xworm | 430db8e66c679f507097efe4daa8c7f3099cdeaf91a23d57bc7e3a4036239f4a

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

430db8e66c679f507097efe4daa8c7f3099cdeaf91a23d57bc7e3a4036239f4a.exe
Size

909KB
MD5

35ecb550a5026574deeb24f33fc71fd6
SHA1

0c1e4e7370d34279e42b0b0a00d58a03fa20433a
SHA256

430db8e66c679f507097efe4daa8c7f3099cdeaf91a23d57bc7e3a4036239f4a
SHA512

918c2d2b0d42f367d30327bb5c048ecb8166217419d084b6291a04aeb4fe6a777b6725031b10f67a401ab93c1ab2d2f1ab6469404020f47b225fdc2b2e3a4f00
SSDEEP

24576:7/dTDkoRaidakIYibePZUM+TrxT1sS5GJx:7xDkoRaFYibE0TFJH5Wx

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

83.38.24.1:1603

Attributes

Install_directory
%Userprofile%
install_file
USB.exe

Signatures

Detect Xworm Payload 19 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001202c-5.dat	family_xworm
behavioral1/memory/2328-8-0x00000000000C0000-0x00000000000F0000-memory.dmp	family_xworm
behavioral1/files/0x0008000000016875-11.dat	family_xworm
behavioral1/files/0x0008000000016c66-16.dat	family_xworm
behavioral1/memory/1956-21-0x0000000001210000-0x000000000123A000-memory.dmp	family_xworm
behavioral1/files/0x0007000000016c80-25.dat	family_xworm
behavioral1/memory/2072-23-0x0000000000A30000-0x0000000000A72000-memory.dmp	family_xworm
behavioral1/files/0x0007000000016c88-27.dat	family_xworm
behavioral1/memory/1816-31-0x00000000003F0000-0x0000000000414000-memory.dmp	family_xworm
behavioral1/memory/2284-30-0x0000000000810000-0x0000000000834000-memory.dmp	family_xworm
behavioral1/memory/2572-164-0x0000000000170000-0x0000000000194000-memory.dmp	family_xworm
behavioral1/memory/2400-165-0x0000000000050000-0x000000000007A000-memory.dmp	family_xworm
behavioral1/memory/1860-170-0x0000000001080000-0x00000000010C2000-memory.dmp	family_xworm
behavioral1/memory/1728-173-0x00000000010D0000-0x0000000001100000-memory.dmp	family_xworm
behavioral1/memory/2612-174-0x0000000000C30000-0x0000000000C54000-memory.dmp	family_xworm
behavioral1/memory/2312-184-0x0000000001100000-0x0000000001142000-memory.dmp	family_xworm
behavioral1/memory/660-186-0x00000000012E0000-0x0000000001304000-memory.dmp	family_xworm
behavioral1/memory/2216-187-0x00000000008D0000-0x00000000008F4000-memory.dmp	family_xworm
behavioral1/memory/2732-188-0x0000000000950000-0x000000000097A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1332	powershell.exe
2028	powershell.exe
2244	powershell.exe
2952	powershell.exe
2468	powershell.exe
1496	powershell.exe
2860	powershell.exe
2644	powershell.exe
1548	powershell.exe
1560	powershell.exe
2512	powershell.exe
2276	powershell.exe
2052	powershell.exe
2760	powershell.exe
1312	powershell.exe

Drops startup file 10 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SearchFilterHost.lnk	SearchFilterHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SearchFilterHost.lnk	SearchFilterHost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	SecurityHealthSystray.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiPrvSE.lnk	WmiPrvSE.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.lnk	regedit.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiPrvSE.lnk	WmiPrvSE.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	SecurityHealthSystray.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.lnk	regedit.exe

Executes dropped EXE 15 IoCs

pid	Process
2328	OneDrive.exe
1956	SearchFilterHost.exe
2072	SecurityHealthSystray.exe
2284	WmiPrvSE.exe
1816	regedit.exe
1860	SecurityHealthSystray.exe
2400	SearchFilterHost.exe
2572	WmiPrvSE.exe
1728	OneDrive.exe
2612	regedit.exe
2312	SecurityHealthSystray.exe
2216	WmiPrvSE.exe
660	regedit.exe
1328	OneDrive.exe
2732	SearchFilterHost.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\ProgramData\\SecurityHealthSystray.exe"	SecurityHealthSystray.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\OneDrive.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\regedit = "C:\\Users\\Public\\regedit.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\SearchFilterHost = "C:\\Users\\Admin\\SearchFilterHost.exe"	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\ProgramData\\WmiPrvSE.exe"	WmiPrvSE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs regedit.exe 3 IoCs

pid	Process
1816	regedit.exe
2612	regedit.exe
660	regedit.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2772	schtasks.exe
3060	schtasks.exe
1708	schtasks.exe
2972	schtasks.exe
2628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2860	powershell.exe
2952	powershell.exe
2244	powershell.exe
2760	powershell.exe
2644	powershell.exe
2512	powershell.exe
1312	powershell.exe
2276	powershell.exe
2468	powershell.exe
2052	powershell.exe
1332	powershell.exe
1548	powershell.exe
2028	powershell.exe
1496	powershell.exe
1560	powershell.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	OneDrive.exe
Token: SeDebugPrivilege	1956	SearchFilterHost.exe
Token: SeDebugPrivilege	2072	SecurityHealthSystray.exe
Token: SeDebugPrivilege	2284	WmiPrvSE.exe
Token: SeDebugPrivilege	1816	regedit.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	2328	OneDrive.exe
Token: SeDebugPrivilege	1816	regedit.exe
Token: SeDebugPrivilege	2284	WmiPrvSE.exe
Token: SeDebugPrivilege	1956	SearchFilterHost.exe
Token: SeDebugPrivilege	2072	SecurityHealthSystray.exe
Token: SeDebugPrivilege	1860	SecurityHealthSystray.exe
Token: SeDebugPrivilege	2572	WmiPrvSE.exe
Token: SeDebugPrivilege	2400	SearchFilterHost.exe
Token: SeDebugPrivilege	1728	OneDrive.exe
Token: SeDebugPrivilege	2612	regedit.exe
Token: SeDebugPrivilege	2312	SecurityHealthSystray.exe
Token: SeDebugPrivilege	660	regedit.exe
Token: SeDebugPrivilege	1328	OneDrive.exe
Token: SeDebugPrivilege	2216	WmiPrvSE.exe
Token: SeDebugPrivilege	2732	SearchFilterHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 2328	1644	430db8e66c679f507097efe4daa8c7f3099cdeaf91a23d57bc7e3a4036239f4a.exe	30
PID 1644 wrote to memory of 2328	1644	430db8e66c679f507097efe4daa8c7f3099cdeaf91a23d57bc7e3a4036239f4a.exe	30
PID 1644 wrote to memory of 2328	1644	430db8e66c679f507097efe4daa8c7f3099cdeaf91a23d57bc7e3a4036239f4a.exe	30
PID 1644 wrote to memory of 1956	1644	430db8e66c679f507097efe4daa8c7f3099cdeaf91a23d57bc7e3a4036239f4a.exe	31
PID 1644 wrote to memory of 1956	1644	430db8e66c679f507097efe4daa8c7f3099cdeaf91a23d57bc7e3a4036239f4a.exe	31
PID 1644 wrote to memory of 1956	1644	430db8e66c679f507097efe4daa8c7f3099cdeaf91a23d57bc7e3a4036239f4a.exe	31
PID 1644 wrote to memory of 2072	1644	430db8e66c679f507097efe4daa8c7f3099cdeaf91a23d57bc7e3a4036239f4a.exe	32
PID 1644 wrote to memory of 2072	1644	430db8e66c679f507097efe4daa8c7f3099cdeaf91a23d57bc7e3a4036239f4a.exe	32
PID 1644 wrote to memory of 2072	1644	430db8e66c679f507097efe4daa8c7f3099cdeaf91a23d57bc7e3a4036239f4a.exe	32
PID 1644 wrote to memory of 2284	1644	430db8e66c679f507097efe4daa8c7f3099cdeaf91a23d57bc7e3a4036239f4a.exe	33
PID 1644 wrote to memory of 2284	1644	430db8e66c679f507097efe4daa8c7f3099cdeaf91a23d57bc7e3a4036239f4a.exe	33
PID 1644 wrote to memory of 2284	1644	430db8e66c679f507097efe4daa8c7f3099cdeaf91a23d57bc7e3a4036239f4a.exe	33
PID 1644 wrote to memory of 1816	1644	430db8e66c679f507097efe4daa8c7f3099cdeaf91a23d57bc7e3a4036239f4a.exe	34
PID 1644 wrote to memory of 1816	1644	430db8e66c679f507097efe4daa8c7f3099cdeaf91a23d57bc7e3a4036239f4a.exe	34
PID 1644 wrote to memory of 1816	1644	430db8e66c679f507097efe4daa8c7f3099cdeaf91a23d57bc7e3a4036239f4a.exe	34
PID 1956 wrote to memory of 2244	1956	SearchFilterHost.exe	36
PID 1956 wrote to memory of 2244	1956	SearchFilterHost.exe	36
PID 1956 wrote to memory of 2244	1956	SearchFilterHost.exe	36
PID 2328 wrote to memory of 2760	2328	OneDrive.exe	37
PID 2328 wrote to memory of 2760	2328	OneDrive.exe	37
PID 2328 wrote to memory of 2760	2328	OneDrive.exe	37
PID 2072 wrote to memory of 2952	2072	SecurityHealthSystray.exe	40
PID 2072 wrote to memory of 2952	2072	SecurityHealthSystray.exe	40
PID 2072 wrote to memory of 2952	2072	SecurityHealthSystray.exe	40
PID 1816 wrote to memory of 2860	1816	regedit.exe	42
PID 1816 wrote to memory of 2860	1816	regedit.exe	42
PID 1816 wrote to memory of 2860	1816	regedit.exe	42
PID 2284 wrote to memory of 2644	2284	WmiPrvSE.exe	44
PID 2284 wrote to memory of 2644	2284	WmiPrvSE.exe	44
PID 2284 wrote to memory of 2644	2284	WmiPrvSE.exe	44
PID 1956 wrote to memory of 1312	1956	SearchFilterHost.exe	46
PID 1956 wrote to memory of 1312	1956	SearchFilterHost.exe	46
PID 1956 wrote to memory of 1312	1956	SearchFilterHost.exe	46
PID 2328 wrote to memory of 2468	2328	OneDrive.exe	48
PID 2328 wrote to memory of 2468	2328	OneDrive.exe	48
PID 2328 wrote to memory of 2468	2328	OneDrive.exe	48
PID 2072 wrote to memory of 2512	2072	SecurityHealthSystray.exe	49
PID 2072 wrote to memory of 2512	2072	SecurityHealthSystray.exe	49
PID 2072 wrote to memory of 2512	2072	SecurityHealthSystray.exe	49
PID 1816 wrote to memory of 2276	1816	regedit.exe	52
PID 1816 wrote to memory of 2276	1816	regedit.exe	52
PID 1816 wrote to memory of 2276	1816	regedit.exe	52
PID 2284 wrote to memory of 2052	2284	WmiPrvSE.exe	54
PID 2284 wrote to memory of 2052	2284	WmiPrvSE.exe	54
PID 2284 wrote to memory of 2052	2284	WmiPrvSE.exe	54
PID 1956 wrote to memory of 1548	1956	SearchFilterHost.exe	56
PID 1956 wrote to memory of 1548	1956	SearchFilterHost.exe	56
PID 1956 wrote to memory of 1548	1956	SearchFilterHost.exe	56
PID 1816 wrote to memory of 1332	1816	regedit.exe	57
PID 1816 wrote to memory of 1332	1816	regedit.exe	57
PID 1816 wrote to memory of 1332	1816	regedit.exe	57
PID 2328 wrote to memory of 2028	2328	OneDrive.exe	60
PID 2328 wrote to memory of 2028	2328	OneDrive.exe	60
PID 2328 wrote to memory of 2028	2328	OneDrive.exe	60
PID 2284 wrote to memory of 1496	2284	WmiPrvSE.exe	62
PID 2284 wrote to memory of 1496	2284	WmiPrvSE.exe	62
PID 2284 wrote to memory of 1496	2284	WmiPrvSE.exe	62
PID 2072 wrote to memory of 1560	2072	SecurityHealthSystray.exe	64
PID 2072 wrote to memory of 1560	2072	SecurityHealthSystray.exe	64
PID 2072 wrote to memory of 1560	2072	SecurityHealthSystray.exe	64
PID 2328 wrote to memory of 2772	2328	OneDrive.exe	66
PID 2328 wrote to memory of 2772	2328	OneDrive.exe	66
PID 2328 wrote to memory of 2772	2328	OneDrive.exe	66
PID 1816 wrote to memory of 3060	1816	regedit.exe	68

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\430db8e66c679f507097efe4daa8c7f3099cdeaf91a23d57bc7e3a4036239f4a.exe
"C:\Users\Admin\AppData\Local\Temp\430db8e66c679f507097efe4daa8c7f3099cdeaf91a23d57bc7e3a4036239f4a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2028
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\Users\Admin\OneDrive.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2772
- C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe
  "C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2244
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SearchFilterHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\SearchFilterHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1548
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SearchFilterHost" /tr "C:\Users\Admin\SearchFilterHost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2972
- C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe
  "C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\SecurityHealthSystray.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1560
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\ProgramData\SecurityHealthSystray.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2628
- C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe
  "C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2052
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1496
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WmiPrvSE" /tr "C:\ProgramData\WmiPrvSE.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1708
- C:\Users\Admin\AppData\Local\Temp\regedit.exe
  "C:\Users\Admin\AppData\Local\Temp\regedit.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Runs regedit.exe
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\regedit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'regedit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2276
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\regedit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1332
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "regedit" /tr "C:\Users\Public\regedit.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3060

C:\Windows\system32\taskeng.exe
taskeng.exe {85FF6AE8-699C-4254-B586-51EF3A0E1449} S-1-5-21-1163522206-1469769407-485553996-1000:PJCSDMRP\Admin:Interactive:[1]
1⤵
PID:1564
- C:\ProgramData\SecurityHealthSystray.exe
  C:\ProgramData\SecurityHealthSystray.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1860
- C:\Users\Admin\SearchFilterHost.exe
  C:\Users\Admin\SearchFilterHost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Users\Admin\OneDrive.exe
  C:\Users\Admin\OneDrive.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1728
- C:\ProgramData\WmiPrvSE.exe
  C:\ProgramData\WmiPrvSE.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2572
- C:\Users\Public\regedit.exe
  C:\Users\Public\regedit.exe
  2⤵
  - Executes dropped EXE
  - Runs regedit.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\ProgramData\SecurityHealthSystray.exe
  C:\ProgramData\SecurityHealthSystray.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\ProgramData\WmiPrvSE.exe
  C:\ProgramData\WmiPrvSE.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2216
- C:\Users\Public\regedit.exe
  C:\Users\Public\regedit.exe
  2⤵
  - Executes dropped EXE
  - Runs regedit.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:660
- C:\Users\Admin\SearchFilterHost.exe
  C:\Users\Admin\SearchFilterHost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Users\Admin\OneDrive.exe
  C:\Users\Admin\OneDrive.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OneDrive.exe

Filesize
163KB

MD5
abd4141118794cd94979dc12bcded7b7

SHA1
27b11caedb23ea8dab4f36f5865a96e6e7f55806

SHA256
be9f4292935c19f00dcf2a6e09bc63f50cf7caad0d8ea0a45ed7bf86fb14e904

SHA512
d4ddda6b8ac66683e78b78360326ee50edf5edc8278a2f82e414545d4dd2a3d5e4269fe1dd884926b2e6d7e52af030f0b66fcca50cad77b8a31837ff482c4809

Download Submit
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe

Filesize
145KB

MD5
40324e8a46ec891bcb5300f51ddfc335

SHA1
bc5c53d890371bd472c707da8e84c3925bf077d5

SHA256
cc7bcd68ad32d8490fd2d5217b5bace0068a7ebf96831f0373d88e27e6a3ff2c

SHA512
5b2c618234a6b14ea377604f08dd3c6f193be4f593f18b38ff9a3b88f939d61934c3ec4efca91ff98791051eeb79a53315168bfa0fe8466b60249f3bde9b86de

Download Submit
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe

Filesize
243KB

MD5
f32ac010fcdbc8f8a5582c339ec9d9ea

SHA1
20c06c5a174504c4e28c9aa0b51a62ab8f5c70cb

SHA256
88835382ffaf3f7f0730a0a7edab3d3214cbbfdbc35e7269b80a6bd05b7edd18

SHA512
9798b196315a1e463105b811a0937f763ae21826fa9bd9f346059b5f0a573d48a6f4ed7174fb4551a4ae7ccd089c9cae90c30b38ef6e7c12e896138a0fcaa8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe

Filesize
124KB

MD5
16caf66537fe87d8d9b6a4eb34d9dbff

SHA1
4a399f4229ea5b27963d467223fd4ceb89e545f5

SHA256
64cc787990be5cdc1c25f5cdbfd2a0e93d4c68a888fefa0b7e2b0d12cea4de26

SHA512
a034dba721d36b5396dbe08a581d06c692c84edb0946e45073a8e3eb78a685ad42011b8ffa970190e673e94350dc1feef8d8f51908b53bc23a80536f75bba9d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\regedit.exe

Filesize
121KB

MD5
005b549e8fa8f966d1c0ce845cfaffce

SHA1
4dc69fa135bec170229863f4d7320b402698cef1

SHA256
8befb7faacdffeb7dd84b629ec7066ed1baf3947a6ed8c1ac8432335e3b2828b

SHA512
1169ec7a0628a03ecb8a924527fa03dd0d391f9d0bf2a537e9ee7022265bfeba57b85759507fbc4962f10a5f43f2ea86d8c18cbf00aa8f5b9a2323174a9663ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d35dcdd22ada280e188982e563882560

SHA1
4472ae34ce14d998e14132db45376a9cac750aec

SHA256
11d3d3ad5499143b3ac26a9814b64f4774d5e4dca817a4e818bf346a305e290c

SHA512
40fa723c3b0bc500b42b42e6081806a6f12d4558a618c0da89c51f6c28bbd4152b560da5d9b3b3105aa63b4cf6a88c838850008097451831f2df3b1b83570302

Download Submit
memory/660-186-0x00000000012E0000-0x0000000001304000-memory.dmp

Filesize
144KB

Download
memory/1644-1-0x0000000000C70000-0x0000000000D58000-memory.dmp

Filesize
928KB

Download
memory/1644-0-0x000007FEF54B3000-0x000007FEF54B4000-memory.dmp

Filesize
4KB

Download
memory/1728-173-0x00000000010D0000-0x0000000001100000-memory.dmp

Filesize
192KB

Download
memory/1816-31-0x00000000003F0000-0x0000000000414000-memory.dmp

Filesize
144KB

Download
memory/1860-170-0x0000000001080000-0x00000000010C2000-memory.dmp

Filesize
264KB

Download
memory/1956-21-0x0000000001210000-0x000000000123A000-memory.dmp

Filesize
168KB

Download
memory/2072-23-0x0000000000A30000-0x0000000000A72000-memory.dmp

Filesize
264KB

Download
memory/2216-187-0x00000000008D0000-0x00000000008F4000-memory.dmp

Filesize
144KB

Download
memory/2244-52-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2284-30-0x0000000000810000-0x0000000000834000-memory.dmp

Filesize
144KB

Download
memory/2312-184-0x0000000001100000-0x0000000001142000-memory.dmp

Filesize
264KB

Download
memory/2328-154-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2328-32-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2328-8-0x00000000000C0000-0x00000000000F0000-memory.dmp

Filesize
192KB

Download
memory/2400-165-0x0000000000050000-0x000000000007A000-memory.dmp

Filesize
168KB

Download
memory/2512-71-0x0000000002850000-0x0000000002858000-memory.dmp

Filesize
32KB

Download
memory/2512-70-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/2572-164-0x0000000000170000-0x0000000000194000-memory.dmp

Filesize
144KB

Download
memory/2612-174-0x0000000000C30000-0x0000000000C54000-memory.dmp

Filesize
144KB

Download
memory/2732-188-0x0000000000950000-0x000000000097A000-memory.dmp

Filesize
168KB

Download
memory/2860-58-0x0000000001CD0000-0x0000000001CD8000-memory.dmp

Filesize
32KB

Download