bitrat | 56d029f38edfb1aee407aa0fdff20a61e61707324dc2119049b941a1951a7d32

Analysis

max time kernel
596s
max time network
610s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12-08-2022 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ZMANHSYTGDH.exe
Size

300.0MB
MD5

a730bb7884d349d1ddc845d21836b94c
SHA1

fd6594a90a24130f8888fcf626450dd7d2aaaead
SHA256

56d029f38edfb1aee407aa0fdff20a61e61707324dc2119049b941a1951a7d32
SHA512

b19fbd1bae8d92336848bdfad4f27806637d71258b61cccda6413c1f350e90f00134b8c55c25813dd742557202e258bb1cbb43b46fc1feb1f1a7d96e816c6504

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

bitrat9300.duckdns.org:9300

Attributes

communication_password
e10adc3949ba59abbe56e057f20f883e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 9 IoCs

Processes:

kjhgf.exekjhgf.exekjhgf.exekjhgf.exekjhgf.exekjhgf.exekjhgf.exekjhgf.exekjhgf.exe

pid process

332 kjhgf.exe
1880 kjhgf.exe
328 kjhgf.exe
1460 kjhgf.exe
1976 kjhgf.exe
976 kjhgf.exe
1128 kjhgf.exe
1916 kjhgf.exe
2040 kjhgf.exe

pid	process
332	kjhgf.exe
1880	kjhgf.exe
328	kjhgf.exe
1460	kjhgf.exe
1976	kjhgf.exe
976	kjhgf.exe
1128	kjhgf.exe
1916	kjhgf.exe
2040	kjhgf.exe

UPX packed file 30 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1992-60-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1992-62-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1992-63-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1992-65-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1992-66-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1992-69-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1992-70-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1992-71-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1992-72-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1092-87-0x0000000000430000-0x0000000000814000-memory.dmp	upx
behavioral1/memory/1092-88-0x0000000000430000-0x0000000000814000-memory.dmp	upx
behavioral1/memory/1092-91-0x0000000000430000-0x0000000000814000-memory.dmp	upx
behavioral1/memory/1092-93-0x0000000000430000-0x0000000000814000-memory.dmp	upx
behavioral1/memory/1092-94-0x0000000000430000-0x0000000000814000-memory.dmp	upx
behavioral1/memory/1976-114-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1976-115-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/332-135-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/332-136-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1616-156-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1616-157-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/684-177-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/684-178-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1064-198-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1064-199-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1620-218-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1620-219-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1480-239-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1480-240-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2028-260-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2028-261-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

Processes:

RegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exe

pid	process
1992	RegAsm.exe
1992	RegAsm.exe
1992	RegAsm.exe
1992	RegAsm.exe
1092	RegAsm.exe
1976	RegAsm.exe
332	RegAsm.exe
1616	RegAsm.exe
684	RegAsm.exe
1064	RegAsm.exe
1620	RegAsm.exe
1480	RegAsm.exe
2028	RegAsm.exe

Suspicious use of SetThreadContext 10 IoCs

Processes:

ZMANHSYTGDH.exekjhgf.exekjhgf.exekjhgf.exekjhgf.exekjhgf.exekjhgf.exekjhgf.exekjhgf.exekjhgf.exe

description	pid	process	target process
PID 1664 set thread context of 1992	1664	ZMANHSYTGDH.exe	RegAsm.exe
PID 332 set thread context of 1092	332	kjhgf.exe	RegAsm.exe
PID 1880 set thread context of 1976	1880	kjhgf.exe	RegAsm.exe
PID 328 set thread context of 332	328	kjhgf.exe	RegAsm.exe
PID 1460 set thread context of 1616	1460	kjhgf.exe	RegAsm.exe
PID 1976 set thread context of 684	1976	kjhgf.exe	RegAsm.exe
PID 976 set thread context of 1064	976	kjhgf.exe	RegAsm.exe
PID 1128 set thread context of 1620	1128	kjhgf.exe	RegAsm.exe
PID 1916 set thread context of 1480	1916	kjhgf.exe	RegAsm.exe
PID 2040 set thread context of 2028	2040	kjhgf.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2032	schtasks.exe
2028	schtasks.exe
1684	schtasks.exe
1604	schtasks.exe
1984	schtasks.exe
1060	schtasks.exe
692	schtasks.exe
1980	schtasks.exe
1116	schtasks.exe
692	schtasks.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

RegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1992	RegAsm.exe
Token: SeShutdownPrivilege	1992	RegAsm.exe
Token: SeDebugPrivilege	1092	RegAsm.exe
Token: SeShutdownPrivilege	1092	RegAsm.exe
Token: SeDebugPrivilege	1976	RegAsm.exe
Token: SeShutdownPrivilege	1976	RegAsm.exe
Token: SeDebugPrivilege	332	RegAsm.exe
Token: SeShutdownPrivilege	332	RegAsm.exe
Token: SeDebugPrivilege	1616	RegAsm.exe
Token: SeShutdownPrivilege	1616	RegAsm.exe
Token: SeDebugPrivilege	684	RegAsm.exe
Token: SeShutdownPrivilege	684	RegAsm.exe
Token: SeDebugPrivilege	1064	RegAsm.exe
Token: SeShutdownPrivilege	1064	RegAsm.exe
Token: SeDebugPrivilege	1620	RegAsm.exe
Token: SeShutdownPrivilege	1620	RegAsm.exe
Token: SeDebugPrivilege	1480	RegAsm.exe
Token: SeShutdownPrivilege	1480	RegAsm.exe
Token: SeDebugPrivilege	2028	RegAsm.exe
Token: SeShutdownPrivilege	2028	RegAsm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

1992 RegAsm.exe
1992 RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ZMANHSYTGDH.execmd.exetaskeng.exekjhgf.execmd.exekjhgf.execmd.exe

description	pid	process	target process
PID 1664 wrote to memory of 828	1664	ZMANHSYTGDH.exe	cmd.exe
PID 1664 wrote to memory of 828	1664	ZMANHSYTGDH.exe	cmd.exe
PID 1664 wrote to memory of 828	1664	ZMANHSYTGDH.exe	cmd.exe
PID 1664 wrote to memory of 828	1664	ZMANHSYTGDH.exe	cmd.exe
PID 1664 wrote to memory of 2004	1664	ZMANHSYTGDH.exe	cmd.exe
PID 1664 wrote to memory of 2004	1664	ZMANHSYTGDH.exe	cmd.exe
PID 1664 wrote to memory of 2004	1664	ZMANHSYTGDH.exe	cmd.exe
PID 1664 wrote to memory of 2004	1664	ZMANHSYTGDH.exe	cmd.exe
PID 828 wrote to memory of 2032	828	cmd.exe	schtasks.exe
PID 828 wrote to memory of 2032	828	cmd.exe	schtasks.exe
PID 828 wrote to memory of 2032	828	cmd.exe	schtasks.exe
PID 828 wrote to memory of 2032	828	cmd.exe	schtasks.exe
PID 1664 wrote to memory of 1992	1664	ZMANHSYTGDH.exe	RegAsm.exe
PID 1664 wrote to memory of 1992	1664	ZMANHSYTGDH.exe	RegAsm.exe
PID 1664 wrote to memory of 1992	1664	ZMANHSYTGDH.exe	RegAsm.exe
PID 1664 wrote to memory of 1992	1664	ZMANHSYTGDH.exe	RegAsm.exe
PID 1664 wrote to memory of 1992	1664	ZMANHSYTGDH.exe	RegAsm.exe
PID 1664 wrote to memory of 1992	1664	ZMANHSYTGDH.exe	RegAsm.exe
PID 1664 wrote to memory of 1992	1664	ZMANHSYTGDH.exe	RegAsm.exe
PID 1664 wrote to memory of 1992	1664	ZMANHSYTGDH.exe	RegAsm.exe
PID 1664 wrote to memory of 1992	1664	ZMANHSYTGDH.exe	RegAsm.exe
PID 1664 wrote to memory of 1992	1664	ZMANHSYTGDH.exe	RegAsm.exe
PID 1664 wrote to memory of 1992	1664	ZMANHSYTGDH.exe	RegAsm.exe
PID 1096 wrote to memory of 332	1096	taskeng.exe	kjhgf.exe
PID 1096 wrote to memory of 332	1096	taskeng.exe	kjhgf.exe
PID 1096 wrote to memory of 332	1096	taskeng.exe	kjhgf.exe
PID 1096 wrote to memory of 332	1096	taskeng.exe	kjhgf.exe
PID 332 wrote to memory of 584	332	kjhgf.exe	cmd.exe
PID 332 wrote to memory of 584	332	kjhgf.exe	cmd.exe
PID 332 wrote to memory of 584	332	kjhgf.exe	cmd.exe
PID 332 wrote to memory of 584	332	kjhgf.exe	cmd.exe
PID 332 wrote to memory of 1484	332	kjhgf.exe	cmd.exe
PID 332 wrote to memory of 1484	332	kjhgf.exe	cmd.exe
PID 332 wrote to memory of 1484	332	kjhgf.exe	cmd.exe
PID 332 wrote to memory of 1484	332	kjhgf.exe	cmd.exe
PID 332 wrote to memory of 1092	332	kjhgf.exe	RegAsm.exe
PID 332 wrote to memory of 1092	332	kjhgf.exe	RegAsm.exe
PID 332 wrote to memory of 1092	332	kjhgf.exe	RegAsm.exe
PID 332 wrote to memory of 1092	332	kjhgf.exe	RegAsm.exe
PID 332 wrote to memory of 1092	332	kjhgf.exe	RegAsm.exe
PID 332 wrote to memory of 1092	332	kjhgf.exe	RegAsm.exe
PID 332 wrote to memory of 1092	332	kjhgf.exe	RegAsm.exe
PID 584 wrote to memory of 692	584	cmd.exe	schtasks.exe
PID 584 wrote to memory of 692	584	cmd.exe	schtasks.exe
PID 584 wrote to memory of 692	584	cmd.exe	schtasks.exe
PID 584 wrote to memory of 692	584	cmd.exe	schtasks.exe
PID 332 wrote to memory of 1092	332	kjhgf.exe	RegAsm.exe
PID 332 wrote to memory of 1092	332	kjhgf.exe	RegAsm.exe
PID 332 wrote to memory of 1092	332	kjhgf.exe	RegAsm.exe
PID 332 wrote to memory of 1092	332	kjhgf.exe	RegAsm.exe
PID 1096 wrote to memory of 1880	1096	taskeng.exe	kjhgf.exe
PID 1096 wrote to memory of 1880	1096	taskeng.exe	kjhgf.exe
PID 1096 wrote to memory of 1880	1096	taskeng.exe	kjhgf.exe
PID 1096 wrote to memory of 1880	1096	taskeng.exe	kjhgf.exe
PID 1880 wrote to memory of 2036	1880	kjhgf.exe	cmd.exe
PID 1880 wrote to memory of 2036	1880	kjhgf.exe	cmd.exe
PID 1880 wrote to memory of 2036	1880	kjhgf.exe	cmd.exe
PID 1880 wrote to memory of 2036	1880	kjhgf.exe	cmd.exe
PID 1880 wrote to memory of 2028	1880	kjhgf.exe	cmd.exe
PID 1880 wrote to memory of 2028	1880	kjhgf.exe	cmd.exe
PID 1880 wrote to memory of 2028	1880	kjhgf.exe	cmd.exe
PID 1880 wrote to memory of 2028	1880	kjhgf.exe	cmd.exe
PID 2036 wrote to memory of 1980	2036	cmd.exe	schtasks.exe
PID 2036 wrote to memory of 1980	2036	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\ZMANHSYTGDH.exe
"C:\Users\Admin\AppData\Local\Temp\ZMANHSYTGDH.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2032

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\ZMANHSYTGDH.exe" "C:\Users\Admin\AppData\Roaming\kjhgf.exe"
2⤵
PID:2004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1992

C:\Windows\system32\taskeng.exe
taskeng.exe {1A13FE7A-D5A5-4480-8E7D-4E85615F8375} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1096

C:\Users\Admin\AppData\Roaming\kjhgf.exe
C:\Users\Admin\AppData\Roaming\kjhgf.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
4⤵
- Creates scheduled task(s)
PID:692

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\kjhgf.exe" "C:\Users\Admin\AppData\Roaming\kjhgf.exe"
3⤵
PID:1484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Users\Admin\AppData\Roaming\kjhgf.exe
C:\Users\Admin\AppData\Roaming\kjhgf.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1980

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\kjhgf.exe" "C:\Users\Admin\AppData\Roaming\kjhgf.exe"
3⤵
PID:2028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Users\Admin\AppData\Roaming\kjhgf.exe
C:\Users\Admin\AppData\Roaming\kjhgf.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:328

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
3⤵
PID:684

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1116

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\kjhgf.exe" "C:\Users\Admin\AppData\Roaming\kjhgf.exe"
3⤵
PID:1252

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:332

C:\Users\Admin\AppData\Roaming\kjhgf.exe
C:\Users\Admin\AppData\Roaming\kjhgf.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1460

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
3⤵
PID:2032

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
4⤵
- Creates scheduled task(s)
PID:2028

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\kjhgf.exe" "C:\Users\Admin\AppData\Roaming\kjhgf.exe"
3⤵
PID:1600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Users\Admin\AppData\Roaming\kjhgf.exe
C:\Users\Admin\AppData\Roaming\kjhgf.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1976

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
3⤵
PID:432

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
4⤵
- Creates scheduled task(s)
PID:692

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\kjhgf.exe" "C:\Users\Admin\AppData\Roaming\kjhgf.exe"
3⤵
PID:2012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Users\Admin\AppData\Roaming\kjhgf.exe
C:\Users\Admin\AppData\Roaming\kjhgf.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:976

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
3⤵
PID:1812

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1984

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\kjhgf.exe" "C:\Users\Admin\AppData\Roaming\kjhgf.exe"
3⤵
PID:1188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Users\Admin\AppData\Roaming\kjhgf.exe
C:\Users\Admin\AppData\Roaming\kjhgf.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1128

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
3⤵
PID:548

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1684

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\kjhgf.exe" "C:\Users\Admin\AppData\Roaming\kjhgf.exe"
3⤵
PID:832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Users\Admin\AppData\Roaming\kjhgf.exe
C:\Users\Admin\AppData\Roaming\kjhgf.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1916

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
3⤵
PID:368

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1060

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\kjhgf.exe" "C:\Users\Admin\AppData\Roaming\kjhgf.exe"
3⤵
PID:1400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Users\Admin\AppData\Roaming\kjhgf.exe
C:\Users\Admin\AppData\Roaming\kjhgf.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2040

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
3⤵
PID:1608

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\kjhgf.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1604

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\kjhgf.exe" "C:\Users\Admin\AppData\Roaming\kjhgf.exe"
3⤵
PID:1700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\kjhgf.exe
Filesize
300.0MB

MD5
a730bb7884d349d1ddc845d21836b94c

SHA1
fd6594a90a24130f8888fcf626450dd7d2aaaead

SHA256
56d029f38edfb1aee407aa0fdff20a61e61707324dc2119049b941a1951a7d32

SHA512
b19fbd1bae8d92336848bdfad4f27806637d71258b61cccda6413c1f350e90f00134b8c55c25813dd742557202e258bb1cbb43b46fc1feb1f1a7d96e816c6504

Download Submit
C:\Users\Admin\AppData\Roaming\kjhgf.exe
Filesize
300.0MB

MD5
a730bb7884d349d1ddc845d21836b94c

SHA1
fd6594a90a24130f8888fcf626450dd7d2aaaead

SHA256
56d029f38edfb1aee407aa0fdff20a61e61707324dc2119049b941a1951a7d32

SHA512
b19fbd1bae8d92336848bdfad4f27806637d71258b61cccda6413c1f350e90f00134b8c55c25813dd742557202e258bb1cbb43b46fc1feb1f1a7d96e816c6504

Download Submit
C:\Users\Admin\AppData\Roaming\kjhgf.exe
Filesize
300.0MB

MD5
a730bb7884d349d1ddc845d21836b94c

SHA1
fd6594a90a24130f8888fcf626450dd7d2aaaead

SHA256
56d029f38edfb1aee407aa0fdff20a61e61707324dc2119049b941a1951a7d32

SHA512
b19fbd1bae8d92336848bdfad4f27806637d71258b61cccda6413c1f350e90f00134b8c55c25813dd742557202e258bb1cbb43b46fc1feb1f1a7d96e816c6504

Download Submit
C:\Users\Admin\AppData\Roaming\kjhgf.exe
Filesize
300.0MB

MD5
a730bb7884d349d1ddc845d21836b94c

SHA1
fd6594a90a24130f8888fcf626450dd7d2aaaead

SHA256
56d029f38edfb1aee407aa0fdff20a61e61707324dc2119049b941a1951a7d32

SHA512
b19fbd1bae8d92336848bdfad4f27806637d71258b61cccda6413c1f350e90f00134b8c55c25813dd742557202e258bb1cbb43b46fc1feb1f1a7d96e816c6504

Download Submit
C:\Users\Admin\AppData\Roaming\kjhgf.exe
Filesize
300.0MB

MD5
a730bb7884d349d1ddc845d21836b94c

SHA1
fd6594a90a24130f8888fcf626450dd7d2aaaead

SHA256
56d029f38edfb1aee407aa0fdff20a61e61707324dc2119049b941a1951a7d32

SHA512
b19fbd1bae8d92336848bdfad4f27806637d71258b61cccda6413c1f350e90f00134b8c55c25813dd742557202e258bb1cbb43b46fc1feb1f1a7d96e816c6504

Download Submit
C:\Users\Admin\AppData\Roaming\kjhgf.exe
Filesize
300.0MB

MD5
a730bb7884d349d1ddc845d21836b94c

SHA1
fd6594a90a24130f8888fcf626450dd7d2aaaead

SHA256
56d029f38edfb1aee407aa0fdff20a61e61707324dc2119049b941a1951a7d32

SHA512
b19fbd1bae8d92336848bdfad4f27806637d71258b61cccda6413c1f350e90f00134b8c55c25813dd742557202e258bb1cbb43b46fc1feb1f1a7d96e816c6504

Download Submit
C:\Users\Admin\AppData\Roaming\kjhgf.exe
Filesize
300.0MB

MD5
a730bb7884d349d1ddc845d21836b94c

SHA1
fd6594a90a24130f8888fcf626450dd7d2aaaead

SHA256
56d029f38edfb1aee407aa0fdff20a61e61707324dc2119049b941a1951a7d32

SHA512
b19fbd1bae8d92336848bdfad4f27806637d71258b61cccda6413c1f350e90f00134b8c55c25813dd742557202e258bb1cbb43b46fc1feb1f1a7d96e816c6504

Download Submit
C:\Users\Admin\AppData\Roaming\kjhgf.exe
Filesize
300.0MB

MD5
a730bb7884d349d1ddc845d21836b94c

SHA1
fd6594a90a24130f8888fcf626450dd7d2aaaead

SHA256
56d029f38edfb1aee407aa0fdff20a61e61707324dc2119049b941a1951a7d32

SHA512
b19fbd1bae8d92336848bdfad4f27806637d71258b61cccda6413c1f350e90f00134b8c55c25813dd742557202e258bb1cbb43b46fc1feb1f1a7d96e816c6504

Download Submit
C:\Users\Admin\AppData\Roaming\kjhgf.exe
Filesize
300.0MB

MD5
a730bb7884d349d1ddc845d21836b94c

SHA1
fd6594a90a24130f8888fcf626450dd7d2aaaead

SHA256
56d029f38edfb1aee407aa0fdff20a61e61707324dc2119049b941a1951a7d32

SHA512
b19fbd1bae8d92336848bdfad4f27806637d71258b61cccda6413c1f350e90f00134b8c55c25813dd742557202e258bb1cbb43b46fc1feb1f1a7d96e816c6504

Download Submit
C:\Users\Admin\AppData\Roaming\kjhgf.exe
Filesize
300.0MB

MD5
a730bb7884d349d1ddc845d21836b94c

SHA1
fd6594a90a24130f8888fcf626450dd7d2aaaead

SHA256
56d029f38edfb1aee407aa0fdff20a61e61707324dc2119049b941a1951a7d32

SHA512
b19fbd1bae8d92336848bdfad4f27806637d71258b61cccda6413c1f350e90f00134b8c55c25813dd742557202e258bb1cbb43b46fc1feb1f1a7d96e816c6504

Download Submit
memory/328-118-0x00000000001A0000-0x0000000000348000-memory.dmp

Filesize
1.7MB

Download
memory/328-116-0x0000000000000000-mapping.dmp

Download
memory/332-128-0x00000000007E2730-mapping.dmp

Download
memory/332-135-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/332-136-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/332-74-0x0000000000000000-mapping.dmp

Download
memory/332-76-0x0000000000FC0000-0x0000000001168000-memory.dmp

Filesize
1.7MB

Download
memory/368-224-0x0000000000000000-mapping.dmp

Download
memory/432-162-0x0000000000000000-mapping.dmp

Download
memory/548-203-0x0000000000000000-mapping.dmp

Download
memory/584-78-0x0000000000000000-mapping.dmp

Download
memory/684-120-0x0000000000000000-mapping.dmp

Download
memory/684-170-0x00000000007E2730-mapping.dmp

Download
memory/684-178-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/684-177-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/692-80-0x0000000000000000-mapping.dmp

Download
memory/692-164-0x0000000000000000-mapping.dmp

Download
memory/828-56-0x0000000000000000-mapping.dmp

Download
memory/832-204-0x0000000000000000-mapping.dmp

Download
memory/976-179-0x0000000000000000-mapping.dmp

Download
memory/976-181-0x0000000001300000-0x00000000014A8000-memory.dmp

Filesize
1.7MB

Download
memory/1060-226-0x0000000000000000-mapping.dmp

Download
memory/1064-198-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1064-199-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1064-191-0x00000000007E2730-mapping.dmp

Download
memory/1092-87-0x0000000000430000-0x0000000000814000-memory.dmp

Filesize
3.9MB

Download
memory/1092-94-0x0000000000430000-0x0000000000814000-memory.dmp

Filesize
3.9MB

Download
memory/1092-91-0x0000000000430000-0x0000000000814000-memory.dmp

Filesize
3.9MB

Download
memory/1092-82-0x00000000006A2000-0x0000000000813000-memory.dmp

Filesize
1.4MB

Download
memory/1092-86-0x00000000007E2730-mapping.dmp

Download
memory/1092-88-0x0000000000430000-0x0000000000814000-memory.dmp

Filesize
3.9MB

Download
memory/1092-93-0x0000000000430000-0x0000000000814000-memory.dmp

Filesize
3.9MB

Download
memory/1116-122-0x0000000000000000-mapping.dmp

Download
memory/1128-200-0x0000000000000000-mapping.dmp

Download
memory/1188-184-0x0000000000000000-mapping.dmp

Download
memory/1252-121-0x0000000000000000-mapping.dmp

Download
memory/1400-225-0x0000000000000000-mapping.dmp

Download
memory/1460-139-0x0000000001050000-0x00000000011F8000-memory.dmp

Filesize
1.7MB

Download
memory/1460-137-0x0000000000000000-mapping.dmp

Download
memory/1480-232-0x00000000007E2730-mapping.dmp

Download
memory/1480-240-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1480-239-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1484-79-0x0000000000000000-mapping.dmp

Download
memory/1600-142-0x0000000000000000-mapping.dmp

Download
memory/1604-247-0x0000000000000000-mapping.dmp

Download
memory/1608-245-0x0000000000000000-mapping.dmp

Download
memory/1616-156-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1616-149-0x00000000007E2730-mapping.dmp

Download
memory/1616-157-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1620-219-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1620-211-0x00000000007E2730-mapping.dmp

Download
memory/1620-218-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1664-54-0x0000000001040000-0x00000000011E8000-memory.dmp

Filesize
1.7MB

Download
memory/1664-55-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download
memory/1684-205-0x0000000000000000-mapping.dmp

Download
memory/1700-246-0x0000000000000000-mapping.dmp

Download
memory/1812-183-0x0000000000000000-mapping.dmp

Download
memory/1880-95-0x0000000000000000-mapping.dmp

Download
memory/1880-97-0x00000000011A0000-0x0000000001348000-memory.dmp

Filesize
1.7MB

Download
memory/1916-222-0x0000000000050000-0x00000000001F8000-memory.dmp

Filesize
1.7MB

Download
memory/1916-220-0x0000000000000000-mapping.dmp

Download
memory/1976-158-0x0000000000000000-mapping.dmp

Download
memory/1976-115-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1976-114-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1976-107-0x00000000007E2730-mapping.dmp

Download
memory/1976-160-0x0000000001300000-0x00000000014A8000-memory.dmp

Filesize
1.7MB

Download
memory/1980-101-0x0000000000000000-mapping.dmp

Download
memory/1984-185-0x0000000000000000-mapping.dmp

Download
memory/1992-70-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1992-71-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1992-62-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1992-63-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1992-64-0x00000000007E2730-mapping.dmp

Download
memory/1992-65-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1992-59-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1992-66-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1992-72-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1992-69-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1992-60-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2004-57-0x0000000000000000-mapping.dmp

Download
memory/2012-163-0x0000000000000000-mapping.dmp

Download
memory/2028-143-0x0000000000000000-mapping.dmp

Download
memory/2028-100-0x0000000000000000-mapping.dmp

Download
memory/2028-253-0x00000000007E2730-mapping.dmp

Download
memory/2028-260-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2028-261-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2032-58-0x0000000000000000-mapping.dmp

Download
memory/2032-141-0x0000000000000000-mapping.dmp

Download
memory/2036-99-0x0000000000000000-mapping.dmp

Download
memory/2040-241-0x0000000000000000-mapping.dmp

Download
memory/2040-243-0x0000000000B70000-0x0000000000D18000-memory.dmp

Filesize
1.7MB

Download