njrat | 566e2f01abcfcd6c7b757449819a52e6956f31d389a1b4c6f9dfbf443a97874c

Analysis

max time kernel
145s
max time network
145s
platform
windows7_x64
resource
win7-en-20211104
submitted
05-11-2021 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7355d1a43f1d438e09eebff0c90211b0.exe
Size

227KB
MD5

7355d1a43f1d438e09eebff0c90211b0
SHA1

4d6ca4321e87d5381ceeb1b60c300b7ab69ef30a
SHA256

566e2f01abcfcd6c7b757449819a52e6956f31d389a1b4c6f9dfbf443a97874c
SHA512

867b8beda9c79d09cd40267f254f3134a5a8837cd195c1324a938fa17e53521910f0cc3b038a4676ce84c87bd475778a1900ea80ed03850b3ac7f4141ecbef2e

Score

10^/10

njrat directx evasion persistence suricata trojan

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

DirectX

20.79.249.125:1604

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata

Nirsoft 7 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\4e525dca-117a-4882-b059-185fd0d147e1\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\4e525dca-117a-4882-b059-185fd0d147e1\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\4e525dca-117a-4882-b059-185fd0d147e1\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\4e525dca-117a-4882-b059-185fd0d147e1\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\4e525dca-117a-4882-b059-185fd0d147e1\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\4e525dca-117a-4882-b059-185fd0d147e1\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\4e525dca-117a-4882-b059-185fd0d147e1\AdvancedRun.exe	Nirsoft

Executes dropped EXE 3 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe

pid process

108 AdvancedRun.exe
240 AdvancedRun.exe
2004 䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe

Drops startup file 3 IoCs

Processes:

7355d1a43f1d438e09eebff0c90211b0.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	7355d1a43f1d438e09eebff0c90211b0.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	7355d1a43f1d438e09eebff0c90211b0.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe	7355d1a43f1d438e09eebff0c90211b0.exe

Loads dropped DLL 5 IoCs

Processes:

7355d1a43f1d438e09eebff0c90211b0.exeAdvancedRun.exe

pid	process
852	7355d1a43f1d438e09eebff0c90211b0.exe
852	7355d1a43f1d438e09eebff0c90211b0.exe
108	AdvancedRun.exe
108	AdvancedRun.exe
852	7355d1a43f1d438e09eebff0c90211b0.exe

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

7355d1a43f1d438e09eebff0c90211b0.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	7355d1a43f1d438e09eebff0c90211b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection	7355d1a43f1d438e09eebff0c90211b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	7355d1a43f1d438e09eebff0c90211b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	7355d1a43f1d438e09eebff0c90211b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe = "0"	7355d1a43f1d438e09eebff0c90211b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	7355d1a43f1d438e09eebff0c90211b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	7355d1a43f1d438e09eebff0c90211b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	7355d1a43f1d438e09eebff0c90211b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\‌ ‌‌ ›‼‍‽  ‍‏ \svchost.exe = "0"	7355d1a43f1d438e09eebff0c90211b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\7355d1a43f1d438e09eebff0c90211b0.exe = "0"	7355d1a43f1d438e09eebff0c90211b0.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7355d1a43f1d438e09eebff0c90211b0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾 = "C:\\Windows\\Microsoft.NET\\Framework\\\u200c\u2008\u200c\u200c\u202f›‼\u200d‽\u2028\u2009\u200d\u200b\u200f\u200a\\svchost.exe"	7355d1a43f1d438e09eebff0c90211b0.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

7355d1a43f1d438e09eebff0c90211b0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7355d1a43f1d438e09eebff0c90211b0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7355d1a43f1d438e09eebff0c90211b0.exe

Drops file in Windows directory 1 IoCs

Processes:

7355d1a43f1d438e09eebff0c90211b0.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\‌ ‌‌ ›‼‍‽  ‍‏ \svchost.exe	7355d1a43f1d438e09eebff0c90211b0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
108	AdvancedRun.exe
108	AdvancedRun.exe
240	AdvancedRun.exe
240	AdvancedRun.exe
1632	powershell.exe
1840	powershell.exe
1432	powershell.exe
1920	powershell.exe
1780	powershell.exe
1800	powershell.exe
1580	powershell.exe
1324	powershell.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

7355d1a43f1d438e09eebff0c90211b0.exeAdvancedRun.exeAdvancedRun.exe䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	852	7355d1a43f1d438e09eebff0c90211b0.exe
Token: SeDebugPrivilege	108	AdvancedRun.exe
Token: SeImpersonatePrivilege	108	AdvancedRun.exe
Token: SeDebugPrivilege	240	AdvancedRun.exe
Token: SeImpersonatePrivilege	240	AdvancedRun.exe
Token: SeDebugPrivilege	2004	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: 33	852	7355d1a43f1d438e09eebff0c90211b0.exe
Token: SeIncBasePriorityPrivilege	852	7355d1a43f1d438e09eebff0c90211b0.exe
Token: 33	852	7355d1a43f1d438e09eebff0c90211b0.exe
Token: SeIncBasePriorityPrivilege	852	7355d1a43f1d438e09eebff0c90211b0.exe
Token: 33	852	7355d1a43f1d438e09eebff0c90211b0.exe
Token: SeIncBasePriorityPrivilege	852	7355d1a43f1d438e09eebff0c90211b0.exe
Token: 33	852	7355d1a43f1d438e09eebff0c90211b0.exe
Token: SeIncBasePriorityPrivilege	852	7355d1a43f1d438e09eebff0c90211b0.exe
Token: 33	852	7355d1a43f1d438e09eebff0c90211b0.exe
Token: SeIncBasePriorityPrivilege	852	7355d1a43f1d438e09eebff0c90211b0.exe
Token: 33	852	7355d1a43f1d438e09eebff0c90211b0.exe
Token: SeIncBasePriorityPrivilege	852	7355d1a43f1d438e09eebff0c90211b0.exe
Token: 33	852	7355d1a43f1d438e09eebff0c90211b0.exe
Token: SeIncBasePriorityPrivilege	852	7355d1a43f1d438e09eebff0c90211b0.exe
Token: 33	852	7355d1a43f1d438e09eebff0c90211b0.exe
Token: SeIncBasePriorityPrivilege	852	7355d1a43f1d438e09eebff0c90211b0.exe
Token: 33	852	7355d1a43f1d438e09eebff0c90211b0.exe
Token: SeIncBasePriorityPrivilege	852	7355d1a43f1d438e09eebff0c90211b0.exe
Token: 33	852	7355d1a43f1d438e09eebff0c90211b0.exe
Token: SeIncBasePriorityPrivilege	852	7355d1a43f1d438e09eebff0c90211b0.exe
Token: 33	852	7355d1a43f1d438e09eebff0c90211b0.exe
Token: SeIncBasePriorityPrivilege	852	7355d1a43f1d438e09eebff0c90211b0.exe
Token: 33	852	7355d1a43f1d438e09eebff0c90211b0.exe
Token: SeIncBasePriorityPrivilege	852	7355d1a43f1d438e09eebff0c90211b0.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

7355d1a43f1d438e09eebff0c90211b0.exeAdvancedRun.exe

description	pid	process	target process
PID 852 wrote to memory of 108	852	7355d1a43f1d438e09eebff0c90211b0.exe	AdvancedRun.exe
PID 852 wrote to memory of 108	852	7355d1a43f1d438e09eebff0c90211b0.exe	AdvancedRun.exe
PID 852 wrote to memory of 108	852	7355d1a43f1d438e09eebff0c90211b0.exe	AdvancedRun.exe
PID 852 wrote to memory of 108	852	7355d1a43f1d438e09eebff0c90211b0.exe	AdvancedRun.exe
PID 108 wrote to memory of 240	108	AdvancedRun.exe	AdvancedRun.exe
PID 108 wrote to memory of 240	108	AdvancedRun.exe	AdvancedRun.exe
PID 108 wrote to memory of 240	108	AdvancedRun.exe	AdvancedRun.exe
PID 108 wrote to memory of 240	108	AdvancedRun.exe	AdvancedRun.exe
PID 852 wrote to memory of 1632	852	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 852 wrote to memory of 1632	852	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 852 wrote to memory of 1632	852	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 852 wrote to memory of 1632	852	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 852 wrote to memory of 1780	852	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 852 wrote to memory of 1780	852	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 852 wrote to memory of 1780	852	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 852 wrote to memory of 1780	852	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 852 wrote to memory of 1432	852	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 852 wrote to memory of 1432	852	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 852 wrote to memory of 1432	852	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 852 wrote to memory of 1432	852	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 852 wrote to memory of 1840	852	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 852 wrote to memory of 1840	852	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 852 wrote to memory of 1840	852	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 852 wrote to memory of 1840	852	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 852 wrote to memory of 1920	852	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 852 wrote to memory of 1920	852	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 852 wrote to memory of 1920	852	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 852 wrote to memory of 1920	852	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 852 wrote to memory of 2004	852	7355d1a43f1d438e09eebff0c90211b0.exe	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe
PID 852 wrote to memory of 2004	852	7355d1a43f1d438e09eebff0c90211b0.exe	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe
PID 852 wrote to memory of 2004	852	7355d1a43f1d438e09eebff0c90211b0.exe	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe
PID 852 wrote to memory of 2004	852	7355d1a43f1d438e09eebff0c90211b0.exe	䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe
PID 852 wrote to memory of 1324	852	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 852 wrote to memory of 1324	852	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 852 wrote to memory of 1324	852	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 852 wrote to memory of 1324	852	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 852 wrote to memory of 1580	852	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 852 wrote to memory of 1580	852	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 852 wrote to memory of 1580	852	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 852 wrote to memory of 1580	852	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 852 wrote to memory of 1800	852	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 852 wrote to memory of 1800	852	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 852 wrote to memory of 1800	852	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe
PID 852 wrote to memory of 1800	852	7355d1a43f1d438e09eebff0c90211b0.exe	powershell.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

7355d1a43f1d438e09eebff0c90211b0.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7355d1a43f1d438e09eebff0c90211b0.exe

C:\Users\Admin\AppData\Local\Temp\7355d1a43f1d438e09eebff0c90211b0.exe
"C:\Users\Admin\AppData\Local\Temp\7355d1a43f1d438e09eebff0c90211b0.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:852

C:\Users\Admin\AppData\Local\Temp\4e525dca-117a-4882-b059-185fd0d147e1\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\4e525dca-117a-4882-b059-185fd0d147e1\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\4e525dca-117a-4882-b059-185fd0d147e1\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:108

C:\Users\Admin\AppData\Local\Temp\4e525dca-117a-4882-b059-185fd0d147e1\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\4e525dca-117a-4882-b059-185fd0d147e1\AdvancedRun.exe" /SpecialRun 4101d8 108
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:240

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7355d1a43f1d438e09eebff0c90211b0.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7355d1a43f1d438e09eebff0c90211b0.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7355d1a43f1d438e09eebff0c90211b0.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\‌ ‌‌ ›‼‍‽  ‍‏ \svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7355d1a43f1d438e09eebff0c90211b0.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\‌ ‌‌ ›‼‍‽  ‍‏ \svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Bypass User Account Control

T1088

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4e525dca-117a-4882-b059-185fd0d147e1\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e525dca-117a-4882-b059-185fd0d147e1\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e525dca-117a-4882-b059-185fd0d147e1\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
e8eeaa120d2b4780e5a90ff136cd8af3

SHA1
d9b1b31cbf56399cf92a4e49d5ddabacd2bd1a2d

SHA256
242c66546a755c00600efc29de65711d453ce503cb846f2bfda86759e807fd15

SHA512
e1bdee736db768b1ce8ae985da9053d5ac71ebb4c1344e6b23c852270c218a5b42741217790b1486bd305ad56f4ef82a19793aafaceb1b3cc32b56d6751cfc35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
e8eeaa120d2b4780e5a90ff136cd8af3

SHA1
d9b1b31cbf56399cf92a4e49d5ddabacd2bd1a2d

SHA256
242c66546a755c00600efc29de65711d453ce503cb846f2bfda86759e807fd15

SHA512
e1bdee736db768b1ce8ae985da9053d5ac71ebb4c1344e6b23c852270c218a5b42741217790b1486bd305ad56f4ef82a19793aafaceb1b3cc32b56d6751cfc35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
e8eeaa120d2b4780e5a90ff136cd8af3

SHA1
d9b1b31cbf56399cf92a4e49d5ddabacd2bd1a2d

SHA256
242c66546a755c00600efc29de65711d453ce503cb846f2bfda86759e807fd15

SHA512
e1bdee736db768b1ce8ae985da9053d5ac71ebb4c1344e6b23c852270c218a5b42741217790b1486bd305ad56f4ef82a19793aafaceb1b3cc32b56d6751cfc35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
e8eeaa120d2b4780e5a90ff136cd8af3

SHA1
d9b1b31cbf56399cf92a4e49d5ddabacd2bd1a2d

SHA256
242c66546a755c00600efc29de65711d453ce503cb846f2bfda86759e807fd15

SHA512
e1bdee736db768b1ce8ae985da9053d5ac71ebb4c1344e6b23c852270c218a5b42741217790b1486bd305ad56f4ef82a19793aafaceb1b3cc32b56d6751cfc35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
e8eeaa120d2b4780e5a90ff136cd8af3

SHA1
d9b1b31cbf56399cf92a4e49d5ddabacd2bd1a2d

SHA256
242c66546a755c00600efc29de65711d453ce503cb846f2bfda86759e807fd15

SHA512
e1bdee736db768b1ce8ae985da9053d5ac71ebb4c1344e6b23c852270c218a5b42741217790b1486bd305ad56f4ef82a19793aafaceb1b3cc32b56d6751cfc35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
e8eeaa120d2b4780e5a90ff136cd8af3

SHA1
d9b1b31cbf56399cf92a4e49d5ddabacd2bd1a2d

SHA256
242c66546a755c00600efc29de65711d453ce503cb846f2bfda86759e807fd15

SHA512
e1bdee736db768b1ce8ae985da9053d5ac71ebb4c1344e6b23c852270c218a5b42741217790b1486bd305ad56f4ef82a19793aafaceb1b3cc32b56d6751cfc35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe
MD5
7355d1a43f1d438e09eebff0c90211b0

SHA1
4d6ca4321e87d5381ceeb1b60c300b7ab69ef30a

SHA256
566e2f01abcfcd6c7b757449819a52e6956f31d389a1b4c6f9dfbf443a97874c

SHA512
867b8beda9c79d09cd40267f254f3134a5a8837cd195c1324a938fa17e53521910f0cc3b038a4676ce84c87bd475778a1900ea80ed03850b3ac7f4141ecbef2e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe
MD5
7355d1a43f1d438e09eebff0c90211b0

SHA1
4d6ca4321e87d5381ceeb1b60c300b7ab69ef30a

SHA256
566e2f01abcfcd6c7b757449819a52e6956f31d389a1b4c6f9dfbf443a97874c

SHA512
867b8beda9c79d09cd40267f254f3134a5a8837cd195c1324a938fa17e53521910f0cc3b038a4676ce84c87bd475778a1900ea80ed03850b3ac7f4141ecbef2e

Download Submit
\Users\Admin\AppData\Local\Temp\4e525dca-117a-4882-b059-185fd0d147e1\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\4e525dca-117a-4882-b059-185fd0d147e1\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\4e525dca-117a-4882-b059-185fd0d147e1\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\4e525dca-117a-4882-b059-185fd0d147e1\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\䁢䁞䁟䀾䀲䀰䁔䁢䀰䀵䀴䀱䁝䁟䀾.exe
MD5
7355d1a43f1d438e09eebff0c90211b0

SHA1
4d6ca4321e87d5381ceeb1b60c300b7ab69ef30a

SHA256
566e2f01abcfcd6c7b757449819a52e6956f31d389a1b4c6f9dfbf443a97874c

SHA512
867b8beda9c79d09cd40267f254f3134a5a8837cd195c1324a938fa17e53521910f0cc3b038a4676ce84c87bd475778a1900ea80ed03850b3ac7f4141ecbef2e

Download Submit
memory/108-65-0x0000000000000000-mapping.dmp

Download
memory/240-71-0x0000000000000000-mapping.dmp

Download
memory/852-107-0x0000000000960000-0x0000000000967000-memory.dmp

Filesize
28KB

Download
memory/852-57-0x0000000075491000-0x0000000075493000-memory.dmp

Filesize
8KB

Download
memory/852-60-0x00000000004C0000-0x00000000004C3000-memory.dmp

Filesize
12KB

Download
memory/852-61-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/852-58-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/852-62-0x00000000008D0000-0x0000000000922000-memory.dmp

Filesize
328KB

Download
memory/852-55-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/1324-90-0x0000000000000000-mapping.dmp

Download
memory/1324-109-0x0000000002320000-0x0000000002F6A000-memory.dmp

Filesize
12.3MB

Download
memory/1432-114-0x0000000002390000-0x0000000002FDA000-memory.dmp

Filesize
12.3MB

Download
memory/1432-77-0x0000000000000000-mapping.dmp

Download
memory/1580-112-0x0000000002540000-0x000000000318A000-memory.dmp

Filesize
12.3MB

Download
memory/1580-92-0x0000000000000000-mapping.dmp

Download
memory/1632-74-0x0000000000000000-mapping.dmp

Download
memory/1632-113-0x0000000002330000-0x0000000002F7A000-memory.dmp

Filesize
12.3MB

Download
memory/1632-118-0x0000000002330000-0x0000000002F7A000-memory.dmp

Filesize
12.3MB

Download
memory/1780-110-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/1780-75-0x0000000000000000-mapping.dmp

Download
memory/1780-117-0x00000000004F2000-0x00000000004F4000-memory.dmp

Filesize
8KB

Download
memory/1780-111-0x00000000004F1000-0x00000000004F2000-memory.dmp

Filesize
4KB

Download
memory/1800-115-0x0000000002410000-0x000000000305A000-memory.dmp

Filesize
12.3MB

Download
memory/1800-99-0x0000000000000000-mapping.dmp

Download
memory/1840-108-0x0000000002590000-0x00000000031DA000-memory.dmp

Filesize
12.3MB

Download
memory/1840-79-0x0000000000000000-mapping.dmp

Download
memory/1920-81-0x0000000000000000-mapping.dmp

Download
memory/1920-116-0x0000000002370000-0x0000000002FBA000-memory.dmp

Filesize
12.3MB

Download
memory/2004-94-0x0000000004730000-0x0000000004731000-memory.dmp

Filesize
4KB

Download
memory/2004-88-0x0000000001250000-0x0000000001251000-memory.dmp

Filesize
4KB

Download
memory/2004-84-0x0000000000000000-mapping.dmp

Download
memory/2004-97-0x00000000046F0000-0x00000000046F1000-memory.dmp

Filesize
4KB

Download