Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 24-08-2024 18:54
- Static task: static1
- Behavioral task: behavioral1
  - Sample: downloader11.exe
  - Resource: win7-20240705-en
General
- Target: downloader11.exe
- Size: 70.1MB
- MD5: 7e4b04a254d52d6745a5d614ad447636
- SHA1: 09972b7895437ba28485ed0be0fadc22d6b710b6
- SHA256: 769e75f011679a606c9a6afbb6380942d08389ace334bfa7399b44bfcbc7db19
- SHA512: e85d6e25cdbf6833de0586d477e0fe3741d5223e4f3be8ccc96984dc63eef045ccdf68aaae51c2ff2205da7f911008fbba7915d7553abb5ae92f9bc73c2cc2f8
- SSDEEP: 393216:lWxQN89qQk4adiJCuE2fUCdod+OvqKkZHzXhJ/KTe8uiBUtkc0k3qRsGg4GUo3N3:lWoI7zGP5ahWc3ImF
Malware Config
Extracted: xworm
- C2 (host:port): 83.38.19.195:1603
- Install_directory: %Temp%
- install_file: Runtime Broker.exe
Signatures

Detect Xworm Payload (15 IoCs)
Processes:
resource: yara_rule
- C:\Users\Public\OneDrive.exe: family_xworm
- C:\Users\Public\Runtime Broker.exe: family_xworm
- C:\Users\Public\WmiPrvSE.exe: family_xworm
- C:\Users\Public\svhost.exe: family_xworm
- C:\Users\Public\SecurityHealthSystray.exe: family_xworm
- behavioral1/memory/2568-51-0x0000000000970000-0x0000000000986000-memory.dmp: family_xworm
- behavioral1/memory/2720-38-0x00000000011E0000-0x000000000120C000-memory.dmp: family_xworm
- behavioral1/memory/2508-54-0x0000000000A00000-0x0000000000A44000-memory.dmp: family_xworm
- behavioral1/memory/2528-55-0x0000000000210000-0x0000000000234000-memory.dmp: family_xworm
- behavioral1/memory/2756-49-0x0000000000870000-0x0000000000886000-memory.dmp: family_xworm
- behavioral1/memory/3056-188-0x0000000001390000-0x00000000013A6000-memory.dmp: family_xworm
- behavioral1/memory/2348-191-0x0000000000230000-0x0000000000274000-memory.dmp: family_xworm
- behavioral1/memory/844-199-0x0000000001030000-0x0000000001074000-memory.dmp: family_xworm
- behavioral1/memory/1776-201-0x0000000000140000-0x0000000000156000-memory.dmp: family_xworm
- behavioral1/memory/1560-204-0x0000000000990000-0x00000000009A6000-memory.dmp: family_xworm
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
Processes:
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (notepad.exe)
Command and Scripting Interpreter: PowerShell (1 TTPs, 20 IoCs)
Runs PowerShell to modify Windows Defender settings by adding exclusions for file extensions, paths and processes. In this run every invocation is an Add-MpPreference call with either -ExclusionPath or -ExclusionProcess (see the process tree below).
Processes:
- powershell.exe PIDs: 1116, 1624, 1572, 2956, 2304, 1980, 2272, 1764, 1904, 3024, 2288, 2896, 1388, 2308, 2276, 448, 2416, 1464, 1524, 2512
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (notepad.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (notepad.exe)
Drops startup file (9 IoCs)
Processes:
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk (svhost.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk (OneDrive.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk (OneDrive.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk (svhost.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiPrvSE.lnk (WmiPrvSE.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk (SecurityHealthSystray.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk (SecurityHealthSystray.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk (Runtime Broker.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiPrvSE.lnk (WmiPrvSE.exe)
Executes dropped EXE (15 IoCs)
Processes (pid, process):
- 2344 notepad.exe
- 2720 OneDrive.exe
- 2756 Runtime Broker.exe
- 2568 svhost.exe
- 2528 WmiPrvSE.exe
- 2508 SecurityHealthSystray.exe
- 3056 svhost.exe
- 2348 SecurityHealthSystray.exe
- 2952 WmiPrvSE.exe
- 844 SecurityHealthSystray.exe
- 1776 svhost.exe
- 2836 WmiPrvSE.exe
- 1560 svhost.exe
- 1540 SecurityHealthSystray.exe
- 948 WmiPrvSE.exe
Loads dropped DLL (1 IoCs)
Processes (pid, process):
- 2344 notepad.exe
Obfuscated with Agile.Net obfuscator (2 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource: yara_rule
- C:\Users\Admin\AppData\Local\Temp\notepad.exe: agile_net
- behavioral1/memory/2344-7-0x0000000000D20000-0x00000000014D4000-memory.dmp: agile_net

Themida packer (4 IoCs)
Processes:
resource: yara_rule
- behavioral1/memory/2344-14-0x000007FEF2D40000-0x000007FEF38C4000-memory.dmp: themida
- C:\Users\Admin\AppData\Local\Temp\e6acf542-692a-4eeb-8143-80ce8cd764ce\AgileDotNetRT64.dll: themida
- behavioral1/memory/2344-16-0x000007FEF2D40000-0x000007FEF38C4000-memory.dmp: themida
- behavioral1/memory/2344-56-0x000007FEF2D40000-0x000007FEF38C4000-memory.dmp: themida
Adds Run key to start application (2 TTPs, 5 IoCs)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Users\\Public\\WmiPrvSE.exe" (WmiPrvSE.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\ProgramData\\SecurityHealthSystray.exe" (SecurityHealthSystray.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe" (svhost.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Runtime Broker.exe" (OneDrive.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\ProgramData\\Runtime Broker.exe" (Runtime Broker.exe)
Checks whether UAC is enabled (1 IoCs)
Processes:
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (notepad.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
Processes (pid, process):
- 2344 notepad.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task (1 TTPs, 5 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- schtasks.exe PIDs: 2940, 2420, 872, 576, 1756
Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes:
- powershell.exe PIDs: 1388, 2416, 1624, 2272, 1116, 3024, 2308, 1464, 1764, 1904, 1524, 1572, 2288, 2896, 2512, 2956, 2276, 2304, 1980, 448
Suspicious use of AdjustPrivilegeToken (39 IoCs)
Processes:
Token: SeDebugPrivilege, requested by (pid, process, in the order recorded): 2756 Runtime Broker.exe, 2720 OneDrive.exe, 2568 svhost.exe, 2528 WmiPrvSE.exe, 2508 SecurityHealthSystray.exe, 1388 powershell.exe, 2416 powershell.exe, 1624 powershell.exe, 2272 powershell.exe, 1116 powershell.exe, 3024 powershell.exe, 2308 powershell.exe, 1464 powershell.exe, 1764 powershell.exe, 1904 powershell.exe, 1524 powershell.exe, 1572 powershell.exe, 2288 powershell.exe, 2896 powershell.exe, 2512 powershell.exe, 2956 powershell.exe, 2276 powershell.exe, 2304 powershell.exe, 1980 powershell.exe, 448 powershell.exe, 2528 WmiPrvSE.exe, 2508 SecurityHealthSystray.exe, 2568 svhost.exe, 2720 OneDrive.exe, 2756 Runtime Broker.exe, 3056 svhost.exe, 2348 SecurityHealthSystray.exe, 2952 WmiPrvSE.exe, 1776 svhost.exe, 844 SecurityHealthSystray.exe, 2836 WmiPrvSE.exe, 1540 SecurityHealthSystray.exe, 1560 svhost.exe, 948 WmiPrvSE.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
The report records each parent-to-child write three times; the repeats are collapsed below with a count. The report stops at 64 entries, so the last relation has only one of its three records.
- PID 2868 downloader11.exe wrote to memory of 2124 cmd.exe (x3)
- PID 2868 downloader11.exe wrote to memory of 1976 cmd.exe (x3)
- PID 1976 cmd.exe wrote to memory of 2344 notepad.exe (x3)
- PID 2344 notepad.exe wrote to memory of 2720 OneDrive.exe (x3)
- PID 2344 notepad.exe wrote to memory of 2756 Runtime Broker.exe (x3)
- PID 2344 notepad.exe wrote to memory of 2568 svhost.exe (x3)
- PID 2344 notepad.exe wrote to memory of 2528 WmiPrvSE.exe (x3)
- PID 2344 notepad.exe wrote to memory of 2508 SecurityHealthSystray.exe (x3)
- PID 2868 downloader11.exe wrote to memory of 2376 cmd.exe (x3)
- PID 2756 Runtime Broker.exe wrote to memory of 1116 powershell.exe (x3)
- PID 2528 WmiPrvSE.exe wrote to memory of 1388 powershell.exe (x3)
- PID 2720 OneDrive.exe wrote to memory of 2416 powershell.exe (x3)
- PID 2508 SecurityHealthSystray.exe wrote to memory of 2272 powershell.exe (x3)
- PID 2568 svhost.exe wrote to memory of 1624 powershell.exe (x3)
- PID 2528 WmiPrvSE.exe wrote to memory of 1764 powershell.exe (x3)
- PID 2720 OneDrive.exe wrote to memory of 1904 powershell.exe (x3)
- PID 2508 SecurityHealthSystray.exe wrote to memory of 3024 powershell.exe (x3)
- PID 2756 Runtime Broker.exe wrote to memory of 2308 powershell.exe (x3)
- PID 2568 svhost.exe wrote to memory of 1464 powershell.exe (x3)
- PID 2508 SecurityHealthSystray.exe wrote to memory of 1524 powershell.exe (x3)
- PID 2568 svhost.exe wrote to memory of 1572 powershell.exe (x3)
- PID 2720 OneDrive.exe wrote to memory of 2288 powershell.exe (x1, list cut off here)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each entry gives the image path, the command line, the signatures that fired on that process and its PID; indentation and "[depth N]" follow the parent/child tree.

[depth 1] C:\Users\Admin\AppData\Local\Temp\downloader11.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\downloader11.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2868
  [depth 2] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\redline.exe""
    PID: 2124
  [depth 2] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""
    - Suspicious use of WriteProcessMemory
    PID: 1976
    [depth 3] C:\Users\Admin\AppData\Local\Temp\notepad.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\notepad.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory
      PID: 2344
      [depth 4] C:\Users\Public\OneDrive.exe
        Command line: "C:\Users\Public\OneDrive.exe"
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2720
        [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\OneDrive.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2416
        [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1904
        [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2288
        [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1980
        [depth 5] C:\Windows\System32\schtasks.exe
          Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
          - Scheduled Task/Job: Scheduled Task
          PID: 2420
      [depth 4] C:\Users\Public\Runtime Broker.exe
        Command line: "C:\Users\Public\Runtime Broker.exe"
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2756
        [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Runtime Broker.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1116
        [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2308
        [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Runtime Broker.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2512
        [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 448
        [depth 5] C:\Windows\System32\schtasks.exe
          Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\ProgramData\Runtime Broker.exe"
          - Scheduled Task/Job: Scheduled Task
          PID: 872
      [depth 4] C:\Users\Public\svhost.exe
        Command line: "C:\Users\Public\svhost.exe"
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2568
        [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\svhost.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1624
        [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1464
        [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1572
        [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2276
        [depth 5] C:\Windows\System32\schtasks.exe
          Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
          - Scheduled Task/Job: Scheduled Task
          PID: 2940
      [depth 4] C:\Users\Public\WmiPrvSE.exe
        Command line: "C:\Users\Public\WmiPrvSE.exe"
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2528
        [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\WmiPrvSE.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1388
        [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WmiPrvSE.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1764
        [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\WmiPrvSE.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2896
        [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WmiPrvSE.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2304
        [depth 5] C:\Windows\System32\schtasks.exe
          Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WmiPrvSE" /tr "C:\Users\Public\WmiPrvSE.exe"
          - Scheduled Task/Job: Scheduled Task
          PID: 576
      [depth 4] C:\Users\Public\SecurityHealthSystray.exe
        Command line: "C:\Users\Public\SecurityHealthSystray.exe"
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2508
        [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\SecurityHealthSystray.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2272
        [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3024
        [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\SecurityHealthSystray.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1524
        [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2956
        [depth 5] C:\Windows\System32\schtasks.exe
          Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\ProgramData\SecurityHealthSystray.exe"
          - Scheduled Task/Job: Scheduled Task
          PID: 1756
  [depth 2] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\redline.exe""
    PID: 2376

[depth 1] C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {43535C7F-18BB-4F13-AC2F-B699BDA212AA} S-1-5-21-3502430532-24693940-2469786940-1000:PSBQWFYT\Admin:Interactive:[1]
  PID: 1196
  [depth 2] C:\ProgramData\svhost.exe
    Command line: C:\ProgramData\svhost.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 3056
  [depth 2] C:\Users\Public\WmiPrvSE.exe
    Command line: C:\Users\Public\WmiPrvSE.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 2952
  [depth 2] C:\ProgramData\SecurityHealthSystray.exe
    Command line: C:\ProgramData\SecurityHealthSystray.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 2348
  [depth 2] C:\ProgramData\svhost.exe
    Command line: C:\ProgramData\svhost.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 1776
  [depth 2] C:\ProgramData\SecurityHealthSystray.exe
    Command line: C:\ProgramData\SecurityHealthSystray.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 844
  [depth 2] C:\Users\Public\WmiPrvSE.exe
    Command line: C:\Users\Public\WmiPrvSE.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 2836
  [depth 2] C:\ProgramData\svhost.exe
    Command line: C:\ProgramData\svhost.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 1560
  [depth 2] C:\Users\Public\WmiPrvSE.exe
    Command line: C:\Users\Public\WmiPrvSE.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 948
  [depth 2] C:\ProgramData\SecurityHealthSystray.exe
    Command line: C:\ProgramData\SecurityHealthSystray.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 1540
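The four behaviours that carry this chain (Add-MpPreference exclusions spawned by the dropped copies, schtasks /create with a one-minute cadence and /RL HIGHEST, HKU Run values pointing at C:\Users\Public and C:\ProgramData, and system-binary names running from those directories) translate directly into detection rules. The following is an added example, not code from the sandbox report or from the sample: a small Python rule set run over records constructed in the shape of Sysmon process-creation and registry-set events. PIDs, paths and command lines are copied from the process tree above; the two benign control records, the field names, the staging-directory list and the "two or more traits" threshold for the schtasks rule are assumptions.

```python
"""Detection logic for the persistence and defence-evasion chain shown in the process tree above.
Added example, not code from the sandbox report or from XWorm.  The events are constructed in the
shape of Sysmon process-creation (ID 1) and registry-set (ID 13) records; the field names and the
staging-directory list are assumptions."""
import re
from dataclasses import dataclass

# World-writable directories the sample stages its copies in (taken from the report).
STAGING_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "\\appdata\\local\\temp\\")
# File names the dropped copies borrow from legitimate Windows/Microsoft binaries.
LOOKALIKE_NAMES = {"wmiprvse.exe", "svhost.exe", "securityhealthsystray.exe", "runtime broker.exe", "onedrive.exe"}
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"

@dataclass(frozen=True)
class Event:
    """kind 'process' (Sysmon ID 1: image, command_line, parent) or 'registry' (ID 13: key, value)."""
    kind: str
    pid: int
    image: str
    command_line: str = ""
    parent: str = ""
    key: str = ""
    value: str = ""

@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str

def _in_staging_dir(path):
    return any(d in path.lower() for d in STAGING_DIRS)

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _opt(command_line, name):
    """Value of a schtasks-style /name option, quoted or bare; None when absent."""
    m = re.search(rf'/{name}\s+(?:"([^"]+)"|(\S+))', command_line, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None

def check_defender_exclusion(ev):
    """Add-MpPreference -Exclusion{Path,Process,Extension}: an AV blind spot being created."""
    if "add-mppreference" not in ev.command_line.lower():
        return []
    pat = r"-exclusion(path|process|extension)\s+(?:['\"]([^'\"]+)['\"]|(\S+))"
    return [Finding("defender_exclusion", ev.pid, f"{m.group(1).lower()}={m.group(2) or m.group(3)} (parent {ev.parent})")
            for m in re.finditer(pat, ev.command_line, re.IGNORECASE)]

def check_schtasks(ev):
    """schtasks /create combining a minute cadence, /RL HIGHEST and a staging-directory target."""
    cl = ev.command_line
    if not ev.image.lower().endswith("schtasks.exe") or not re.search(r"/create\b", cl, re.I):
        return []
    reasons = []
    modifier = int(_opt(cl, "mo") or 1)  # schtasks treats a missing /mo as 1
    if (_opt(cl, "sc") or "").lower() == "minute" and modifier <= 5:
        reasons.append(f"runs every {modifier} minute(s)")
    if (_opt(cl, "rl") or "").upper() == "HIGHEST":
        reasons.append("/RL HIGHEST")
    target = _opt(cl, "tr") or ""
    if _in_staging_dir(target):
        reasons.append(f"target in staging dir: {target}")
    # One trait alone is common in admin scripts; two or more is the pattern seen in this report.
    return [Finding("schtasks_persistence", ev.pid, "; ".join(reasons))] if len(reasons) >= 2 else []

def check_masquerade(ev):
    """A system-binary name executing from a user-writable staging directory."""
    if _basename(ev.image) in LOOKALIKE_NAMES and _in_staging_dir(ev.image):
        return [Finding("masquerading_from_staging_dir", ev.pid, ev.image)]
    return []

def check_run_key(ev):
    """A ...\\CurrentVersion\\Run value pointing into a staging directory."""
    if RUN_KEY in ev.key.lower() and _in_staging_dir(ev.value):
        return [Finding("run_key_to_staging_dir", ev.pid, f"{ev.key} = {ev.value}")]
    return []

def analyze(events):
    findings = []
    for ev in events:
        checks = (check_defender_exclusion, check_schtasks, check_masquerade) if ev.kind == "process" else (check_run_key,)
        for check in checks:
            findings.extend(check(ev))
    return findings

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\notepad.exe"
RUN = "HKU\\S-1-5-21-3502430532-24693940-2469786940-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"

# Constructed from the process tree above; PIDs, paths and command lines match the report.
MALICIOUS_EVENTS = [
    Event("process", 2720, r"C:\Users\Public\OneDrive.exe", r'"C:\Users\Public\OneDrive.exe"', DROPPER),
    Event("process", 2416, PS, f'"{PS}" ' + r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\OneDrive.exe'", r"C:\Users\Public\OneDrive.exe"),
    Event("process", 1904, PS, f'"{PS}" ' + r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'", r"C:\Users\Public\OneDrive.exe"),
    Event("process", 872, SCHTASKS, f'"{SCHTASKS}" ' + r'/create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\ProgramData\Runtime Broker.exe"', r"C:\Users\Public\Runtime Broker.exe"),
    Event("process", 2528, r"C:\Users\Public\WmiPrvSE.exe", r'"C:\Users\Public\WmiPrvSE.exe"', DROPPER),
    Event("registry", 2568, r"C:\Users\Public\svhost.exe", key=RUN + "svhost", value=r"C:\ProgramData\svhost.exe"),
]
# Constructed benign controls: the real WMI provider host and a routine daily backup task.
BENIGN_EVENTS = [
    Event("process", 900, r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\system32\wbem\wmiprvse.exe", r"C:\Windows\System32\svchost.exe"),
    Event("process", 901, SCHTASKS, f'"{SCHTASKS}" ' + r'/create /sc daily /st 02:00 /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"', r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for f in analyze(MALICIOUS_EVENTS + BENIGN_EVENTS):
        print(f"[{f.rule}] pid={f.pid}: {f.detail}")
```

Run stand-alone it prints one line per finding (six for the constructed malicious records, none for the benign controls). The schtasks rule deliberately requires two of its three traits so that an ordinary "run every minute" monitoring task or a lone /RL HIGHEST does not fire, but the Defender-exclusion rule fires on a single hit on purpose: any process outside an admin tooling allow-list calling Add-MpPreference is worth a ticket regardless of what else it does.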
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
- Filesize: 4.2MB
  MD5: 05b012457488a95a05d0541e0470d392
  SHA1: 74f541d6a8365508c794ef7b4ac7c297457f9ce3
  SHA256: 1f77a0749ac730500f203b8c4d072587923ac679e184a3859aeb855c2a2e7d8d
  SHA512: 6d6e7b838d4425d49ac8d3738135374ef5357f0677b07cecb7afbf5feddc1997bf6dce68d48787eff8a74c4728def8880c8f01842eda35b5815fb561fa401ae6
- Filesize: 7.7MB
  MD5: 5dc898e0f4a504cf08b3bf1121108cfd
  SHA1: ebccf6c07546640bcd6db32d99cf3e1a30a415c9
  SHA256: 14cd22fbf91e4e47cd635359460b65f57ebc39b68956db35b55090890b4a2dcf
  SHA512: a0ef35d1f21ef2703c27946a57830db25b6ad7f8d01d4439021887f82198d07a4f62417c99590deb29d0c9ea4028d84f72ee37955653f63f57dfe37c90b0db02
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: ecda1a56cb9995f8b105f10ab219f0da
  SHA1: f14408570e2d3076a2b7ab543e01609cb3a70068
  SHA256: aca3c0516a1e189177874b727ee285b7d796a5b0055cad57e73013aafae46f0e
  SHA512: 803998858414b43686041d357f109029df14e6f93b8d05f10caea4cd88f63a0071b33d452848e3e86ef9d3f049ae930c2d1bcea9b648377344ae0802aca8a5f0
- Filesize: 981B
  MD5: 773692c4d88cc2d3498d6e72dfb9e83f
  SHA1: 930c889933b19556c3ba9dcc31c0eac8d1dc45ea
  SHA256: 347edf31bdac8e3439de757b605285476808fa49a963828fe54508b13a2a3ca7
  SHA512: 0344fa4ee0a34b02ff9ec9dc1eb4b80665172fd5875f803ca38ccb709d48143afa412ac0c605371d2117e738677de6d5efbf74a6fa9a08fab05734e9926e3a58
- Filesize: 158KB
  MD5: f73513e6c124d9749dfd123151e6db5f
  SHA1: 4779c67fd22ca94d8e6493d2ff4926c420a6660d
  SHA256: 1b6126e0c126c7bf6c89a8930e0ae65d09bb8bb6f1a5561e8c7108120ebdd0e0
  SHA512: 7ffa503e5259c3273c64078ee0f7911e037f0a10629078d2ff269ae5db1eab528138c4d02dd06e0668521bc75a8e2a99e5df50002098be9f0dc47b87c0cae7b5
- Filesize: 61KB
  MD5: 91d837ae278e58ffae9b9cecb989127b
  SHA1: 5d95e758e763ac6390abd58e4e53238c6bb4c7a5
  SHA256: 348d4b3310a62ffa0313285c4e7903d8757b6aa904b8614443a6ac966b4c392a
  SHA512: b645023240e0cb4029058c235031fed22fed79b93db324c6c385eb02291b3fe1d053585e6372e0f0b96265ff432b8f574d4e0a8c99edfd22069e417375c3870f
- Filesize: 250KB
  MD5: ffe034d7354384175a0c41efe19cb7df
  SHA1: 9601ec9a836547f21b39acc43b48fa5258863551
  SHA256: b3a04200c5bdc579d24c279e04c31db6f623177b629ea1086cb64362417ac910
  SHA512: e782dece3f1b9fa572f0efb587fdbbee6657c8f089656626c27d1ad032854aabec09eb35e63c91b53f061a44b2a595832ad2d8e01760a7d1df6e09157b3daa92
- Filesize: 127KB
  MD5: 669b9254354d91b88d1e2ed0a819ad3a
  SHA1: aba685e5c4661bcf3b41b26ff7948c785b57a95e
  SHA256: 3e96447e464c59ec274c7cba90ec8e88814273fcdec782ed896949f476c592e4
  SHA512: e9b268d92737e999d8e5297f6eb4038962d7bc610285dc746dd9d01ebaa1b9789eada1e131ed345a06fb6b608a73c34e7cfebc4797a9f34bdd304f23457ae0a4
- Filesize: 63KB
  MD5: 407deed69dbb3dc1aa3e9fc1befdc54c
  SHA1: aa58d9656c172cdd23512dfaf14d202fb447ecf9
  SHA256: 3c226cbe5a0e25ca489394ce37951eabb65ae0a86151d16d145fb63df2933128
  SHA512: 45c6b2b9280e288517c8233cb2b90e49f214e354f6056cf7dd163e382c14b82508eaa6590166ffdcd265f2e3a3c612a25bd5166eafef825b896f53ede621b2da
- (no size given; these are the digests of empty input, i.e. a zero-byte file)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e