xworm | 8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-11-2024 23:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.BackDoor.SpyBotNET.58.13925.29669.exe
Size

909KB
MD5

74b16801ca2365d3b29e6194237c665a
SHA1

9d172c5a08c68e8134eaad60063071662afd5057
SHA256

8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f
SHA512

8201c89ce2e7eab9b5bfe3f8da956c73604261e83a3bf5d267be6a9b44790ec714e22a0ddfbc9fd009395893ef68864e5fac54172aceb568aec2270de6700567
SSDEEP

24576:7/dTDkoRaidakIYibePZUM+TrxT1sS5GJ:7xDkoRaFYibE0TFJH5W

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

83.38.24.1:1603

Attributes

Install_directory
%Userprofile%
install_file
USB.exe

Signatures

Detect Xworm Payload 16 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012033-5.dat	family_xworm
behavioral1/memory/2256-15-0x0000000000A70000-0x0000000000A9A000-memory.dmp	family_xworm
behavioral1/memory/2068-14-0x0000000000C40000-0x0000000000C70000-memory.dmp	family_xworm
behavioral1/files/0x0008000000015d07-12.dat	family_xworm
behavioral1/files/0x0008000000015d19-18.dat	family_xworm
behavioral1/files/0x0007000000015d30-24.dat	family_xworm
behavioral1/files/0x0007000000015d48-26.dat	family_xworm
behavioral1/memory/2260-29-0x0000000001120000-0x0000000001144000-memory.dmp	family_xworm
behavioral1/memory/1504-31-0x0000000000BB0000-0x0000000000BD4000-memory.dmp	family_xworm
behavioral1/memory/1596-30-0x0000000000D70000-0x0000000000DB2000-memory.dmp	family_xworm
behavioral1/memory/1696-167-0x0000000001280000-0x00000000012A4000-memory.dmp	family_xworm
behavioral1/memory/1848-168-0x0000000001380000-0x00000000013C2000-memory.dmp	family_xworm
behavioral1/memory/1816-159-0x0000000000C80000-0x0000000000CB0000-memory.dmp	family_xworm
behavioral1/memory/2384-161-0x0000000001290000-0x00000000012BA000-memory.dmp	family_xworm
behavioral1/memory/1860-171-0x0000000000EF0000-0x0000000000F14000-memory.dmp	family_xworm
behavioral1/memory/2856-182-0x00000000010E0000-0x0000000001104000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2628	powershell.exe
1884	powershell.exe
1412	powershell.exe
1100	powershell.exe
2128	powershell.exe
688	powershell.exe
1676	powershell.exe
1768	powershell.exe
2928	powershell.exe
2044	powershell.exe
2148	powershell.exe
468	powershell.exe
1992	powershell.exe
2808	powershell.exe
3060	powershell.exe

Drops startup file 10 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiPrvSE.lnk	WmiPrvSE.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.lnk	regedit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.lnk	regedit.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SearchFilterHost.lnk	SearchFilterHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	SecurityHealthSystray.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiPrvSE.lnk	WmiPrvSE.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SearchFilterHost.lnk	SearchFilterHost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	SecurityHealthSystray.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe

Executes dropped EXE 15 IoCs

pid	Process
2068	OneDrive.exe
2256	SearchFilterHost.exe
1596	SecurityHealthSystray.exe
1504	WmiPrvSE.exe
2260	regedit.exe
1816	OneDrive.exe
2384	SearchFilterHost.exe
1696	WmiPrvSE.exe
1848	SecurityHealthSystray.exe
1860	regedit.exe
2408	SecurityHealthSystray.exe
2788	SearchFilterHost.exe
2564	OneDrive.exe
2856	regedit.exe
536	WmiPrvSE.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\ProgramData\\WmiPrvSE.exe"	WmiPrvSE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\regedit = "C:\\Users\\Public\\regedit.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\SearchFilterHost = "C:\\Users\\Admin\\SearchFilterHost.exe"	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\ProgramData\\SecurityHealthSystray.exe"	SecurityHealthSystray.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\OneDrive.exe"	OneDrive.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs regedit.exe 3 IoCs

pid	Process
1860	regedit.exe
2856	regedit.exe
2260	regedit.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2776	schtasks.exe
876	schtasks.exe
1972	schtasks.exe
2948	schtasks.exe
2724	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2928	powershell.exe
2808	powershell.exe
1992	powershell.exe
2628	powershell.exe
2044	powershell.exe
3060	powershell.exe
2148	powershell.exe
2128	powershell.exe
1884	powershell.exe
468	powershell.exe
688	powershell.exe
1676	powershell.exe
1412	powershell.exe
1768	powershell.exe
1100	powershell.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2068	OneDrive.exe
Token: SeDebugPrivilege	2256	SearchFilterHost.exe
Token: SeDebugPrivilege	2260	regedit.exe
Token: SeDebugPrivilege	1504	WmiPrvSE.exe
Token: SeDebugPrivilege	1596	SecurityHealthSystray.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	468	powershell.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	1504	WmiPrvSE.exe
Token: SeDebugPrivilege	2260	regedit.exe
Token: SeDebugPrivilege	2256	SearchFilterHost.exe
Token: SeDebugPrivilege	1596	SecurityHealthSystray.exe
Token: SeDebugPrivilege	2068	OneDrive.exe
Token: SeDebugPrivilege	1848	SecurityHealthSystray.exe
Token: SeDebugPrivilege	1816	OneDrive.exe
Token: SeDebugPrivilege	2384	SearchFilterHost.exe
Token: SeDebugPrivilege	1696	WmiPrvSE.exe
Token: SeDebugPrivilege	1860	regedit.exe
Token: SeDebugPrivilege	2856	regedit.exe
Token: SeDebugPrivilege	2564	OneDrive.exe
Token: SeDebugPrivilege	2408	SecurityHealthSystray.exe
Token: SeDebugPrivilege	2788	SearchFilterHost.exe
Token: SeDebugPrivilege	536	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2068	2404	SecuriteInfo.com.BackDoor.SpyBotNET.58.13925.29669.exe	30
PID 2404 wrote to memory of 2068	2404	SecuriteInfo.com.BackDoor.SpyBotNET.58.13925.29669.exe	30
PID 2404 wrote to memory of 2068	2404	SecuriteInfo.com.BackDoor.SpyBotNET.58.13925.29669.exe	30
PID 2404 wrote to memory of 2256	2404	SecuriteInfo.com.BackDoor.SpyBotNET.58.13925.29669.exe	31
PID 2404 wrote to memory of 2256	2404	SecuriteInfo.com.BackDoor.SpyBotNET.58.13925.29669.exe	31
PID 2404 wrote to memory of 2256	2404	SecuriteInfo.com.BackDoor.SpyBotNET.58.13925.29669.exe	31
PID 2404 wrote to memory of 1596	2404	SecuriteInfo.com.BackDoor.SpyBotNET.58.13925.29669.exe	32
PID 2404 wrote to memory of 1596	2404	SecuriteInfo.com.BackDoor.SpyBotNET.58.13925.29669.exe	32
PID 2404 wrote to memory of 1596	2404	SecuriteInfo.com.BackDoor.SpyBotNET.58.13925.29669.exe	32
PID 2404 wrote to memory of 1504	2404	SecuriteInfo.com.BackDoor.SpyBotNET.58.13925.29669.exe	33
PID 2404 wrote to memory of 1504	2404	SecuriteInfo.com.BackDoor.SpyBotNET.58.13925.29669.exe	33
PID 2404 wrote to memory of 1504	2404	SecuriteInfo.com.BackDoor.SpyBotNET.58.13925.29669.exe	33
PID 2404 wrote to memory of 2260	2404	SecuriteInfo.com.BackDoor.SpyBotNET.58.13925.29669.exe	34
PID 2404 wrote to memory of 2260	2404	SecuriteInfo.com.BackDoor.SpyBotNET.58.13925.29669.exe	34
PID 2404 wrote to memory of 2260	2404	SecuriteInfo.com.BackDoor.SpyBotNET.58.13925.29669.exe	34
PID 2256 wrote to memory of 1992	2256	SearchFilterHost.exe	35
PID 2256 wrote to memory of 1992	2256	SearchFilterHost.exe	35
PID 2256 wrote to memory of 1992	2256	SearchFilterHost.exe	35
PID 2068 wrote to memory of 2928	2068	OneDrive.exe	36
PID 2068 wrote to memory of 2928	2068	OneDrive.exe	36
PID 2068 wrote to memory of 2928	2068	OneDrive.exe	36
PID 2260 wrote to memory of 2808	2260	regedit.exe	39
PID 2260 wrote to memory of 2808	2260	regedit.exe	39
PID 2260 wrote to memory of 2808	2260	regedit.exe	39
PID 1504 wrote to memory of 2628	1504	WmiPrvSE.exe	42
PID 1504 wrote to memory of 2628	1504	WmiPrvSE.exe	42
PID 1504 wrote to memory of 2628	1504	WmiPrvSE.exe	42
PID 1596 wrote to memory of 2044	1596	SecurityHealthSystray.exe	41
PID 1596 wrote to memory of 2044	1596	SecurityHealthSystray.exe	41
PID 1596 wrote to memory of 2044	1596	SecurityHealthSystray.exe	41
PID 1504 wrote to memory of 2148	1504	WmiPrvSE.exe	46
PID 1504 wrote to memory of 2148	1504	WmiPrvSE.exe	46
PID 1504 wrote to memory of 2148	1504	WmiPrvSE.exe	46
PID 2260 wrote to memory of 3060	2260	regedit.exe	47
PID 2260 wrote to memory of 3060	2260	regedit.exe	47
PID 2260 wrote to memory of 3060	2260	regedit.exe	47
PID 1596 wrote to memory of 2128	1596	SecurityHealthSystray.exe	50
PID 1596 wrote to memory of 2128	1596	SecurityHealthSystray.exe	50
PID 1596 wrote to memory of 2128	1596	SecurityHealthSystray.exe	50
PID 2068 wrote to memory of 1884	2068	OneDrive.exe	52
PID 2068 wrote to memory of 1884	2068	OneDrive.exe	52
PID 2068 wrote to memory of 1884	2068	OneDrive.exe	52
PID 2256 wrote to memory of 468	2256	SearchFilterHost.exe	54
PID 2256 wrote to memory of 468	2256	SearchFilterHost.exe	54
PID 2256 wrote to memory of 468	2256	SearchFilterHost.exe	54
PID 2260 wrote to memory of 688	2260	regedit.exe	56
PID 2260 wrote to memory of 688	2260	regedit.exe	56
PID 2260 wrote to memory of 688	2260	regedit.exe	56
PID 2256 wrote to memory of 1676	2256	SearchFilterHost.exe	58
PID 2256 wrote to memory of 1676	2256	SearchFilterHost.exe	58
PID 2256 wrote to memory of 1676	2256	SearchFilterHost.exe	58
PID 1504 wrote to memory of 1412	1504	WmiPrvSE.exe	59
PID 1504 wrote to memory of 1412	1504	WmiPrvSE.exe	59
PID 1504 wrote to memory of 1412	1504	WmiPrvSE.exe	59
PID 1596 wrote to memory of 1768	1596	SecurityHealthSystray.exe	62
PID 1596 wrote to memory of 1768	1596	SecurityHealthSystray.exe	62
PID 1596 wrote to memory of 1768	1596	SecurityHealthSystray.exe	62
PID 2068 wrote to memory of 1100	2068	OneDrive.exe	64
PID 2068 wrote to memory of 1100	2068	OneDrive.exe	64
PID 2068 wrote to memory of 1100	2068	OneDrive.exe	64
PID 1504 wrote to memory of 2776	1504	WmiPrvSE.exe	66
PID 1504 wrote to memory of 2776	1504	WmiPrvSE.exe	66
PID 1504 wrote to memory of 2776	1504	WmiPrvSE.exe	66
PID 2260 wrote to memory of 876	2260	regedit.exe	68

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.SpyBotNET.58.13925.29669.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.SpyBotNET.58.13925.29669.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1884
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1100
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\Users\Admin\OneDrive.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2724
- C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe
  "C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SearchFilterHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\SearchFilterHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SearchFilterHost" /tr "C:\Users\Admin\SearchFilterHost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1972
- C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe
  "C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2128
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\SecurityHealthSystray.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1768
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\ProgramData\SecurityHealthSystray.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2948
- C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe
  "C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1412
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WmiPrvSE" /tr "C:\ProgramData\WmiPrvSE.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2776
- C:\Users\Admin\AppData\Local\Temp\regedit.exe
  "C:\Users\Admin\AppData\Local\Temp\regedit.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Runs regedit.exe
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\regedit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'regedit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\regedit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:688
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "regedit" /tr "C:\Users\Public\regedit.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:876

C:\Windows\system32\taskeng.exe
taskeng.exe {665BC745-FE95-41B3-A16F-78B4922FB55D} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
1⤵
PID:2028
- C:\Users\Admin\OneDrive.exe
  C:\Users\Admin\OneDrive.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\ProgramData\SecurityHealthSystray.exe
  C:\ProgramData\SecurityHealthSystray.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\Users\Admin\SearchFilterHost.exe
  C:\Users\Admin\SearchFilterHost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2384
- C:\Users\Public\regedit.exe
  C:\Users\Public\regedit.exe
  2⤵
  - Executes dropped EXE
  - Runs regedit.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:1860
- C:\ProgramData\WmiPrvSE.exe
  C:\ProgramData\WmiPrvSE.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Users\Admin\OneDrive.exe
  C:\Users\Admin\OneDrive.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- C:\ProgramData\SecurityHealthSystray.exe
  C:\ProgramData\SecurityHealthSystray.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
- C:\Users\Public\regedit.exe
  C:\Users\Public\regedit.exe
  2⤵
  - Executes dropped EXE
  - Runs regedit.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:2856
- C:\Users\Admin\SearchFilterHost.exe
  C:\Users\Admin\SearchFilterHost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\ProgramData\WmiPrvSE.exe
  C:\ProgramData\WmiPrvSE.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OneDrive.exe

Filesize
163KB

MD5
abd4141118794cd94979dc12bcded7b7

SHA1
27b11caedb23ea8dab4f36f5865a96e6e7f55806

SHA256
be9f4292935c19f00dcf2a6e09bc63f50cf7caad0d8ea0a45ed7bf86fb14e904

SHA512
d4ddda6b8ac66683e78b78360326ee50edf5edc8278a2f82e414545d4dd2a3d5e4269fe1dd884926b2e6d7e52af030f0b66fcca50cad77b8a31837ff482c4809

Download Submit
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe

Filesize
145KB

MD5
40324e8a46ec891bcb5300f51ddfc335

SHA1
bc5c53d890371bd472c707da8e84c3925bf077d5

SHA256
cc7bcd68ad32d8490fd2d5217b5bace0068a7ebf96831f0373d88e27e6a3ff2c

SHA512
5b2c618234a6b14ea377604f08dd3c6f193be4f593f18b38ff9a3b88f939d61934c3ec4efca91ff98791051eeb79a53315168bfa0fe8466b60249f3bde9b86de

Download Submit
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe

Filesize
243KB

MD5
f32ac010fcdbc8f8a5582c339ec9d9ea

SHA1
20c06c5a174504c4e28c9aa0b51a62ab8f5c70cb

SHA256
88835382ffaf3f7f0730a0a7edab3d3214cbbfdbc35e7269b80a6bd05b7edd18

SHA512
9798b196315a1e463105b811a0937f763ae21826fa9bd9f346059b5f0a573d48a6f4ed7174fb4551a4ae7ccd089c9cae90c30b38ef6e7c12e896138a0fcaa8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe

Filesize
124KB

MD5
16caf66537fe87d8d9b6a4eb34d9dbff

SHA1
4a399f4229ea5b27963d467223fd4ceb89e545f5

SHA256
64cc787990be5cdc1c25f5cdbfd2a0e93d4c68a888fefa0b7e2b0d12cea4de26

SHA512
a034dba721d36b5396dbe08a581d06c692c84edb0946e45073a8e3eb78a685ad42011b8ffa970190e673e94350dc1feef8d8f51908b53bc23a80536f75bba9d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\regedit.exe

Filesize
121KB

MD5
005b549e8fa8f966d1c0ce845cfaffce

SHA1
4dc69fa135bec170229863f4d7320b402698cef1

SHA256
8befb7faacdffeb7dd84b629ec7066ed1baf3947a6ed8c1ac8432335e3b2828b

SHA512
1169ec7a0628a03ecb8a924527fa03dd0d391f9d0bf2a537e9ee7022265bfeba57b85759507fbc4962f10a5f43f2ea86d8c18cbf00aa8f5b9a2323174a9663ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a4486a03e85d2ea2dc01d371d2bb4e06

SHA1
6dee9a27f9a9760a0bfd1bb6afa91f11228c969c

SHA256
ed8f8a0c3d3342e9c29fb98a17541b22a60fae4f33993c403618ce9305944cf0

SHA512
2d13b6c152f6b0dcaea2ced179b42e134b738235e9b42e060bbbc4496ef7a9d63e1acaf97fc8f62d46922a9bb348118bc055062c0f6f84d1eb9a7a32cfd1cef2

Download Submit
memory/1504-31-0x0000000000BB0000-0x0000000000BD4000-memory.dmp

Filesize
144KB

Download
memory/1596-30-0x0000000000D70000-0x0000000000DB2000-memory.dmp

Filesize
264KB

Download
memory/1696-167-0x0000000001280000-0x00000000012A4000-memory.dmp

Filesize
144KB

Download
memory/1816-159-0x0000000000C80000-0x0000000000CB0000-memory.dmp

Filesize
192KB

Download
memory/1848-168-0x0000000001380000-0x00000000013C2000-memory.dmp

Filesize
264KB

Download
memory/1860-171-0x0000000000EF0000-0x0000000000F14000-memory.dmp

Filesize
144KB

Download
memory/1992-48-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2068-151-0x000007FEF61C0000-0x000007FEF6BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2068-14-0x0000000000C40000-0x0000000000C70000-memory.dmp

Filesize
192KB

Download
memory/2068-32-0x000007FEF61C0000-0x000007FEF6BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2256-15-0x0000000000A70000-0x0000000000A9A000-memory.dmp

Filesize
168KB

Download
memory/2260-29-0x0000000001120000-0x0000000001144000-memory.dmp

Filesize
144KB

Download
memory/2384-161-0x0000000001290000-0x00000000012BA000-memory.dmp

Filesize
168KB

Download
memory/2404-0-0x000007FEF61C3000-0x000007FEF61C4000-memory.dmp

Filesize
4KB

Download
memory/2404-1-0x0000000000220000-0x0000000000308000-memory.dmp

Filesize
928KB

Download
memory/2808-47-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/2856-182-0x00000000010E0000-0x0000000001104000-memory.dmp

Filesize
144KB

Download