xworm | adab3bc3b5ff06815461229d47960f67233e74a6e7771b80849956d8a1f3f603

Resubmissions

16/11/2024, 03:38

241116-d7cnfsylhx 10

16/11/2024, 03:34

241116-d46r5aylfy 10

Analysis

max time kernel
142s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
16/11/2024, 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Calesial.exe
Size

167KB
MD5

dc87a72941b6080c4734c0c5d1ddd639
SHA1

2c28fcaf49352ed9eeb39137c1157831d3f4bb14
SHA256

adab3bc3b5ff06815461229d47960f67233e74a6e7771b80849956d8a1f3f603
SHA512

122e2dc75d332b507c0f33cc8a1726b475bc6552279b1a64acba55b939ac8c3760933b13f46842096c23a5d604bc2af1bf2dc3dc224ebc8ea8db8f2eefd92e9f
SSDEEP

3072:BAFLeHHWR38aZWbVQSobUzLOD57uvBz65/M6If+3Js+3JFkKeTnX:qlBWbmSbvxBt25

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

forums-advancement.gl.at.ply.gg:58291

Attributes

Install_directory
%Temp%
install_file
1336ffb22842d595e7ee3602982.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/236-1-0x0000000000080000-0x00000000000B0000-memory.dmp	family_xworm
behavioral1/files/0x001c00000002ab56-63.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4076	powershell.exe
3996	powershell.exe
2028	powershell.exe
1404	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1336ffb22842d595e7ee3602982.lnk	Calesial.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1336ffb22842d595e7ee3602982.lnk	Calesial.exe

Executes dropped EXE 3 IoCs

pid	Process
4488	1336ffb22842d595e7ee3602982.exe
5048	1336ffb22842d595e7ee3602982.exe
5124	1336ffb22842d595e7ee3602982.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Run\1336ffb22842d595e7ee3602982 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1336ffb22842d595e7ee3602982.exe"	Calesial.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
552	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5480	WINWORD.EXE
5480	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4076	powershell.exe
4076	powershell.exe
3996	powershell.exe
3996	powershell.exe
2028	powershell.exe
2028	powershell.exe
1404	powershell.exe
1404	powershell.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe
236	Calesial.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
236	Calesial.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	236	Calesial.exe
Token: SeDebugPrivilege	4076	powershell.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeDebugPrivilege	236	Calesial.exe
Token: SeDebugPrivilege	4488	1336ffb22842d595e7ee3602982.exe
Token: SeDebugPrivilege	2568	firefox.exe
Token: SeDebugPrivilege	2568	firefox.exe
Token: SeDebugPrivilege	5048	1336ffb22842d595e7ee3602982.exe
Token: SeDebugPrivilege	5124	1336ffb22842d595e7ee3602982.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
2568	firefox.exe
2568	firefox.exe
2568	firefox.exe
2568	firefox.exe
2568	firefox.exe
2568	firefox.exe
2568	firefox.exe
2568	firefox.exe
2568	firefox.exe
2568	firefox.exe
2568	firefox.exe
2568	firefox.exe
2568	firefox.exe
2568	firefox.exe
2568	firefox.exe
2568	firefox.exe
2568	firefox.exe
2568	firefox.exe
2568	firefox.exe
2568	firefox.exe
2568	firefox.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
236	Calesial.exe
2568	firefox.exe
5480	WINWORD.EXE
5480	WINWORD.EXE
5480	WINWORD.EXE
5480	WINWORD.EXE
5480	WINWORD.EXE
5480	WINWORD.EXE
5480	WINWORD.EXE
5480	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 236 wrote to memory of 4076	236	Calesial.exe	78
PID 236 wrote to memory of 4076	236	Calesial.exe	78
PID 236 wrote to memory of 3996	236	Calesial.exe	80
PID 236 wrote to memory of 3996	236	Calesial.exe	80
PID 236 wrote to memory of 2028	236	Calesial.exe	82
PID 236 wrote to memory of 2028	236	Calesial.exe	82
PID 236 wrote to memory of 1404	236	Calesial.exe	84
PID 236 wrote to memory of 1404	236	Calesial.exe	84
PID 236 wrote to memory of 552	236	Calesial.exe	87
PID 236 wrote to memory of 552	236	Calesial.exe	87
PID 3228 wrote to memory of 2568	3228	firefox.exe	93
PID 3228 wrote to memory of 2568	3228	firefox.exe	93
PID 3228 wrote to memory of 2568	3228	firefox.exe	93
PID 3228 wrote to memory of 2568	3228	firefox.exe	93
PID 3228 wrote to memory of 2568	3228	firefox.exe	93
PID 3228 wrote to memory of 2568	3228	firefox.exe	93
PID 3228 wrote to memory of 2568	3228	firefox.exe	93
PID 3228 wrote to memory of 2568	3228	firefox.exe	93
PID 3228 wrote to memory of 2568	3228	firefox.exe	93
PID 3228 wrote to memory of 2568	3228	firefox.exe	93
PID 3228 wrote to memory of 2568	3228	firefox.exe	93
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94
PID 2568 wrote to memory of 1016	2568	firefox.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Calesial.exe
"C:\Users\Admin\AppData\Local\Temp\Calesial.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Calesial.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Calesial.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1336ffb22842d595e7ee3602982.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1336ffb22842d595e7ee3602982.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1404
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "1336ffb22842d595e7ee3602982" /tr "C:\Users\Admin\AppData\Local\Temp\1336ffb22842d595e7ee3602982.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:552

C:\Users\Admin\AppData\Local\Temp\1336ffb22842d595e7ee3602982.exe
C:\Users\Admin\AppData\Local\Temp\1336ffb22842d595e7ee3602982.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a406d97d-86c6-487e-b73f-dae343fbdd34} 2568 "\\.\pipe\gecko-crash-server-pipe.2568" gpu
    3⤵
    PID:1016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2352 -parentBuildID 20240401114208 -prefsHandle 2336 -prefMapHandle 2332 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bdb1f445-1c54-49d1-a8cc-b261e20ef332} 2568 "\\.\pipe\gecko-crash-server-pipe.2568" socket
    3⤵
    PID:1196
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3104 -childID 1 -isForBrowser -prefsHandle 3008 -prefMapHandle 3016 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77178c1b-f112-465c-b8b0-2718b247ef9c} 2568 "\\.\pipe\gecko-crash-server-pipe.2568" tab
    3⤵
    PID:5028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3668 -childID 2 -isForBrowser -prefsHandle 3608 -prefMapHandle 3676 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc57e139-583e-40c9-badb-105d75b186f9} 2568 "\\.\pipe\gecko-crash-server-pipe.2568" tab
    3⤵
    PID:2932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4896 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4876 -prefMapHandle 4872 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7dbf69be-161a-43f5-b022-9cde75776039} 2568 "\\.\pipe\gecko-crash-server-pipe.2568" utility
    3⤵
    - Checks processor information in registry
    PID:2952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4792 -childID 3 -isForBrowser -prefsHandle 5500 -prefMapHandle 5488 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec9e8fa8-c011-4f15-8963-1787d9148933} 2568 "\\.\pipe\gecko-crash-server-pipe.2568" tab
    3⤵
    PID:5696
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5628 -childID 4 -isForBrowser -prefsHandle 5636 -prefMapHandle 5640 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22211abe-4902-4967-8fcf-0300bd723c0d} 2568 "\\.\pipe\gecko-crash-server-pipe.2568" tab
    3⤵
    PID:5708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5908 -childID 5 -isForBrowser -prefsHandle 5828 -prefMapHandle 5832 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {451bb186-f85b-4d24-9531-6d90b2203e68} 2568 "\\.\pipe\gecko-crash-server-pipe.2568" tab
    3⤵
    PID:5720

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:6052

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\FindProtect.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5480

C:\Users\Admin\AppData\Local\Temp\1336ffb22842d595e7ee3602982.exe
C:\Users\Admin\AppData\Local\Temp\1336ffb22842d595e7ee3602982.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Users\Admin\AppData\Local\Temp\1336ffb22842d595e7ee3602982.exe
C:\Users\Admin\AppData\Local\Temp\1336ffb22842d595e7ee3602982.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\1336ffb22842d595e7ee3602982.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
10bc031fb0dd41ad7afd31f9d32bf1ef

SHA1
7bfd17df2c08043d0b4d12c74a497ca9c5a5df70

SHA256
2b97168494000f6b524660172b44dc021e91c67b2676856fe208f1e3b6f08c9d

SHA512
cdbc2c562d9947fd7b7efe962f762e92e441bac8c20c01d522d7155be46e9a7bd2c2705f563f0661c0f44cd4c64f955f99a299981ed4d15d022e84a91a150578

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
55f30089624be31af328ba4e012ae45a

SHA1
121c28de7a5afe828ea395d94be8f5273817b678

SHA256
28e49da06bd64f06a4cf1a9caead354b94b4d11d5dc916a92da0ed96bad00473

SHA512
ef13cc5b22c754c7816e08b421de64bc8df527d7166e970454139410b2d381b53ebf288ec73013cdce92f0ac226d9ed5b342341db52a8cb0b85b5ad4d3090787

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\odgo8eah.default-release\activity-stream.discovery_stream.json

Filesize
22KB

MD5
19026230a626d39ddbaf1879b0157c7b

SHA1
759b1f96056adcb24297b2ecd5e0fa3e3a765980

SHA256
2f88d1228bcbc2891e75aa7da5152250cdd88d51a968678a802fbe2ec589f6a7

SHA512
86a1c68dee80c4a5dfe0ca5b0f9d7cf4e7cf93a4cd2b672ffe8d64934ec949b3f6db5e2e2bb9699e272d7e5991d16fe2db17dbd1a54bc46752f3657a86cc1e03

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\9085affd-f965-4b73-a707-95924a6c7e1e.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1336ffb22842d595e7ee3602982.exe

Filesize
167KB

MD5
dc87a72941b6080c4734c0c5d1ddd639

SHA1
2c28fcaf49352ed9eeb39137c1157831d3f4bb14

SHA256
adab3bc3b5ff06815461229d47960f67233e74a6e7771b80849956d8a1f3f603

SHA512
122e2dc75d332b507c0f33cc8a1726b475bc6552279b1a64acba55b939ac8c3760933b13f46842096c23a5d604bc2af1bf2dc3dc224ebc8ea8db8f2eefd92e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u3n24ext.u2j.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
334B

MD5
5934a6560877024ad689b168b0e29902

SHA1
29413aafdba00dc1efa21efa435d5bd2eaaa66c4

SHA256
7ce72694e70207ab232e585f04aacb831fd2578267aee5498cd9dcb0b2dd4b29

SHA512
bcbef95fa70a30a92ae21918a9de8ecf19bc2e8a60865b4935a6212ebf4bdfd673085d2013be97b9c5a6c742fdc8415b3c66c202d3e9e27dc1fa1f14716b64e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
814e7f64886ca136f9dac9283aadce71

SHA1
808729686f843c83d8a82a902931917aa82ef189

SHA256
68448e055ff9c0823e0ceaa8ae2c4a79ae750474fc84f2be077c1c2e7c80d519

SHA512
cc91245af5d854bb04c17f06116413e381005ec7a91bd6b4e9ee462dcf878ae9af6a81695a604251015bfd76e084c997181841fe28d087e007c29cdfec727d69

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1336ffb22842d595e7ee3602982.lnk

Filesize
1KB

MD5
e6ecd26cdb26e472c5ea90443130bf0e

SHA1
4f41c323b69f75cf71dee436be5f3f945971ae06

SHA256
fd298395545c096257dac6fc395d3de8355b240086df020ee90c4aff085030ae

SHA512
2fd662c38d624ce3d9519b75c3f5e1eac54ab304d2702f63ab64ab8848a54fb54420393cbe68abf4b127c8e94f7302a1fea53ca026f67a87d5d2f03c5526881d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\AlternateServices.bin

Filesize
6KB

MD5
6527240516c710cb60487baf2ba2e1e8

SHA1
ca63b24771343ef457a03a62966c51af2b29e46a

SHA256
319f117df1c9ddf4afd321e0317c0f3755ee55b5537027c3dcf1c9d5604ff8df

SHA512
783f890674e4bb17f25169ade4e2e533d170f57b19c181ce406c791b5bac78dd0d803d519b5dec8bf0194693c28dac6073689d47ea7b97a0f3bcf93c39194008

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\AlternateServices.bin

Filesize
8KB

MD5
8ecb0eb2fbb1f0470db03ea4e235648e

SHA1
6c0939b055115b7c134683074d8a86652e268658

SHA256
c65674ab0b42422475900bf1387a80a75d0649510eb89f8dd989a3bbff2e37da

SHA512
020a49c092f5ad5604e1a6711a5d634bd1013cb910502ecd8043800006e46884f1e751c00386d42d1fdfea8ff098baa8fbb6ac54059709f473db8a775edf536e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
252563c6ee9d7afc0ea1989748633b9d

SHA1
da4f26f56e432df5c7219f1357a509401307ccaa

SHA256
443f1df850ab6897c152eed7b7fc50f76bead16aaf6827912c4a994518828252

SHA512
fb055a37d4a0270a676c26281c960f207ea5ed0cd4aec819033945301a0c7d648da233293f30e5f8c423c2223f60701bbf449ca1256c4fcdef63593225b47f49

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
6c38d4ce4ae90007ac976f4af7c82c59

SHA1
107601fe5839f80b81a57e5b5e91b8df6a319090

SHA256
0c427a98e91d9bd50d9cbf7a02bd59e8cc59917494827c9b17bfdae66792fc01

SHA512
ecd17f1a4a8a5fc66778f7809ef619d02370beeb04fbee1bb64ec02585b4c943b22c6a500736d6a86c350523441b6401832c1d53c04d44d7863ea4d5d4953709

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
13375a1f64c22b92733e3c2bd3cabb79

SHA1
6feba6a2cf05d2c38a77dc7172c4f753e83f3fef

SHA256
a31f802a36519ce5120d36cca3a2712b9f92854a72d24c3033eedbe4ae98d84d

SHA512
6d9ccc839708479f7fee9d1ea6b41e4349e32aacdbb861ad5c5aa8d5200ab90769fc76fb88d7664f55212c862c49c49c75d79eb5b415183c4ed8af76b5fad8e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
6c486e90f98428a9ac27185e29a6f225

SHA1
57ef98823fbd7feddb6f4ac91a7cefd38fdf7c43

SHA256
0b90d62e4f29394d196249d85cd01c5b68b58d36f26301098a940972a7c96c45

SHA512
44888fe7bb113ef629491204a735dc4f74c288223d99ada30df3116b1aab65dc45152515ac49ba37373568bb8f83ddc7604792939e0ab3ebf30acdc2c52f0bf7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\pending_pings\9dcbe9e1-ab4c-44ab-836b-1c963f103404

Filesize
659B

MD5
21e36af87b31ca14b2d7fdcf58a6ab99

SHA1
67458a107516ca6467ee45aff18b0ff4903d316c

SHA256
d3d0a777b22bb6b51360a65c7ef45518cc985935a43e14ddd9d4c48bb560f2c5

SHA512
9895b387435d73c02f77f04c3e63f220999232e67ce43c10bb162d9f23440a22e2f3a1137f91f02d1ae7d6a5c018460ee7f7cf271fc1e154043fc9fbba40776d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\pending_pings\cb6f82f7-33ee-41a2-a8b6-e5ad0df8c74b

Filesize
982B

MD5
3c20472f8636dcc03fb4061403ad06ab

SHA1
72af8cceab826e68d6e09fa3892bfc4ad82244fe

SHA256
ba8a55737c08374ff14460c1b1c377226a9f1e81739fcf27fb60e901a92cbb8f

SHA512
a5d5a3b5e4ec2f7dced5f5d0e987d2421a129e1aa868fc753bd09df7a76b226e78dd3702cfcc947c437c8015d2eb135a847d84160f17784d40aa6dc8adc2c3b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\prefs-1.js

Filesize
11KB

MD5
c6d86df3efc5d6486b9ec542277b1679

SHA1
9832d4eba91fe59190b9aef23b68b17b761135a5

SHA256
66a264e0ee6093d4ee6cf1046a7d87fbfc09a8eb62c20f70ac046708ca74c920

SHA512
67fd42fd0169b629b3c5869528b8c6263d814e627f43d40289474c7476a34d3b9db1ceaea3218b85ca9485c6acbb694cac4dc2de24cf2dd122f60582fc92b7ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\prefs-1.js

Filesize
11KB

MD5
9ab9472b91693aeb651397d34f6cf0e4

SHA1
edbda09a25a2cad44851569579dd36a66abf2060

SHA256
386f4ffa93a24f123c09aae4d5cbb0610c82a713802291209e3e65923833c173

SHA512
0fb35488dd66133eaaf647015be5758a57526afb861ea18218b35551df0b11b1e6e4a5f63a9ed2b2c4f29c83ee331356a6762ddc4cd69854e94d97b41cd92d82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\prefs.js

Filesize
11KB

MD5
6d2457b58d2f8c3d49bdefb2ab710d15

SHA1
2fecf0ec03efd67db2b5e2adc267a452cd221a24

SHA256
b674012fdfe1dcbba22dea6f1ab7c325376e886615b015a12963eb138200072e

SHA512
7db042b19181b07948c40323e6496bef41ab19fb60aa9f84d8b3d552d34653e7033356fa330146f31bbec9e26616fb3e37822dbe9c5897c5de3eb4d322fd3b4a

Download Submit
memory/236-0-0x00007FFAFF0E3000-0x00007FFAFF0E5000-memory.dmp

Filesize
8KB

Download
memory/236-56-0x00007FFAFF0E0000-0x00007FFAFFBA2000-memory.dmp

Filesize
10.8MB

Download
memory/236-2-0x00007FFAFF0E0000-0x00007FFAFFBA2000-memory.dmp

Filesize
10.8MB

Download
memory/236-1-0x0000000000080000-0x00000000000B0000-memory.dmp

Filesize
192KB

Download
memory/4076-3-0x00007FFAFF0E0000-0x00007FFAFFBA2000-memory.dmp

Filesize
10.8MB

Download
memory/4076-9-0x00007FFAFF0E0000-0x00007FFAFFBA2000-memory.dmp

Filesize
10.8MB

Download
memory/4076-18-0x00007FFAFF0E0000-0x00007FFAFFBA2000-memory.dmp

Filesize
10.8MB

Download
memory/4076-13-0x0000019C5B8E0000-0x0000019C5B902000-memory.dmp

Filesize
136KB

Download
memory/4076-19-0x00007FFAFF0E0000-0x00007FFAFFBA2000-memory.dmp

Filesize
10.8MB

Download
memory/4076-15-0x00007FFAFF0E0000-0x00007FFAFFBA2000-memory.dmp

Filesize
10.8MB

Download
memory/4076-14-0x00007FFAFF0E0000-0x00007FFAFFBA2000-memory.dmp

Filesize
10.8MB

Download
memory/5480-443-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp

Filesize
64KB

Download
memory/5480-442-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp

Filesize
64KB

Download
memory/5480-439-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp

Filesize
64KB

Download
memory/5480-441-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp

Filesize
64KB

Download
memory/5480-444-0x00007FFADD8A0000-0x00007FFADD8B0000-memory.dmp

Filesize
64KB

Download
memory/5480-440-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp

Filesize
64KB

Download
memory/5480-563-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp

Filesize
64KB

Download
memory/5480-566-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp

Filesize
64KB

Download
memory/5480-565-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp

Filesize
64KB

Download
memory/5480-564-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp

Filesize
64KB

Download
memory/5480-445-0x00007FFADD8A0000-0x00007FFADD8B0000-memory.dmp

Filesize
64KB

Download