bitrat | 33ebe7e430fa3fff37659157265de962dbc323adfac47489ab339855e60c13f6

Analysis

max time kernel
601s
max time network
607s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
09-09-2022 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BILLPAYM.exe
Size

300.0MB
MD5

41d8a777ddc40a009a046f88900c0b80
SHA1

25dfd72ffe79eb5884d27fead86f4886bed638de
SHA256

e6844a84f9210b5803147c158c841404331177bf409dab05fecb3b3303d50347
SHA512

e75f3bfc85ed1def013474d61d5ee936ce36f499e0e111a7a1264180b7c7cc0b9a35469c35549e14c5efccc105db509aa5935152aab4e028b038e12b126f4514
SSDEEP

24576:R+GQ7D8nXiNeGFPQKpFCjI/teJb2Q/eF2YlIECXRPbSVKcS2nOI3lqaNJJxEJYsO:R+GaeGtpFC8/mb9ejKulkPaNJo

Score

10^/10

bitrat trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

newbithere.duckdns.org:2005

Attributes

communication_password
827ccb0eea8a706c4c34a16891f84e7b
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 9 IoCs

Processes:

Windows.exeWindows.exeWindows.exeWindows.exeWindows.exeWindows.exeWindows.exeWindows.exeWindows.exe

pid process

1016 Windows.exe
1692 Windows.exe
1040 Windows.exe
1340 Windows.exe
1320 Windows.exe
1648 Windows.exe
1600 Windows.exe
576 Windows.exe
2044 Windows.exe

pid	process
1016	Windows.exe
1692	Windows.exe
1040	Windows.exe
1340	Windows.exe
1320	Windows.exe
1648	Windows.exe
1600	Windows.exe
576	Windows.exe
2044	Windows.exe

UPX packed file 36 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/548-60-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/548-62-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/548-63-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/548-65-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/548-66-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/548-69-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/548-70-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/548-71-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/548-74-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1260-97-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1260-98-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1544-118-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1544-119-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2000-133-0x0000000000440000-0x0000000000824000-memory.dmp	upx
behavioral1/memory/2000-134-0x0000000000440000-0x0000000000824000-memory.dmp	upx
behavioral1/memory/2000-137-0x0000000000440000-0x0000000000824000-memory.dmp	upx
behavioral1/memory/2000-139-0x0000000000440000-0x0000000000824000-memory.dmp	upx
behavioral1/memory/2000-140-0x0000000000440000-0x0000000000824000-memory.dmp	upx
behavioral1/memory/1520-155-0x0000000000460000-0x0000000000844000-memory.dmp	upx
behavioral1/memory/1520-158-0x0000000000460000-0x0000000000844000-memory.dmp	upx
behavioral1/memory/1520-154-0x0000000000460000-0x0000000000844000-memory.dmp	upx
behavioral1/memory/1520-160-0x0000000000460000-0x0000000000844000-memory.dmp	upx
behavioral1/memory/1520-161-0x0000000000460000-0x0000000000844000-memory.dmp	upx
behavioral1/memory/1972-179-0x0000000000410000-0x00000000007F4000-memory.dmp	upx
behavioral1/memory/1972-176-0x0000000000410000-0x00000000007F4000-memory.dmp	upx
behavioral1/memory/1972-175-0x0000000000410000-0x00000000007F4000-memory.dmp	upx
behavioral1/memory/1972-181-0x0000000000410000-0x00000000007F4000-memory.dmp	upx
behavioral1/memory/1972-182-0x0000000000410000-0x00000000007F4000-memory.dmp	upx
behavioral1/memory/1712-202-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1712-203-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1036-223-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1036-224-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/744-244-0x0000000000460000-0x0000000000844000-memory.dmp	upx
behavioral1/memory/744-245-0x0000000000460000-0x0000000000844000-memory.dmp	upx
behavioral1/memory/1708-265-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1708-266-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

Processes:

RegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exe

pid	process
548	RegAsm.exe
548	RegAsm.exe
548	RegAsm.exe
548	RegAsm.exe
548	RegAsm.exe
1260	RegAsm.exe
1544	RegAsm.exe
2000	RegAsm.exe
1520	RegAsm.exe
1972	RegAsm.exe
1712	RegAsm.exe
1036	RegAsm.exe
744	RegAsm.exe
1708	RegAsm.exe

Suspicious use of SetThreadContext 10 IoCs

Processes:

BILLPAYM.exeWindows.exeWindows.exeWindows.exeWindows.exeWindows.exeWindows.exeWindows.exeWindows.exeWindows.exe

description	pid	process	target process
PID 960 set thread context of 548	960	BILLPAYM.exe	RegAsm.exe
PID 1016 set thread context of 1260	1016	Windows.exe	RegAsm.exe
PID 1692 set thread context of 1544	1692	Windows.exe	RegAsm.exe
PID 1040 set thread context of 2000	1040	Windows.exe	RegAsm.exe
PID 1340 set thread context of 1520	1340	Windows.exe	RegAsm.exe
PID 1320 set thread context of 1972	1320	Windows.exe	RegAsm.exe
PID 1648 set thread context of 1712	1648	Windows.exe	RegAsm.exe
PID 1600 set thread context of 1036	1600	Windows.exe	RegAsm.exe
PID 576 set thread context of 744	576	Windows.exe	RegAsm.exe
PID 2044 set thread context of 1708	2044	Windows.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1308	schtasks.exe
1572	schtasks.exe
1956	schtasks.exe
1604	schtasks.exe
1760	schtasks.exe
1572	schtasks.exe
564	schtasks.exe
1340	schtasks.exe
564	schtasks.exe
2008	schtasks.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

548 RegAsm.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

RegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	548	RegAsm.exe
Token: SeShutdownPrivilege	548	RegAsm.exe
Token: SeDebugPrivilege	1260	RegAsm.exe
Token: SeShutdownPrivilege	1260	RegAsm.exe
Token: SeDebugPrivilege	1544	RegAsm.exe
Token: SeShutdownPrivilege	1544	RegAsm.exe
Token: SeDebugPrivilege	2000	RegAsm.exe
Token: SeShutdownPrivilege	2000	RegAsm.exe
Token: SeDebugPrivilege	1520	RegAsm.exe
Token: SeShutdownPrivilege	1520	RegAsm.exe
Token: SeDebugPrivilege	1972	RegAsm.exe
Token: SeShutdownPrivilege	1972	RegAsm.exe
Token: SeDebugPrivilege	1712	RegAsm.exe
Token: SeShutdownPrivilege	1712	RegAsm.exe
Token: SeDebugPrivilege	1036	RegAsm.exe
Token: SeShutdownPrivilege	1036	RegAsm.exe
Token: SeDebugPrivilege	744	RegAsm.exe
Token: SeShutdownPrivilege	744	RegAsm.exe
Token: SeDebugPrivilege	1708	RegAsm.exe
Token: SeShutdownPrivilege	1708	RegAsm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

548 RegAsm.exe
548 RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

BILLPAYM.execmd.exetaskeng.exeWindows.execmd.exeWindows.exe

description	pid	process	target process
PID 960 wrote to memory of 1376	960	BILLPAYM.exe	cmd.exe
PID 960 wrote to memory of 1376	960	BILLPAYM.exe	cmd.exe
PID 960 wrote to memory of 1376	960	BILLPAYM.exe	cmd.exe
PID 960 wrote to memory of 1376	960	BILLPAYM.exe	cmd.exe
PID 960 wrote to memory of 1760	960	BILLPAYM.exe	cmd.exe
PID 960 wrote to memory of 1760	960	BILLPAYM.exe	cmd.exe
PID 960 wrote to memory of 1760	960	BILLPAYM.exe	cmd.exe
PID 960 wrote to memory of 1760	960	BILLPAYM.exe	cmd.exe
PID 1376 wrote to memory of 564	1376	cmd.exe	schtasks.exe
PID 1376 wrote to memory of 564	1376	cmd.exe	schtasks.exe
PID 1376 wrote to memory of 564	1376	cmd.exe	schtasks.exe
PID 1376 wrote to memory of 564	1376	cmd.exe	schtasks.exe
PID 960 wrote to memory of 548	960	BILLPAYM.exe	RegAsm.exe
PID 960 wrote to memory of 548	960	BILLPAYM.exe	RegAsm.exe
PID 960 wrote to memory of 548	960	BILLPAYM.exe	RegAsm.exe
PID 960 wrote to memory of 548	960	BILLPAYM.exe	RegAsm.exe
PID 960 wrote to memory of 548	960	BILLPAYM.exe	RegAsm.exe
PID 960 wrote to memory of 548	960	BILLPAYM.exe	RegAsm.exe
PID 960 wrote to memory of 548	960	BILLPAYM.exe	RegAsm.exe
PID 960 wrote to memory of 548	960	BILLPAYM.exe	RegAsm.exe
PID 960 wrote to memory of 548	960	BILLPAYM.exe	RegAsm.exe
PID 960 wrote to memory of 548	960	BILLPAYM.exe	RegAsm.exe
PID 960 wrote to memory of 548	960	BILLPAYM.exe	RegAsm.exe
PID 1660 wrote to memory of 1016	1660	taskeng.exe	Windows.exe
PID 1660 wrote to memory of 1016	1660	taskeng.exe	Windows.exe
PID 1660 wrote to memory of 1016	1660	taskeng.exe	Windows.exe
PID 1660 wrote to memory of 1016	1660	taskeng.exe	Windows.exe
PID 1016 wrote to memory of 908	1016	Windows.exe	cmd.exe
PID 1016 wrote to memory of 908	1016	Windows.exe	cmd.exe
PID 1016 wrote to memory of 908	1016	Windows.exe	cmd.exe
PID 1016 wrote to memory of 908	1016	Windows.exe	cmd.exe
PID 1016 wrote to memory of 1740	1016	Windows.exe	cmd.exe
PID 1016 wrote to memory of 1740	1016	Windows.exe	cmd.exe
PID 1016 wrote to memory of 1740	1016	Windows.exe	cmd.exe
PID 1016 wrote to memory of 1740	1016	Windows.exe	cmd.exe
PID 908 wrote to memory of 1308	908	cmd.exe	schtasks.exe
PID 908 wrote to memory of 1308	908	cmd.exe	schtasks.exe
PID 908 wrote to memory of 1308	908	cmd.exe	schtasks.exe
PID 908 wrote to memory of 1308	908	cmd.exe	schtasks.exe
PID 1016 wrote to memory of 1260	1016	Windows.exe	RegAsm.exe
PID 1016 wrote to memory of 1260	1016	Windows.exe	RegAsm.exe
PID 1016 wrote to memory of 1260	1016	Windows.exe	RegAsm.exe
PID 1016 wrote to memory of 1260	1016	Windows.exe	RegAsm.exe
PID 1016 wrote to memory of 1260	1016	Windows.exe	RegAsm.exe
PID 1016 wrote to memory of 1260	1016	Windows.exe	RegAsm.exe
PID 1016 wrote to memory of 1260	1016	Windows.exe	RegAsm.exe
PID 1016 wrote to memory of 1260	1016	Windows.exe	RegAsm.exe
PID 1016 wrote to memory of 1260	1016	Windows.exe	RegAsm.exe
PID 1016 wrote to memory of 1260	1016	Windows.exe	RegAsm.exe
PID 1016 wrote to memory of 1260	1016	Windows.exe	RegAsm.exe
PID 1660 wrote to memory of 1692	1660	taskeng.exe	Windows.exe
PID 1660 wrote to memory of 1692	1660	taskeng.exe	Windows.exe
PID 1660 wrote to memory of 1692	1660	taskeng.exe	Windows.exe
PID 1660 wrote to memory of 1692	1660	taskeng.exe	Windows.exe
PID 1692 wrote to memory of 592	1692	Windows.exe	cmd.exe
PID 1692 wrote to memory of 592	1692	Windows.exe	cmd.exe
PID 1692 wrote to memory of 592	1692	Windows.exe	cmd.exe
PID 1692 wrote to memory of 592	1692	Windows.exe	cmd.exe
PID 1692 wrote to memory of 2016	1692	Windows.exe	cmd.exe
PID 1692 wrote to memory of 2016	1692	Windows.exe	cmd.exe
PID 1692 wrote to memory of 2016	1692	Windows.exe	cmd.exe
PID 1692 wrote to memory of 2016	1692	Windows.exe	cmd.exe
PID 1692 wrote to memory of 1544	1692	Windows.exe	RegAsm.exe
PID 1692 wrote to memory of 1544	1692	Windows.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\BILLPAYM.exe
"C:\Users\Admin\AppData\Local\Temp\BILLPAYM.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Windows.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Windows.exe'" /f
3⤵
- Creates scheduled task(s)
PID:564

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\BILLPAYM.exe" "C:\Users\Admin\AppData\Roaming\Windows.exe"
2⤵
PID:1760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:548

C:\Windows\system32\taskeng.exe
taskeng.exe {35322161-2469-4F99-8D00-08C4002DC198} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Windows.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Windows.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1308

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\Windows.exe" "C:\Users\Admin\AppData\Roaming\Windows.exe"
3⤵
PID:1740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Windows.exe'" /f
3⤵
PID:592

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Windows.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1340

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\Windows.exe" "C:\Users\Admin\AppData\Roaming\Windows.exe"
3⤵
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1040

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Windows.exe'" /f
3⤵
PID:1960

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Windows.exe'" /f
4⤵
- Creates scheduled task(s)
PID:564

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\Windows.exe" "C:\Users\Admin\AppData\Roaming\Windows.exe"
3⤵
PID:572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1340

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Windows.exe'" /f
3⤵
PID:1988

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Windows.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1572

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\Windows.exe" "C:\Users\Admin\AppData\Roaming\Windows.exe"
3⤵
PID:1680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1320

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Windows.exe'" /f
3⤵
PID:960

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Windows.exe'" /f
4⤵
- Creates scheduled task(s)
PID:2008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\Windows.exe" "C:\Users\Admin\AppData\Roaming\Windows.exe"
3⤵
PID:1212

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1648

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Windows.exe'" /f
3⤵
PID:1996

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Windows.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1956

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\Windows.exe" "C:\Users\Admin\AppData\Roaming\Windows.exe"
3⤵
PID:1804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1600

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Windows.exe'" /f
3⤵
PID:1952

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Windows.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1604

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\Windows.exe" "C:\Users\Admin\AppData\Roaming\Windows.exe"
3⤵
PID:1396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:576

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Windows.exe'" /f
3⤵
PID:540

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Windows.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1760

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\Windows.exe" "C:\Users\Admin\AppData\Roaming\Windows.exe"
3⤵
PID:560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2044

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Windows.exe'" /f
3⤵
PID:832

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\Windows.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1572

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\Windows.exe" "C:\Users\Admin\AppData\Roaming\Windows.exe"
3⤵
PID:996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Windows.exe

Filesize
300.0MB

MD5
41d8a777ddc40a009a046f88900c0b80

SHA1
25dfd72ffe79eb5884d27fead86f4886bed638de

SHA256
e6844a84f9210b5803147c158c841404331177bf409dab05fecb3b3303d50347

SHA512
e75f3bfc85ed1def013474d61d5ee936ce36f499e0e111a7a1264180b7c7cc0b9a35469c35549e14c5efccc105db509aa5935152aab4e028b038e12b126f4514

Download Submit
C:\Users\Admin\AppData\Roaming\Windows.exe

Filesize
300.0MB

MD5
41d8a777ddc40a009a046f88900c0b80

SHA1
25dfd72ffe79eb5884d27fead86f4886bed638de

SHA256
e6844a84f9210b5803147c158c841404331177bf409dab05fecb3b3303d50347

SHA512
e75f3bfc85ed1def013474d61d5ee936ce36f499e0e111a7a1264180b7c7cc0b9a35469c35549e14c5efccc105db509aa5935152aab4e028b038e12b126f4514

Download Submit
C:\Users\Admin\AppData\Roaming\Windows.exe

Filesize
300.0MB

MD5
41d8a777ddc40a009a046f88900c0b80

SHA1
25dfd72ffe79eb5884d27fead86f4886bed638de

SHA256
e6844a84f9210b5803147c158c841404331177bf409dab05fecb3b3303d50347

SHA512
e75f3bfc85ed1def013474d61d5ee936ce36f499e0e111a7a1264180b7c7cc0b9a35469c35549e14c5efccc105db509aa5935152aab4e028b038e12b126f4514

Download Submit
C:\Users\Admin\AppData\Roaming\Windows.exe

Filesize
300.0MB

MD5
41d8a777ddc40a009a046f88900c0b80

SHA1
25dfd72ffe79eb5884d27fead86f4886bed638de

SHA256
e6844a84f9210b5803147c158c841404331177bf409dab05fecb3b3303d50347

SHA512
e75f3bfc85ed1def013474d61d5ee936ce36f499e0e111a7a1264180b7c7cc0b9a35469c35549e14c5efccc105db509aa5935152aab4e028b038e12b126f4514

Download Submit
C:\Users\Admin\AppData\Roaming\Windows.exe

Filesize
300.0MB

MD5
41d8a777ddc40a009a046f88900c0b80

SHA1
25dfd72ffe79eb5884d27fead86f4886bed638de

SHA256
e6844a84f9210b5803147c158c841404331177bf409dab05fecb3b3303d50347

SHA512
e75f3bfc85ed1def013474d61d5ee936ce36f499e0e111a7a1264180b7c7cc0b9a35469c35549e14c5efccc105db509aa5935152aab4e028b038e12b126f4514

Download Submit
C:\Users\Admin\AppData\Roaming\Windows.exe

Filesize
300.0MB

MD5
41d8a777ddc40a009a046f88900c0b80

SHA1
25dfd72ffe79eb5884d27fead86f4886bed638de

SHA256
e6844a84f9210b5803147c158c841404331177bf409dab05fecb3b3303d50347

SHA512
e75f3bfc85ed1def013474d61d5ee936ce36f499e0e111a7a1264180b7c7cc0b9a35469c35549e14c5efccc105db509aa5935152aab4e028b038e12b126f4514

Download Submit
C:\Users\Admin\AppData\Roaming\Windows.exe

Filesize
300.0MB

MD5
41d8a777ddc40a009a046f88900c0b80

SHA1
25dfd72ffe79eb5884d27fead86f4886bed638de

SHA256
e6844a84f9210b5803147c158c841404331177bf409dab05fecb3b3303d50347

SHA512
e75f3bfc85ed1def013474d61d5ee936ce36f499e0e111a7a1264180b7c7cc0b9a35469c35549e14c5efccc105db509aa5935152aab4e028b038e12b126f4514

Download Submit
C:\Users\Admin\AppData\Roaming\Windows.exe

Filesize
300.0MB

MD5
41d8a777ddc40a009a046f88900c0b80

SHA1
25dfd72ffe79eb5884d27fead86f4886bed638de

SHA256
e6844a84f9210b5803147c158c841404331177bf409dab05fecb3b3303d50347

SHA512
e75f3bfc85ed1def013474d61d5ee936ce36f499e0e111a7a1264180b7c7cc0b9a35469c35549e14c5efccc105db509aa5935152aab4e028b038e12b126f4514

Download Submit
C:\Users\Admin\AppData\Roaming\Windows.exe

Filesize
300.0MB

MD5
41d8a777ddc40a009a046f88900c0b80

SHA1
25dfd72ffe79eb5884d27fead86f4886bed638de

SHA256
e6844a84f9210b5803147c158c841404331177bf409dab05fecb3b3303d50347

SHA512
e75f3bfc85ed1def013474d61d5ee936ce36f499e0e111a7a1264180b7c7cc0b9a35469c35549e14c5efccc105db509aa5935152aab4e028b038e12b126f4514

Download Submit
C:\Users\Admin\AppData\Roaming\Windows.exe

Filesize
300.0MB

MD5
41d8a777ddc40a009a046f88900c0b80

SHA1
25dfd72ffe79eb5884d27fead86f4886bed638de

SHA256
e6844a84f9210b5803147c158c841404331177bf409dab05fecb3b3303d50347

SHA512
e75f3bfc85ed1def013474d61d5ee936ce36f499e0e111a7a1264180b7c7cc0b9a35469c35549e14c5efccc105db509aa5935152aab4e028b038e12b126f4514

Download Submit
memory/540-229-0x0000000000000000-mapping.dmp

Download
memory/548-69-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/548-75-0x0000000000120000-0x000000000012A000-memory.dmp

Filesize
40KB

Download
memory/548-70-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/548-71-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/548-72-0x0000000000120000-0x000000000012A000-memory.dmp

Filesize
40KB

Download
memory/548-73-0x0000000000120000-0x000000000012A000-memory.dmp

Filesize
40KB

Download
memory/548-74-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/548-66-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/548-76-0x0000000000120000-0x000000000012A000-memory.dmp

Filesize
40KB

Download
memory/548-65-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/548-64-0x00000000007E2730-mapping.dmp

Download
memory/548-63-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/548-59-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/548-62-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/548-60-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/560-230-0x0000000000000000-mapping.dmp

Download
memory/564-126-0x0000000000000000-mapping.dmp

Download
memory/564-58-0x0000000000000000-mapping.dmp

Download
memory/572-125-0x0000000000000000-mapping.dmp

Download
memory/576-225-0x0000000000000000-mapping.dmp

Download
memory/576-227-0x0000000001270000-0x0000000001446000-memory.dmp

Filesize
1.8MB

Download
memory/592-103-0x0000000000000000-mapping.dmp

Download
memory/744-244-0x0000000000460000-0x0000000000844000-memory.dmp

Filesize
3.9MB

Download
memory/744-237-0x00000000007E2730-mapping.dmp

Download
memory/744-245-0x0000000000460000-0x0000000000844000-memory.dmp

Filesize
3.9MB

Download
memory/832-250-0x0000000000000000-mapping.dmp

Download
memory/908-82-0x0000000000000000-mapping.dmp

Download
memory/960-166-0x0000000000000000-mapping.dmp

Download
memory/960-54-0x0000000000890000-0x0000000000A66000-memory.dmp

Filesize
1.8MB

Download
memory/960-55-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/996-251-0x0000000000000000-mapping.dmp

Download
memory/1016-78-0x0000000000000000-mapping.dmp

Download
memory/1016-80-0x0000000000960000-0x0000000000B36000-memory.dmp

Filesize
1.8MB

Download
memory/1036-223-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1036-224-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1036-216-0x00000000007E2730-mapping.dmp

Download
memory/1040-120-0x0000000000000000-mapping.dmp

Download
memory/1040-122-0x00000000001A0000-0x0000000000376000-memory.dmp

Filesize
1.8MB

Download
memory/1212-167-0x0000000000000000-mapping.dmp

Download
memory/1260-90-0x00000000007E2730-mapping.dmp

Download
memory/1260-97-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1260-98-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1308-84-0x0000000000000000-mapping.dmp

Download
memory/1320-162-0x0000000000000000-mapping.dmp

Download
memory/1320-164-0x0000000000E90000-0x0000000001066000-memory.dmp

Filesize
1.8MB

Download
memory/1340-141-0x0000000000000000-mapping.dmp

Download
memory/1340-143-0x0000000000E00000-0x0000000000FD6000-memory.dmp

Filesize
1.8MB

Download
memory/1340-109-0x0000000000000000-mapping.dmp

Download
memory/1376-56-0x0000000000000000-mapping.dmp

Download
memory/1396-209-0x0000000000000000-mapping.dmp

Download
memory/1520-153-0x00000000007E2730-mapping.dmp

Download
memory/1520-160-0x0000000000460000-0x0000000000844000-memory.dmp

Filesize
3.9MB

Download
memory/1520-161-0x0000000000460000-0x0000000000844000-memory.dmp

Filesize
3.9MB

Download
memory/1520-154-0x0000000000460000-0x0000000000844000-memory.dmp

Filesize
3.9MB

Download
memory/1520-158-0x0000000000460000-0x0000000000844000-memory.dmp

Filesize
3.9MB

Download
memory/1520-155-0x0000000000460000-0x0000000000844000-memory.dmp

Filesize
3.9MB

Download
memory/1544-119-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1544-118-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1544-111-0x00000000007E2730-mapping.dmp

Download
memory/1572-151-0x0000000000000000-mapping.dmp

Download
memory/1572-252-0x0000000000000000-mapping.dmp

Download
memory/1600-206-0x0000000000D70000-0x0000000000F46000-memory.dmp

Filesize
1.8MB

Download
memory/1600-204-0x0000000000000000-mapping.dmp

Download
memory/1604-213-0x0000000000000000-mapping.dmp

Download
memory/1648-185-0x0000000000080000-0x0000000000256000-memory.dmp

Filesize
1.8MB

Download
memory/1648-183-0x0000000000000000-mapping.dmp

Download
memory/1680-146-0x0000000000000000-mapping.dmp

Download
memory/1692-101-0x0000000000DF0000-0x0000000000FC6000-memory.dmp

Filesize
1.8MB

Download
memory/1692-99-0x0000000000000000-mapping.dmp

Download
memory/1708-266-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1708-258-0x00000000007E2730-mapping.dmp

Download
memory/1708-265-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1712-202-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1712-195-0x00000000007E2730-mapping.dmp

Download
memory/1712-203-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1740-83-0x0000000000000000-mapping.dmp

Download
memory/1760-235-0x0000000000000000-mapping.dmp

Download
memory/1760-57-0x0000000000000000-mapping.dmp

Download
memory/1804-188-0x0000000000000000-mapping.dmp

Download
memory/1952-208-0x0000000000000000-mapping.dmp

Download
memory/1956-189-0x0000000000000000-mapping.dmp

Download
memory/1960-124-0x0000000000000000-mapping.dmp

Download
memory/1972-179-0x0000000000410000-0x00000000007F4000-memory.dmp

Filesize
3.9MB

Download
memory/1972-182-0x0000000000410000-0x00000000007F4000-memory.dmp

Filesize
3.9MB

Download
memory/1972-174-0x00000000007E2730-mapping.dmp

Download
memory/1972-176-0x0000000000410000-0x00000000007F4000-memory.dmp

Filesize
3.9MB

Download
memory/1972-175-0x0000000000410000-0x00000000007F4000-memory.dmp

Filesize
3.9MB

Download
memory/1972-181-0x0000000000410000-0x00000000007F4000-memory.dmp

Filesize
3.9MB

Download
memory/1988-145-0x0000000000000000-mapping.dmp

Download
memory/1996-187-0x0000000000000000-mapping.dmp

Download
memory/2000-139-0x0000000000440000-0x0000000000824000-memory.dmp

Filesize
3.9MB

Download
memory/2000-128-0x00000000006B2000-0x0000000000823000-memory.dmp

Filesize
1.4MB

Download
memory/2000-132-0x00000000007E2730-mapping.dmp

Download
memory/2000-133-0x0000000000440000-0x0000000000824000-memory.dmp

Filesize
3.9MB

Download
memory/2000-134-0x0000000000440000-0x0000000000824000-memory.dmp

Filesize
3.9MB

Download
memory/2000-137-0x0000000000440000-0x0000000000824000-memory.dmp

Filesize
3.9MB

Download
memory/2000-140-0x0000000000440000-0x0000000000824000-memory.dmp

Filesize
3.9MB

Download
memory/2008-172-0x0000000000000000-mapping.dmp

Download
memory/2016-104-0x0000000000000000-mapping.dmp

Download
memory/2044-246-0x0000000000000000-mapping.dmp

Download
memory/2044-248-0x0000000000330000-0x0000000000506000-memory.dmp

Filesize
1.8MB

Download