Malware Analysis Report

2024-12-07 03:18

Sample ID 241113-13jmja1aml
Target XBinderOutp2ut.exe
SHA256 e51e384406c40df27f4e87e40a1bf94f4222bbfdf180acb1e4027c2ef7a500d9
Tags: xworm evasion execution persistence pyinstaller rat trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: e51e384406c40df27f4e87e40a1bf94f4222bbfdf180acb1e4027c2ef7a500d9

Threat Level: Known bad

The file XBinderOutp2ut.exe was found to be: Known bad.

Malicious Activity Summary

xworm evasion execution persistence pyinstaller rat trojan

Xworm family

Contains code to disable Windows Defender

Detect Xworm Payload

Xworm

Disables Task Manager via registry modification

Command and Scripting Interpreter: PowerShell

Drops startup file

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Detects Pyinstaller

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

MITRE ATT&CK

Enterprise Matrix V15 (the technique-to-signature mapping itself is not reproduced in this export; the tagged behaviours are listed under Signatures below).

Analysis: static1

Detonation Overview

Reported: 2024-11-13 22:10

Signatures

Unsigned PE

(No indicator details recorded for this hit.)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-13 22:10
Reported: 2024-11-13 22:11
Platform: win10ltsc2021-20241023-en
Max time kernel: 39s
Max time network: 44s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XBinderOutp2ut.exe"

Signatures

Contains code to disable Windows Defender

(No indicator details recorded for this hit.)

Detect Xworm Payload

(Two hits, no indicator details recorded.)

Xworm

trojan rat xworm

Xworm family

xworm

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\XBinderOutp2ut.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation C:\Windows\System32\Windows Data Complier.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Data Compiler.lnk C:\Windows\System32\Windows Data Complier.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Data Compiler.lnk C:\Windows\System32\Windows Data Complier.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\System32\Windows Data Complier.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\s.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\s.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Data Complier = "C:\\Windows\\System32\\Windows Data Complier.exe" C:\Users\Admin\AppData\Local\Temp\XBinderOutp2ut.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\Windows Data Complier.exe C:\Users\Admin\AppData\Local\Temp\XBinderOutp2ut.exe N/A
File opened for modification C:\Windows\System32\Windows Data Complier.exe C:\Users\Admin\AppData\Local\Temp\XBinderOutp2ut.exe N/A

Detects Pyinstaller

pyinstaller
(No indicator details recorded for this hit; the PyInstaller artefacts are the _MEI25322 files listed under Files.)

Enumerates physical storage devices

Checks SCSI registry key(s)

Every row in this signature and in the processor-information, FindShellTrayWindow and SendNotifyMessage signatures below is attributed to C:\Windows\system32\taskmgr.exe. No parent is recorded for the "taskmgr.exe /4" entry in the Processes list, so treat these as Task Manager's own hardware enumeration rather than sample discovery unless the parent is confirmed.

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\taskmgr.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\Windows Data Complier.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\XBinderOutp2ut.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Windows Data Complier.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\s.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (37 identical rows collapsed)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (37 identical rows collapsed)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\Windows Data Complier.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 732 wrote to memory of 4492 (2 writes) N/A C:\Users\Admin\AppData\Local\Temp\XBinderOutp2ut.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 732 wrote to memory of 3516 (2 writes) N/A C:\Users\Admin\AppData\Local\Temp\XBinderOutp2ut.exe C:\Windows\System32\schtasks.exe
PID 732 wrote to memory of 1032 (2 writes) N/A C:\Users\Admin\AppData\Local\Temp\XBinderOutp2ut.exe C:\Windows\System32\Windows Data Complier.exe
PID 732 wrote to memory of 2532 (2 writes) N/A C:\Users\Admin\AppData\Local\Temp\XBinderOutp2ut.exe C:\Users\Admin\AppData\Local\Temp\s.exe
PID 2532 wrote to memory of 1752 (2 writes) N/A C:\Users\Admin\AppData\Local\Temp\s.exe C:\Users\Admin\AppData\Local\Temp\s.exe
PID 1032 wrote to memory of 2324 (2 writes) N/A C:\Windows\System32\Windows Data Complier.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1032 wrote to memory of 632 (2 writes) N/A C:\Windows\System32\Windows Data Complier.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1032 wrote to memory of 1480 (2 writes) N/A C:\Windows\System32\Windows Data Complier.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1032 wrote to memory of 556 (2 writes) N/A C:\Windows\System32\Windows Data Complier.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

Process tree reconstructed from the WriteProcessMemory rows: XBinderOutp2ut.exe (PID 732) starts powershell.exe (4492), schtasks.exe (3516), Windows Data Complier.exe (1032) and s.exe (2532); s.exe relaunches itself (1752), the normal two-process pattern of a PyInstaller one-file bundle; Windows Data Complier.exe then starts four further powershell.exe instances (2324, 632, 1480, 556). Note the two spellings in the command lines below: the dropped binary, the Run value and the scheduled task are "Windows Data Complier" (sic), while the Startup-folder shortcut and two of the exclusion commands use "Windows Data Compiler". Match on both spellings when hunting, and note that the excluded path C:\Users\Admin\AppData\Local\Windows Data Compiler.exe does not appear among the files written in this run.

C:\Users\Admin\AppData\Local\Temp\XBinderOutp2ut.exe

"C:\Users\Admin\AppData\Local\Temp\XBinderOutp2ut.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Windows Data Complier.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /F /TN "Windows Data Complier" /SC ONLOGON /TR "C:\Windows\System32\Windows Data Complier.exe" /RL HIGHEST

C:\Windows\System32\Windows Data Complier.exe

"C:\Windows\System32\Windows Data Complier.exe"

C:\Users\Admin\AppData\Local\Temp\s.exe

"C:\Users\Admin\AppData\Local\Temp\s.exe"

C:\Users\Admin\AppData\Local\Temp\s.exe

"C:\Users\Admin\AppData\Local\Temp\s.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Windows Data Complier.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Data Complier.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Windows Data Compiler.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Data Compiler.exe'

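The five Add-MpPreference lines and the schtasks line above are the part of this run a detection engineer would alert on. What follows is an added example by the editor, not code from the report or from the sandbox vendor: a small rule set that matches those command lines and groups hits by parent PID, so that the dropper which both excludes its payload from Defender and schedules it at logon stands out even though its own command line is clean. The event records are constructed from the Processes and WriteProcessMemory sections; the pairing of the four PowerShell children of PID 1032 with their Add-MpPreference lines is assumed from listing order, and the ATT&CK technique IDs are the editor's mapping.

```python
"""Match the Defender-exclusion and scheduled-task command lines from this run
and group the hits by parent process.

Added example by the editor; not code from the report or the sandbox vendor.
Event records are constructed from the Processes and WriteProcessMemory
sections. PIDs come from the "wrote to memory of" rows; which of the four
PowerShell children of PID 1032 ran which Add-MpPreference line is assumed
from listing order. ATT&CK technique IDs are the editor's mapping.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROP = r"C:\Windows\System32\Windows Data Complier.exe"
BINDER = r"C:\Users\Admin\AppData\Local\Temp\XBinderOutp2ut.exe"
S_EXE = r"C:\Users\Admin\AppData\Local\Temp\s.exe"


def _ps(arg):
    """Build one of the report's PowerShell command lines."""
    return '"{}" -ExecutionPolicy Bypass Add-MpPreference {}'.format(PS, arg)


EVENTS = [  # constructed from the report; see module docstring
    ProcEvent(732, 0, BINDER, '"{}"'.format(BINDER)),
    ProcEvent(4492, 732, PS, _ps("-ExclusionPath '{}'".format(DROP))),
    ProcEvent(3516, 732, r"C:\Windows\System32\schtasks.exe",
              '"C:\\Windows\\System32\\schtasks.exe" /Create /F /TN "Windows Data Complier" '
              '/SC ONLOGON /TR "{}" /RL HIGHEST'.format(DROP)),
    ProcEvent(1032, 732, DROP, '"{}"'.format(DROP)),
    ProcEvent(2532, 732, S_EXE, '"{}"'.format(S_EXE)),
    ProcEvent(1752, 2532, S_EXE, '"{}"'.format(S_EXE)),
    ProcEvent(2324, 1032, PS, _ps("-ExclusionPath '{}'".format(DROP))),
    ProcEvent(632, 1032, PS, _ps("-ExclusionProcess 'Windows Data Complier.exe'")),
    ProcEvent(1480, 1032, PS,
              _ps(r"-ExclusionPath 'C:\Users\Admin\AppData\Local\Windows Data Compiler.exe'")),
    ProcEvent(556, 1032, PS, _ps("-ExclusionProcess 'Windows Data Compiler.exe'")),
]

# (technique id, description, pattern applied to the command line)
RULES = [
    ("T1562.001", "Defender exclusion added with Add-MpPreference",
     re.compile(r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\b", re.I)),
    ("T1059.001", "PowerShell started with -ExecutionPolicy Bypass",
     re.compile(r"-ExecutionPolicy\s+Bypass\b", re.I)),
    ("T1053.005", "schtasks task created for ONLOGON with /RL HIGHEST",
     re.compile(r'schtasks(?:\.exe)?"?\s+/Create\b(?=.*/SC\s+ONLOGON\b)(?=.*/RL\s+HIGHEST\b)', re.I)),
]
EXCLUSION = re.compile(r"-Exclusion(Path|Process|Extension)\s+'([^']+)'", re.I)


def scan(events):
    """Return (pid, technique_id, description) for every rule that matches."""
    return [(ev.pid, tid, desc) for ev in events for tid, desc, pat in RULES
            if pat.search(ev.cmdline)]


def exclusion_targets(events):
    """Return (kind, target) for each Defender exclusion the command lines add;
    these are the entries to remove again with Remove-MpPreference."""
    return [(kind, target) for ev in events for kind, target in EXCLUSION.findall(ev.cmdline)]


def suspicious_parents(events, min_techniques=2):
    """Map parent PID -> set of techniques seen across its children. A parent
    whose children cover several techniques (defence evasion plus persistence)
    is the dropper to triage first, even if its own command line is clean."""
    by_pid = {ev.pid: ev for ev in events}
    techs = defaultdict(set)
    for pid, tid, _ in scan(events):
        techs[by_pid[pid].ppid].add(tid)
    return {ppid: t for ppid, t in techs.items() if len(t) >= min_techniques}


if __name__ == "__main__":
    for pid, tid, desc in scan(EVENTS):
        print(pid, tid, desc)
    for ppid, techs in suspicious_parents(EVENTS).items():
        print("parent", ppid, "->", sorted(techs))
    print(exclusion_targets(EVENTS))
```

Run against the constructed events, PID 732 is reported with all three techniques across its children and PID 1032 with two, while the plain "Windows Data Complier.exe" and s.exe command lines produce no hit of their own; exclusion_targets() lists the five paths and process names that have to be removed from Defender during cleanup.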
Network

Of the rows below, the udp queries to 8.8.8.8:53 are resolver traffic (the in-addr.arpa names are reverse lookups of the addresses contacted) and checkappexec.microsoft.com:443 is Windows SmartScreen checking the executable, so neither is attributable to the sample's own logic. The sample-driven traffic is ip-api.com:80 (the external IP lookup flagged under Signatures), two TCP connections to man-laughing.gl.at.ply.gg:57783 (ply.gg is the playit.gg tunnelling service, which hides the operator's real address; this host and port are the most specific C2 indicator in the run) and nine HTTPS requests to rentry.co (a paste service; the report does not show what was fetched). Hunt on the hostnames rather than on 147.185.221.23 or 172.67.75.40, which are tunnel and Cloudflare edge addresses shared with unrelated traffic.

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 checkappexec.microsoft.com udp
GB 172.165.69.228:443 checkappexec.microsoft.com tcp
US 8.8.8.8:53 228.69.165.172.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 man-laughing.gl.at.ply.gg udp
US 147.185.221.23:57783 man-laughing.gl.at.ply.gg tcp
US 8.8.8.8:53 rentry.co udp
US 172.67.75.40:443 rentry.co tcp
US 8.8.8.8:53 23.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 40.75.67.172.in-addr.arpa udp
US 172.67.75.40:443 rentry.co tcp
US 172.67.75.40:443 rentry.co tcp
US 172.67.75.40:443 rentry.co tcp
US 172.67.75.40:443 rentry.co tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 172.67.75.40:443 rentry.co tcp
US 147.185.221.23:57783 man-laughing.gl.at.ply.gg tcp
US 172.67.75.40:443 rentry.co tcp
US 172.67.75.40:443 rentry.co tcp
US 172.67.75.40:443 rentry.co tcp
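Separating the sample's connections from resolver and OS background noise, and counting attempts per endpoint, is the first thing an analyst does with a table like this. The block below is an added example by the editor (not part of the report): it parses a verbatim copy of the table above, drops DNS and reverse-lookup rows, buckets what is left, and counts connections per endpoint. The benign-suffix list, the lookup-service list and the ply.gg annotation are the editor's assumptions, not statements made by the report.

```python
"""Triage this report's Network table: drop resolver noise, bucket the remaining
endpoints and count connection attempts.

Added example by the editor, not part of the sandbox report. NETWORK_ROWS is a
verbatim copy of the report's table; the suffix lists and the ply.gg note are
the editor's assumptions.
"""
import re
from collections import Counter

NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 checkappexec.microsoft.com udp
GB 172.165.69.228:443 checkappexec.microsoft.com tcp
US 8.8.8.8:53 228.69.165.172.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 man-laughing.gl.at.ply.gg udp
US 147.185.221.23:57783 man-laughing.gl.at.ply.gg tcp
US 8.8.8.8:53 rentry.co udp
US 172.67.75.40:443 rentry.co tcp
US 8.8.8.8:53 23.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 40.75.67.172.in-addr.arpa udp
US 172.67.75.40:443 rentry.co tcp
US 172.67.75.40:443 rentry.co tcp
US 172.67.75.40:443 rentry.co tcp
US 172.67.75.40:443 rentry.co tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 172.67.75.40:443 rentry.co tcp
US 147.185.221.23:57783 man-laughing.gl.at.ply.gg tcp
US 172.67.75.40:443 rentry.co tcp
US 172.67.75.40:443 rentry.co tcp
US 172.67.75.40:443 rentry.co tcp
"""

ROW = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+) (?P<domain>\S+) (?P<proto>tcp|udp)$")

# Editor's assumptions: Windows background traffic seen in most sandbox runs,
# public "what is my IP" services, and a label for playit.gg tunnel hosts.
OS_BACKGROUND_SUFFIXES = (".microsoft.com",)
IP_LOOKUP_SERVICES = ("ip-api.com",)
NOTES = {".ply.gg": "playit.gg tunnel endpoint; operator's real address is hidden"}


def parse_rows(text):
    """Parse 'CC ip:port domain proto' lines into dicts; skips non-matching lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def direct_connections(rows):
    """Count connection attempts per (domain, ip, port, proto), dropping DNS
    traffic and the reverse lookups the sandbox does for every address seen."""
    conns = Counter()
    for r in rows:
        if r["port"] == 53 or r["domain"].endswith(".in-addr.arpa"):
            continue
        conns[(r["domain"], r["ip"], r["port"], r["proto"])] += 1
    return conns


def triage(rows):
    """Bucket endpoints into os_background, external_ip_lookup and candidate_c2."""
    buckets = {"os_background": Counter(), "external_ip_lookup": Counter(),
               "candidate_c2": Counter()}
    for key, n in direct_connections(rows).items():
        domain = key[0]
        if domain.endswith(OS_BACKGROUND_SUFFIXES):
            buckets["os_background"][key] = n
        elif domain in IP_LOOKUP_SERVICES:
            buckets["external_ip_lookup"][key] = n
        else:
            buckets["candidate_c2"][key] = n
    return buckets


def notes_for(domain):
    """Analyst notes that apply to a domain (suffix match)."""
    return [text for suffix, text in NOTES.items() if domain.endswith(suffix)]


if __name__ == "__main__":
    for bucket, conns in triage(parse_rows(NETWORK_ROWS)).items():
        for (domain, ip, port, proto), n in conns.most_common():
            print(f"{bucket:19} {domain}:{port} ({ip}/{proto}) x{n} {' '.join(notes_for(domain))}")
```

On this table the candidate_c2 bucket reduces to two endpoints, man-laughing.gl.at.ply.gg:57783 (2 attempts) and rentry.co:443 (9 attempts); the 15 DNS rows and the single SmartScreen connection fall out, which is the signal-to-noise reduction you want before writing blocks or hunting queries.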

Files

Entries of the form memory/<pid>-<n>-<range>-memory.dmp are memory regions dumped from the process with that PID (732 is XBinderOutp2ut.exe, 4492 the first powershell.exe and 1032 Windows Data Complier.exe, per the WriteProcessMemory rows; the report does not say which process PID 3900 is). The _MEI25322 directory is the PyInstaller run-time extraction folder created by s.exe: python310.dll, base_library.zip, psutil and the .pyd modules are stock CPython 3.10 components and are not indicators on their own, and the packed script is not recovered in this export. Windows Data Complier.exe, the dropped binary that installs the SetWindowsHookEx hook and launches the Defender-exclusion commands, is the persistent component.

memory/732-0-0x00007FFDD7883000-0x00007FFDD7885000-memory.dmp

memory/732-1-0x0000000000B60000-0x00000000010C0000-memory.dmp

memory/732-2-0x00007FFDD7880000-0x00007FFDD8342000-memory.dmp

memory/4492-3-0x00007FFDD7880000-0x00007FFDD8342000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_umhl1kvz.nvw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4492-13-0x000002B2D1430000-0x000002B2D1452000-memory.dmp

memory/4492-14-0x00007FFDD7880000-0x00007FFDD8342000-memory.dmp

memory/4492-15-0x00007FFDD7880000-0x00007FFDD8342000-memory.dmp

memory/4492-16-0x00007FFDD7880000-0x00007FFDD8342000-memory.dmp

memory/4492-17-0x00007FFDD7880000-0x00007FFDD8342000-memory.dmp

memory/4492-20-0x00007FFDD7880000-0x00007FFDD8342000-memory.dmp

memory/732-21-0x00007FFDD7883000-0x00007FFDD7885000-memory.dmp

C:\Windows\System32\Windows Data Complier.exe

MD5 ac82021a4611e4f15c4eb33f9fc179d6
SHA1 dee75a9ea1e458448851c856b09b8e929f85b4b5
SHA256 8c81b95f5a7846df8685855e76e310606e626d9c9455fa72e824c733b4db3bdc
SHA512 057ab98f565f6a06a527ac4a8eaa5bbeecbeccd4cba0b1d442096a453232e3c4bebe684c75e38ad25c7e9d8dd18a245d950d0262e9be1de3c72932ed094149ed

memory/1032-38-0x0000000000170000-0x000000000018A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\s.exe

MD5 30feca7ddfac8b7a5dc39b4e9336a0d7
SHA1 1b524d54f524f4edfd96e9a5e2c540ee3463d18b
SHA256 d50ce8571ded39ccacf25c90fac12231ed6133f3e85b6ac29800115c61142328
SHA512 c36ab233191a1dec8b02396e874b4edbb357ae908a4c8ad850c23b334ef85682f8392fc825a597db8284bdca38c00116861fde41c0ba6b9f3832fd624f2ff230

C:\Users\Admin\AppData\Local\Temp\_MEI25322\python310.dll

MD5 deaf0c0cc3369363b800d2e8e756a402
SHA1 3085778735dd8badad4e39df688139f4eed5f954
SHA256 156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d
SHA512 5cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989

memory/732-64-0x00007FFDD7880000-0x00007FFDD8342000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI25322\VCRUNTIME140.dll

MD5 870fea4e961e2fbd00110d3783e529be
SHA1 a948e65c6f73d7da4ffde4e8533c098a00cc7311
SHA256 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644
SHA512 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

C:\Users\Admin\AppData\Local\Temp\_MEI25322\base_library.zip

MD5 fbd6be906ac7cd45f1d98f5cb05f8275
SHA1 5d563877a549f493da805b4d049641604a6a0408
SHA256 ae35709e6b8538827e3999e61a0345680c5167962296ac7bef62d6b813227fb0
SHA512 1547b02875f3e547c4f5e15c964719c93d7088c7f4fd044f6561bebd29658a54ef044211f9d5cfb4570ca49ed0f17b08011d27fe85914e8c3ea12024c8071e8a

C:\Users\Admin\AppData\Local\Temp\_MEI25322\python3.dll

MD5 c17b7a4b853827f538576f4c3521c653
SHA1 6115047d02fbbad4ff32afb4ebd439f5d529485a
SHA256 d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68
SHA512 8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

C:\Users\Admin\AppData\Local\Temp\_MEI25322\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI25322\_socket.pyd

MD5 0f5e64e33f4d328ef11357635707d154
SHA1 8b6dcb4b9952b362f739a3f16ae96c44bea94a0e
SHA256 8af6d70d44bb9398733f88bcfb6d2085dd1a193cd00e52120b96a651f6e35ebe
SHA512 4be9febb583364da75b6fb3a43a8b50ee29ca8fc1dda35b96c0fcc493342372f69b4f27f2604888bca099c8d00f38a16f4c9463c16eff098227d812c29563643

C:\Users\Admin\AppData\Local\Temp\_MEI25322\psutil\_psutil_windows.pyd

MD5 ebefbc98d468560b222f2d2d30ebb95c
SHA1 ee267e3a6e5bed1a15055451efcccac327d2bc43
SHA256 67c17558b635d6027ddbb781ea4e79fc0618bbec7485bd6d84b0ebcd9ef6a478
SHA512 ab9f949adfe9475b0ba8c37fa14b0705923f79c8a10b81446abc448ad38d5d55516f729b570d641926610c99df834223567c1efde166e6a0f805c9e2a35556e3

C:\Users\Admin\AppData\Local\Temp\_MEI25322\_lzma.pyd

MD5 0a94c9f3d7728cf96326db3ab3646d40
SHA1 8081df1dca4a8520604e134672c4be79eb202d14
SHA256 0a70e8546fa6038029f2a3764e721ceebea415818e5f0df6b90d6a40788c3b31
SHA512 6f047f3bdaead121018623f52a35f7e8b38c58d3a9cb672e8056a5274d02395188975de08cabae948e2cc2c1ca01c74ca7bc1b82e2c23d652e952f3745491087

C:\Users\Admin\AppData\Local\Temp\_MEI25322\_bz2.pyd

MD5 bbe89cf70b64f38c67b7bf23c0ea8a48
SHA1 44577016e9c7b463a79b966b67c3ecc868957470
SHA256 775fbc6e9a4c7e9710205157350f3d6141b5a9e8f44cb07b3eac38f2789c8723
SHA512 3ee72ba60541116bbca1a62db64074276d40ad8ed7d0ca199a9c51d65c3f0762a8ef6d0e1e9ebf04bf4efe1347f120e4bc3d502dd288339b4df646a59aad0ec1

C:\Users\Admin\AppData\Local\Temp\_MEI25322\select.pyd

MD5 c119811a40667dca93dfe6faa418f47a
SHA1 113e792b7dcec4366fc273e80b1fc404c309074c
SHA256 8f27cd8c5071cb740a2191b3c599e99595b121f461988166f07d9f841e7116b7
SHA512 107257dbd8cf2607e4a1c7bef928a6f61ebdfc21be1c4bdc3a649567e067e9bb7ea40c0ac8844d2cedd08682447b963148b52f85adb1837f243df57af94c04b3

C:\Users\Admin\AppData\Local\Temp\_MEI25322\_ctypes.pyd

MD5 ca4cef051737b0e4e56b7d597238df94
SHA1 583df3f7ecade0252fdff608eb969439956f5c4a
SHA256 e60a2b100c4fa50b0b144cf825fe3cde21a8b7b60b92bfc326cb39573ce96b2b
SHA512 17103d6b5fa84156055e60f9e5756ffc31584cdb6274c686a136291c58ba0be00238d501f8acc1f1ca7e1a1fadcb0c7fefddcb98cedb9dd04325314f7e905df3

memory/3900-95-0x0000021CE1550000-0x0000021CE1551000-memory.dmp

memory/3900-94-0x0000021CE1550000-0x0000021CE1551000-memory.dmp

memory/3900-93-0x0000021CE1550000-0x0000021CE1551000-memory.dmp

memory/3900-103-0x0000021CE1550000-0x0000021CE1551000-memory.dmp

memory/3900-105-0x0000021CE1550000-0x0000021CE1551000-memory.dmp

memory/3900-101-0x0000021CE1550000-0x0000021CE1551000-memory.dmp

memory/3900-102-0x0000021CE1550000-0x0000021CE1551000-memory.dmp

memory/3900-100-0x0000021CE1550000-0x0000021CE1551000-memory.dmp

memory/3900-104-0x0000021CE1550000-0x0000021CE1551000-memory.dmp

memory/3900-99-0x0000021CE1550000-0x0000021CE1551000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 3eb3833f769dd890afc295b977eab4b4
SHA1 e857649b037939602c72ad003e5d3698695f436f
SHA256 c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512 c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 84063c0d1d9aae057e1c424279a859b9
SHA1 267a2c5851b5da21dea746f0417dd4b33f051a31
SHA256 8efb3b1ffff11a06d7fc95530ea8eb260de51e72cfb457cf10a6fd34c8d20ed8
SHA512 ed878d9e9632e0f9ca2a644a86dd142eb91ea74403e5829dd159f225b7230b48314d52f783aff3e80180815f95cb7daebfdc0a89e4d93eb233aebb53ebc7f111

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 63e59d8385512f774bcb7fffaa2f35c5
SHA1 38679e31788faaa240eb7266d7b45194816ee67e
SHA256 f2e5a289b526cdfe426939d44998caccafecc50ce8a07cdfd3fd38db3480fde8
SHA512 7922269d37ae9790527aed64c35a4bd5eea754bdaaa7d13ff10953f3e47481d8456daf10371bae7bccee33a3abe20365c9c9cd8cba61d68e1d64e81beb2f68a0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 14359ab04fb385861ffac85e495c5738
SHA1 c9abc53942ad000c711a7ff53fd19ae48fff7f98
SHA256 ac605ab47b791d2622c834454a9cab9b18c3a3d0c85f147fcc2b6d9517299efb
SHA512 3fb23705e50a6d3dfe45c3fcb5fec34e79071645a1a55ae38be0692aa7c007fa04cbfd9675f2f05799443ba3d49f292b1c3605827a039ea6b657119e951e5a96

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4d01b82df84c6f130e2e7b301c9edeb4
SHA1 79d37d4779cd7e46fe8c6c94206c84f69cbee332
SHA256 0fa5fc3b88a4f074db88919fabe589aa8fce90bef3f4cb08f9532752bda2255a
SHA512 b2055142979d1f74275b05e3e5a785ea0fc2590705ca5c6ba74ba82d5f1affd36ae2fbd3960ab0f797c80c707b97c32356dd9a3c221dbf80e6b223b41137b165

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Data Compiler.lnk

MD5 79874a1121d991122ea33e3ffdcc8349
SHA1 bca2c94d5f4afd6ec9566c19f588ec672244dc21
SHA256 92499e817b7ee5153a9e30d7d3710ac7c02a607ba0be3846d684aba7ce7641e9
SHA512 a523e2d50108a8d7b1a5441a7fba7c877094e65bf54a231a5b9ec47060f7abe3a4b8d1331464cbb144d72a336af34b7d0140f0668112097010a7d75404204614

memory/1032-157-0x000000001D430000-0x000000001D43E000-memory.dmp

memory/1032-158-0x000000001D340000-0x000000001D429000-memory.dmp

memory/1032-159-0x000000001D460000-0x000000001D46A000-memory.dmp

memory/1032-160-0x000000001D690000-0x000000001D6A2000-memory.dmp