xworm | hxxps://gitlab[.]com/testef/lo/-/raw/main/XWorm_V5[.]6[.]rar?inline=false

Analysis

max time kernel
91s
max time network
95s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-11-2024 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gitlab.com/testef/lo/-/raw/main/XWorm_V5.6.rar?inline=false

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001a00000002ab38-335.dat	family_xworm
behavioral1/memory/1188-343-0x0000000000890000-0x00000000008BA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1888	powershell.exe
4760	powershell.exe
1276	powershell.exe
1320	powershell.exe

.NET Reactor proctector 3 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x001900000002abdd-319.dat	net_reactor
behavioral1/files/0x001a00000002ab38-335.dat	net_reactor
behavioral1/memory/1188-343-0x0000000000890000-0x00000000008BA000-memory.dmp	net_reactor

Executes dropped EXE 4 IoCs

pid	Process
2792	XwormLoader.exe
1188	svchost.exe
1008	Xworm V5.6.exe
1880	svchost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4004	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Xworm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Xworm V5.6.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\XWorm_V5.6.rar:Zone.Identifier	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
572	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1188	svchost.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1228	msedge.exe
1228	msedge.exe
4188	msedge.exe
4188	msedge.exe
3012	msedge.exe
3012	msedge.exe
3716	msedge.exe
3716	msedge.exe
3536	identity_helper.exe
3536	identity_helper.exe
1320	powershell.exe
1320	powershell.exe
1320	powershell.exe
1888	powershell.exe
1888	powershell.exe
1888	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
1276	powershell.exe
1276	powershell.exe
1276	powershell.exe
1188	svchost.exe
1188	svchost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeRestorePrivilege	784	7zG.exe
Token: 35	784	7zG.exe
Token: SeSecurityPrivilege	784	7zG.exe
Token: SeSecurityPrivilege	784	7zG.exe
Token: SeDebugPrivilege	2792	XwormLoader.exe
Token: SeDebugPrivilege	1188	svchost.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	1276	powershell.exe
Token: SeDebugPrivilege	1880	svchost.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
784	7zG.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe
4188	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1188	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4188 wrote to memory of 4596	4188	msedge.exe	77
PID 4188 wrote to memory of 4596	4188	msedge.exe	77
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 3392	4188	msedge.exe	78
PID 4188 wrote to memory of 1228	4188	msedge.exe	79
PID 4188 wrote to memory of 1228	4188	msedge.exe	79
PID 4188 wrote to memory of 1252	4188	msedge.exe	80
PID 4188 wrote to memory of 1252	4188	msedge.exe	80
PID 4188 wrote to memory of 1252	4188	msedge.exe	80
PID 4188 wrote to memory of 1252	4188	msedge.exe	80
PID 4188 wrote to memory of 1252	4188	msedge.exe	80
PID 4188 wrote to memory of 1252	4188	msedge.exe	80
PID 4188 wrote to memory of 1252	4188	msedge.exe	80
PID 4188 wrote to memory of 1252	4188	msedge.exe	80
PID 4188 wrote to memory of 1252	4188	msedge.exe	80
PID 4188 wrote to memory of 1252	4188	msedge.exe	80
PID 4188 wrote to memory of 1252	4188	msedge.exe	80
PID 4188 wrote to memory of 1252	4188	msedge.exe	80
PID 4188 wrote to memory of 1252	4188	msedge.exe	80
PID 4188 wrote to memory of 1252	4188	msedge.exe	80
PID 4188 wrote to memory of 1252	4188	msedge.exe	80
PID 4188 wrote to memory of 1252	4188	msedge.exe	80
PID 4188 wrote to memory of 1252	4188	msedge.exe	80
PID 4188 wrote to memory of 1252	4188	msedge.exe	80
PID 4188 wrote to memory of 1252	4188	msedge.exe	80
PID 4188 wrote to memory of 1252	4188	msedge.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gitlab.com/testef/lo/-/raw/main/XWorm_V5.6.rar?inline=false
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffeafa03cb8,0x7ffeafa03cc8,0x7ffeafa03cd8
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,16525587822708218969,12169677918171295302,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2012 /prefetch:2
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,16525587822708218969,12169677918171295302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1988,16525587822708218969,12169677918171295302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:8
  2⤵
  PID:1252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,16525587822708218969,12169677918171295302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,16525587822708218969,12169677918171295302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,16525587822708218969,12169677918171295302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1988,16525587822708218969,12169677918171295302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1988,16525587822708218969,12169677918171295302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,16525587822708218969,12169677918171295302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,16525587822708218969,12169677918171295302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
  2⤵
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,16525587822708218969,12169677918171295302,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,16525587822708218969,12169677918171295302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,16525587822708218969,12169677918171295302,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:2840

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1304

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:828

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\XWorm_V5.6\" -spe -an -ai#7zMap15735:82:7zEvent31467
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:784

C:\Users\Admin\Downloads\XWorm_V5.6\XWorm V5.6\XwormLoader.exe
"C:\Users\Admin\Downloads\XWorm_V5.6\XWorm V5.6\XwormLoader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2792
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1188
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1276
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:572
- C:\Users\Admin\Downloads\XWorm_V5.6\XWorm V5.6\Xworm V5.6.exe
  "C:\Users\Admin\Downloads\XWorm_V5.6\XWorm V5.6\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates system info in registry
  PID:1008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2769.tmp.bat""
  2⤵
  PID:3904
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4004

C:\ProgramData\svchost.exe
C:\ProgramData\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fdee96b970080ef7f5bfa5964075575e

SHA1
2c821998dc2674d291bfa83a4df46814f0c29ab4

SHA256
a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0

SHA512
20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
46e6ad711a84b5dc7b30b75297d64875

SHA1
8ca343bfab1e2c04e67b9b16b8e06ba463b4f485

SHA256
77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f

SHA512
8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
178B

MD5
712374e6dcf823da3b2febf3b5f44a25

SHA1
4a10b5d4e05557d8360b4fb8677d4bb9d7cce8e3

SHA256
7e778bd61778c159aa0609bffe63f3a88f288c7bf40fccf2954edde8f56a753c

SHA512
cb10c7b507ac5bf39b7fea4737f04fe711deb51b383baa5d62963ab00444718c4ad17cd4d63ef7742277ce5ff923227808e4697e9884b69720bb03fe0d5c3682

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
73548bfeac71c3e4a850f954ec91a6f0

SHA1
20d96bc401f7574da53631407699b066530a6ae5

SHA256
bbd7d1655c4f6163b93a7bf210c11ec02af92a2a415b781513c6810ca9c503ef

SHA512
e0cd9b1bedf9548dbbbee1d8004c593ea68b65b10b02a784a3344a907b932b8ecf8e5c6f868a016bd53a6ea8c4d6e6548ef211bdad27e59a3b3cdcad8997b02a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3d54ce547b68f08b066d464d6026f570

SHA1
fdb2a5fa0aa74e15f9ae3fd98c29244b0d6f67cf

SHA256
f8f93fca64c3a01bfa3b21859f9c4172ff8f63cc6282c87351565eb22147c97b

SHA512
73f80ff05dc67e16d8018b1a9d3dcf073bb46b03b89d06300ff7e74576d7a346223bf70ff4c02b6ff58ac5546be9ccd04ed5033d3a3487917f1203c108841e66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
94c99d397aea98531248fefff68cee4d

SHA1
8d1ae1b3c10feb73f37d70d4dad101b7d1a134b4

SHA256
c92992dfa6b1ba7855674367b1fcd7b07108b7869f38445d04e4ecc671bda5da

SHA512
e487d458a234e2e84b3ee3c91ed8de0f69abbaeb3d21bd89c03a7142aa0134d73d5018eca4aecf8002cbe171daed53af1a6ae982e61aa331d07e3a5bf74be3c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d16cb7038fb7c439b3942af46488e057

SHA1
264796cacf168ee8e0876ba768ae84b26c5f8cd8

SHA256
4c322a99e7222270eb1948071be327096f3f0c33bb57978536209a1f4d145106

SHA512
1a61315d4e73d9a0c58cfd2687346e92762c1579ab5a19f5a2adeda31ca72f5c152cb8ef47f7b75cd0d9ea9ef52a18c0311c769372f32a30367ac0afc14fce90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8cb7f4b4ab204cacd1af6b29c2a2042c

SHA1
244540c38e33eac05826d54282a0bfa60340d6a1

SHA256
4994013dabe4f131d401879278eee147add6349124ea6452358dca7e2344c7a6

SHA512
7651cb6863a425840db610253151e271d3e8da26a8c633ce484247266fa226792ecb84b9578df3ab17fef84a5dfcad417b63a7df59c9650a907e08d59b91dd6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r1aogxkd.rwq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
144KB

MD5
4b90399888a12fb85ccc3d0190d5a1d3

SHA1
3326c027bac28b9480b0c7f621481a6cc033db4e

SHA256
cede03d0ef98d200bd5b68f6ca4e0d74e2a62fc430a38083663c3031dbb1c77f

SHA512
899ec2df2f5d70716ad5d0686bfe0a6c66ccbcf7f0485efbdfc0615f90b3526cd3d31069fa66c7c6ae8bba6ce92200836c50da40a3731888b7326b970d93216a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2769.tmp.bat

Filesize
176B

MD5
06ae2d2b9f6ebfc92c882f9b3e1e71e1

SHA1
8ba5686faf43bda222138b461645177eb379aa39

SHA256
2ff7ce695dca5715dc0ed72411a7cccdbe1e39238c5d294cd6bd71903d30c1dc

SHA512
e9c48e62c9cd603f28fd818071dcfa6f928f1415b36a4af004e8ce28a86652472bc642988141fe919c8ab821a4d8c910d5bd9cbb18da576ed1c6da1bf52f9f4b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 549847.crdownload

Filesize
22.7MB

MD5
bf2914828889b9f53f5dca3d9bda6f17

SHA1
7155e7938a6474d637a83c692eb60d34a8c6e94b

SHA256
0a10a2d40d0d1af7fe2d6c90e6ec033bebac388c247845459c59a6cb3e1f1350

SHA512
304b612339c0698c4ced92672eb559be4bcdfcdf94c16621430d8822939b970ee9491a7686aa36c3e14527bf0137728c57462e5bbc2107aab32bdce2f929727f

Download Submit
C:\Users\Admin\Downloads\XWorm_V5.6.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\XWorm_V5.6\XWorm V5.6\Guna.UI2.dll

Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\Downloads\XWorm_V5.6\XWorm V5.6\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\Downloads\XWorm_V5.6\XWorm V5.6\Xworm V5.6.exe

Filesize
14.9MB

MD5
db51a102eab752762748a2dec8f7f67a

SHA1
194688ec1511b83063f7b0167ae250764b7591d1

SHA256
93e5e7f018053c445c521b010caff89e61f61743635db3500aad32d6e495abb2

SHA512
fb2fb6605a17fedb65e636cf3716568e85b8ea423c23e0513eb87f3a3441e2cabc4c3e6346225a9bf7b81e97470f3ab516feea649a7afb5cdf02faff8d7f09a5

Download Submit
C:\Users\Admin\Downloads\XWorm_V5.6\XWorm V5.6\XwormLoader.exe

Filesize
7.9MB

MD5
5b757c6d0af650a77ba1bf7edea18b36

SHA1
c2ee4e12ff4b70511dbcab25dbf8b0d45f2d52b3

SHA256
c2a9fefda9159dd2712510c1c9077a1885d0ebc45251285dad95ba7184b98856

SHA512
93ca04887c63c3a0a4a5d42c48d0f4f7cc7fe7f6dad4dd45136ac048639d2edab66a2d2459779b9a2a075fa8981ea40567b34e5ed0535c1deecfe5e838385960

Download Submit
memory/1008-359-0x00000179F1F90000-0x00000179F2E78000-memory.dmp

Filesize
14.9MB

Download
memory/1008-405-0x00000179F69D0000-0x00000179F6BC4000-memory.dmp

Filesize
2.0MB

Download
memory/1188-343-0x0000000000890000-0x00000000008BA000-memory.dmp

Filesize
168KB

Download
memory/1320-361-0x000002277B510000-0x000002277B532000-memory.dmp

Filesize
136KB

Download
memory/2792-355-0x000000001EAC0000-0x000000001EF8E000-memory.dmp

Filesize
4.8MB

Download
memory/2792-330-0x000000001BF50000-0x000000001BFF6000-memory.dmp

Filesize
664KB

Download