xworm | c97e3198e1c30dec6a40160c6784a3580e2893f1fd542fdbd67c3ae4447fda46

Analysis

max time kernel
49s
max time network
50s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/01/2025, 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Phantom.exe
Size

1.9MB
MD5

b2b18261a9e3f160e38c4a03f12b2204
SHA1

ba1ec3b154d6071c068a00408bfb9599d500c18c
SHA256

c97e3198e1c30dec6a40160c6784a3580e2893f1fd542fdbd67c3ae4447fda46
SHA512

2f469790c80291db2907f4eef383cf8054b4fa8bd9074871b0a76d935e250bda729ab7ed9e284181c760333eac01855e070a2c35b3eeea5e9f80c5c816b992e3
SSDEEP

24576:JFiGXkKK64/ZmydQcglGE0h59XZPHzNuoiH6Kcejbur2+ofUyVZ/Sb6lJ:JMGUbv9QGE8jX1zNuo06v2+fASmlJ

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

109.176.252.16:80

109.176.252.16:80:80

Attributes

Install_directory
%ProgramData%
install_file
WinReg32.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023cb9-7.dat	family_xworm
behavioral2/memory/2784-16-0x00000000005E0000-0x00000000005F6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
688	powershell.exe
2688	powershell.exe
1932	powershell.exe
3188	powershell.exe

Checks computer location settings 2 TTPs 19 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Phantom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Phantom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Phantom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Phantom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Phantom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Phantom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Phantom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Phantom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Phantom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Phantom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Phantom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Phantom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Phantom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Phantom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Phantom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Phantom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Phantom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	niggafart.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Phantom.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinReg32.lnk	niggafart.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinReg32.lnk	niggafart.exe

Executes dropped EXE 18 IoCs

pid	Process
2784	niggafart.exe
1712	niggafart.exe
4064	niggafart.exe
824	niggafart.exe
4304	niggafart.exe
728	niggafart.exe
1156	niggafart.exe
2848	niggafart.exe
2112	niggafart.exe
1328	niggafart.exe
4284	niggafart.exe
3460	niggafart.exe
1912	niggafart.exe
2288	niggafart.exe
3156	niggafart.exe
1988	niggafart.exe
3772	niggafart.exe
1500	niggafart.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinReg32 = "C:\\ProgramData\\WinReg32.exe"	niggafart.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4912	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2688	powershell.exe
2688	powershell.exe
1932	powershell.exe
1932	powershell.exe
3188	powershell.exe
3188	powershell.exe
688	powershell.exe
688	powershell.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	1096	Phantom.exe
Token: SeDebugPrivilege	2784	niggafart.exe
Token: SeDebugPrivilege	1564	Phantom.exe
Token: SeDebugPrivilege	1712	niggafart.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeDebugPrivilege	1664	Phantom.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeDebugPrivilege	4064	niggafart.exe
Token: SeDebugPrivilege	2784	niggafart.exe
Token: SeDebugPrivilege	3128	Phantom.exe
Token: SeDebugPrivilege	824	niggafart.exe
Token: SeDebugPrivilege	1216	Phantom.exe
Token: SeDebugPrivilege	4304	niggafart.exe
Token: SeDebugPrivilege	1568	Phantom.exe
Token: SeDebugPrivilege	728	niggafart.exe
Token: SeDebugPrivilege	4188	Phantom.exe
Token: SeDebugPrivilege	1156	niggafart.exe
Token: SeDebugPrivilege	3288	Phantom.exe
Token: SeDebugPrivilege	2848	niggafart.exe
Token: SeDebugPrivilege	4524	Phantom.exe
Token: SeDebugPrivilege	2112	niggafart.exe
Token: SeDebugPrivilege	4428	Phantom.exe
Token: SeDebugPrivilege	1328	niggafart.exe
Token: SeDebugPrivilege	4032	Phantom.exe
Token: SeDebugPrivilege	4284	niggafart.exe
Token: SeDebugPrivilege	896	Phantom.exe
Token: SeDebugPrivilege	3460	niggafart.exe
Token: SeDebugPrivilege	3464	Phantom.exe
Token: SeDebugPrivilege	1912	niggafart.exe
Token: SeDebugPrivilege	4220	Phantom.exe
Token: SeDebugPrivilege	2288	niggafart.exe
Token: SeDebugPrivilege	3780	Phantom.exe
Token: SeDebugPrivilege	3156	niggafart.exe
Token: SeDebugPrivilege	1664	Phantom.exe
Token: SeDebugPrivilege	1988	niggafart.exe
Token: SeDebugPrivilege	5100	Phantom.exe
Token: SeDebugPrivilege	3772	niggafart.exe
Token: SeDebugPrivilege	436	Phantom.exe
Token: SeDebugPrivilege	1500	niggafart.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 2784	1096	Phantom.exe	84
PID 1096 wrote to memory of 2784	1096	Phantom.exe	84
PID 1096 wrote to memory of 1564	1096	Phantom.exe	85
PID 1096 wrote to memory of 1564	1096	Phantom.exe	85
PID 1564 wrote to memory of 1712	1564	Phantom.exe	87
PID 1564 wrote to memory of 1712	1564	Phantom.exe	87
PID 1564 wrote to memory of 1664	1564	Phantom.exe	88
PID 1564 wrote to memory of 1664	1564	Phantom.exe	88
PID 2784 wrote to memory of 2688	2784	niggafart.exe	89
PID 2784 wrote to memory of 2688	2784	niggafart.exe	89
PID 2784 wrote to memory of 1932	2784	niggafart.exe	91
PID 2784 wrote to memory of 1932	2784	niggafart.exe	91
PID 2784 wrote to memory of 3188	2784	niggafart.exe	93
PID 2784 wrote to memory of 3188	2784	niggafart.exe	93
PID 2784 wrote to memory of 688	2784	niggafart.exe	96
PID 2784 wrote to memory of 688	2784	niggafart.exe	96
PID 1664 wrote to memory of 4064	1664	Phantom.exe	98
PID 1664 wrote to memory of 4064	1664	Phantom.exe	98
PID 1664 wrote to memory of 3128	1664	Phantom.exe	99
PID 1664 wrote to memory of 3128	1664	Phantom.exe	99
PID 2784 wrote to memory of 4912	2784	niggafart.exe	100
PID 2784 wrote to memory of 4912	2784	niggafart.exe	100
PID 3128 wrote to memory of 824	3128	Phantom.exe	103
PID 3128 wrote to memory of 824	3128	Phantom.exe	103
PID 3128 wrote to memory of 1216	3128	Phantom.exe	104
PID 3128 wrote to memory of 1216	3128	Phantom.exe	104
PID 1216 wrote to memory of 4304	1216	Phantom.exe	107
PID 1216 wrote to memory of 4304	1216	Phantom.exe	107
PID 1216 wrote to memory of 1568	1216	Phantom.exe	108
PID 1216 wrote to memory of 1568	1216	Phantom.exe	108
PID 1568 wrote to memory of 728	1568	Phantom.exe	112
PID 1568 wrote to memory of 728	1568	Phantom.exe	112
PID 1568 wrote to memory of 4188	1568	Phantom.exe	113
PID 1568 wrote to memory of 4188	1568	Phantom.exe	113
PID 4188 wrote to memory of 1156	4188	Phantom.exe	119
PID 4188 wrote to memory of 1156	4188	Phantom.exe	119
PID 4188 wrote to memory of 3288	4188	Phantom.exe	120
PID 4188 wrote to memory of 3288	4188	Phantom.exe	120
PID 3288 wrote to memory of 2848	3288	Phantom.exe	124
PID 3288 wrote to memory of 2848	3288	Phantom.exe	124
PID 3288 wrote to memory of 4524	3288	Phantom.exe	125
PID 3288 wrote to memory of 4524	3288	Phantom.exe	125
PID 4524 wrote to memory of 2112	4524	Phantom.exe	131
PID 4524 wrote to memory of 2112	4524	Phantom.exe	131
PID 4524 wrote to memory of 4428	4524	Phantom.exe	132
PID 4524 wrote to memory of 4428	4524	Phantom.exe	132
PID 4428 wrote to memory of 1328	4428	Phantom.exe	135
PID 4428 wrote to memory of 1328	4428	Phantom.exe	135
PID 4428 wrote to memory of 4032	4428	Phantom.exe	136
PID 4428 wrote to memory of 4032	4428	Phantom.exe	136
PID 4032 wrote to memory of 4284	4032	Phantom.exe	140
PID 4032 wrote to memory of 4284	4032	Phantom.exe	140
PID 4032 wrote to memory of 896	4032	Phantom.exe	141
PID 4032 wrote to memory of 896	4032	Phantom.exe	141
PID 896 wrote to memory of 3460	896	Phantom.exe	143
PID 896 wrote to memory of 3460	896	Phantom.exe	143
PID 896 wrote to memory of 3464	896	Phantom.exe	144
PID 896 wrote to memory of 3464	896	Phantom.exe	144
PID 3464 wrote to memory of 1912	3464	Phantom.exe	147
PID 3464 wrote to memory of 1912	3464	Phantom.exe	147
PID 3464 wrote to memory of 4220	3464	Phantom.exe	148
PID 3464 wrote to memory of 4220	3464	Phantom.exe	148
PID 4220 wrote to memory of 2288	4220	Phantom.exe	150
PID 4220 wrote to memory of 2288	4220	Phantom.exe	150

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Phantom.exe
"C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Users\Admin\AppData\Local\Temp\niggafart.exe
  "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\niggafart.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'niggafart.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WinReg32.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3188
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WinReg32.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:688
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WinReg32" /tr "C:\ProgramData\WinReg32.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4912
- C:\Users\Admin\AppData\Local\Temp\Phantom.exe
  "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Users\Admin\AppData\Local\Temp\niggafart.exe
    "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1712
- - C:\Users\Admin\AppData\Local\Temp\Phantom.exe
    "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Users\Admin\AppData\Local\Temp\niggafart.exe
      "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4064
  - - C:\Users\Admin\AppData\Local\Temp\Phantom.exe
      "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
      4⤵
      Checks computer location settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3128
    - - C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:824
    - - C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        5⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1216
      - C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4304
      - C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        6⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        7⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        8⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        9⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        10⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        11⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        12⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        13⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        14⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        15⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        16⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        17⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        18⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\niggafart.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggafart.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\Phantom.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Phantom.exe"
        19⤵
        
        PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Phantom.exe.log

Filesize
1KB

MD5
bb6a89a9355baba2918bb7c32eca1c94

SHA1
976c76dfbc072e405ce0d0b9314fe5b9e84cb1b2

SHA256
192fbb7f4d1396fd4846854c5472a60aa80932f3c754f2c2f1a2a136c8a6bb4b

SHA512
efdf0c6228c3a8a7550804ac921dfefc5265eb2c9bbf4b8b00cedd427c0a5adf610586b844ff444bd717abff138affcbe49632ce984cbffc5fa8019b4ba6ec0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\niggafart.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
359d1e37a264703c99ebd01eed362de5

SHA1
a1122c8bf9848b3371cd191ba540864204d1d845

SHA256
5781f3046b0d978469415a059cf5ceae0e532869e69ab1dffb8ed878bd299b07

SHA512
ce3caa1d2205be8167b7cd48ebf538a9ce8c148643c26a20377894aa15cf00f90b2b5e2ebf35d40a0273c088abc11fe6f010e34691d7fbc4bef8d7e482f5087d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3b444d3f0ddea49d84cc7b3972abe0e6

SHA1
0a896b3808e68d5d72c2655621f43b0b2c65ae02

SHA256
ab075b491d20c6f66c7bd40b57538c1cfdaab5aac4715bfe3bbc7f4745860a74

SHA512
eb0ab5d68472ec42de4c9b6d84306d7bca3874be1d0ac572030a070f21a698432418068e1a6006ff88480be8c8f54c769dee74b2def403f734109dba7261f36b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kjd2khvx.e4m.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\niggafart.exe

Filesize
62KB

MD5
9a2678d72c4828bfa8d10c0afbf68edb

SHA1
8c20f1c6a2c81579cdb932999a203328d73a49a9

SHA256
9f746d574e237df62f38002710abab60c3451e8e716e6064d9201b8627c2014a

SHA512
a9b8d3d839a03c8a346d7e29968d3398ec082bef1e4b1b102d7fa20447502c371ad67924f4f22f24347486218f48c446201528943f59ab803ce6a044b4f665d0

Download Submit
memory/1096-0-0x00007FF95A713000-0x00007FF95A715000-memory.dmp

Filesize
8KB

Download
memory/1096-2-0x00007FF95A710000-0x00007FF95B1D1000-memory.dmp

Filesize
10.8MB

Download
memory/1096-19-0x00007FF95A710000-0x00007FF95B1D1000-memory.dmp

Filesize
10.8MB

Download
memory/1096-1-0x0000000000F20000-0x0000000001100000-memory.dmp

Filesize
1.9MB

Download
memory/1564-21-0x00007FF95A710000-0x00007FF95B1D1000-memory.dmp

Filesize
10.8MB

Download
memory/1564-18-0x00007FF95A710000-0x00007FF95B1D1000-memory.dmp

Filesize
10.8MB

Download
memory/2688-31-0x0000017775BA0000-0x0000017775BC2000-memory.dmp

Filesize
136KB

Download
memory/2784-16-0x00000000005E0000-0x00000000005F6000-memory.dmp

Filesize
88KB

Download
memory/2784-17-0x00007FF95A710000-0x00007FF95B1D1000-memory.dmp

Filesize
10.8MB

Download
memory/2784-75-0x00007FF95A710000-0x00007FF95B1D1000-memory.dmp

Filesize
10.8MB

Download