Malware Analysis Report

2025-01-18 20:40

Sample ID 241210-ywjmvasjbn
Target Encoder Builder v2.4 (pass DIMA-XP).rar
SHA256 b5cd4b8c5c616fab5924452155581bc94e0fe0d67cf8286e300be3d985ca5ef6
Tags
xorist discovery ransomware upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

b5cd4b8c5c616fab5924452155581bc94e0fe0d67cf8286e300be3d985ca5ef6

Threat Level: Known bad

The file Encoder Builder v2.4 (pass DIMA-XP).rar was found to be: Known bad.

What the detonations below show, in order. The filename advertises the archive password (DIMA-XP). In the Windows 7 run (behavioral1) 7-Zip only opened the archive; nothing was extracted or executed, and the two signatures raised there belong to 7zFM.exe. In the Windows 10 run (behavioral2) the contents were extracted to the Desktop and Encoder_Builder_v2.4.exe was launched. During that run upx.exe was dropped into %TEMP%, the executable the builder generates was written to the Desktop and compressed in place with upx.exe -9, and that generated executable then ran six times (see Processes). The Xorist YARA matches and the UPX signature appear only in that second run. No network activity beyond reverse DNS lookups was recorded. Two entries in the summary below, SetWindowsHookEx and WriteProcessMemory, have no detail rows in either detonation.

Malicious Activity Summary

xorist discovery ransomware upx

Xorist family

Detected Xorist Ransomware

Xorist Ransomware

Executes dropped EXE

UPX packed file

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15. The rendered matrix is not included in this export; the techniques named by the signatures in this report are T1614.001 System Location Discovery: System Language Discovery (reads of HKLM\SYSTEM\ControlSet001\Control\NLS\Language, behavioral2) and T1027.002 Obfuscated Files or Information: Software Packing (UPX packed file; upx.exe -9 run against the builder's output, behavioral2).

Analysis: static1

Detonation Overview

Reported

2024-12-10 20:08

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-10 20:08

Reported

2024-12-10 20:10

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Encoder Builder v2.4 (pass DIMA-XP).rar"

Signatures

Suspicious use of AdjustPrivilegeToken

Both token adjustments belong to 7zFM.exe, the archive tool the sandbox used to open the sample, not to anything inside the archive; 7-Zip enables these privileges while extracting. "Token: 35" is a privilege LUID the sandbox did not resolve to a name: LUID 35 is SeCreateSymbolicLinkPrivilege.

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Encoder Builder v2.4 (pass DIMA-XP).rar"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-10 20:08

Reported

2024-12-10 20:10

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Encoder Builder v2.4 (pass DIMA-XP).rar"

Signatures

Detected Xorist Ransomware

Description Indicator Process Target
11 YARA matches; description, indicator, process and target are N/A for every match (the export carries no per-match detail)

Xorist Ransomware

ransomware xorist

Xorist family

xorist

UPX packed file

upx
Description Indicator Process Target
11 matches; description, indicator, process and target are N/A for every match (the export carries no per-match detail)
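The test behind a "UPX packed file" verdict, written out as an added example (not the sandbox's detector and not code from the sample): it walks the PE section table and reports the tells UPX leaves in a file, namely the UPX0/UPX1 section names, a first section with no bytes on disk but a large virtual size (the unpack destination), a high-entropy packed section, and the UPX! marker. Both PE images below are constructed in memory with those layouts; no bytes of the real sample are embedded and every section size is invented.

```python
"""Static UPX tells from a PE section table. Added example; the two PE images are
constructed here, not taken from the sample, and their section sizes are invented."""
import hashlib
import math
import struct
import sys

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def pe_sections(data):
    """Return the section table of a PE image as a list of dicts."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "virtual_address": vaddr, "raw_size": rsize, "raw_ptr": rptr})
    return sections


def entropy(buf):
    """Shannon entropy in bits per byte; compressed data sits close to 8.0."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)


def packer_indicators(data):
    sections = pe_sections(data)
    first = sections[0] if sections else None
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "section_names": [s["name"].decode("latin-1") for s in sections],
        "upx_section_names": any(s["name"] in UPX_SECTION_NAMES for s in sections),
        "upx_marker": b"UPX!" in data,
        # UPX0: zero bytes on disk, full virtual size reserved for the unpacked image
        "hollow_first_section": bool(first) and first["raw_size"] == 0 and first["virtual_size"] > 0,
        "high_entropy_sections": [
            s["name"].decode("latin-1") for s in sections
            if s["raw_size"] and entropy(data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]) > 7.0],
    }


def looks_upx_packed(data):
    ind = packer_indicators(data)
    return ind["upx_section_names"] or (ind["upx_marker"] and ind["hollow_first_section"])


def build_synthetic_pe(section_specs, stamp=b""):
    """Construct a minimal 32-bit PE with (name, virtual_size, raw_size) sections.
    UPX-named sections get hash-chain filler (flat byte distribution, entropy near 8);
    the rest get a repeating 64-byte pattern (entropy exactly 6.0)."""
    opt_size = 0xE0
    headers = 0x40 + 4 + 20 + opt_size + 40 * len(section_specs) + len(stamp)
    headers = (headers + 0x1FF) & ~0x1FF  # round up to a 0x200 file alignment
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, opt_size, 0x010F)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table, blobs, raw_ptr, vaddr = b"", b"", headers, 0x1000
    for name, vsize, rsize in section_specs:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize,
                             raw_ptr if rsize else 0, 0, 0, 0, 0, 0xE0000040)
        if name in UPX_SECTION_NAMES:
            blob, h = b"", name
            while len(blob) < rsize:
                h = hashlib.sha256(h).digest()
                blob += h
        else:
            blob = bytes(range(64)) * (rsize // 64 + 1)
        blobs += blob[:rsize]
        raw_ptr += rsize
        vaddr += (vsize + 0xFFF) & ~0xFFF
    return (dos + b"PE\0\0" + coff + opt + table + stamp).ljust(headers, b"\0") + blobs


# Constructed stand-ins: an unpacked build, and the layout UPX -9 leaves behind.
UNPACKED = build_synthetic_pe([(b".text", 0x8000, 0x8000), (b".rdata", 0x1000, 0x1000),
                               (b".data", 0x2000, 0x200)])
PACKED = build_synthetic_pe([(b"UPX0", 0xB000, 0), (b"UPX1", 0x3000, 0x3000),
                             (b".rsrc", 0x1000, 0x200)], stamp=b"UPX!")

if __name__ == "__main__":
    for path in sys.argv[1:]:  # run it on the two files the report lists at one path
        with open(path, "rb") as f:
            print(path, packer_indicators(f.read()))
```

Run it as `python upx_tells.py <file>` against the two files the report lists at the same Desktop path; the one written by upx.exe -9 should show the UPX0/UPX1 layout and a different SHA256. A matching section name is enough for a verdict on its own; the hollow-section and entropy checks are there for UPX builds and other packers that rename their sections.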

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Reading HKLM\SYSTEM\ControlSet001\Control\NLS\Language is a locale lookup common to many legitimate programs at start-up; the table shows it for the dropped upx.exe and for the OS's own DllHost.exe as well as for the builder and its output. It is the canonical artefact of this ATT&CK technique, but on its own it is weak evidence: it matters when the result gates execution (for example exiting on certain locales), and the report shows no sign that the result was used that way.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\upx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\nigger.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A

Modifies registry class

Every write in this table lands under HKCU\...\Local Settings\Software\Microsoft\Windows\Shell\BagMRU and \Bags, the ShellBag keys, and is made on the builder's behalf by the common Open/Save file dialog it displays: the ComDlgLegacy subkeys hold that dialog's view state (icon size, sort order, column layout), and the BagMRU values are shell item lists naming the folders it browsed; the two long hex values decode to the folder "Encoder Builder v2.4" (short name ENCODE~1.4). The two CLSID\...\Instance key creations are shell-namespace lookups that accompany the same dialog. None of this is persistence; it is Explorer state, useful mainly as forensic evidence that a file dialog was driven during the run.

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 14001f5425481e03947bc34db131e946b44c8dd50000 C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = ffffffff C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6 C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}\Mode = "6" C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 7400310000000000ff4aa0b31000454e434f44457e312e3400005a0009000400efbe8a590da18a590da12e000000993c02000000070000000000000000000000000000000000000045006e0063006f0064006500720020004200750069006c006400650072002000760032002e00340000001a000000 C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "5" C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}\IconSize = "48" C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}\FFlags = "1" C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\NodeSlot = "4" C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = ffffffff C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9} C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000090000000 C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupByKey:PID = "0" C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "6" C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}\FFlags = "1092616257" C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202 C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupByDirection = "1" C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 7400310000000000ff4aa2b31000454e434f44457e312e3400005a0009000400efbe8a590da18a590da12e0000009c3c02000000070000000000000000000000000000000000000045006e0063006f0064006500720020004200750069006c006400650072002000760032002e00340000001a000000 C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A

Suspicious use of AdjustPrivilegeToken

As in behavioral1, all three privileges are enabled by 7zFM.exe while it extracts the archive, not by the sample; LUID 35 is SeCreateSymbolicLinkPrivilege.

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

FindShellTrayWindow, like the GetForegroundWindow polling above, is what a windowed application does (the builder has a GUI); on its own it carries no weight. Identical rows are counted rather than repeated.

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A (2 rows)
N/A N/A C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe N/A (48 rows)

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Encoder Builder v2.4 (pass DIMA-XP).rar"

C:\Windows\System32\rundll32.exe (a Windows shell COM server started through SHCreateLocalServerRunDll, the pattern Explorer uses during file operations; not attributable to the sample from this listing)

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe

"C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe"

C:\Windows\SysWOW64\DllHost.exe (COM surrogate; {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} is the Thumbnail Cache class factory that Explorer typically starts when it renders a folder of new files, which is also why DllHost.exe appears in the NLS\Language table above)

C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Local\Temp\upx.exe (dropped into %TEMP% during the run and invoked at maximum compression with no -o, so UPX rewrites the target file in place; that is why the Files section lists the target path twice with different hashes)

"C:\Users\Admin\AppData\Local\Temp\upx.exe" -9 "C:\Users\Admin\Desktop\nigger.exe"

C:\Users\Admin\Desktop\nigger.exe

"C:\Users\Admin\Desktop\nigger.exe"

C:\Users\Admin\Desktop\nigger.exe

"C:\Users\Admin\Desktop\nigger.exe"

C:\Users\Admin\Desktop\nigger.exe

"C:\Users\Admin\Desktop\nigger.exe"

C:\Users\Admin\Desktop\nigger.exe

"C:\Users\Admin\Desktop\nigger.exe"

C:\Users\Admin\Desktop\nigger.exe

"C:\Users\Admin\Desktop\nigger.exe"

C:\Users\Admin\Desktop\nigger.exe

"C:\Users\Admin\Desktop\nigger.exe"
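The sandbox labels these steps separately (Executes dropped EXE, UPX packed file); a detection engineer wants them as one correlated alert. The following is an added example, not the sandbox's signature engine: it replays a process trace and raises "executes dropped EXE" when a process image was written earlier in the trace by a different process, flags a packer running from a user-writable path against a file it saw being written, and joins the two into a builder chain. The trace is constructed to mirror the process list above; parent PIDs, the FileCreate events and the name payload.exe (standing in for the Desktop file the builder produced) are assumptions, since the report exports no process tree.

```python
"""Correlate the process events of the Windows 10 run into one alert: a process
drops an executable and a packer, packs its own output, and that output runs.

Added example; this is not the sandbox's signature engine. The trace is constructed
to mirror the report's process list. Parent PIDs, the FileCreate events and the
name payload.exe (standing in for the Desktop file the builder produced) are
assumptions, because the report does not export a process tree."""
import re
from collections import defaultdict

USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\desktop\\", "\\downloads\\", "\\users\\public\\")
PACKERS = {"upx.exe"}
BUILDER = r"C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe"
PAYLOAD = r"C:\Users\Admin\Desktop\payload.exe"          # assumed stand-in name
UPX = r"C:\Users\Admin\AppData\Local\Temp\upx.exe"

EVENTS = [  # constructed trace; 't' orders the events
    {"t": 1, "type": "ProcessCreate", "pid": 1000, "ppid": 500, "image": r"C:\Program Files\7-Zip\7zFM.exe",
     "cmd": r'"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Encoder Builder v2.4 (pass DIMA-XP).rar"'},
    {"t": 2, "type": "FileCreate", "pid": 1000, "target": BUILDER},
    {"t": 3, "type": "ProcessCreate", "pid": 4692, "ppid": 1000, "image": BUILDER, "cmd": '"%s"' % BUILDER},
    {"t": 4, "type": "ProcessCreate", "pid": 2200, "ppid": 500, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"},
    {"t": 5, "type": "FileCreate", "pid": 4692, "target": UPX},
    {"t": 6, "type": "FileCreate", "pid": 4692, "target": PAYLOAD},
    {"t": 7, "type": "ProcessCreate", "pid": 5100, "ppid": 4692, "image": UPX, "cmd": '"%s" -9 "%s"' % (UPX, PAYLOAD)},
    {"t": 8, "type": "ProcessCreate", "pid": 2008, "ppid": 4692, "image": PAYLOAD, "cmd": '"%s"' % PAYLOAD},
]


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def analyze(events):
    """Replay the trace in order and return three findings: processes whose image
    was dropped earlier ('Executes dropped EXE'), packer runs, and the joined chain."""
    created_by = {}                      # lowercased path -> pid of its first writer
    dropped_exec = defaultdict(set)      # writer pid -> pids that ran a file it wrote
    dropped_packer = defaultdict(set)    # writer pid -> pids that ran a packer it wrote
    findings = {"executes_dropped_exe": [], "packer_run": [], "builder_chain": []}
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "FileCreate":
            created_by.setdefault(ev["target"].lower(), ev["pid"])
            continue
        if ev["type"] != "ProcessCreate":
            continue
        image = ev["image"].lower()
        writer = created_by.get(image)
        if writer is not None and writer != ev["pid"]:
            findings["executes_dropped_exe"].append(
                {"pid": ev["pid"], "image": ev["image"], "dropped_by": writer})
            dropped_exec[writer].add(ev["pid"])
        if image.rsplit("\\", 1)[-1] in PACKERS and in_user_writable(image):
            # quoted arguments that name a file this trace saw being written
            args = re.findall(r'"([^"]+)"', ev["cmd"])[1:]
            packs = [a for a in args if a.lower() in created_by]
            findings["packer_run"].append({"pid": ev["pid"], "parent": ev["ppid"], "packs": packs})
            if writer is not None:
                dropped_packer[writer].add(ev["pid"])
    for dropper, packer_pids in dropped_packer.items():
        payload_pids = dropped_exec[dropper] - packer_pids
        if payload_pids:
            findings["builder_chain"].append({"dropper": dropper, "packer_pids": sorted(packer_pids),
                                              "payload_pids": sorted(payload_pids)})
    return findings


if __name__ == "__main__":
    for name, hits in analyze(EVENTS).items():
        print(name, hits)
```

The first finding fires twice in a benign-looking way before the chain does (7zFM.exe wrote the builder, the builder wrote upx.exe), which is why the builder_chain join, one process dropping both a packer and the file the packer then processes and that file executing, is the alert worth paging on; the rundll32.exe helper in the trace produces nothing because nothing wrote its image.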

Network

All ten records are reverse (PTR) lookups sent to 8.8.8.8 for addresses in ranges used by Microsoft services and CDNs; no forward lookup of any hostname and no TCP or UDP connection to any of those addresses is recorded. That pattern fits Windows background traffic on the win10 image rather than the sample, and Xorist in particular needs no command-and-control: it encrypts offline with a key embedded in the stub. Read this section as evidence of the absence of sample-initiated network activity.

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

The 7zE0A2542C7 directory is 7-Zip's temporary extraction folder. ._.DS_Store is an AppleDouble sidecar that macOS writes alongside files it archives; it says where the archive was packaged and nothing about its behaviour. The Desktop executable produced by the builder is listed twice below with different hashes and different memory images: two distinct files occupied that path during the run, as expected when upx.exe -9 rewrites its target in place.

C:\Users\Admin\AppData\Local\Temp\7zE0A2542C7\Encoder Builder v2.4\Encoder Builder v2.4\bin\._.DS_Store

MD5 241ea797774c86197000ffd2fe2ed491
SHA1 2452430e8782abd83462c2a2a4ef2dbfbf2ca4e9
SHA256 37852a6bced076acaa2cb93a36e3e60e7a4558fa7bc485b886952deef0108a3d
SHA512 58b3f564a47151a0c4518406172e4ef409faad35c135078d692d9579281343c25b8a5aa4c35ae94ce7b6a229af9ea971a4d6effb54184a0a88d0762a4451aeb8

C:\Users\Admin\Desktop\Encoder Builder v2.4\Encoder Builder v2.4\bin\Encoder_Builder_v2.4.exe

MD5 4c824eb8598f175d41e9a2ea06129890
SHA1 64b57ea796956cbb60ce4fc702239cbc395aee6f
SHA256 7a57d83ae7fde49cfd57e7d2753570306a09c6082bc82f75c89d23fa650a0011
SHA512 122e509a3101a67d867f7a3653c8e5d2f838a04c7cb6a97af52e6b35ad709099a3b5940bca48be225ef0d8403537150f232f6137689180a6fd62affef5114845

memory/4692-84-0x00000000006E0000-0x00000000006E1000-memory.dmp

memory/4692-85-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/4692-86-0x00000000006E0000-0x00000000006E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\upx.exe

MD5 308f709a8f01371a6dd088a793e65a5f
SHA1 a07c073d807ab0119b090821ee29edaae481e530
SHA256 c0f9faffdf14ab2c853880457be19a237b10f8986755f184ecfe21670076cb35
SHA512 c107f1af768d533d02fb82ae2ed5c126c63b53b11a2e5a5bbf45e396cb7796ca4e7984ce969b487ad38d817f4d4366e7953fb555b279aa019ffb5d1bbba57e28

C:\Users\Admin\Desktop\nigger.exe

MD5 d94bfb49259b0dc224580099d88899e5
SHA1 33d595f97c39684562e9c3342d1477719e91678d
SHA256 cee0058819af4ced052cc25032682e1739574080196e4727b8b390591d634003
SHA512 a1be423b0a76696688ff0999b840e9bd80397506e0a921383c61f84e2dda9a2fc93d7745d7d9f304e7c440553dac4002141d47f27d7308746ca1948fcbc9c71f

memory/2008-98-0x0000000000400000-0x000000000057E000-memory.dmp

memory/2008-105-0x0000000000400000-0x000000000057E000-memory.dmp

C:\Users\Admin\Desktop\nigger.exe

MD5 c0359eff2544c2e59037b6bc57afb535
SHA1 39412f5c9e6fd624312441ccbd85a498aed9637c
SHA256 c955beab8021c516e967632d841aed7496c6bdaed70ddcaf65554dea48790a88
SHA512 76c279bf4fab8918207162950b684be6fff293b364bca0884184f9a4663b747d2fdc84052812056ed3d07fe32a313f25b8ce39e00a9403e7d7e3efca7fd97f68

memory/3628-107-0x0000000000400000-0x000000000040C000-memory.dmp

memory/3628-110-0x0000000000400000-0x000000000040C000-memory.dmp

memory/4692-111-0x0000000000400000-0x00000000004E2000-memory.dmp

memory/1692-113-0x0000000000400000-0x000000000040C000-memory.dmp

memory/3392-115-0x0000000000400000-0x000000000040C000-memory.dmp

memory/408-117-0x0000000000400000-0x000000000040C000-memory.dmp

memory/4492-119-0x0000000000400000-0x000000000040C000-memory.dmp

memory/824-121-0x0000000000400000-0x000000000040C000-memory.dmp

memory/4692-122-0x0000000000400000-0x00000000004E2000-memory.dmp