ramnit | abe47f0361c9878b2f4475dc8989e9055012a0c4ce1cc18f913bc9b89d618b45

Analysis

max time kernel
297s
max time network
351s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
22/03/2025, 10:23

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

XClient.exe
Size

174KB
MD5

a6cc70ece3acb1443a203972dc007a6c
SHA1

c2bfd3e0a43bffcb7dbba118e507c423c5ed8869
SHA256

abe47f0361c9878b2f4475dc8989e9055012a0c4ce1cc18f913bc9b89d618b45
SHA512

a1c9aad284b2a14b12f22154d8bc6500d0ff4d330671fc958c0a0fab3a7437bccbaec5e8ca099f399f2ab4499dccea7224f68dedf726ed1818b2fbcd2819fa1f
SSDEEP

3072:jNWJcweLkbmlHBOgzca3v7EsUT8rmtIhF:jacAbCT/HUTftO

Score

10^/10

ramnit xworm banker credential_access defense_evasion discovery evasion execution persistence rat spyware stealer trojan upx worm

Malware Config

Extracted

Family

xworm

such-captain.gl.at.ply.gg:7723

Attributes

install_file
USB.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/1144-31-0x00000000011C0000-0x00000000011CE000-memory.dmp	disable_win_def

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1144-1-0x0000000000770000-0x00000000007A0000-memory.dmp	family_xworm

Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	powershell.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 1 IoCs

defense_evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	powershell.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1144 created 708	1144	XClient.exe	7

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Executes dropped EXE 5 IoCs

pid	Process
6128	cwlohd.exe
1572	cwlohdSrv.exe
3644	mdkqwc.exe
3052	rckdvy.exe
1960	bidmkc.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3712238951-2226310826-298817577-1000\Software\Microsoft\Windows\CurrentVersion\Run\Win32 = "C:\\Windows\\Win32.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3712238951-2226310826-298817577-1000\Software\Microsoft\Windows\CurrentVersion\Run\Win32 = "C:\\Windows\\Win32.bat"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3580	powershell.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001a00000002b1fc-10.dat	upx
behavioral1/memory/6128-13-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/files/0x001900000002b204-17.dat	upx
behavioral1/memory/1572-18-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1572-20-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/6128-22-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/6128-23-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/6128-26-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/6128-27-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/6128-28-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/6128-30-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/6128-53-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/6128-62-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/6128-68-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/6128-74-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/6128-80-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/6128-86-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/6128-92-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/6128-98-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/6128-104-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/6128-110-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/files/0x0003000000000034-224.dat	upx
behavioral1/memory/3000-228-0x0000000000400000-0x00000000006D8000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Win32.bat	cmd.exe
File opened for modification	C:\Windows\Win32.bat	cmd.exe
File opened for modification	C:\Windows\Win32.bat	cmd.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
884	sc.exe
1060	sc.exe
5940	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2656	1572	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cwlohdSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rckdvy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bidmkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cwlohd.exe

Kills process with taskkill 10 IoCs

defense_evasion

pid	Process
3364	taskkill.exe
5264	taskkill.exe
936	taskkill.exe
1604	taskkill.exe
600	taskkill.exe
4196	taskkill.exe
3892	taskkill.exe
1220	taskkill.exe
4060	taskkill.exe
6112	taskkill.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
5956	reg.exe
6116	reg.exe
5240	reg.exe
4232	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1144	XClient.exe
1144	XClient.exe
1144	XClient.exe
3580	powershell.exe
3580	powershell.exe
3580	powershell.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	1144	XClient.exe
Token: SeDebugPrivilege	1936	whoami.exe
Token: SeDebugPrivilege	1936	whoami.exe
Token: SeDebugPrivilege	1936	whoami.exe
Token: SeDebugPrivilege	1936	whoami.exe
Token: SeDebugPrivilege	1936	whoami.exe
Token: SeDebugPrivilege	1936	whoami.exe
Token: SeDebugPrivilege	1936	whoami.exe
Token: SeDebugPrivilege	1936	whoami.exe
Token: SeDebugPrivilege	1936	whoami.exe
Token: SeDebugPrivilege	1936	whoami.exe
Token: SeDebugPrivilege	1936	whoami.exe
Token: SeDebugPrivilege	1936	whoami.exe
Token: SeDebugPrivilege	1936	whoami.exe
Token: SeDebugPrivilege	1936	whoami.exe
Token: SeDebugPrivilege	1936	whoami.exe
Token: SeDebugPrivilege	1936	whoami.exe
Token: SeDebugPrivilege	1936	whoami.exe
Token: SeDebugPrivilege	1936	whoami.exe
Token: SeDebugPrivilege	1936	whoami.exe
Token: SeDebugPrivilege	1936	whoami.exe
Token: SeDebugPrivilege	1936	whoami.exe
Token: SeDebugPrivilege	1936	whoami.exe
Token: SeDebugPrivilege	1936	whoami.exe
Token: SeDebugPrivilege	1936	whoami.exe
Token: SeDebugPrivilege	1936	whoami.exe
Token: SeDebugPrivilege	1936	whoami.exe
Token: SeDebugPrivilege	3580	powershell.exe
Token: SeDebugPrivilege	1196	whoami.exe
Token: SeDebugPrivilege	1196	whoami.exe
Token: SeDebugPrivilege	1196	whoami.exe
Token: SeDebugPrivilege	1196	whoami.exe
Token: SeDebugPrivilege	1196	whoami.exe
Token: SeDebugPrivilege	1196	whoami.exe
Token: SeDebugPrivilege	1196	whoami.exe
Token: SeDebugPrivilege	1196	whoami.exe
Token: 33	2060	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2060	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3052	rckdvy.exe
1960	bidmkc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 6128	1144	XClient.exe	85
PID 1144 wrote to memory of 6128	1144	XClient.exe	85
PID 1144 wrote to memory of 6128	1144	XClient.exe	85
PID 6128 wrote to memory of 1572	6128	cwlohd.exe	86
PID 6128 wrote to memory of 1572	6128	cwlohd.exe	86
PID 6128 wrote to memory of 1572	6128	cwlohd.exe	86
PID 1144 wrote to memory of 884	1144	XClient.exe	91
PID 1144 wrote to memory of 884	1144	XClient.exe	91
PID 1144 wrote to memory of 4840	1144	XClient.exe	92
PID 1144 wrote to memory of 4840	1144	XClient.exe	92
PID 1144 wrote to memory of 1936	1144	XClient.exe	94
PID 1144 wrote to memory of 1936	1144	XClient.exe	94
PID 1144 wrote to memory of 5152	1144	XClient.exe	95
PID 1144 wrote to memory of 5152	1144	XClient.exe	95
PID 1144 wrote to memory of 3680	1144	XClient.exe	96
PID 1144 wrote to memory of 3680	1144	XClient.exe	96
PID 1144 wrote to memory of 3580	1144	XClient.exe	97
PID 1144 wrote to memory of 3580	1144	XClient.exe	97
PID 3580 wrote to memory of 1060	3580	powershell.exe	99
PID 3580 wrote to memory of 1060	3580	powershell.exe	99
PID 3580 wrote to memory of 5672	3580	powershell.exe	100
PID 3580 wrote to memory of 5672	3580	powershell.exe	100
PID 3580 wrote to memory of 1196	3580	powershell.exe	102
PID 3580 wrote to memory of 1196	3580	powershell.exe	102
PID 3580 wrote to memory of 5080	3580	powershell.exe	103
PID 3580 wrote to memory of 5080	3580	powershell.exe	103
PID 3580 wrote to memory of 5940	3580	powershell.exe	104
PID 3580 wrote to memory of 5940	3580	powershell.exe	104
PID 1144 wrote to memory of 3644	1144	XClient.exe	106
PID 1144 wrote to memory of 3644	1144	XClient.exe	106
PID 1144 wrote to memory of 3052	1144	XClient.exe	107
PID 1144 wrote to memory of 3052	1144	XClient.exe	107
PID 1144 wrote to memory of 3052	1144	XClient.exe	107
PID 3052 wrote to memory of 1832	3052	rckdvy.exe	108
PID 3052 wrote to memory of 1832	3052	rckdvy.exe	108
PID 1832 wrote to memory of 2520	1832	cmd.exe	112
PID 1832 wrote to memory of 2520	1832	cmd.exe	112
PID 1832 wrote to memory of 936	1832	cmd.exe	113
PID 1832 wrote to memory of 936	1832	cmd.exe	113
PID 1832 wrote to memory of 4060	1832	cmd.exe	114
PID 1832 wrote to memory of 4060	1832	cmd.exe	114
PID 1832 wrote to memory of 1604	1832	cmd.exe	115
PID 1832 wrote to memory of 1604	1832	cmd.exe	115
PID 1832 wrote to memory of 600	1832	cmd.exe	116
PID 1832 wrote to memory of 600	1832	cmd.exe	116
PID 1832 wrote to memory of 6112	1832	cmd.exe	117
PID 1832 wrote to memory of 6112	1832	cmd.exe	117
PID 1832 wrote to memory of 5956	1832	cmd.exe	118
PID 1832 wrote to memory of 5956	1832	cmd.exe	118
PID 1832 wrote to memory of 6116	1832	cmd.exe	119
PID 1832 wrote to memory of 6116	1832	cmd.exe	119
PID 1144 wrote to memory of 1960	1144	XClient.exe	120
PID 1144 wrote to memory of 1960	1144	XClient.exe	120
PID 1144 wrote to memory of 1960	1144	XClient.exe	120
PID 1960 wrote to memory of 4708	1960	bidmkc.exe	121
PID 1960 wrote to memory of 4708	1960	bidmkc.exe	121
PID 4708 wrote to memory of 3380	4708	cmd.exe	123
PID 4708 wrote to memory of 3380	4708	cmd.exe	123
PID 4708 wrote to memory of 4196	4708	cmd.exe	124
PID 4708 wrote to memory of 4196	4708	cmd.exe	124
PID 4708 wrote to memory of 3892	4708	cmd.exe	125
PID 4708 wrote to memory of 3892	4708	cmd.exe	125
PID 4708 wrote to memory of 1220	4708	cmd.exe	126
PID 4708 wrote to memory of 1220	4708	cmd.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
  2⤵
  - Modifies Windows Defender DisableAntiSpyware settings
  - Modifies Windows Defender Real-time Protection settings
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3580
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" qc windefend
    3⤵
    - Launches sc.exe
    PID:1060
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
    3⤵
    PID:5672
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /groups
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1196
- - C:\Windows\system32\net1.exe
    "C:\Windows\system32\net1.exe" stop windefend
    3⤵
    PID:5080
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
    3⤵
    - Launches sc.exe
    PID:5940

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Users\Admin\AppData\Local\Temp\cwlohd.exe
  "C:\Users\Admin\AppData\Local\Temp\cwlohd.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:6128
- - C:\Users\Admin\AppData\Local\Temp\cwlohdSrv.exe
    C:\Users\Admin\AppData\Local\Temp\cwlohdSrv.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1572
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 320
      4⤵
      Program crash
      PID:2656
- C:\Windows\system32\sc.exe
  "C:\Windows\system32\sc.exe" qc windefend
  2⤵
  - Launches sc.exe
  PID:884
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
  2⤵
  PID:4840
- C:\Windows\system32\whoami.exe
  "C:\Windows\system32\whoami.exe" /groups
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\system32\net1.exe
  "C:\Windows\system32\net1.exe" start TrustedInstaller
  2⤵
  PID:5152
- C:\Windows\system32\net1.exe
  "C:\Windows\system32\net1.exe" start lsass
  2⤵
  PID:3680
- C:\Users\Admin\AppData\Local\Temp\mdkqwc.exe
  "C:\Users\Admin\AppData\Local\Temp\mdkqwc.exe"
  2⤵
  - Executes dropped EXE
  PID:3644
- C:\Users\Admin\AppData\Local\Temp\rckdvy.exe
  "C:\Users\Admin\AppData\Local\Temp\rckdvy.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DA30.tmp\DA31.bat C:\Users\Admin\AppData\Local\Temp\rckdvy.exe"
    3⤵
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1832
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f
      4⤵
      Adds Run key to start application
      PID:2520
  - - C:\Windows\system32\taskkill.exe
      taskkill /im /f chrome.exe
      4⤵
      Kills process with taskkill
      PID:936
  - - C:\Windows\system32\taskkill.exe
      taskkill /im /f ie.exe
      4⤵
      Kills process with taskkill
      PID:4060
  - - C:\Windows\system32\taskkill.exe
      taskkill /im /f firefox.exe
      4⤵
      Kills process with taskkill
      PID:1604
  - - C:\Windows\system32\taskkill.exe
      taskkill /im /f opera.exe
      4⤵
      Kills process with taskkill
      PID:600
  - - C:\Windows\system32\taskkill.exe
      taskkill /im /f safari.exe
      4⤵
      Kills process with taskkill
      PID:6112
  - - C:\Windows\system32\reg.exe
      Reg Delete HKLM\System\CurrentControlSet\Control\SafeBoot\*.* /q
      4⤵
      Modifies registry key
      PID:5956
  - - C:\Windows\system32\reg.exe
      Reg Delete HKLM\System\CurrentControlSet\Control\SafeBoot /q
      4⤵
      Modifies registry key
      PID:6116
- C:\Users\Admin\AppData\Local\Temp\bidmkc.exe
  "C:\Users\Admin\AppData\Local\Temp\bidmkc.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4E9.tmp\4EA.bat C:\Users\Admin\AppData\Local\Temp\bidmkc.exe"
    3⤵
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4708
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Win32 /t REG_SZ /d C:\Windows\Win32.bat /f
      4⤵
      Adds Run key to start application
      PID:3380
  - - C:\Windows\system32\taskkill.exe
      taskkill /im /f chrome.exe
      4⤵
      Kills process with taskkill
      PID:4196
  - - C:\Windows\system32\taskkill.exe
      taskkill /im /f ie.exe
      4⤵
      Kills process with taskkill
      PID:3892
  - - C:\Windows\system32\taskkill.exe
      taskkill /im /f firefox.exe
      4⤵
      Kills process with taskkill
      PID:1220
  - - C:\Windows\system32\taskkill.exe
      taskkill /im /f opera.exe
      4⤵
      Kills process with taskkill
      PID:3364
  - - C:\Windows\system32\taskkill.exe
      taskkill /im /f safari.exe
      4⤵
      Kills process with taskkill
      PID:5264
  - - C:\Windows\system32\reg.exe
      Reg Delete HKLM\System\CurrentControlSet\Control\SafeBoot\*.* /q
      4⤵
      Modifies registry key
      PID:5240
  - - C:\Windows\system32\reg.exe
      Reg Delete HKLM\System\CurrentControlSet\Control\SafeBoot /q
      4⤵
      Modifies registry key
      PID:4232
- C:\Users\Admin\AppData\Local\Temp\jrynvz.exe
  "C:\Users\Admin\AppData\Local\Temp\jrynvz.exe"
  2⤵
  PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1572 -ip 1572
1⤵
PID:3588

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004BC 0x00000000000004C8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DA30.tmp\DA31.bat

Filesize
1KB

MD5
2854ba232e3a9bd85ebbc306b5fdbb93

SHA1
62f6c8eb5dc94e0a13ca36f880927bfbae826d8a

SHA256
995feb5aabca4e0a431003d2cf0989aafe34afaec0a42c7305d610512c9dc3b5

SHA512
ed9207b247462ef4325fed7a0f2c17263ace7117eea2b40c1ff9a966a4b2c7dcfc8f84d80e81e69e4758f9e0ff9f3f85a4085caa8633d4ad86406896e314073a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2hlhuv3d.zgl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwlohd.exe

Filesize
105KB

MD5
0e542ed3683f4c20ffcd2cc711ef0bdf

SHA1
59f11e58264895cf4d4e7df765bd9fc64dc4a606

SHA256
397aa2bdcc81f8e29a1a6c0774263031c9757141990ceb2e059135cdd8f955fe

SHA512
a4ea307ef3053882bc059b93c29930d75421178b6539049cbcdce790cfdb4bbbc6d8a786243d079a2bb3e2c696465021d76a02b9ca44580e07aa7cd34bdeacf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwlohdSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jrynvz.exe

Filesize
1.7MB

MD5
6e628c5531010f1053fff090a7699659

SHA1
237e5b8870092dd0e9a3b0fb76da93fcfce56516

SHA256
52d65a486dd027d9d6e3ca10ea808815ff0fda4e5032695333b7c2d5a5f95e41

SHA512
53eb023d70038b2820a6c0ed0a453307f90b22279e521fa8af3b6ef240ce022300a1d05794bf02d52f472c5adeb87c814373c5e29b3f13102c0128af06d5f0e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mdkqwc.exe

Filesize
10.0MB

MD5
be9b8e7c29977c01f3122f1e5082f45d

SHA1
c53a253ac33ab33e94f3ad5e5200645b6391b779

SHA256
cb6384b855d46fe5678bb3d5d1fc77c800884f8345cb490e1aa71646e872d3ae

SHA512
91514128a7a488581372881a556b081ad920086fd43da84188033f0bd48f294199192b753ec691c2cb79072420b346f767d9cfb4ef2d119ca1e345d65df8dc34

Download Submit
C:\Users\Admin\AppData\Local\Temp\rckdvy.exe

Filesize
69KB

MD5
57aefeb4dc6a62340c9cd1ee49d043d1

SHA1
e769b03d88cc128982f5394c28f6ba31cac957b7

SHA256
6f396703789bb1d26f98023d79f1a634dadc1cd5c2f3c096a42119e022381edd

SHA512
db2a5c757f9d90da18a48cd6fdec120439b1e3ae9552c76d433da890c68cb9ff65f9c35da5f97a4e9bfbda1feb214895e7121fe63dd4318149a6aedf348c2e89

Download Submit
\??\c:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
22e796539d05c5390c21787da1fb4c2b

SHA1
55320ebdedd3069b2aaf1a258462600d9ef53a58

SHA256
7c6c09f48f03421430d707d27632810414e5e2bf2eecd5eb675fecf8b45a9a92

SHA512
d9cc0cb22df56db72a71504bb3ebc36697e0a7a1d2869e0e0ab61349bda603298fe6c667737b79bf2235314fb49b883ba4c5f137d002e273e79391038ecf9c09

Download Submit
\??\c:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
30e02b803a8a3a143eea476d7ab245a1

SHA1
d3bf1f568172e8125effe5b29bb57a8f9483fbb7

SHA256
b70c5f6cb630103fa7a96bdde12ab6a2fd0ff0fd026b61dc1123e46f9fdc44c4

SHA512
2a1dcf83e601c0b6969898767d2f85689f9e483922658f6e4a09f993cda75106f46a8e3a0cdd787710a203c162b4b508f84bd05585b3d18377c9491eb08e0dee

Download Submit
memory/1144-2-0x00007FFE2C6F0000-0x00007FFE2D1B2000-memory.dmp

Filesize
10.8MB

Download
memory/1144-58-0x000000001AE20000-0x000000001AE29000-memory.dmp

Filesize
36KB

Download
memory/1144-60-0x000000001AE60000-0x000000001AE7E000-memory.dmp

Filesize
120KB

Download
memory/1144-0-0x00007FFE2C6F3000-0x00007FFE2C6F5000-memory.dmp

Filesize
8KB

Download
memory/1144-61-0x000000001AE80000-0x000000001AE8B000-memory.dmp

Filesize
44KB

Download
memory/1144-24-0x000000001C5E0000-0x000000001C690000-memory.dmp

Filesize
704KB

Download
memory/1144-25-0x000000001EC60000-0x000000001F188000-memory.dmp

Filesize
5.2MB

Download
memory/1144-87-0x000000001ADD0000-0x000000001AE16000-memory.dmp

Filesize
280KB

Download
memory/1144-5-0x00000000011A0000-0x00000000011AC000-memory.dmp

Filesize
48KB

Download
memory/1144-4-0x00007FFE2C6F0000-0x00007FFE2D1B2000-memory.dmp

Filesize
10.8MB

Download
memory/1144-3-0x00007FFE2C6F3000-0x00007FFE2C6F5000-memory.dmp

Filesize
8KB

Download
memory/1144-31-0x00000000011C0000-0x00000000011CE000-memory.dmp

Filesize
56KB

Download
memory/1144-1-0x0000000000770000-0x00000000007A0000-memory.dmp

Filesize
192KB

Download
memory/1144-40-0x000000001C690000-0x000000001C6B2000-memory.dmp

Filesize
136KB

Download
memory/1144-55-0x000000001D2F0000-0x000000001D37E000-memory.dmp

Filesize
568KB

Download
memory/1144-42-0x00000000011B0000-0x00000000011C0000-memory.dmp

Filesize
64KB

Download
memory/1144-57-0x000000001ADD0000-0x000000001AE16000-memory.dmp

Filesize
280KB

Download
memory/1144-54-0x00000000011B0000-0x00000000011C0000-memory.dmp

Filesize
64KB

Download
memory/1144-41-0x00000000011B0000-0x00000000011C0000-memory.dmp

Filesize
64KB

Download
memory/1144-56-0x000000001CB30000-0x000000001CBBE000-memory.dmp

Filesize
568KB

Download
memory/1144-59-0x000000001AE50000-0x000000001AE5D000-memory.dmp

Filesize
52KB

Download
memory/1572-18-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1572-19-0x0000000002140000-0x000000000214F000-memory.dmp

Filesize
60KB

Download
memory/1572-20-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3000-228-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/3644-128-0x00000214EAAA0000-0x00000214EB49C000-memory.dmp

Filesize
10.0MB

Download
memory/6128-22-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/6128-74-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/6128-80-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/6128-86-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/6128-68-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/6128-92-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/6128-98-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/6128-104-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/6128-110-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/6128-62-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/6128-53-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/6128-30-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/6128-28-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/6128-27-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/6128-26-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/6128-23-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/6128-13-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads