xworm | 8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f.exe
Size

909KB
MD5

74b16801ca2365d3b29e6194237c665a
SHA1

9d172c5a08c68e8134eaad60063071662afd5057
SHA256

8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f
SHA512

8201c89ce2e7eab9b5bfe3f8da956c73604261e83a3bf5d267be6a9b44790ec714e22a0ddfbc9fd009395893ef68864e5fac54172aceb568aec2270de6700567
SSDEEP

24576:7/dTDkoRaidakIYibePZUM+TrxT1sS5GJ:7xDkoRaFYibE0TFJH5W

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

83.38.24.1:1603

Attributes

Install_directory
%ProgramData%
install_file
USB.exe

Signatures

Detect Xworm Payload 10 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023bca-6.dat	family_xworm
behavioral2/files/0x0007000000023ca7-17.dat	family_xworm
behavioral2/files/0x0007000000023caa-48.dat	family_xworm
behavioral2/files/0x0007000000023ca9-59.dat	family_xworm
behavioral2/memory/4908-62-0x0000000000CD0000-0x0000000000CF4000-memory.dmp	family_xworm
behavioral2/memory/1032-63-0x0000000000550000-0x0000000000574000-memory.dmp	family_xworm
behavioral2/memory/3716-61-0x0000000000D00000-0x0000000000D42000-memory.dmp	family_xworm
behavioral2/files/0x0007000000023ca8-57.dat	family_xworm
behavioral2/memory/1520-37-0x0000000000060000-0x000000000008A000-memory.dmp	family_xworm
behavioral2/memory/976-27-0x0000000000FC0000-0x0000000000FF0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4256	powershell.exe
1096	powershell.exe
4436	powershell.exe
1680	powershell.exe
1508	powershell.exe
4604	powershell.exe
1868	powershell.exe
3080	powershell.exe
4212	powershell.exe
2204	powershell.exe
1380	powershell.exe
1764	powershell.exe
2544	powershell.exe
4548	powershell.exe
3656	powershell.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SearchFilterHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	OneDrive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SecurityHealthSystray.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	regedit.exe

Drops startup file 10 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	SecurityHealthSystray.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.lnk	regedit.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SearchFilterHost.lnk	SearchFilterHost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	SecurityHealthSystray.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.lnk	regedit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SearchFilterHost.lnk	SearchFilterHost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiPrvSE.lnk	WmiPrvSE.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiPrvSE.lnk	WmiPrvSE.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe

Executes dropped EXE 15 IoCs

pid	Process
976	OneDrive.exe
1520	SearchFilterHost.exe
3716	SecurityHealthSystray.exe
1032	WmiPrvSE.exe
4908	regedit.exe
2400	SearchFilterHost.exe
3792	OneDrive.exe
1904	regedit.exe
4828	SecurityHealthSystray.exe
388	WmiPrvSE.exe
2076	regedit.exe
560	SearchFilterHost.exe
4276	OneDrive.exe
4272	SecurityHealthSystray.exe
4436	WmiPrvSE.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regedit = "C:\\Users\\Public\\regedit.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\ProgramData\\SecurityHealthSystray.exe"	SecurityHealthSystray.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\ProgramData\\WmiPrvSE.exe"	WmiPrvSE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\OneDrive.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchFilterHost = "C:\\Users\\Admin\\SearchFilterHost.exe"	SearchFilterHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs regedit.exe 3 IoCs

pid	Process
4908	regedit.exe
1904	regedit.exe
2076	regedit.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4504	schtasks.exe
4744	schtasks.exe
5004	schtasks.exe
3548	schtasks.exe
1296	schtasks.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
2544	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
2544	powershell.exe
2544	powershell.exe
1868	powershell.exe
1868	powershell.exe
4256	powershell.exe
4256	powershell.exe
1096	powershell.exe
1096	powershell.exe
1096	powershell.exe
1868	powershell.exe
4256	powershell.exe
4548	powershell.exe
4548	powershell.exe
4548	powershell.exe
4436	powershell.exe
4436	powershell.exe
4436	powershell.exe
3656	powershell.exe
3656	powershell.exe
4212	powershell.exe
4212	powershell.exe
1508	powershell.exe
1508	powershell.exe
4604	powershell.exe
4604	powershell.exe
1508	powershell.exe
3656	powershell.exe
4212	powershell.exe
4604	powershell.exe
1680	powershell.exe
1680	powershell.exe
3080	powershell.exe
3080	powershell.exe
2204	powershell.exe
2204	powershell.exe
1380	powershell.exe
1380	powershell.exe
1680	powershell.exe
1380	powershell.exe
2204	powershell.exe
3080	powershell.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	1520	SearchFilterHost.exe
Token: SeDebugPrivilege	976	OneDrive.exe
Token: SeDebugPrivilege	3716	SecurityHealthSystray.exe
Token: SeDebugPrivilege	4908	regedit.exe
Token: SeDebugPrivilege	1032	WmiPrvSE.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	4256	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	4548	powershell.exe
Token: SeDebugPrivilege	4436	powershell.exe
Token: SeDebugPrivilege	3656	powershell.exe
Token: SeDebugPrivilege	4212	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	4604	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	3080	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	4908	regedit.exe
Token: SeDebugPrivilege	1520	SearchFilterHost.exe
Token: SeDebugPrivilege	1032	WmiPrvSE.exe
Token: SeDebugPrivilege	3716	SecurityHealthSystray.exe
Token: SeDebugPrivilege	976	OneDrive.exe
Token: SeDebugPrivilege	2400	SearchFilterHost.exe
Token: SeDebugPrivilege	3792	OneDrive.exe
Token: SeDebugPrivilege	1904	regedit.exe
Token: SeDebugPrivilege	4828	SecurityHealthSystray.exe
Token: SeDebugPrivilege	388	WmiPrvSE.exe
Token: SeDebugPrivilege	2076	regedit.exe
Token: SeDebugPrivilege	560	SearchFilterHost.exe
Token: SeDebugPrivilege	4276	OneDrive.exe
Token: SeDebugPrivilege	4272	SecurityHealthSystray.exe
Token: SeDebugPrivilege	4436	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 976	4836	8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f.exe	83
PID 4836 wrote to memory of 976	4836	8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f.exe	83
PID 4836 wrote to memory of 1520	4836	8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f.exe	84
PID 4836 wrote to memory of 1520	4836	8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f.exe	84
PID 4836 wrote to memory of 3716	4836	8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f.exe	85
PID 4836 wrote to memory of 3716	4836	8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f.exe	85
PID 4836 wrote to memory of 1032	4836	8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f.exe	86
PID 4836 wrote to memory of 1032	4836	8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f.exe	86
PID 4836 wrote to memory of 4908	4836	8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f.exe	87
PID 4836 wrote to memory of 4908	4836	8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f.exe	87
PID 1520 wrote to memory of 1764	1520	SearchFilterHost.exe	92
PID 1520 wrote to memory of 1764	1520	SearchFilterHost.exe	92
PID 976 wrote to memory of 2544	976	OneDrive.exe	93
PID 976 wrote to memory of 2544	976	OneDrive.exe	93
PID 3716 wrote to memory of 4256	3716	SecurityHealthSystray.exe	96
PID 3716 wrote to memory of 4256	3716	SecurityHealthSystray.exe	96
PID 1032 wrote to memory of 1096	1032	WmiPrvSE.exe	98
PID 1032 wrote to memory of 1096	1032	WmiPrvSE.exe	98
PID 4908 wrote to memory of 1868	4908	regedit.exe	99
PID 4908 wrote to memory of 1868	4908	regedit.exe	99
PID 976 wrote to memory of 4548	976	OneDrive.exe	102
PID 976 wrote to memory of 4548	976	OneDrive.exe	102
PID 1520 wrote to memory of 4436	1520	SearchFilterHost.exe	104
PID 1520 wrote to memory of 4436	1520	SearchFilterHost.exe	104
PID 1032 wrote to memory of 3656	1032	WmiPrvSE.exe	106
PID 1032 wrote to memory of 3656	1032	WmiPrvSE.exe	106
PID 4908 wrote to memory of 4212	4908	regedit.exe	108
PID 4908 wrote to memory of 4212	4908	regedit.exe	108
PID 3716 wrote to memory of 1508	3716	SecurityHealthSystray.exe	110
PID 3716 wrote to memory of 1508	3716	SecurityHealthSystray.exe	110
PID 976 wrote to memory of 4604	976	OneDrive.exe	112
PID 976 wrote to memory of 4604	976	OneDrive.exe	112
PID 1520 wrote to memory of 1680	1520	SearchFilterHost.exe	114
PID 1520 wrote to memory of 1680	1520	SearchFilterHost.exe	114
PID 1032 wrote to memory of 3080	1032	WmiPrvSE.exe	116
PID 1032 wrote to memory of 3080	1032	WmiPrvSE.exe	116
PID 3716 wrote to memory of 2204	3716	SecurityHealthSystray.exe	117
PID 3716 wrote to memory of 2204	3716	SecurityHealthSystray.exe	117
PID 4908 wrote to memory of 1380	4908	regedit.exe	119
PID 4908 wrote to memory of 1380	4908	regedit.exe	119
PID 976 wrote to memory of 4504	976	OneDrive.exe	124
PID 976 wrote to memory of 4504	976	OneDrive.exe	124
PID 4908 wrote to memory of 4744	4908	regedit.exe	126
PID 4908 wrote to memory of 4744	4908	regedit.exe	126
PID 1520 wrote to memory of 5004	1520	SearchFilterHost.exe	127
PID 1520 wrote to memory of 5004	1520	SearchFilterHost.exe	127
PID 1032 wrote to memory of 3548	1032	WmiPrvSE.exe	130
PID 1032 wrote to memory of 3548	1032	WmiPrvSE.exe	130
PID 3716 wrote to memory of 1296	3716	SecurityHealthSystray.exe	132
PID 3716 wrote to memory of 1296	3716	SecurityHealthSystray.exe	132

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f.exe
"C:\Users\Admin\AppData\Local\Temp\8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4604
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\Users\Admin\OneDrive.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4504
- C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe
  "C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SearchFilterHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\SearchFilterHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1680
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SearchFilterHost" /tr "C:\Users\Admin\SearchFilterHost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5004
- C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe
  "C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4256
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\SecurityHealthSystray.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2204
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\ProgramData\SecurityHealthSystray.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1296
- C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe
  "C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1096
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3656
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3080
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WmiPrvSE" /tr "C:\ProgramData\WmiPrvSE.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3548
- C:\Users\Admin\AppData\Local\Temp\regedit.exe
  "C:\Users\Admin\AppData\Local\Temp\regedit.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Runs regedit.exe
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\regedit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'regedit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\regedit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1380
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "regedit" /tr "C:\Users\Public\regedit.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4744

C:\Users\Public\regedit.exe
C:\Users\Public\regedit.exe
1⤵
- Executes dropped EXE
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Users\Admin\SearchFilterHost.exe
C:\Users\Admin\SearchFilterHost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Users\Admin\OneDrive.exe
C:\Users\Admin\OneDrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3792

C:\ProgramData\SecurityHealthSystray.exe
C:\ProgramData\SecurityHealthSystray.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\ProgramData\WmiPrvSE.exe
C:\ProgramData\WmiPrvSE.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:388

C:\Users\Admin\SearchFilterHost.exe
C:\Users\Admin\SearchFilterHost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Users\Admin\OneDrive.exe
C:\Users\Admin\OneDrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Users\Public\regedit.exe
C:\Users\Public\regedit.exe
1⤵
- Executes dropped EXE
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\ProgramData\SecurityHealthSystray.exe
C:\ProgramData\SecurityHealthSystray.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\ProgramData\WmiPrvSE.exe
C:\ProgramData\WmiPrvSE.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SecurityHealthSystray.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
67668db6b58b27a901b0f39b4ecc4860

SHA1
53d610904acc243780be1f91773475bfa7cfd6ee

SHA256
1c7238f064efd555bf174b09b470b5c4126da5681efc8a8889e139a74f472ed4

SHA512
9cdb241e1e66da3cc2fa7d749d888f30d4c88e9e7f705ebb5b346dc6e831eae96503d2269f560099f67a25c91a67d9b2cbf414d6c5d4aeed5fd2506e1f89af41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
67e8893616f805af2411e2f4a1411b2a

SHA1
39bf1e1a0ddf46ce7c136972120f512d92827dcd

SHA256
ca0dfe104c1bf27f7e01999fcdabc16c6400c3da937c832c26bdbca322381d31

SHA512
164e911a9935e75c8be1a6ec3d31199a16ba2a1064da6c09d771b2a38dd7fddd142301ef55d67d90f306d3a454a1ce7b72e129ea42e44500b9b8c623a8d98b4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
98baf5117c4fcec1692067d200c58ab3

SHA1
5b33a57b72141e7508b615e17fb621612cb8e390

SHA256
30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

SHA512
344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
10890cda4b6eab618e926c4118ab0647

SHA1
1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

SHA256
00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

SHA512
a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
836B

MD5
92f6b07cc8cb99622767251034264d4e

SHA1
00af6aa0a2d4eaf87fc242dae00085c0e97621bd

SHA256
20356a2dc15cdcc13e45b93d12191b414438bd97ceca8355a753ede23a8cadaf

SHA512
1d2738823ea748ec38f7b6394aff336f99131174a51a3923677b62daf1a84f1457fe42cbf82cd8ea25ea86ad473ba795c54031d594be3294226cbdb90582f614

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe

Filesize
163KB

MD5
abd4141118794cd94979dc12bcded7b7

SHA1
27b11caedb23ea8dab4f36f5865a96e6e7f55806

SHA256
be9f4292935c19f00dcf2a6e09bc63f50cf7caad0d8ea0a45ed7bf86fb14e904

SHA512
d4ddda6b8ac66683e78b78360326ee50edf5edc8278a2f82e414545d4dd2a3d5e4269fe1dd884926b2e6d7e52af030f0b66fcca50cad77b8a31837ff482c4809

Download Submit
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe

Filesize
145KB

MD5
40324e8a46ec891bcb5300f51ddfc335

SHA1
bc5c53d890371bd472c707da8e84c3925bf077d5

SHA256
cc7bcd68ad32d8490fd2d5217b5bace0068a7ebf96831f0373d88e27e6a3ff2c

SHA512
5b2c618234a6b14ea377604f08dd3c6f193be4f593f18b38ff9a3b88f939d61934c3ec4efca91ff98791051eeb79a53315168bfa0fe8466b60249f3bde9b86de

Download Submit
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe

Filesize
243KB

MD5
f32ac010fcdbc8f8a5582c339ec9d9ea

SHA1
20c06c5a174504c4e28c9aa0b51a62ab8f5c70cb

SHA256
88835382ffaf3f7f0730a0a7edab3d3214cbbfdbc35e7269b80a6bd05b7edd18

SHA512
9798b196315a1e463105b811a0937f763ae21826fa9bd9f346059b5f0a573d48a6f4ed7174fb4551a4ae7ccd089c9cae90c30b38ef6e7c12e896138a0fcaa8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe

Filesize
124KB

MD5
16caf66537fe87d8d9b6a4eb34d9dbff

SHA1
4a399f4229ea5b27963d467223fd4ceb89e545f5

SHA256
64cc787990be5cdc1c25f5cdbfd2a0e93d4c68a888fefa0b7e2b0d12cea4de26

SHA512
a034dba721d36b5396dbe08a581d06c692c84edb0946e45073a8e3eb78a685ad42011b8ffa970190e673e94350dc1feef8d8f51908b53bc23a80536f75bba9d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1hrbr4sn.ynt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\regedit.exe

Filesize
121KB

MD5
005b549e8fa8f966d1c0ce845cfaffce

SHA1
4dc69fa135bec170229863f4d7320b402698cef1

SHA256
8befb7faacdffeb7dd84b629ec7066ed1baf3947a6ed8c1ac8432335e3b2828b

SHA512
1169ec7a0628a03ecb8a924527fa03dd0d391f9d0bf2a537e9ee7022265bfeba57b85759507fbc4962f10a5f43f2ea86d8c18cbf00aa8f5b9a2323174a9663ec

Download Submit
memory/976-60-0x00007FFEB3CD0000-0x00007FFEB4791000-memory.dmp

Filesize
10.8MB

Download
memory/976-252-0x00007FFEB3CD0000-0x00007FFEB4791000-memory.dmp

Filesize
10.8MB

Download
memory/976-27-0x0000000000FC0000-0x0000000000FF0000-memory.dmp

Filesize
192KB

Download
memory/1032-63-0x0000000000550000-0x0000000000574000-memory.dmp

Filesize
144KB

Download
memory/1520-64-0x00007FFEB3CD0000-0x00007FFEB4791000-memory.dmp

Filesize
10.8MB

Download
memory/1520-37-0x0000000000060000-0x000000000008A000-memory.dmp

Filesize
168KB

Download
memory/1520-273-0x00007FFEB3CD0000-0x00007FFEB4791000-memory.dmp

Filesize
10.8MB

Download
memory/1520-274-0x00007FFEB3CD0000-0x00007FFEB4791000-memory.dmp

Filesize
10.8MB

Download
memory/1520-275-0x00007FFEB3CD0000-0x00007FFEB4791000-memory.dmp

Filesize
10.8MB

Download
memory/1764-74-0x00000231CFCC0000-0x00000231CFCE2000-memory.dmp

Filesize
136KB

Download
memory/3716-61-0x0000000000D00000-0x0000000000D42000-memory.dmp

Filesize
264KB

Download
memory/4836-0-0x00007FFEB3CD3000-0x00007FFEB3CD5000-memory.dmp

Filesize
8KB

Download
memory/4836-1-0x0000000000580000-0x0000000000668000-memory.dmp

Filesize
928KB

Download
memory/4908-62-0x0000000000CD0000-0x0000000000CF4000-memory.dmp

Filesize
144KB

Download