xworm | abf05fddbb728e0cf67da50245a63c28b383c3d50573b3c96cd15032d0af38f5

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WebhookSpammerV1.exe
Size

206KB
MD5

c669b7aac0c6d6e5a2b09fa060835720
SHA1

cff60e01094fa203715b76820c1b37a680381108
SHA256

abf05fddbb728e0cf67da50245a63c28b383c3d50573b3c96cd15032d0af38f5
SHA512

d4ecafc845ed6430bb802c18811dd79227e568e9feef12dbba73ee983b98b1c87002c3e62ab5c39278dedf4da23ce16ba007dd970a564a6d87acaf1e692f803a
SSDEEP

6144:gm8K32BN6NqV27EG8oMa0UpLaAFMJU5Ma3qjFRlqXwmXRen:g82indvsa3qjFRlqXwmB

Score

10^/10

xworm defense_evasion discovery evasion execution persistence rat trojan

Malware Config

Extracted

Family

xworm

since-searching.gl.at.ply.gg:64197

Attributes

Install_directory
%ProgramData%
install_file
Helper.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2228-69-0x0000000002030000-0x000000000204E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2512	powershell.exe
2924	powershell.exe
2548	powershell.exe
2796	powershell.exe
1640	powershell.exe
764	powershell.exe
1392	powershell.exe
3008	powershell.exe
1528	powershell.exe
1568	powershell.exe

Disables Task Manager via registry modification
evasion

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefender.lnk	Latite Client_BetterV3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsDefender.lnk	Latite Client_BetterV3.exe

Executes dropped EXE 6 IoCs

pid	Process
2356	Latite_Client_betterV1.exe
2228	Latite Client_BetterV3.exe
1204	WindowsDefender
1336	Latite_Client_betterV1.exe
2552	WindowsDefender
1780	Latite_Client_betterV1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\ProgramData\\WindowsDefender"	Latite Client_BetterV3.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Latite_Client_betterV1.exe	WebhookSpammerV1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WebhookSpammerV1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1016	schtasks.exe
2316	schtasks.exe
2656	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1872	powershell.exe
2008	powershell.exe
1640	powershell.exe
764	powershell.exe
2512	powershell.exe
1492	powershell.exe
1676	powershell.exe
1528	powershell.exe
2924	powershell.exe
1568	powershell.exe
1392	powershell.exe
3008	powershell.exe
2548	powershell.exe
2796	powershell.exe
2228	Latite Client_BetterV3.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2356	Latite_Client_betterV1.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	764	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	2228	Latite Client_BetterV3.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	2228	Latite Client_BetterV3.exe
Token: SeDebugPrivilege	1204	WindowsDefender
Token: SeDebugPrivilege	1336	Latite_Client_betterV1.exe
Token: SeDebugPrivilege	2552	WindowsDefender
Token: SeDebugPrivilege	1780	Latite_Client_betterV1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2228	Latite Client_BetterV3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2008	2368	WebhookSpammerV1.exe	30
PID 2368 wrote to memory of 2008	2368	WebhookSpammerV1.exe	30
PID 2368 wrote to memory of 2008	2368	WebhookSpammerV1.exe	30
PID 2368 wrote to memory of 2008	2368	WebhookSpammerV1.exe	30
PID 2368 wrote to memory of 1872	2368	WebhookSpammerV1.exe	32
PID 2368 wrote to memory of 1872	2368	WebhookSpammerV1.exe	32
PID 2368 wrote to memory of 1872	2368	WebhookSpammerV1.exe	32
PID 2368 wrote to memory of 1872	2368	WebhookSpammerV1.exe	32
PID 2368 wrote to memory of 2356	2368	WebhookSpammerV1.exe	34
PID 2368 wrote to memory of 2356	2368	WebhookSpammerV1.exe	34
PID 2368 wrote to memory of 2356	2368	WebhookSpammerV1.exe	34
PID 2368 wrote to memory of 2356	2368	WebhookSpammerV1.exe	34
PID 2356 wrote to memory of 1640	2356	Latite_Client_betterV1.exe	37
PID 2356 wrote to memory of 1640	2356	Latite_Client_betterV1.exe	37
PID 2356 wrote to memory of 1640	2356	Latite_Client_betterV1.exe	37
PID 2356 wrote to memory of 764	2356	Latite_Client_betterV1.exe	39
PID 2356 wrote to memory of 764	2356	Latite_Client_betterV1.exe	39
PID 2356 wrote to memory of 764	2356	Latite_Client_betterV1.exe	39
PID 2356 wrote to memory of 2512	2356	Latite_Client_betterV1.exe	41
PID 2356 wrote to memory of 2512	2356	Latite_Client_betterV1.exe	41
PID 2356 wrote to memory of 2512	2356	Latite_Client_betterV1.exe	41
PID 2356 wrote to memory of 1016	2356	Latite_Client_betterV1.exe	43
PID 2356 wrote to memory of 1016	2356	Latite_Client_betterV1.exe	43
PID 2356 wrote to memory of 1016	2356	Latite_Client_betterV1.exe	43
PID 2356 wrote to memory of 1492	2356	Latite_Client_betterV1.exe	45
PID 2356 wrote to memory of 1492	2356	Latite_Client_betterV1.exe	45
PID 2356 wrote to memory of 1492	2356	Latite_Client_betterV1.exe	45
PID 2356 wrote to memory of 1676	2356	Latite_Client_betterV1.exe	47
PID 2356 wrote to memory of 1676	2356	Latite_Client_betterV1.exe	47
PID 2356 wrote to memory of 1676	2356	Latite_Client_betterV1.exe	47
PID 2356 wrote to memory of 2228	2356	Latite_Client_betterV1.exe	49
PID 2356 wrote to memory of 2228	2356	Latite_Client_betterV1.exe	49
PID 2356 wrote to memory of 2228	2356	Latite_Client_betterV1.exe	49
PID 2228 wrote to memory of 1528	2228	Latite Client_BetterV3.exe	50
PID 2228 wrote to memory of 1528	2228	Latite Client_BetterV3.exe	50
PID 2228 wrote to memory of 1528	2228	Latite Client_BetterV3.exe	50
PID 2228 wrote to memory of 2924	2228	Latite Client_BetterV3.exe	52
PID 2228 wrote to memory of 2924	2228	Latite Client_BetterV3.exe	52
PID 2228 wrote to memory of 2924	2228	Latite Client_BetterV3.exe	52
PID 2228 wrote to memory of 1568	2228	Latite Client_BetterV3.exe	54
PID 2228 wrote to memory of 1568	2228	Latite Client_BetterV3.exe	54
PID 2228 wrote to memory of 1568	2228	Latite Client_BetterV3.exe	54
PID 2228 wrote to memory of 2316	2228	Latite Client_BetterV3.exe	56
PID 2228 wrote to memory of 2316	2228	Latite Client_BetterV3.exe	56
PID 2228 wrote to memory of 2316	2228	Latite Client_BetterV3.exe	56
PID 2228 wrote to memory of 1392	2228	Latite Client_BetterV3.exe	58
PID 2228 wrote to memory of 1392	2228	Latite Client_BetterV3.exe	58
PID 2228 wrote to memory of 1392	2228	Latite Client_BetterV3.exe	58
PID 2228 wrote to memory of 3008	2228	Latite Client_BetterV3.exe	60
PID 2228 wrote to memory of 3008	2228	Latite Client_BetterV3.exe	60
PID 2228 wrote to memory of 3008	2228	Latite Client_BetterV3.exe	60
PID 2228 wrote to memory of 2548	2228	Latite Client_BetterV3.exe	62
PID 2228 wrote to memory of 2548	2228	Latite Client_BetterV3.exe	62
PID 2228 wrote to memory of 2548	2228	Latite Client_BetterV3.exe	62
PID 2228 wrote to memory of 2796	2228	Latite Client_BetterV3.exe	64
PID 2228 wrote to memory of 2796	2228	Latite Client_BetterV3.exe	64
PID 2228 wrote to memory of 2796	2228	Latite Client_BetterV3.exe	64
PID 2228 wrote to memory of 2656	2228	Latite Client_BetterV3.exe	66
PID 2228 wrote to memory of 2656	2228	Latite Client_BetterV3.exe	66
PID 2228 wrote to memory of 2656	2228	Latite Client_BetterV3.exe	66
PID 1248 wrote to memory of 1204	1248	taskeng.exe	69
PID 1248 wrote to memory of 1204	1248	taskeng.exe	69
PID 1248 wrote to memory of 1204	1248	taskeng.exe	69
PID 1248 wrote to memory of 1336	1248	taskeng.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\WebhookSpammerV1.exe
"C:\Users\Admin\AppData\Local\Temp\WebhookSpammerV1.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAbgB6ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHEAeAB0ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAcwBvAHIAcgB5ACAAZABvAHcAbgAgAGYAbwByACAAbgBvAHcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGQAaQBlACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAagBpACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAcQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAbgBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAawB6ACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Windows\Latite_Client_betterV1.exe
  "C:\Windows\Latite_Client_betterV1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Latite_Client_betterV1.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Latite_Client_betterV1.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Latite_Client_betterV1.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2512
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "Latite_Client_betterV1" /tr "C:\ProgramData\Latite_Client_betterV1.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAdABzACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHQAbQBmACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAZQByAHIAbwByACAAbgBvAHQAIAB3AG8AcgBrAGkAbgBnACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwB6AHkAdAAjAD4A"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaQBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAaABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGkAeQBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAcwBmACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- - C:\Users\Admin\AppData\Local\Temp\Latite Client_BetterV3.exe
    "C:\Users\Admin\AppData\Local\Temp\Latite Client_BetterV3.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Latite Client_BetterV3.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1528
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Latite Client_BetterV3.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2924
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Latite Client_BetterV3.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1568
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "Latite Client_BetterV3" /tr "C:\ProgramData\Latite Client_BetterV3.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2316
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Latite Client_BetterV3.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1392
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Latite Client_BetterV3.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsDefender'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsDefender'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2796
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsDefender" /tr "C:\ProgramData\WindowsDefender"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2656

C:\Windows\system32\taskeng.exe
taskeng.exe {EDAB2068-978B-4380-B96C-B5BBCE572815} S-1-5-21-1506706701-1246725540-2219210854-1000:MUYDDIIS\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1248
- C:\ProgramData\WindowsDefender
  C:\ProgramData\WindowsDefender
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1204
- C:\ProgramData\Latite_Client_betterV1.exe
  C:\ProgramData\Latite_Client_betterV1.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1336
- C:\ProgramData\WindowsDefender
  C:\ProgramData\WindowsDefender
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\ProgramData\Latite_Client_betterV1.exe
  C:\ProgramData\Latite_Client_betterV1.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Latite Client_BetterV3.exe

Filesize
143KB

MD5
a677d044cc4d2fe27653f8f285996134

SHA1
30c586c84ee5b9299450b5871ec7186dee562777

SHA256
960d607391f69a4213108dfd0beb8acd0278e6dbefd74dbcb70cac38fc1bde58

SHA512
ec75aa4f63a6989493641bf3aef6869856896e9accd7508a0eb155f8b8e7d790c5b3a444f99214f4044fa7a2c5334515142fe06818abe8712faa49308fb66a5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a7b703ddeae02913b25bf7e05e912720

SHA1
fad87dd356b62d1cdf17d1965fba2394420ff41d

SHA256
cbc4aecc9eda1c307ab507b7e5f14e2d967b0f5031be46a9ecd1697e820cc562

SHA512
abe29a6bccbd0d2ee988dc45eab237eac7bdc3ff88df28ebff9f01456db8aafad4a3f2a203aa53557623e1704a425b064f9579b9ce793ce4fdd99211b0333416

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7a8b839443832bdfa1d62aa41a81876c

SHA1
0a0defa4a50f91bb2bcc562fc60bfe61606fec5f

SHA256
3bacf690f7d42bacffd5aece24f4a05730a93c5c98de6b5fd1d62a412760a87d

SHA512
791df750bf2de2ed82a2ca93ae5b25f95454102a30c4a670c2f5951d650c9bf6a80dc6e6bdb43083a1ad705ecbbd7cdc263bd25a8934c3e7ce43b3cc7de2b4b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
59a2a6f05fce959ee5808f2cebe48939

SHA1
81d3fc817c1f27c2ec89feedab91cb9592dd7e76

SHA256
9a530be0537b09733787fdced210b8ec247717b97220319d99eaf14e6f0ba28c

SHA512
a57ce5572eaf15cb83e8701bd66bf4b9029103809d7d3341309838f9db85bfeb1200294df4ca970f31f46eea4101f9054d4f16784be3797f8c1efd313533d74f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
064f8cf413d4fb978fec435abcd872a4

SHA1
f6329d228f4956df1dd189fd5c38b2fc71227d16

SHA256
c4afeb33f28bdaf946a3f5f529bc1729519077ba2aff883f3d806a379b113cab

SHA512
b09dc55d5e444ffa460fa30f94dad49beffd532233b3d328c5d30d3ef857a1bc057c08ce06ef99f55c25e3668a870c099f597c1ae0d4c9ca48ac7ae43b59e8d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
702a61d3a42715decdc7c47008989681

SHA1
3b9409270f0d2412e03452b8f7e6be4dbaa39284

SHA256
babf7f9d273e1ef0e0aaef660924cd6673ab97e1f67feaf4b4137dc09fd27d0a

SHA512
0042c5d1296281bcc6477e6ca0230f03f1e782f11f660d3b0ba04efdd77fe82fc8e043682d868e5b54ee36c679f126c5451213c7b7a57676107db08884ea06a0

Download Submit
C:\Windows\Latite_Client_betterV1.exe

Filesize
196KB

MD5
ce0b8f899eaf246c39df74a3d6469c15

SHA1
5806a235161b97ff98b8d3788583700480b763be

SHA256
91fae5a53a72146265efb73813d170e6c261f3154e4b1d97e969169ea8b55669

SHA512
a652172836902b8b025bfd836787706d0ea8e6bb3f2385b54687e2ada84c9ed13f7c7ef9afa784c3c4d9a91ad2330be03cbaccabf20c8fb481a36758420740d4

Download Submit
memory/764-24-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/764-25-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/1204-100-0x00000000009A0000-0x00000000009C8000-memory.dmp

Filesize
160KB

Download
memory/1336-101-0x00000000010E0000-0x0000000001118000-memory.dmp

Filesize
224KB

Download
memory/1640-18-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/1640-17-0x000000001B8D0000-0x000000001BBB2000-memory.dmp

Filesize
2.9MB

Download
memory/1780-106-0x0000000000100000-0x0000000000138000-memory.dmp

Filesize
224KB

Download
memory/2228-46-0x0000000000290000-0x00000000002B8000-memory.dmp

Filesize
160KB

Download
memory/2228-69-0x0000000002030000-0x000000000204E000-memory.dmp

Filesize
120KB

Download
memory/2356-12-0x0000000001090000-0x00000000010C8000-memory.dmp

Filesize
224KB

Download
memory/2356-35-0x0000000000D30000-0x0000000000D60000-memory.dmp

Filesize
192KB

Download
memory/2512-33-0x0000000002B80000-0x0000000002B88000-memory.dmp

Filesize
32KB

Download
memory/2512-32-0x000000001B500000-0x000000001B7E2000-memory.dmp

Filesize
2.9MB

Download
memory/2552-105-0x0000000000170000-0x0000000000198000-memory.dmp

Filesize
160KB

Download