njrat | 8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5

General

Target

8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
Size

164KB
MD5

715d74c965242d4a7d7eef5e8db5eac2
SHA1

a35ce7d6b5b205cb9cbdff2322f345b5b4c88749
SHA256

8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5
SHA512

991b8600e1247f507a4582fcf7915141f993057f993bfe7b8581f7ed70f94dbf6d7f5185d40894bcf4432318dd22b2d515dfb19c766676ab46f0b022c0ea77fd

Score

10^/10

njrat persistence trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

Client.exeClient.exeClient.exe

pid process

4252 Client.exe
2628 Client.exe
1076 Client.exe

pid	process
4252	Client.exe
2628	Client.exe
1076	Client.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe

Drops startup file 4 IoCs

Processes:

8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exeClient.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Client.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Client.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Client.exe\" .."	Client.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Client.exe\" .."	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2220 schtasks.exe
5116 schtasks.exe
1420 schtasks.exe
5032 schtasks.exe
3140 schtasks.exe
3676 schtasks.exe
3252 schtasks.exe
2468 schtasks.exe
Kills process with taskkill 8 IoCs
evasion

Processes:

TASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exeTASKKILL.exe

pid process

1116 TASKKILL.exe
2416 TASKKILL.exe
2748 TASKKILL.exe
2184 TASKKILL.exe
3588 TASKKILL.exe
3892 TASKKILL.exe
3272 TASKKILL.exe
1200 TASKKILL.exe

pid	process
2220	schtasks.exe
5116	schtasks.exe
1420	schtasks.exe
5032	schtasks.exe
3140	schtasks.exe
3676	schtasks.exe
3252	schtasks.exe
2468	schtasks.exe

pid	process
1116	TASKKILL.exe
2416	TASKKILL.exe
2748	TASKKILL.exe
2184	TASKKILL.exe
3588	TASKKILL.exe
3892	TASKKILL.exe
3272	TASKKILL.exe
1200	TASKKILL.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe

pid	process
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exeTASKKILL.exeTASKKILL.exeClient.exeTASKKILL.exeTASKKILL.exeClient.exeTASKKILL.exeTASKKILL.exeClient.exeTASKKILL.exeTASKKILL.exe

description	pid	process
Token: SeDebugPrivilege	1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
Token: SeDebugPrivilege	3272	TASKKILL.exe
Token: SeDebugPrivilege	3892	TASKKILL.exe
Token: SeDebugPrivilege	4252	Client.exe
Token: SeDebugPrivilege	1116	TASKKILL.exe
Token: SeDebugPrivilege	1200	TASKKILL.exe
Token: SeDebugPrivilege	2628	Client.exe
Token: SeDebugPrivilege	2748	TASKKILL.exe
Token: SeDebugPrivilege	2416	TASKKILL.exe
Token: 33	4252	Client.exe
Token: SeIncBasePriorityPrivilege	4252	Client.exe
Token: 33	4252	Client.exe
Token: SeIncBasePriorityPrivilege	4252	Client.exe
Token: 33	4252	Client.exe
Token: SeIncBasePriorityPrivilege	4252	Client.exe
Token: 33	4252	Client.exe
Token: SeIncBasePriorityPrivilege	4252	Client.exe
Token: 33	4252	Client.exe
Token: SeIncBasePriorityPrivilege	4252	Client.exe
Token: 33	4252	Client.exe
Token: SeIncBasePriorityPrivilege	4252	Client.exe
Token: SeDebugPrivilege	1076	Client.exe
Token: SeDebugPrivilege	2184	TASKKILL.exe
Token: SeDebugPrivilege	3588	TASKKILL.exe
Token: 33	4252	Client.exe
Token: SeIncBasePriorityPrivilege	4252	Client.exe
Token: 33	4252	Client.exe
Token: SeIncBasePriorityPrivilege	4252	Client.exe
Token: 33	4252	Client.exe
Token: SeIncBasePriorityPrivilege	4252	Client.exe
Token: 33	4252	Client.exe
Token: SeIncBasePriorityPrivilege	4252	Client.exe
Token: 33	4252	Client.exe
Token: SeIncBasePriorityPrivilege	4252	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exeClient.exeClient.exeClient.exe

description	pid	process	target process
PID 1484 wrote to memory of 2368	1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe	schtasks.exe
PID 1484 wrote to memory of 2368	1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe	schtasks.exe
PID 1484 wrote to memory of 2368	1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe	schtasks.exe
PID 1484 wrote to memory of 2220	1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe	schtasks.exe
PID 1484 wrote to memory of 2220	1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe	schtasks.exe
PID 1484 wrote to memory of 2220	1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe	schtasks.exe
PID 1484 wrote to memory of 3892	1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe	TASKKILL.exe
PID 1484 wrote to memory of 3892	1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe	TASKKILL.exe
PID 1484 wrote to memory of 3892	1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe	TASKKILL.exe
PID 1484 wrote to memory of 3272	1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe	TASKKILL.exe
PID 1484 wrote to memory of 3272	1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe	TASKKILL.exe
PID 1484 wrote to memory of 3272	1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe	TASKKILL.exe
PID 1484 wrote to memory of 1756	1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe	schtasks.exe
PID 1484 wrote to memory of 1756	1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe	schtasks.exe
PID 1484 wrote to memory of 1756	1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe	schtasks.exe
PID 1484 wrote to memory of 5116	1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe	schtasks.exe
PID 1484 wrote to memory of 5116	1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe	schtasks.exe
PID 1484 wrote to memory of 5116	1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe	schtasks.exe
PID 1484 wrote to memory of 4252	1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe	Client.exe
PID 1484 wrote to memory of 4252	1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe	Client.exe
PID 1484 wrote to memory of 4252	1484	8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe	Client.exe
PID 4252 wrote to memory of 3572	4252	Client.exe	schtasks.exe
PID 4252 wrote to memory of 3572	4252	Client.exe	schtasks.exe
PID 4252 wrote to memory of 3572	4252	Client.exe	schtasks.exe
PID 4252 wrote to memory of 1420	4252	Client.exe	schtasks.exe
PID 4252 wrote to memory of 1420	4252	Client.exe	schtasks.exe
PID 4252 wrote to memory of 1420	4252	Client.exe	schtasks.exe
PID 4252 wrote to memory of 1200	4252	Client.exe	TASKKILL.exe
PID 4252 wrote to memory of 1200	4252	Client.exe	TASKKILL.exe
PID 4252 wrote to memory of 1200	4252	Client.exe	TASKKILL.exe
PID 4252 wrote to memory of 1116	4252	Client.exe	TASKKILL.exe
PID 4252 wrote to memory of 1116	4252	Client.exe	TASKKILL.exe
PID 4252 wrote to memory of 1116	4252	Client.exe	TASKKILL.exe
PID 4252 wrote to memory of 3324	4252	Client.exe	schtasks.exe
PID 4252 wrote to memory of 3324	4252	Client.exe	schtasks.exe
PID 4252 wrote to memory of 3324	4252	Client.exe	schtasks.exe
PID 4252 wrote to memory of 5032	4252	Client.exe	schtasks.exe
PID 4252 wrote to memory of 5032	4252	Client.exe	schtasks.exe
PID 4252 wrote to memory of 5032	4252	Client.exe	schtasks.exe
PID 2628 wrote to memory of 3960	2628	Client.exe	schtasks.exe
PID 2628 wrote to memory of 3960	2628	Client.exe	schtasks.exe
PID 2628 wrote to memory of 3960	2628	Client.exe	schtasks.exe
PID 2628 wrote to memory of 3140	2628	Client.exe	schtasks.exe
PID 2628 wrote to memory of 3140	2628	Client.exe	schtasks.exe
PID 2628 wrote to memory of 3140	2628	Client.exe	schtasks.exe
PID 2628 wrote to memory of 2416	2628	Client.exe	TASKKILL.exe
PID 2628 wrote to memory of 2416	2628	Client.exe	TASKKILL.exe
PID 2628 wrote to memory of 2416	2628	Client.exe	TASKKILL.exe
PID 2628 wrote to memory of 2748	2628	Client.exe	TASKKILL.exe
PID 2628 wrote to memory of 2748	2628	Client.exe	TASKKILL.exe
PID 2628 wrote to memory of 2748	2628	Client.exe	TASKKILL.exe
PID 2628 wrote to memory of 4248	2628	Client.exe	schtasks.exe
PID 2628 wrote to memory of 4248	2628	Client.exe	schtasks.exe
PID 2628 wrote to memory of 4248	2628	Client.exe	schtasks.exe
PID 2628 wrote to memory of 3676	2628	Client.exe	schtasks.exe
PID 2628 wrote to memory of 3676	2628	Client.exe	schtasks.exe
PID 2628 wrote to memory of 3676	2628	Client.exe	schtasks.exe
PID 1076 wrote to memory of 1136	1076	Client.exe	schtasks.exe
PID 1076 wrote to memory of 1136	1076	Client.exe	schtasks.exe
PID 1076 wrote to memory of 1136	1076	Client.exe	schtasks.exe
PID 1076 wrote to memory of 3252	1076	Client.exe	schtasks.exe
PID 1076 wrote to memory of 3252	1076	Client.exe	schtasks.exe
PID 1076 wrote to memory of 3252	1076	Client.exe	schtasks.exe
PID 1076 wrote to memory of 2184	1076	Client.exe	TASKKILL.exe

C:\Users\Admin\AppData\Local\Temp\8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe
"C:\Users\Admin\AppData\Local\Temp\8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYANP /F
2⤵
PID:2368

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe" /sc minute /mo 5
2⤵
- Creates scheduled task(s)
PID:2220

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3272

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
2⤵
PID:1756

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5.exe" /sc minute /mo 1
2⤵
- Creates scheduled task(s)
PID:5116

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4252

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYANP /F
3⤵
PID:3572

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\Client.exe" /sc minute /mo 5
3⤵
- Creates scheduled task(s)
PID:1420

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
3⤵
PID:3324

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\Client.exe" /sc minute /mo 1
3⤵
- Creates scheduled task(s)
PID:5032

C:\Users\Admin\AppData\Local\Temp\Client.exe
C:\Users\Admin\AppData\Local\Temp\Client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYANP /F
2⤵
PID:3960

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\Client.exe" /sc minute /mo 5
2⤵
- Creates scheduled task(s)
PID:3140

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
2⤵
PID:4248

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\Client.exe" /sc minute /mo 1
2⤵
- Creates scheduled task(s)
PID:3676

C:\Users\Admin\AppData\Local\Temp\Client.exe
C:\Users\Admin\AppData\Local\Temp\Client.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYANP /F
2⤵
PID:1136

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\Client.exe" /sc minute /mo 5
2⤵
- Creates scheduled task(s)
PID:3252

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM wscript.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\SysWOW64\TASKKILL.exe
TASKKILL /F /IM cmd.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn NYAN /F
2⤵
PID:4404

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\Client.exe" /sc minute /mo 1
2⤵
- Creates scheduled task(s)
PID:2468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Client.exe.log
Filesize
408B

MD5
40b0c3caa1b14a4c83e8475c46bf2016

SHA1
af9575cda4d842f028d18b17063796a894ecd9d0

SHA256
70e88a428d92b6ab5905dac9f324824c4c6f120bc3f385c82b2d12f707a4a867

SHA512
916437df737de4b6063b7116b4d148229d4a975eb4046122d47434b81fba06e88e09e5f273ec496c81ef3feecb843ccad20a7a04074224416c1fa9951acbdac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe
Filesize
164KB

MD5
715d74c965242d4a7d7eef5e8db5eac2

SHA1
a35ce7d6b5b205cb9cbdff2322f345b5b4c88749

SHA256
8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5

SHA512
991b8600e1247f507a4582fcf7915141f993057f993bfe7b8581f7ed70f94dbf6d7f5185d40894bcf4432318dd22b2d515dfb19c766676ab46f0b022c0ea77fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe
Filesize
164KB

MD5
715d74c965242d4a7d7eef5e8db5eac2

SHA1
a35ce7d6b5b205cb9cbdff2322f345b5b4c88749

SHA256
8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5

SHA512
991b8600e1247f507a4582fcf7915141f993057f993bfe7b8581f7ed70f94dbf6d7f5185d40894bcf4432318dd22b2d515dfb19c766676ab46f0b022c0ea77fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe
Filesize
164KB

MD5
715d74c965242d4a7d7eef5e8db5eac2

SHA1
a35ce7d6b5b205cb9cbdff2322f345b5b4c88749

SHA256
8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5

SHA512
991b8600e1247f507a4582fcf7915141f993057f993bfe7b8581f7ed70f94dbf6d7f5185d40894bcf4432318dd22b2d515dfb19c766676ab46f0b022c0ea77fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe
Filesize
164KB

MD5
715d74c965242d4a7d7eef5e8db5eac2

SHA1
a35ce7d6b5b205cb9cbdff2322f345b5b4c88749

SHA256
8f421c919d5d885275754df8539ef6ee7da254c2835e405522467d8adb4379f5

SHA512
991b8600e1247f507a4582fcf7915141f993057f993bfe7b8581f7ed70f94dbf6d7f5185d40894bcf4432318dd22b2d515dfb19c766676ab46f0b022c0ea77fd

Download Submit
memory/1076-170-0x00000000752F0000-0x00000000758A1000-memory.dmp

Filesize
5.7MB

Download
memory/1076-167-0x00000000752F0000-0x00000000758A1000-memory.dmp

Filesize
5.7MB

Download
memory/1076-166-0x00000000752F0000-0x00000000758A1000-memory.dmp

Filesize
5.7MB

Download
memory/1116-145-0x0000000000000000-mapping.dmp

Download
memory/1136-162-0x0000000000000000-mapping.dmp

Download
memory/1200-144-0x0000000000000000-mapping.dmp

Download
memory/1420-143-0x0000000000000000-mapping.dmp

Download
memory/1484-130-0x00000000752F0000-0x00000000758A1000-memory.dmp

Filesize
5.7MB

Download
memory/1484-135-0x00000000752F0000-0x00000000758A1000-memory.dmp

Filesize
5.7MB

Download
memory/1484-141-0x00000000752F0000-0x00000000758A1000-memory.dmp

Filesize
5.7MB

Download
memory/1756-136-0x0000000000000000-mapping.dmp

Download
memory/2184-164-0x0000000000000000-mapping.dmp

Download
memory/2220-132-0x0000000000000000-mapping.dmp

Download
memory/2368-131-0x0000000000000000-mapping.dmp

Download
memory/2416-154-0x0000000000000000-mapping.dmp

Download
memory/2468-169-0x0000000000000000-mapping.dmp

Download
memory/2628-159-0x00000000752F0000-0x00000000758A1000-memory.dmp

Filesize
5.7MB

Download
memory/2628-151-0x00000000752F0000-0x00000000758A1000-memory.dmp

Filesize
5.7MB

Download
memory/2628-156-0x00000000752F0000-0x00000000758A1000-memory.dmp

Filesize
5.7MB

Download
memory/2748-155-0x0000000000000000-mapping.dmp

Download
memory/3140-153-0x0000000000000000-mapping.dmp

Download
memory/3252-163-0x0000000000000000-mapping.dmp

Download
memory/3272-134-0x0000000000000000-mapping.dmp

Download
memory/3324-148-0x0000000000000000-mapping.dmp

Download
memory/3572-142-0x0000000000000000-mapping.dmp

Download
memory/3588-165-0x0000000000000000-mapping.dmp

Download
memory/3676-158-0x0000000000000000-mapping.dmp

Download
memory/3892-133-0x0000000000000000-mapping.dmp

Download
memory/3960-152-0x0000000000000000-mapping.dmp

Download
memory/4248-157-0x0000000000000000-mapping.dmp

Download
memory/4252-147-0x00000000752F0000-0x00000000758A1000-memory.dmp

Filesize
5.7MB

Download
memory/4252-146-0x00000000752F0000-0x00000000758A1000-memory.dmp

Filesize
5.7MB

Download
memory/4252-138-0x0000000000000000-mapping.dmp

Download
memory/4404-168-0x0000000000000000-mapping.dmp

Download
memory/5032-149-0x0000000000000000-mapping.dmp

Download
memory/5116-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads