Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
21-10-2024 18:47
Static task
static1
Behavioral task
behavioral1
Sample
Easy Beamer-cleaned.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Easy Beamer-cleaned.exe
Resource
win10v2004-20241007-en
General
-
Target
Easy Beamer-cleaned.exe
-
Size
21.4MB
-
MD5
b04e319c4790ffdfb8439a11c81921d4
-
SHA1
f97a36195b51f276569cdc4126a84df9291a2c7c
-
SHA256
21d51ebab060a061134f9ac72f6f4002ecc238e459eecc7bc7c4dd0d9ab17e7f
-
SHA512
30d337e1dd323dc4544a9a99ba73786fe4dbab926915a66f213804f530df5540576b703517e2e89e76ef9dbe891917425a7689132100ccdd6690ccf986f9f799
-
SSDEEP
393216:gL/MPnh2WU7c5pIP3cbVH2Pk6QNfghTY9uffSC+npRuaQaOft8pmA7rqFC:gL/2Dw3PsVxlghL3SCA8t8pmA3qFC
Malware Config
Extracted
xworm
192.168.1.45:24471
147.185.221.16:40745
-
Install_directory
%LocalAppData%
Signatures
-
Detect Xworm Payload 7 IoCs
resource yara_rule behavioral1/memory/2712-16-0x0000000000D00000-0x0000000000D14000-memory.dmp family_xworm behavioral1/files/0x0009000000017409-15.dat family_xworm behavioral1/files/0x000800000001748f-26.dat family_xworm behavioral1/memory/2756-87-0x0000000000A60000-0x0000000000A76000-memory.dmp family_xworm behavioral1/memory/2968-366-0x00000000013A0000-0x00000000013B6000-memory.dmp family_xworm behavioral1/memory/2024-369-0x0000000000900000-0x0000000000914000-memory.dmp family_xworm behavioral1/memory/832-397-0x0000000001130000-0x0000000001144000-memory.dmp family_xworm -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1136 powershell.exe 2060 powershell.exe 2340 powershell.exe 1164 powershell.exe -
Drops startup file 4 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.lnk Essence Rat.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.lnk Essence Rat.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegEdit.lnk remote.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegEdit.lnk remote.exe -
Executes dropped EXE 15 IoCs
pid Process 2804 Kyle Grabber.exe 2712 Essence Rat.exe 2756 remote.exe 1784 miner.exe 2860 Built.exe 2924 Kyle Grabber.exe 2512 Built.exe 1200 Process not Found 2948 svchost.exe 448 sihost64.exe 2968 RegEdit.exe 2024 Discord 564 svchost.exe 448 RegEdit.exe 832 Discord -
Loads dropped DLL 18 IoCs
pid Process 2648 Easy Beamer-cleaned.exe 2648 Easy Beamer-cleaned.exe 2648 Easy Beamer-cleaned.exe 2804 Kyle Grabber.exe 2924 Kyle Grabber.exe 2924 Kyle Grabber.exe 2924 Kyle Grabber.exe 2924 Kyle Grabber.exe 2924 Kyle Grabber.exe 2924 Kyle Grabber.exe 2924 Kyle Grabber.exe 2860 Built.exe 2512 Built.exe 1200 Process not Found 584 cmd.exe 2948 svchost.exe 1200 Process not Found 2352 conhost.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Discord = "C:\\Users\\Admin\\AppData\\Local\\Discord" Essence Rat.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegEdit = "C:\\Users\\Admin\\AppData\\Roaming\\RegEdit.exe" remote.exe -
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Drops file in System32 directory 8 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
resource yara_rule behavioral1/files/0x000500000001a5c2-166.dat upx behavioral1/files/0x000500000001c8d4-171.dat upx behavioral1/memory/2924-172-0x000007FEF2490000-0x000007FEF2AF3000-memory.dmp upx behavioral1/memory/2512-174-0x000007FEF2020000-0x000007FEF2486000-memory.dmp upx behavioral1/memory/2512-315-0x000007FEF2020000-0x000007FEF2486000-memory.dmp upx -
Detects Pyinstaller 1 IoCs
resource yara_rule behavioral1/files/0x00300000000173e4-5.dat pyinstaller -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs regedit.exe 2 IoCs
pid Process 448 RegEdit.exe 2968 RegEdit.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2044 schtasks.exe 2184 schtasks.exe 1272 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 2368 powershell.exe 1316 powershell.exe 1784 miner.exe 1136 powershell.exe 2060 powershell.exe 2340 powershell.exe 1164 powershell.exe 2712 Essence Rat.exe 3000 powershell.exe 2388 powershell.exe 2948 svchost.exe 1996 powershell.exe 2628 powershell.exe 2764 powershell.exe 2368 powershell.exe 564 svchost.exe -
Suspicious use of AdjustPrivilegeToken 23 IoCs
description pid Process Token: SeDebugPrivilege 2712 Essence Rat.exe Token: SeDebugPrivilege 2756 remote.exe Token: SeDebugPrivilege 2368 powershell.exe Token: SeDebugPrivilege 1316 powershell.exe Token: SeDebugPrivilege 1784 miner.exe Token: SeDebugPrivilege 1136 powershell.exe Token: SeDebugPrivilege 2060 powershell.exe Token: SeDebugPrivilege 2340 powershell.exe Token: SeDebugPrivilege 1164 powershell.exe Token: SeDebugPrivilege 2712 Essence Rat.exe Token: SeDebugPrivilege 2756 remote.exe Token: SeDebugPrivilege 3000 powershell.exe Token: SeDebugPrivilege 2388 powershell.exe Token: SeDebugPrivilege 2948 svchost.exe Token: SeDebugPrivilege 2968 RegEdit.exe Token: SeDebugPrivilege 2024 Discord Token: SeDebugPrivilege 1996 powershell.exe Token: SeDebugPrivilege 2628 powershell.exe Token: SeDebugPrivilege 2764 powershell.exe Token: SeDebugPrivilege 2368 powershell.exe Token: SeDebugPrivilege 564 svchost.exe Token: SeDebugPrivilege 448 RegEdit.exe Token: SeDebugPrivilege 832 Discord -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2712 Essence Rat.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2648 wrote to memory of 2804 2648 Easy Beamer-cleaned.exe 30 PID 2648 wrote to memory of 2804 2648 Easy Beamer-cleaned.exe 30 PID 2648 wrote to memory of 2804 2648 Easy Beamer-cleaned.exe 30 PID 2648 wrote to memory of 2712 2648 Easy Beamer-cleaned.exe 31 PID 2648 wrote to memory of 2712 2648 Easy Beamer-cleaned.exe 31 PID 2648 wrote to memory of 2712 2648 Easy Beamer-cleaned.exe 31 PID 2648 wrote to memory of 2756 2648 Easy Beamer-cleaned.exe 32 PID 2648 wrote to memory of 2756 2648 Easy Beamer-cleaned.exe 32 PID 2648 wrote to memory of 2756 2648 Easy Beamer-cleaned.exe 32 PID 2648 wrote to memory of 1784 2648 Easy Beamer-cleaned.exe 33 PID 2648 wrote to memory of 1784 2648 Easy Beamer-cleaned.exe 33 PID 2648 wrote to memory of 1784 2648 Easy Beamer-cleaned.exe 33 PID 2648 wrote to memory of 2860 2648 Easy Beamer-cleaned.exe 34 PID 2648 wrote to memory of 2860 2648 Easy Beamer-cleaned.exe 34 PID 2648 wrote to memory of 2860 2648 Easy Beamer-cleaned.exe 34 PID 2804 wrote to memory of 2924 2804 Kyle Grabber.exe 35 PID 2804 wrote to memory of 2924 2804 Kyle Grabber.exe 35 PID 2804 wrote to memory of 2924 2804 Kyle Grabber.exe 35 PID 2860 wrote to memory of 2512 2860 Built.exe 36 PID 2860 wrote to memory of 2512 2860 Built.exe 36 PID 2860 wrote to memory of 2512 2860 Built.exe 36 PID 1784 wrote to memory of 2276 1784 miner.exe 37 PID 1784 wrote to memory of 2276 1784 miner.exe 37 PID 1784 wrote to memory of 2276 1784 miner.exe 37 PID 2276 wrote to memory of 2368 2276 cmd.exe 39 PID 2276 wrote to memory of 2368 2276 cmd.exe 39 PID 2276 wrote to memory of 2368 2276 cmd.exe 39 PID 2276 wrote to memory of 1316 2276 cmd.exe 40 PID 2276 wrote to memory of 1316 2276 cmd.exe 40 PID 2276 wrote to memory of 1316 2276 cmd.exe 40 PID 1784 wrote to memory of 2240 1784 miner.exe 42 PID 1784 wrote to memory of 2240 1784 miner.exe 42 PID 1784 wrote to memory of 2240 1784 miner.exe 42 PID 2240 wrote to memory of 1272 2240 cmd.exe 44 PID 2240 wrote to memory of 1272 2240 cmd.exe 44 PID 2240 wrote to memory of 1272 2240 cmd.exe 44 PID 2756 wrote to memory of 1136 2756 remote.exe 45 PID 2756 wrote to memory of 1136 2756 remote.exe 45 PID 2756 wrote to memory of 1136 2756 remote.exe 45 PID 2756 wrote to memory of 2060 2756 remote.exe 47 PID 2756 wrote to memory of 2060 2756 remote.exe 47 PID 2756 wrote to memory of 2060 2756 remote.exe 47 PID 2756 wrote to memory of 2340 2756 remote.exe 49 PID 2756 wrote to memory of 2340 2756 remote.exe 49 PID 2756 wrote to memory of 2340 2756 remote.exe 49 PID 2756 wrote to memory of 1164 2756 remote.exe 51 PID 2756 wrote to memory of 1164 2756 remote.exe 51 PID 2756 wrote to memory of 1164 2756 remote.exe 51 PID 2712 wrote to memory of 2044 2712 Essence Rat.exe 53 PID 2712 wrote to memory of 2044 2712 Essence Rat.exe 53 PID 2712 wrote to memory of 2044 2712 Essence Rat.exe 53 PID 2756 wrote to memory of 2184 2756 remote.exe 55 PID 2756 wrote to memory of 2184 2756 remote.exe 55 PID 2756 wrote to memory of 2184 2756 remote.exe 55 PID 1784 wrote to memory of 584 1784 miner.exe 57 PID 1784 wrote to memory of 584 1784 miner.exe 57 PID 1784 wrote to memory of 584 1784 miner.exe 57 PID 584 wrote to memory of 2948 584 cmd.exe 59 PID 584 wrote to memory of 2948 584 cmd.exe 59 PID 584 wrote to memory of 2948 584 cmd.exe 59 PID 2948 wrote to memory of 696 2948 svchost.exe 60 PID 2948 wrote to memory of 696 2948 svchost.exe 60 PID 2948 wrote to memory of 696 2948 svchost.exe 60 PID 696 wrote to memory of 3000 696 cmd.exe 62 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Easy Beamer-cleaned.exe"C:\Users\Admin\AppData\Local\Temp\Easy Beamer-cleaned.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Users\Admin\AppData\Local\Temp\Kyle Grabber.exe"C:\Users\Admin\AppData\Local\Temp\Kyle Grabber.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Users\Admin\AppData\Local\Temp\Kyle Grabber.exe"C:\Users\Admin\AppData\Local\Temp\Kyle Grabber.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2924
-
-
-
C:\Users\Admin\AppData\Local\Temp\Essence Rat.exe"C:\Users\Admin\AppData\Local\Temp\Essence Rat.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Discord" /tr "C:\Users\Admin\AppData\Local\Discord"3⤵
- Scheduled Task/Job: Scheduled Task
PID:2044
-
-
-
C:\Users\Admin\AppData\Local\Temp\remote.exe"C:\Users\Admin\AppData\Local\Temp\remote.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\remote.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1136
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'remote.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\RegEdit.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2340
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RegEdit.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1164
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RegEdit" /tr "C:\Users\Admin\AppData\Roaming\RegEdit.exe"3⤵
- Scheduled Task/Job: Scheduled Task
PID:2184
-
-
-
C:\Users\Admin\AppData\Local\Temp\miner.exe"C:\Users\Admin\AppData\Local\Temp\miner.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\system32\cmd.exe"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit3⤵
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2368
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1316
-
-
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr "C:\Users\Admin\Microsoft\svchost.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr "C:\Users\Admin\Microsoft\svchost.exe"4⤵
- Scheduled Task/Job: Scheduled Task
PID:1272
-
-
-
C:\Windows\system32\cmd.exe"cmd" cmd /c "C:\Users\Admin\Microsoft\svchost.exe"3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Users\Admin\Microsoft\svchost.exeC:\Users\Admin\Microsoft\svchost.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\system32\cmd.exe"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit5⤵
- Suspicious use of WriteProcessMemory
PID:696 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3000
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"5⤵
- Executes dropped EXE
PID:448 -
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "bchbxplvojdk"6⤵
- Loads dropped DLL
PID:2352 -
C:\Windows\System32\cmd.exe"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit7⤵PID:1744
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"8⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="8⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2628
-
-
-
C:\Users\Admin\Microsoft\svchost.exe"C:\Users\Admin\Microsoft\svchost.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:564 -
C:\Windows\system32\cmd.exe"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit8⤵PID:2112
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"9⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="9⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2368
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Built.exe"C:\Users\Admin\AppData\Local\Temp\Built.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Users\Admin\AppData\Local\Temp\Built.exe"C:\Users\Admin\AppData\Local\Temp\Built.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2512
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {F9AB1324-C90D-451B-A38A-44CF260058EC} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]1⤵PID:1664
-
C:\Users\Admin\AppData\Roaming\RegEdit.exeC:\Users\Admin\AppData\Roaming\RegEdit.exe2⤵
- Executes dropped EXE
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
PID:2968
-
-
C:\Users\Admin\AppData\Local\DiscordC:\Users\Admin\AppData\Local\Discord2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2024
-
-
C:\Users\Admin\AppData\Roaming\RegEdit.exeC:\Users\Admin\AppData\Roaming\RegEdit.exe2⤵
- Executes dropped EXE
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
PID:448
-
-
C:\Users\Admin\AppData\Local\DiscordC:\Users\Admin\AppData\Local\Discord2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:832
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
51KB
MD5f04571c3db7b42232744d0a53901a04c
SHA14ad20bc7b0c5b1078e9cdbbfefe7f6f9e953f106
SHA256851cbcd590bc4ece6da8c5e31a71bd5c828ca0c8e908d84faa83a72e73e515cd
SHA51263ab7353c791c9fe750daaeb18fb8bc992bf14753546943155051e289c52966ea5eb8ff6ffa3a27d27a0fe2fcfdf581b4cae9e72207847cd73bdf191b08d3c15
-
Filesize
21KB
MD51c58526d681efe507deb8f1935c75487
SHA10e6d328faf3563f2aae029bc5f2272fb7a742672
SHA256ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2
SHA5128edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1
-
Filesize
1.8MB
MD5d99ac8bac1343105b642295397ca2ffc
SHA193fd73c1fb9ee99ddc66d38885a657cf81f62836
SHA2569116e56cedeb1c4ae82b4bde560f2fe0b83a16764865012cbf5501673d3c5536
SHA51289d30bc84978daf469008ffc347cbd3e189f1df2c1a302dedfc2b700267cc28c671c7c35b5e95ba29a300e7fda75ccfc720d2173ea6db6eb69978772c0b8339f
-
Filesize
1.4MB
MD53f782cf7874b03c1d20ed90d370f4329
SHA108a2b4a21092321de1dcad1bb2afb660b0fa7749
SHA2562a382aff16533054e6de7d13b837a24d97ea2957805730cc7b08b75e369f58d6
SHA512950c039eb23ed64ca8b2f0a9284ebdb6f0efe71dde5bbf0187357a66c3ab0823418edca34811650270eea967f0e541eece90132f9959d5ba5984405630a99857
-
Filesize
62KB
MD524ff3baf7db43417842281fc5128d220
SHA1c86fb912ab11d05d2d1d10de21f60504065b2f0f
SHA256307a1318066e374d97c97d3c8f6bc306800463c632871ca472481733b19d4260
SHA5121ed457dc2c8efe8aff76312dab73ae582b8bfea39e9f16d3adce45281ee65c9a10ed9f10b3470a4ada8ce87ab1236134748a2e83e837c0281a9452e19affe593
-
Filesize
41KB
MD57df43888303d0bce2d40cb808f3c5e98
SHA13441037c61e828845663ec34520df5bf84460d53
SHA256bb7d737aa191414613e284f58aacd73772f59a5b78520896d70d12be24e253d3
SHA512490c90fd8c5c4f86b42cc6436a44c9e9e7614c54a25b148418740914bb6dcd9d1924be017d33c8395092766245fdef13d65b8b07668b8b2446b4057cff93e8b0
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5a388c9f70a25e48a5fc452a99bdc4dcb
SHA17885d9c47c4ebca96df689ae6e4af1efa824c474
SHA256f39c8f7fa6475f9f8ce56de7f3039f24426edf721b02535e861ad98f20336a78
SHA512c832dbd2dfdcf6b27c3b68589687f8945c3482eacaddd1a97632c97f5f6d5febe051f74d4b7cae4cd0678ea2fc48ec3ded26817474229d2ee7c24cbccdbc6671
-
Filesize
5.9MB
MD5eab12405bd1b374b31006c5856c95ada
SHA1e6ade755915b2559c37bbb7df68fa3e03a7d710e
SHA25694bbee749a9be2e19a8ecf597ae5829cb718ab1a5cd601428e9b3f1ddbff56c2
SHA512a196c4c84decd0c9a00f4d5eb3f4db28a6ff80d81eb02f7ea59d9a509c9360b4628a9323849da7f878dc9f362a28320ac5cedd8ed0245af0b9a0c2f6835adf20
-
Filesize
18.5MB
MD5049ed2569a2f0dab7e8d0ba4160a9c7f
SHA1a0f6217dc88d1aeffdfc33e3a797465fbdaef6f3
SHA2562cae0e502d0073849276fcb5ead53af32db7fab402e18fe193204b84e1858db8
SHA512b0b7ffb7a5a9ebe147ce8dd1a739169edac333b14a5ce7e2ea54dd5bfa39fb3b9a5165e47dd108bdceb68e8a76662a85880453c22c777bcc483df4d9083e69b6
-
Filesize
18KB
MD5bfffa7117fd9b1622c66d949bac3f1d7
SHA1402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2
SHA2561ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e
SHA512b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f
-
Filesize
21KB
MD5724223109e49cb01d61d63a8be926b8f
SHA1072a4d01e01dbbab7281d9bd3add76f9a3c8b23b
SHA2564e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210
SHA51219b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c
-
Filesize
21KB
MD5517eb9e2cb671ae49f99173d7f7ce43f
SHA14ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab
SHA25657cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54
SHA512492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be
-
Filesize
21KB
MD5d12403ee11359259ba2b0706e5e5111c
SHA103cc7827a30fd1dee38665c0cc993b4b533ac138
SHA256f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781
SHA5129004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0
-
Filesize
992KB
MD50e0bac3d1dcc1833eae4e3e4cf83c4ef
SHA14189f4459c54e69c6d3155a82524bda7549a75a6
SHA2568a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
SHA512a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd
-
Filesize
2.9MB
MD55559a84abe3f1308a34521edb663ab63
SHA125bae0e25411e0f59bfb4ed2db004cffba1fd9b9
SHA25635f6d9d2b93574bd9c90e3a15a738fb161a42bdd58b4247ef31ecbeb117d6c40
SHA512850ab553b01b4a27d9843492050bd5996f9988fe1a12bc07c8d37e63b6bc734bd4da9bd6d8b092318d9f751d9e9f47a7f332812f4de79e942e5377542b909371