xworm | 54e8a0545faac8f1de60cfacd3baf32135ee0a2b296f5ff36a0bd4a87abe1394

Analysis

max time kernel
132s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-12-2024 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xworm V6.0.exe
Size

15.5MB
MD5

fae9f588f8bf2ea148c92de1083eb8a2
SHA1

8103ee4ad2ba5c5ab6fafa80fbc536646fdabaa9
SHA256

54e8a0545faac8f1de60cfacd3baf32135ee0a2b296f5ff36a0bd4a87abe1394
SHA512

f05ddbcc784d3903e3d151155060a6fccbda672c183c2b71d7601e7c16579ff225a00156d3203ee3990b6a19cce7022644352f3db8b5b862928d6b3b0034ec0e
SSDEEP

393216:DjrikmL1xyfdd124DII+WNCKkSblVnUN:P+BxyfJ24DqW7S

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

jrutcxTxqD08SKSB

Attributes

Install_directory
%ProgramData%
install_file
OneDrive.exe
pastebin_url
https://pastebin.com/raw/RPPi3ByL

aes.plain

Signatures

Detect Xworm Payload 11 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000e000000013a51-5.dat	family_xworm
behavioral1/memory/2336-11-0x0000000001100000-0x0000000001128000-memory.dmp	family_xworm
behavioral1/files/0x00060000000186f8-10.dat	family_xworm
behavioral1/files/0x0006000000018731-17.dat	family_xworm
behavioral1/memory/2956-19-0x00000000011D0000-0x00000000011FE000-memory.dmp	family_xworm
behavioral1/memory/2988-18-0x0000000000A00000-0x0000000000A2C000-memory.dmp	family_xworm
behavioral1/memory/1876-111-0x00000000012F0000-0x0000000001318000-memory.dmp	family_xworm
behavioral1/memory/2368-112-0x00000000000B0000-0x00000000000DE000-memory.dmp	family_xworm
behavioral1/memory/1068-119-0x0000000000890000-0x00000000008BE000-memory.dmp	family_xworm
behavioral1/memory/1784-122-0x0000000000080000-0x00000000000A8000-memory.dmp	family_xworm
behavioral1/memory/1896-123-0x0000000000DB0000-0x0000000000DDE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2868	powershell.exe
788	powershell.exe
2692	powershell.exe
2012	powershell.exe
1292	powershell.exe
1928	powershell.exe
2276	powershell.exe
1524	powershell.exe
2812	powershell.exe
2720	powershell.exe
2340	powershell.exe
2268	powershell.exe

Drops startup file 6 IoCs

Processes:

OneDrive.exemsedge.exeChrome Update.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update.lnk	Chrome Update.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update.lnk	Chrome Update.exe

Executes dropped EXE 10 IoCs

Processes:

OneDrive.exemsedge.exeChrome Update.exeXworm V5.6.exemsedge.exeOneDrive.exeOneDrive.exemsedge.exeOneDrive.exemsedge.exe

pid	Process
2336	OneDrive.exe
2956	msedge.exe
2988	Chrome Update.exe
2776	Xworm V5.6.exe
2368	msedge.exe
1876	OneDrive.exe
484	OneDrive.exe
1068	msedge.exe
1784	OneDrive.exe
1896	msedge.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Chrome Update.exeOneDrive.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome Update = "C:\\Users\\Admin\\AppData\\Roaming\\Chrome Update.exe"	Chrome Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\OneDrive.exe"	OneDrive.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

Processes:

flow	ioc
6	pastebin.com
7	pastebin.com
8	pastebin.com
9	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid	Process
1396	schtasks.exe
1872	schtasks.exe
2408	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeChrome Update.exemsedge.exeOneDrive.exe

pid	Process
2692	powershell.exe
2720	powershell.exe
2812	powershell.exe
2268	powershell.exe
2340	powershell.exe
2012	powershell.exe
2276	powershell.exe
1524	powershell.exe
1292	powershell.exe
1928	powershell.exe
2868	powershell.exe
788	powershell.exe
2988	Chrome Update.exe
2956	msedge.exe
2336	OneDrive.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

OneDrive.exeChrome Update.exemsedge.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeOneDrive.exemsedge.exemsedge.exeOneDrive.exeOneDrive.exemsedge.exe

description	pid	Process
Token: SeDebugPrivilege	2336	OneDrive.exe
Token: SeDebugPrivilege	2988	Chrome Update.exe
Token: SeDebugPrivilege	2956	msedge.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	788	powershell.exe
Token: SeDebugPrivilege	2988	Chrome Update.exe
Token: SeDebugPrivilege	2336	OneDrive.exe
Token: SeDebugPrivilege	2956	msedge.exe
Token: SeDebugPrivilege	1876	OneDrive.exe
Token: SeDebugPrivilege	2368	msedge.exe
Token: SeDebugPrivilege	1068	msedge.exe
Token: SeDebugPrivilege	484	OneDrive.exe
Token: SeDebugPrivilege	1784	OneDrive.exe
Token: SeDebugPrivilege	1896	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Chrome Update.exemsedge.exeOneDrive.exe

pid	Process
2988	Chrome Update.exe
2956	msedge.exe
2336	OneDrive.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Xworm V6.0.exemsedge.exeChrome Update.exeOneDrive.exeXworm V5.6.exetaskeng.exe

description	pid	Process	procid_target
PID 2356 wrote to memory of 2336	2356	Xworm V6.0.exe	31
PID 2356 wrote to memory of 2336	2356	Xworm V6.0.exe	31
PID 2356 wrote to memory of 2336	2356	Xworm V6.0.exe	31
PID 2356 wrote to memory of 2956	2356	Xworm V6.0.exe	32
PID 2356 wrote to memory of 2956	2356	Xworm V6.0.exe	32
PID 2356 wrote to memory of 2956	2356	Xworm V6.0.exe	32
PID 2356 wrote to memory of 2988	2356	Xworm V6.0.exe	33
PID 2356 wrote to memory of 2988	2356	Xworm V6.0.exe	33
PID 2356 wrote to memory of 2988	2356	Xworm V6.0.exe	33
PID 2356 wrote to memory of 2776	2356	Xworm V6.0.exe	34
PID 2356 wrote to memory of 2776	2356	Xworm V6.0.exe	34
PID 2356 wrote to memory of 2776	2356	Xworm V6.0.exe	34
PID 2956 wrote to memory of 2720	2956	msedge.exe	35
PID 2956 wrote to memory of 2720	2956	msedge.exe	35
PID 2956 wrote to memory of 2720	2956	msedge.exe	35
PID 2988 wrote to memory of 2692	2988	Chrome Update.exe	36
PID 2988 wrote to memory of 2692	2988	Chrome Update.exe	36
PID 2988 wrote to memory of 2692	2988	Chrome Update.exe	36
PID 2336 wrote to memory of 2812	2336	OneDrive.exe	39
PID 2336 wrote to memory of 2812	2336	OneDrive.exe	39
PID 2336 wrote to memory of 2812	2336	OneDrive.exe	39
PID 2988 wrote to memory of 2340	2988	Chrome Update.exe	41
PID 2988 wrote to memory of 2340	2988	Chrome Update.exe	41
PID 2988 wrote to memory of 2340	2988	Chrome Update.exe	41
PID 2956 wrote to memory of 2268	2956	msedge.exe	43
PID 2956 wrote to memory of 2268	2956	msedge.exe	43
PID 2956 wrote to memory of 2268	2956	msedge.exe	43
PID 2336 wrote to memory of 2012	2336	OneDrive.exe	45
PID 2336 wrote to memory of 2012	2336	OneDrive.exe	45
PID 2336 wrote to memory of 2012	2336	OneDrive.exe	45
PID 2956 wrote to memory of 1524	2956	msedge.exe	47
PID 2956 wrote to memory of 1524	2956	msedge.exe	47
PID 2956 wrote to memory of 1524	2956	msedge.exe	47
PID 2988 wrote to memory of 2276	2988	Chrome Update.exe	49
PID 2988 wrote to memory of 2276	2988	Chrome Update.exe	49
PID 2988 wrote to memory of 2276	2988	Chrome Update.exe	49
PID 2336 wrote to memory of 1928	2336	OneDrive.exe	51
PID 2336 wrote to memory of 1928	2336	OneDrive.exe	51
PID 2336 wrote to memory of 1928	2336	OneDrive.exe	51
PID 2956 wrote to memory of 1292	2956	msedge.exe	53
PID 2956 wrote to memory of 1292	2956	msedge.exe	53
PID 2956 wrote to memory of 1292	2956	msedge.exe	53
PID 2988 wrote to memory of 2868	2988	Chrome Update.exe	55
PID 2988 wrote to memory of 2868	2988	Chrome Update.exe	55
PID 2988 wrote to memory of 2868	2988	Chrome Update.exe	55
PID 2336 wrote to memory of 788	2336	OneDrive.exe	57
PID 2336 wrote to memory of 788	2336	OneDrive.exe	57
PID 2336 wrote to memory of 788	2336	OneDrive.exe	57
PID 2956 wrote to memory of 2408	2956	msedge.exe	59
PID 2956 wrote to memory of 2408	2956	msedge.exe	59
PID 2956 wrote to memory of 2408	2956	msedge.exe	59
PID 2988 wrote to memory of 1396	2988	Chrome Update.exe	61
PID 2988 wrote to memory of 1396	2988	Chrome Update.exe	61
PID 2988 wrote to memory of 1396	2988	Chrome Update.exe	61
PID 2336 wrote to memory of 1872	2336	OneDrive.exe	63
PID 2336 wrote to memory of 1872	2336	OneDrive.exe	63
PID 2336 wrote to memory of 1872	2336	OneDrive.exe	63
PID 2776 wrote to memory of 2136	2776	Xworm V5.6.exe	65
PID 2776 wrote to memory of 2136	2776	Xworm V5.6.exe	65
PID 2776 wrote to memory of 2136	2776	Xworm V5.6.exe	65
PID 2924 wrote to memory of 1876	2924	taskeng.exe	68
PID 2924 wrote to memory of 1876	2924	taskeng.exe	68
PID 2924 wrote to memory of 1876	2924	taskeng.exe	68
PID 2924 wrote to memory of 2368	2924	taskeng.exe	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Xworm V6.0.exe
"C:\Users\Admin\AppData\Local\Temp\Xworm V6.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:788
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1872
- C:\Users\Admin\AppData\Local\Temp\msedge.exe
  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2268
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1292
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2408
- C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe
  "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2340
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome Update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2276
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2868
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1396
- C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
  "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2776 -s 732
    3⤵
    PID:2136

C:\Windows\system32\taskeng.exe
taskeng.exe {C303373C-9372-4C35-94C1-02921CF07CAF} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2924
- C:\ProgramData\OneDrive.exe
  C:\ProgramData\OneDrive.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1876
- C:\Users\Admin\AppData\Local\msedge.exe
  C:\Users\Admin\AppData\Local\msedge.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\ProgramData\OneDrive.exe
  C:\ProgramData\OneDrive.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:484
- C:\Users\Admin\AppData\Local\msedge.exe
  C:\Users\Admin\AppData\Local\msedge.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1068
- C:\ProgramData\OneDrive.exe
  C:\ProgramData\OneDrive.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1784
- C:\Users\Admin\AppData\Local\msedge.exe
  C:\Users\Admin\AppData\Local\msedge.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe

Filesize
152KB

MD5
16cdd301591c6af35a03cd18caee2e59

SHA1
92c6575b57eac309c8664d4ac76d87f2906e8ef3

SHA256
11d55ac2f9070a70d12f760e9a6ee75136eca4bf711042acc25828ddda3582c8

SHA512
a44402e5e233cb983f7cfd9b81bc542a08d8092ffa4bd970fc25fe112355643506d5dfee0dd76f2e79b983df0fde67bfc50aabb477492a7596e38081e4083476

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe

Filesize
140KB

MD5
a1cd6f4a3a37ed83515aa4752f98eb1d

SHA1
7f787c8d72787d8d130b4788b006b799167d1802

SHA256
5cbcc0a0c1d74cd54ac999717b0ff0607fe6ed02cca0a3e0433dd94783cfec65

SHA512
9489287e0b4925345fee05fe2f6e6f12440af1425ef397145e32e6f80c7ae98b530e42002d92dc156643f9829bc8a3b969e855cecd2265b6616c4514eed00355

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge.exe

Filesize
166KB

MD5
aee20d80f94ae0885bb2cabadb78efc9

SHA1
1e82eba032fcb0b89e1fdf937a79133a5057d0a1

SHA256
498eb55b3fb4c4859ee763a721870bb60ecd57e99f66023b69d8a258efa3af7d

SHA512
3a05ff32b9aa79092578c09dfe67eaca23c6fe8383111dab05117f39d91f27670029f39482827d191bd6a652483202b8fc1813f8d5a0f3f73fd35ca37a4f6d42

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
664b77b68e984aab58e7f5e97be2b0ac

SHA1
304d7acb471b158d24589fbea57d9958ab0865a3

SHA256
86ec0d1bf8a6f39db99d8fab5ff11597ae5bf644ac2731d73b42e59b508088c5

SHA512
4d2f63ce7510c593f3cef47fcd042b7ff3f9fd94838d4802479ff67292afd527b701796a7194e9f14114211bef29e048a59a00f551f84c7cd020ef46ba10731e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1068-119-0x0000000000890000-0x00000000008BE000-memory.dmp

Filesize
184KB

Download
memory/1524-66-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/1784-122-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/1876-111-0x00000000012F0000-0x0000000001318000-memory.dmp

Filesize
160KB

Download
memory/1896-123-0x0000000000DB0000-0x0000000000DDE000-memory.dmp

Filesize
184KB

Download
memory/2012-71-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2336-11-0x0000000001100000-0x0000000001128000-memory.dmp

Filesize
160KB

Download
memory/2336-20-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2336-113-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2356-0-0x000007FEF5F93000-0x000007FEF5F94000-memory.dmp

Filesize
4KB

Download
memory/2356-1-0x0000000000A70000-0x00000000019F0000-memory.dmp

Filesize
15.5MB

Download
memory/2368-112-0x00000000000B0000-0x00000000000DE000-memory.dmp

Filesize
184KB

Download
memory/2692-42-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2720-37-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download
memory/2776-26-0x00000000010E0000-0x0000000001FC8000-memory.dmp

Filesize
14.9MB

Download
memory/2956-19-0x00000000011D0000-0x00000000011FE000-memory.dmp

Filesize
184KB

Download
memory/2988-18-0x0000000000A00000-0x0000000000A2C000-memory.dmp

Filesize
176KB

Download