xworm | 8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f

Analysis

max time kernel
130s
max time network
140s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
09-11-2024 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f.exe
Size

909KB
MD5

74b16801ca2365d3b29e6194237c665a
SHA1

9d172c5a08c68e8134eaad60063071662afd5057
SHA256

8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f
SHA512

8201c89ce2e7eab9b5bfe3f8da956c73604261e83a3bf5d267be6a9b44790ec714e22a0ddfbc9fd009395893ef68864e5fac54172aceb568aec2270de6700567
SSDEEP

24576:7/dTDkoRaidakIYibePZUM+TrxT1sS5GJ:7xDkoRaFYibE0TFJH5W

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

83.38.24.1:1603

Attributes

Install_directory
%Userprofile%
install_file
USB.exe

Signatures

Detect Xworm Payload 18 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012257-5.dat	family_xworm
behavioral1/memory/1380-13-0x00000000001B0000-0x00000000001E0000-memory.dmp	family_xworm
behavioral1/files/0x0007000000019490-14.dat	family_xworm
behavioral1/files/0x00060000000194da-27.dat	family_xworm
behavioral1/files/0x000700000001949d-26.dat	family_xworm
behavioral1/memory/944-23-0x0000000000C10000-0x0000000000C3A000-memory.dmp	family_xworm
behavioral1/files/0x00060000000194d0-21.dat	family_xworm
behavioral1/memory/2840-29-0x0000000000270000-0x0000000000294000-memory.dmp	family_xworm
behavioral1/memory/2752-30-0x00000000008C0000-0x00000000008E4000-memory.dmp	family_xworm
behavioral1/memory/2420-31-0x00000000013E0000-0x0000000001422000-memory.dmp	family_xworm
behavioral1/memory/1060-158-0x0000000001050000-0x0000000001074000-memory.dmp	family_xworm
behavioral1/memory/1996-162-0x0000000000890000-0x00000000008B4000-memory.dmp	family_xworm
behavioral1/memory/2484-165-0x00000000008C0000-0x0000000000902000-memory.dmp	family_xworm
behavioral1/memory/668-169-0x00000000012F0000-0x0000000001320000-memory.dmp	family_xworm
behavioral1/memory/3004-170-0x0000000001000000-0x000000000102A000-memory.dmp	family_xworm
behavioral1/memory/2932-178-0x00000000011C0000-0x0000000001202000-memory.dmp	family_xworm
behavioral1/memory/2608-180-0x0000000000E60000-0x0000000000E84000-memory.dmp	family_xworm
behavioral1/memory/484-183-0x00000000000F0000-0x0000000000114000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2808	powershell.exe
2472	powershell.exe
1828	powershell.exe
2512	powershell.exe
1604	powershell.exe
1240	powershell.exe
1012	powershell.exe
1936	powershell.exe
2664	powershell.exe
2744	powershell.exe
1732	powershell.exe
1712	powershell.exe
2620	powershell.exe
2224	powershell.exe
2536	powershell.exe

Drops startup file 10 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.lnk	regedit.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	SecurityHealthSystray.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	SecurityHealthSystray.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiPrvSE.lnk	WmiPrvSE.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.lnk	regedit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SearchFilterHost.lnk	SearchFilterHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SearchFilterHost.lnk	SearchFilterHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiPrvSE.lnk	WmiPrvSE.exe

Executes dropped EXE 15 IoCs

pid	Process
1380	OneDrive.exe
944	SearchFilterHost.exe
2752	WmiPrvSE.exe
2420	SecurityHealthSystray.exe
2840	regedit.exe
2484	SecurityHealthSystray.exe
1060	regedit.exe
1996	WmiPrvSE.exe
3004	SearchFilterHost.exe
668	OneDrive.exe
2608	WmiPrvSE.exe
2932	SecurityHealthSystray.exe
2800	SearchFilterHost.exe
2844	OneDrive.exe
484	regedit.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\ProgramData\\SecurityHealthSystray.exe"	SecurityHealthSystray.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\ProgramData\\WmiPrvSE.exe"	WmiPrvSE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\OneDrive.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\regedit = "C:\\Users\\Public\\regedit.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\SearchFilterHost = "C:\\Users\\Admin\\SearchFilterHost.exe"	SearchFilterHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs regedit.exe 3 IoCs

pid	Process
2840	regedit.exe
1060	regedit.exe
484	regedit.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
752	schtasks.exe
2888	schtasks.exe
2532	schtasks.exe
2968	schtasks.exe
2948	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2744	powershell.exe
2664	powershell.exe
1240	powershell.exe
2472	powershell.exe
2808	powershell.exe
1828	powershell.exe
2512	powershell.exe
1712	powershell.exe
2620	powershell.exe
1012	powershell.exe
1732	powershell.exe
1604	powershell.exe
2224	powershell.exe
2536	powershell.exe
1936	powershell.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	944	SearchFilterHost.exe
Token: SeDebugPrivilege	1380	OneDrive.exe
Token: SeDebugPrivilege	2840	regedit.exe
Token: SeDebugPrivilege	2752	WmiPrvSE.exe
Token: SeDebugPrivilege	2420	SecurityHealthSystray.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	2840	regedit.exe
Token: SeDebugPrivilege	1380	OneDrive.exe
Token: SeDebugPrivilege	944	SearchFilterHost.exe
Token: SeDebugPrivilege	2420	SecurityHealthSystray.exe
Token: SeDebugPrivilege	2752	WmiPrvSE.exe
Token: SeDebugPrivilege	1996	WmiPrvSE.exe
Token: SeDebugPrivilege	1060	regedit.exe
Token: SeDebugPrivilege	668	OneDrive.exe
Token: SeDebugPrivilege	3004	SearchFilterHost.exe
Token: SeDebugPrivilege	2484	SecurityHealthSystray.exe
Token: SeDebugPrivilege	2608	WmiPrvSE.exe
Token: SeDebugPrivilege	2932	SecurityHealthSystray.exe
Token: SeDebugPrivilege	2844	OneDrive.exe
Token: SeDebugPrivilege	484	regedit.exe
Token: SeDebugPrivilege	2800	SearchFilterHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 1380	2292	8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f.exe	31
PID 2292 wrote to memory of 1380	2292	8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f.exe	31
PID 2292 wrote to memory of 1380	2292	8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f.exe	31
PID 2292 wrote to memory of 944	2292	8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f.exe	32
PID 2292 wrote to memory of 944	2292	8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f.exe	32
PID 2292 wrote to memory of 944	2292	8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f.exe	32
PID 2292 wrote to memory of 2420	2292	8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f.exe	33
PID 2292 wrote to memory of 2420	2292	8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f.exe	33
PID 2292 wrote to memory of 2420	2292	8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f.exe	33
PID 2292 wrote to memory of 2752	2292	8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f.exe	34
PID 2292 wrote to memory of 2752	2292	8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f.exe	34
PID 2292 wrote to memory of 2752	2292	8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f.exe	34
PID 2292 wrote to memory of 2840	2292	8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f.exe	35
PID 2292 wrote to memory of 2840	2292	8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f.exe	35
PID 2292 wrote to memory of 2840	2292	8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f.exe	35
PID 944 wrote to memory of 2744	944	SearchFilterHost.exe	36
PID 944 wrote to memory of 2744	944	SearchFilterHost.exe	36
PID 944 wrote to memory of 2744	944	SearchFilterHost.exe	36
PID 2840 wrote to memory of 2664	2840	regedit.exe	37
PID 2840 wrote to memory of 2664	2840	regedit.exe	37
PID 2840 wrote to memory of 2664	2840	regedit.exe	37
PID 1380 wrote to memory of 1240	1380	OneDrive.exe	40
PID 1380 wrote to memory of 1240	1380	OneDrive.exe	40
PID 1380 wrote to memory of 1240	1380	OneDrive.exe	40
PID 2752 wrote to memory of 2808	2752	WmiPrvSE.exe	41
PID 2752 wrote to memory of 2808	2752	WmiPrvSE.exe	41
PID 2752 wrote to memory of 2808	2752	WmiPrvSE.exe	41
PID 2420 wrote to memory of 2472	2420	SecurityHealthSystray.exe	44
PID 2420 wrote to memory of 2472	2420	SecurityHealthSystray.exe	44
PID 2420 wrote to memory of 2472	2420	SecurityHealthSystray.exe	44
PID 2840 wrote to memory of 1828	2840	regedit.exe	46
PID 2840 wrote to memory of 1828	2840	regedit.exe	46
PID 2840 wrote to memory of 1828	2840	regedit.exe	46
PID 1380 wrote to memory of 2512	1380	OneDrive.exe	48
PID 1380 wrote to memory of 2512	1380	OneDrive.exe	48
PID 1380 wrote to memory of 2512	1380	OneDrive.exe	48
PID 944 wrote to memory of 1712	944	SearchFilterHost.exe	50
PID 944 wrote to memory of 1712	944	SearchFilterHost.exe	50
PID 944 wrote to memory of 1712	944	SearchFilterHost.exe	50
PID 2420 wrote to memory of 2620	2420	SecurityHealthSystray.exe	52
PID 2420 wrote to memory of 2620	2420	SecurityHealthSystray.exe	52
PID 2420 wrote to memory of 2620	2420	SecurityHealthSystray.exe	52
PID 2752 wrote to memory of 1012	2752	WmiPrvSE.exe	54
PID 2752 wrote to memory of 1012	2752	WmiPrvSE.exe	54
PID 2752 wrote to memory of 1012	2752	WmiPrvSE.exe	54
PID 2840 wrote to memory of 1732	2840	regedit.exe	56
PID 2840 wrote to memory of 1732	2840	regedit.exe	56
PID 2840 wrote to memory of 1732	2840	regedit.exe	56
PID 1380 wrote to memory of 1604	1380	OneDrive.exe	58
PID 1380 wrote to memory of 1604	1380	OneDrive.exe	58
PID 1380 wrote to memory of 1604	1380	OneDrive.exe	58
PID 944 wrote to memory of 2224	944	SearchFilterHost.exe	60
PID 944 wrote to memory of 2224	944	SearchFilterHost.exe	60
PID 944 wrote to memory of 2224	944	SearchFilterHost.exe	60
PID 2420 wrote to memory of 2536	2420	SecurityHealthSystray.exe	62
PID 2420 wrote to memory of 2536	2420	SecurityHealthSystray.exe	62
PID 2420 wrote to memory of 2536	2420	SecurityHealthSystray.exe	62
PID 2752 wrote to memory of 1936	2752	WmiPrvSE.exe	64
PID 2752 wrote to memory of 1936	2752	WmiPrvSE.exe	64
PID 2752 wrote to memory of 1936	2752	WmiPrvSE.exe	64
PID 1380 wrote to memory of 752	1380	OneDrive.exe	66
PID 1380 wrote to memory of 752	1380	OneDrive.exe	66
PID 1380 wrote to memory of 752	1380	OneDrive.exe	66
PID 2840 wrote to memory of 2888	2840	regedit.exe	68

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f.exe
"C:\Users\Admin\AppData\Local\Temp\8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1240
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1604
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\Users\Admin\OneDrive.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:752
- C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe
  "C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SearchFilterHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\SearchFilterHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2224
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SearchFilterHost" /tr "C:\Users\Admin\SearchFilterHost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2532
- C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe
  "C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2620
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\SecurityHealthSystray.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2536
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\ProgramData\SecurityHealthSystray.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2968
- C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe
  "C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1936
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WmiPrvSE" /tr "C:\ProgramData\WmiPrvSE.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2948
- C:\Users\Admin\AppData\Local\Temp\regedit.exe
  "C:\Users\Admin\AppData\Local\Temp\regedit.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Runs regedit.exe
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\regedit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'regedit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1828
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\regedit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1732
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "regedit" /tr "C:\Users\Public\regedit.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2888

C:\Windows\system32\taskeng.exe
taskeng.exe {8D26B6D0-3B52-4D9D-B22D-24DBC88AADA4} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]
1⤵
PID:2876
- C:\ProgramData\WmiPrvSE.exe
  C:\ProgramData\WmiPrvSE.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1996
- C:\ProgramData\SecurityHealthSystray.exe
  C:\ProgramData\SecurityHealthSystray.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2484
- C:\Users\Admin\SearchFilterHost.exe
  C:\Users\Admin\SearchFilterHost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Users\Public\regedit.exe
  C:\Users\Public\regedit.exe
  2⤵
  - Executes dropped EXE
  - Runs regedit.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:1060
- C:\Users\Admin\OneDrive.exe
  C:\Users\Admin\OneDrive.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:668
- C:\ProgramData\WmiPrvSE.exe
  C:\ProgramData\WmiPrvSE.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\ProgramData\SecurityHealthSystray.exe
  C:\ProgramData\SecurityHealthSystray.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Users\Admin\OneDrive.exe
  C:\Users\Admin\OneDrive.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Users\Admin\SearchFilterHost.exe
  C:\Users\Admin\SearchFilterHost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2800
- C:\Users\Public\regedit.exe
  C:\Users\Public\regedit.exe
  2⤵
  - Executes dropped EXE
  - Runs regedit.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OneDrive.exe

Filesize
163KB

MD5
abd4141118794cd94979dc12bcded7b7

SHA1
27b11caedb23ea8dab4f36f5865a96e6e7f55806

SHA256
be9f4292935c19f00dcf2a6e09bc63f50cf7caad0d8ea0a45ed7bf86fb14e904

SHA512
d4ddda6b8ac66683e78b78360326ee50edf5edc8278a2f82e414545d4dd2a3d5e4269fe1dd884926b2e6d7e52af030f0b66fcca50cad77b8a31837ff482c4809

Download Submit
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe

Filesize
145KB

MD5
40324e8a46ec891bcb5300f51ddfc335

SHA1
bc5c53d890371bd472c707da8e84c3925bf077d5

SHA256
cc7bcd68ad32d8490fd2d5217b5bace0068a7ebf96831f0373d88e27e6a3ff2c

SHA512
5b2c618234a6b14ea377604f08dd3c6f193be4f593f18b38ff9a3b88f939d61934c3ec4efca91ff98791051eeb79a53315168bfa0fe8466b60249f3bde9b86de

Download Submit
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe

Filesize
243KB

MD5
f32ac010fcdbc8f8a5582c339ec9d9ea

SHA1
20c06c5a174504c4e28c9aa0b51a62ab8f5c70cb

SHA256
88835382ffaf3f7f0730a0a7edab3d3214cbbfdbc35e7269b80a6bd05b7edd18

SHA512
9798b196315a1e463105b811a0937f763ae21826fa9bd9f346059b5f0a573d48a6f4ed7174fb4551a4ae7ccd089c9cae90c30b38ef6e7c12e896138a0fcaa8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe

Filesize
124KB

MD5
16caf66537fe87d8d9b6a4eb34d9dbff

SHA1
4a399f4229ea5b27963d467223fd4ceb89e545f5

SHA256
64cc787990be5cdc1c25f5cdbfd2a0e93d4c68a888fefa0b7e2b0d12cea4de26

SHA512
a034dba721d36b5396dbe08a581d06c692c84edb0946e45073a8e3eb78a685ad42011b8ffa970190e673e94350dc1feef8d8f51908b53bc23a80536f75bba9d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\regedit.exe

Filesize
121KB

MD5
005b549e8fa8f966d1c0ce845cfaffce

SHA1
4dc69fa135bec170229863f4d7320b402698cef1

SHA256
8befb7faacdffeb7dd84b629ec7066ed1baf3947a6ed8c1ac8432335e3b2828b

SHA512
1169ec7a0628a03ecb8a924527fa03dd0d391f9d0bf2a537e9ee7022265bfeba57b85759507fbc4962f10a5f43f2ea86d8c18cbf00aa8f5b9a2323174a9663ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c1e008874eb11915781d02b15eceee84

SHA1
c06dbdcca2aed66742a2e7fd141a94a52dad8bce

SHA256
7766f30e89b5c646801f0d99511745cbd490ce29cc7c7b81c67110cc3a217f1d

SHA512
fbc463f8d06efe1f7a2b877775d9044a01601253f53faa34ea5ee39e507af6359082238b9954930e6cb783de881a303ea95aa96c3b98494c6a4b77030b60b463

Download Submit
memory/484-183-0x00000000000F0000-0x0000000000114000-memory.dmp

Filesize
144KB

Download
memory/668-169-0x00000000012F0000-0x0000000001320000-memory.dmp

Filesize
192KB

Download
memory/944-23-0x0000000000C10000-0x0000000000C3A000-memory.dmp

Filesize
168KB

Download
memory/1060-158-0x0000000001050000-0x0000000001074000-memory.dmp

Filesize
144KB

Download
memory/1380-32-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/1380-13-0x00000000001B0000-0x00000000001E0000-memory.dmp

Filesize
192KB

Download
memory/1380-150-0x000007FEF5B10000-0x000007FEF64FC000-memory.dmp

Filesize
9.9MB

Download
memory/1996-162-0x0000000000890000-0x00000000008B4000-memory.dmp

Filesize
144KB

Download
memory/2292-0-0x000007FEF5B13000-0x000007FEF5B14000-memory.dmp

Filesize
4KB

Download
memory/2292-1-0x0000000001250000-0x0000000001338000-memory.dmp

Filesize
928KB

Download
memory/2420-31-0x00000000013E0000-0x0000000001422000-memory.dmp

Filesize
264KB

Download
memory/2484-165-0x00000000008C0000-0x0000000000902000-memory.dmp

Filesize
264KB

Download
memory/2608-180-0x0000000000E60000-0x0000000000E84000-memory.dmp

Filesize
144KB

Download
memory/2744-38-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2744-39-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/2752-30-0x00000000008C0000-0x00000000008E4000-memory.dmp

Filesize
144KB

Download
memory/2840-29-0x0000000000270000-0x0000000000294000-memory.dmp

Filesize
144KB

Download
memory/2932-178-0x00000000011C0000-0x0000000001202000-memory.dmp

Filesize
264KB

Download
memory/3004-170-0x0000000001000000-0x000000000102A000-memory.dmp

Filesize
168KB

Download