Analysis Overview
SHA256
64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed
Threat Level: Known bad
The file 64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe was found to be: Known bad.
Malicious Activity Summary
Xworm
Umbral
njRAT/Bladabindi
Detect Umbral payload
Detect Xworm Payload
Command and Scripting Interpreter: PowerShell
Modifies Windows Firewall
Reads user/profile data of web browsers
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Event Triggered Execution: Netsh Helper DLL
Enumerates physical storage devices
Unsigned PE
Uses Task Scheduler COM API
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Detects videocard installed
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-11 16:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-11 16:11
Reported
2024-07-11 16:13
Platform
win7-20240704-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Umbral
Xworm
njRAT/Bladabindi
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\msxml6.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\conhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\conhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Ondrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Ondrive.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\6a8a3b6e5450a823d542e748a454aa4c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\6a8a3b6e5450a823d542e748a454aa4c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\conhost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe
"C:\Users\Admin\AppData\Local\Temp\64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe"
C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
C:\Users\Admin\AppData\Local\Temp\3.exe
"C:\Users\Admin\AppData\Local\Temp\3.exe"
C:\Users\Admin\AppData\Local\Temp\msxml6.EXE
"C:\Users\Admin\AppData\Local\Temp\msxml6.EXE"
C:\Users\Admin\AppData\Roaming\3.exe
"C:\Users\Admin\AppData\Roaming\3.exe"
C:\Users\Admin\AppData\Roaming\conhost.exe
"C:\Users\Admin\AppData\Roaming\conhost.exe"
C:\Users\Admin\AppData\Roaming\Server.exe
"C:\Users\Admin\AppData\Roaming\Server.exe"
C:\Users\Admin\AppData\Roaming\conhost.exe
"C:\Users\Admin\AppData\Roaming\conhost.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\system32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Roaming\3.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\3.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Ondrive.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Ondrive.exe'
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Ondrive" /tr "C:\Users\Admin\AppData\Roaming\Ondrive.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\system32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Roaming\3.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
C:\Windows\system32\taskeng.exe
taskeng.exe {6EC83B88-1A77-48E9-A2B9-2CA68F99B8C2} S-1-5-21-2212144002-1172735686-1556890956-1000:MVFYZPLM\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Ondrive.exe
C:\Users\Admin\AppData\Roaming\Ondrive.exe
C:\Users\Admin\AppData\Roaming\Ondrive.exe
C:\Users\Admin\AppData\Roaming\Ondrive.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 142.250.187.195:443 | gstatic.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | testarosa.duckdns.org | udp |
| DE | 158.255.214.24:7110 | testarosa.duckdns.org | tcp |
| US | 147.185.221.20:49236 | tcp | |
| US | 147.185.221.20:49236 | tcp | |
| US | 147.185.221.20:49236 | tcp | |
| US | 147.185.221.20:49236 | tcp | |
| US | 147.185.221.20:49236 | tcp | |
| US | 147.185.221.20:49236 | tcp |
Files
memory/2548-0-0x000007FEF6533000-0x000007FEF6534000-memory.dmp
memory/2548-1-0x0000000000010000-0x00000000007D0000-memory.dmp
memory/2548-2-0x000007FEF6530000-0x000007FEF6F1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Server.exe
| MD5 | f9b08bd21b40a938122b479095b7c70c |
| SHA1 | eb925e3927b83c20d8d24bdab2e587c10d6ac8cd |
| SHA256 | c96cde2e96021c266a202286d644ceb28543d6347e21006d72b29b8a72c505e8 |
| SHA512 | fcc5784936b7f85a550883c472b99b5edfa7e5c6fd3872fd806b81c2ce1f195ca34342b230a89456066885579fe55aea46d91074ac08af192fbd04ea158473ee |
C:\Users\Admin\AppData\Local\Temp\3.exe
| MD5 | ed59c6590b199b2ee53eec444322472b |
| SHA1 | 6c91f4e2489a9869ab971061fdd67a0eeb1e7007 |
| SHA256 | aa4abbb1305525b1703a23521db1e817dfd39f014527c319a16a153d2d9dcb0f |
| SHA512 | 7dd903995d2c673a3778c5f4f5006cdf3e177ad9093649e5e953894e49f386049ae1e58103095874f09b91d4e21d963d05f02ea9644ed67dd3054aa10b47ba97 |
memory/2856-11-0x0000000000960000-0x0000000000978000-memory.dmp
memory/2764-14-0x00000000003A0000-0x00000000003EA000-memory.dmp
memory/2856-18-0x000007FEF6530000-0x000007FEF6F1C000-memory.dmp
C:\Users\Admin\AppData\Roaming\conhost.exe
| MD5 | b37dd1a1f0507baf993471ae1b7a314c |
| SHA1 | 9aff9d71492ffff8d51f8e8d67f5770755899882 |
| SHA256 | e58e8918a443c0061add029f8f211f6551a130202195cc2b9b529ea72553e0bc |
| SHA512 | ac76d5b10540eb292341f30c7abfd81f03be65f6655c814aba6ac6a0ecf4f0f2c34c3b8e63ceef8c4579f98b7459e51b9fdd30d601c6d1930860ab7c154da460 |
\Users\Admin\AppData\Local\Temp\msxml6.EXE
| MD5 | 8b39a0c9d351c316ae38251db3e917da |
| SHA1 | 71c988393af62584e93ebe721a600c1a51fa7c29 |
| SHA256 | aacbefe172556a5df9e5bf52834aaa22893002edeb46533e1a85866cc7462a15 |
| SHA512 | 092f06c5f373a65be4f4784357596422df1bb50dcd81c0056464c70f99a0845d71e6819f01c8e7a2ca3f663ad4125588b6e48d88ec0736e7305a70bd8c59e9af |
memory/2772-29-0x0000000001270000-0x00000000012B0000-memory.dmp
memory/2548-35-0x000007FEF6530000-0x000007FEF6F1C000-memory.dmp
C:\Users\Admin\AppData\Roaming\3.exe
| MD5 | 66d7e8125484efe9585adf807f3860ec |
| SHA1 | aad54a84cc6bfcd422631bfce7b187b001ec0128 |
| SHA256 | 9cc7b63b2a2c95cfdd1f0f9044f6f760d8dae0d622aa07cb18ce071d9c491d4e |
| SHA512 | f0eabf14bab037689568dc6f7bb6126d1c5922e08432b650e338567c7ae2d70d1ac3420dfec0501453a0e8fece11482071434137e70d62e1136dd482a791d5d5 |
C:\Users\Admin\AppData\Roaming\Server.exe
| MD5 | 32fe01ccb93b0233503d0aaaa451f7b2 |
| SHA1 | 58e5a63142150e8fb175dbb4dedea2ce405d7db0 |
| SHA256 | 6988ee719a54c93a89303dcff277c62ae4890274cc45f074bc7effde315fbf43 |
| SHA512 | 76945f23a49d594e325d80ffc0570341044ac0b97bd889c92f90bc56d3cdff5c1b29178be4f157c8c1bb9ce7cc311765309f2e6f7b08b24e7acf983ea67635a6 |
memory/2744-40-0x0000000000180000-0x0000000000190000-memory.dmp
memory/2856-42-0x000007FEF6530000-0x000007FEF6F1C000-memory.dmp
memory/1428-47-0x000000001B240000-0x000000001B522000-memory.dmp
memory/1428-48-0x00000000023F0000-0x00000000023F8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 4b44d6a9b4157f7e5c708027e8cf5f03 |
| SHA1 | 90a97073b014839b7301ffed9354cdba378d0bec |
| SHA256 | f97f709534e5ddee9e2d277041059685f562fa1da7b4ef82711aa8d5d2ce3ec3 |
| SHA512 | 20f972d6126e7ae251926404e871a73ef71e4eeed6c6ca2d8b431a61e1b0fb502a0f7d9ff8666c0bacea8cda97bd2494038b069a790fc4ad72051be7b21425c2 |
memory/2924-54-0x000000001B2D0000-0x000000001B5B2000-memory.dmp
memory/2924-55-0x0000000002020000-0x0000000002028000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2880-109-0x0000000002560000-0x0000000002568000-memory.dmp
memory/1964-117-0x0000000001040000-0x0000000001050000-memory.dmp
memory/1688-119-0x00000000012E0000-0x00000000012F0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-11 16:11
Reported
2024-07-11 16:13
Platform
win10v2004-20240704-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Umbral
Xworm
njRAT/Bladabindi
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\conhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\msxml6.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\conhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\conhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Ondrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Ondrive.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6a8a3b6e5450a823d542e748a454aa4c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6a8a3b6e5450a823d542e748a454aa4c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | C:\Users\Admin\AppData\Local\Temp\server.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\conhost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe
"C:\Users\Admin\AppData\Local\Temp\64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe"
C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
C:\Users\Admin\AppData\Local\Temp\3.exe
"C:\Users\Admin\AppData\Local\Temp\3.exe"
C:\Users\Admin\AppData\Local\Temp\msxml6.EXE
"C:\Users\Admin\AppData\Local\Temp\msxml6.EXE"
C:\Users\Admin\AppData\Roaming\3.exe
"C:\Users\Admin\AppData\Roaming\3.exe"
C:\Users\Admin\AppData\Roaming\Server.exe
"C:\Users\Admin\AppData\Roaming\Server.exe"
C:\Users\Admin\AppData\Roaming\conhost.exe
"C:\Users\Admin\AppData\Roaming\conhost.exe"
C:\Users\Admin\AppData\Roaming\conhost.exe
"C:\Users\Admin\AppData\Roaming\conhost.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Roaming\3.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\3.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Ondrive.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Ondrive.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Ondrive" /tr "C:\Users\Admin\AppData\Roaming\Ondrive.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Roaming\3.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
C:\Users\Admin\AppData\Roaming\Ondrive.exe
C:\Users\Admin\AppData\Roaming\Ondrive.exe
C:\Users\Admin\AppData\Roaming\Ondrive.exe
C:\Users\Admin\AppData\Roaming\Ondrive.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 142.250.187.195:443 | gstatic.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 195.187.250.142.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | testarosa.duckdns.org | udp |
| DE | 158.255.214.24:7110 | testarosa.duckdns.org | tcp |
| US | 147.185.221.20:49236 | tcp | |
| US | 8.8.8.8:53 | 24.214.255.158.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 147.185.221.20:49236 | tcp | |
| US | 147.185.221.20:49236 | tcp | |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 147.185.221.20:49236 | tcp | |
| US | 147.185.221.20:49236 | tcp | |
| US | 147.185.221.20:49236 | tcp | |
| US | 8.8.8.8:53 | 200.201.50.20.in-addr.arpa | udp |
Files
memory/1900-0-0x00007FFB7C0C3000-0x00007FFB7C0C5000-memory.dmp
memory/1900-1-0x0000000000E70000-0x0000000001630000-memory.dmp
memory/1900-2-0x00007FFB7C0C0000-0x00007FFB7CB81000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Server.exe
| MD5 | f9b08bd21b40a938122b479095b7c70c |
| SHA1 | eb925e3927b83c20d8d24bdab2e587c10d6ac8cd |
| SHA256 | c96cde2e96021c266a202286d644ceb28543d6347e21006d72b29b8a72c505e8 |
| SHA512 | fcc5784936b7f85a550883c472b99b5edfa7e5c6fd3872fd806b81c2ce1f195ca34342b230a89456066885579fe55aea46d91074ac08af192fbd04ea158473ee |
C:\Users\Admin\AppData\Local\Temp\3.exe
| MD5 | ed59c6590b199b2ee53eec444322472b |
| SHA1 | 6c91f4e2489a9869ab971061fdd67a0eeb1e7007 |
| SHA256 | aa4abbb1305525b1703a23521db1e817dfd39f014527c319a16a153d2d9dcb0f |
| SHA512 | 7dd903995d2c673a3778c5f4f5006cdf3e177ad9093649e5e953894e49f386049ae1e58103095874f09b91d4e21d963d05f02ea9644ed67dd3054aa10b47ba97 |
memory/4548-24-0x00007FFB7C0C0000-0x00007FFB7CB81000-memory.dmp
memory/4548-26-0x0000000000C20000-0x0000000000C38000-memory.dmp
memory/3984-29-0x00007FFB7C0C0000-0x00007FFB7CB81000-memory.dmp
memory/3984-28-0x0000000000D50000-0x0000000000D9A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Server.exe
| MD5 | 32fe01ccb93b0233503d0aaaa451f7b2 |
| SHA1 | 58e5a63142150e8fb175dbb4dedea2ce405d7db0 |
| SHA256 | 6988ee719a54c93a89303dcff277c62ae4890274cc45f074bc7effde315fbf43 |
| SHA512 | 76945f23a49d594e325d80ffc0570341044ac0b97bd889c92f90bc56d3cdff5c1b29178be4f157c8c1bb9ce7cc311765309f2e6f7b08b24e7acf983ea67635a6 |
C:\Users\Admin\AppData\Roaming\conhost.exe
| MD5 | b37dd1a1f0507baf993471ae1b7a314c |
| SHA1 | 9aff9d71492ffff8d51f8e8d67f5770755899882 |
| SHA256 | e58e8918a443c0061add029f8f211f6551a130202195cc2b9b529ea72553e0bc |
| SHA512 | ac76d5b10540eb292341f30c7abfd81f03be65f6655c814aba6ac6a0ecf4f0f2c34c3b8e63ceef8c4579f98b7459e51b9fdd30d601c6d1930860ab7c154da460 |
C:\Users\Admin\AppData\Roaming\3.exe
| MD5 | 66d7e8125484efe9585adf807f3860ec |
| SHA1 | aad54a84cc6bfcd422631bfce7b187b001ec0128 |
| SHA256 | 9cc7b63b2a2c95cfdd1f0f9044f6f760d8dae0d622aa07cb18ce071d9c491d4e |
| SHA512 | f0eabf14bab037689568dc6f7bb6126d1c5922e08432b650e338567c7ae2d70d1ac3420dfec0501453a0e8fece11482071434137e70d62e1136dd482a791d5d5 |
C:\Users\Admin\AppData\Local\Temp\msxml6.EXE
| MD5 | 8b39a0c9d351c316ae38251db3e917da |
| SHA1 | 71c988393af62584e93ebe721a600c1a51fa7c29 |
| SHA256 | aacbefe172556a5df9e5bf52834aaa22893002edeb46533e1a85866cc7462a15 |
| SHA512 | 092f06c5f373a65be4f4784357596422df1bb50dcd81c0056464c70f99a0845d71e6819f01c8e7a2ca3f663ad4125588b6e48d88ec0736e7305a70bd8c59e9af |
memory/4308-70-0x000001EC18680000-0x000001EC186C0000-memory.dmp
memory/836-84-0x00000000002D0000-0x00000000002E0000-memory.dmp
memory/4548-83-0x00007FFB7C0C0000-0x00007FFB7CB81000-memory.dmp
memory/3984-82-0x00007FFB7C0C0000-0x00007FFB7CB81000-memory.dmp
memory/1900-81-0x00007FFB7C0C0000-0x00007FFB7CB81000-memory.dmp
memory/1536-91-0x0000021E74020000-0x0000021E74042000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bglhk2tl.fog.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
memory/4308-111-0x000001EC1A3F0000-0x000001EC1A466000-memory.dmp
memory/4308-117-0x000001EC1A320000-0x000001EC1A370000-memory.dmp
memory/4308-122-0x000001EC18B40000-0x000001EC18B5E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 994d48c590292933efa0627922c9fc59 |
| SHA1 | 696a9fed9578a4f0f73e598f9d71a0c1f9d04090 |
| SHA256 | f61c0e17ef24ce95d3d00170c5553c9b5b536d24c0d8e6e7480b3e2eb3855a02 |
| SHA512 | f61d859fc00bf1009e6d72a0536fcd3d95d7f06016ed44dcdc1d91a872dad8abda02c7f409dcb9d0e5ea8c8c75b0d8683a60ea57045639402c37eca9eab77940 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 276798eeb29a49dc6e199768bc9c2e71 |
| SHA1 | 5fdc8ccb897ac2df7476fbb07517aca5b7a6205b |
| SHA256 | cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc |
| SHA512 | 0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 45d55cc71ae97d2e4037edb5737e5273 |
| SHA1 | b6f97bcab63117e2d6301212c0a4857942a2a1ee |
| SHA256 | 838018b5caf4eccbed97a4603cc02f0c48b0f379427b2f0ab6fe017e4c0f30ed |
| SHA512 | 95f3a9988236253d0c4cdc938d3e33e074c93faf2df592d44cf122c77ea60e9d4224185c91256b98152e663e165a541dc6f012253a5a6588abbf107c3618decb |
memory/4308-171-0x000001EC1A380000-0x000001EC1A38A000-memory.dmp
memory/4308-172-0x000001EC1A3B0000-0x000001EC1A3C2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 04114c0529b116bf66d764ff6a5a8fe3 |
| SHA1 | 0caeff17d1b2190f76c9bf539105f6c40c92bd14 |
| SHA256 | fd7092b4e273314186bad6ce71aa4cd69450736b6ec6cc746868997ff82a7532 |
| SHA512 | 6a718c330824346606ef24f71cca6be0bfafc626b1d2b060b36e919ab07f3d6a345f56cace8a5a84ffbe2183976eb197842c9fd2f3e3b8c8dd307057d59d6f26 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 10890cda4b6eab618e926c4118ab0647 |
| SHA1 | 1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d |
| SHA256 | 00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14 |
| SHA512 | a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\3.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |