Analysis

- max time kernel: 150s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20250314-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/03/2025, 14:42
Behavioral task: behavioral1
- Sample: Binaries.rar
- Resource: win7-20240729-en

Behavioral task: behavioral2
- Sample: Binaries.rar
- Resource: win10v2004-20250314-en
General

- Target: Binaries.rar
- Size: 1019KB
- MD5: 9f0a1e5448e276fd9a1868b08261b258
- SHA1: bd0e596a0dacba429edc5d06ca23df7a6136682e
- SHA256: 5d112a86cfba7fc6a1a176b08fb203eb98d103ba95f9edf6adb72c70558f0c96
- SHA512: 3a81021e2bff42b1e861d791c9f9089853b5d8e44a8b12aa3f2018a6eba55ee3de3f744c75e2021f6570f7712b1dc1589ff1aa52a4804f02f2111dc3de0a2d52
- SSDEEP: 24576:uc7mwB4VdnJuGYlLS1GmezoXZUnfG4vLjcl7FpOR5wG24q+h:cU4TeVqaoXO+4vv+fORR24q2
Malware Config

Extracted: xworm
- 5.0
- multi-referral.gl.at.ply.gg:43504
- L9qlmFNDu8drSdGe
- Install_directory: %Userprofile%
- install_file: SecurityHealthSystray.exe
- telegram: https://api.telegram.org/bot7999164804:AAFnlMmOEm_tg1MgP0Rjs4-EAp9cjIouFj4/sendMessage?chat_id=5462166893

Extracted: metasploit
- windows/shell_reverse_tcp
- 147.185.221.26:43504
Signatures

- Detect Xworm Payload (1 IoC)
  - resource: behavioral2/files/0x000700000002422d-55.dat; yara_rule: family_xworm
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Metasploit family
- Xworm family
- Checks computer location settings (2 TTPs, 4 IoCs)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation (RuntimeBroker.exe)
- Drops startup file (2 IoCs)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.exe (RuntimeBroker.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.exe (RuntimeBroker.exe)
- Executes dropped EXE (8 IoCs)
  - PID 5456 PROLoader.exe
  - PID 1760 RuntimeBroker.exe
  - PID 1048 RuntimeBroker.exe
  - PID 3220 RuntimeBroker.exe
  - PID 748 RuntimeBroker.exe
  - PID 1684 RuntimeBroker.exe
  - PID 1764 RuntimeBroker.exe
  - PID 3132 RuntimeBroker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 (taskmgr.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
- Modifies registry class (64 IoCs)
- Opens file in notepad (likely ransom note) (2 IoCs)
  - PID 1676 NOTEPAD.EXE
  - PID 5308 NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - PID 1760 RuntimeBroker.exe
  - PID 956 taskmgr.exe
  - PID 1048 RuntimeBroker.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  - PID 1928 7zFM.exe
  - PID 5456 PROLoader.exe
- Suspicious use of AdjustPrivilegeToken (11 IoCs)
  - Token: SeRestorePrivilege, PID 1928 7zFM.exe
  - Token: 35, PID 1928 7zFM.exe
  - Token: SeSecurityPrivilege, PID 1928 7zFM.exe
  - Token: SeDebugPrivilege, PID 1760 RuntimeBroker.exe
  - Token: SeDebugPrivilege, PID 956 taskmgr.exe
  - Token: SeSystemProfilePrivilege, PID 956 taskmgr.exe
  - Token: SeCreateGlobalPrivilege, PID 956 taskmgr.exe
  - Token: SeDebugPrivilege, PID 1048 RuntimeBroker.exe
  - Token: SeDebugPrivilege, PID 3220 RuntimeBroker.exe
  - Token: SeDebugPrivilege, PID 748 RuntimeBroker.exe
  - Token: SeDebugPrivilege, PID 1684 RuntimeBroker.exe
- Suspicious use of FindShellTrayWindow (60 IoCs)
  - PID 1928 7zFM.exe
  - PID 956 taskmgr.exe
  - PID 1676 NOTEPAD.EXE
- Suspicious use of SendNotifyMessage (56 IoCs)
  - PID 956 taskmgr.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  - PID 5456 PROLoader.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  - PID 5456 wrote to memory of 1208 (PROLoader.exe, procid_target 113)
  - PID 1208 wrote to memory of 6104 (csc.exe, procid_target 115)
  - PID 5456 wrote to memory of 5808 (PROLoader.exe, procid_target 116)
  - PID 5808 wrote to memory of 5752 (csc.exe, procid_target 118)
  - PID 1760 wrote to memory of 1588 (RuntimeBroker.exe, procid_target 121)
  - PID 1048 wrote to memory of 1420 (RuntimeBroker.exe, procid_target 129)
  - PID 3220 wrote to memory of 5512 (RuntimeBroker.exe, procid_target 133)
  - PID 748 wrote to memory of 2532 (RuntimeBroker.exe, procid_target 136)
  - PID 1684 wrote to memory of 1676 (RuntimeBroker.exe, procid_target 139)
Processes

- C:\Program Files\7-Zip\7zFM.exe (PID 1928)
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Binaries.rar"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Users\Admin\Desktop\PROLoader.exe (PID 5456)
  Command line: "C:\Users\Admin\Desktop\PROLoader.exe"
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 1208)
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rordxo0g\rordxo0g.cmdline"
      - Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 6104)
          Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:AMD64 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E9A.tmp" "c:\Users\Admin\Desktop\CSC5E843DA9DD7F46698592564C34FF59C.TMP"
    - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 5808)
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xwcclnu2\xwcclnu2.cmdline"
      - Suspicious use of WriteProcessMemory
        - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 5752)
          Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:AMD64 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4159.tmp" "c:\Users\Admin\Desktop\CSC27E1C2C73C33418AA6821B2AF571C85.TMP"

- C:\Windows\System32\rundll32.exe (PID 956)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- C:\Users\Admin\Desktop\RuntimeBroker.exe (PID 1760)
  Command line: "C:\Users\Admin\Desktop\RuntimeBroker.exe"
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    - C:\windows\system32\notepad.exe (PID 1588)
      Command line: "C:\windows\system32\notepad.exe"

- C:\Windows\system32\taskmgr.exe (PID 956)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

- C:\Users\Admin\Desktop\RuntimeBroker.exe (PID 1048)
  Command line: "C:\Users\Admin\Desktop\RuntimeBroker.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    - C:\windows\system32\notepad.exe (PID 1420)
      Command line: "C:\windows\system32\notepad.exe"

- C:\Users\Admin\Desktop\RuntimeBroker.exe (PID 3220)
  Command line: "C:\Users\Admin\Desktop\RuntimeBroker.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    - C:\windows\system32\notepad.exe (PID 5512)
      Command line: "C:\windows\system32\notepad.exe"

- C:\Users\Admin\Desktop\RuntimeBroker.exe (PID 748)
  Command line: "C:\Users\Admin\Desktop\RuntimeBroker.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    - C:\windows\system32\notepad.exe (PID 2532)
      Command line: "C:\windows\system32\notepad.exe"

- C:\Windows\system32\NOTEPAD.EXE (PID 1676)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ResumeTrace.txt
  - Opens file in notepad (likely ransom note)
  - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\NOTEPAD.EXE (PID 5308)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ResumeTrace.txt
  - Opens file in notepad (likely ransom note)

- C:\Users\Admin\Desktop\RuntimeBroker.exe (PID 1684)
  Command line: "C:\Users\Admin\Desktop\RuntimeBroker.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

- C:\Users\Admin\Desktop\RuntimeBroker.exe (PID 1764)
  Command line: "C:\Users\Admin\Desktop\RuntimeBroker.exe"
  - Executes dropped EXE

- C:\Users\Admin\Desktop\RuntimeBroker.exe (PID 3132)
  Command line: "C:\Users\Admin\Desktop\RuntimeBroker.exe"
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads