xworm | 192933cb274a687f0072e0db4064e4ee9080b95e303fd0ab9347760bc091e3c2

Analysis

max time kernel
18s
max time network
23s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21-08-2024 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

downloader.exe
Size

70.1MB
MD5

de8c4fd7ed1b7623ab3c9a4e55c17211
SHA1

40f68eb4eb8194fa236f13e980d7d0940db0a9fe
SHA256

192933cb274a687f0072e0db4064e4ee9080b95e303fd0ab9347760bc091e3c2
SHA512

85c4bd56d6187c10baf3278de30268379b23131025e9fb6f21cf040d29c7291db6d3d1beefe0c9a7c814d932f34b0a22bf3443184f30dc4e0244eab2230c374b
SSDEEP

393216:lWxQN89qQk4adiJCuE2fUCdod+OvqKkZHzXhJ/KTe8uiBUtkc0k3qEsGg4GUo3Nf:lWoI7zGi5ahWc3Im9

Score

10^/10

xworm agilenet evasion execution persistence rat themida trojan

Malware Config

Extracted

Family

xworm

Version

5.0

88.0.183.177:1603

88.0.172.65:1603

83.36.190.196:1603

83.38.30.219:1603

Mutex

XpRJMNcN9dWrZEo0

Attributes

Install_directory
%ProgramData%
install_file
RuntimeBroker.exe

aes.plain

Extracted

Family

xworm

88.0.183.177:1603

88.0.172.65:1603

83.36.190.196:1603

83.38.30.219:1603

Attributes

Install_directory
%Temp%
install_file
SecurityHealthSystray.exe

Signatures

Detect Xworm Payload 6 IoCs

resource	yara_rule
behavioral1/files/0x000700000001a2df-49.dat	family_xworm
behavioral1/files/0x000700000001a310-56.dat	family_xworm
behavioral1/memory/3068-57-0x0000000000890000-0x00000000008A0000-memory.dmp	family_xworm
behavioral1/memory/2104-59-0x0000000000D60000-0x0000000000DA2000-memory.dmp	family_xworm
behavioral1/files/0x000500000001a419-62.dat	family_xworm
behavioral1/memory/2160-64-0x0000000000BD0000-0x0000000000BF4000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	sdsd_1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	notepadd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	notepadd.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1428	powershell.exe
2852	powershell.exe
2568	powershell.exe
1728	powershell.exe
2956	powershell.exe
1984	powershell.exe
780	powershell.exe
2364	powershell.exe
1860	powershell.exe
2828	powershell.exe
1788	powershell.exe
1716	powershell.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	notepadd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	notepadd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	notepadd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	notepadd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sdsd_1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sdsd_1.exe

Drops startup file 8 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiPrvSE.lnk	WmiPrvSE.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.lnk	sdsd_1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.lnk	sdsd_1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	SecurityHealthSystray.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	SecurityHealthSystray.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiPrvSE.lnk	WmiPrvSE.exe

Executes dropped EXE 6 IoCs

pid	Process
2272	sdsd_1.exe
2872	notepadd.exe
3068	RuntimeBroker.exe
2104	SecurityHealthSystray.exe
2160	WmiPrvSE.exe
2816	notepadd.exe

Loads dropped DLL 3 IoCs

pid	Process
2272	sdsd_1.exe
2872	notepadd.exe
2816	notepadd.exe

Obfuscated with Agile.Net obfuscator 5 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x000d000000012248-2.dat	agile_net
behavioral1/memory/2272-5-0x0000000000AF0000-0x00000000011F8000-memory.dmp	agile_net
behavioral1/files/0x00090000000190c0-9.dat	agile_net
behavioral1/memory/2872-18-0x0000000001230000-0x00000000019A6000-memory.dmp	agile_net
behavioral1/memory/2816-69-0x0000000000FD0000-0x0000000001746000-memory.dmp	agile_net

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0008000000019276-14.dat	themida
behavioral1/memory/2272-17-0x000007FEEDA20000-0x000007FEEE5A4000-memory.dmp	themida
behavioral1/memory/2872-25-0x000007FEECE90000-0x000007FEEDA14000-memory.dmp	themida
behavioral1/memory/2272-27-0x000007FEEDA20000-0x000007FEEE5A4000-memory.dmp	themida
behavioral1/memory/2872-37-0x000007FEECE90000-0x000007FEEDA14000-memory.dmp	themida
behavioral1/memory/2872-63-0x000007FEECE90000-0x000007FEEDA14000-memory.dmp	themida
behavioral1/memory/2816-72-0x000007FEEC300000-0x000007FEECE84000-memory.dmp	themida
behavioral1/memory/2816-75-0x000007FEEC300000-0x000007FEECE84000-memory.dmp	themida
behavioral1/memory/2816-103-0x000007FEEC300000-0x000007FEECE84000-memory.dmp	themida
behavioral1/memory/2272-161-0x000007FEEDA20000-0x000007FEEE5A4000-memory.dmp	themida
behavioral1/memory/2272-162-0x000007FEEDA20000-0x000007FEEE5A4000-memory.dmp	themida

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Users\\Public\\WmiPrvSE.exe"	WmiPrvSE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "C:\\ProgramData\\RuntimeBroker.exe"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SecurityHealthSystray.exe"	SecurityHealthSystray.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	sdsd_1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	notepadd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	notepadd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2272	sdsd_1.exe
2872	notepadd.exe
2816	notepadd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
792	schtasks.exe
2356	schtasks.exe
2816	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2272	sdsd_1.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2272	sdsd_1.exe
1716	powershell.exe
2956	powershell.exe
1788	powershell.exe
1984	powershell.exe
780	powershell.exe
2364	powershell.exe
1428	powershell.exe
1860	powershell.exe
2852	powershell.exe
2568	powershell.exe
2828	powershell.exe
1728	powershell.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2272	sdsd_1.exe
Token: SeDebugPrivilege	3068	RuntimeBroker.exe
Token: SeDebugPrivilege	2104	SecurityHealthSystray.exe
Token: SeDebugPrivilege	2160	WmiPrvSE.exe
Token: SeDebugPrivilege	2272	sdsd_1.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	3068	RuntimeBroker.exe
Token: SeDebugPrivilege	2104	SecurityHealthSystray.exe
Token: SeDebugPrivilege	2160	WmiPrvSE.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2272	sdsd_1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2428	2280	downloader.exe	32
PID 2280 wrote to memory of 2428	2280	downloader.exe	32
PID 2280 wrote to memory of 2428	2280	downloader.exe	32
PID 2428 wrote to memory of 2272	2428	cmd.exe	33
PID 2428 wrote to memory of 2272	2428	cmd.exe	33
PID 2428 wrote to memory of 2272	2428	cmd.exe	33
PID 2280 wrote to memory of 2856	2280	downloader.exe	34
PID 2280 wrote to memory of 2856	2280	downloader.exe	34
PID 2280 wrote to memory of 2856	2280	downloader.exe	34
PID 2856 wrote to memory of 2872	2856	cmd.exe	35
PID 2856 wrote to memory of 2872	2856	cmd.exe	35
PID 2856 wrote to memory of 2872	2856	cmd.exe	35
PID 2872 wrote to memory of 3068	2872	notepadd.exe	36
PID 2872 wrote to memory of 3068	2872	notepadd.exe	36
PID 2872 wrote to memory of 3068	2872	notepadd.exe	36
PID 2872 wrote to memory of 2104	2872	notepadd.exe	37
PID 2872 wrote to memory of 2104	2872	notepadd.exe	37
PID 2872 wrote to memory of 2104	2872	notepadd.exe	37
PID 2872 wrote to memory of 2160	2872	notepadd.exe	38
PID 2872 wrote to memory of 2160	2872	notepadd.exe	38
PID 2872 wrote to memory of 2160	2872	notepadd.exe	38
PID 2280 wrote to memory of 2552	2280	downloader.exe	39
PID 2280 wrote to memory of 2552	2280	downloader.exe	39
PID 2280 wrote to memory of 2552	2280	downloader.exe	39
PID 2552 wrote to memory of 2816	2552	cmd.exe	40
PID 2552 wrote to memory of 2816	2552	cmd.exe	40
PID 2552 wrote to memory of 2816	2552	cmd.exe	40
PID 3068 wrote to memory of 1788	3068	RuntimeBroker.exe	41
PID 3068 wrote to memory of 1788	3068	RuntimeBroker.exe	41
PID 3068 wrote to memory of 1788	3068	RuntimeBroker.exe	41
PID 2104 wrote to memory of 1716	2104	SecurityHealthSystray.exe	43
PID 2104 wrote to memory of 1716	2104	SecurityHealthSystray.exe	43
PID 2104 wrote to memory of 1716	2104	SecurityHealthSystray.exe	43
PID 2160 wrote to memory of 2956	2160	WmiPrvSE.exe	44
PID 2160 wrote to memory of 2956	2160	WmiPrvSE.exe	44
PID 2160 wrote to memory of 2956	2160	WmiPrvSE.exe	44
PID 3068 wrote to memory of 1984	3068	RuntimeBroker.exe	47
PID 3068 wrote to memory of 1984	3068	RuntimeBroker.exe	47
PID 3068 wrote to memory of 1984	3068	RuntimeBroker.exe	47
PID 2160 wrote to memory of 780	2160	WmiPrvSE.exe	50
PID 2160 wrote to memory of 780	2160	WmiPrvSE.exe	50
PID 2160 wrote to memory of 780	2160	WmiPrvSE.exe	50
PID 2104 wrote to memory of 2364	2104	SecurityHealthSystray.exe	52
PID 2104 wrote to memory of 2364	2104	SecurityHealthSystray.exe	52
PID 2104 wrote to memory of 2364	2104	SecurityHealthSystray.exe	52
PID 3068 wrote to memory of 1428	3068	RuntimeBroker.exe	54
PID 3068 wrote to memory of 1428	3068	RuntimeBroker.exe	54
PID 3068 wrote to memory of 1428	3068	RuntimeBroker.exe	54
PID 2160 wrote to memory of 1860	2160	WmiPrvSE.exe	56
PID 2160 wrote to memory of 1860	2160	WmiPrvSE.exe	56
PID 2160 wrote to memory of 1860	2160	WmiPrvSE.exe	56
PID 2104 wrote to memory of 2852	2104	SecurityHealthSystray.exe	58
PID 2104 wrote to memory of 2852	2104	SecurityHealthSystray.exe	58
PID 2104 wrote to memory of 2852	2104	SecurityHealthSystray.exe	58
PID 3068 wrote to memory of 2568	3068	RuntimeBroker.exe	60
PID 3068 wrote to memory of 2568	3068	RuntimeBroker.exe	60
PID 3068 wrote to memory of 2568	3068	RuntimeBroker.exe	60
PID 2104 wrote to memory of 2828	2104	SecurityHealthSystray.exe	62
PID 2104 wrote to memory of 2828	2104	SecurityHealthSystray.exe	62
PID 2104 wrote to memory of 2828	2104	SecurityHealthSystray.exe	62
PID 2160 wrote to memory of 1728	2160	WmiPrvSE.exe	64
PID 2160 wrote to memory of 1728	2160	WmiPrvSE.exe	64
PID 2160 wrote to memory of 1728	2160	WmiPrvSE.exe	64
PID 3068 wrote to memory of 792	3068	RuntimeBroker.exe	66

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\downloader.exe
"C:\Users\Admin\AppData\Local\Temp\downloader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\sdsd_1.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Users\Admin\AppData\Local\Temp\sdsd_1.exe
    "C:\Users\Admin\AppData\Local\Temp\sdsd_1.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepadd.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Users\Admin\AppData\Local\Temp\notepadd.exe
    "C:\Users\Admin\AppData\Local\Temp\notepadd.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Users\Admin\RuntimeBroker.exe
      "C:\Users\Admin\RuntimeBroker.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\ProgramData\RuntimeBroker.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:792
  - - C:\Users\Admin\SecurityHealthSystray.exe
      "C:\Users\Admin\SecurityHealthSystray.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\SecurityHealthSystray.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2356
  - - C:\Users\Admin\WmiPrvSE.exe
      "C:\Users\Admin\WmiPrvSE.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WmiPrvSE" /tr "C:\Users\Public\WmiPrvSE.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepadd.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Users\Admin\AppData\Local\Temp\notepadd.exe
    "C:\Users\Admin\AppData\Local\Temp\notepadd.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab510.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar123A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepadd.exe

Filesize
7.4MB

MD5
c694c8301947af8b5c65e6132581044b

SHA1
d1c7cbb77eff86db70df4feae1c2a849fb695b65

SHA256
0e18f1cd01243a43de369982b88a586b585f2dc34f0c8a942f54f21069e5c71c

SHA512
babe000cade9afcc76cf41b0bd064c0124d5a97ff4e3e52024e25ad39fe8f9f26ac3a4027f4194d19ead2a502df4dbc916f1b2f870a14d4a2ae28a3115804775

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdsd_1.exe

Filesize
7.0MB

MD5
47d346922b3f771ddf7c8bb6561f7d4e

SHA1
9b9f255438265bf69e2aaf009500da72df23d416

SHA256
839519c001ba1fdb59d646c9ccc02e6d0db57d1948d6c6efd2b1a40607b9c99b

SHA512
4a8a5ad173d5c2b72d70fbd49e12df47fc6bd4e6b35f154ce6ce7f7ea7fc3de0a1422439c152221a1b000870e87299de58bc9cbcf68dbaf637377b4f6266e7d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b39be52b4d25d98e120efe678765d14e

SHA1
614f4f5e925f0d7668a5e3da9dd89116670aa735

SHA256
cea190ab620f311c9fc280728ddb801888df0d0baff8fc885691e95545323f34

SHA512
01f36eab3e19b67545306f58be34dd11e05a4435c0db19959bcc81ca1a7e4ae688f14ca53d7fad20e3f22a6a2a1ef8319feb1834c9cafcfcb8e37336a3c369cd

Download Submit
C:\Users\Admin\RuntimeBroker.exe

Filesize
36KB

MD5
51b33fef6848fd52da62f31ebe64e1a5

SHA1
740fc31cd7b69aacc11a2377f52ef725fc1d3d77

SHA256
058eb738227f17552cedd86fde447ff319d4b354bef777ff8149a9df30dc6e7f

SHA512
c0727a6ee074dff2b5ac36d086ec86660b287e515fe7422cfc947df47328553a99af0812126d2243f4fefd1a784881dc283e8bac65007b77d487756734a4c0d6

Download Submit
C:\Users\Admin\SecurityHealthSystray.exe

Filesize
244KB

MD5
f16d02b68f259d19e504bedd54d59e39

SHA1
d9102d345fceafd22b5b9a69f62e933f79a10a19

SHA256
b062135658f9e98a3dd7ae2cde12de8db784fd87cce6bf4c42aa0e9b3a775877

SHA512
ab0ea68c5dced9a6b2441f58a5ca6392071f82c700692c7438472be253c51eba2f44a0fdeebd18508af9a6e25ad689219c502cd2b7790a2bb7387a840375b007

Download Submit
C:\Users\Admin\WmiPrvSE.exe

Filesize
127KB

MD5
b57e530c98da33302694a3da8d773e31

SHA1
476a5c20a5ae2e644442057635ea2da77c72a311

SHA256
3ff319a9cc09b0b02a5881a55e15d309f47a8d615912434875a9346153bade6b

SHA512
80ef2f24e6090d9c6c9bf9f54d6796a0066f2c90abcdda16c994b3864096678d9f0a98ff2a479b36acc174bc2d7b3ac15b58b9eefbbe6d88a92364f19206fc60

Download Submit
\Users\Admin\AppData\Local\Temp\02b390f5-8dce-407c-af26-9d9d549adeb7\AgileDotNetRT64.dll

Filesize
4.2MB

MD5
05b012457488a95a05d0541e0470d392

SHA1
74f541d6a8365508c794ef7b4ac7c297457f9ce3

SHA256
1f77a0749ac730500f203b8c4d072587923ac679e184a3859aeb855c2a2e7d8d

SHA512
6d6e7b838d4425d49ac8d3738135374ef5357f0677b07cecb7afbf5feddc1997bf6dce68d48787eff8a74c4728def8880c8f01842eda35b5815fb561fa401ae6

Download Submit
memory/1716-101-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/1716-102-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/1984-110-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/1984-111-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/2104-59-0x0000000000D60000-0x0000000000DA2000-memory.dmp

Filesize
264KB

Download
memory/2160-64-0x0000000000BD0000-0x0000000000BF4000-memory.dmp

Filesize
144KB

Download
memory/2272-155-0x000007FEF6130000-0x000007FEF6B1C000-memory.dmp

Filesize
9.9MB

Download
memory/2272-161-0x000007FEEDA20000-0x000007FEEE5A4000-memory.dmp

Filesize
11.5MB

Download
memory/2272-122-0x000007FEF6133000-0x000007FEF6134000-memory.dmp

Filesize
4KB

Download
memory/2272-27-0x000007FEEDA20000-0x000007FEEE5A4000-memory.dmp

Filesize
11.5MB

Download
memory/2272-6-0x000007FEF6130000-0x000007FEF6B1C000-memory.dmp

Filesize
9.9MB

Download
memory/2272-162-0x000007FEEDA20000-0x000007FEEE5A4000-memory.dmp

Filesize
11.5MB

Download
memory/2272-4-0x000007FEF6133000-0x000007FEF6134000-memory.dmp

Filesize
4KB

Download
memory/2272-35-0x000007FEF4970000-0x000007FEF4A9C000-memory.dmp

Filesize
1.2MB

Download
memory/2272-17-0x000007FEEDA20000-0x000007FEEE5A4000-memory.dmp

Filesize
11.5MB

Download
memory/2272-5-0x0000000000AF0000-0x00000000011F8000-memory.dmp

Filesize
7.0MB

Download
memory/2816-75-0x000007FEEC300000-0x000007FEECE84000-memory.dmp

Filesize
11.5MB

Download
memory/2816-85-0x000007FEF4970000-0x000007FEF4A9C000-memory.dmp

Filesize
1.2MB

Download
memory/2816-103-0x000007FEEC300000-0x000007FEECE84000-memory.dmp

Filesize
11.5MB

Download
memory/2816-72-0x000007FEEC300000-0x000007FEECE84000-memory.dmp

Filesize
11.5MB

Download
memory/2816-69-0x0000000000FD0000-0x0000000001746000-memory.dmp

Filesize
7.5MB

Download
memory/2872-37-0x000007FEECE90000-0x000007FEEDA14000-memory.dmp

Filesize
11.5MB

Download
memory/2872-63-0x000007FEECE90000-0x000007FEEDA14000-memory.dmp

Filesize
11.5MB

Download
memory/2872-18-0x0000000001230000-0x00000000019A6000-memory.dmp

Filesize
7.5MB

Download
memory/2872-25-0x000007FEECE90000-0x000007FEEDA14000-memory.dmp

Filesize
11.5MB

Download
memory/2872-45-0x000007FEF4970000-0x000007FEF4A9C000-memory.dmp

Filesize
1.2MB

Download
memory/3068-57-0x0000000000890000-0x00000000008A0000-memory.dmp

Filesize
64KB

Download