njrat | 9703bf9f3b22e8a8cd3b2797a2da5a48d326c9dde57dbe4481b6cbc634b81f04

Analysis

max time kernel
152s
max time network
124s
platform
windows10_x64
resource
win10-en-20210920
submitted
23-10-2021 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Twitter Crack.exe
Size

5.4MB
MD5

87e2016d2af2214bb8bd71b20adcecb4
SHA1

95e0c972f66ae2c0a6ffd41bf4aaeb24e6e567b1
SHA256

9703bf9f3b22e8a8cd3b2797a2da5a48d326c9dde57dbe4481b6cbc634b81f04
SHA512

b38ab45feaa97b689c11301e968c8b6087fa8513409fd0d517ff7d2d86ae9ca104e7d577c80cfb53fb87ddff684146326665385208674790220bcf5a19d6e81d

Score

10^/10

njrat white monkey evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

white monkey

127.0.0.1:1177

Mutex

56af94ecf1deb5aa0dab576ea890f3e9

Attributes

reg_key
56af94ecf1deb5aa0dab576ea890f3e9
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 4 IoCs

Processes:

snail.exesetup..exesetup_.exenordvpn.exe

pid process

3096 snail.exe
1280 setup..exe
1100 setup_.exe
2944 nordvpn.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
3096	snail.exe
1280	setup..exe
1100	setup_.exe
2944	nordvpn.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

nordvpn.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\56af94ecf1deb5aa0dab576ea890f3e9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\nordvpn.exe\" .."	nordvpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\56af94ecf1deb5aa0dab576ea890f3e9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\nordvpn.exe\" .."	nordvpn.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 api.ipify.org
20 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4084 1100 WerFault.exe setup_.exe
GoLang User-Agent 2 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 22 Go-http-client/1.1
HTTP User-Agent header 24 Go-http-client/1.1

flow	ioc
19	api.ipify.org
20	api.ipify.org

pid	pid_target	process	target process
4084	1100	WerFault.exe	setup_.exe

description	flow	ioc
HTTP User-Agent header	22	Go-http-client/1.1
HTTP User-Agent header	24	Go-http-client/1.1

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Twitter Crack.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Twitter Crack.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Twitter Crack.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Twitter Crack.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e0f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f6362000000010000002000000096bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c60b000000010000001a0000004900530052004700200052006f006f0074002000580031000000090000000100000016000000301406082b0601050507030206082b0601050507030114000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e1d000000010000001000000073b6876195f5d18e048510422aef04e3030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e81900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Twitter Crack.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da6030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e81d000000010000001000000073b6876195f5d18e048510422aef04e314000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e090000000100000016000000301406082b0601050507030206082b060105050703010b000000010000001a0000004900530052004700200052006f006f007400200058003100000062000000010000002000000096bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f630400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Twitter Crack.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Twitter Crack.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

Processes:

nordvpn.exe

pid	process
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe
2944	nordvpn.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nordvpn.exe

description pid process

Token: SeDebugPrivilege 2944 nordvpn.exe

description	pid	process
Token: SeDebugPrivilege	2944	nordvpn.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Twitter Crack.exesnail.exesetup..exenordvpn.exe

description	pid	process	target process
PID 3844 wrote to memory of 3096	3844	Twitter Crack.exe	snail.exe
PID 3844 wrote to memory of 3096	3844	Twitter Crack.exe	snail.exe
PID 3844 wrote to memory of 3096	3844	Twitter Crack.exe	snail.exe
PID 3096 wrote to memory of 1280	3096	snail.exe	setup..exe
PID 3096 wrote to memory of 1280	3096	snail.exe	setup..exe
PID 3096 wrote to memory of 1280	3096	snail.exe	setup..exe
PID 3096 wrote to memory of 1100	3096	snail.exe	setup_.exe
PID 3096 wrote to memory of 1100	3096	snail.exe	setup_.exe
PID 3096 wrote to memory of 1100	3096	snail.exe	setup_.exe
PID 1280 wrote to memory of 2944	1280	setup..exe	nordvpn.exe
PID 1280 wrote to memory of 2944	1280	setup..exe	nordvpn.exe
PID 1280 wrote to memory of 2944	1280	setup..exe	nordvpn.exe
PID 2944 wrote to memory of 688	2944	nordvpn.exe	netsh.exe
PID 2944 wrote to memory of 688	2944	nordvpn.exe	netsh.exe
PID 2944 wrote to memory of 688	2944	nordvpn.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\Twitter Crack.exe
"C:\Users\Admin\AppData\Local\Temp\Twitter Crack.exe"
1⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3844

C:\Users\Admin\AppData\Local\Temp\snail.exe
snail.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096

C:\Users\Admin\AppData\Local\Temp\setup..exe
"C:\Users\Admin\AppData\Local\Temp\setup..exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\nordvpn.exe
"C:\Users\Admin\AppData\Local\Temp\nordvpn.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\nordvpn.exe" "nordvpn.exe" ENABLE
5⤵
PID:688

C:\Users\Admin\AppData\Local\Temp\setup_.exe
"C:\Users\Admin\AppData\Local\Temp\setup_.exe"
3⤵
- Executes dropped EXE
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 804
4⤵
- Program crash
PID:4084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nordvpn.exe
MD5
4691c91f1abaccef0f5dfafc85942310

SHA1
3c9c8c03501988bb2bb964db3d60a77062ef92a1

SHA256
9e9ce667ebfdb6605bbcc4233309cae2c98abc46e2653be5b20c0f703dad7224

SHA512
a836fd3b649b3fe2e9987e3bd8f5f669020549fa78142b7377d5e56e030d36c59a2e6eb6a08e46e3b50da79981bd23fbb889502f3be087448c6f0db254b7b574

Download Submit
C:\Users\Admin\AppData\Local\Temp\nordvpn.exe
MD5
4691c91f1abaccef0f5dfafc85942310

SHA1
3c9c8c03501988bb2bb964db3d60a77062ef92a1

SHA256
9e9ce667ebfdb6605bbcc4233309cae2c98abc46e2653be5b20c0f703dad7224

SHA512
a836fd3b649b3fe2e9987e3bd8f5f669020549fa78142b7377d5e56e030d36c59a2e6eb6a08e46e3b50da79981bd23fbb889502f3be087448c6f0db254b7b574

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup..exe
MD5
4691c91f1abaccef0f5dfafc85942310

SHA1
3c9c8c03501988bb2bb964db3d60a77062ef92a1

SHA256
9e9ce667ebfdb6605bbcc4233309cae2c98abc46e2653be5b20c0f703dad7224

SHA512
a836fd3b649b3fe2e9987e3bd8f5f669020549fa78142b7377d5e56e030d36c59a2e6eb6a08e46e3b50da79981bd23fbb889502f3be087448c6f0db254b7b574

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup..exe
MD5
4691c91f1abaccef0f5dfafc85942310

SHA1
3c9c8c03501988bb2bb964db3d60a77062ef92a1

SHA256
9e9ce667ebfdb6605bbcc4233309cae2c98abc46e2653be5b20c0f703dad7224

SHA512
a836fd3b649b3fe2e9987e3bd8f5f669020549fa78142b7377d5e56e030d36c59a2e6eb6a08e46e3b50da79981bd23fbb889502f3be087448c6f0db254b7b574

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_.exe
MD5
1cd5240426985eb0e32e10606334c8ea

SHA1
f645cb1538ad0e8df89ac64210306e6862b108ed

SHA256
ab9818436dc89b24355524393bfdbe3878b6496d5660b91228cc6d1d9df181c0

SHA512
6e5577794646adf86815010c2fcd4b0b60a3edc4fab315c42eb0500e60a99da36d04036b43a69df55bb7702b833f2f92997c63a97bccca10263c5adc06c6a368

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_.exe
MD5
1cd5240426985eb0e32e10606334c8ea

SHA1
f645cb1538ad0e8df89ac64210306e6862b108ed

SHA256
ab9818436dc89b24355524393bfdbe3878b6496d5660b91228cc6d1d9df181c0

SHA512
6e5577794646adf86815010c2fcd4b0b60a3edc4fab315c42eb0500e60a99da36d04036b43a69df55bb7702b833f2f92997c63a97bccca10263c5adc06c6a368

Download Submit
C:\Users\Admin\AppData\Local\Temp\snail.exe
MD5
937c4ed05a3ecd221b5fed516392249c

SHA1
72f591422a654febc2dbf92922dc85e91da65fa7

SHA256
bc735af90ec655fb686eeb2e23ea089c744e441c40543a518875eeb9d58d9361

SHA512
14b9d81045b0dba1bfc776f727a2a96a851d89a9a5e7c9b8234771956b442ef70d86480962f4d2e78baa52f1c3cf2645a4030eccdb834a5872633882c5c4627b

Download Submit
C:\Users\Admin\AppData\Local\Temp\snail.exe
MD5
937c4ed05a3ecd221b5fed516392249c

SHA1
72f591422a654febc2dbf92922dc85e91da65fa7

SHA256
bc735af90ec655fb686eeb2e23ea089c744e441c40543a518875eeb9d58d9361

SHA512
14b9d81045b0dba1bfc776f727a2a96a851d89a9a5e7c9b8234771956b442ef70d86480962f4d2e78baa52f1c3cf2645a4030eccdb834a5872633882c5c4627b

Download Submit
memory/688-192-0x0000000000000000-mapping.dmp

Download
memory/1100-159-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-378-0x0000000077310000-0x0000000077311000-memory.dmp

Filesize
4KB

Download
memory/1100-127-0x00000000025EE000-0x00000000025EF000-memory.dmp

Filesize
4KB

Download
memory/1100-129-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-130-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-131-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-132-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-133-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-134-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-135-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-136-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-137-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-138-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-139-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-140-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-162-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-142-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-144-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-143-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-146-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-147-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-148-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-145-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-149-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-150-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-151-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-152-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-153-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-154-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-155-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-156-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-157-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-158-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-126-0x00000000025ED000-0x00000000025EE000-memory.dmp

Filesize
4KB

Download
memory/1100-160-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-161-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-141-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-128-0x00000000025EF000-0x00000000025F8000-memory.dmp

Filesize
36KB

Download
memory/1100-173-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-167-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-379-0x00000000776E0000-0x00000000776E1000-memory.dmp

Filesize
4KB

Download
memory/1100-164-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-169-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-166-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-165-0x0000000000400000-0x00000000008B6000-memory.dmp

Filesize
4.7MB

Download
memory/1100-170-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-171-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-172-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-174-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-163-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-176-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-175-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-177-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-178-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-180-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-179-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-181-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-182-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-376-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/1100-185-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-183-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-189-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-190-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-125-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-193-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-191-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-124-0x00000000024F1000-0x00000000025C3000-memory.dmp

Filesize
840KB

Download
memory/1100-186-0x00000000025C3000-0x00000000025E6000-memory.dmp

Filesize
140KB

Download
memory/1100-120-0x0000000000000000-mapping.dmp

Download
memory/1280-168-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/1280-118-0x0000000000000000-mapping.dmp

Download
memory/2944-231-0x00000000014A0000-0x00000000014A1000-memory.dmp

Filesize
4KB

Download
memory/2944-184-0x0000000000000000-mapping.dmp

Download
memory/2944-380-0x00000000014A3000-0x00000000014A5000-memory.dmp

Filesize
8KB

Download
memory/3096-115-0x0000000000000000-mapping.dmp

Download