xworm | 686900f495cffbd18b113fe3662e98c000a2a6365926ebe0d950c7d5d1b759c6

Analysis

max time kernel
135s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/11/2024, 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jjjjj.exe
Size

693KB
MD5

4c138aeb4795fde4e3d9c5b2c6765521
SHA1

d49e76214ec5e269435765b7921b9f159205942b
SHA256

686900f495cffbd18b113fe3662e98c000a2a6365926ebe0d950c7d5d1b759c6
SHA512

93211f44410170fe7f48daf43688aa0190959386aae3e783e8b4a11d4be9e638a55aaa17b8227de330da0b5dbadc56a71079b627ec1b293990f0c44779df3d7c
SSDEEP

12288:cAxwxpi8hWPrmq9oheVVFPuUlk80CyyIsFcJzr:vx0rh8rmJAtuUSDa2

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

83.38.24.1:1603

Attributes

Install_directory
%Userprofile%
install_file
USB.exe

Signatures

Detect Xworm Payload 19 IoCs

resource	yara_rule
behavioral1/files/0x00080000000120ff-5.dat	family_xworm
behavioral1/memory/2308-13-0x0000000000860000-0x0000000000890000-memory.dmp	family_xworm
behavioral1/files/0x0008000000015d6d-11.dat	family_xworm
behavioral1/files/0x0008000000015d75-17.dat	family_xworm
behavioral1/files/0x0008000000015d7f-23.dat	family_xworm
behavioral1/memory/2076-21-0x0000000000070000-0x00000000000B2000-memory.dmp	family_xworm
behavioral1/memory/1804-20-0x0000000000090000-0x00000000000BA000-memory.dmp	family_xworm
behavioral1/memory/2228-25-0x0000000001080000-0x00000000010A4000-memory.dmp	family_xworm
behavioral1/memory/2776-131-0x00000000002D0000-0x0000000000312000-memory.dmp	family_xworm
behavioral1/memory/2236-134-0x0000000000C40000-0x0000000000C70000-memory.dmp	family_xworm
behavioral1/memory/2724-138-0x0000000001230000-0x0000000001254000-memory.dmp	family_xworm
behavioral1/memory/316-140-0x0000000000980000-0x00000000009AA000-memory.dmp	family_xworm
behavioral1/memory/1168-146-0x0000000000860000-0x00000000008A2000-memory.dmp	family_xworm
behavioral1/memory/1856-149-0x0000000001180000-0x00000000011AA000-memory.dmp	family_xworm
behavioral1/memory/752-151-0x00000000003A0000-0x00000000003C4000-memory.dmp	family_xworm
behavioral1/memory/1956-152-0x0000000000DE0000-0x0000000000E10000-memory.dmp	family_xworm
behavioral1/memory/1656-155-0x00000000008F0000-0x0000000000932000-memory.dmp	family_xworm
behavioral1/memory/2424-156-0x00000000011A0000-0x00000000011D0000-memory.dmp	family_xworm
behavioral1/memory/808-159-0x0000000000B70000-0x0000000000B94000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1796	powershell.exe
2020	powershell.exe
1792	powershell.exe
2040	powershell.exe
2624	powershell.exe
2944	powershell.exe
2060	powershell.exe
2692	powershell.exe
2864	powershell.exe
2032	powershell.exe
2952	powershell.exe
1552	powershell.exe

Drops startup file 8 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SearchFilterHost.lnk	SearchFilterHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SearchFilterHost.lnk	SearchFilterHost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiPrvSE.lnk	WmiPrvSE.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiPrvSE.lnk	WmiPrvSE.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	SecurityHealthSystray.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	SecurityHealthSystray.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe

Executes dropped EXE 16 IoCs

pid	Process
2308	OneDrive.exe
1804	SearchFilterHost.exe
2076	SecurityHealthSystray.exe
2228	WmiPrvSE.exe
2776	SecurityHealthSystray.exe
2236	OneDrive.exe
2724	WmiPrvSE.exe
316	SearchFilterHost.exe
1168	SecurityHealthSystray.exe
752	WmiPrvSE.exe
1856	SearchFilterHost.exe
1956	OneDrive.exe
1656	SecurityHealthSystray.exe
2424	OneDrive.exe
808	WmiPrvSE.exe
2452	SearchFilterHost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\OneDrive.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\SearchFilterHost = "C:\\Users\\Admin\\SearchFilterHost.exe"	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\ProgramData\\WmiPrvSE.exe"	WmiPrvSE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\ProgramData\\SecurityHealthSystray.exe"	SecurityHealthSystray.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2924	schtasks.exe
1500	schtasks.exe
2972	schtasks.exe
808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2692	powershell.exe
2060	powershell.exe
2944	powershell.exe
2864	powershell.exe
1796	powershell.exe
2032	powershell.exe
1792	powershell.exe
2040	powershell.exe
2020	powershell.exe
2624	powershell.exe
2952	powershell.exe
1552	powershell.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2308	OneDrive.exe
Token: SeDebugPrivilege	1804	SearchFilterHost.exe
Token: SeDebugPrivilege	2076	SecurityHealthSystray.exe
Token: SeDebugPrivilege	2228	WmiPrvSE.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	2308	OneDrive.exe
Token: SeDebugPrivilege	1804	SearchFilterHost.exe
Token: SeDebugPrivilege	2228	WmiPrvSE.exe
Token: SeDebugPrivilege	2076	SecurityHealthSystray.exe
Token: SeDebugPrivilege	2776	SecurityHealthSystray.exe
Token: SeDebugPrivilege	2236	OneDrive.exe
Token: SeDebugPrivilege	2724	WmiPrvSE.exe
Token: SeDebugPrivilege	316	SearchFilterHost.exe
Token: SeDebugPrivilege	1168	SecurityHealthSystray.exe
Token: SeDebugPrivilege	1856	SearchFilterHost.exe
Token: SeDebugPrivilege	1956	OneDrive.exe
Token: SeDebugPrivilege	752	WmiPrvSE.exe
Token: SeDebugPrivilege	808	WmiPrvSE.exe
Token: SeDebugPrivilege	1656	SecurityHealthSystray.exe
Token: SeDebugPrivilege	2424	OneDrive.exe
Token: SeDebugPrivilege	2452	SearchFilterHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2308	2124	jjjjj.exe	30
PID 2124 wrote to memory of 2308	2124	jjjjj.exe	30
PID 2124 wrote to memory of 2308	2124	jjjjj.exe	30
PID 2124 wrote to memory of 1804	2124	jjjjj.exe	31
PID 2124 wrote to memory of 1804	2124	jjjjj.exe	31
PID 2124 wrote to memory of 1804	2124	jjjjj.exe	31
PID 2124 wrote to memory of 2076	2124	jjjjj.exe	32
PID 2124 wrote to memory of 2076	2124	jjjjj.exe	32
PID 2124 wrote to memory of 2076	2124	jjjjj.exe	32
PID 2124 wrote to memory of 2228	2124	jjjjj.exe	33
PID 2124 wrote to memory of 2228	2124	jjjjj.exe	33
PID 2124 wrote to memory of 2228	2124	jjjjj.exe	33
PID 1804 wrote to memory of 2944	1804	SearchFilterHost.exe	34
PID 1804 wrote to memory of 2944	1804	SearchFilterHost.exe	34
PID 1804 wrote to memory of 2944	1804	SearchFilterHost.exe	34
PID 2228 wrote to memory of 2692	2228	WmiPrvSE.exe	35
PID 2228 wrote to memory of 2692	2228	WmiPrvSE.exe	35
PID 2228 wrote to memory of 2692	2228	WmiPrvSE.exe	35
PID 2076 wrote to memory of 2060	2076	SecurityHealthSystray.exe	38
PID 2076 wrote to memory of 2060	2076	SecurityHealthSystray.exe	38
PID 2076 wrote to memory of 2060	2076	SecurityHealthSystray.exe	38
PID 2308 wrote to memory of 2864	2308	OneDrive.exe	40
PID 2308 wrote to memory of 2864	2308	OneDrive.exe	40
PID 2308 wrote to memory of 2864	2308	OneDrive.exe	40
PID 2308 wrote to memory of 2032	2308	OneDrive.exe	42
PID 2308 wrote to memory of 2032	2308	OneDrive.exe	42
PID 2308 wrote to memory of 2032	2308	OneDrive.exe	42
PID 1804 wrote to memory of 1796	1804	SearchFilterHost.exe	43
PID 1804 wrote to memory of 1796	1804	SearchFilterHost.exe	43
PID 1804 wrote to memory of 1796	1804	SearchFilterHost.exe	43
PID 2228 wrote to memory of 1792	2228	WmiPrvSE.exe	44
PID 2228 wrote to memory of 1792	2228	WmiPrvSE.exe	44
PID 2228 wrote to memory of 1792	2228	WmiPrvSE.exe	44
PID 2076 wrote to memory of 2040	2076	SecurityHealthSystray.exe	48
PID 2076 wrote to memory of 2040	2076	SecurityHealthSystray.exe	48
PID 2076 wrote to memory of 2040	2076	SecurityHealthSystray.exe	48
PID 2308 wrote to memory of 2020	2308	OneDrive.exe	50
PID 2308 wrote to memory of 2020	2308	OneDrive.exe	50
PID 2308 wrote to memory of 2020	2308	OneDrive.exe	50
PID 1804 wrote to memory of 2624	1804	SearchFilterHost.exe	52
PID 1804 wrote to memory of 2624	1804	SearchFilterHost.exe	52
PID 1804 wrote to memory of 2624	1804	SearchFilterHost.exe	52
PID 2228 wrote to memory of 2952	2228	WmiPrvSE.exe	54
PID 2228 wrote to memory of 2952	2228	WmiPrvSE.exe	54
PID 2228 wrote to memory of 2952	2228	WmiPrvSE.exe	54
PID 2076 wrote to memory of 1552	2076	SecurityHealthSystray.exe	56
PID 2076 wrote to memory of 1552	2076	SecurityHealthSystray.exe	56
PID 2076 wrote to memory of 1552	2076	SecurityHealthSystray.exe	56
PID 2308 wrote to memory of 2924	2308	OneDrive.exe	59
PID 2308 wrote to memory of 2924	2308	OneDrive.exe	59
PID 2308 wrote to memory of 2924	2308	OneDrive.exe	59
PID 1804 wrote to memory of 1500	1804	SearchFilterHost.exe	61
PID 1804 wrote to memory of 1500	1804	SearchFilterHost.exe	61
PID 1804 wrote to memory of 1500	1804	SearchFilterHost.exe	61
PID 2228 wrote to memory of 2972	2228	WmiPrvSE.exe	63
PID 2228 wrote to memory of 2972	2228	WmiPrvSE.exe	63
PID 2228 wrote to memory of 2972	2228	WmiPrvSE.exe	63
PID 2076 wrote to memory of 808	2076	SecurityHealthSystray.exe	65
PID 2076 wrote to memory of 808	2076	SecurityHealthSystray.exe	65
PID 2076 wrote to memory of 808	2076	SecurityHealthSystray.exe	65
PID 2628 wrote to memory of 2776	2628	taskeng.exe	69
PID 2628 wrote to memory of 2776	2628	taskeng.exe	69
PID 2628 wrote to memory of 2776	2628	taskeng.exe	69
PID 2628 wrote to memory of 2724	2628	taskeng.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\jjjjj.exe
"C:\Users\Admin\AppData\Local\Temp\jjjjj.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2020
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\Users\Admin\OneDrive.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2924
- C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe
  "C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SearchFilterHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\SearchFilterHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2624
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SearchFilterHost" /tr "C:\Users\Admin\SearchFilterHost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1500
- C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe
  "C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\SecurityHealthSystray.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1552
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\ProgramData\SecurityHealthSystray.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:808
- C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe
  "C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WmiPrvSE" /tr "C:\ProgramData\WmiPrvSE.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2972

C:\Windows\system32\taskeng.exe
taskeng.exe {90129CDC-513F-46A3-AF8C-347F29D7378B} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2628
- C:\ProgramData\SecurityHealthSystray.exe
  C:\ProgramData\SecurityHealthSystray.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\ProgramData\WmiPrvSE.exe
  C:\ProgramData\WmiPrvSE.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Users\Admin\OneDrive.exe
  C:\Users\Admin\OneDrive.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Users\Admin\SearchFilterHost.exe
  C:\Users\Admin\SearchFilterHost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:316
- C:\ProgramData\SecurityHealthSystray.exe
  C:\ProgramData\SecurityHealthSystray.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1168
- C:\ProgramData\WmiPrvSE.exe
  C:\ProgramData\WmiPrvSE.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:752
- C:\Users\Admin\SearchFilterHost.exe
  C:\Users\Admin\SearchFilterHost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\Users\Admin\OneDrive.exe
  C:\Users\Admin\OneDrive.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\ProgramData\SecurityHealthSystray.exe
  C:\ProgramData\SecurityHealthSystray.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\ProgramData\WmiPrvSE.exe
  C:\ProgramData\WmiPrvSE.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:808
- C:\Users\Admin\OneDrive.exe
  C:\Users\Admin\OneDrive.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Users\Admin\SearchFilterHost.exe
  C:\Users\Admin\SearchFilterHost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OneDrive.exe

Filesize
163KB

MD5
abd4141118794cd94979dc12bcded7b7

SHA1
27b11caedb23ea8dab4f36f5865a96e6e7f55806

SHA256
be9f4292935c19f00dcf2a6e09bc63f50cf7caad0d8ea0a45ed7bf86fb14e904

SHA512
d4ddda6b8ac66683e78b78360326ee50edf5edc8278a2f82e414545d4dd2a3d5e4269fe1dd884926b2e6d7e52af030f0b66fcca50cad77b8a31837ff482c4809

Download Submit
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe

Filesize
145KB

MD5
40324e8a46ec891bcb5300f51ddfc335

SHA1
bc5c53d890371bd472c707da8e84c3925bf077d5

SHA256
cc7bcd68ad32d8490fd2d5217b5bace0068a7ebf96831f0373d88e27e6a3ff2c

SHA512
5b2c618234a6b14ea377604f08dd3c6f193be4f593f18b38ff9a3b88f939d61934c3ec4efca91ff98791051eeb79a53315168bfa0fe8466b60249f3bde9b86de

Download Submit
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe

Filesize
243KB

MD5
f32ac010fcdbc8f8a5582c339ec9d9ea

SHA1
20c06c5a174504c4e28c9aa0b51a62ab8f5c70cb

SHA256
88835382ffaf3f7f0730a0a7edab3d3214cbbfdbc35e7269b80a6bd05b7edd18

SHA512
9798b196315a1e463105b811a0937f763ae21826fa9bd9f346059b5f0a573d48a6f4ed7174fb4551a4ae7ccd089c9cae90c30b38ef6e7c12e896138a0fcaa8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe

Filesize
124KB

MD5
16caf66537fe87d8d9b6a4eb34d9dbff

SHA1
4a399f4229ea5b27963d467223fd4ceb89e545f5

SHA256
64cc787990be5cdc1c25f5cdbfd2a0e93d4c68a888fefa0b7e2b0d12cea4de26

SHA512
a034dba721d36b5396dbe08a581d06c692c84edb0946e45073a8e3eb78a685ad42011b8ffa970190e673e94350dc1feef8d8f51908b53bc23a80536f75bba9d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e24df14e6f0d7c750db68db367d1128a

SHA1
98796698fdd986526c219bdccd91f444a0583dea

SHA256
0785618eaf7875cba07e7f88e2af2ed56eef46284ea2be682c0df561fd5d2a37

SHA512
72d9a87ce00db0a7efd0b38016279964e28e8715c59da7d3f8142a8773ebdc2398dfb81c3b998c291b6ad5fa67af970ddf4d8803e1fb89e27ecdeb4006148001

Download Submit
memory/316-140-0x0000000000980000-0x00000000009AA000-memory.dmp

Filesize
168KB

Download
memory/752-151-0x00000000003A0000-0x00000000003C4000-memory.dmp

Filesize
144KB

Download
memory/808-159-0x0000000000B70000-0x0000000000B94000-memory.dmp

Filesize
144KB

Download
memory/1168-146-0x0000000000860000-0x00000000008A2000-memory.dmp

Filesize
264KB

Download
memory/1656-155-0x00000000008F0000-0x0000000000932000-memory.dmp

Filesize
264KB

Download
memory/1796-65-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/1804-20-0x0000000000090000-0x00000000000BA000-memory.dmp

Filesize
168KB

Download
memory/1856-149-0x0000000001180000-0x00000000011AA000-memory.dmp

Filesize
168KB

Download
memory/1956-152-0x0000000000DE0000-0x0000000000E10000-memory.dmp

Filesize
192KB

Download
memory/2032-64-0x000000001B4D0000-0x000000001B7B2000-memory.dmp

Filesize
2.9MB

Download
memory/2060-46-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2076-21-0x0000000000070000-0x00000000000B2000-memory.dmp

Filesize
264KB

Download
memory/2124-0-0x000007FEF58D3000-0x000007FEF58D4000-memory.dmp

Filesize
4KB

Download
memory/2124-1-0x0000000000230000-0x00000000002E4000-memory.dmp

Filesize
720KB

Download
memory/2228-25-0x0000000001080000-0x00000000010A4000-memory.dmp

Filesize
144KB

Download
memory/2236-134-0x0000000000C40000-0x0000000000C70000-memory.dmp

Filesize
192KB

Download
memory/2308-124-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

Filesize
9.9MB

Download
memory/2308-13-0x0000000000860000-0x0000000000890000-memory.dmp

Filesize
192KB

Download
memory/2308-26-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

Filesize
9.9MB

Download
memory/2424-156-0x00000000011A0000-0x00000000011D0000-memory.dmp

Filesize
192KB

Download
memory/2692-47-0x0000000002820000-0x0000000002828000-memory.dmp

Filesize
32KB

Download
memory/2724-138-0x0000000001230000-0x0000000001254000-memory.dmp

Filesize
144KB

Download
memory/2776-131-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download