njrat | df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56

General

Target

df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
Size

212KB
MD5

97cdc2694b476ab047a4d162d19ba8a6
SHA1

56d6f2e31897873d1f38564f659e5b36992a27d2
SHA256

df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56
SHA512

f7956d6a6058ae1c496fae3b5985a60894718a66159b6f3f12ab1c6e3c67442defb6ba30233101db62e5b949a29719f19a5e029fdf0164e8886b4a9173d3987a

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

HacKed

C2

127.0.0.1:4004

Mutex

5cd8f17f4086744065eb0992a09e05a2

Attributes

reg_key
5cd8f17f4086744065eb0992a09e05a2
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 2 IoCs

Processes:

Trojan.exeTrojan.exe

pid process

1924 Trojan.exe
1504 Trojan.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

812 netsh.exe
Loads dropped DLL 2 IoCs

Processes:

df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exeTrojan.exe

pid process

1744 df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
1924 Trojan.exe

pid	process
1924	Trojan.exe
1504	Trojan.exe

pid	process
812	netsh.exe

pid	process
1744	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
1924	Trojan.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exeTrojan.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\CbNkGKKTsa = "C:\\Users\\Admin\\AppData\\Roaming\\CrJxFNPQeE\\eRSAErfXKH.exe"	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exeTrojan.exe

description	pid	process	target process
PID 1016 set thread context of 1744	1016	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
PID 1924 set thread context of 1504	1924	Trojan.exe	Trojan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Trojan.exe

pid process

1504 Trojan.exe
1504 Trojan.exe
1504 Trojan.exe
1504 Trojan.exe
1504 Trojan.exe
1504 Trojan.exe

pid	process
1504	Trojan.exe
1504	Trojan.exe
1504	Trojan.exe
1504	Trojan.exe
1504	Trojan.exe
1504	Trojan.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exeTrojan.exe

description	pid	process
Token: SeDebugPrivilege	1744	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
Token: SeDebugPrivilege	1504	Trojan.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exedf8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exeTrojan.exeTrojan.exe

description	pid	process	target process
PID 1016 wrote to memory of 1744	1016	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
PID 1016 wrote to memory of 1744	1016	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
PID 1016 wrote to memory of 1744	1016	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
PID 1016 wrote to memory of 1744	1016	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
PID 1016 wrote to memory of 1744	1016	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
PID 1016 wrote to memory of 1744	1016	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
PID 1016 wrote to memory of 1744	1016	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
PID 1016 wrote to memory of 1744	1016	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
PID 1016 wrote to memory of 1744	1016	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
PID 1744 wrote to memory of 1924	1744	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe	Trojan.exe
PID 1744 wrote to memory of 1924	1744	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe	Trojan.exe
PID 1744 wrote to memory of 1924	1744	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe	Trojan.exe
PID 1744 wrote to memory of 1924	1744	df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe	Trojan.exe
PID 1924 wrote to memory of 1504	1924	Trojan.exe	Trojan.exe
PID 1924 wrote to memory of 1504	1924	Trojan.exe	Trojan.exe
PID 1924 wrote to memory of 1504	1924	Trojan.exe	Trojan.exe
PID 1924 wrote to memory of 1504	1924	Trojan.exe	Trojan.exe
PID 1924 wrote to memory of 1504	1924	Trojan.exe	Trojan.exe
PID 1924 wrote to memory of 1504	1924	Trojan.exe	Trojan.exe
PID 1924 wrote to memory of 1504	1924	Trojan.exe	Trojan.exe
PID 1924 wrote to memory of 1504	1924	Trojan.exe	Trojan.exe
PID 1924 wrote to memory of 1504	1924	Trojan.exe	Trojan.exe
PID 1504 wrote to memory of 812	1504	Trojan.exe	netsh.exe
PID 1504 wrote to memory of 812	1504	Trojan.exe	netsh.exe
PID 1504 wrote to memory of 812	1504	Trojan.exe	netsh.exe
PID 1504 wrote to memory of 812	1504	Trojan.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
"C:\Users\Admin\AppData\Local\Temp\df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1016

C:\Users\Admin\AppData\Local\Temp\df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe
"C:\Users\Admin\AppData\Local\Temp\df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56.exe"
2⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1924

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
60KB

MD5
589c442fc7a0c70dca927115a700d41e

SHA1
66a07dace3afbfd1aa07a47e6875beab62c4bb31

SHA256
2e5cb72e9eb43baafb6c6bfcc573aac92f49a8064c483f9d378a9e8e781a526a

SHA512
1b5fa79e52be495c42cf49618441fb7012e28c02e7a08a91da9213db3ab810f0e83485bc1dd5f625a47d0ba7cfcdd5ea50acc9a8dcebb39f048c40f01e94155b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
3b8c38e5fee31fdb2c7f7d723371fa8c

SHA1
f3af8d44b66bc3ff1895b7de5797391470dba3ec

SHA256
c664b257014243fb36eee3f00523bdc71d112fcf4f67c1e7d6f89fdefed0f115

SHA512
3f168cbafc2d6218fa2d85fecd3c9a5eab77989f02f19d17cac0442862301a29a5c650f84f6b3ea5433249c3215e2d1d3582cfaf4574fc3c40b1509ffb3a01a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize
212KB

MD5
97cdc2694b476ab047a4d162d19ba8a6

SHA1
56d6f2e31897873d1f38564f659e5b36992a27d2

SHA256
df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56

SHA512
f7956d6a6058ae1c496fae3b5985a60894718a66159b6f3f12ab1c6e3c67442defb6ba30233101db62e5b949a29719f19a5e029fdf0164e8886b4a9173d3987a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize
212KB

MD5
97cdc2694b476ab047a4d162d19ba8a6

SHA1
56d6f2e31897873d1f38564f659e5b36992a27d2

SHA256
df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56

SHA512
f7956d6a6058ae1c496fae3b5985a60894718a66159b6f3f12ab1c6e3c67442defb6ba30233101db62e5b949a29719f19a5e029fdf0164e8886b4a9173d3987a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize
212KB

MD5
97cdc2694b476ab047a4d162d19ba8a6

SHA1
56d6f2e31897873d1f38564f659e5b36992a27d2

SHA256
df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56

SHA512
f7956d6a6058ae1c496fae3b5985a60894718a66159b6f3f12ab1c6e3c67442defb6ba30233101db62e5b949a29719f19a5e029fdf0164e8886b4a9173d3987a

Download Submit
\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize
212KB

MD5
97cdc2694b476ab047a4d162d19ba8a6

SHA1
56d6f2e31897873d1f38564f659e5b36992a27d2

SHA256
df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56

SHA512
f7956d6a6058ae1c496fae3b5985a60894718a66159b6f3f12ab1c6e3c67442defb6ba30233101db62e5b949a29719f19a5e029fdf0164e8886b4a9173d3987a

Download Submit
\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize
212KB

MD5
97cdc2694b476ab047a4d162d19ba8a6

SHA1
56d6f2e31897873d1f38564f659e5b36992a27d2

SHA256
df8b843854a0518dd942a451a8c3938c7e7b7e494a438b1af7eea6c3d3303a56

SHA512
f7956d6a6058ae1c496fae3b5985a60894718a66159b6f3f12ab1c6e3c67442defb6ba30233101db62e5b949a29719f19a5e029fdf0164e8886b4a9173d3987a

Download Submit
memory/812-94-0x0000000000000000-mapping.dmp

Download
memory/1016-55-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/1016-56-0x00000000005C0000-0x00000000005CA000-memory.dmp

Filesize
40KB

Download
memory/1016-54-0x0000000000300000-0x000000000033A000-memory.dmp

Filesize
232KB

Download
memory/1504-85-0x0000000000408E3A-mapping.dmp

Download
memory/1744-63-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1744-71-0x00000000005E0000-0x00000000005EE000-memory.dmp

Filesize
56KB

Download
memory/1744-69-0x00000000002F0000-0x00000000002F8000-memory.dmp

Filesize
32KB

Download
memory/1744-66-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1744-68-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1744-60-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1744-62-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1744-64-0x0000000000408E3A-mapping.dmp

Download
memory/1744-58-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1744-57-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1924-73-0x0000000000000000-mapping.dmp

Download
memory/1924-76-0x0000000001360000-0x000000000139A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads