Malware Analysis Report

2024-12-07 03:13

Sample ID 241113-29lwxavjgl
Target SAMX222C.exe
SHA256 b50d25c24ba5f1f096e883b3a9970d2c080afb37dfe2f55a25a1c7ed3ca36505
Tags xworm discovery execution persistence rat trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 b50d25c24ba5f1f096e883b3a9970d2c080afb37dfe2f55a25a1c7ed3ca36505

Threat Level: Known bad

The file SAMX222C.exe was found to be: Known bad.

Malicious Activity Summary

xworm discovery execution persistence rat trojan

Detect Xworm Payload

Xworm

Xworm family

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Looks up external IP address via web service

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

NSIS installer

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-13 23:16

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm family

xworm

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NSIS installer

installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-11-13 23:16
Reported 2024-11-13 23:19
Platform win10v2004-20241007-en
Max time kernel 147s
Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SAMX222C.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Xworm family

xworm

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SAMX222C.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Local\\Realtek HD Audio Universal Service.exe" | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SAMX222C.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2856 wrote to memory of 2308 | N/A | C:\Users\Admin\AppData\Local\Temp\SAMX222C.exe | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe
PID 2856 wrote to memory of 2308 | N/A | C:\Users\Admin\AppData\Local\Temp\SAMX222C.exe | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe
PID 2856 wrote to memory of 3676 | N/A | C:\Users\Admin\AppData\Local\Temp\SAMX222C.exe | C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe
PID 2856 wrote to memory of 3676 | N/A | C:\Users\Admin\AppData\Local\Temp\SAMX222C.exe | C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe
PID 2308 wrote to memory of 640 | N/A | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 640 | N/A | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 3308 | N/A | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 3308 | N/A | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 3080 | N/A | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 3080 | N/A | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 4496 | N/A | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2308 wrote to memory of 4496 | N/A | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SAMX222C.exe

"C:\Users\Admin\AppData\Local\Temp\SAMX222C.exe"

C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe

"C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe"

C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe

"C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Realtek HD Audio Universal Service.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Realtek HD Audio Universal Service.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Realtek HD Audio Universal Service.exe'

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | keyauth.win | udp
US | 104.26.0.5:443 | keyauth.win | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 5.0.26.104.in-addr.arpa | udp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
US | 147.185.221.23:25808 | N/A | tcp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 147.185.221.23:25808 | N/A | tcp
US | 147.185.221.23:25808 | N/A | tcp
US | 147.185.221.23:25808 | N/A | tcp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 147.185.221.23:25808 | N/A | tcp
US | 147.185.221.23:25808 | N/A | tcp

Files

C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe

MD5 066d90fb1d671648842a3b46622eb7ce
SHA1 6d0949bd4f494c9f8d80b705a79cfa9038c80e51
SHA256 8d2cf02c3005fb4bb7058df1f3a2e24b98077a8c5a8aab5c8184f4aa9ed951d8
SHA512 b22c8910e501de5fcb8e6197552396285366c9b43c4c6df4387b95a28830bf13a6ce634aadbf79e71b83879d19132c63414da5c5059edaa33be6bb71cee32745

memory/2308-14-0x00007FFD417E3000-0x00007FFD417E5000-memory.dmp

memory/2308-15-0x0000000000EF0000-0x0000000000F0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe

MD5 ad991add5af431b8d808cf9035a5cd46
SHA1 d7ac382fa834529219db1b76e4d928ff24f1245b
SHA256 a1dfdf32f2a82156bb3007896a9672fa05aba8ce4c668c3f4dce449a1a811a19
SHA512 b876e8380ab97dade3f875a7e0cee2dc598ba55143921bdd1f1d9d2d5be55c25d62b12aaef424227e1450f6ddf67a4e04e3f4fc846182abb842c4c821997cbbd

memory/3676-24-0x00000220A8BD0000-0x00000220A8F94000-memory.dmp

memory/3676-25-0x00007FFD417E0000-0x00007FFD422A1000-memory.dmp

memory/3676-26-0x00000220AAC40000-0x00000220AAC52000-memory.dmp

memory/3676-28-0x00000220C3670000-0x00000220C3884000-memory.dmp

memory/3676-27-0x00007FFD417E0000-0x00007FFD422A1000-memory.dmp

memory/3676-29-0x00000220C6480000-0x00000220C64BC000-memory.dmp

memory/2308-30-0x00007FFD417E0000-0x00007FFD422A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rjoj2q1y.gdg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/640-32-0x0000025707560000-0x0000025707582000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 0e3b2fb1305afa355fb0585c068cdbbd
SHA1 b4e9457bfdc38337f64e3b2606aa34861aa6b4ed
SHA256 43a303fed06d5928800280cb0bf716790d9f886c87f26faf9fbdfa59b55e9c0d
SHA512 6a754dbb33c549ace5f71e169511422284f688c9df1c1e5fac8a633feac24312ba39fa4c682bdc9fe1d1162e2a3bd6190013652e567909417579db4b8791554d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e0499ccf2f5e6b93d5e6e1e1d06afe73
SHA1 a0169a2e3fccbe56b91a30c2df5abdc0850a0d58
SHA256 fdb232420c104c1e639dd928a694b0c00914355df693c9eaa80d6f4d409a1891
SHA512 fe7968e8097047c1167325a3bd98485362d4b421a82801b558229a90888012b427f0e64ead460625715fb2b9fea78b2435e5af3d083c192430f7844f198e922b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3f038ac2e2ceadad0f78317ea7de6881
SHA1 f2ee66d1ab22d5594426a26e9d2628ce29b037a7
SHA256 475591875182108710538a2ea21a89e0ffa1df43f776689288e0fa96da46efb7
SHA512 f751f1f06b79550af211a9bf39d59712bb60f4e2c79a24d850970b1d40e871c2e53ce84ed4f5d974dad53cdbfb95d38a8eff9f871f22ae2d3e772deb731715f4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6e09573715495338a569f0316d59af57
SHA1 1a9fd3073801c241b276cdb8b3d7035afbcd0c8d
SHA256 bdad2d4c1b3475754cb3b9ef41a9eda243f46e30117539f81399c977a459b570
SHA512 61add4e0cfef5f138e95f0d941c39c0bce038a47fbc262d5622a0fdf46621231653adfcca3b81bef3a662a37c288e1e9644bed44591551aea5399a370afaeced

memory/2308-78-0x00007FFD417E3000-0x00007FFD417E5000-memory.dmp

memory/3676-79-0x00007FFD417E0000-0x00007FFD422A1000-memory.dmp

memory/3676-80-0x00007FFD417E0000-0x00007FFD422A1000-memory.dmp

memory/2308-81-0x00007FFD417E0000-0x00007FFD422A1000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted 2024-11-13 23:16
Reported 2024-11-13 23:19
Platform win7-20241010-en
Max time kernel 135s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Xworm family

xworm

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Local\\Realtek HD Audio Universal Service.exe" | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2200 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe

"C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Realtek HD Audio Universal Service.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Realtek HD Audio Universal Service.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Realtek HD Audio Universal Service.exe'

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 147.185.221.23:25808 | N/A | tcp
US | 147.185.221.23:25808 | N/A | tcp
US | 147.185.221.23:25808 | N/A | tcp
US | 147.185.221.23:25808 | N/A | tcp
US | 147.185.221.23:25808 | N/A | tcp

Files

memory/2200-0-0x000007FEF6003000-0x000007FEF6004000-memory.dmp

memory/2200-1-0x0000000000020000-0x000000000003A000-memory.dmp

memory/2200-2-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

memory/2900-7-0x000000001B1C0000-0x000000001B4A2000-memory.dmp

memory/2900-8-0x0000000002650000-0x0000000002658000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 3421e1db590731def6ec1a7b02a21abb
SHA1 2b69177c40a1534c644152842cb318a0f7def310
SHA256 538fd9dd65dee4dbc05e7823b6588e3b606fce0c281d881a9d2ad65be7d83ed5
SHA512 2d8601ac59afd5406c5ada8757dc9f37b224e2fe71aa87fd7516137f60d77a708c061ed277115f0c38f7dc4055865f0ea8dace47a45eef382ea28dd3dd26684e

memory/2776-14-0x000000001B280000-0x000000001B562000-memory.dmp

memory/2776-15-0x0000000002310000-0x0000000002318000-memory.dmp

memory/2200-16-0x000007FEF6003000-0x000007FEF6004000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2200-29-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted 2024-11-13 23:16
Reported 2024-11-13 23:19
Platform win10v2004-20241007-en
Max time kernel 149s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Xworm family

xworm

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Local\\Realtek HD Audio Universal Service.exe" | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe

"C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Realtek HD Audio Universal Service.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Realtek HD Audio Universal Service.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Realtek HD Audio Universal Service.exe'

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
US | 147.185.221.23:25808 | N/A | tcp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 147.185.221.23:25808 | N/A | tcp
US | 147.185.221.23:25808 | N/A | tcp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 147.185.221.23:25808 | N/A | tcp
US | 147.185.221.23:25808 | N/A | tcp
US | 8.8.8.8:53 | N/A | udp

Files

memory/2292-0-0x00007FFA81943000-0x00007FFA81945000-memory.dmp

memory/2292-1-0x0000000000110000-0x000000000012A000-memory.dmp

memory/2292-2-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

memory/2284-3-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_egtrbu1r.pde.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2284-9-0x00000145ABED0000-0x00000145ABEF2000-memory.dmp

memory/2284-14-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

memory/2284-15-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

memory/2284-18-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e907f77659a6601fcc408274894da2e
SHA1 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 da5c82b0e070047f7377042d08093ff4
SHA1 89d05987cd60828cca516c5c40c18935c35e8bd3
SHA256 77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5
SHA512 7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c70f5fdb5161c221cb8341f486091374
SHA1 3d815ce68a4272adeaafee14447b69620c4bb00b
SHA256 84f83d3986bf995a502114b318f7ad836701a9f0061a86bdc75573a18094f1f4
SHA512 0623e131bf69373cd84a54455ea7236817f8f32a75dd5490a0223ea48eac370968bc92df0156acdd97ab57acf9b418b42540d703cea2b3c3a92c2e99c327a973

memory/2292-53-0x00007FFA81943000-0x00007FFA81945000-memory.dmp

memory/2292-55-0x00007FFA81940000-0x00007FFA82401000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted 2024-11-13 23:16
Reported 2024-11-13 23:19
Platform win7-20241010-en
Max time kernel 120s
Max time network 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe"

Signatures

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob data omitted] | C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe

"C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | keyauth.win | udp
US | 104.26.0.5:443 | keyauth.win | tcp

Files

memory/2200-0-0x000007FEF5DD3000-0x000007FEF5DD4000-memory.dmp

memory/2200-1-0x0000000000C30000-0x0000000000FF4000-memory.dmp

memory/2200-2-0x000000001C9F0000-0x000000001CC04000-memory.dmp

memory/2200-3-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

memory/2200-4-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

memory/2200-5-0x000007FEF5DD3000-0x000007FEF5DD4000-memory.dmp

memory/2200-6-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

memory/2200-7-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted 2024-11-13 23:16
Reported 2024-11-13 23:19
Platform win10v2004-20241007-en
Max time kernel 148s
Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe"

Signatures

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe

"C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | keyauth.win | udp
US | 172.67.72.57:443 | keyauth.win | tcp
US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.72.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp

Files

memory/2344-0-0x00007FF8CE2F3000-0x00007FF8CE2F5000-memory.dmp

memory/2344-1-0x0000029855D70000-0x0000029856134000-memory.dmp

memory/2344-2-0x0000029856530000-0x0000029856542000-memory.dmp

memory/2344-3-0x0000029870750000-0x0000029870964000-memory.dmp

memory/2344-4-0x00007FF8CE2F0000-0x00007FF8CEDB1000-memory.dmp

memory/2344-5-0x0000029873600000-0x000002987363C000-memory.dmp

memory/2344-6-0x00007FF8CE2F0000-0x00007FF8CEDB1000-memory.dmp

memory/2344-7-0x00007FF8CE2F3000-0x00007FF8CE2F5000-memory.dmp

memory/2344-8-0x00007FF8CE2F0000-0x00007FF8CEDB1000-memory.dmp

memory/2344-9-0x00007FF8CE2F0000-0x00007FF8CEDB1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-13 23:16
Reported 2024-11-13 23:19
Platform win7-20241010-en
Max time kernel 125s
Max time network 139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SAMX222C.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Xworm family

xworm

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe | N/A
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SAMX222C.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SAMX222C.exe | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Local\\Realtek HD Audio Universal Service.exe" | C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SAMX222C.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob data omitted] | C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2220 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\SAMX222C.exe C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe
PID 2220 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\SAMX222C.exe C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe
PID 2220 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\SAMX222C.exe C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe
PID 2220 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\SAMX222C.exe C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe
PID 2220 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\SAMX222C.exe C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe
PID 2220 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\SAMX222C.exe C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe
PID 2220 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\SAMX222C.exe C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe
PID 2220 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\SAMX222C.exe C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe
PID 932 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 264 N/A C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 932 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SAMX222C.exe

"C:\Users\Admin\AppData\Local\Temp\SAMX222C.exe"

C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe

"C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe"

C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe

"C:\Users\Admin\AppData\Local\Temp\SAM X222C#.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Realtek HD Audio Universal Service.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Realtek HD Audio Universal Service.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Realtek HD Audio Universal Service.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 keyauth.win udp
US 172.67.72.57:443 keyauth.win tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 147.185.221.23:25808 N/A tcp
US 147.185.221.23:25808 N/A tcp
US 147.185.221.23:25808 N/A tcp
US 147.185.221.23:25808 N/A tcp
US 147.185.221.23:25808 N/A tcp

Files

\Users\Admin\AppData\Local\Temp\Realtek HD Audio Universal Service.exe

MD5 066d90fb1d671648842a3b46622eb7ce
SHA1 6d0949bd4f494c9f8d80b705a79cfa9038c80e51
SHA256 8d2cf02c3005fb4bb7058df1f3a2e24b98077a8c5a8aab5c8184f4aa9ed951d8
SHA512 b22c8910e501de5fcb8e6197552396285366c9b43c4c6df4387b95a28830bf13a6ce634aadbf79e71b83879d19132c63414da5c5059edaa33be6bb71cee32745

memory/932-8-0x000007FEF64B3000-0x000007FEF64B4000-memory.dmp

\Users\Admin\AppData\Local\Temp\SAM X222C#.exe

MD5 ad991add5af431b8d808cf9035a5cd46
SHA1 d7ac382fa834529219db1b76e4d928ff24f1245b
SHA256 a1dfdf32f2a82156bb3007896a9672fa05aba8ce4c668c3f4dce449a1a811a19
SHA512 b876e8380ab97dade3f875a7e0cee2dc598ba55143921bdd1f1d9d2d5be55c25d62b12aaef424227e1450f6ddf67a4e04e3f4fc846182abb842c4c821997cbbd

memory/932-13-0x0000000001260000-0x000000000127A000-memory.dmp

memory/2924-15-0x0000000000C20000-0x0000000000FE4000-memory.dmp

memory/2924-16-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp

memory/2924-18-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp

memory/2924-17-0x000000001CA00000-0x000000001CC14000-memory.dmp

memory/932-19-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp

memory/264-26-0x0000000001E50000-0x0000000001E58000-memory.dmp

memory/264-25-0x000000001B350000-0x000000001B632000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2CCUZUWME3UBQC4L0E5T.temp

MD5 357608fb58fa8ce8de7168a21a7b1cbd
SHA1 775f53105b6b723fe823e5b29b6165f9d4767ab5
SHA256 b737768b1ade71b80ac2ad804387fb2f0976ed1af8e8bf121bbc0666252da3da
SHA512 6548c904ae704b481a5c1c0917577a2e9ab873ef6879d21025aeb9d8205c9c548d891fa8e06ef02a149cecfde62df602dce15e4bc5ecc794f7e286d48941fd0a

memory/2128-34-0x0000000002490000-0x0000000002498000-memory.dmp

memory/2128-33-0x000000001B430000-0x000000001B712000-memory.dmp

memory/932-32-0x000007FEF64B3000-0x000007FEF64B4000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2924-41-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp

memory/2924-47-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp

memory/932-49-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp