Analysis
max time kernel: 72s
max time network: 75s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-05-2024 20:25
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://send.vis.ee/download/985214744a54ded9/#WLxLohLkxDK_UeKq_Tcv2w
Resource: win10v2004-20240508-en
General
Target: https://send.vis.ee/download/985214744a54ded9/#WLxLohLkxDK_UeKq_Tcv2w
Malware Config
Extracted
Family: xworm
C2: 127.0.0.1:13576
C2: edition-eat.gl.at.ply.gg:13576
Install_directory: %AppData%
install_file: svchost.exe
Signatures
Detect Xworm Payload (2 IoCs)
Processes:
- resource C:\Users\Admin\AppData\Local\Temp\RunTime Broker.exe: yara_rule family_xworm
- resource behavioral1/memory/5076-247-0x00000000006F0000-0x0000000000706000-memory.dmp: yara_rule family_xworm
Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
- pid 4372 powershell.exe
- pid 5564 powershell.exe
- pid 4760 powershell.exe
- pid 5896 powershell.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes:
- Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation (customserialchanger.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation (RunTime Broker.exe)
Drops startup file (2 IoCs)
Processes:
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk (RunTime Broker.exe)
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk (RunTime Broker.exe)
Executes dropped EXE (4 IoCs)
Processes:
- pid 6096 customserialchanger.exe
- pid 2984 custom serial changer.exe
- pid 5076 RunTime Broker.exe
- pid 4072 svchost.exe
Loads dropped DLL (1 IoCs)
Processes:
- pid 2984 custom serial changer.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" (RunTime Broker.exe)
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 61: ip-api.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Modifies registry class (1 IoCs)
Processes:
- Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings (msedge.exe)
Suspicious behavior: EnumeratesProcesses (22 IoCs)
Processes:
- pid 1152 msedge.exe (2 entries)
- pid 3624 msedge.exe (2 entries)
- pid 3156 identity_helper.exe (2 entries)
- pid 5472 msedge.exe (2 entries)
- pid 2984 custom serial changer.exe (2 entries)
- pid 4372 powershell.exe (3 entries)
- pid 5564 powershell.exe (3 entries)
- pid 4760 powershell.exe (3 entries)
- pid 5896 powershell.exe (3 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Processes:
- pid 3624 msedge.exe (7 entries)
Suspicious use of AdjustPrivilegeToken (12 IoCs)
Processes:
- Token: SeRestorePrivilege, pid 5848 7zG.exe
- Token: 35, pid 5848 7zG.exe
- Token: SeSecurityPrivilege, pid 5848 7zG.exe
- Token: SeSecurityPrivilege, pid 5848 7zG.exe
- Token: SeDebugPrivilege, pid 6096 customserialchanger.exe
- Token: SeDebugPrivilege, pid 5076 RunTime Broker.exe
- Token: SeDebugPrivilege, pid 4372 powershell.exe
- Token: SeDebugPrivilege, pid 5564 powershell.exe
- Token: SeDebugPrivilege, pid 4760 powershell.exe
- Token: SeDebugPrivilege, pid 5896 powershell.exe
- Token: SeDebugPrivilege, pid 5076 RunTime Broker.exe
- Token: SeDebugPrivilege, pid 4072 svchost.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes:
- pid 3624 msedge.exe (64 entries)
Suspicious use of SendNotifyMessage (32 IoCs)
Processes:
- pid 3624 msedge.exe (32 entries)
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
- pid 2984 custom serial changer.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
- PID 3624 msedge.exe wrote to memory of 4036 msedge.exe (2 entries)
- PID 3624 msedge.exe wrote to memory of 3028 msedge.exe (40 entries)
- PID 3624 msedge.exe wrote to memory of 1152 msedge.exe (2 entries)
- PID 3624 msedge.exe wrote to memory of 2008 msedge.exe (20 entries)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3624)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://send.vis.ee/download/985214744a54ded9/#WLxLohLkxDK_UeKq_Tcv2w
  Signatures: Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4036)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef86946f8,0x7ffef8694708,0x7ffef8694718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3028)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,5029602097993724679,518083770145057986,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1152)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,5029602097993724679,518083770145057986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2008)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,5029602097993724679,518083770145057986,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1796)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5029602097993724679,518083770145057986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1672)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5029602097993724679,518083770145057986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4544)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,5029602097993724679,518083770145057986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3156)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,5029602097993724679,518083770145057986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2876)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,5029602097993724679,518083770145057986,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4816 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1692)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5029602097993724679,518083770145057986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2376)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5029602097993724679,518083770145057986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1996)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5029602097993724679,518083770145057986,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5192)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5029602097993724679,518083770145057986,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5200)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5029602097993724679,518083770145057986,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5472)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,5029602097993724679,518083770145057986,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe (PID 4776)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 1776)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\rundll32.exe (PID 5716)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Program Files\7-Zip\7zG.exe (PID 5848)
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap22880:100:7zEvent21556
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\Downloads\customserialchanger.exe (PID 6096)
  Command line: "C:\Users\Admin\Downloads\customserialchanger.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\custom serial changer.exe (PID 2984)
    Command line: "C:\Users\Admin\AppData\Local\Temp\custom serial changer.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\RunTime Broker.exe (PID 5076)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RunTime Broker.exe"
    Signatures: Checks computer location settings; Drops startup file; Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4372)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RunTime Broker.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5564)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RunTime Broker.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4760)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5896)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\schtasks.exe (PID 1820)
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
      Signatures: Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\svchost.exe (PID 4072)
  Command line: C:\Users\Admin\AppData\Roaming\svchost.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
- Filesize: 152B
  MD5: f61fa5143fe872d1d8f1e9f8dc6544f9
  SHA1: df44bab94d7388fb38c63085ec4db80cfc5eb009
  SHA256: 284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64
  SHA512: 971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6
- Filesize: 152B
  MD5: 87f7abeb82600e1e640b843ad50fe0a1
  SHA1: 045bbada3f23fc59941bf7d0210fb160cb78ae87
  SHA256: b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262
  SHA512: ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 96B
  MD5: 0f94cedfc8bb05d092a10ae97135794a
  SHA1: 22389d00e69e01c19b973a068c0b5d1c46e4c85c
  SHA256: ba50e54ee2d2fadc1bc8c6dd660f774832ebca1d623cfc702a798729827d53cf
  SHA512: 365a143b8b8918d692ea1fa22e77c53208f75dcaac5bb2ce597218c1e9731cbddc383c4a0af26c070debe8bca2bfe714bc497abf8c335d63b4c79a4f415761f5
- Filesize: 179B
  MD5: 2f62d710bbbbf43f0f72e33e002f81d2
  SHA1: e95168eb3be616f49b80e081bf464e62ea02889c
  SHA256: a4df0b26715faf756bf203c9bf3715ca6f847277dad8702582e8203d918b3d6d
  SHA512: 4e8d892a1d3c09ee7354137714eb663fd399252c21acef7ae549e1f1add779b39fe1192529d5bbc0d60536c51e8d6a3ba727afabed510f9045ee41676675196d
- Filesize: 5KB
  MD5: d8d9ccf83bf68685d207dd1453a49ea1
  SHA1: 02329e64ce697ee28aed2875de505f6d4b471eb1
  SHA256: 0820e7f7bb9d5b903dfb02932d2102a4c899aac6f40dd58017a99bc8631e465e
  SHA512: aeece88a99ccb33d426136d0881bb91810fb9ac97b491d6bb885d73c3264092641f115839624ebe7b2e347c0f17b07a6c9e9ee7fb2cdcb51d4c5f82ba1d18112
- Filesize: 7KB
  MD5: 56730feec25e446d2ac7b7670c25f9d6
  SHA1: 567bc42721447c51e710e6b03afd7b4f6df24777
  SHA256: 763c348f4ddf4699e34ac1cb3ee561315ee0f6ea2a28707d209e704d999e1b6d
  SHA512: 47833e5641cf7457492997999aaa8c3b888c3ed51ce78cd82f6965c5b010ce11d126831341683a9c001d9f03ed1da0296b2cb9f4fd34809e91b8619efc722d74
- Filesize: 7KB
  MD5: ecb7034c96883bb83bf3551f0fc95e33
  SHA1: 536536ed0869fe22e8ba66db91f0ecea1f4c0317
  SHA256: 3636a5ecf7ef43397365efefb8efe2fac843726d9bad39ee95564b0adb1960d5
  SHA512: e47630f154398261710edb5a0b8155acdfecb9be5d04a801de82a9fe65eeadf29a51fcc223860876a2cf6552a5d2280ba981fcbefe8f55cb49ad569425ad8d5b
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\2c166fe67d49e8cb801e349921289a516d8e7b5b\f8f6cb04-8bbe-4147-8bf2-53ac77ee022b\index-dir\the-real-index
  Filesize: 840B
  MD5: f2151659b8d54d3f1eb5541a7d068d2a
  SHA1: 7472f907024c8dd51a91bbc14362785b7ea396ea
  SHA256: f522b1c2687873371c85252cc40af673c59def07863b6a4cb880a19ce980163f
  SHA512: a54d2c21c01efcbb7b88da81a34b98e387348297e6653fb66d4ebfcdca75b3c483251ba7b9476b4823fd00dc60fd87909ed957dbf480dc0119f7e090dbb03c5c
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\2c166fe67d49e8cb801e349921289a516d8e7b5b\f8f6cb04-8bbe-4147-8bf2-53ac77ee022b\index-dir\the-real-index~RFe57bdf1.TMP
  Filesize: 48B
  MD5: 0f1724048a11818d3531b358ae14df14
  SHA1: 6f646d7914cc5f6ac834748c5ba6b9c1933c446e
  SHA256: 7d9f372af3fc7985b013a437add844d331ca2e4ec00bf97cd2eb59cca9135d52
  SHA512: 1c690a612bb76501239ca8d2904c6a613e25f77a121929bda0ed432292db021c303823ca9a74e2f2df51a065eae7e1e5956e2c83c4145a718586e0a9dc33f0ca
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\2c166fe67d49e8cb801e349921289a516d8e7b5b\index.txt
  Filesize: 83B
  MD5: be247b19a0b61b8bddc2d45ce903f9b4
  SHA1: b007789e9d8bc0e27b77820e9b3bd7acd86806e8
  SHA256: 56cd02d67bc1bc8cb0f3002a447cb511008f17d566dbc21a25e8b478a5c90317
  SHA512: 5e27972c0cee220f6c904d413932370dd3f39f93753953ca276349d2bf35e14c0f9655451d1ce5d23a3ea37e473ffc5fb8e5b247c463ca1f09e4ccee7b5aa584
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\2c166fe67d49e8cb801e349921289a516d8e7b5b\index.txt
  Filesize: 78B
  MD5: 90958c99371216dc21d21c54bcbaa3aa
  SHA1: bc5f8cf4cc8406cde3ffe8000902790fd2317a42
  SHA256: d7865a42a69f34cfc61d5bb01ef54c041ecc4f541532906a4591f4feb91366d9
  SHA512: 76cb49e03b71cc9440dfbb0e1fa0fcc1e96fd7ece0fbb2d500a61a5da9ec9e815cf29dfe45090adc7dba97fb52f1ff6da5cf95507930d487940d3144def14b68
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
  Filesize: 48B
  MD5: 9295d416bdc0cfb590bac7ff766e85a3
  SHA1: ceee278006f102084eee6fd24357587346d38029
  SHA256: e2b1ad90cbeb3a8776ab540f755944ef7f4fcbe3f2fe1e7265b8785d623f4b14
  SHA512: 430e5377771e95a7a8ec79d1d1aa0e827e9d6759a88fa0068a1fba781fcc9933cd07ea8af5823770454f278b78500ed5a74ae44ccc5fc8386f5e84f5c5353b67
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
  Filesize: 72B
  MD5: 03f06b50dff6c7f534533fc7060180f1
  SHA1: 2f14c0b48119e738c4b3f57f4ee9d57b20706c22
  SHA256: fac1fe97abc8eb37cd22dbc6a649317fc35bfe78eb64f8f00de66b971fcd50be
  SHA512: 95a6fb03bb16dfa4b9d925865c5fdb16784f7ce713a599fd8f15d25adc6cd0902ba2269c76ab48ad706b56b09335db24c396f4df0f8646b2ad911b2af2fcd1d6
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 11KB
  MD5: c0f4eafb566f4034e307356701b490e5
  SHA1: 4c55cb85ad96dbe78b2c7ae731e5a1cb06611e43
  SHA256: 7e0c120f9021af0d563e865ca1e4c80b418277145357b6183a291a28bd238a71
  SHA512: 67644dc9112dc0ddcf52de85597f787bedf796967c1b4dcda1f05463bc330128526ccb89eedaaa839f59e7ed4616343308011e1bc7ec977a3c96bbad327fd72e
- Filesize: 11KB
  MD5: c3ce04c31e4e3fdeeb943a917810074a
  SHA1: e0ed09a96a8487bce0715f87a9a7536fac5e3009
  SHA256: 8581b9796d4ca4de39196e66e9657457e164aa537efa7f48ce76120a1b945b01
  SHA512: 0b802d360912a688f9be2d0962f185cc25d7a38dd9f08b1143d47d099597ee8eaa4fa9b8d60f0b68cbaa5a7cb6c083b768a197e0a463cb89cbcc5307ee027b5e
- Filesize: 944B
  MD5: 6d42b6da621e8df5674e26b799c8e2aa
  SHA1: ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
  SHA256: 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
  SHA512: 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
- Filesize: 944B
  MD5: e5663972c1caaba7088048911c758bf3
  SHA1: 3462dea0f9c2c16a9c3afdaef8bbb1f753c1c198
  SHA256: 9f7f29a4696876cadca3f14d7e43f9ede0c97fd64be3f5d94bda49a91b6a419e
  SHA512: ff4e72c46cf083de62baa2ce2661555dd91b5f144294015f7b262fd4500cb67fe80e1871a82da63b607e3e9cef401f4b73c587bf1134637881ecad51aad1eddc
- Filesize: 944B
  MD5: ada3bbf645850fada48785399a44c2e9
  SHA1: 0421c13b7bb2120e078e18a9d4f5118743c1c8bd
  SHA256: cff75b20b3479f35242de2571318472607db1aa0a52db62c1c01a89bccb8491d
  SHA512: 6e0b2753850b1da38dddba4059a6ab2261a244e25bd078afc1bfb78743505dcc405caef08753134faa30bf9f4c8cd5d862405407aeb5c73ae7e86072da366c82
- Filesize: 62KB
  MD5: 3a52af24ef33fe6d33c1846d625dd1f0
  SHA1: 4ceb62cacb2c1c245010c45ad15153c25d55db0a
  SHA256: 7e3c9831a6c7006afe2e31ca2c28ee6c6fbaedcc37cc115704603749560de2e9
  SHA512: 9fe079a542386cbda611a1928e143d5fc82e2a8d90f8b9e93bbeb892ddcf0581b3bf6f791aead76f7581e1ce417379846aeb6cd0f783760b89d3ee7ef116b196
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 33.1MB
  MD5: c7c1764924b1a90284b75d7d6ea9871f
  SHA1: df943a55497d82a11020dc5a4432f3f9f9c2071e
  SHA256: 5e4f5a1a0c6b7adb18b87c3a0aa515cea1b015d9706322794457c7703baf1ec9
  SHA512: 10dcd8aee7fcbaa59fdd4b9110eded632221f7c61e220d8edd07a193f6396ff25beb23590f89a7ad2255e1ae09d45ad1cf052b215c851b1255685d1fe81b7ef2
- Filesize: 13.1MB
  MD5: 37874c2652e1228aeccd12300915e325
  SHA1: a4fb6ae69f1fef08ef9da650dba692af59c75a19
  SHA256: f16bf777e4ad72a2eb99e9ec9572c6f4473c239aa6de21c2c111f4ae4993fd07
  SHA512: 9a45763c624f340244bc63af40dea3ae155fc5e4b59de6564df8d3e2551fbb86c632fb1d62e229616080d230bf5af6a9a5c787fc1ec6204894f74146b476c327
- Filesize: 27.5MB
  MD5: 53961609c74ce7b2e4b4ace97f4ea412
  SHA1: d2fcce8cd47bdaddb5c44674553089c816a20e17
  SHA256: 2ad2dc2b95deedf57abc5ced4636834ca2a4631eb8879087b074ff8d758a18f0
  SHA512: c252f0123e1cb5214d60a48859de7641fcfcfddec0990e6178966d931446a70342cca0584558f521edd92b5593a9b3acc6022c1d4d77d0660b0bb5df27073309
- Filesize: 27.3MB
  MD5: 2622308c4f83c91334b744173451233d
  SHA1: 7ac839f820578aa0e564cea25c2362d8f79e8a6f
  SHA256: a8756b12e0366cd11cb5b60309d1e4f3f44ed289ac0aab23948e7a9f3534f03c
  SHA512: b50c7163beb1bb793893d3a22d9573aa9acf2d565ed79a07733f1a9f49d792e29676951046af9bd753e4d992c56e4c4e7b52e11437c0517e036a360412f3c8f3
- MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e