njrat | e414709eff086bf9652b2990488603a5346b60b8936c51c364e1130e5a5def0f

Analysis

max time kernel
150s
max time network
147s
platform
windows10_x64
resource
win10-en-20211208
submitted
15-12-2021 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e414709eff086bf9652b2990488603a5346b60b8936c51c364e1130e5a5def0f.exe
Size

8.4MB
MD5

fc878a1e87addcfc819a738f2f4b58f0
SHA1

3fe62a9844037951adda9aab5ce952b941033288
SHA256

e414709eff086bf9652b2990488603a5346b60b8936c51c364e1130e5a5def0f
SHA512

71da98d1086e4a8754d03592266e513e27a8ec4b8e252a7ca24a9278cd8eb0ed61d062a9a1b8f6b3b158c6f2b3465a1088e5b415feabf95a88f00d677ddd06e9

Score

10^/10

njrat xmrig miner persistence suricata trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1272-150-0x0000000140000000-0x000000014097B000-memory.dmp	xmrig
behavioral1/memory/1272-151-0x0000000140958000-mapping.dmp	xmrig
behavioral1/memory/1272-158-0x0000000140000000-0x000000014097B000-memory.dmp	xmrig

Executes dropped EXE 7 IoCs

Processes:

ra2.exeBuild.exeservies.exesihost64.exeClient.exeClient.exeClient.exe

pid process

3548 ra2.exe
1332 Build.exe
2944 servies.exe
3184 sihost64.exe
3128 Client.exe
1020 Client.exe
2320 Client.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

servies.exeexplorer.exeBuild.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	servies.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Build.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Build.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	servies.exe

Drops startup file 4 IoCs

Processes:

Client.exera2.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Client.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	ra2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Client.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\Client.exe\" .."	Client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\Client.exe\" .."	Client.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

servies.exe

description pid process target process

PID 2944 set thread context of 1272 2944 servies.exe explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2944 set thread context of 1272	2944	servies.exe	explorer.exe

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3428	schtasks.exe
1068	schtasks.exe
1172	schtasks.exe
3588	schtasks.exe
1880	schtasks.exe
412	schtasks.exe
3176	schtasks.exe
3104	schtasks.exe
2024	schtasks.exe

Kills process with taskkill 8 IoCs
evasion

Processes:

TASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exe

pid process

380 TASKKILL.exe
4008 TASKKILL.exe
1492 TASKKILL.exe
608 TASKKILL.exe
644 TASKKILL.exe
2380 TASKKILL.exe
976 TASKKILL.exe
3824 TASKKILL.exe

pid	process
380	TASKKILL.exe
4008	TASKKILL.exe
1492	TASKKILL.exe
608	TASKKILL.exe
644	TASKKILL.exe
2380	TASKKILL.exe
976	TASKKILL.exe
3824	TASKKILL.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ra2.exeBuild.exe

pid	process
3548	ra2.exe
3548	ra2.exe
1332	Build.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe
3548	ra2.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

628

pid	process
628

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

ra2.exeTASKKILL.exeTASKKILL.exeBuild.exeservies.exeClient.exeTASKKILL.exeTASKKILL.exeexplorer.exeTASKKILL.exeTASKKILL.exeClient.exeTASKKILL.exeTASKKILL.exeClient.exe

description	pid	process
Token: SeDebugPrivilege	3548	ra2.exe
Token: SeDebugPrivilege	380	TASKKILL.exe
Token: SeDebugPrivilege	4008	TASKKILL.exe
Token: SeDebugPrivilege	1332	Build.exe
Token: SeDebugPrivilege	2944	servies.exe
Token: SeDebugPrivilege	3128	Client.exe
Token: SeDebugPrivilege	608	TASKKILL.exe
Token: SeDebugPrivilege	1492	TASKKILL.exe
Token: SeLockMemoryPrivilege	1272	explorer.exe
Token: SeLockMemoryPrivilege	1272	explorer.exe
Token: 33	3128	Client.exe
Token: SeIncBasePriorityPrivilege	3128	Client.exe
Token: SeDebugPrivilege	644	TASKKILL.exe
Token: SeDebugPrivilege	2380	TASKKILL.exe
Token: SeDebugPrivilege	1020	Client.exe
Token: 33	3128	Client.exe
Token: SeIncBasePriorityPrivilege	3128	Client.exe
Token: 33	3128	Client.exe
Token: SeIncBasePriorityPrivilege	3128	Client.exe
Token: 33	3128	Client.exe
Token: SeIncBasePriorityPrivilege	3128	Client.exe
Token: 33	3128	Client.exe
Token: SeIncBasePriorityPrivilege	3128	Client.exe
Token: 33	3128	Client.exe
Token: SeIncBasePriorityPrivilege	3128	Client.exe
Token: 33	3128	Client.exe
Token: SeIncBasePriorityPrivilege	3128	Client.exe
Token: 33	3128	Client.exe
Token: SeIncBasePriorityPrivilege	3128	Client.exe
Token: 33	3128	Client.exe
Token: SeIncBasePriorityPrivilege	3128	Client.exe
Token: SeDebugPrivilege	976	TASKKILL.exe
Token: SeDebugPrivilege	3824	TASKKILL.exe
Token: SeDebugPrivilege	2320	Client.exe
Token: 33	3128	Client.exe
Token: SeIncBasePriorityPrivilege	3128	Client.exe
Token: 33	3128	Client.exe
Token: SeIncBasePriorityPrivilege	3128	Client.exe
Token: 33	3128	Client.exe
Token: SeIncBasePriorityPrivilege	3128	Client.exe
Token: 33	3128	Client.exe
Token: SeIncBasePriorityPrivilege	3128	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e414709eff086bf9652b2990488603a5346b60b8936c51c364e1130e5a5def0f.exera2.exeBuild.execmd.execmd.exeservies.exeClient.exe

description	pid	process	target process
PID 2748 wrote to memory of 3548	2748	e414709eff086bf9652b2990488603a5346b60b8936c51c364e1130e5a5def0f.exe	ra2.exe
PID 2748 wrote to memory of 3548	2748	e414709eff086bf9652b2990488603a5346b60b8936c51c364e1130e5a5def0f.exe	ra2.exe
PID 2748 wrote to memory of 3548	2748	e414709eff086bf9652b2990488603a5346b60b8936c51c364e1130e5a5def0f.exe	ra2.exe
PID 2748 wrote to memory of 1332	2748	e414709eff086bf9652b2990488603a5346b60b8936c51c364e1130e5a5def0f.exe	Build.exe
PID 2748 wrote to memory of 1332	2748	e414709eff086bf9652b2990488603a5346b60b8936c51c364e1130e5a5def0f.exe	Build.exe
PID 3548 wrote to memory of 3980	3548	ra2.exe	schtasks.exe
PID 3548 wrote to memory of 3980	3548	ra2.exe	schtasks.exe
PID 3548 wrote to memory of 3980	3548	ra2.exe	schtasks.exe
PID 3548 wrote to memory of 3428	3548	ra2.exe	schtasks.exe
PID 3548 wrote to memory of 3428	3548	ra2.exe	schtasks.exe
PID 3548 wrote to memory of 3428	3548	ra2.exe	schtasks.exe
PID 3548 wrote to memory of 380	3548	ra2.exe	TASKKILL.exe
PID 3548 wrote to memory of 380	3548	ra2.exe	TASKKILL.exe
PID 3548 wrote to memory of 380	3548	ra2.exe	TASKKILL.exe
PID 3548 wrote to memory of 4008	3548	ra2.exe	TASKKILL.exe
PID 3548 wrote to memory of 4008	3548	ra2.exe	TASKKILL.exe
PID 3548 wrote to memory of 4008	3548	ra2.exe	TASKKILL.exe
PID 1332 wrote to memory of 3332	1332	Build.exe	cmd.exe
PID 1332 wrote to memory of 3332	1332	Build.exe	cmd.exe
PID 3332 wrote to memory of 1880	3332	cmd.exe	schtasks.exe
PID 3332 wrote to memory of 1880	3332	cmd.exe	schtasks.exe
PID 3548 wrote to memory of 1744	3548	ra2.exe	schtasks.exe
PID 3548 wrote to memory of 1744	3548	ra2.exe	schtasks.exe
PID 3548 wrote to memory of 1744	3548	ra2.exe	schtasks.exe
PID 3548 wrote to memory of 1068	3548	ra2.exe	schtasks.exe
PID 3548 wrote to memory of 1068	3548	ra2.exe	schtasks.exe
PID 3548 wrote to memory of 1068	3548	ra2.exe	schtasks.exe
PID 1332 wrote to memory of 3220	1332	Build.exe	cmd.exe
PID 1332 wrote to memory of 3220	1332	Build.exe	cmd.exe
PID 3220 wrote to memory of 2944	3220	cmd.exe	servies.exe
PID 3220 wrote to memory of 2944	3220	cmd.exe	servies.exe
PID 2944 wrote to memory of 3184	2944	servies.exe	sihost64.exe
PID 2944 wrote to memory of 3184	2944	servies.exe	sihost64.exe
PID 2944 wrote to memory of 1272	2944	servies.exe	explorer.exe
PID 2944 wrote to memory of 1272	2944	servies.exe	explorer.exe
PID 2944 wrote to memory of 1272	2944	servies.exe	explorer.exe
PID 2944 wrote to memory of 1272	2944	servies.exe	explorer.exe
PID 2944 wrote to memory of 1272	2944	servies.exe	explorer.exe
PID 2944 wrote to memory of 1272	2944	servies.exe	explorer.exe
PID 2944 wrote to memory of 1272	2944	servies.exe	explorer.exe
PID 2944 wrote to memory of 1272	2944	servies.exe	explorer.exe
PID 2944 wrote to memory of 1272	2944	servies.exe	explorer.exe
PID 2944 wrote to memory of 1272	2944	servies.exe	explorer.exe
PID 3548 wrote to memory of 3128	3548	ra2.exe	Client.exe
PID 3548 wrote to memory of 3128	3548	ra2.exe	Client.exe
PID 3548 wrote to memory of 3128	3548	ra2.exe	Client.exe
PID 3128 wrote to memory of 1800	3128	Client.exe	schtasks.exe
PID 3128 wrote to memory of 1800	3128	Client.exe	schtasks.exe
PID 3128 wrote to memory of 1800	3128	Client.exe	schtasks.exe
PID 3128 wrote to memory of 1172	3128	Client.exe	schtasks.exe
PID 3128 wrote to memory of 1172	3128	Client.exe	schtasks.exe
PID 3128 wrote to memory of 1172	3128	Client.exe	schtasks.exe
PID 3128 wrote to memory of 1492	3128	Client.exe	TASKKILL.exe
PID 3128 wrote to memory of 1492	3128	Client.exe	TASKKILL.exe
PID 3128 wrote to memory of 1492	3128	Client.exe	TASKKILL.exe
PID 3128 wrote to memory of 608	3128	Client.exe	TASKKILL.exe
PID 3128 wrote to memory of 608	3128	Client.exe	TASKKILL.exe
PID 3128 wrote to memory of 608	3128	Client.exe	TASKKILL.exe
PID 3128 wrote to memory of 2096	3128	Client.exe	schtasks.exe
PID 3128 wrote to memory of 2096	3128	Client.exe	schtasks.exe
PID 3128 wrote to memory of 2096	3128	Client.exe	schtasks.exe
PID 3128 wrote to memory of 412	3128	Client.exe	schtasks.exe
PID 3128 wrote to memory of 412	3128	Client.exe	schtasks.exe
PID 3128 wrote to memory of 412	3128	Client.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\e414709eff086bf9652b2990488603a5346b60b8936c51c364e1130e5a5def0f.exe
"C:\Users\Admin\AppData\Local\Temp\e414709eff086bf9652b2990488603a5346b60b8936c51c364e1130e5a5def0f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2748

C:\Users\Admin\AppData\Local\Temp\ra2.exe
"C:\Users\Admin\AppData\Local\Temp\ra2.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYANP /F
3⤵
PID:3980

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\ra2.exe" /sc minute /mo 5
3⤵
- Creates scheduled task(s)
PID:3428

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:380

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
3⤵
PID:1744

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\ra2.exe" /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:1068

C:\Users\Admin\Client.exe
"C:\Users\Admin\Client.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3128

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYANP /F
4⤵
PID:1800

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYANP /tr "C:\Users\Admin\Client.exe" /sc minute /mo 5
4⤵
- Creates scheduled task(s)
PID:1172

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:608

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
4⤵
PID:2096

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\Client.exe" /sc minute /mo 1
4⤵
- Creates scheduled task(s)
PID:412

C:\Users\Admin\AppData\Local\Temp\Build.exe
"C:\Users\Admin\AppData\Local\Temp\Build.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "servies" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\servies.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3332

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "servies" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\servies.exe"
4⤵
- Creates scheduled task(s)
PID:1880

C:\Windows\SYSTEM32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\Microsoft\servies.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3220

C:\Users\Admin\AppData\Roaming\Microsoft\servies.exe
C:\Users\Admin\AppData\Roaming\Microsoft\servies.exe
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"
5⤵
- Executes dropped EXE
PID:3184

C:\Windows\explorer.exe
C:\Windows\explorer.exe kikgvzdagtfalr0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJRha9S4YJkR8/KlqFio/vzAYZEBsbMhk19a7AHFG2E7AaoXpwGgnL9qfF4ckLxCoO5fPm2jEdfVVBnDTVsKcr78bsf+FJAiv9UkqD3PHA/InOiEAYhRW2/oAEFHfXMVdkjhaWKsg2Ui/VNDlZrjEfnNbtHmDzkUQ230hBNYh7ZxfvuOTeg8dkgkyXdOQwbhwsJPq28iQfFX1PueXdORkCf4VucZx9baeD4MEWeJktSkHVOynOvy7XJ6mNKXnfO/doHlqoNXzZ9yBJS+rgA0257kMWTO+mq/iSyuLLOlHufNdxCuaooAte42l8WasUHsqGcVky0tLDJI0vRieQM7RiXxpnGFfsCsd7THmjaH/w72d3yTFK/O26HmnrQqmsgAIYO6eidmlIq4VnrnNaUF02+EUeXXUC+XLSypGiOPZt/u2qjQSEo2JnfQG/1t76Y5UmvcdiThqoLnxJ0iX0LglGcPw3+/OmvYZC29fJYqJidc6CGf6nKuThpimDlMir2QU69LNxGOE1rkpFoyAWPXAN4T+Cg9ybqrJ+tbpIJQe9UPCQ==
5⤵
- Checks BIOS information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Users\Admin\Client.exe
C:\Users\Admin\Client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYANP /F
2⤵
PID:2936

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYANP /tr "C:\Users\Admin\Client.exe" /sc minute /mo 5
2⤵
- Creates scheduled task(s)
PID:3176

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
2⤵
PID:2624

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\Client.exe" /sc minute /mo 1
2⤵
- Creates scheduled task(s)
PID:3104

C:\Users\Admin\Client.exe
C:\Users\Admin\Client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYANP /F
2⤵
PID:1280

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYANP /tr "C:\Users\Admin\Client.exe" /sc minute /mo 5
2⤵
- Creates scheduled task(s)
PID:2024

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
2⤵
PID:1360

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\Client.exe" /sc minute /mo 1
2⤵
- Creates scheduled task(s)
PID:3588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Client.exe.log

MD5
68fd23becbb886946c7fd350fa5efeba

SHA1
69cf312bf69233ec457b9ae4ce0ab4d092669e0b

SHA256
bc0c4509c74a57c5aa7260470b2b798157884b2f9072303e9fbc1e5ebbe18c14

SHA512
56e947f03c677e9f5dfa863c1b45721eff492f44d290ad5224a46b8623de5cf3fd56b4c04659c48b9342afb4061fea072992226b009a0b0d3bd67c9b3044b926

Download Submit
C:\Users\Admin\AppData\Local\Temp\Build.exe

MD5
19402d6c5cd427fbfc867279bd40667a

SHA1
72a3aaf031894dc1736bdfaa25bac181019a9398

SHA256
ad363e875ebeaee352f9ce9a53f70fa1b8887ae3b42a9f1a817d3402db05b994

SHA512
b8e82ee6398eedfbe7617ab2e0c274a6f3eccad681ed044b17e444d8c711293e9ba64e5151b5ab558417a452639b93826d3c01ff5736ef787e05140e17b45618

Download Submit
C:\Users\Admin\AppData\Local\Temp\Build.exe

MD5
19402d6c5cd427fbfc867279bd40667a

SHA1
72a3aaf031894dc1736bdfaa25bac181019a9398

SHA256
ad363e875ebeaee352f9ce9a53f70fa1b8887ae3b42a9f1a817d3402db05b994

SHA512
b8e82ee6398eedfbe7617ab2e0c274a6f3eccad681ed044b17e444d8c711293e9ba64e5151b5ab558417a452639b93826d3c01ff5736ef787e05140e17b45618

Download Submit
C:\Users\Admin\AppData\Local\Temp\ra2.exe

MD5
6d9a47c5bae0ee452b2076ed8b98dab4

SHA1
e65b81b050d75b8dcb5374e0b39601abf55d631e

SHA256
32ff5787da7645739eb059af2c09432f0b25401acfbc58a0f576ca6123bbee44

SHA512
c31223d4a96045a5b910f9da603676b9a28fc926a922075e676cb644f8f02251de3c57be4078b210b26300689876e9162c91e297bf0367bf189deceb32e61d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\ra2.exe

MD5
6d9a47c5bae0ee452b2076ed8b98dab4

SHA1
e65b81b050d75b8dcb5374e0b39601abf55d631e

SHA256
32ff5787da7645739eb059af2c09432f0b25401acfbc58a0f576ca6123bbee44

SHA512
c31223d4a96045a5b910f9da603676b9a28fc926a922075e676cb644f8f02251de3c57be4078b210b26300689876e9162c91e297bf0367bf189deceb32e61d59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe

MD5
5aff6f89f1a58c1f48873b39a6602005

SHA1
66c97937cf6b99ca8fa500c1345d6675061c0615

SHA256
0f4e36dcb645801dfb01afe7b7d3527ce295cc581af11102b02306d0b243a158

SHA512
e92787f9569617912ac7e7dc14c77d896369d16d70576e134c5f069851194c592f7f2ebe71f627668f8a6cf0e9ae166fb3b0610b83e7cf4a4b03e7da7f70c600

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe

MD5
5aff6f89f1a58c1f48873b39a6602005

SHA1
66c97937cf6b99ca8fa500c1345d6675061c0615

SHA256
0f4e36dcb645801dfb01afe7b7d3527ce295cc581af11102b02306d0b243a158

SHA512
e92787f9569617912ac7e7dc14c77d896369d16d70576e134c5f069851194c592f7f2ebe71f627668f8a6cf0e9ae166fb3b0610b83e7cf4a4b03e7da7f70c600

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\servies.exe

MD5
19402d6c5cd427fbfc867279bd40667a

SHA1
72a3aaf031894dc1736bdfaa25bac181019a9398

SHA256
ad363e875ebeaee352f9ce9a53f70fa1b8887ae3b42a9f1a817d3402db05b994

SHA512
b8e82ee6398eedfbe7617ab2e0c274a6f3eccad681ed044b17e444d8c711293e9ba64e5151b5ab558417a452639b93826d3c01ff5736ef787e05140e17b45618

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\servies.exe

MD5
19402d6c5cd427fbfc867279bd40667a

SHA1
72a3aaf031894dc1736bdfaa25bac181019a9398

SHA256
ad363e875ebeaee352f9ce9a53f70fa1b8887ae3b42a9f1a817d3402db05b994

SHA512
b8e82ee6398eedfbe7617ab2e0c274a6f3eccad681ed044b17e444d8c711293e9ba64e5151b5ab558417a452639b93826d3c01ff5736ef787e05140e17b45618

Download Submit
C:\Users\Admin\Client.exe

MD5
6d9a47c5bae0ee452b2076ed8b98dab4

SHA1
e65b81b050d75b8dcb5374e0b39601abf55d631e

SHA256
32ff5787da7645739eb059af2c09432f0b25401acfbc58a0f576ca6123bbee44

SHA512
c31223d4a96045a5b910f9da603676b9a28fc926a922075e676cb644f8f02251de3c57be4078b210b26300689876e9162c91e297bf0367bf189deceb32e61d59

Download Submit
C:\Users\Admin\Client.exe

MD5
6d9a47c5bae0ee452b2076ed8b98dab4

SHA1
e65b81b050d75b8dcb5374e0b39601abf55d631e

SHA256
32ff5787da7645739eb059af2c09432f0b25401acfbc58a0f576ca6123bbee44

SHA512
c31223d4a96045a5b910f9da603676b9a28fc926a922075e676cb644f8f02251de3c57be4078b210b26300689876e9162c91e297bf0367bf189deceb32e61d59

Download Submit
C:\Users\Admin\Client.exe

MD5
6d9a47c5bae0ee452b2076ed8b98dab4

SHA1
e65b81b050d75b8dcb5374e0b39601abf55d631e

SHA256
32ff5787da7645739eb059af2c09432f0b25401acfbc58a0f576ca6123bbee44

SHA512
c31223d4a96045a5b910f9da603676b9a28fc926a922075e676cb644f8f02251de3c57be4078b210b26300689876e9162c91e297bf0367bf189deceb32e61d59

Download Submit
C:\Users\Admin\Client.exe

MD5
6d9a47c5bae0ee452b2076ed8b98dab4

SHA1
e65b81b050d75b8dcb5374e0b39601abf55d631e

SHA256
32ff5787da7645739eb059af2c09432f0b25401acfbc58a0f576ca6123bbee44

SHA512
c31223d4a96045a5b910f9da603676b9a28fc926a922075e676cb644f8f02251de3c57be4078b210b26300689876e9162c91e297bf0367bf189deceb32e61d59

Download Submit
memory/380-124-0x0000000000000000-mapping.dmp

Download
memory/412-171-0x0000000000000000-mapping.dmp

Download
memory/608-163-0x0000000000000000-mapping.dmp

Download
memory/644-178-0x0000000000000000-mapping.dmp

Download
memory/976-190-0x0000000000000000-mapping.dmp

Download
memory/1020-180-0x0000000000853000-0x0000000000855000-memory.dmp

Filesize
8KB

Download
memory/1020-181-0x0000000000855000-0x0000000000856000-memory.dmp

Filesize
4KB

Download
memory/1020-182-0x0000000000856000-0x0000000000857000-memory.dmp

Filesize
4KB

Download
memory/1020-174-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/1068-135-0x0000000000000000-mapping.dmp

Download
memory/1172-161-0x0000000000000000-mapping.dmp

Download
memory/1272-155-0x00000000028F0000-0x00000000028F2000-memory.dmp

Filesize
8KB

Download
memory/1272-158-0x0000000140000000-0x000000014097B000-memory.dmp

Filesize
9.5MB

Download
memory/1272-175-0x00000000145E0000-0x0000000014600000-memory.dmp

Filesize
128KB

Download
memory/1272-164-0x00000000028F0000-0x00000000028F2000-memory.dmp

Filesize
8KB

Download
memory/1272-156-0x00000000028F0000-0x00000000028F2000-memory.dmp

Filesize
8KB

Download
memory/1272-165-0x0000000003970000-0x0000000003990000-memory.dmp

Filesize
128KB

Download
memory/1272-151-0x0000000140958000-mapping.dmp

Download
memory/1272-150-0x0000000140000000-0x000000014097B000-memory.dmp

Filesize
9.5MB

Download
memory/1272-166-0x00000000028F0000-0x00000000028F2000-memory.dmp

Filesize
8KB

Download
memory/1272-169-0x0000000013E60000-0x0000000013EA0000-memory.dmp

Filesize
256KB

Download
memory/1280-188-0x0000000000000000-mapping.dmp

Download
memory/1332-118-0x0000000000000000-mapping.dmp

Download
memory/1332-131-0x0000000022240000-0x0000000022242000-memory.dmp

Filesize
8KB

Download
memory/1332-125-0x00007FF6D2FD0000-0x00007FF6D2FD1000-memory.dmp

Filesize
4KB

Download
memory/1332-128-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/1360-195-0x0000000000000000-mapping.dmp

Download
memory/1492-162-0x0000000000000000-mapping.dmp

Download
memory/1744-134-0x0000000000000000-mapping.dmp

Download
memory/1800-160-0x0000000000000000-mapping.dmp

Download
memory/1880-130-0x0000000000000000-mapping.dmp

Download
memory/2024-189-0x0000000000000000-mapping.dmp

Download
memory/2096-170-0x0000000000000000-mapping.dmp

Download
memory/2320-194-0x0000000001436000-0x0000000001437000-memory.dmp

Filesize
4KB

Download
memory/2320-193-0x0000000001435000-0x0000000001436000-memory.dmp

Filesize
4KB

Download
memory/2320-187-0x0000000001430000-0x0000000001431000-memory.dmp

Filesize
4KB

Download
memory/2320-192-0x0000000001433000-0x0000000001435000-memory.dmp

Filesize
8KB

Download
memory/2380-179-0x0000000000000000-mapping.dmp

Download
memory/2624-183-0x0000000000000000-mapping.dmp

Download
memory/2936-176-0x0000000000000000-mapping.dmp

Download
memory/2944-149-0x0000000022560000-0x0000000022562000-memory.dmp

Filesize
8KB

Download
memory/2944-137-0x0000000000000000-mapping.dmp

Download
memory/2944-140-0x00007FF6580B0000-0x00007FF6580B1000-memory.dmp

Filesize
4KB

Download
memory/3104-184-0x0000000000000000-mapping.dmp

Download
memory/3128-159-0x0000000002F90000-0x0000000002F91000-memory.dmp

Filesize
4KB

Download
memory/3128-167-0x0000000002F93000-0x0000000002F95000-memory.dmp

Filesize
8KB

Download
memory/3128-172-0x0000000002F96000-0x0000000002F97000-memory.dmp

Filesize
4KB

Download
memory/3128-152-0x0000000000000000-mapping.dmp

Download
memory/3128-168-0x0000000002F95000-0x0000000002F96000-memory.dmp

Filesize
4KB

Download
memory/3176-177-0x0000000000000000-mapping.dmp

Download
memory/3184-146-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/3184-143-0x0000000000000000-mapping.dmp

Download
memory/3184-157-0x000000001B820000-0x000000001B822000-memory.dmp

Filesize
8KB

Download
memory/3220-136-0x0000000000000000-mapping.dmp

Download
memory/3332-129-0x0000000000000000-mapping.dmp

Download
memory/3428-123-0x0000000000000000-mapping.dmp

Download
memory/3548-148-0x0000000000B16000-0x0000000000B17000-memory.dmp

Filesize
4KB

Download
memory/3548-115-0x0000000000000000-mapping.dmp

Download
memory/3548-133-0x0000000000B15000-0x0000000000B16000-memory.dmp

Filesize
4KB

Download
memory/3548-132-0x0000000000B13000-0x0000000000B15000-memory.dmp

Filesize
8KB

Download
memory/3548-121-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/3588-196-0x0000000000000000-mapping.dmp

Download
memory/3824-191-0x0000000000000000-mapping.dmp

Download
memory/3980-122-0x0000000000000000-mapping.dmp

Download
memory/4008-127-0x0000000000000000-mapping.dmp

Download