xworm | 66e240c85756cdd733ba77fd2a3f1807a2c960e47c220fcd646b9758c0b1905d

Analysis

max time kernel
149s
max time network
155s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
17-11-2024 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Decryption.exe
Size

89KB
MD5

135041cb6c4e66156a9cc5af89db818e
SHA1

b80b813743bb5441ed38166f0975953631115a26
SHA256

66e240c85756cdd733ba77fd2a3f1807a2c960e47c220fcd646b9758c0b1905d
SHA512

6c7655a213d4990d7f63f880e5fb17f366e9d53f7c78310a7d11acde66116683305d630d98585583bd04c50e2a582173fc4722742ffa0249902de95d3ba67b7f
SSDEEP

1536:WaBsJpMRlSEwuW6Lp7h0YLgpTqNGOmoD/AVtgl2mYrJ/EEebWjD2mPsD:WagSWuW4Jh3QgGwMV6/Y1ab4VPsD

Score

10^/10

xworm evasion execution persistence rat trojan

Malware Config

Extracted

Family

xworm

while-stuffed.gl.at.ply.gg:61275

Attributes

Install_directory
%ProgramData%
install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2112-46-0x000000001C770000-0x000000001C788000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5008	powershell.exe
344	powershell.exe
4544	powershell.exe
4068	powershell.exe
4636	powershell.exe
1168	powershell.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Decryption.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryption.lnk	Decryption.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryption.lnk	Decryption.exe

Executes dropped EXE 2 IoCs

pid	Process
2572	Decryption.exe
5324	Decryption.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Decryption = "C:\\ProgramData\\Decryption.exe"	Decryption.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4860	schtasks.exe
772	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
5008	powershell.exe
5008	powershell.exe
344	powershell.exe
344	powershell.exe
4544	powershell.exe
4544	powershell.exe
4068	powershell.exe
4068	powershell.exe
4636	powershell.exe
4636	powershell.exe
1168	powershell.exe
1168	powershell.exe
2112	Decryption.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	Decryption.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeIncreaseQuotaPrivilege	5008	powershell.exe
Token: SeSecurityPrivilege	5008	powershell.exe
Token: SeTakeOwnershipPrivilege	5008	powershell.exe
Token: SeLoadDriverPrivilege	5008	powershell.exe
Token: SeSystemProfilePrivilege	5008	powershell.exe
Token: SeSystemtimePrivilege	5008	powershell.exe
Token: SeProfSingleProcessPrivilege	5008	powershell.exe
Token: SeIncBasePriorityPrivilege	5008	powershell.exe
Token: SeCreatePagefilePrivilege	5008	powershell.exe
Token: SeBackupPrivilege	5008	powershell.exe
Token: SeRestorePrivilege	5008	powershell.exe
Token: SeShutdownPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeSystemEnvironmentPrivilege	5008	powershell.exe
Token: SeRemoteShutdownPrivilege	5008	powershell.exe
Token: SeUndockPrivilege	5008	powershell.exe
Token: SeManageVolumePrivilege	5008	powershell.exe
Token: 33	5008	powershell.exe
Token: 34	5008	powershell.exe
Token: 35	5008	powershell.exe
Token: 36	5008	powershell.exe
Token: SeDebugPrivilege	344	powershell.exe
Token: SeIncreaseQuotaPrivilege	344	powershell.exe
Token: SeSecurityPrivilege	344	powershell.exe
Token: SeTakeOwnershipPrivilege	344	powershell.exe
Token: SeLoadDriverPrivilege	344	powershell.exe
Token: SeSystemProfilePrivilege	344	powershell.exe
Token: SeSystemtimePrivilege	344	powershell.exe
Token: SeProfSingleProcessPrivilege	344	powershell.exe
Token: SeIncBasePriorityPrivilege	344	powershell.exe
Token: SeCreatePagefilePrivilege	344	powershell.exe
Token: SeBackupPrivilege	344	powershell.exe
Token: SeRestorePrivilege	344	powershell.exe
Token: SeShutdownPrivilege	344	powershell.exe
Token: SeDebugPrivilege	344	powershell.exe
Token: SeSystemEnvironmentPrivilege	344	powershell.exe
Token: SeRemoteShutdownPrivilege	344	powershell.exe
Token: SeUndockPrivilege	344	powershell.exe
Token: SeManageVolumePrivilege	344	powershell.exe
Token: 33	344	powershell.exe
Token: 34	344	powershell.exe
Token: 35	344	powershell.exe
Token: 36	344	powershell.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeIncreaseQuotaPrivilege	4544	powershell.exe
Token: SeSecurityPrivilege	4544	powershell.exe
Token: SeTakeOwnershipPrivilege	4544	powershell.exe
Token: SeLoadDriverPrivilege	4544	powershell.exe
Token: SeSystemProfilePrivilege	4544	powershell.exe
Token: SeSystemtimePrivilege	4544	powershell.exe
Token: SeProfSingleProcessPrivilege	4544	powershell.exe
Token: SeIncBasePriorityPrivilege	4544	powershell.exe
Token: SeCreatePagefilePrivilege	4544	powershell.exe
Token: SeBackupPrivilege	4544	powershell.exe
Token: SeRestorePrivilege	4544	powershell.exe
Token: SeShutdownPrivilege	4544	powershell.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeSystemEnvironmentPrivilege	4544	powershell.exe
Token: SeRemoteShutdownPrivilege	4544	powershell.exe
Token: SeUndockPrivilege	4544	powershell.exe
Token: SeManageVolumePrivilege	4544	powershell.exe
Token: 33	4544	powershell.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe
788	firefox.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2112	Decryption.exe
788	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 5008	2112	Decryption.exe	86
PID 2112 wrote to memory of 5008	2112	Decryption.exe	86
PID 2112 wrote to memory of 344	2112	Decryption.exe	92
PID 2112 wrote to memory of 344	2112	Decryption.exe	92
PID 2112 wrote to memory of 4544	2112	Decryption.exe	94
PID 2112 wrote to memory of 4544	2112	Decryption.exe	94
PID 2112 wrote to memory of 4860	2112	Decryption.exe	96
PID 2112 wrote to memory of 4860	2112	Decryption.exe	96
PID 2112 wrote to memory of 4068	2112	Decryption.exe	99
PID 2112 wrote to memory of 4068	2112	Decryption.exe	99
PID 2112 wrote to memory of 4636	2112	Decryption.exe	101
PID 2112 wrote to memory of 4636	2112	Decryption.exe	101
PID 2112 wrote to memory of 1168	2112	Decryption.exe	105
PID 2112 wrote to memory of 1168	2112	Decryption.exe	105
PID 2112 wrote to memory of 772	2112	Decryption.exe	107
PID 2112 wrote to memory of 772	2112	Decryption.exe	107
PID 4704 wrote to memory of 788	4704	firefox.exe	114
PID 4704 wrote to memory of 788	4704	firefox.exe	114
PID 4704 wrote to memory of 788	4704	firefox.exe	114
PID 4704 wrote to memory of 788	4704	firefox.exe	114
PID 4704 wrote to memory of 788	4704	firefox.exe	114
PID 4704 wrote to memory of 788	4704	firefox.exe	114
PID 4704 wrote to memory of 788	4704	firefox.exe	114
PID 4704 wrote to memory of 788	4704	firefox.exe	114
PID 4704 wrote to memory of 788	4704	firefox.exe	114
PID 4704 wrote to memory of 788	4704	firefox.exe	114
PID 4704 wrote to memory of 788	4704	firefox.exe	114
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115
PID 788 wrote to memory of 4856	788	firefox.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Decryption.exe
"C:\Users\Admin\AppData\Local\Temp\Decryption.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Decryption.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Decryption.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Decryption.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4544
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "Decryption" /tr "C:\ProgramData\Decryption.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Decryption.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Decryption.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Decryption.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1168
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Decryption" /tr "C:\ProgramData\Decryption.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:772

C:\ProgramData\Decryption.exe
"C:\ProgramData\Decryption.exe"
1⤵
- Executes dropped EXE
PID:2572

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:788
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4bf464a-6f5e-446c-b788-889f00eb38f2} 788 "\\.\pipe\gecko-crash-server-pipe.788" gpu
    3⤵
    PID:4856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2360 -prefMapHandle 2356 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {344f2745-571d-4661-9654-8924f4e7a148} 788 "\\.\pipe\gecko-crash-server-pipe.788" socket
    3⤵
    PID:4404
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3056 -childID 1 -isForBrowser -prefsHandle 3020 -prefMapHandle 2728 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c0d6267-6c6c-4e08-a7a1-fe7dcdabd926} 788 "\\.\pipe\gecko-crash-server-pipe.788" tab
    3⤵
    PID:2268
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3936 -childID 2 -isForBrowser -prefsHandle 3916 -prefMapHandle 3912 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05176853-4f31-487a-9b2e-f6ead3163b41} 788 "\\.\pipe\gecko-crash-server-pipe.788" tab
    3⤵
    PID:4152
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4924 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4920 -prefMapHandle 4916 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a818d38b-e69f-4488-a59b-5c2b3452a0ae} 788 "\\.\pipe\gecko-crash-server-pipe.788" utility
    3⤵
    - Checks processor information in registry
    PID:3724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -childID 3 -isForBrowser -prefsHandle 5412 -prefMapHandle 5408 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e07a0043-4b60-4414-ba04-18eb53ab6431} 788 "\\.\pipe\gecko-crash-server-pipe.788" tab
    3⤵
    PID:5632
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5652 -childID 4 -isForBrowser -prefsHandle 5572 -prefMapHandle 5576 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5e3048b-99fb-4c6b-a40a-5377d140191c} 788 "\\.\pipe\gecko-crash-server-pipe.788" tab
    3⤵
    PID:5652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5844 -childID 5 -isForBrowser -prefsHandle 5764 -prefMapHandle 5768 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1036 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45834614-d355-451b-8dbb-0f4a4001d980} 788 "\\.\pipe\gecko-crash-server-pipe.788" tab
    3⤵
    PID:5664

C:\ProgramData\Decryption.exe
"C:\ProgramData\Decryption.exe"
1⤵
- Executes dropped EXE
PID:5324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Decryption.exe

Filesize
89KB

MD5
135041cb6c4e66156a9cc5af89db818e

SHA1
b80b813743bb5441ed38166f0975953631115a26

SHA256
66e240c85756cdd733ba77fd2a3f1807a2c960e47c220fcd646b9758c0b1905d

SHA512
6c7655a213d4990d7f63f880e5fb17f366e9d53f7c78310a7d11acde66116683305d630d98585583bd04c50e2a582173fc4722742ffa0249902de95d3ba67b7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Decryption.exe.log

Filesize
1KB

MD5
2b4889ecb49120375fdf2bccb3c0966e

SHA1
fc1ee2f1161887e3f8b0cdd2453ae441739b993a

SHA256
7bf24ff0f6791ef902937b3caba0de16814a2c898dfb103d922c48582b602379

SHA512
8d737276620add4738d3cb484bca8e1efe23247955d37ebad199d2428f2f494e10dbee98721a77c7fa9d55f662c230acb206894538da9b8a9d0314166b5549a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a807b1c91ac66f33f88a787d64904c1

SHA1
83c554c7de04a8115c9005709e5cd01fca82c5d3

SHA256
155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

SHA512
29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7a15ef6656cda886be3eebad5928946b

SHA1
7a3ce16434bf39ba0823c37159e65222db538fd4

SHA256
9aef12215208eea439624eef88c4ccbe5feffba5355a5a589570f150922d7ad2

SHA512
80d233332dc88f7b7506285e656321b80e08ed2130abec66f7b55501f0c6707eba38b520cefc38002a8941c2a9d58d7009c83c9399e76aaabfb0f09dfc301bf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4bf4f82d55b33118107af2064a882b9b

SHA1
c759ef5968f69923d64de0f041d3a5503b04dbb6

SHA256
2d48d8ff18d8fc9c1fc69266bcc5ac72519adabfd9cd671b141fa71b5eec5a33

SHA512
1eb7f3ce1de10e1d59dd7e2bb55d524fb8840793e5d7d1a95cc89f6b281c61565ac74b825cbe8b145b52d788f5770c65fc3ae5c2bb1b5971f685923025eb58c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dcec5191f13bb6636a88c007351997fd

SHA1
bf0bc08eabddf39d11140aa2649a47a651bc127a

SHA256
28f7b9f42b7eee71f034ce52c308e7fbffc6160d9fa1fbc3de22d0c0a09384e3

SHA512
1ae1267beb7d09194e98f1dec281c1fa87d373f4c4ad09b709790efc72a20917d995b0fb4b5f36901e08f98a347e531b635789cd63aab673bd5c760e8d96ad05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7d501c30532ff81c7de905a95def597e

SHA1
115f21f82f55d20ceb2bc349efaa782e75822b2e

SHA256
3ef6ffb06616044680e2f6e5e28d34e5f4fb6cae39a997a73cd4311df9021c68

SHA512
f09a3d5c7363855b2d8b6d54ac6d67e18c6b7acdfad941958234bb329b1af213c75791761889d25af645580a493cb0eadb20f921dc9b06d9d82d4fcabd20fe0d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dom8snqr.default-release\cache2\entries\0DB64982FEEBA15E3E30714246D80C02C00E1E61

Filesize
13.8MB

MD5
7bc1f38baceffb3a80695ac29ebe32a8

SHA1
12cb2a0263d7ab284b1be68e3595313bfd977de3

SHA256
a39ef3c08badc837092432b866c6c02b99bc688c80cf288ef137a9a216190778

SHA512
42eede31c8d88713247aad48e047a28ded9b5336e88988be40ddcb7a4908f9b94bd2483da0fe896a9a2f26bb5c2a5b025bf34456f2bab9bf460f3397eb9d74ee

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dom8snqr.default-release\cache2\entries\39DB9E847E680B765D7B04FCCE6BF5BC0225F878

Filesize
13KB

MD5
b53e613442c339a2b37abfe4bcf3601b

SHA1
3d40c99c490a7e672d4940239517916ae07b60e6

SHA256
84d23a403d14ed748974a6fb5124c0631201957ff4a5c94f195667dc5e91a9b2

SHA512
8ff71a708bb4005fc9367a03cd8a096a439b63f398b51af68d7e64e94366f0dda604d1a5c4f25a1a6f138e578be697341cf57ff9e602eb8489a730534dacc827

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ju1om00u.dd4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryption.lnk

Filesize
687B

MD5
749300085fd954ff6e6233be693db080

SHA1
b962a7c25435b2c4ae5e4ed1f1f84f6c9f6421e9

SHA256
c49a3c172a6bb2a357a5d56705f8b98311bf77cf95613312efe823b8ce15d9c4

SHA512
d35907d51476dd6aa0be0db87269d3f19b6454a3e9044f34a373ad50c9f04052949fbccea38fe20cec6a5ba44fe3601cf2efc7b2d3a9347e7881803a70bf0229

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\AlternateServices.bin

Filesize
8KB

MD5
1788d96f7758eecc0c2050e37b37beb0

SHA1
7db042061a7dd1161cb4fcb868d79d2dc60e757e

SHA256
47366beaecb4fa8bb122db911908e33b51f568ab2e8bc5ae047a7668477363e5

SHA512
e620ea23f22824162bf5cb1e293855e78677a56a0913b2356043f27015c876bd1b0e2e0c723579408940af4ac204a44b34ecfd1752097d851f3c188eff4cf75f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
6b761100c9aa2dbeea3b0df984882ac3

SHA1
a88e2ebba08a5836cfa7f6faf163ddb62aeadabb

SHA256
4fceb0a0351a12c39f4b72922db462e84fd136f438ecdd01c80146d137b667da

SHA512
3596615b8f99398888fb2f950bfec94a7073afc041672ed9d9964fa78a77a04c679a1637ed274fd1fe280e4d4e86a2d505a10e3e33e224cd4dc56a1ed49845dd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
22e4e571e49b8723494b1aea77a4496b

SHA1
17d2d5df2333d5781aa0077f7ac292a58b0cefff

SHA256
82f4d4c2d2cb537ca6c8fbf3c47aaba7f49b99e6e3b3d7bc29cd6eed763c938d

SHA512
a1563ba31cf9829687bdc189394657329625688d29a27641c4edf68c1ea837653f8ab6b3fcb0cd43ecd676d210717781cff0268677efc747303fdbaaad90ff5d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
8e06dd0cc93604c9afec6409f301d899

SHA1
e7d7944c205afa3fd2bd33140dc922ef80c3ae34

SHA256
92c263ffb675859561b18a7bcbfddd4a3ae220e0e37420d30d3972a68a66b082

SHA512
75de0b753d10b03da69572a9de47dff7b190c8bce8af55e3798659eef2bba8b79b992161f89b3506de8867b9c94c5c0d24b31ce01eea39796154ce900b0955d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\datareporting\glean\pending_pings\2858a8df-32a8-4e5f-870f-1127a9a040b2

Filesize
671B

MD5
208cc69df31e77720600c94a5ca505ea

SHA1
8813ab8e2e47d201424edf57c056dde3ab8e5ba3

SHA256
528144cad976f02ac5dafb955757d12abc46a1d0a84af2a2c2d3f800a21649ce

SHA512
aee86f9b3660e6855f0f2c4b8605f1db0e36b24b0787d2e33603aeaec91fa69f622e7a2d117a4609e5a31ae83e2955d8c36935b74e609519bad2d0cf659b4dbe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\datareporting\glean\pending_pings\61f585cb-f29c-4205-8154-a49a9aeec648

Filesize
982B

MD5
0130026ce08ef6da7caaafaa20980d18

SHA1
046e061bf71de8a6611d91804f9cfc1f0c6a34c4

SHA256
6fdce146267d1cf128341de395658d52d78f094cc1129dfb3a2d22996f4e20e1

SHA512
83d7b3927294eebfb48a30fa903d687be5b20e659ef35a4fe53a9a8f77702807cee2a954eb7081e940eba0cf6c60e723f5478a5f483c58500404453e00660f07

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\datareporting\glean\pending_pings\ccb8b7d2-43ae-495c-a649-af1c41f336c7

Filesize
26KB

MD5
db7090ced0c4f01246a099048d4cf24d

SHA1
eb3506317782a064b39154ba85d45c86ed98e137

SHA256
36d57240ae32f1e6602ada337cc269141d691b45487473c9940e9b9f9ba21ed4

SHA512
54ca0b9b9ca689513628aaff0d8fc1e84357e5fda6577584d46b8b7ec0f2d2f571500efd95ca3aabb70b8fa4d019d05622b46fea6ad77d93e843947a922a0ca5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\prefs-1.js

Filesize
11KB

MD5
04d550e1588a775651b840b7a6350f05

SHA1
f42f674dc7d046ca9ef566a43ebffe8365640c8f

SHA256
97a5ac126bcca89ac3d40c4de347b10f4b32c88499a2b6c1f68947d9c60aeb59

SHA512
7c76cf1b0391ba454ac9d49027266835e5d5b71504203c67dd1e04f7306f044941ceeff65263e1fdf431b68e15f0f61d906d370fec39a4de318d419a68d8cabd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\prefs-1.js

Filesize
12KB

MD5
6d8e0e999948639c906b33d885d9ab57

SHA1
a9d7f808b1f364d1c14585408764e7969da73091

SHA256
cb27c50fe56b96d579cf9e130314e0361242252ce9c008dd4d805692d669e7b1

SHA512
a9653a89ac4b38413a017f285cde4880f1466741419f15c52ba9bedcdd644a6f5ae2018046a9622d80d096e9ed75fc83467f8e0bd9aef322a04ac778e3a85bd5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\prefs.js

Filesize
10KB

MD5
f013af4f312b31eb9a0f7b727781a990

SHA1
9b48bbdd8002cd18e737f0ab5323a74d0fbbf1e0

SHA256
f389d16c58a62a3bfc21853f47b5aaec2af42707c164e4ab7ffbacf578fad63a

SHA512
c01c8b261d5463b284a946a55e5a5b7e18bd47d6584b61398a892f3145203b92da42b7ed2985e83c4094aa3fa99e4d29222eb8a0b13b74088ee8da3d3d88d0af

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\prefs.js

Filesize
11KB

MD5
0c1ed5fa48121c32ba2b8a846ebbaf40

SHA1
abaff421595eb46939c704fcf0157028832565c2

SHA256
615b4e1463704993f15a99ce769a406bb147c6b8bf3050d57d3a9d23b2732af3

SHA512
323990e7f1840a2404a0bbe062def27e90dba57c6d60a9a4304a1f4a37001963e142c2cbb10bc0b9f44d58ca7e4ce75d465bc4b524777e7b2239a9f0dc93fc9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
736KB

MD5
15b1b49431edce80371f3017280414d0

SHA1
165224af8d61363175b33cf91782e473a86ec42b

SHA256
fb50ee067b54c13c5bf9acfb6b5c831002b46b6a7a360af6c7440824cf39b520

SHA512
443e040904ad04eab011c5df83bae9f0c36d6c37bde90ee87fa44578f7ee3a38ae2a444c239cca4d32564baf0c03b34360d74b5639ed1f225f36b6fa04f999f5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.3MB

MD5
2ddce6d2f571582854ce47b0e58ff211

SHA1
27804ec4b70cc010ca1481b5a71a72feb1dd619a

SHA256
0d209cf7d22a6ac2977d2ce1f794ca79dc5e565c1ffd692233019d0479f12981

SHA512
6a00cf9c6599fad816bec65f1f85fa6bdb057cc48bc320095720f7d1b6d5184cb3f0a7df64471653138a09ec99976e5f0d616d4f4c59514f5901e9fe14be7c31

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
2.3MB

MD5
1e528ad3863591d442c978f791ab56e5

SHA1
be6684067137319631a5f655f964194d9341c946

SHA256
76e8ebfa2207a83af47216b3ae0a9721c6d5e9376c5cdd7c7477af70be87f8a8

SHA512
7efc7a310eaccc04ad7e990a7b6892437756cf8255e160fca8d670ac37cd5e6f3e6b44e6a35aecad833fbe4548a6fd32b1b537e17939f5224fc8287691b99e29

Download Submit
memory/2112-0-0x00007FFBE7183000-0x00007FFBE7185000-memory.dmp

Filesize
8KB

Download
memory/2112-89-0x000000001AC10000-0x000000001AC1C000-memory.dmp

Filesize
48KB

Download
memory/2112-17-0x00007FFBE7183000-0x00007FFBE7185000-memory.dmp

Filesize
8KB

Download
memory/2112-2-0x00007FFBE7180000-0x00007FFBE7C42000-memory.dmp

Filesize
10.8MB

Download
memory/2112-18-0x00007FFBE7180000-0x00007FFBE7C42000-memory.dmp

Filesize
10.8MB

Download
memory/2112-46-0x000000001C770000-0x000000001C788000-memory.dmp

Filesize
96KB

Download
memory/2112-1-0x0000000000170000-0x000000000018C000-memory.dmp

Filesize
112KB

Download
memory/5008-16-0x00007FFBE7180000-0x00007FFBE7C42000-memory.dmp

Filesize
10.8MB

Download
memory/5008-14-0x00007FFBE7180000-0x00007FFBE7C42000-memory.dmp

Filesize
10.8MB

Download
memory/5008-13-0x00000257A6810000-0x00000257A6832000-memory.dmp

Filesize
136KB

Download
memory/5008-3-0x00007FFBE7180000-0x00007FFBE7C42000-memory.dmp

Filesize
10.8MB

Download
memory/5008-15-0x00007FFBE7180000-0x00007FFBE7C42000-memory.dmp

Filesize
10.8MB

Download
memory/5008-21-0x00007FFBE7180000-0x00007FFBE7C42000-memory.dmp

Filesize
10.8MB

Download