xworm | 7191ca1e3053e459c10aec9281eeb98a94f36fa0134085b2c2386741a6e18f6b

Analysis

max time kernel
28s
max time network
21s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-01-2025 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BlitzedGrabberV12.exe
Size

4.7MB
MD5

f1417759e105ff9909ed454ad5db48a0
SHA1

d8ff4cfa49616988882f1d4e6318db869acd75ce
SHA256

966cee8682727f4f09d137b4924ec6daeb7c0b9dcb8b9700be8c3e73c57c6b60
SHA512

e0359c601e59b56c1d5e324c85692b3f3db94adb1a2110c5fd3e6ab248475d27fa1f2aff86f57c0d99ae328cf4e68783a84af41049d7856c3b940ab6ef19b675
SSDEEP

98304:hmVrrT79MEH/TSbOJfUhEpZlm5qqCabiiSXiBuxIr7n:h2rlMEfTa6fUWlQzCaWiIsX

Score

10^/10

xworm defense_evasion discovery persistence rat themida trojan

Malware Config

Extracted

Family

xworm

Version

3.1

stores-anytime.at.ply.gg:36673

Mutex

S2a8VYouw8L5LAad

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/2800-103-0x0000000000900000-0x0000000001116000-memory.dmp	family_xworm
behavioral1/memory/2800-104-0x0000000000900000-0x0000000001116000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 12 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dusmtask.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dusmtask.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dusmtask.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dusmtask.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dusmtask.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dusmtask.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dusmtask.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dusmtask.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dusmtask.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dusmtask.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dusmtask.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dusmtask.exe

Checks BIOS information in registry 2 TTPs 24 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dusmtask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dusmtask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dusmtask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dusmtask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dusmtask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dusmtask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dusmtask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dusmtask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dusmtask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dusmtask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dusmtask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dusmtask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dusmtask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dusmtask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dusmtask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dusmtask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dusmtask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dusmtask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dusmtask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dusmtask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dusmtask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dusmtask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dusmtask.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dusmtask.exe

Executes dropped EXE 12 IoCs

pid	Process
2744	dusmtask.exe
2840	dusmtask.exe
3048	dusmtask.exe
1932	dusmtask.exe
1872	dusmtask.exe
2896	dusmtask.exe
2404	dusmtask.exe
2488	dusmtask.exe
836	dusmtask.exe
2236	dusmtask.exe
2532	dusmtask.exe
2096	dusmtask.exe

Themida packer 37 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x00080000000120f6-7.dat	themida
behavioral1/memory/2744-13-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/2744-14-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/2840-21-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/2840-20-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/3048-27-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/3048-26-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/2840-29-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/1932-33-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/1932-34-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/3048-37-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/1872-42-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/1872-43-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/1932-45-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/2896-51-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/2896-52-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/1872-54-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/2404-58-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/2404-59-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/2896-61-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/2488-66-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/2488-67-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/2404-69-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/836-73-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/836-74-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/2488-76-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/2236-80-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/2236-81-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/836-84-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/2532-89-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/2532-90-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/2236-92-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/2096-96-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/2096-97-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/2532-99-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/2800-103-0x0000000000900000-0x0000000001116000-memory.dmp	themida
behavioral1/memory/2800-104-0x0000000000900000-0x0000000001116000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dusmtask = "C:\\Users\\Admin\\AppData\\Roaming\\dusmtask.exe"	dusmtask.exe

Checks whether UAC is enabled 1 TTPs 12 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dusmtask.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dusmtask.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dusmtask.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dusmtask.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dusmtask.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dusmtask.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dusmtask.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dusmtask.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dusmtask.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dusmtask.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dusmtask.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dusmtask.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

pid	Process
2744	dusmtask.exe
2840	dusmtask.exe
3048	dusmtask.exe
1932	dusmtask.exe
1872	dusmtask.exe
2896	dusmtask.exe
2404	dusmtask.exe
2488	dusmtask.exe
836	dusmtask.exe
2236	dusmtask.exe
2532	dusmtask.exe
2096	dusmtask.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dusmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dusmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dusmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dusmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dusmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dusmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dusmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dusmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dusmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dusmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dusmtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dusmtask.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	dusmtask.exe
Token: SeDebugPrivilege	2840	dusmtask.exe
Token: SeDebugPrivilege	3048	dusmtask.exe
Token: SeDebugPrivilege	1932	dusmtask.exe
Token: SeDebugPrivilege	1872	dusmtask.exe
Token: SeDebugPrivilege	2896	dusmtask.exe
Token: SeDebugPrivilege	2404	dusmtask.exe
Token: SeDebugPrivilege	2488	dusmtask.exe
Token: SeDebugPrivilege	836	dusmtask.exe
Token: SeDebugPrivilege	2236	dusmtask.exe
Token: SeDebugPrivilege	2532	dusmtask.exe
Token: SeDebugPrivilege	2096	dusmtask.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 2860	1228	BlitzedGrabberV12.exe	30
PID 1228 wrote to memory of 2860	1228	BlitzedGrabberV12.exe	30
PID 1228 wrote to memory of 2860	1228	BlitzedGrabberV12.exe	30
PID 1228 wrote to memory of 2744	1228	BlitzedGrabberV12.exe	31
PID 1228 wrote to memory of 2744	1228	BlitzedGrabberV12.exe	31
PID 1228 wrote to memory of 2744	1228	BlitzedGrabberV12.exe	31
PID 1228 wrote to memory of 2744	1228	BlitzedGrabberV12.exe	31
PID 2860 wrote to memory of 2924	2860	BlitzedGrabberV12.exe	32
PID 2860 wrote to memory of 2924	2860	BlitzedGrabberV12.exe	32
PID 2860 wrote to memory of 2924	2860	BlitzedGrabberV12.exe	32
PID 2860 wrote to memory of 2840	2860	BlitzedGrabberV12.exe	33
PID 2860 wrote to memory of 2840	2860	BlitzedGrabberV12.exe	33
PID 2860 wrote to memory of 2840	2860	BlitzedGrabberV12.exe	33
PID 2860 wrote to memory of 2840	2860	BlitzedGrabberV12.exe	33
PID 2924 wrote to memory of 2664	2924	BlitzedGrabberV12.exe	34
PID 2924 wrote to memory of 2664	2924	BlitzedGrabberV12.exe	34
PID 2924 wrote to memory of 2664	2924	BlitzedGrabberV12.exe	34
PID 2924 wrote to memory of 3048	2924	BlitzedGrabberV12.exe	35
PID 2924 wrote to memory of 3048	2924	BlitzedGrabberV12.exe	35
PID 2924 wrote to memory of 3048	2924	BlitzedGrabberV12.exe	35
PID 2924 wrote to memory of 3048	2924	BlitzedGrabberV12.exe	35
PID 2664 wrote to memory of 2200	2664	BlitzedGrabberV12.exe	36
PID 2664 wrote to memory of 2200	2664	BlitzedGrabberV12.exe	36
PID 2664 wrote to memory of 2200	2664	BlitzedGrabberV12.exe	36
PID 2664 wrote to memory of 1932	2664	BlitzedGrabberV12.exe	37
PID 2664 wrote to memory of 1932	2664	BlitzedGrabberV12.exe	37
PID 2664 wrote to memory of 1932	2664	BlitzedGrabberV12.exe	37
PID 2664 wrote to memory of 1932	2664	BlitzedGrabberV12.exe	37
PID 2200 wrote to memory of 2340	2200	BlitzedGrabberV12.exe	38
PID 2200 wrote to memory of 2340	2200	BlitzedGrabberV12.exe	38
PID 2200 wrote to memory of 2340	2200	BlitzedGrabberV12.exe	38
PID 2200 wrote to memory of 1872	2200	BlitzedGrabberV12.exe	39
PID 2200 wrote to memory of 1872	2200	BlitzedGrabberV12.exe	39
PID 2200 wrote to memory of 1872	2200	BlitzedGrabberV12.exe	39
PID 2200 wrote to memory of 1872	2200	BlitzedGrabberV12.exe	39
PID 2340 wrote to memory of 1484	2340	BlitzedGrabberV12.exe	40
PID 2340 wrote to memory of 1484	2340	BlitzedGrabberV12.exe	40
PID 2340 wrote to memory of 1484	2340	BlitzedGrabberV12.exe	40
PID 2340 wrote to memory of 2896	2340	BlitzedGrabberV12.exe	41
PID 2340 wrote to memory of 2896	2340	BlitzedGrabberV12.exe	41
PID 2340 wrote to memory of 2896	2340	BlitzedGrabberV12.exe	41
PID 2340 wrote to memory of 2896	2340	BlitzedGrabberV12.exe	41
PID 1484 wrote to memory of 2976	1484	BlitzedGrabberV12.exe	42
PID 1484 wrote to memory of 2976	1484	BlitzedGrabberV12.exe	42
PID 1484 wrote to memory of 2976	1484	BlitzedGrabberV12.exe	42
PID 1484 wrote to memory of 2404	1484	BlitzedGrabberV12.exe	43
PID 1484 wrote to memory of 2404	1484	BlitzedGrabberV12.exe	43
PID 1484 wrote to memory of 2404	1484	BlitzedGrabberV12.exe	43
PID 1484 wrote to memory of 2404	1484	BlitzedGrabberV12.exe	43
PID 2976 wrote to memory of 2424	2976	BlitzedGrabberV12.exe	44
PID 2976 wrote to memory of 2424	2976	BlitzedGrabberV12.exe	44
PID 2976 wrote to memory of 2424	2976	BlitzedGrabberV12.exe	44
PID 2976 wrote to memory of 2488	2976	BlitzedGrabberV12.exe	45
PID 2976 wrote to memory of 2488	2976	BlitzedGrabberV12.exe	45
PID 2976 wrote to memory of 2488	2976	BlitzedGrabberV12.exe	45
PID 2976 wrote to memory of 2488	2976	BlitzedGrabberV12.exe	45
PID 2424 wrote to memory of 900	2424	BlitzedGrabberV12.exe	46
PID 2424 wrote to memory of 900	2424	BlitzedGrabberV12.exe	46
PID 2424 wrote to memory of 900	2424	BlitzedGrabberV12.exe	46
PID 2424 wrote to memory of 836	2424	BlitzedGrabberV12.exe	47
PID 2424 wrote to memory of 836	2424	BlitzedGrabberV12.exe	47
PID 2424 wrote to memory of 836	2424	BlitzedGrabberV12.exe	47
PID 2424 wrote to memory of 836	2424	BlitzedGrabberV12.exe	47
PID 900 wrote to memory of 1540	900	BlitzedGrabberV12.exe	48

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
  "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
    "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
      "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2200
      - C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        11⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        12⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        13⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
        14⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\dusmtask.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dusmtask.exe"
        14⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\dusmtask.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dusmtask.exe"
        13⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\dusmtask.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dusmtask.exe"
        12⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\dusmtask.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dusmtask.exe"
        11⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\dusmtask.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dusmtask.exe"
        10⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\dusmtask.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dusmtask.exe"
        9⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\dusmtask.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dusmtask.exe"
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\dusmtask.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dusmtask.exe"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
      - C:\Users\Admin\AppData\Local\Temp\dusmtask.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dusmtask.exe"
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
    - - C:\Users\Admin\AppData\Local\Temp\dusmtask.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dusmtask.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
  - - C:\Users\Admin\AppData\Local\Temp\dusmtask.exe
      "C:\Users\Admin\AppData\Local\Temp\dusmtask.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3048
- - C:\Users\Admin\AppData\Local\Temp\dusmtask.exe
    "C:\Users\Admin\AppData\Local\Temp\dusmtask.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2840
- C:\Users\Admin\AppData\Local\Temp\dusmtask.exe
  "C:\Users\Admin\AppData\Local\Temp\dusmtask.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dusmtask.exe

Filesize
3.0MB

MD5
ee3873b241dfbbab09c396c2b6eda8da

SHA1
4e723e9f768450b29d95b306d210112e2a8f5cbd

SHA256
14ae06ced2d080fcec3ca648454e7edb2d3cf8754e1d9a3c053850a1604aec09

SHA512
a5a461fff089324c12b8fa99d4b72402242c71aa82db12040b4b14c05fb6358956ba1d7aa3308ac39ba01a736c5c181f0782b629709d5d56e63d641075cc7548

Download Submit
memory/836-74-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/836-84-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/836-73-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/1228-1-0x00000000009F0000-0x0000000000E9E000-memory.dmp

Filesize
4.7MB

Download
memory/1228-2-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download
memory/1228-0-0x000007FEF5303000-0x000007FEF5304000-memory.dmp

Filesize
4KB

Download
memory/1228-10-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download
memory/1872-42-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/1872-43-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/1872-39-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/1872-54-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/1932-45-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/1932-33-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/1932-34-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/2096-96-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/2096-97-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/2236-92-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/2236-80-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/2236-81-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/2404-58-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/2404-59-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/2404-69-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/2488-63-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/2488-66-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/2488-67-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/2488-76-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/2532-90-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/2532-99-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/2532-86-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/2532-89-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/2744-14-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/2744-35-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/2744-13-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/2744-9-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/2800-103-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/2800-104-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/2840-20-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/2840-21-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/2840-29-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/2860-17-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download
memory/2860-8-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download
memory/2896-48-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/2896-61-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/2896-52-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/2896-51-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/3048-37-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/3048-26-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/3048-27-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download
memory/3048-23-0x0000000000900000-0x0000000001116000-memory.dmp

Filesize
8.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads