Analysis
max time kernel: 150s
max time network: 128s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 28/03/2025, 14:17
Static task: static1
Behavioral task: behavioral1
  Sample: loader.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: loader.exe
  Resource: win10v2004-20250314-en
General
Target: loader.exe
Size: 363KB
MD5: 1b0b97cb1346c496b8368b3e9622d8fd
SHA1: ebe3c3f59f26d341933317dec9ed00b041c90d04
SHA256: 32ea7d3ceea4b73b2a98ef55aebc41581fdfad995fe9d9cc2411dedc1806f28a
SHA512: 05a4933ed5c5f965058c03ff00828e7bafc71966804955d7962bc6cb8ebab96a1c8f435b9157da3c2a8aa8549b0807d902820831a7ca1108f6491fa6919fe22e
SSDEEP: 6144:a5kgvH9LLVEbIALguKV5BwUnZqazMhD9RLJt88sndcP8pPyDvUGOksWb:s9Lh9qKLBwiZlzMB9xgndcP88DvvP
Malware Config
Extracted
Family: xworm
C2:
  147.185.221.26:23644
  0x5a40AdB1249013E0Fb71E2Dd45966Fd34Eb41701:0
Install_directory: %ProgramData%
install_file: USB.exe
telegram: https://api.telegram.org/bot8106118960:AAFOA408eK_QvHY0jWRZumDGc9wtr3DB5r8/sendMessage?chat_id=6229207397
Signatures

Detect Xworm Payload 1 IoCs
resource | yara_rule
behavioral1/memory/436-344-0x0000000000400000-0x0000000000414000-memory.dmp | family_xworm

Modifies security service 2 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP | svchost.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection | svchost.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 2420 created 420 | 2420 | cp0krljx.wcq.exe | 5

Xworm family
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Executes dropped EXE 1 IoCs
pid | Process
2420 | cp0krljx.wcq.exe

Loads dropped DLL 1 IoCs
pid | Process
3044 | loader.exe

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "C:\\Windows\\SysWOW64\\Anti Sware core service\\RuntimeBroker.exe" | powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to get system information.
pid | Process
1676 | powershell.exe
2092 | powershell.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | ip-api.com
Drops file in System32 directory 5 IoCs
description | ioc | Process
File created | C:\Windows\System32\Tasks\$77cp0krljx.wcq.exe | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\$77cp0krljx.wcq.exe | svchost.exe
File created | C:\Windows\SysWOW64\Anti Sware core service\RuntimeBroker.exe | cp0krljx.wcq.exe
File created | C:\Windows\System32\Tasks\Runtimebroker | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\Runtimebroker | svchost.exe

Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 2420 set thread context of 2824 | 2420 | cp0krljx.wcq.exe | 31
PID 2420 set thread context of 436 | 2420 | cp0krljx.wcq.exe | 44

Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\appcompat\programs\RecentFileCache.bcf | svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
Enumerates system info in registry 2 TTPs 1 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | wmiprvse.exe

Modifies Internet Explorer settings 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore | svchost.exe
Modifies registry class 5 IoCs
description | ioc | Process
Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2844 | SCHTASKS.exe
1940 | SCHTASKS.exe
2808 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (repeated rows collapsed with a count)
2420 | cp0krljx.wcq.exe
2824 | dllhost.exe (x62 in total; the single 1676 powershell.exe row below is interleaved among them)
1676 | powershell.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process (consecutive identical rows collapsed with a count, original order kept)
Token: SeDebugPrivilege | 2420 | cp0krljx.wcq.exe (x2)
Token: SeDebugPrivilege | 2824 | dllhost.exe
Token: SeAuditPrivilege | 848 | svchost.exe
Token: SeDebugPrivilege | 1676 | powershell.exe
Token: SeAuditPrivilege | 848 | svchost.exe
Token: SeDebugPrivilege | 2092 | powershell.exe
Token: SeAuditPrivilege | 848 | svchost.exe
Token: SeShutdownPrivilege | 1484 | explorer.exe
Token: SeAuditPrivilege | 328 | svchost.exe
Token: SeShutdownPrivilege | 1484 | explorer.exe (x9)
Token: SeAuditPrivilege | 848 | svchost.exe (x8)
Token: SeIncBasePriorityPrivilege | 848 | svchost.exe
Token: SeDebugPrivilege | 436 | RegAsm.exe
Token: SeAuditPrivilege | 848 | svchost.exe
Token: SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege | 848 | svchost.exe (this 12-token sequence appears twice in a row)
Token: SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege | 848 | svchost.exe (third pass of the same sequence, first 10 tokens only)
Suspicious use of FindShellTrayWindow 31 IoCs
pid | Process (consecutive identical rows collapsed with a count, original order kept)
1104 | taskhost.exe
1484 | explorer.exe (x3)
1104 | taskhost.exe
1484 | explorer.exe (x26)

Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
1484 | explorer.exe (x18)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (consecutive identical rows collapsed with a count, original order kept)
PID 3044 wrote to memory of 2420 | 3044 | loader.exe | 30 (x3)
PID 2420 wrote to memory of 2824 | 2420 | cp0krljx.wcq.exe | 31 (x12)
PID 2420 wrote to memory of 2844 | 2420 | cp0krljx.wcq.exe | 32 (x3)
PID 2824 wrote to memory of 420 | 2824 | dllhost.exe | 5
PID 2824 wrote to memory of 464 | 2824 | dllhost.exe | 6
PID 2824 wrote to memory of 480 | 2824 | dllhost.exe | 7
PID 2824 wrote to memory of 488 | 2824 | dllhost.exe | 8
PID 2824 wrote to memory of 600 | 2824 | dllhost.exe | 9
PID 2824 wrote to memory of 680 | 2824 | dllhost.exe | 10
PID 2420 wrote to memory of 1940 | 2420 | cp0krljx.wcq.exe | 34 (x3)
PID 2824 wrote to memory of 752 | 2824 | dllhost.exe | 11
PID 2824 wrote to memory of 816 | 2824 | dllhost.exe | 12
PID 2824 wrote to memory of 848 | 2824 | dllhost.exe | 13
PID 2824 wrote to memory of 996 | 2824 | dllhost.exe | 15
PID 2824 wrote to memory of 328 | 2824 | dllhost.exe | 16
PID 2824 wrote to memory of 888 | 2824 | dllhost.exe | 17
PID 2824 wrote to memory of 1084 | 2824 | dllhost.exe | 18
PID 2824 wrote to memory of 1104 | 2824 | dllhost.exe | 19
PID 2824 wrote to memory of 1176 | 2824 | dllhost.exe | 20
PID 2824 wrote to memory of 1200 | 2824 | dllhost.exe | 21
PID 2824 wrote to memory of 1292 | 2824 | dllhost.exe | 23
PID 2824 wrote to memory of 1196 | 2824 | dllhost.exe | 24
PID 2824 wrote to memory of 1632 | 2824 | dllhost.exe | 25
PID 2824 wrote to memory of 2868 | 2824 | dllhost.exe | 26
PID 2824 wrote to memory of 2504 | 2824 | dllhost.exe | 27
PID 2824 wrote to memory of 2420 | 2824 | dllhost.exe | 30
PID 2824 wrote to memory of 2844 | 2824 | dllhost.exe | 32
PID 2824 wrote to memory of 2884 | 2824 | dllhost.exe | 33
PID 2824 wrote to memory of 1940 | 2824 | dllhost.exe | 34
PID 2420 wrote to memory of 1676 | 2420 | cp0krljx.wcq.exe | 36 (x3)
PID 2824 wrote to memory of 2592 | 2824 | dllhost.exe | 35
PID 2824 wrote to memory of 1676 | 2824 | dllhost.exe | 36
PID 2824 wrote to memory of 1856 | 2824 | dllhost.exe | 37
PID 2420 wrote to memory of 2092 | 2420 | cp0krljx.wcq.exe | 38 (x3)
PID 2824 wrote to memory of 2092 | 2824 | dllhost.exe | 38
PID 2420 wrote to memory of 884 | 2420 | cp0krljx.wcq.exe | 40 (x3)
PID 2824 wrote to memory of 884 | 2824 | dllhost.exe | 40
PID 2824 wrote to memory of 2092 | 2824 | dllhost.exe | 38
PID 2824 wrote to memory of 2348 | 2824 | dllhost.exe | 39
PID 2824 wrote to memory of 884 | 2824 | dllhost.exe | 40
PID 2824 wrote to memory of 1924 | 2824 | dllhost.exe | 41
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(process tree; indentation shows parent/child depth, each entry gives the image path and the recorded command line)

[PID 420] C:\Windows\system32\winlogon.exe | cmd: winlogon.exe
  [PID 2824] C:\Windows\System32\dllhost.exe | cmd: C:\Windows\System32\dllhost.exe /Processid:{7c7d8b5c-65f0-4368-9d1e-f07a781965eb}
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [PID 1484] C:\Windows\explorer.exe | cmd: explorer.exe
    - Boot or Logon Autostart Execution: Active Setup
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[PID 464] C:\Windows\system32\services.exe | cmd: C:\Windows\system32\services.exe
  [PID 600] C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
    [PID 1196] C:\Windows\system32\wbem\wmiprvse.exe | cmd: C:\Windows\system32\wbem\wmiprvse.exe
    [PID 1632] C:\Windows\system32\DllHost.exe | cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    [PID 3008] C:\Windows\system32\DllHost.exe | cmd: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    [PID 1476] C:\Windows\system32\wbem\wmiprvse.exe | cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
      - Enumerates system info in registry
    [PID 2752] C:\Windows\system32\wbem\wmiprvse.exe | cmd: C:\Windows\system32\wbem\wmiprvse.exe -Embedding
  [PID 680] C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k RPCSS
  [PID 752] C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    - Modifies security service
    - Modifies Internet Explorer settings
  [PID 816] C:\Windows\System32\svchost.exe | cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    [PID 1176] C:\Windows\system32\Dwm.exe | cmd: "C:\Windows\system32\Dwm.exe"
  [PID 848] C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k netsvcs
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
  [PID 996] C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k LocalService
  [PID 328] C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k NetworkService
    - Suspicious use of AdjustPrivilegeToken
  [PID 888] C:\Windows\System32\spoolsv.exe | cmd: C:\Windows\System32\spoolsv.exe
  [PID 1084] C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  [PID 1104] C:\Windows\system32\taskhost.exe | cmd: "taskhost.exe"
    - Suspicious use of FindShellTrayWindow
  [PID 1292] C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | cmd: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  [PID 2868] C:\Windows\system32\svchost.exe | cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  [PID 2504] C:\Windows\system32\sppsvc.exe | cmd: C:\Windows\system32\sppsvc.exe
[PID 480] C:\Windows\system32\lsass.exe | cmd: C:\Windows\system32\lsass.exe
[PID 488] C:\Windows\system32\lsm.exe | cmd: C:\Windows\system32\lsm.exe
[PID 1200] C:\Windows\Explorer.EXE | cmd: C:\Windows\Explorer.EXE
  [PID 3044] C:\Users\Admin\AppData\Local\Temp\loader.exe | cmd: "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    [PID 2420] C:\Users\Admin\AppData\Roaming\cp0krljx.wcq.exe | cmd: "C:\Users\Admin\AppData\Roaming\cp0krljx.wcq.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      [PID 2844] C:\Windows\system32\SCHTASKS.exe | cmd: "SCHTASKS.exe" /create /tn "$77cp0krljx.wcq.exe" /tr "'C:\Users\Admin\AppData\Roaming\cp0krljx.wcq.exe'" /sc onlogon /rl HIGHEST
        - Scheduled Task/Job: Scheduled Task
      [PID 1940] C:\Windows\system32\SCHTASKS.exe | cmd: "SCHTASKS.exe" /create /tn "$77cp0krljx.wcq.exe" /tr "'C:\Users\Admin\AppData\Roaming\cp0krljx.wcq.exe'" /sc onlogon /rl HIGHEST
        - Scheduled Task/Job: Scheduled Task
      [PID 1676] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd: "powershell" (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      [PID 2092] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd: "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RuntimeBroker';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RuntimeBroker' -Value '"C:\Windows\SysWOW64\Anti Sware core service\RuntimeBroker.exe"' -PropertyType 'String'
        - Adds Run key to start application
        - Command and Scripting Interpreter: PowerShell
        - Suspicious use of AdjustPrivilegeToken
      [PID 884] C:\Windows\system32\cmd.exe | cmd: "cmd" /C schtasks /create /tn \Runtimebroker /tr "C:\Windows\SysWOW64\Anti Sware core service\RuntimeBroker.exe" /st 00:00 /du 9999:59 /sc once /ri 30 /rl HIGHEST /f
        [PID 2808] C:\Windows\system32\schtasks.exe | cmd: schtasks /create /tn \Runtimebroker /tr "C:\Windows\SysWOW64\Anti Sware core service\RuntimeBroker.exe" /st 00:00 /du 9999:59 /sc once /ri 30 /rl HIGHEST /f
          - Scheduled Task/Job: Scheduled Task
      [PID 2648] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | cmd: #by-unknown
      [PID 436] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | cmd: #by-unknown
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
[PID 2884] C:\Windows\system32\conhost.exe | cmd: \??\C:\Windows\system32\conhost.exe "-628374814-1885142022-1173245374-447002903-1560458221-1480133281-266915745-1682424739"
[PID 2592] C:\Windows\system32\conhost.exe | cmd: \??\C:\Windows\system32\conhost.exe "268508542-10629008156110775323808869476496380334704724551162125895-1900756359"
[PID 1856] C:\Windows\system32\conhost.exe | cmd: \??\C:\Windows\system32\conhost.exe "323901252934699259-520378760-372887146938166601547661526-1836066625-721265480"
[PID 2348] C:\Windows\system32\conhost.exe | cmd: \??\C:\Windows\system32\conhost.exe "2619795641584419425-809185659123435941667040390-613458703-16675206971236827244"
[PID 1924] C:\Windows\system32\conhost.exe | cmd: \??\C:\Windows\system32\conhost.exe "-578784363-1035339384251371700-114233623229419695-87807100562322085-1182633652"
Network
MITRE ATT&CK Enterprise v15
(tactic > technique (count) > sub-technique (count))

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 80c6ac8210fe2730f01c980ea33cffd3
  SHA1: 03d591dcb312f27159498b0bdfde37bbc5df36bf
  SHA256: b86324a7a37b3e8bd3ea02f444643755023fd7612338fc91b60e4ce41a8224f3
  SHA512: fa07a9f866f411c5e7180b2ec43e9650be369da84241b6e991324f230c933be37fac480945c7ee218b117d21a2c0828ab27438aed3f3683f0abd0c0d01f43d1a

(no filename recorded; the hashes match the submitted sample loader.exe listed under General)
  Filesize: 363KB
  MD5: 1b0b97cb1346c496b8368b3e9622d8fd
  SHA1: ebe3c3f59f26d341933317dec9ed00b041c90d04
  SHA256: 32ea7d3ceea4b73b2a98ef55aebc41581fdfad995fe9d9cc2411dedc1806f28a
  SHA512: 05a4933ed5c5f965058c03ff00828e7bafc71966804955d7962bc6cb8ebab96a1c8f435b9157da3c2a8aa8549b0807d902820831a7ca1108f6491fa6919fe22e