Analysis
- max time kernel: 599s
- max time network: 602s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
- submitted: 23-10-2024 15:41
Tasks
- Static task static1
- Behavioral task behavioral1 | Sample: Luxury Crypter 18.0.0.7z | Resource: win7-20241010-en
- Behavioral task behavioral2 | Sample: Luxury Crypter 18.0.0.7z | Resource: win10v2004-20241007-en
- Behavioral task behavioral3 | Sample: Installation Guide/DefenderRemover.exe | Resource: win7-20241010-en
- Behavioral task behavioral4 | Sample: Installation Guide/DefenderRemover.exe | Resource: win10v2004-20241007-en
- Behavioral task behavioral5 | Sample: Installation Guide/DefenderRemover.zip | Resource: win7-20241010-en
- Behavioral task behavioral6 | Sample: Installation Guide/DefenderRemover.zip | Resource: win10v2004-20241007-en
- Behavioral task behavioral7 | Sample: DefenderRemover.exe | Resource: win7-20241010-en
- Behavioral task behavioral8 | Sample: DefenderRemover.exe | Resource: win10v2004-20241007-en
- Behavioral task behavioral9 | Sample: Installation Guide/README.md | Resource: win7-20241010-en
- Behavioral task behavioral10 | Sample: Installation Guide/README.md | Resource: win10v2004-20241007-en
- Behavioral task behavioral11 | Sample: Luxury Crypter 18.0.0/Dynamitey.dll | Resource: win7-20241010-en
- Behavioral task behavioral12 | Sample: Luxury Crypter 18.0.0/Dynamitey.dll | Resource: win10v2004-20241007-en
- Behavioral task behavioral13 | Sample: Luxury Crypter 18.0.0/FontsInstaller.dll | Resource: win7-20241010-en
- Behavioral task behavioral14 | Sample: Luxury Crypter 18.0.0/FontsInstaller.dll | Resource: win10v2004-20241007-en
- Behavioral task behavioral15 | Sample: Luxury Crypter 18.0.0/Guna.UI2.dll | Resource: win7-20241010-en
- Behavioral task behavioral16 | Sample: Luxury Crypter 18.0.0/Guna.UI2.dll | Resource: win10v2004-20241007-en
- Behavioral task behavioral17 | Sample: Luxury Crypter 18.0.0/ILMerge.exe | Resource: win7-20241010-en
- Behavioral task behavioral18 | Sample: Luxury Crypter 18.0.0/ILMerge.exe | Resource: win10v2004-20241007-en
- Behavioral task behavioral19 | Sample: Luxury Crypter 18.0.0/Luxury Crypter.exe | Resource: win7-20241010-en
- Behavioral task behavioral20 | Sample: Luxury Crypter 18.0.0/Luxury Crypter.exe | Resource: win10v2004-20241007-en
- Behavioral task behavioral21 | Sample: 安装指南/DefenderRemover.exe | Resource: win7-20241010-en
- Behavioral task behavioral22 | Sample: 安装指南/DefenderRemover.exe | Resource: win10v2004-20241007-en
- Behavioral task behavioral23 | Sample: 安装指南/DefenderRemover.zip | Resource: win7-20241010-en
- Behavioral task behavioral24 | Sample: 安装指南/DefenderRemover.zip | Resource: win10v2004-20241007-en
- Behavioral task behavioral25 | Sample: DefenderRemover.exe | Resource: win7-20241010-en
- Behavioral task behavioral26 | Sample: DefenderRemover.exe | Resource: win10v2004-20241007-en
- Behavioral task behavioral27 | Sample: 安装指南/README.md | Resource: win7-20241010-en
- Behavioral task behavioral28 | Sample: 安装指南/README.md | Resource: win10v2004-20241007-en
General
- Target: Luxury Crypter 18.0.0/Luxury Crypter.exe
- Size: 2.9MB
- MD5: ffaf52e43618a09017ba3b764c5e205f
- SHA1: f2d6751870948308817dceda259111101eb2e3b2
- SHA256: 4efb2b692fd63845dc443f589f83d410905c7cf4a1013444d083120506a26076
- SHA512: 3d462f333c3c68b5fbad691949c57aeedba2fa3d7a1acc1e40f4e18a83d9db34e5e86e10a7d2fa1a991a053e2a5281b459f69c9228a534beb0d6b0f13443cd59
- SSDEEP: 49152:jOnLUriuqNoO3vKbITB5CtHHBzNYkd/xP9wUU4F8TEK7wzSrsjqz:in5TuiBwBCkd/NSUUB4K0uYjY
Malware Config
Extracted: xworm
- 146.190.110.91:3389
- Install_directory: %AppData%
- install_file: svchost.exe
- telegram: https://api.telegram.org/bot7558158256:AAEHTwnKaP3Xe69dD2Vmm9pirMBLikK6uhw/sendMessage?chat_id=8071457805
Extracted: gurcu
- https://api.telegram.org/bot7558158256:AAEHTwnKaP3Xe69dD2Vmm9pirMBLikK6uhw/sendMessage?chat_id=8071457805
Signatures
Detect Xworm Payload 2 IoCs
  resource | yara_rule
  behavioral20/files/0x0009000000023cb2-18.dat | family_xworm
  behavioral20/memory/3420-29-0x0000000000390000-0x00000000003A6000-memory.dmp | family_xworm
Blocklisted process makes network request 1 IoCs
  flow | pid | Process
  34 | 4444 | cscript.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid | Process
  4900 | powershell.exe
  3184 | powershell.exe
  984 | powershell.exe
  3212 | powershell.exe
  4056 | powershell.exe
Checks computer location settings 2 TTPs 4 IoCs
Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | Luxury Crypter.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | svchost.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | Luxury Crypter.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | msedgewebview2.exe
Drops startup file 3 IoCs
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | svchost.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedgewebview2.exe.lnk | msedgewebview2.exe
Executes dropped EXE 10 IoCs
  pid | Process
  3880 | Luxury Crypter.exe
  3420 | svchost.exe
  1472 | msedgewebview2.exe
  772 | msedgewebview2.exe
  2208 | msedgewebview2.exe
  4884 | msedgewebview2.exe
  2632 | msedgewebview2.exe
  3496 | msedgewebview2.exe
  3848 | msedgewebview2.exe
  3012 | msedgewebview2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Luxury Crypter.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe
Delays execution with timeout.exe 1 IoCs
  pid | Process
  3604 | timeout.exe
Enumerates system info in registry 2 TTPs 3 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Luxury Crypter.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | Luxury Crypter.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | Luxury Crypter.exe
Modifies system certificate store 3 IoCs
  description | ioc | Process
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob data not shown in this report] | cscript.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | cscript.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob data not shown in this report] | cscript.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4432 | schtasks.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
  pid | Process
  3420 | svchost.exe
  772 | msedgewebview2.exe
Suspicious behavior: EnumeratesProcesses 13 IoCs
  pid | Process
  984 | powershell.exe
  984 | powershell.exe
  3212 | powershell.exe
  3212 | powershell.exe
  4056 | powershell.exe
  4056 | powershell.exe
  4900 | powershell.exe
  4900 | powershell.exe
  3420 | svchost.exe
  3420 | svchost.exe
  3184 | powershell.exe
  3184 | powershell.exe
  3184 | powershell.exe
Suspicious use of AdjustPrivilegeToken 9 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 3420 | svchost.exe
  Token: SeDebugPrivilege | 3880 | Luxury Crypter.exe
  Token: SeDebugPrivilege | 984 | powershell.exe
  Token: SeDebugPrivilege | 3212 | powershell.exe
  Token: SeDebugPrivilege | 4056 | powershell.exe
  Token: SeDebugPrivilege | 4900 | powershell.exe
  Token: SeDebugPrivilege | 1472 | msedgewebview2.exe
  Token: SeDebugPrivilege | 3184 | powershell.exe
  Token: SeDebugPrivilege | 772 | msedgewebview2.exe
Suspicious use of SetWindowsHookEx 1 IoCs
  pid | Process
  3420 | svchost.exe
Suspicious use of WriteProcessMemory 30 IoCs
  description | pid | Process | procid_target
  PID 100 wrote to memory of 3880 | 100 | Luxury Crypter.exe | 90
  PID 100 wrote to memory of 3880 | 100 | Luxury Crypter.exe | 90
  PID 100 wrote to memory of 3880 | 100 | Luxury Crypter.exe | 90
  PID 100 wrote to memory of 3420 | 100 | Luxury Crypter.exe | 91
  PID 100 wrote to memory of 3420 | 100 | Luxury Crypter.exe | 91
  PID 3420 wrote to memory of 984 | 3420 | svchost.exe | 94
  PID 3420 wrote to memory of 984 | 3420 | svchost.exe | 94
  PID 3420 wrote to memory of 3212 | 3420 | svchost.exe | 97
  PID 3420 wrote to memory of 3212 | 3420 | svchost.exe | 97
  PID 3420 wrote to memory of 4056 | 3420 | svchost.exe | 99
  PID 3420 wrote to memory of 4056 | 3420 | svchost.exe | 99
  PID 3420 wrote to memory of 4900 | 3420 | svchost.exe | 101
  PID 3420 wrote to memory of 4900 | 3420 | svchost.exe | 101
  PID 3880 wrote to memory of 4172 | 3880 | Luxury Crypter.exe | 106
  PID 3880 wrote to memory of 4172 | 3880 | Luxury Crypter.exe | 106
  PID 100 wrote to memory of 1472 | 100 | Luxury Crypter.exe | 103
  PID 100 wrote to memory of 1472 | 100 | Luxury Crypter.exe | 103
  PID 1472 wrote to memory of 4432 | 1472 | msedgewebview2.exe | 108
  PID 1472 wrote to memory of 4432 | 1472 | msedgewebview2.exe | 108
  PID 1472 wrote to memory of 3184 | 1472 | msedgewebview2.exe | 109
  PID 1472 wrote to memory of 3184 | 1472 | msedgewebview2.exe | 109
  PID 3880 wrote to memory of 4444 | 3880 | Luxury Crypter.exe | 112
  PID 3880 wrote to memory of 4444 | 3880 | Luxury Crypter.exe | 112
  PID 3880 wrote to memory of 4444 | 3880 | Luxury Crypter.exe | 112
  PID 1472 wrote to memory of 772 | 1472 | msedgewebview2.exe | 114
  PID 1472 wrote to memory of 772 | 1472 | msedgewebview2.exe | 114
  PID 1472 wrote to memory of 4700 | 1472 | msedgewebview2.exe | 115
  PID 1472 wrote to memory of 4700 | 1472 | msedgewebview2.exe | 115
  PID 4700 wrote to memory of 3604 | 4700 | cmd.exe | 117
  PID 4700 wrote to memory of 3604 | 4700 | cmd.exe | 117
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indented by process-tree depth)
C:\Users\Admin\AppData\Local\Temp\Luxury Crypter 18.0.0\Luxury Crypter.exe (PID 100)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Luxury Crypter 18.0.0\Luxury Crypter.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Luxury Crypter 18.0.0\Luxury Crypter.exe (PID 3880)
        Command line: "C:\Users\Admin\AppData\Local\Temp\Luxury Crypter 18.0.0\Luxury Crypter.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Enumerates system info in registry
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\Luxury Crypter 18.0.0\ILMerge.exe (PID 4172)
            Command line: "C:\Users\Admin\AppData\Local\Temp\Luxury Crypter 18.0.0\ILMerge.exe"
        C:\Windows\SysWOW64\cscript.exe (PID 4444)
            Command line: "C:\Windows\System32\cscript.exe" "C:\Users\Admin\AppData\Roaming\WK.Libraries.FontsInstaller\\Unavailable\Installer.vbs"
            - Blocklisted process makes network request
            - System Location Discovery: System Language Discovery
            - Modifies system certificate store
    C:\Users\Admin\AppData\Roaming\svchost.exe (PID 3420)
        Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
        - Checks computer location settings
        - Drops startup file
        - Executes dropped EXE
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 984)
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3212)
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4056)
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4900)
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
    C:\ProgramData\msedgewebview2.exe (PID 1472)
        Command line: "C:\ProgramData\msedgewebview2.exe"
        - Checks computer location settings
        - Drops startup file
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SYSTEM32\schtasks.exe (PID 4432)
            Command line: "schtasks.exe" /create /tn msedgewebview2 /tr "C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe" /st 09:54 /du 23:59 /sc daily /ri 1 /f
            - Scheduled Task/Job: Scheduled Task
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3184)
            Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedgewebview2'
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe (PID 772)
            Command line: "C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe"
            - Executes dropped EXE
            - Suspicious behavior: AddClipboardFormatListener
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\cmd.exe (PID 4700)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp29BB.tmp.cmd""
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\timeout.exe (PID 3604)
                Command line: timeout 6
                - Delays execution with timeout.exe
C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe (PID 2208)
    Command line: C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
    - Executes dropped EXE
C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe (PID 4884)
    Command line: C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
    - Executes dropped EXE
C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe (PID 2632)
    Command line: C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
    - Executes dropped EXE
C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe (PID 3496)
    Command line: C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
    - Executes dropped EXE
C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe (PID 3848)
    Command line: C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
    - Executes dropped EXE
C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe (PID 3012)
    Command line: C:\Users\Admin\AppData\Local\msedgewebview2\msedgewebview2.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Modify Registry (1)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Downloads