xworm | c97e3198e1c30dec6a40160c6784a3580e2893f1fd542fdbd67c3ae4447fda46

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19-01-2025 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Phantom.exe
Size

1.9MB
MD5

b2b18261a9e3f160e38c4a03f12b2204
SHA1

ba1ec3b154d6071c068a00408bfb9599d500c18c
SHA256

c97e3198e1c30dec6a40160c6784a3580e2893f1fd542fdbd67c3ae4447fda46
SHA512

2f469790c80291db2907f4eef383cf8054b4fa8bd9074871b0a76d935e250bda729ab7ed9e284181c760333eac01855e070a2c35b3eeea5e9f80c5c816b992e3
SSDEEP

24576:JFiGXkKK64/ZmydQcglGE0h59XZPHzNuoiH6Kcejbur2+ofUyVZ/Sb6lJ:JMGUbv9QGE8jX1zNuo06v2+fASmlJ

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

109.176.252.16:80

109.176.252.16:80:80

Attributes

Install_directory
%ProgramData%
install_file
WinReg32.exe

Signatures

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/memory/2804-8-0x0000000000260000-0x0000000000276000-memory.dmp	family_xworm
behavioral1/files/0x000900000001225f-6.dat	family_xworm
behavioral1/memory/2788-52-0x0000000001170000-0x0000000001186000-memory.dmp	family_xworm
behavioral1/memory/1532-63-0x0000000000960000-0x0000000000976000-memory.dmp	family_xworm
behavioral1/memory/1356-102-0x00000000010B0000-0x00000000010C6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1184	powershell.exe
2956	powershell.exe
908	powershell.exe
2792	powershell.exe
588	powershell.exe
984	powershell.exe
1592	powershell.exe
2968	powershell.exe
572	powershell.exe
3004	powershell.exe
1976	powershell.exe
560	powershell.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinReg32.lnk	niggafart.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinReg32.lnk	niggafart.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinReg32.lnk	niggafart.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinReg32.lnk	niggafart.exe

Executes dropped EXE 30 IoCs

pid	Process
2804	niggafart.exe
1708	niggafart.exe
2164	niggafart.exe
828	niggafart.exe
1368	niggafart.exe
900	niggafart.exe
1324	niggafart.exe
2308	niggafart.exe
2676	niggafart.exe
2444	niggafart.exe
2788	WinReg32.exe
2232	niggafart.exe
2248	niggafart.exe
1532	niggafart.exe
1832	niggafart.exe
2628	niggafart.exe
1148	niggafart.exe
1664	niggafart.exe
1604	niggafart.exe
1032	niggafart.exe
604	niggafart.exe
2212	niggafart.exe
1356	WinReg32.exe
2936	niggafart.exe
2196	niggafart.exe
2976	niggafart.exe
2816	niggafart.exe
2260	niggafart.exe
3004	niggafart.exe
2160	niggafart.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinReg32 = "C:\\ProgramData\\WinReg32.exe"	niggafart.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinReg32 = "C:\\ProgramData\\WinReg32.exe"	niggafart.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinReg32 = "C:\\ProgramData\\WinReg32.exe"	niggafart.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com
30	ip-api.com
56	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1796	schtasks.exe
2764	schtasks.exe
2432	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2792	powershell.exe
3004	powershell.exe
1976	powershell.exe
588	powershell.exe
984	powershell.exe
560	powershell.exe
1184	powershell.exe
1592	powershell.exe
2956	powershell.exe
2968	powershell.exe
572	powershell.exe
908	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2348	Phantom.exe
Token: SeDebugPrivilege	2804	niggafart.exe
Token: SeDebugPrivilege	2688	Phantom.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	588	powershell.exe
Token: SeDebugPrivilege	1708	niggafart.exe
Token: SeDebugPrivilege	2804	niggafart.exe
Token: SeDebugPrivilege	1016	Phantom.exe
Token: SeDebugPrivilege	2164	niggafart.exe
Token: SeDebugPrivilege	908	Phantom.exe
Token: SeDebugPrivilege	828	niggafart.exe
Token: SeDebugPrivilege	940	Phantom.exe
Token: SeDebugPrivilege	1368	niggafart.exe
Token: SeDebugPrivilege	1088	Phantom.exe
Token: SeDebugPrivilege	900	niggafart.exe
Token: SeDebugPrivilege	1060	Phantom.exe
Token: SeDebugPrivilege	2980	Phantom.exe
Token: SeDebugPrivilege	2308	niggafart.exe
Token: SeDebugPrivilege	2756	Phantom.exe
Token: SeDebugPrivilege	2676	niggafart.exe
Token: SeDebugPrivilege	2728	Phantom.exe
Token: SeDebugPrivilege	2444	niggafart.exe
Token: SeDebugPrivilege	1664	Phantom.exe
Token: SeDebugPrivilege	2788	WinReg32.exe
Token: SeDebugPrivilege	2232	niggafart.exe
Token: SeDebugPrivilege	2908	Phantom.exe
Token: SeDebugPrivilege	2248	niggafart.exe
Token: SeDebugPrivilege	2820	Phantom.exe
Token: SeDebugPrivilege	1532	niggafart.exe
Token: SeDebugPrivilege	2196	Phantom.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	1832	niggafart.exe
Token: SeDebugPrivilege	1532	niggafart.exe
Token: SeDebugPrivilege	2732	Phantom.exe
Token: SeDebugPrivilege	2628	niggafart.exe
Token: SeDebugPrivilege	2428	Phantom.exe
Token: SeDebugPrivilege	1148	niggafart.exe
Token: SeDebugPrivilege	2556	Phantom.exe
Token: SeDebugPrivilege	1664	niggafart.exe
Token: SeDebugPrivilege	2740	Phantom.exe
Token: SeDebugPrivilege	1604	niggafart.exe
Token: SeDebugPrivilege	2148	Phantom.exe
Token: SeDebugPrivilege	1032	niggafart.exe
Token: SeDebugPrivilege	2664	Phantom.exe
Token: SeDebugPrivilege	604	niggafart.exe
Token: SeDebugPrivilege	2164	Phantom.exe
Token: SeDebugPrivilege	2212	niggafart.exe
Token: SeDebugPrivilege	2452	Phantom.exe
Token: SeDebugPrivilege	1356	WinReg32.exe
Token: SeDebugPrivilege	2936	niggafart.exe
Token: SeDebugPrivilege	1696	Phantom.exe
Token: SeDebugPrivilege	2196	niggafart.exe
Token: SeDebugPrivilege	2340	Phantom.exe
Token: SeDebugPrivilege	2976	niggafart.exe
Token: SeDebugPrivilege	1928	Phantom.exe
Token: SeDebugPrivilege	2816	niggafart.exe
Token: SeDebugPrivilege	2780	Phantom.exe
Token: SeDebugPrivilege	2260	niggafart.exe
Token: SeDebugPrivilege	1676	Phantom.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2804	2348	Phantom.exe	32
PID 2348 wrote to memory of 2804	2348	Phantom.exe	32
PID 2348 wrote to memory of 2804	2348	Phantom.exe	32
PID 2348 wrote to memory of 2688	2348	Phantom.exe	33
PID 2348 wrote to memory of 2688	2348	Phantom.exe	33
PID 2348 wrote to memory of 2688	2348	Phantom.exe	33
PID 2804 wrote to memory of 2792	2804	niggafart.exe	34
PID 2804 wrote to memory of 2792	2804	niggafart.exe	34
PID 2804 wrote to memory of 2792	2804	niggafart.exe	34
PID 2804 wrote to memory of 3004	2804	niggafart.exe	36
PID 2804 wrote to memory of 3004	2804	niggafart.exe	36
PID 2804 wrote to memory of 3004	2804	niggafart.exe	36
PID 2804 wrote to memory of 1976	2804	niggafart.exe	38
PID 2804 wrote to memory of 1976	2804	niggafart.exe	38
PID 2804 wrote to memory of 1976	2804	niggafart.exe	38
PID 2804 wrote to memory of 588	2804	niggafart.exe	40
PID 2804 wrote to memory of 588	2804	niggafart.exe	40
PID 2804 wrote to memory of 588	2804	niggafart.exe	40
PID 2688 wrote to memory of 1708	2688	Phantom.exe	42
PID 2688 wrote to memory of 1708	2688	Phantom.exe	42
PID 2688 wrote to memory of 1708	2688	Phantom.exe	42
PID 2688 wrote to memory of 1016	2688	Phantom.exe	43
PID 2688 wrote to memory of 1016	2688	Phantom.exe	43
PID 2688 wrote to memory of 1016	2688	Phantom.exe	43
PID 2804 wrote to memory of 1796	2804	niggafart.exe	44
PID 2804 wrote to memory of 1796	2804	niggafart.exe	44
PID 2804 wrote to memory of 1796	2804	niggafart.exe	44
PID 1016 wrote to memory of 2164	1016	Phantom.exe	46
PID 1016 wrote to memory of 2164	1016	Phantom.exe	46
PID 1016 wrote to memory of 2164	1016	Phantom.exe	46
PID 1016 wrote to memory of 908	1016	Phantom.exe	47
PID 1016 wrote to memory of 908	1016	Phantom.exe	47
PID 1016 wrote to memory of 908	1016	Phantom.exe	47
PID 908 wrote to memory of 828	908	Phantom.exe	48
PID 908 wrote to memory of 828	908	Phantom.exe	48
PID 908 wrote to memory of 828	908	Phantom.exe	48
PID 908 wrote to memory of 940	908	Phantom.exe	49
PID 908 wrote to memory of 940	908	Phantom.exe	49
PID 908 wrote to memory of 940	908	Phantom.exe	49
PID 940 wrote to memory of 1368	940	Phantom.exe	50
PID 940 wrote to memory of 1368	940	Phantom.exe	50
PID 940 wrote to memory of 1368	940	Phantom.exe	50
PID 940 wrote to memory of 1088	940	Phantom.exe	51
PID 940 wrote to memory of 1088	940	Phantom.exe	51
PID 940 wrote to memory of 1088	940	Phantom.exe	51
PID 1088 wrote to memory of 900	1088	Phantom.exe	52
PID 1088 wrote to memory of 900	1088	Phantom.exe	52
PID 1088 wrote to memory of 900	1088	Phantom.exe	52
PID 1088 wrote to memory of 1060	1088	Phantom.exe	53
PID 1088 wrote to memory of 1060	1088	Phantom.exe	53
PID 1088 wrote to memory of 1060	1088	Phantom.exe	53
PID 1060 wrote to memory of 1324	1060	Phantom.exe	54
PID 1060 wrote to memory of 1324	1060	Phantom.exe	54
PID 1060 wrote to memory of 1324	1060	Phantom.exe	54
PID 1060 wrote to memory of 2980	1060	Phantom.exe	55
PID 1060 wrote to memory of 2980	1060	Phantom.exe	55
PID 1060 wrote to memory of 2980	1060	Phantom.exe	55
PID 2980 wrote to memory of 2308	2980	Phantom.exe	56
PID 2980 wrote to memory of 2308	2980	Phantom.exe	56
PID 2980 wrote to memory of 2308	2980	Phantom.exe	56
PID 2980 wrote to memory of 2756	2980	Phantom.exe	57
PID 2980 wrote to memory of 2756	2980	Phantom.exe	57
PID 2980 wrote to memory of 2756	2980	Phantom.exe	57
PID 2756 wrote to memory of 2676	2756	Phantom.exe	58

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Phantom.exe
"C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Local\Temp\niggafart.exe
  "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\niggafart.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'niggafart.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WinReg32.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WinReg32.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:588
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WinReg32" /tr "C:\ProgramData\WinReg32.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1796
- C:\Users\Admin\AppData\Local\Temp\Phantom.exe
  "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Users\Admin\AppData\Local\Temp\niggafart.exe
    "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1708
- - C:\Users\Admin\AppData\Local\Temp\Phantom.exe
    "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1016
  - - C:\Users\Admin\AppData\Local\Temp\niggafart.exe
      "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2164
  - - C:\Users\Admin\AppData\Local\Temp\Phantom.exe
      "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:908
    - - C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:828
    - - C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:940
      - C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
      - C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        8⤵
        Executes dropped EXE
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        8⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        12⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        13⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        14⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\niggafart.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'niggafart.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WinReg32.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WinReg32.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WinReg32" /tr "C:\ProgramData\WinReg32.exe"
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        14⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        15⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        16⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        17⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        18⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        19⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        20⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        21⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        22⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        23⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        24⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        25⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        26⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        27⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\niggafart.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'niggafart.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WinReg32.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WinReg32.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:908
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WinReg32" /tr "C:\ProgramData\WinReg32.exe"
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        27⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        28⤵
        Executes dropped EXE
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        28⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        29⤵
        Executes dropped EXE
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        29⤵
        
        PID:1348

C:\Windows\system32\taskeng.exe
taskeng.exe {85A66484-2933-4F4B-9F5D-806CBCC9A678} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
1⤵
PID:1092
- C:\ProgramData\WinReg32.exe
  C:\ProgramData\WinReg32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\ProgramData\WinReg32.exe
  C:\ProgramData\WinReg32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\niggafart.exe

Filesize
62KB

MD5
9a2678d72c4828bfa8d10c0afbf68edb

SHA1
8c20f1c6a2c81579cdb932999a203328d73a49a9

SHA256
9f746d574e237df62f38002710abab60c3451e8e716e6064d9201b8627c2014a

SHA512
a9b8d3d839a03c8a346d7e29968d3398ec082bef1e4b1b102d7fa20447502c371ad67924f4f22f24347486218f48c446201528943f59ab803ce6a044b4f665d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0f5afd8ed74a1de393f380aaf4c2a7a5

SHA1
8da6c371fd8733f1fb7f17d60d8ada84ad0384cd

SHA256
a4ac2899d14e85f766492c687a55f4b110ab925fe203f4317f791463aa6fae0c

SHA512
a024c17b8f52af1ca45504a853f5ad14c50de212752bc0c5aea4c43c4239554dff2896488295602af815bfce5435294d19adc11958ce319925b0762c612f0c48

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ab046427118285aa99bac055dada67fc

SHA1
e14e987082101bc103f9ba1d303571c005e69b9f

SHA256
8bec1b37f7311ae67841b08826c1d894961b67316d5791963f3881efb421f644

SHA512
b2461b632f34efb4cb4ce63d02ff8bdb2d3dd6542c6be5638e0e349de5361020c572dd8f09ead6c9c19fea59da4db2096b0821f5905d041bf1bf1dffed527add

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
835bfc39cc7acf67f888c778e6ade276

SHA1
2b4d43c06db952a075403cf97b2957c1f6fd169c

SHA256
ec0bbf7b436edca7a857e91cb69344e0289de587c8034d08a98520aa8c49fdbd

SHA512
46a28f8825668b8f51a4384337f7cc08817a1047a611ca145d73fc493fc69bfca250f24746e435df309c16929404a48e249922489069021e9b71669f35ef7d68

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinReg32.lnk

Filesize
640B

MD5
381ddd1d8492c2a8657644da8d1a03b5

SHA1
ad6e63265c826f05b2074dd6602b727f9caecf63

SHA256
a5a564550800ed82ab2f8fcdb0534e8b1ced5f53cd166a0f79a83f8ec035fb35

SHA512
96acc375108c6c22d00cd2992b2d2153a324a95e4700f1b5884c8b798643b12fb2230a20c320536eba0ebe61a74600981728e81c8b443d58fa2b1eada8621407

Download Submit
memory/984-70-0x00000000027F0000-0x00000000027F8000-memory.dmp

Filesize
32KB

Download
memory/1356-102-0x00000000010B0000-0x00000000010C6000-memory.dmp

Filesize
88KB

Download
memory/1532-63-0x0000000000960000-0x0000000000976000-memory.dmp

Filesize
88KB

Download
memory/2348-10-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2348-2-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2348-1-0x0000000000C30000-0x0000000000E10000-memory.dmp

Filesize
1.9MB

Download
memory/2348-0-0x000007FEF5D03000-0x000007FEF5D04000-memory.dmp

Filesize
4KB

Download
memory/2788-52-0x0000000001170000-0x0000000001186000-memory.dmp

Filesize
88KB

Download
memory/2792-15-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2792-16-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download
memory/2804-57-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2804-40-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2804-39-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2804-9-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2804-8-0x0000000000260000-0x0000000000276000-memory.dmp

Filesize
88KB

Download
memory/3004-23-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/3004-22-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

Filesize
2.9MB

Download