Analysis

max time kernel: 1795s
max time network: 1800s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 18-07-2024 14:40

Behavioral task behavioral1: sample shtorm_sb.exe, resource win7-20240705-en
Behavioral task behavioral2: sample shtorm_sb.exe, resource win10v2004-20240709-en

General

Target: shtorm_sb.exe
Size: 238KB
MD5: 2faf13feda202796051c439b5abd8d48
SHA1: 5c2d1f4be4f7dcef2f5577a15ea3f31c59ddbe8b
SHA256: cde6b414622136dd14a5a025f6d8fe2313c36a347086fceb168b5dff1a6c288b
SHA512: dd46a3f553ff3bf0a39b8f4132d1053ac1758b2befb8a1b096455bd7812f2bcaf29fc9dcf00ef0bb972b4c27e47cc2b347f3fe4e58bab7708be1855fd7bdf2b9
SSDEEP: 1536:tDeWitn1NIohnWQoJ0GSbhdp2QfV9XBqn6MHxOwz3i+7BanqY5DW1T:VePbVnhuSbvppn8ROwzrirDcT

Malware Config

Extracted: xworm
  127.0.0.1:13244
  close-material.gl.at.ply.gg:13244
Install_directory: %AppData%
install_file: svсhost.exe

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Detect Xworm Payload (18 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/2372-1-0x00000000008B0000-0x00000000008F2000-memory.dmp | family_xworm
  C:\Users\Admin\AppData\Roaming\svсhost.exe | family_xworm
  behavioral1/memory/2128-33-0x0000000001110000-0x0000000001152000-memory.dmp | family_xworm
  behavioral1/memory/1648-37-0x0000000001380000-0x00000000013C2000-memory.dmp | family_xworm
  behavioral1/memory/3040-114-0x00000000003E0000-0x0000000000422000-memory.dmp | family_xworm
  behavioral1/memory/1780-123-0x0000000000390000-0x00000000003D2000-memory.dmp | family_xworm
  behavioral1/memory/2208-131-0x0000000000BF0000-0x0000000000C32000-memory.dmp | family_xworm
  behavioral1/memory/3040-138-0x00000000003A0000-0x00000000003E2000-memory.dmp | family_xworm
  behavioral1/memory/2440-147-0x0000000000890000-0x00000000008D2000-memory.dmp | family_xworm
  behavioral1/memory/1356-154-0x0000000000930000-0x0000000000972000-memory.dmp | family_xworm
  behavioral1/memory/680-169-0x0000000000EB0000-0x0000000000EF2000-memory.dmp | family_xworm
  behavioral1/memory/1068-192-0x0000000001340000-0x0000000001382000-memory.dmp | family_xworm
  behavioral1/memory/2796-207-0x0000000000080000-0x00000000000C2000-memory.dmp | family_xworm
  behavioral1/memory/960-215-0x0000000001080000-0x00000000010C2000-memory.dmp | family_xworm
  behavioral1/memory/652-237-0x00000000002C0000-0x0000000000302000-memory.dmp | family_xworm
  behavioral1/memory/1028-245-0x0000000001130000-0x0000000001172000-memory.dmp | family_xworm
  behavioral1/memory/1728-267-0x00000000001D0000-0x0000000000212000-memory.dmp | family_xworm
  behavioral1/memory/2908-275-0x0000000000DB0000-0x0000000000DF2000-memory.dmp | family_xworm

Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\qvoafb.exe | dcrat
  C:\Windows\mssessionbroker.exe | dcrat
  behavioral1/memory/740-58-0x0000000000830000-0x0000000000B6A000-memory.dmp | dcrat
  behavioral1/memory/296-68-0x0000000000400000-0x00000000021CF000-memory.dmp | dcrat

Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes (pid process): 2884 powershell.exe, 2580 powershell.exe, 1660 powershell.exe, 2920 powershell.exe

Executes dropped EXE (35 IoCs)
Processes (pid process): 2128 svсhost.exe, 2456 svсhost.exe, 1648 svсhost.exe, 2272 ycbjdh.exe, 296 qvoafb.exe, 740 mssessionbroker.exe, 2800 (DL) Nivea-Man.exe, 3044 (DL) Nivea-Man.exe, 280 svсhost.exe, 2840 svсhost.exe, 1284 svсhost.exe, 3040 svсhost.exe, 1780 svсhost.exe, 2208 svсhost.exe, 3040 svсhost.exe, 2440 svсhost.exe, 1356 svсhost.exe, 864 svсhost.exe, 680 svсhost.exe, 2276 svсhost.exe, 3024 svсhost.exe, 1068 svсhost.exe, 3048 svсhost.exe, 2796 svсhost.exe, 960 svсhost.exe, 2248 svсhost.exe, 2728 svсhost.exe, 652 svсhost.exe, 1028 svсhost.exe, 2824 svсhost.exe, 2776 svсhost.exe, 1728 svсhost.exe, 2908 svсhost.exe, 2272 svсhost.exe, 3016 svсhost.exe

Loads dropped DLL (4 IoCs)
Processes (pid process): 296 qvoafb.exe, 296 qvoafb.exe, 2800 (DL) Nivea-Man.exe, 2800 (DL) Nivea-Man.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\svсhost = "C:\\Users\\Admin\\AppData\\Roaming\\svсhost.exe" | shtorm_sb.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  2 | ip-api.com

Drops file in Windows directory (1 IoCs)
Processes:
  description | ioc | process
  File created | C:\Windows\mssessionbroker.exe | qvoafb.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes (pid process): 2884 powershell.exe, 2580 powershell.exe, 1660 powershell.exe, 2920 powershell.exe, 2372 shtorm_sb.exe

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes (pid process): 3044 (DL) Nivea-Man.exe, 2372 shtorm_sb.exe

Suspicious use of AdjustPrivilegeToken (41 IoCs)
Processes (description, then pid process):
  Token: SeDebugPrivilege
    2372 shtorm_sb.exe, 2884 powershell.exe, 2580 powershell.exe, 1660 powershell.exe, 2920 powershell.exe, 2372 shtorm_sb.exe, 2128 svсhost.exe, 2456 svсhost.exe, 1648 svсhost.exe, 740 mssessionbroker.exe, 280 svсhost.exe, 2840 svсhost.exe, 1284 svсhost.exe, 3040 svсhost.exe, 1780 svсhost.exe, 2208 svсhost.exe, 3040 svсhost.exe, 2440 svсhost.exe, 1356 svсhost.exe, 864 svсhost.exe, 680 svсhost.exe, 2276 svсhost.exe, 3024 svсhost.exe, 1068 svсhost.exe, 3048 svсhost.exe, 2796 svсhost.exe, 960 svсhost.exe, 2248 svсhost.exe, 2728 svсhost.exe, 652 svсhost.exe, 1028 svсhost.exe, 2824 svсhost.exe, 2776 svсhost.exe, 1728 svсhost.exe, 2908 svсhost.exe, 2272 svсhost.exe, 3016 svсhost.exe
  Token: 33 and Token: SeIncBasePriorityPrivilege (each recorded twice, between the 280 and 2840 svсhost.exe entries above)
    2844 AUDIODG.EXE

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes (pid process): 2372 shtorm_sb.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source pid process -> target pid process, with the number of recorded writes):
  2372 shtorm_sb.exe -> 2884 powershell.exe (x3)
  2372 shtorm_sb.exe -> 2580 powershell.exe (x3)
  2372 shtorm_sb.exe -> 1660 powershell.exe (x3)
  2372 shtorm_sb.exe -> 2920 powershell.exe (x3)
  2372 shtorm_sb.exe -> 840 schtasks.exe (x3)
  660 taskeng.exe -> 2128 svсhost.exe (x3)
  660 taskeng.exe -> 2456 svсhost.exe (x3)
  660 taskeng.exe -> 1648 svсhost.exe (x3)
  2372 shtorm_sb.exe -> 2272 ycbjdh.exe (x4)
  2372 shtorm_sb.exe -> 296 qvoafb.exe (x4)
  296 qvoafb.exe -> 740 mssessionbroker.exe (x4)
  296 qvoafb.exe -> 2800 (DL) Nivea-Man.exe (x4)
  2800 (DL) Nivea-Man.exe -> 3044 (DL) Nivea-Man.exe (x4)
  660 taskeng.exe -> 280 svсhost.exe (x3)
  660 taskeng.exe -> 2840 svсhost.exe (x3)
  660 taskeng.exe -> 1284 svсhost.exe (x3)
  660 taskeng.exe -> 3040 svсhost.exe (x3)
  660 taskeng.exe -> 1780 svсhost.exe (x3)
  660 taskeng.exe -> 2208 svсhost.exe (x3)
  660 taskeng.exe -> 3040 svсhost.exe (x2)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes
(tree depth in brackets; child processes are indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\shtorm_sb.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\shtorm_sb.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2372
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\shtorm_sb.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2884
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'shtorm_sb.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2580
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svсhost.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1660
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svсhost.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2920
  [2] C:\Windows\System32\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svсhost" /tr "C:\Users\Admin\AppData\Roaming\svсhost.exe"
      - Scheduled Task/Job: Scheduled Task
      PID: 840
  [2] C:\Users\Admin\AppData\Local\Temp\ycbjdh.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\ycbjdh.exe"
      - Executes dropped EXE
      PID: 2272
  [2] C:\Users\Admin\AppData\Local\Temp\qvoafb.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\qvoafb.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID: 296
    [3] C:\Windows\mssessionbroker.exe
        command line: "C:\Windows\mssessionbroker.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        PID: 740
    [3] C:\Users\Admin\AppData\Local\Temp\(DL) Nivea-Man.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\(DL) Nivea-Man.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 2800
      [4] C:\Users\Admin\AppData\Local\Temp\7427.tmp\(DL) Nivea-Man.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\7427.tmp\(DL) Nivea-Man.exe" -window_title "(DL) Nivea-Man" "C:\Users\Admin\AppData\Local\Temp\7427.tmp\(DL) Nivea-Man"
          - Executes dropped EXE
          - Suspicious behavior: GetForegroundWindowSpam
          PID: 3044

[1] C:\Windows\system32\taskeng.exe
    command line: taskeng.exe {A15E35D5-E14A-445F-AC3C-C470C92FAE13} S-1-5-21-3502430532-24693940-2469786940-1000:PSBQWFYT\Admin:Interactive:[1]
    - Suspicious use of WriteProcessMemory
    PID: 660
  [2] C:\Users\Admin\AppData\Roaming\svсhost.exe (30 instances, PIDs listed in the order recorded)
      command line: C:\Users\Admin\AppData\Roaming\svсhost.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PIDs: 2128, 2456, 1648, 280, 2840, 1284, 3040, 1780, 2208, 3040, 2440, 1356, 864, 680, 2276, 3024, 1068, 3048, 2796, 960, 2248, 2728, 652, 1028, 2824, 2776, 1728, 2908, 2272, 3016

[1] C:\Windows\system32\AUDIODG.EXE
    command line: C:\Windows\system32\AUDIODG.EXE 0x508
    - Suspicious use of AdjustPrivilegeToken
    PID: 2844
Network

MITRE ATT&CK Enterprise v15

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Downloads

Filesize: 3.6MB
MD5: 89fcf4c656705a2596d335313c6c2ce6
SHA1: 1b449658ce64f51e9490678b50056c1247e8c1e6
SHA256: d9740cf98cd90d309f6c416de11116821e98932f5aa4e3f0caffd8deac298d97
SHA512: 70d658a96249bec692dbbce76fb7d8c2e42a2499954402231121f1786b8c5d129d154f4e2f9058a29b107623d648ff10f8f51f690f15db90ae82a48e3a357851

Filesize: 29.8MB
MD5: 6e272b8474169998bc3f0ec4478e0171
SHA1: 713ad762decb0d2e2994c79f2795fd38352b2ea6
SHA256: 9c92031bc960410a3207e53c6223d60d2d6f08c1c6be7d2ab5581612ff478888
SHA512: 676ee151d8b6b7fe313bb0efe60b615fc27ee065faef22d6f09fb9f26c2054cb8b0d02c0aadfb6e42ba86c3ad5c8b36429069c77eee99fe04d86b1cca1acf506

Filesize: 439KB
MD5: df2f4fe97492b1655354f2727648e083
SHA1: 2d1835c7f35b04056a2f36412ca2ba398dcc4661
SHA256: 7e1d01a3daa51e2a19e78890912a44fd0aa1446582531cc897771c675046f83d
SHA512: b53c369c7df267e0980e12dbfbea76b35069a192017bc5e8487a2500ac1e591b1a6857392bda47f57c1b2e565af1448c5f5f6cd8c4f693c780a415c701048e2c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\R2OFUKY2SGCDCR6PLVS5.temp
Filesize: 7KB
MD5: ada4259560f6f01796eed495958c6778
SHA1: b4d3d669998f23bcfd29edd86c8086924618760b
SHA256: b85ac37a4811a0191b73c652a5fedf10ae53aa84973577f81aa77fe07e3fa878
SHA512: 24d7c51142158e6d38df69e97ba8c7dbbdd7ab0fe07f269d26dafcc18fae90003a627570b23354bae6891482a73217989fd91c3f399720fbc879fee4a06b0a7c

Filesize: 238KB
MD5: 2faf13feda202796051c439b5abd8d48
SHA1: 5c2d1f4be4f7dcef2f5577a15ea3f31c59ddbe8b
SHA256: cde6b414622136dd14a5a025f6d8fe2313c36a347086fceb168b5dff1a6c288b
SHA512: dd46a3f553ff3bf0a39b8f4132d1053ac1758b2befb8a1b096455bd7812f2bcaf29fc9dcf00ef0bb972b4c27e47cc2b347f3fe4e58bab7708be1855fd7bdf2b9

Filesize: 3.2MB
MD5: 92a5e51542295394c53461b13e665c43
SHA1: a08c4add16ed45d29438e738f7596bf49515158b
SHA256: 9a2840d13c3c8084fea89ebd5ab0db184f6133369ce2f84f3759bf9a2594bca9
SHA512: 203d4d81e05729d24422f96bc6ddea249d3f3a5779580a46d40b705b63f2aa3a3f51e5100af871b35c52f455611e2e0dcdd8eb7671bc066b3452ef0e440813bd

(no filesize reported; these are the well-known digests of a zero-byte file)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Filesize: 26.4MB
MD5: a93dbfca3fd421c8c41d7c30b330533e
SHA1: d69b2f10f6dc9a1a784d3bab2d88a77fa2ab4cc1
SHA256: 09461701c82c17bc4e0c168ddc67d1ec17a3d1bb58a727bc0444e116261e1432
SHA512: b7ce11d658a215b40f3440515b97e755341c2ae6867f5d4a290ef865d05d79e5f527dd55ccdb5b14f41c3512c997865127685b84a615138899f752e4001cb297

Filesize: 45.9MB
MD5: 79786ad55686b649dc45f84fbce344be
SHA1: 0bb8bc9ebcde6f093a1a41f71c7bd7a21ee3b406
SHA256: 9ffb6d0a907fc8fde590301ad78fa7aca2dc9372066e2eb62b08bcc58f0d2ae4
SHA512: 9358156124fd65351960e2a1034e547fbc0ab1403824702f198213c017c7626c890ab54008531484866eb1f745e1ef8f0e6eaede7869039768983aa90ef3221a