stormkitty | 8d6eda15b51552fce75401a9cd2f5c57a4af4fbc5f7a7262385f0d2652024bcb

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
03-08-2024 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GhostBinder-FUD.exe
Size

11.7MB
MD5

c26e5cbca0f6cc30fc2af85f95942a82
SHA1

13c9a25bb4a57a119d6a10b7a940fc3a23906065
SHA256

8d6eda15b51552fce75401a9cd2f5c57a4af4fbc5f7a7262385f0d2652024bcb
SHA512

a54bd316887f4ebdbf51a614437733a3cbd0f9810e86ad3684b2c00db353f122cd349e0366c9c733b0d08282ba1f748155dcc01a6055465e5710e10b5a45507e
SSDEEP

196608:q9qMTFBJ82JYp3n780E998EFcCsqeaLJaAjEi71IUfvd3QzUy5kB2UQn2x/XZ3RT:q95lup3nI5vRTeeh71IUfvd35HLQni/3

Score

10^/10

stormkitty xworm credential_access discovery execution persistence pyinstaller rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

EEarXqazEvX73BCq

Attributes

Install_directory
%AppData%
install_file
Chrome Update.exe
pastebin_url
https://pastebin.com/raw/RPPi3ByL

aes.plain

Signatures

Detect Xworm Payload 11 IoCs

resource	yara_rule
behavioral1/files/0x000800000001711a-5.dat	family_xworm
behavioral1/memory/2488-9-0x0000000001020000-0x000000000104C000-memory.dmp	family_xworm
behavioral1/files/0x00080000000172a7-17.dat	family_xworm
behavioral1/files/0x000800000001722a-13.dat	family_xworm
behavioral1/memory/2716-18-0x0000000000B80000-0x0000000000BA8000-memory.dmp	family_xworm
behavioral1/memory/2220-19-0x0000000000D10000-0x0000000000D3E000-memory.dmp	family_xworm
behavioral1/memory/1620-166-0x00000000011E0000-0x000000000120E000-memory.dmp	family_xworm
behavioral1/memory/2292-167-0x00000000012C0000-0x00000000012E8000-memory.dmp	family_xworm
behavioral1/memory/1868-174-0x0000000000240000-0x000000000026E000-memory.dmp	family_xworm
behavioral1/memory/956-246-0x00000000000E0000-0x0000000000108000-memory.dmp	family_xworm
behavioral1/memory/1688-247-0x0000000000B50000-0x0000000000B7E000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/memory/2220-175-0x000000001DB70000-0x000000001DC90000-memory.dmp	family_stormkitty

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2088	powershell.exe
804	powershell.exe
1876	powershell.exe
1440	powershell.exe
1316	powershell.exe
1512	powershell.exe
2684	powershell.exe
2272	powershell.exe
2320	powershell.exe
2212	powershell.exe
2300	powershell.exe
2808	powershell.exe
1728	powershell.exe
1416	powershell.exe
2868	powershell.exe
2408	powershell.exe
2000	powershell.exe
2688	powershell.exe
2564	powershell.exe
900	powershell.exe

Drops startup file 10 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update.lnk	Chrome Update.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update.lnk	Chrome Update.exe

Executes dropped EXE 12 IoCs

pid	Process
2488	Chrome Update.exe
2220	msedge.exe
2716	OneDrive.exe
2264	run.exe
2392	run.exe
1144	Process not Found
2292	OneDrive.exe
1620	msedge.exe
1872	OneDrive.exe
1868	msedge.exe
956	OneDrive.exe
1688	msedge.exe

Loads dropped DLL 2 IoCs

pid	Process
1640	GhostBinder-FUD.exe
2392	run.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome Update = "C:\\Users\\Admin\\AppData\\Roaming\\Chrome Update.exe"	Chrome Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\OneDrive.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\OneDrive.exe"	OneDrive.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
21	pastebin.com
6	pastebin.com
7	pastebin.com
8	pastebin.com
9	pastebin.com

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x00060000000186fa-22.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
2920	timeout.exe
1876	timeout.exe
2212	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1924	schtasks.exe
3024	schtasks.exe
2396	schtasks.exe
2340	schtasks.exe
2964	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2808	powershell.exe
2684	powershell.exe
2088	powershell.exe
804	powershell.exe
2000	powershell.exe
2320	powershell.exe
2212	powershell.exe
2272	powershell.exe
1876	powershell.exe
1728	powershell.exe
1440	powershell.exe
900	powershell.exe
2488	Chrome Update.exe
2716	OneDrive.exe
2220	msedge.exe
1316	powershell.exe
2688	powershell.exe
2300	powershell.exe
1416	powershell.exe
2868	powershell.exe
2564	powershell.exe
2408	powershell.exe
1512	powershell.exe
956	OneDrive.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	2488	Chrome Update.exe
Token: SeDebugPrivilege	2716	OneDrive.exe
Token: SeDebugPrivilege	2220	msedge.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	804	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	2488	Chrome Update.exe
Token: SeDebugPrivilege	2716	OneDrive.exe
Token: SeDebugPrivilege	2220	msedge.exe
Token: SeDebugPrivilege	1620	msedge.exe
Token: SeDebugPrivilege	2292	OneDrive.exe
Token: SeDebugPrivilege	1872	OneDrive.exe
Token: SeDebugPrivilege	1868	msedge.exe
Token: SeDebugPrivilege	956	OneDrive.exe
Token: SeDebugPrivilege	1688	msedge.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	956	OneDrive.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2488	Chrome Update.exe
2716	OneDrive.exe
2220	msedge.exe
956	OneDrive.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2488	1640	GhostBinder-FUD.exe	31
PID 1640 wrote to memory of 2488	1640	GhostBinder-FUD.exe	31
PID 1640 wrote to memory of 2488	1640	GhostBinder-FUD.exe	31
PID 1640 wrote to memory of 2220	1640	GhostBinder-FUD.exe	32
PID 1640 wrote to memory of 2220	1640	GhostBinder-FUD.exe	32
PID 1640 wrote to memory of 2220	1640	GhostBinder-FUD.exe	32
PID 1640 wrote to memory of 2716	1640	GhostBinder-FUD.exe	33
PID 1640 wrote to memory of 2716	1640	GhostBinder-FUD.exe	33
PID 1640 wrote to memory of 2716	1640	GhostBinder-FUD.exe	33
PID 1640 wrote to memory of 2264	1640	GhostBinder-FUD.exe	34
PID 1640 wrote to memory of 2264	1640	GhostBinder-FUD.exe	34
PID 1640 wrote to memory of 2264	1640	GhostBinder-FUD.exe	34
PID 2264 wrote to memory of 2392	2264	run.exe	35
PID 2264 wrote to memory of 2392	2264	run.exe	35
PID 2264 wrote to memory of 2392	2264	run.exe	35
PID 2488 wrote to memory of 2808	2488	Chrome Update.exe	36
PID 2488 wrote to memory of 2808	2488	Chrome Update.exe	36
PID 2488 wrote to memory of 2808	2488	Chrome Update.exe	36
PID 2716 wrote to memory of 2684	2716	OneDrive.exe	38
PID 2716 wrote to memory of 2684	2716	OneDrive.exe	38
PID 2716 wrote to memory of 2684	2716	OneDrive.exe	38
PID 2220 wrote to memory of 2088	2220	msedge.exe	40
PID 2220 wrote to memory of 2088	2220	msedge.exe	40
PID 2220 wrote to memory of 2088	2220	msedge.exe	40
PID 2716 wrote to memory of 2000	2716	OneDrive.exe	42
PID 2716 wrote to memory of 2000	2716	OneDrive.exe	42
PID 2716 wrote to memory of 2000	2716	OneDrive.exe	42
PID 2488 wrote to memory of 804	2488	Chrome Update.exe	43
PID 2488 wrote to memory of 804	2488	Chrome Update.exe	43
PID 2488 wrote to memory of 804	2488	Chrome Update.exe	43
PID 2488 wrote to memory of 2272	2488	Chrome Update.exe	46
PID 2488 wrote to memory of 2272	2488	Chrome Update.exe	46
PID 2488 wrote to memory of 2272	2488	Chrome Update.exe	46
PID 2220 wrote to memory of 2320	2220	msedge.exe	47
PID 2220 wrote to memory of 2320	2220	msedge.exe	47
PID 2220 wrote to memory of 2320	2220	msedge.exe	47
PID 2716 wrote to memory of 2212	2716	OneDrive.exe	50
PID 2716 wrote to memory of 2212	2716	OneDrive.exe	50
PID 2716 wrote to memory of 2212	2716	OneDrive.exe	50
PID 2220 wrote to memory of 1876	2220	msedge.exe	52
PID 2220 wrote to memory of 1876	2220	msedge.exe	52
PID 2220 wrote to memory of 1876	2220	msedge.exe	52
PID 2488 wrote to memory of 1728	2488	Chrome Update.exe	54
PID 2488 wrote to memory of 1728	2488	Chrome Update.exe	54
PID 2488 wrote to memory of 1728	2488	Chrome Update.exe	54
PID 2716 wrote to memory of 1440	2716	OneDrive.exe	56
PID 2716 wrote to memory of 1440	2716	OneDrive.exe	56
PID 2716 wrote to memory of 1440	2716	OneDrive.exe	56
PID 2488 wrote to memory of 1924	2488	Chrome Update.exe	58
PID 2488 wrote to memory of 1924	2488	Chrome Update.exe	58
PID 2488 wrote to memory of 1924	2488	Chrome Update.exe	58
PID 2220 wrote to memory of 900	2220	msedge.exe	60
PID 2220 wrote to memory of 900	2220	msedge.exe	60
PID 2220 wrote to memory of 900	2220	msedge.exe	60
PID 2716 wrote to memory of 3024	2716	OneDrive.exe	62
PID 2716 wrote to memory of 3024	2716	OneDrive.exe	62
PID 2716 wrote to memory of 3024	2716	OneDrive.exe	62
PID 2220 wrote to memory of 2396	2220	msedge.exe	64
PID 2220 wrote to memory of 2396	2220	msedge.exe	64
PID 2220 wrote to memory of 2396	2220	msedge.exe	64
PID 2836 wrote to memory of 1620	2836	taskeng.exe	68
PID 2836 wrote to memory of 1620	2836	taskeng.exe	68
PID 2836 wrote to memory of 1620	2836	taskeng.exe	68
PID 2836 wrote to memory of 2292	2836	taskeng.exe	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\GhostBinder-FUD.exe
"C:\Users\Admin\AppData\Local\Temp\GhostBinder-FUD.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\AppData\Roaming\Chrome Update.exe
  "C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome Update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome Update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2272
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1728
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1924
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "Chrome Update"
    3⤵
    PID:1668
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF1F5.tmp.bat""
    3⤵
    PID:2156
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2920
- C:\Users\Admin\AppData\Roaming\msedge.exe
  "C:\Users\Admin\AppData\Roaming\msedge.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2088
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:900
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2396
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "msedge"
    3⤵
    PID:2188
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF1F4.tmp.bat""
    3⤵
    PID:2832
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2212
- C:\Users\Admin\AppData\Roaming\OneDrive.exe
  "C:\Users\Admin\AppData\Roaming\OneDrive.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1440
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3024
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "OneDrive"
    3⤵
    PID:2984
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF1F6.tmp.bat""
    3⤵
    PID:2808
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1876
- C:\Users\Admin\AppData\Roaming\run.exe
  "C:\Users\Admin\AppData\Roaming\run.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Users\Admin\AppData\Roaming\run.exe
    "C:\Users\Admin\AppData\Roaming\run.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2392

C:\Windows\system32\taskeng.exe
taskeng.exe {92B242D3-26DE-4844-88AE-1C91E5072107} S-1-5-21-1385883288-3042840365-2734249351-1000:RPXOCQRF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Users\Admin\AppData\Local\msedge.exe
  C:\Users\Admin\AppData\Local\msedge.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\ProgramData\OneDrive.exe
  C:\ProgramData\OneDrive.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\Users\Admin\AppData\Local\msedge.exe
  C:\Users\Admin\AppData\Local\msedge.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1868
- C:\ProgramData\OneDrive.exe
  C:\ProgramData\OneDrive.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Users\Admin\AppData\Local\msedge.exe
  C:\Users\Admin\AppData\Local\msedge.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2408
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2340
- C:\ProgramData\OneDrive.exe
  C:\ProgramData\OneDrive.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1512
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI22642\python312.dll

Filesize
6.6MB

MD5
d521654d889666a0bc753320f071ef60

SHA1
5fd9b90c5d0527e53c199f94bad540c1e0985db6

SHA256
21700f0bad5769a1b61ea408dc0a140ffd0a356a774c6eb0cc70e574b929d2e2

SHA512
7a726835423a36de80fb29ef65dfe7150bd1567cac6f3569e24d9fe091496c807556d0150456429a3d1a6fd2ed0b8ae3128ea3b8674c97f42ce7c897719d2cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
e9f2e3741abff7d4188651a9e69873c6

SHA1
d88cb3308280331f58255cde50ff777b97efa297

SHA256
745d6651594a1d1782fe331987bbcb5b4d0c397e68adb3d3151bec00c4631c49

SHA512
a9ea5378d438db5ed6d72fc586c8aa2114e1b92608d55f98029286a92cc8b4e76e823f03bde3a18a299d6579b9c32a711ddfad117adb5cbd55d43854c0adb59b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9E71.tmp.dat

Filesize
92KB

MD5
de7d702f13db499233da2c87959d7696

SHA1
8d51283dc6b41cae89ac01928cd0460604ff1d3e

SHA256
78e689d13f1ff71daeb36634831fa7457a8c90ea465a3e342aef921d8ca82b34

SHA512
a57e198ff5e32453ac99d6aefb5ab71f9cb4c80006f2a75d3c3e0ef28a0ca00f387110788edc1df1e0a7ab9a2503571e82749e51acf7c67e654a586503754045

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA084.tmp.dat

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA085.tmp.dat

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA086.tmp.dat

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA098.tmp.dat

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF1F4.tmp.bat

Filesize
155B

MD5
59b74bb5e1e539644ac7ac1478a440fa

SHA1
1a03f0846853a6fee723b7fd0a2093a5b096acc4

SHA256
4149beae60053e7608d37ff0fe91c4451a3c6795c0c74cab094f5d7226068088

SHA512
9022780b6d547520be4a3d3b970319da032af78389b5bf9053ac23afa73d967754e453077314516674e0ff3399ccb03c1ef2c3f49084d42ac7eef417001bdec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF1F5.tmp.bat

Filesize
162B

MD5
58abc8c61cdabd8138cdc025f8d739f3

SHA1
12d52cb2bcddb0e917f297be6389cf31babdb6c6

SHA256
f38ede1d12acfb719163f38205d0a08d88cd8a638ff04115882417f78327c65f

SHA512
b67cd2f0f5426864872a801bdff73c9af5fe64ce8408d2d775860235386ffc8fe51060277c59dde6d76b2cddaa19d38c25804f25751a67ce6d4d1b79801d43d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF1F6.tmp.bat

Filesize
157B

MD5
1b7867f21af44cb81157794006b90595

SHA1
54e52bff28b5dbcda9cb9b4f65464760f062e9db

SHA256
f77604fe8d3d4613e65c27a14739ede110615b1e9c7f77bbd2a494ffba25a419

SHA512
f07e8afe25599fd1e07904c228b72f5703765ace229fa76589285b4fd1b1950436232bcafaf0ee61282852b905c0056c807bb178e5398758ae7d991bfa3cad86

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome Update.exe

Filesize
152KB

MD5
16cdd301591c6af35a03cd18caee2e59

SHA1
92c6575b57eac309c8664d4ac76d87f2906e8ef3

SHA256
11d55ac2f9070a70d12f760e9a6ee75136eca4bf711042acc25828ddda3582c8

SHA512
a44402e5e233cb983f7cfd9b81bc542a08d8092ffa4bd970fc25fe112355643506d5dfee0dd76f2e79b983df0fde67bfc50aabb477492a7596e38081e4083476

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6448c10eec56dac40a81ac1f3f6cb1b2

SHA1
6dab4ba85ab6a39d5943d8c595a12fa6371ab03e

SHA256
0d375f1954064733a4878a8f404645f3f53552bcda38811ea5b84929ab180fcc

SHA512
df1db4e87e9cccb97f2e954b9f6b64e4b6cd65ea6a1d3c2a8560db7905f02039e367894e03db272f852f3b2a06b0dd72db02544c960a48775437dc99dc17872c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8df3677e7883b670f890484ace9e4617

SHA1
6409b9442f59162d744a7bf9770223463fd38fa5

SHA256
b9c1f8d343f28741059ff5642c3439dd7236142eaf649d0cea84dda30827d7df

SHA512
8077e8dac833f27874d2e0c03af98b19bbf835ff0ddb8c3f9ea3d777668fdcd5e7a27d8fff1998695d8a8e8faf71765dfc239c4b762e7346dcc45b898624318b

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive.exe

Filesize
140KB

MD5
a1cd6f4a3a37ed83515aa4752f98eb1d

SHA1
7f787c8d72787d8d130b4788b006b799167d1802

SHA256
5cbcc0a0c1d74cd54ac999717b0ff0607fe6ed02cca0a3e0433dd94783cfec65

SHA512
9489287e0b4925345fee05fe2f6e6f12440af1425ef397145e32e6f80c7ae98b530e42002d92dc156643f9829bc8a3b969e855cecd2265b6616c4514eed00355

Download Submit
C:\Users\Admin\AppData\Roaming\msedge.exe

Filesize
166KB

MD5
aee20d80f94ae0885bb2cabadb78efc9

SHA1
1e82eba032fcb0b89e1fdf937a79133a5057d0a1

SHA256
498eb55b3fb4c4859ee763a721870bb60ecd57e99f66023b69d8a258efa3af7d

SHA512
3a05ff32b9aa79092578c09dfe67eaca23c6fe8383111dab05117f39d91f27670029f39482827d191bd6a652483202b8fc1813f8d5a0f3f73fd35ca37a4f6d42

Download Submit
\Users\Admin\AppData\Roaming\run.exe

Filesize
11.2MB

MD5
b0f1c2cda8253f6235965f7f011b7eb8

SHA1
97628130056d62bf2d23aae2139fde9ab6efcc19

SHA256
bacae921eb0f1074c8d44976019fe58fb6721e707ab06c57ec640bbcbe1fc27c

SHA512
49326009dd6bb2a46b1afb8e5dfb820fb27b53673013468c4fb8c9bd8273d5bd248e5d61c6e3e2a0d70cfc3e1a4e66be00d3dd556b74402159da62a8bb3c8525

Download Submit
memory/956-246-0x00000000000E0000-0x0000000000108000-memory.dmp

Filesize
160KB

Download
memory/1620-166-0x00000000011E0000-0x000000000120E000-memory.dmp

Filesize
184KB

Download
memory/1640-1-0x0000000000330000-0x0000000000EDE000-memory.dmp

Filesize
11.7MB

Download
memory/1640-0-0x000007FEF6183000-0x000007FEF6184000-memory.dmp

Filesize
4KB

Download
memory/1688-247-0x0000000000B50000-0x0000000000B7E000-memory.dmp

Filesize
184KB

Download
memory/1868-174-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download
memory/1876-106-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2220-19-0x0000000000D10000-0x0000000000D3E000-memory.dmp

Filesize
184KB

Download
memory/2220-175-0x000000001DB70000-0x000000001DC90000-memory.dmp

Filesize
1.1MB

Download
memory/2292-167-0x00000000012C0000-0x00000000012E8000-memory.dmp

Filesize
160KB

Download
memory/2320-100-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/2320-99-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2488-46-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

Filesize
9.9MB

Download
memory/2488-9-0x0000000001020000-0x000000000104C000-memory.dmp

Filesize
176KB

Download
memory/2488-277-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

Filesize
9.9MB

Download
memory/2488-168-0x000007FEF6180000-0x000007FEF6B6C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-67-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/2716-18-0x0000000000B80000-0x0000000000BA8000-memory.dmp

Filesize
160KB

Download
memory/2808-72-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2868-306-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download