xworm | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

max time kernel
45s
max time network
42s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 22:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

xworm discovery persistence pyinstaller rat trojan

Malware Config

Extracted

Family

xworm

147.185.221.22:47930

127.0.0.1:47930

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000d000000016cd7-113.dat	family_xworm
behavioral1/memory/2052-118-0x00000000008C0000-0x00000000008DA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe

Executes dropped EXE 7 IoCs

pid	Process
2052	svchost.exe
1824	vlst.exe
2340	cbchr.exe
2740	random.exe
2876	nurik.exe
1764	nurik.exe
1196	Process not Found

Loads dropped DLL 16 IoCs

pid	Process
2096	4363463463464363463463463.exe
2096	4363463463464363463463463.exe
2096	4363463463464363463463463.exe
2340	cbchr.exe
2096	4363463463464363463463463.exe
2096	4363463463464363463463463.exe
2096	4363463463464363463463463.exe
2876	nurik.exe
1764	nurik.exe
1764	nurik.exe
1764	nurik.exe
1764	nurik.exe
1764	nurik.exe
1764	nurik.exe
1764	nurik.exe
1196	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
10	raw.githubusercontent.com
11	raw.githubusercontent.com
13	bitbucket.org
14	bitbucket.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	ip-api.com

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x00050000000186f1-317.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cbchr.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	4363463463464363463463463.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2052	svchost.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	4363463463464363463463463.exe
Token: SeDebugPrivilege	2052	svchost.exe
Token: SeDebugPrivilege	1824	vlst.exe
Token: SeBackupPrivilege	1824	vlst.exe
Token: SeSecurityPrivilege	1824	vlst.exe
Token: SeSecurityPrivilege	1824	vlst.exe
Token: SeSecurityPrivilege	1824	vlst.exe
Token: SeSecurityPrivilege	1824	vlst.exe
Token: SeDebugPrivilege	2052	svchost.exe
Token: SeBackupPrivilege	1824	vlst.exe
Token: SeSecurityPrivilege	1824	vlst.exe
Token: SeSecurityPrivilege	1824	vlst.exe
Token: SeSecurityPrivilege	1824	vlst.exe
Token: SeSecurityPrivilege	1824	vlst.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2052	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2052	2096	4363463463464363463463463.exe	31
PID 2096 wrote to memory of 2052	2096	4363463463464363463463463.exe	31
PID 2096 wrote to memory of 2052	2096	4363463463464363463463463.exe	31
PID 2096 wrote to memory of 2052	2096	4363463463464363463463463.exe	31
PID 2096 wrote to memory of 1824	2096	4363463463464363463463463.exe	33
PID 2096 wrote to memory of 1824	2096	4363463463464363463463463.exe	33
PID 2096 wrote to memory of 1824	2096	4363463463464363463463463.exe	33
PID 2096 wrote to memory of 1824	2096	4363463463464363463463463.exe	33
PID 2096 wrote to memory of 2340	2096	4363463463464363463463463.exe	36
PID 2096 wrote to memory of 2340	2096	4363463463464363463463463.exe	36
PID 2096 wrote to memory of 2340	2096	4363463463464363463463463.exe	36
PID 2096 wrote to memory of 2340	2096	4363463463464363463463463.exe	36
PID 2096 wrote to memory of 2740	2096	4363463463464363463463463.exe	38
PID 2096 wrote to memory of 2740	2096	4363463463464363463463463.exe	38
PID 2096 wrote to memory of 2740	2096	4363463463464363463463463.exe	38
PID 2096 wrote to memory of 2740	2096	4363463463464363463463463.exe	38
PID 2096 wrote to memory of 2876	2096	4363463463464363463463463.exe	39
PID 2096 wrote to memory of 2876	2096	4363463463464363463463463.exe	39
PID 2096 wrote to memory of 2876	2096	4363463463464363463463463.exe	39
PID 2096 wrote to memory of 2876	2096	4363463463464363463463463.exe	39
PID 2876 wrote to memory of 1764	2876	nurik.exe	40
PID 2876 wrote to memory of 1764	2876	nurik.exe	40
PID 2876 wrote to memory of 1764	2876	nurik.exe	40

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2052
- C:\Users\Admin\AppData\Local\Temp\Files\vlst.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\vlst.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1824
- C:\Users\Admin\AppData\Local\Temp\Files\cbchr.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cbchr.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2340
- C:\Users\Admin\AppData\Local\Temp\Files\random.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\random.exe"
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Users\Admin\AppData\Local\Temp\Files\nurik.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\nurik.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Users\Admin\AppData\Local\Temp\Files\nurik.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\nurik.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6741a2a08c3e65cd6236fd1c114241b9

SHA1
82ce04584210e557b1c647c2807deac388baccc9

SHA256
9cc223ae8dc54a0e0b0b9021620675c79c325a8ebbf22d8fc945927ad6b63b6f

SHA512
2b1cdc4833507411c2bdce0353073b54b461ee6b9c43adb56f76d613ecf00e8ae33574e42b978cee4514952f3f5a2333b33fea734af95c6d9d5e2f1b6fc70baa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b2c93661d4a5d7c7a1ae0b2f6a89161

SHA1
c721d6dc2dd28a87d2300e9fcd648e1b48a4488c

SHA256
8df4d377ce921fc4f2b098c3366d5d3bb3fc6956213f1fa069fb0510b01bab4a

SHA512
52be1c227c6ab17132f7519f941000822bb2b3edd1814cdbb2e47e2214cbb5f07102c997bb44ee246da90235657f63d5761b055a2509d7223f041eb36df04abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC1AC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cbchr.exe

Filesize
422KB

MD5
9a9afbcbaee06f115ea1b11f0405f2bd

SHA1
18cc3948891c6189d0ba1f872982c3fe69b3a85b

SHA256
231711e92fe376ed10c7111645e2a53f392726214c7958afcef4b2b5d0885f17

SHA512
dcb6b2e888ef234eb775efdac636ab3997bc04d48d50781b4ad4eb77991dfef4a7370441de8c89ff9d17ac5e8d337c5c991f221671fd424f571abbc0f2fe1670

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC1DE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-file-l1-2-0.dll

Filesize
22KB

MD5
de365479d82c17cd3b3d7500e28261cd

SHA1
de90e3493f339859b2f5812a719eef9bb9c32027

SHA256
3a7742c1d426538f923ca9503f0ac2bccd102ede5ac29d7d2a46dc4744717908

SHA512
e82379e512d1c7c0fb38c5a14a5fcdc716f5d3224256850b259abf193fe7a4260f5e677a2f0ccb2bc26d9c419fc72d6f35dab8d8626975d705a869542f3cde59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-file-l2-1-0.dll

Filesize
22KB

MD5
a33dbfc4243f2599fd2c9630b9354ee9

SHA1
b5197d0459165c7d2d2d4ada1d4421dcc153360a

SHA256
df3a3ed291be9a8fb1e7d4ee2c2390bd4d6869391cdca38ec123fb3f49086f13

SHA512
cf21a82cb346b0824a309d9f3b75a1806eb5ec1bf8f7eb184f054a61fdbb2d580af9558e6704ee8dfab254b9402e6e04de94b3d7bb498277a1cd9fd51fd9c37b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-localization-l1-2-0.dll

Filesize
22KB

MD5
3e40ea95fbc64b2b291371fe4bac2d00

SHA1
6cb0b9b217e2c4b0b67a4501a54b5600484794f6

SHA256
0dd5f83106a08e0f750233c095b149c7a5fe085096518c66494700bc49273452

SHA512
3120f8726e8ecd056ce63b479f9e3885fcebae005c86b9a1f4796f86df0873a367fbb7ce9dc16fde3d8f4340bee0c5a16cada148047f113446cabd3c7ca1f132

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
22KB

MD5
753abec37cdc77e980db87629abacae2

SHA1
d049db76e6e2d142e177c2b107df10d3753797bb

SHA256
9eeae9e4ec99e3df81b182e22394bbc5582d38cbb756ffb8a8f36d2e915cf876

SHA512
1ae91b61e59cef89a3b3ad34666a388d4eeea276ae08a3ffd92d303d765f2fa5315a95bc886858214e5fbbc11040873698be01259dc3197e956f58588427431a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\python312.dll

Filesize
6.6MB

MD5
166cc2f997cba5fc011820e6b46e8ea7

SHA1
d6179213afea084f02566ea190202c752286ca1f

SHA256
c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546

SHA512
49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\ucrtbase.dll

Filesize
1.1MB

MD5
c28cafb11b2dcb4c2845a39556538f8e

SHA1
021fa38f027e3ddea6b9563d1eb7f9e686b4b11d

SHA256
adc785bdce4f5693b6a511a3a5a20a5de8f90d9ffc357b1b38173da170224e1a

SHA512
02089da9bf7fbc4e36c3099f2430510647a4467d6915c05cb56e26418b0a4e7c55c0669c737ff3361556ac1610daf159465923f82de60cf080b3caa714a4a4b7

Download Submit
\Users\Admin\AppData\Local\Temp\Files\nurik.exe

Filesize
11.2MB

MD5
f9b7e57e9d632443ed2c746aa221dad6

SHA1
4fbaeeefd561544f7223c74c864ffae8e1b80f2d

SHA256
954b49b361654e232e468cd0bf7b8f158efa158fde9414152145b64fa4f9af95

SHA512
76a3ad028aaa0236432ad9d6461abed91009bbb868b880453f5932270044e1441727330c3b6ae28ca44779ee70239ac1f7abbc71ed9d4b29198d6558050e49ac

Download Submit
\Users\Admin\AppData\Local\Temp\Files\random.exe

Filesize
734KB

MD5
98e538d63ec5a23a3acc374236ae20b6

SHA1
f3fec38f80199e346cac912bf8b65249988a2a7e

SHA256
4d8fbc7578dca954407746a1d73e3232cd8db79dccd57acbeef80da369069a91

SHA512
951a750998448cd3653153bdf24705101136305ff4744ee2092952d773121817fa36347cb797586c58d0f3efc9cfa40ae6d9ce6ea5d2e8ec41acf8d9a03b0827

Download Submit
\Users\Admin\AppData\Local\Temp\Files\svchost.exe

Filesize
75KB

MD5
1ece670aaa09ac9e02ae27b7678b167c

SHA1
d98cffd5d00fe3b8a7a6f50a4cd2fc30b9ec565d

SHA256
b88c6884675cdb358f46c1fbfeddf24af749372a6c14c1c4a2757d7bde3fbc39

SHA512
ad8b877261b2f69c89aa429691da67100a054006504a2735948415eebdc38eba20f923d327347560d066e65b205e80ea8f0a296e586107dc051d9edc410b40c5

Download Submit
\Users\Admin\AppData\Local\Temp\Files\vlst.exe

Filesize
538KB

MD5
1b2583d84dca4708d7a0309cf1087a89

SHA1
cae0d1e16db95b9269b96c06caa66fa3dab99f48

SHA256
e0d9f3b8d36e9b4a44bc093b47ba3ba80cabd7e08b3f1a64dec7e3a2c5421bac

SHA512
a51b8ed6a6cf403b4b19fc7e9f22d5f60265b16cdf24a7033bc0ee0da8c31861caa212dc5fb3bf17e28842fc28a263564076ad4e9905afd483763859bafd4493

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28762\api-ms-win-core-timezone-l1-1-0.dll

Filesize
22KB

MD5
3b15cc8aab69fc0931e0d79be7878eb2

SHA1
ddb14a5ad8d8937c3d7dcede3fbc0b930a765290

SHA256
6333cba577889ac1b0f715c7b4cf66d7b566ce18555a81662e879192907e76e1

SHA512
1b6880b527d82de3fa770a51117e662efb3b6e2c84b5edc28ed0c60b1ae24f51622217c292e91121de4b9523d2a6ac51b824648fa2af688618188b904e04ce67

Download Submit
\Users\Admin\AppData\Roaming\gdi32.dll

Filesize
173KB

MD5
ac2602b169e8948ea4ecd30aeefc5b03

SHA1
99a3458622b586477a4df3c1b173892d98de1bb1

SHA256
014c9d23f572e0df38c32e294f351c6c232f0118fc6aba8a2a2d70f3c55929f4

SHA512
9c9c3fc9c7164ad59564fdfd027b305396c3d589b95826f24a5fec1fe6bde84d3ddac52b8862994b2338e0ef7602fbc9a14999ff986f99d2c21256d53eb03d18

Download Submit
memory/1824-125-0x0000000000F80000-0x000000000100C000-memory.dmp

Filesize
560KB

Download
memory/2052-118-0x00000000008C0000-0x00000000008DA000-memory.dmp

Filesize
104KB

Download
memory/2052-314-0x000007FEF53A3000-0x000007FEF53A4000-memory.dmp

Filesize
4KB

Download
memory/2052-117-0x000007FEF53A3000-0x000007FEF53A4000-memory.dmp

Filesize
4KB

Download
memory/2096-285-0x0000000074230000-0x000000007491E000-memory.dmp

Filesize
6.9MB

Download
memory/2096-257-0x000000007423E000-0x000000007423F000-memory.dmp

Filesize
4KB

Download
memory/2096-0-0x000000007423E000-0x000000007423F000-memory.dmp

Filesize
4KB

Download
memory/2096-2-0x0000000074230000-0x000000007491E000-memory.dmp

Filesize
6.9MB

Download
memory/2096-1-0x0000000000EF0000-0x0000000000EF8000-memory.dmp

Filesize
32KB

Download
memory/2340-294-0x0000000000470000-0x0000000000476000-memory.dmp

Filesize
24KB

Download
memory/2340-293-0x0000000000B80000-0x0000000000BF2000-memory.dmp

Filesize
456KB

Download
memory/2740-312-0x00000000000D0000-0x000000000018E000-memory.dmp

Filesize
760KB

Download
memory/2740-313-0x000000001ABE0000-0x000000001AC62000-memory.dmp

Filesize
520KB

Download