xworm | 1252c59f28ed87f9236af0b045978c17351faf34649e639b1dc8fdfdd5ccc0ae

Analysis

max time kernel
583s
max time network
595s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-10-2024 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Luxury Crypter 18.0.0/Luxury Crypter‌.exe
Size

2.9MB
MD5

ffaf52e43618a09017ba3b764c5e205f
SHA1

f2d6751870948308817dceda259111101eb2e3b2
SHA256

4efb2b692fd63845dc443f589f83d410905c7cf4a1013444d083120506a26076
SHA512

3d462f333c3c68b5fbad691949c57aeedba2fa3d7a1acc1e40f4e18a83d9db34e5e86e10a7d2fa1a991a053e2a5281b459f69c9228a534beb0d6b0f13443cd59
SSDEEP

49152:jOnLUriuqNoO3vKbITB5CtHHBzNYkd/xP9wUU4F8TEK7wzSrsjqz:in5TuiBwBCkd/NSUUB4K0uYjY

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

146.190.110.91:3389

Attributes

Install_directory
%AppData%
install_file
svchost.exe
telegram
https://api.telegram.org/bot7558158256:AAEHTwnKaP3Xe69dD2Vmm9pirMBLikK6uhw/sendMessage?chat_id=8071457805

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\svchost.exe	family_xworm
behavioral19/memory/3016-15-0x0000000000A40000-0x0000000000A56000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Blocklisted process makes network request 3 IoCs

Processes:

cscript.exe

flow pid process

6 2732 cscript.exe
8 2732 cscript.exe
10 2732 cscript.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

2256 powershell.exe
2936 powershell.exe
1912 powershell.exe
2900 powershell.exe
1136 powershell.exe

flow	pid	process
6	2732	cscript.exe
8	2732	cscript.exe
10	2732	cscript.exe

pid	process
2256	powershell.exe
2936	powershell.exe
1912	powershell.exe
2900	powershell.exe
1136	powershell.exe

Drops startup file 3 IoCs

Processes:

svchost.exemsedgewebview2.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedgewebview2.exe.lnk	msedgewebview2.exe

Executes dropped EXE 10 IoCs

Processes:

Luxury Crypter.exesvchost.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exe

pid	process
2832	Luxury Crypter.exe
3016	svchost.exe
2516	msedgewebview2.exe
964	msedgewebview2.exe
2968	msedgewebview2.exe
836	msedgewebview2.exe
2540	msedgewebview2.exe
888	msedgewebview2.exe
1568	msedgewebview2.exe
2976	msedgewebview2.exe

Drops file in Windows directory 2 IoCs

Processes:

cscript.exe

description ioc process

File created C:\Windows\Fonts\Mulish.ttf cscript.exe
File opened for modification C:\Windows\Fonts\Mulish.ttf cscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Fonts\Mulish.ttf	cscript.exe
File opened for modification	C:\Windows\Fonts\Mulish.ttf	cscript.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Luxury Crypter.execscript.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Luxury Crypter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1468 timeout.exe

pid	process
1468	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Luxury Crypter.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Luxury Crypter.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Luxury Crypter.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Luxury Crypter.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

cscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	cscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	cscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	cscript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

3064 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

svchost.exemsedgewebview2.exe

pid process

3016 svchost.exe
964 msedgewebview2.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exesvchost.exepowershell.exe

pid process

2900 powershell.exe
1136 powershell.exe
2256 powershell.exe
2936 powershell.exe
3016 svchost.exe
1912 powershell.exe

pid	process
3064	schtasks.exe

pid	process
3016	svchost.exe
964	msedgewebview2.exe

pid	process
2900	powershell.exe
1136	powershell.exe
2256	powershell.exe
2936	powershell.exe
3016	svchost.exe
1912	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

svchost.exepowershell.exeLuxury Crypter.exepowershell.exepowershell.exepowershell.exemsedgewebview2.exepowershell.exemsedgewebview2.exe

description	pid	process
Token: SeDebugPrivilege	3016	svchost.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	2832	Luxury Crypter.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2516	msedgewebview2.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	964	msedgewebview2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

3016 svchost.exe

pid	process
3016	svchost.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

Luxury Crypter‌.exesvchost.exemsedgewebview2.exeLuxury Crypter.execmd.exetaskeng.exe

description	pid	process	target process
PID 2880 wrote to memory of 2832	2880	Luxury Crypter‌.exe	Luxury Crypter.exe
PID 2880 wrote to memory of 2832	2880	Luxury Crypter‌.exe	Luxury Crypter.exe
PID 2880 wrote to memory of 2832	2880	Luxury Crypter‌.exe	Luxury Crypter.exe
PID 2880 wrote to memory of 2832	2880	Luxury Crypter‌.exe	Luxury Crypter.exe
PID 2880 wrote to memory of 3016	2880	Luxury Crypter‌.exe	svchost.exe
PID 2880 wrote to memory of 3016	2880	Luxury Crypter‌.exe	svchost.exe
PID 2880 wrote to memory of 3016	2880	Luxury Crypter‌.exe	svchost.exe
PID 3016 wrote to memory of 2900	3016	svchost.exe	powershell.exe
PID 3016 wrote to memory of 2900	3016	svchost.exe	powershell.exe
PID 3016 wrote to memory of 2900	3016	svchost.exe	powershell.exe
PID 3016 wrote to memory of 1136	3016	svchost.exe	powershell.exe
PID 3016 wrote to memory of 1136	3016	svchost.exe	powershell.exe
PID 3016 wrote to memory of 1136	3016	svchost.exe	powershell.exe
PID 3016 wrote to memory of 2256	3016	svchost.exe	powershell.exe
PID 3016 wrote to memory of 2256	3016	svchost.exe	powershell.exe
PID 3016 wrote to memory of 2256	3016	svchost.exe	powershell.exe
PID 3016 wrote to memory of 2936	3016	svchost.exe	powershell.exe
PID 3016 wrote to memory of 2936	3016	svchost.exe	powershell.exe
PID 3016 wrote to memory of 2936	3016	svchost.exe	powershell.exe
PID 2880 wrote to memory of 2516	2880	Luxury Crypter‌.exe	msedgewebview2.exe
PID 2880 wrote to memory of 2516	2880	Luxury Crypter‌.exe	msedgewebview2.exe
PID 2880 wrote to memory of 2516	2880	Luxury Crypter‌.exe	msedgewebview2.exe
PID 2516 wrote to memory of 1912	2516	msedgewebview2.exe	powershell.exe
PID 2516 wrote to memory of 1912	2516	msedgewebview2.exe	powershell.exe
PID 2516 wrote to memory of 1912	2516	msedgewebview2.exe	powershell.exe
PID 2516 wrote to memory of 3064	2516	msedgewebview2.exe	schtasks.exe
PID 2516 wrote to memory of 3064	2516	msedgewebview2.exe	schtasks.exe
PID 2516 wrote to memory of 3064	2516	msedgewebview2.exe	schtasks.exe
PID 2832 wrote to memory of 2400	2832	Luxury Crypter.exe	ILMerge.exe
PID 2832 wrote to memory of 2400	2832	Luxury Crypter.exe	ILMerge.exe
PID 2832 wrote to memory of 2400	2832	Luxury Crypter.exe	ILMerge.exe
PID 2832 wrote to memory of 2400	2832	Luxury Crypter.exe	ILMerge.exe
PID 2832 wrote to memory of 2732	2832	Luxury Crypter.exe	cscript.exe
PID 2832 wrote to memory of 2732	2832	Luxury Crypter.exe	cscript.exe
PID 2832 wrote to memory of 2732	2832	Luxury Crypter.exe	cscript.exe
PID 2832 wrote to memory of 2732	2832	Luxury Crypter.exe	cscript.exe
PID 2516 wrote to memory of 964	2516	msedgewebview2.exe	msedgewebview2.exe
PID 2516 wrote to memory of 964	2516	msedgewebview2.exe	msedgewebview2.exe
PID 2516 wrote to memory of 964	2516	msedgewebview2.exe	msedgewebview2.exe
PID 2516 wrote to memory of 2624	2516	msedgewebview2.exe	cmd.exe
PID 2516 wrote to memory of 2624	2516	msedgewebview2.exe	cmd.exe
PID 2516 wrote to memory of 2624	2516	msedgewebview2.exe	cmd.exe
PID 2624 wrote to memory of 1468	2624	cmd.exe	timeout.exe
PID 2624 wrote to memory of 1468	2624	cmd.exe	timeout.exe
PID 2624 wrote to memory of 1468	2624	cmd.exe	timeout.exe
PID 2444 wrote to memory of 2968	2444	taskeng.exe	msedgewebview2.exe
PID 2444 wrote to memory of 2968	2444	taskeng.exe	msedgewebview2.exe
PID 2444 wrote to memory of 2968	2444	taskeng.exe	msedgewebview2.exe
PID 2444 wrote to memory of 836	2444	taskeng.exe	msedgewebview2.exe
PID 2444 wrote to memory of 836	2444	taskeng.exe	msedgewebview2.exe
PID 2444 wrote to memory of 836	2444	taskeng.exe	msedgewebview2.exe
PID 2444 wrote to memory of 2540	2444	taskeng.exe	msedgewebview2.exe
PID 2444 wrote to memory of 2540	2444	taskeng.exe	msedgewebview2.exe
PID 2444 wrote to memory of 2540	2444	taskeng.exe	msedgewebview2.exe
PID 2444 wrote to memory of 888	2444	taskeng.exe	msedgewebview2.exe
PID 2444 wrote to memory of 888	2444	taskeng.exe	msedgewebview2.exe
PID 2444 wrote to memory of 888	2444	taskeng.exe	msedgewebview2.exe
PID 2444 wrote to memory of 1568	2444	taskeng.exe	msedgewebview2.exe
PID 2444 wrote to memory of 1568	2444	taskeng.exe	msedgewebview2.exe
PID 2444 wrote to memory of 1568	2444	taskeng.exe	msedgewebview2.exe
PID 2444 wrote to memory of 2976	2444	taskeng.exe	msedgewebview2.exe
PID 2444 wrote to memory of 2976	2444	taskeng.exe	msedgewebview2.exe
PID 2444 wrote to memory of 2976	2444	taskeng.exe	msedgewebview2.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Luxury Crypter 18.0.0\Luxury Crypter‌.exe
"C:\Users\Admin\AppData\Local\Temp\Luxury Crypter 18.0.0\Luxury Crypter‌.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\AppData\Local\Temp\Luxury Crypter 18.0.0\Luxury Crypter.exe
  "C:\Users\Admin\AppData\Local\Temp\Luxury Crypter 18.0.0\Luxury Crypter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Users\Admin\AppData\Local\Temp\Luxury Crypter 18.0.0\ILMerge.exe
    "C:\Users\Admin\AppData\Local\Temp\Luxury Crypter 18.0.0\ILMerge.exe"
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\cscript.exe
    "C:\Windows\System32\cscript.exe" "C:\Users\Admin\AppData\Roaming\WK.Libraries.FontsInstaller\\Unavailable\Installer.vbs"
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    PID:2732
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2900
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2936
- C:\ProgramData\msedgewebview2.exe
  "C:\ProgramData\msedgewebview2.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedgewebview2'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1912
- - C:\Windows\system32\schtasks.exe
    "schtasks.exe" /create /tn msedgewebview2 /tr "C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe" /st 18:53 /du 23:59 /sc daily /ri 1 /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3064
- - C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
    "C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    PID:964
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC5DE.tmp.cmd""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\system32\timeout.exe
      timeout 6
      4⤵
      Delays execution with timeout.exe
      PID:1468

C:\Windows\system32\taskeng.exe
taskeng.exe {9BF62B89-5B34-4392-8379-4B8029899589} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
  C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
  C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
  C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
  C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
  2⤵
  - Executes dropped EXE
  PID:888
- C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
  C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
  C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
  2⤵
  - Executes dropped EXE
  PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabB2CD.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Luxury Crypter 18.0.0\Luxury Crypter.exe

Filesize
2.6MB

MD5
a4a60f3b5d721833f9ffa0b957d71900

SHA1
2705f17e8ed9793daa2970af167ba24c41610fe3

SHA256
f9488fbe7c1f411f07396de7cb57f76bca81ab354ca680c51a616ce1ceff1726

SHA512
f168d29a9aa8ce3a2f6d2b8fb2c1f12c280fc20e807bdb96ab24d7bb0f2d5cc132f9a67d961ed1476c16372fc67a6272b6a12f2065984fb2feb4b3eb1b0a0d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB4A4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC5DE.tmp.cmd

Filesize
147B

MD5
4c096edc46c03766c993c45d2da107e3

SHA1
cce76ed10970a6c68665f6da97819eea7c63320b

SHA256
d4518ea9303f4ef1d125542f7457729953f9fbefed8b71381ba804485dfa8095

SHA512
c79b2c23ca5b51a372bf3c8931bd7c802769b640fec810f35d1189db6bf930c271397db041e0561662674ef2f2f99ae0b9cfa3c67dc46921f06707d45b997a9e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
944e65332c4adcb8b9162dc333caa021

SHA1
244bdedd9d504571d1f6236fbe398daff1f09345

SHA256
82c242078b73c0480ddc80042e50c668e1bfd94e2fc763c291084af0f6eb283d

SHA512
1a946255a3d4a4bfeee996417a3903cc93c704599d83b95e73bf04f99f432f0c86419d8b2b40cbd6a678c94104d130e5377188adf076417db4286a2df9980ec8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
283b22ef84f4f2648189d60dc24e1ef8

SHA1
6a2a15a0ff7042d0734bea35e2474782144528fb

SHA256
752cb75930f2632e43d62067dd6514f251fa30dc60ee04d5c42d860282280c46

SHA512
4181c25d68a524c674a78e7a4b2b51c719cb2b4d3df61af171221e8c93b1e5476cda91f57b9167d41cb761802301e4527cddf3af7c3e2293301218d7de7ab3a5

Download Submit
C:\Users\Admin\AppData\Roaming\WK.Libraries.FontsInstaller\Mulish.ttf

Filesize
103KB

MD5
987e18dffd501e760afdbea36a4dbeed

SHA1
17352fd4b1929910ad99ec6b9d1e04cb40662147

SHA256
0d12a5128d541738d925cc8dda9630be3fd808ab8c04f19a8b83bcdebf64498a

SHA512
30ee46154728f6587a2cb89bacd3808209a635e745f4ffd7b909d44129a66894fa370d246228c9782e61569a175fb31ae381995334b75f23570cbbd95c03781d

Download Submit
C:\Users\Admin\AppData\Roaming\WK.Libraries.FontsInstaller\Unavailable\Installer.vbs

Filesize
15KB

MD5
f3040d44a71f07e4117dbf0755391d90

SHA1
099fb8bbb44b1d83b9c0e942d3530870c32ffc47

SHA256
590538e3897a340f3e9549155f93152afaf378d2cbee8027d3fb23bf5265a475

SHA512
20385d05d2701a101069f760a1ca09cd8fc332daf4000c0d4e9e35d0d5d647c0cc7197e6a52ec796644f5fd5d9f3e07d2d54ea311633ce0c7ea44cb9f0df877a

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
65KB

MD5
36dde308d5e09405a94dad6844ca0c44

SHA1
c585d502f48206f767f97ac7f7acd4112c314ccc

SHA256
c901ffc47365a32dcb7e1981386cc0d60833bab6addfc88b813a5a8cdc4fb11b

SHA512
5964d137c5b510ae978b331161bc20c7ecfd4a35aa6c65c4d95a13c8568f774a483807c4ca555e3559a83712421c811d1af18f7aa2981367129244c1bfc74923

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/964-915-0x0000000000E50000-0x0000000000E92000-memory.dmp

Filesize
264KB

Download
memory/1136-33-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/1136-32-0x000000001B320000-0x000000001B602000-memory.dmp

Filesize
2.9MB

Download
memory/1912-64-0x0000000000580000-0x0000000000588000-memory.dmp

Filesize
32KB

Download
memory/1912-63-0x000000001B390000-0x000000001B672000-memory.dmp

Filesize
2.9MB

Download
memory/2516-55-0x00000000008D0000-0x0000000000912000-memory.dmp

Filesize
264KB

Download
memory/2832-23-0x0000000006180000-0x0000000006394000-memory.dmp

Filesize
2.1MB

Download
memory/2832-24-0x0000000000750000-0x00000000007B2000-memory.dmp

Filesize
392KB

Download
memory/2832-17-0x0000000000D80000-0x0000000001028000-memory.dmp

Filesize
2.7MB

Download
memory/2832-18-0x0000000004EF0000-0x000000000504C000-memory.dmp

Filesize
1.4MB

Download
memory/2832-40-0x0000000005050000-0x00000000051E2000-memory.dmp

Filesize
1.6MB

Download
memory/2832-66-0x0000000006020000-0x0000000006046000-memory.dmp

Filesize
152KB

Download
memory/2832-65-0x0000000000D70000-0x0000000000D7A000-memory.dmp

Filesize
40KB

Download
memory/2880-0-0x000007FEF5A53000-0x000007FEF5A54000-memory.dmp

Filesize
4KB

Download
memory/2880-56-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

Filesize
9.9MB

Download
memory/2880-48-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

Filesize
9.9MB

Download
memory/2880-41-0x000007FEF5A53000-0x000007FEF5A54000-memory.dmp

Filesize
4KB

Download
memory/2880-16-0x000007FEF5A50000-0x000007FEF643C000-memory.dmp

Filesize
9.9MB

Download
memory/2880-1-0x0000000001190000-0x000000000147E000-memory.dmp

Filesize
2.9MB

Download
memory/2900-25-0x000000001B3A0000-0x000000001B682000-memory.dmp

Filesize
2.9MB

Download
memory/2900-26-0x0000000001F90000-0x0000000001F98000-memory.dmp

Filesize
32KB

Download
memory/3016-15-0x0000000000A40000-0x0000000000A56000-memory.dmp

Filesize
88KB

Download