xworm | 799e38a2d934e537b2f1caf0803549a16f436b36c75d370f82d8565fa707945a

Analysis

max time kernel
126s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2025 23:25

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

PassatHook.exe
Size

81KB
MD5

6a94bba080aa0680e802f11fc15f3097
SHA1

5c02939054e727378cb0b53d33cf10fbce153ab8
SHA256

799e38a2d934e537b2f1caf0803549a16f436b36c75d370f82d8565fa707945a
SHA512

4de71ce1b3f3de66626a03f136f19f49bd9df9bafc1ded49e1df4c2ee4466e05e8e6c8de88ee45f36118d8d2f5c5194641ba4382fada02d34be2dccfe544c84e
SSDEEP

1536:jV8pE5LncGZb7ivIUn72/aN6nnOP8YKqX:jV8mncCb2jeOE0X

Score

10^/10

xworm discovery execution persistence ransomware rat trojan

Malware Config

Extracted

Family

xworm

yet-involving.gl.at.ply.gg:21072

Attributes

Install_directory
%AppData%
install_file
Perm.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/memory/4500-65-0x0000000001750000-0x000000000175E000-memory.dmp	disable_win_def

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/memory/4500-1-0x0000000000FA0000-0x0000000000FBA000-memory.dmp	family_xworm
behavioral2/files/0x000b000000023ca1-60.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3048	powershell.exe
3956	powershell.exe
3812	powershell.exe
4824	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	PassatHook.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Perm.lnk	PassatHook.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Perm.lnk	PassatHook.exe

Executes dropped EXE 2 IoCs

pid	Process
4180	Perm.exe
3856	Perm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Perm = "C:\\Users\\Admin\\AppData\\Roaming\\Perm.exe"	PassatHook.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	PassatHook.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "234"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3328	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4500	PassatHook.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
3048	powershell.exe
3048	powershell.exe
3956	powershell.exe
3956	powershell.exe
3812	powershell.exe
3812	powershell.exe
4824	powershell.exe
4824	powershell.exe
4500	PassatHook.exe
4500	PassatHook.exe
4500	PassatHook.exe
4500	PassatHook.exe
4500	PassatHook.exe
4500	PassatHook.exe
4500	PassatHook.exe
4500	PassatHook.exe
4500	PassatHook.exe
4500	PassatHook.exe
4500	PassatHook.exe
4500	PassatHook.exe
4500	PassatHook.exe
4500	PassatHook.exe
4500	PassatHook.exe
4500	PassatHook.exe
4500	PassatHook.exe
4500	PassatHook.exe
4500	PassatHook.exe
4500	PassatHook.exe
4500	PassatHook.exe
4500	PassatHook.exe
4048	msedge.exe
4048	msedge.exe
1524	msedge.exe
1524	msedge.exe
1740	identity_helper.exe
1740	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4500	PassatHook.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	3956	powershell.exe
Token: SeDebugPrivilege	3812	powershell.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeDebugPrivilege	4500	PassatHook.exe
Token: SeDebugPrivilege	4180	Perm.exe
Token: SeDebugPrivilege	3856	Perm.exe
Token: SeShutdownPrivilege	4000	shutdown.exe
Token: SeRemoteShutdownPrivilege	4000	shutdown.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe
1524	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4500	PassatHook.exe
4500	PassatHook.exe
2928	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 3048	4500	PassatHook.exe	86
PID 4500 wrote to memory of 3048	4500	PassatHook.exe	86
PID 4500 wrote to memory of 3956	4500	PassatHook.exe	88
PID 4500 wrote to memory of 3956	4500	PassatHook.exe	88
PID 4500 wrote to memory of 3812	4500	PassatHook.exe	90
PID 4500 wrote to memory of 3812	4500	PassatHook.exe	90
PID 4500 wrote to memory of 4824	4500	PassatHook.exe	92
PID 4500 wrote to memory of 4824	4500	PassatHook.exe	92
PID 4500 wrote to memory of 3328	4500	PassatHook.exe	94
PID 4500 wrote to memory of 3328	4500	PassatHook.exe	94
PID 4500 wrote to memory of 1524	4500	PassatHook.exe	113
PID 4500 wrote to memory of 1524	4500	PassatHook.exe	113
PID 1524 wrote to memory of 732	1524	msedge.exe	114
PID 1524 wrote to memory of 732	1524	msedge.exe	114
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 2712	1524	msedge.exe	115
PID 1524 wrote to memory of 4048	1524	msedge.exe	116
PID 1524 wrote to memory of 4048	1524	msedge.exe	116
PID 1524 wrote to memory of 2572	1524	msedge.exe	117
PID 1524 wrote to memory of 2572	1524	msedge.exe	117
PID 1524 wrote to memory of 2572	1524	msedge.exe	117
PID 1524 wrote to memory of 2572	1524	msedge.exe	117
PID 1524 wrote to memory of 2572	1524	msedge.exe	117
PID 1524 wrote to memory of 2572	1524	msedge.exe	117
PID 1524 wrote to memory of 2572	1524	msedge.exe	117
PID 1524 wrote to memory of 2572	1524	msedge.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\PassatHook.exe
"C:\Users\Admin\AppData\Local\Temp\PassatHook.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\PassatHook.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'PassatHook.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Perm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Perm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4824
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Perm" /tr "C:\Users\Admin\AppData\Roaming\Perm.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff919c346f8,0x7ff919c34708,0x7ff919c34718
    3⤵
    PID:732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,18069848188224955617,3050804339779695633,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
    3⤵
    PID:2712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,18069848188224955617,3050804339779695633,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4048
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,18069848188224955617,3050804339779695633,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
    3⤵
    PID:2572
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,18069848188224955617,3050804339779695633,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
    3⤵
    PID:4864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,18069848188224955617,3050804339779695633,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
    3⤵
    PID:1628
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,18069848188224955617,3050804339779695633,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
    3⤵
    PID:4824
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,18069848188224955617,3050804339779695633,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,18069848188224955617,3050804339779695633,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
    3⤵
    PID:4444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,18069848188224955617,3050804339779695633,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
    3⤵
    PID:4436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,18069848188224955617,3050804339779695633,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
    3⤵
    PID:2104
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,18069848188224955617,3050804339779695633,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
    3⤵
    PID:1960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,18069848188224955617,3050804339779695633,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
    3⤵
    PID:3668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,18069848188224955617,3050804339779695633,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
    3⤵
    PID:4928
- C:\Windows\SYSTEM32\shutdown.exe
  shutdown.exe /f /s /t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4000

C:\Users\Admin\AppData\Roaming\Perm.exe
C:\Users\Admin\AppData\Roaming\Perm.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4180

C:\Users\Admin\AppData\Roaming\Perm.exe
C:\Users\Admin\AppData\Roaming\Perm.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3096

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1960

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38fb055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Perm.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5e79b26b368b6d882e3e58a3db1c1b76

SHA1
f191affdcf31e97a897b4679a50f52f8d4663609

SHA256
b77db3841fa8a5e8b3c6ef68119c5ec4ee6eede5f7c253a4d5998c81252339ed

SHA512
3ad768d1dd88836a70ab2e2a26980471e09d206b559e3c1888115a22f8d0dde942ed16f18b4cdc1a585d5fbaebef7ec1d7aec68bfba8a00dde1a73dc17c856a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b496ce08aaf8429a03ef0e022663e874

SHA1
5e3a5cad94edf71e2c443538bca2b34f1e865233

SHA256
dfc774fb3ccc009e513e16b295cd7e9b55ba480384211603bfb8c2e93347a54b

SHA512
a36bd279d0f68fd4fd8a79395e715298e90cb0d3a9c1a6d9441a87766f48b6e806f19ecbf4bece16900dd97a9eed8d0d3e070286dd295c466b24c39d4c04e3b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cf7e5dacf417f39489e013776908fbc2

SHA1
46cc43f1dcfa618b99fbcf6fb68926ee17b3276f

SHA256
41a595670f8a5c2203e1a103be582d309fcc81b6b5c96067b536d425755439a0

SHA512
604aa78c1477f25d8978586d5d36a391ab2c3460dbfbb84283b0f8fa07d3f361affc16b687bdaf7499f6dd467a660e2bed22e38fb1ea1124cb2a0ec2aa02d5cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
51cf8df21f531e31f7740b4ec487a48a

SHA1
40c6a73b22d71625a62df109aefc92a5f9b9d13e

SHA256
263d9b98a897d1d66da4832af640c4bf5ab0ae91125ba12243453dfe714f3d0d

SHA512
57a85461f6ea96b26a8b53d3a9cca18543e4ddbe996e8f412fc4cf7cf6e9ffe558c96da7b322a42f18bef62020e65aee119bed6102f75e2f605df09b02ec6368

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f5ea6e485a296269f874f3d12709ce50

SHA1
c73e5adec8ceef00e49e0f51d382b990fc5b4d4c

SHA256
980d5cc1b33f9995ce40b593bac646373b613070e5ca6da2c297c5fb8c1f28c3

SHA512
09e3083c712ae875d1dae3d4c903e96e6f5e97f5a15d4301319d3f6f63b2e704ce1b728704fd4ada7f0c26b782b05b551f961db8775f7527b1b1b224e7478659

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r00eqdcz.czv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Perm.exe

Filesize
81KB

MD5
6a94bba080aa0680e802f11fc15f3097

SHA1
5c02939054e727378cb0b53d33cf10fbce153ab8

SHA256
799e38a2d934e537b2f1caf0803549a16f436b36c75d370f82d8565fa707945a

SHA512
4de71ce1b3f3de66626a03f136f19f49bd9df9bafc1ded49e1df4c2ee4466e05e8e6c8de88ee45f36118d8d2f5c5194641ba4382fada02d34be2dccfe544c84e

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html

Filesize
639B

MD5
d2dbbc3383add4cbd9ba8e1e35872552

SHA1
020abbc821b2fe22c4b2a89d413d382e48770b6f

SHA256
5ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be

SHA512
bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66

Download Submit
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
f591cdd4d0b46e0cd793ac4c1c992222

SHA1
c5e4fe2eb6810877cbb0f6bce444af5c909abff6

SHA256
33d12c57a2e1c1030604dafcea395593c98524169036ffd64028075bf26bf729

SHA512
67a39fc7d867bbcccdac95d44a80edc29f00e8797c69af46e9a2be73fe8f7d503cefadd6eaf00c2861c57582d98ba7c2ef618aa11aa3138b0b0178bd518ecf19

Download Submit
memory/3048-19-0x00007FF91D200000-0x00007FF91DCC1000-memory.dmp

Filesize
10.8MB

Download
memory/3048-3-0x00007FF91D200000-0x00007FF91DCC1000-memory.dmp

Filesize
10.8MB

Download
memory/3048-4-0x00007FF91D200000-0x00007FF91DCC1000-memory.dmp

Filesize
10.8MB

Download
memory/3048-5-0x00007FF91D200000-0x00007FF91DCC1000-memory.dmp

Filesize
10.8MB

Download
memory/3048-11-0x000001BD7EC80000-0x000001BD7ECA2000-memory.dmp

Filesize
136KB

Download
memory/3048-18-0x00007FF91D200000-0x00007FF91DCC1000-memory.dmp

Filesize
10.8MB

Download
memory/4500-30-0x00007FF91D203000-0x00007FF91D205000-memory.dmp

Filesize
8KB

Download
memory/4500-69-0x0000000001760000-0x000000000176C000-memory.dmp

Filesize
48KB

Download
memory/4500-0-0x00007FF91D203000-0x00007FF91D205000-memory.dmp

Filesize
8KB

Download
memory/4500-59-0x00007FF91D200000-0x00007FF91DCC1000-memory.dmp

Filesize
10.8MB

Download
memory/4500-66-0x00000000017F0000-0x00000000017FA000-memory.dmp

Filesize
40KB

Download
memory/4500-65-0x0000000001750000-0x000000000175E000-memory.dmp

Filesize
56KB

Download
memory/4500-63-0x0000000003030000-0x000000000303C000-memory.dmp

Filesize
48KB

Download
memory/4500-283-0x0000000001840000-0x000000000184A000-memory.dmp

Filesize
40KB

Download
memory/4500-2-0x00007FF91D200000-0x00007FF91DCC1000-memory.dmp

Filesize
10.8MB

Download
memory/4500-1-0x0000000000FA0000-0x0000000000FBA000-memory.dmp

Filesize
104KB

Download
memory/4500-316-0x00007FF91D200000-0x00007FF91DCC1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads