Analysis Overview
SHA256
b5cd4b8c5c616fab5924452155581bc94e0fe0d67cf8286e300be3d985ca5ef6
Threat Level: Known bad
The file Encoder Builder v2.4 (pass DIMA-XP).rar was found to be: Known bad.
Malicious Activity Summary
Xorist family
Detected Xorist Ransomware
Xorist Ransomware
Executes dropped EXE
UPX packed file
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-10 20:08
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-10 20:08
Reported
2024-12-10 20:10
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Encoder Builder v2.4 (pass DIMA-XP).rar"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-10 20:08
Reported
2024-12-10 20:10
Platform
win10v2004-20241007-en
Max time kernel
141s
Max time network
145s
Command Line
Signatures
Detected Xorist Ransomware
Xorist Ransomware
Xorist family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\upx.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\nigger.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\nigger.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\nigger.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\nigger.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\nigger.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\nigger.exe | N/A |
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\upx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\nigger.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4692 wrote to memory of 2008 | N/A | C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe | C:\Users\Admin\AppData\Local\Temp\upx.exe |
| PID 4692 wrote to memory of 2008 | N/A | C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe | C:\Users\Admin\AppData\Local\Temp\upx.exe |
| PID 4692 wrote to memory of 2008 | N/A | C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe | C:\Users\Admin\AppData\Local\Temp\upx.exe |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Encoder Builder v2.4 (pass DIMA-XP).rar"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe
"C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Users\Admin\AppData\Local\Temp\upx.exe
"C:\Users\Admin\AppData\Local\Temp\upx.exe" -9 "C:\Users\Admin\Desktop\nigger.exe"
C:\Users\Admin\Desktop\nigger.exe
"C:\Users\Admin\Desktop\nigger.exe"
C:\Users\Admin\Desktop\nigger.exe
"C:\Users\Admin\Desktop\nigger.exe"
C:\Users\Admin\Desktop\nigger.exe
"C:\Users\Admin\Desktop\nigger.exe"
C:\Users\Admin\Desktop\nigger.exe
"C:\Users\Admin\Desktop\nigger.exe"
C:\Users\Admin\Desktop\nigger.exe
"C:\Users\Admin\Desktop\nigger.exe"
C:\Users\Admin\Desktop\nigger.exe
"C:\Users\Admin\Desktop\nigger.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\7zE0A2542C7\Encoder Builder v2.4\Encoder Builder v2.4\bin\._.DS_Store
| MD5 | 241ea797774c86197000ffd2fe2ed491 |
| SHA1 | 2452430e8782abd83462c2a2a4ef2dbfbf2ca4e9 |
| SHA256 | 37852a6bced076acaa2cb93a36e3e60e7a4558fa7bc485b886952deef0108a3d |
| SHA512 | 58b3f564a47151a0c4518406172e4ef409faad35c135078d692d9579281343c25b8a5aa4c35ae94ce7b6a229af9ea971a4d6effb54184a0a88d0762a4451aeb8 |
C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe
| MD5 | 4c824eb8598f175d41e9a2ea06129890 |
| SHA1 | 64b57ea796956cbb60ce4fc702239cbc395aee6f |
| SHA256 | 7a57d83ae7fde49cfd57e7d2753570306a09c6082bc82f75c89d23fa650a0011 |
| SHA512 | 122e509a3101a67d867f7a3653c8e5d2f838a04c7cb6a97af52e6b35ad709099a3b5940bca48be225ef0d8403537150f232f6137689180a6fd62affef5114845 |
memory/4692-84-0x00000000006E0000-0x00000000006E1000-memory.dmp
memory/4692-85-0x0000000000400000-0x00000000004E2000-memory.dmp
memory/4692-86-0x00000000006E0000-0x00000000006E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\upx.exe
| MD5 | 308f709a8f01371a6dd088a793e65a5f |
| SHA1 | a07c073d807ab0119b090821ee29edaae481e530 |
| SHA256 | c0f9faffdf14ab2c853880457be19a237b10f8986755f184ecfe21670076cb35 |
| SHA512 | c107f1af768d533d02fb82ae2ed5c126c63b53b11a2e5a5bbf45e396cb7796ca4e7984ce969b487ad38d817f4d4366e7953fb555b279aa019ffb5d1bbba57e28 |
C:\Users\Admin\Desktop\nigger.exe
| MD5 | d94bfb49259b0dc224580099d88899e5 |
| SHA1 | 33d595f97c39684562e9c3342d1477719e91678d |
| SHA256 | cee0058819af4ced052cc25032682e1739574080196e4727b8b390591d634003 |
| SHA512 | a1be423b0a76696688ff0999b840e9bd80397506e0a921383c61f84e2dda9a2fc93d7745d7d9f304e7c440553dac4002141d47f27d7308746ca1948fcbc9c71f |
memory/2008-98-0x0000000000400000-0x000000000057E000-memory.dmp
memory/2008-105-0x0000000000400000-0x000000000057E000-memory.dmp
C:\Users\Admin\Desktop\nigger.exe
| MD5 | c0359eff2544c2e59037b6bc57afb535 |
| SHA1 | 39412f5c9e6fd624312441ccbd85a498aed9637c |
| SHA256 | c955beab8021c516e967632d841aed7496c6bdaed70ddcaf65554dea48790a88 |
| SHA512 | 76c279bf4fab8918207162950b684be6fff293b364bca0884184f9a4663b747d2fdc84052812056ed3d07fe32a313f25b8ce39e00a9403e7d7e3efca7fd97f68 |