Analysis
- max time kernel: 49s
- max time network: 50s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/01/2025, 23:22
Static task: static1
Behavioral task: behavioral1
- Sample: Phantom.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: Phantom.exe
- Resource: win10v2004-20241007-en
General
- Target: Phantom.exe
- Size: 1.9MB
- MD5: b2b18261a9e3f160e38c4a03f12b2204
- SHA1: ba1ec3b154d6071c068a00408bfb9599d500c18c
- SHA256: c97e3198e1c30dec6a40160c6784a3580e2893f1fd542fdbd67c3ae4447fda46
- SHA512: 2f469790c80291db2907f4eef383cf8054b4fa8bd9074871b0a76d935e250bda729ab7ed9e284181c760333eac01855e070a2c35b3eeea5e9f80c5c816b992e3
- SSDEEP: 24576:JFiGXkKK64/ZmydQcglGE0h59XZPHzNuoiH6Kcejbur2+ofUyVZ/Sb6lJ:JMGUbv9QGE8jX1zNuo06v2+fASmlJ
Malware Config
Extracted: xworm
- 109.176.252.16:80
- 109.176.252.16:80:80
- Install_directory: %ProgramData%
- install_file: WinReg32.exe
Signatures
- Detect Xworm Payload (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x0007000000023cb9-7.dat | family_xworm
  behavioral2/memory/2784-16-0x00000000005E0000-0x00000000005F6000-memory.dmp | family_xworm
- Xworm family
- Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  688 | powershell.exe
  2688 | powershell.exe
  1932 | powershell.exe
  3188 | powershell.exe
- Checks computer location settings (2 TTPs, 19 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | Phantom.exe (18 entries)
  Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | niggafart.exe (1 entry)
- Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinReg32.lnk | niggafart.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinReg32.lnk | niggafart.exe
- Executes dropped EXE (18 IoCs)
  pid | Process
  2784, 1712, 4064, 824, 4304, 728, 1156, 2848, 2112, 1328, 4284, 3460, 1912, 2288, 3156, 1988, 3772, 1500 | niggafart.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinReg32 = "C:\\ProgramData\\WinReg32.exe" | niggafart.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  14 | ip-api.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4912 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | Process
  2688 | powershell.exe (2 entries)
  1932 | powershell.exe (2 entries)
  3188 | powershell.exe (2 entries)
  688 | powershell.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (41 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1096, 1564, 1664, 3128, 1216, 1568, 4188, 3288, 4524, 4428, 4032, 896, 3464, 4220, 3780, 1664, 5100, 436 | Phantom.exe (18 entries)
  Token: SeDebugPrivilege | 2784, 1712, 4064, 2784, 824, 4304, 728, 1156, 2848, 2112, 1328, 4284, 3460, 1912, 2288, 3156, 1988, 3772, 1500 | niggafart.exe (19 entries)
  Token: SeDebugPrivilege | 2688, 1932, 3188, 688 | powershell.exe (4 entries)
- Suspicious use of WriteProcessMemory (64 IoCs; each row below is reported twice)
  description | pid | Process | procid_target
  PID 1096 wrote to memory of 2784 | 1096 | Phantom.exe | 84
  PID 1096 wrote to memory of 1564 | 1096 | Phantom.exe | 85
  PID 1564 wrote to memory of 1712 | 1564 | Phantom.exe | 87
  PID 1564 wrote to memory of 1664 | 1564 | Phantom.exe | 88
  PID 2784 wrote to memory of 2688 | 2784 | niggafart.exe | 89
  PID 2784 wrote to memory of 1932 | 2784 | niggafart.exe | 91
  PID 2784 wrote to memory of 3188 | 2784 | niggafart.exe | 93
  PID 2784 wrote to memory of 688 | 2784 | niggafart.exe | 96
  PID 1664 wrote to memory of 4064 | 1664 | Phantom.exe | 98
  PID 1664 wrote to memory of 3128 | 1664 | Phantom.exe | 99
  PID 2784 wrote to memory of 4912 | 2784 | niggafart.exe | 100
  PID 3128 wrote to memory of 824 | 3128 | Phantom.exe | 103
  PID 3128 wrote to memory of 1216 | 3128 | Phantom.exe | 104
  PID 1216 wrote to memory of 4304 | 1216 | Phantom.exe | 107
  PID 1216 wrote to memory of 1568 | 1216 | Phantom.exe | 108
  PID 1568 wrote to memory of 728 | 1568 | Phantom.exe | 112
  PID 1568 wrote to memory of 4188 | 1568 | Phantom.exe | 113
  PID 4188 wrote to memory of 1156 | 4188 | Phantom.exe | 119
  PID 4188 wrote to memory of 3288 | 4188 | Phantom.exe | 120
  PID 3288 wrote to memory of 2848 | 3288 | Phantom.exe | 124
  PID 3288 wrote to memory of 4524 | 3288 | Phantom.exe | 125
  PID 4524 wrote to memory of 2112 | 4524 | Phantom.exe | 131
  PID 4524 wrote to memory of 4428 | 4524 | Phantom.exe | 132
  PID 4428 wrote to memory of 1328 | 4428 | Phantom.exe | 135
  PID 4428 wrote to memory of 4032 | 4428 | Phantom.exe | 136
  PID 4032 wrote to memory of 4284 | 4032 | Phantom.exe | 140
  PID 4032 wrote to memory of 896 | 4032 | Phantom.exe | 141
  PID 896 wrote to memory of 3460 | 896 | Phantom.exe | 143
  PID 896 wrote to memory of 3464 | 896 | Phantom.exe | 144
  PID 3464 wrote to memory of 1912 | 3464 | Phantom.exe | 147
  PID 3464 wrote to memory of 4220 | 3464 | Phantom.exe | 148
  PID 4220 wrote to memory of 2288 | 4220 | Phantom.exe | 150
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree depth in brackets)
- [1] "C:\Users\Admin\AppData\Local\Temp\Phantom.exe" (PID 1096)
  signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [2] "C:\Users\Admin\AppData\Local\Temp\niggafart.exe" (PID 2784)
    signatures: Checks computer location settings; Drops startup file; Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\niggafart.exe' (PID 2688)
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [3] "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'niggafart.exe' (PID 1932)
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [3] "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WinReg32.exe' (PID 3188)
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [3] "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WinReg32.exe' (PID 688)
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [3] "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WinReg32" /tr "C:\ProgramData\WinReg32.exe" (PID 4912)
      signatures: Scheduled Task/Job: Scheduled Task
  - [2] "C:\Users\Admin\AppData\Local\Temp\Phantom.exe" (PID 1564)
    signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] "C:\Users\Admin\AppData\Local\Temp\niggafart.exe" (PID 1712)
      signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    - [3] "C:\Users\Admin\AppData\Local\Temp\Phantom.exe" (PID 1664)
      signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - [4] "C:\Users\Admin\AppData\Local\Temp\niggafart.exe" (PID 4064)
        signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
      - [4] "C:\Users\Admin\AppData\Local\Temp\Phantom.exe" (PID 3128)
        signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - [5] "C:\Users\Admin\AppData\Local\Temp\niggafart.exe" (PID 824)
          signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
        - [5] "C:\Users\Admin\AppData\Local\Temp\Phantom.exe" (PID 1216)
          signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - [6] "C:\Users\Admin\AppData\Local\Temp\niggafart.exe" (PID 4304)
            signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
          - [6] "C:\Users\Admin\AppData\Local\Temp\Phantom.exe" (PID 1568)
            signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            - [7] "C:\Users\Admin\AppData\Local\Temp\niggafart.exe" (PID 728)
              signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
            - [7] "C:\Users\Admin\AppData\Local\Temp\Phantom.exe" (PID 4188)
              signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
              - [8] "C:\Users\Admin\AppData\Local\Temp\niggafart.exe" (PID 1156)
                signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
              - [8] "C:\Users\Admin\AppData\Local\Temp\Phantom.exe" (PID 3288)
                signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                - [9] "C:\Users\Admin\AppData\Local\Temp\niggafart.exe" (PID 2848)
                  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                - [9] "C:\Users\Admin\AppData\Local\Temp\Phantom.exe" (PID 4524)
                  signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                  - [10] "C:\Users\Admin\AppData\Local\Temp\niggafart.exe" (PID 2112)
                    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                  - [10] "C:\Users\Admin\AppData\Local\Temp\Phantom.exe" (PID 4428)
                    signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                    - [11] "C:\Users\Admin\AppData\Local\Temp\niggafart.exe" (PID 1328)
                      signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                    - [11] "C:\Users\Admin\AppData\Local\Temp\Phantom.exe" (PID 4032)
                      signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                      - [12] "C:\Users\Admin\AppData\Local\Temp\niggafart.exe" (PID 4284)
                        signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                      - [12] "C:\Users\Admin\AppData\Local\Temp\Phantom.exe" (PID 896)
                        signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                        - [13] "C:\Users\Admin\AppData\Local\Temp\niggafart.exe" (PID 3460)
                          signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                        - [13] "C:\Users\Admin\AppData\Local\Temp\Phantom.exe" (PID 3464)
                          signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                          - [14] "C:\Users\Admin\AppData\Local\Temp\niggafart.exe" (PID 1912)
                            signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                          - [14] "C:\Users\Admin\AppData\Local\Temp\Phantom.exe" (PID 4220)
                            signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
                            - [15] "C:\Users\Admin\AppData\Local\Temp\niggafart.exe" (PID 2288)
                              signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                            - [15] "C:\Users\Admin\AppData\Local\Temp\Phantom.exe" (PID 3780)
                              signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken
                              - [16] "C:\Users\Admin\AppData\Local\Temp\niggafart.exe" (PID 3156)
                                signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                              - [16] "C:\Users\Admin\AppData\Local\Temp\Phantom.exe" (PID 1664)
                                signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken
                                - [17] "C:\Users\Admin\AppData\Local\Temp\niggafart.exe" (PID 1988)
                                  signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                                - [17] "C:\Users\Admin\AppData\Local\Temp\Phantom.exe" (PID 5100)
                                  signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken
                                  - [18] "C:\Users\Admin\AppData\Local\Temp\niggafart.exe" (PID 3772)
                                    signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                                  - [18] "C:\Users\Admin\AppData\Local\Temp\Phantom.exe" (PID 436)
                                    signatures: Checks computer location settings; Suspicious use of AdjustPrivilegeToken
                                    - [19] "C:\Users\Admin\AppData\Local\Temp\niggafart.exe" (PID 1500)
                                      signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
                                    - [19] "C:\Users\Admin\AppData\Local\Temp\Phantom.exe" (PID 3084)
                                      signatures: none
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
- Filesize: 1KB
  MD5: bb6a89a9355baba2918bb7c32eca1c94
  SHA1: 976c76dfbc072e405ce0d0b9314fe5b9e84cb1b2
  SHA256: 192fbb7f4d1396fd4846854c5472a60aa80932f3c754f2c2f1a2a136c8a6bb4b
  SHA512: efdf0c6228c3a8a7550804ac921dfefc5265eb2c9bbf4b8b00cedd427c0a5adf610586b844ff444bd717abff138affcbe49632ce984cbffc5fa8019b4ba6ec0f
- Filesize: 654B
  MD5: 2ff39f6c7249774be85fd60a8f9a245e
  SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
  SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
  SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
- Filesize: 2KB
  MD5: 440cb38dbee06645cc8b74d51f6e5f71
  SHA1: d7e61da91dc4502e9ae83281b88c1e48584edb7c
  SHA256: 8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe
  SHA512: 3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6
- Filesize: 944B
  MD5: 359d1e37a264703c99ebd01eed362de5
  SHA1: a1122c8bf9848b3371cd191ba540864204d1d845
  SHA256: 5781f3046b0d978469415a059cf5ceae0e532869e69ab1dffb8ed878bd299b07
  SHA512: ce3caa1d2205be8167b7cd48ebf538a9ce8c148643c26a20377894aa15cf00f90b2b5e2ebf35d40a0273c088abc11fe6f010e34691d7fbc4bef8d7e482f5087d
- Filesize: 944B
  MD5: 3b444d3f0ddea49d84cc7b3972abe0e6
  SHA1: 0a896b3808e68d5d72c2655621f43b0b2c65ae02
  SHA256: ab075b491d20c6f66c7bd40b57538c1cfdaab5aac4715bfe3bbc7f4745860a74
  SHA512: eb0ab5d68472ec42de4c9b6d84306d7bca3874be1d0ac572030a070f21a698432418068e1a6006ff88480be8c8f54c769dee74b2def403f734109dba7261f36b
- Filesize: 944B
  MD5: 22310ad6749d8cc38284aa616efcd100
  SHA1: 440ef4a0a53bfa7c83fe84326a1dff4326dcb515
  SHA256: 55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf
  SHA512: 2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 62KB
  MD5: 9a2678d72c4828bfa8d10c0afbf68edb
  SHA1: 8c20f1c6a2c81579cdb932999a203328d73a49a9
  SHA256: 9f746d574e237df62f38002710abab60c3451e8e716e6064d9201b8627c2014a
  SHA512: a9b8d3d839a03c8a346d7e29968d3398ec082bef1e4b1b102d7fa20447502c371ad67924f4f22f24347486218f48c446201528943f59ab803ce6a044b4f665d0