,5559992560921442559,131072 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=2756 --field-trial-handle=1200,i,15451803442328612564,5559992560921442559,131072 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4120 --field-trial-handle=1200,i,15451803442328612564,5559992560921442559,131072 /prefetch:8
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4136 --field-trial-handle=1200,i,15451803442328612564,5559992560921442559,131072 /prefetch:8
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2712 --field-trial-handle=1200,i,15451803442328612564,5559992560921442559,131072 /prefetch:8
  2⤵
  PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3828 --field-trial-handle=1200,i,15451803442328612564,5559992560921442559,131072 /prefetch:8
  2⤵
  PID:1640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3840 --field-trial-handle=1200,i,15451803442328612564,5559992560921442559,131072 /prefetch:8
  2⤵
  - Loads dropped DLL
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3824 --field-trial-handle=1200,i,15451803442328612564,5559992560921442559,131072 /prefetch:8
  2⤵
  - Loads dropped DLL
  PID:2936
- C:\Users\Admin\Downloads\RTC_launcher.exe
  "C:\Users\Admin\Downloads\RTC_launcher.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:944
- - C:\Users\Admin\AppData\Roaming\RTC-launcher.exe
    "C:\Users\Admin\AppData\Roaming\RTC-launcher.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1252
  - - C:\Users\Admin\AppData\Roaming\svchost.sfx.exe
      "C:\Users\Admin\AppData\Roaming\svchost.sfx.exe"
      4⤵
      Executes dropped EXE
      PID:2328
    - - C:\Users\Admin\AppData\Roaming\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2000
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3056
  - - C:\Users\Admin\AppData\Roaming\RTC_Launcher.exe
      "C:\Users\Admin\AppData\Roaming\RTC_Launcher.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1528

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2920

C:\Windows\system32\taskeng.exe
taskeng.exe {FEBDBB62-03B2-4391-B5F2-F93E163AE82C} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
1⤵
PID:2988
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1252
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  PID:112
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d6a1b78b0c63a0ba1d5904a8413fd6b

SHA1
51af8cbbca6a338e0ced934286d03511f08c3114

SHA256
d2cf7301eb4003b3a93c92b2a10c06a22503680a7a8dd548e61c39336400894f

SHA512
a58ddf19bcba0d78b7d0ff6aed419d2f4cb77fd3de2f7021602f3bf9cb15115a4a999fd3a5e07b477fa0595ee59502a9b0d3331baec8918a78ed622f7ee2391c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d518def2d5f88303e298a2911b3b0095

SHA1
6600fb59583c780e6340ef1eefee8abf80b17db8

SHA256
013de140f581d69d8e6649e90757acd6718b3471207dd1ac3f4440ccc63016b3

SHA512
bea1abf65cbee81482f048adf671b9018ff77cb68202b3824cdc7c273ef3710822379bce462d649735b96a89da44b6cb2a39812dff9831c0732c81d2734dbaf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e23958c72fdfd598755a7a381e6a620

SHA1
d67d017c260c4f3222b314cc96fc4bc1038b1980

SHA256
62dcabee69eb16bf56d4b6d5c9586c8e74a41606bad4e9ec0dc63bdf90a90f76

SHA512
c079674fa439c0abbf4555e345c8f15f767cae0c9685906901829115e72c3a35d0ef2bcd688ff517816138e4b5de24487784b852927ac9bef9d6a5fa2e8fff35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c31bfe2701c9a7191c8e449477ce334b

SHA1
dfcc0750d6700243758e49f292916dc5fe6eb497

SHA256
941485e5883b8c4d3490ea96fcfb4458f12a139ec7057cb1c56814f35a54c5b8

SHA512
463734e95d95b003d50d1f319636be1220a18e88015145c3fee77f5209ffee93df1afcb384ce3c560c4de988eca1f8667a4266a0dfcd0c18f8662c2c4fa81382

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
7cfb8ab338fdea14920ca73a4353c8fa

SHA1
cdb0eae3f5fde49afdcfb92634cf2b755d83182c

SHA256
f94a101e3f5a18a51f9bd2eb59bb065905c685eb2d9602088787f50953ca9d50

SHA512
218e9959836c4a083c7efe84ed5f17792f567c26568eb4c062155f44e21debe6c1d48f9d2f0ca286c129a57594f37a0ad6141398821146b03eb140c74e799874

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
835d7444422d567d39ab6080c5ce3493

SHA1
19ff2511a8cb741c5759fbdd9e49e86f860d298b

SHA256
2f0f1869e947171614aecb92f02ccdcd235da41f8ecf8cc121282fc68e91b1d9

SHA512
cb00b99c554afc3fdee7f11e80be7490b57ce603baa06c0dd7470cb061f34655ae07a1493b3d3610f0271aa3d5770ffd9ca7d0e24a65a1b6d70a6c0c69809ed5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
1d3861bbe27d98f0a2ee393333bc6bb9

SHA1
49bba137047461e89c6fe146753349701a6318dc

SHA256
2564f35ac7ec4e54528530cf4b2d4adec8a2a0964baa5bd0d3f31fc9106c0f16

SHA512
4ff94140497df9180968491b9e184a0350936f1e24dd0007285322e638fc4a5b3e61d9869f06113c064589464126c8a8798ff3aa1daeaffd31ad28e0ba1ae2e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
644cad264f0cfe862b3ff1bf524be792

SHA1
b463477d68e7892974c9638b04b3b846f4e0cf02

SHA256
ca5e19c85ed2ec91e28f762a51e051f9a487bdb1f92f0d3827bf647b8468f8ad

SHA512
7fb5025dcf66593019049a6de470b92272536e7ae25c3f784188f0bbbf4007e04e21136ff789cf28f52d0148e6bd348c6ea762ab7badd93d15c474864dad856b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3287.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3345.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
55ee2d296693bf6fcf30198bfa41e595

SHA1
88f9d8e36bdac6f12359c8adc14197177306d51c

SHA256
6be7930fe05d7bc514f1342aa59b52503feb9d35a3c4e08325463c25de2935cd

SHA512
64c97950bbe5b1ef791f6ba39d6685909fb2a299f5997e916d9bee4aa619f3f7fe5b98ee2ada95eaf8594286d8cedc7beed4a4e19fc5aa4216b9b061eb603f1e

Download Submit
C:\Users\Admin\AppData\Roaming\RTC_Launcher.exe

Filesize
758KB

MD5
cb1929328dea316fcb34f3486697d16e

SHA1
8c2db8d4b4644cb356a9283b2fa7bb6a988a5d7b

SHA256
7a3deffc327b1e49cbc95dc4c41f1f4c0fd55825cc7c18fd06b96a900e0bf5f9

SHA512
90ef1cc19c01c1c0b2b4b802e88d622ff07ffc91273350200cd0589e6acabb63634af2883f6cae554dacab0f401b4294d13291707507c6fa035c282214fc6a28

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
170KB

MD5
b4a592662f351fa139e2b2dbaacb6536

SHA1
effc55d139ca4b4fdd4bccce9c754661b626e624

SHA256
fae2b33e66e3f661f9ec876e263014cb89e97a66fff8eab2d311fc3ca8b1ec4c

SHA512
b31091654adc567b2fddf6e5a1e8f4f2f902d7a9471462070e0b6f5dea65a7bbc1424ddd7e1b618122bcb3310cb6b9e75a09b35e31f6fa50b4d6c563d7952c38

Download Submit
\Users\Admin\AppData\Roaming\RTC-launcher.exe

Filesize
1.2MB

MD5
bfe20aac9317925bcd8621db0946384c

SHA1
c739dfce077121bf2f7614210173966b9731cabd

SHA256
2d6d57ffff1c26183290ee15d1663283b98fba8c8981b00409bca5ccce49ee54

SHA512
3e82fe9df6e037911b6d73bbc38241fd25f96fa1047eafefa543a72e9ea7fa35e232a0e165c39ac5cc4fa864b439743d755545964347b6f9b3b39003dd1d4cb4

Download Submit
\Users\Admin\AppData\Roaming\svchost.sfx.exe

Filesize
505KB

MD5
0326c9fc30cea37fc3f9dfdc9c017260

SHA1
ef2548189632d87afef60c6c5c322daf95a6fe6a

SHA256
d88cd37c5dee7ef1a3bd7836150cfb63bee3ba792a71c08685fda46f31f1b9d5

SHA512
e7d256931d32502691c8ef9e54ac448b1b38d9574ae78dfcca6764fd3a653b175e01143cfb46f70af662bd8ee1c7521942a4d9dcfd8285e225bf732c4fc8ef7a

Download Submit
\Users\Admin\Downloads\RTC_launcher.exe

Filesize
1.5MB

MD5
e0e2f56b736c375d82c1668267f3fed4

SHA1
dd92ef585431f4d4295f05f04a044f84ab799b87

SHA256
2eef3ef0c91c8783544a4ea58131804dce6024fe5569ebdd1a497e0750693d54

SHA512
96ae6a0c5aa214bedc191c8eeb47c7bd17538387456d8af86680aaadf93cb3d2eb07c1714b3a597109789424584b52146ada4b67f9c04aec067c854caec30b68

Download Submit
memory/1252-401-0x00000000013C0000-0x00000000013F0000-memory.dmp

Filesize
192KB

Download
memory/1304-374-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/1304-375-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/1484-381-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/1484-382-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/1528-357-0x0000000000020000-0x00000000000E4000-memory.dmp

Filesize
784KB

Download