Analysis Overview
SHA256
8e027405c27400fc0c854b804f199eea27fcfe8a242bf3689658395d7530fe5a
Threat Level: Known bad
The file 8e027405c27400fc0c854b804f199eea27fcfe8a242bf3689658395d7530fe5a was found to be: Known bad.
Malicious Activity Summary
Detect XtremeRAT payload
XtremeRAT
njRAT/Bladabindi
Njrat family
UPX packed file
Executes dropped EXE
Modifies Windows Firewall
Drops startup file
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Program crash
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-23 16:33
Signatures
Njrat family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral5
Detonation Overview
Submitted
2022-11-23 16:33
Reported
2022-11-23 18:05
Platform
win7-20221111-en
Max time kernel
202s
Max time network
34s
Command Line
Signatures
Detect XtremeRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XtremeRAT
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\كل العراق.exe
"C:\Users\Admin\AppData\Local\Temp\كل العراق.exe"
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
Network
Files
memory/1584-54-0x0000000075E61000-0x0000000075E63000-memory.dmp
memory/1584-55-0x0000000010000000-0x000000001004D000-memory.dmp
memory/528-56-0x0000000010000000-0x000000001004D000-memory.dmp
memory/528-58-0x0000000000000000-mapping.dmp
memory/1584-60-0x0000000010000000-0x000000001004D000-memory.dmp
memory/528-61-0x0000000010000000-0x000000001004D000-memory.dmp
memory/528-62-0x0000000010000000-0x000000001004D000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2022-11-23 16:33
Reported
2022-11-23 18:05
Platform
win10v2004-20221111-en
Max time kernel
197s
Max time network
203s
Command Line
Signatures
Detect XtremeRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XtremeRAT
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\svchost.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1120 wrote to memory of 4584 | N/A | C:\Users\Admin\AppData\Local\Temp\كل العراق.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 1120 wrote to memory of 4584 | N/A | C:\Users\Admin\AppData\Local\Temp\كل العراق.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 1120 wrote to memory of 4584 | N/A | C:\Users\Admin\AppData\Local\Temp\كل العراق.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 1120 wrote to memory of 4584 | N/A | C:\Users\Admin\AppData\Local\Temp\كل العراق.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 1120 wrote to memory of 4364 | N/A | C:\Users\Admin\AppData\Local\Temp\كل العراق.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe |
| PID 1120 wrote to memory of 4364 | N/A | C:\Users\Admin\AppData\Local\Temp\كل العراق.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe |
| PID 1120 wrote to memory of 4364 | N/A | C:\Users\Admin\AppData\Local\Temp\كل العراق.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\كل العراق.exe
"C:\Users\Admin\AppData\Local\Temp\كل العراق.exe"
C:\Windows\SysWOW64\svchost.exe
svchost.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4584 -ip 4584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4584 -ip 4584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4584 -s 488
Network
| Country | Destination | Domain | Proto |
| N/A | 20.189.173.13:443 | N/A | tcp |
| N/A | 209.197.3.8:80 | N/A | tcp |
| N/A | 209.197.3.8:80 | N/A | tcp |
| N/A | 209.197.3.8:80 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 8.238.23.254:80 | N/A | tcp |
| N/A | 8.238.23.254:80 | N/A | tcp |
| N/A | 8.238.23.254:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | 15.89.54.20.in-addr.arpa | udp |
Files
memory/1120-132-0x0000000010000000-0x000000001004D000-memory.dmp
memory/4584-133-0x0000000000000000-mapping.dmp
memory/4584-134-0x0000000010000000-0x000000001004D000-memory.dmp
memory/1120-135-0x0000000010000000-0x000000001004D000-memory.dmp
memory/4584-136-0x0000000010000000-0x000000001004D000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-23 16:33
Reported
2022-11-23 18:04
Platform
win7-20220812-en
Max time kernel
38s
Max time network
43s
Command Line
Signatures
njRAT/Bladabindi
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\الادبي.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\الادبي.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2000 wrote to memory of 1352 | N/A | C:\Users\Admin\AppData\Local\Temp\الادبي.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe |
| PID 2000 wrote to memory of 1352 | N/A | C:\Users\Admin\AppData\Local\Temp\الادبي.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe |
| PID 2000 wrote to memory of 1352 | N/A | C:\Users\Admin\AppData\Local\Temp\الادبي.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe |
| PID 2000 wrote to memory of 1352 | N/A | C:\Users\Admin\AppData\Local\Temp\الادبي.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\الادبي.exe
"C:\Users\Admin\AppData\Local\Temp\الادبي.exe"
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
Network
Files
memory/2000-54-0x00000000754E1000-0x00000000754E3000-memory.dmp
memory/2000-55-0x0000000074120000-0x00000000746CB000-memory.dmp
\Users\Admin\AppData\Local\Temp\Trojan.exe
| MD5 | 2dbe2b2f3e81131526c4beec1d1a575e |
| SHA1 | dbae8830aafe88359e9150d5ca07f11c040b8692 |
| SHA256 | b68ac54d841c7d343fbd6db2bdd43e9859d4dcf74fca3ae76627be882dcce402 |
| SHA512 | 339b6dfd8d400f2017afe5e21a765e7cc3845e852eb493bc5f415708083ad41269f726770ab1e4d48f0e94df857232afe12751bb1a399e3aefa816f897dc609e |
\Users\Admin\AppData\Local\Temp\Trojan.exe
| MD5 | 2dbe2b2f3e81131526c4beec1d1a575e |
| SHA1 | dbae8830aafe88359e9150d5ca07f11c040b8692 |
| SHA256 | b68ac54d841c7d343fbd6db2bdd43e9859d4dcf74fca3ae76627be882dcce402 |
| SHA512 | 339b6dfd8d400f2017afe5e21a765e7cc3845e852eb493bc5f415708083ad41269f726770ab1e4d48f0e94df857232afe12751bb1a399e3aefa816f897dc609e |
memory/1352-58-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
| MD5 | 2dbe2b2f3e81131526c4beec1d1a575e |
| SHA1 | dbae8830aafe88359e9150d5ca07f11c040b8692 |
| SHA256 | b68ac54d841c7d343fbd6db2bdd43e9859d4dcf74fca3ae76627be882dcce402 |
| SHA512 | 339b6dfd8d400f2017afe5e21a765e7cc3845e852eb493bc5f415708083ad41269f726770ab1e4d48f0e94df857232afe12751bb1a399e3aefa816f897dc609e |
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
| MD5 | 2dbe2b2f3e81131526c4beec1d1a575e |
| SHA1 | dbae8830aafe88359e9150d5ca07f11c040b8692 |
| SHA256 | b68ac54d841c7d343fbd6db2bdd43e9859d4dcf74fca3ae76627be882dcce402 |
| SHA512 | 339b6dfd8d400f2017afe5e21a765e7cc3845e852eb493bc5f415708083ad41269f726770ab1e4d48f0e94df857232afe12751bb1a399e3aefa816f897dc609e |
memory/2000-62-0x0000000074120000-0x00000000746CB000-memory.dmp
memory/1352-63-0x0000000074120000-0x00000000746CB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-23 16:33
Reported
2022-11-23 18:04
Platform
win10v2004-20220812-en
Max time kernel
113s
Max time network
119s
Command Line
Signatures
njRAT/Bladabindi
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\الادبي.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2016 wrote to memory of 3716 | N/A | C:\Users\Admin\AppData\Local\Temp\الادبي.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe |
| PID 2016 wrote to memory of 3716 | N/A | C:\Users\Admin\AppData\Local\Temp\الادبي.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe |
| PID 2016 wrote to memory of 3716 | N/A | C:\Users\Admin\AppData\Local\Temp\الادبي.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\الادبي.exe
"C:\Users\Admin\AppData\Local\Temp\الادبي.exe"
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 20.50.201.200:443 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
Files
memory/2016-132-0x0000000074F20000-0x00000000754D1000-memory.dmp
memory/2016-133-0x0000000074F20000-0x00000000754D1000-memory.dmp
memory/3716-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
| MD5 | 2dbe2b2f3e81131526c4beec1d1a575e |
| SHA1 | dbae8830aafe88359e9150d5ca07f11c040b8692 |
| SHA256 | b68ac54d841c7d343fbd6db2bdd43e9859d4dcf74fca3ae76627be882dcce402 |
| SHA512 | 339b6dfd8d400f2017afe5e21a765e7cc3845e852eb493bc5f415708083ad41269f726770ab1e4d48f0e94df857232afe12751bb1a399e3aefa816f897dc609e |
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
| MD5 | 2dbe2b2f3e81131526c4beec1d1a575e |
| SHA1 | dbae8830aafe88359e9150d5ca07f11c040b8692 |
| SHA256 | b68ac54d841c7d343fbd6db2bdd43e9859d4dcf74fca3ae76627be882dcce402 |
| SHA512 | 339b6dfd8d400f2017afe5e21a765e7cc3845e852eb493bc5f415708083ad41269f726770ab1e4d48f0e94df857232afe12751bb1a399e3aefa816f897dc609e |
memory/2016-137-0x0000000074F20000-0x00000000754D1000-memory.dmp
memory/3716-138-0x0000000074F20000-0x00000000754D1000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2022-11-23 16:33
Reported
2022-11-23 18:05
Platform
win7-20221111-en
Max time kernel
203s
Max time network
76s
Command Line
Signatures
njRAT/Bladabindi
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\العلمي.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\العلمي.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1368 wrote to memory of 1508 | N/A | C:\Users\Admin\AppData\Local\Temp\العلمي.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe |
| PID 1368 wrote to memory of 1508 | N/A | C:\Users\Admin\AppData\Local\Temp\العلمي.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe |
| PID 1368 wrote to memory of 1508 | N/A | C:\Users\Admin\AppData\Local\Temp\العلمي.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe |
| PID 1368 wrote to memory of 1508 | N/A | C:\Users\Admin\AppData\Local\Temp\العلمي.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe |
| PID 1508 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 1508 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 1508 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 1508 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | C:\Windows\SysWOW64\netsh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\العلمي.exe
"C:\Users\Admin\AppData\Local\Temp\العلمي.exe"
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | iraqiiraqi.no-ip.biz | udp |
Files
memory/1368-54-0x00000000754C1000-0x00000000754C3000-memory.dmp
\Users\Admin\AppData\Local\Temp\Trojan.exe
| MD5 | 74526b46799abae6166733f30784d73b |
| SHA1 | fc775da0774384e002314dd3b1e49f2c7dbd69d4 |
| SHA256 | e935dcd2b982d3b46c39b880c812fbae4b9f73d5542a02839ef5ce48223f2205 |
| SHA512 | 98d5ea76b48ff8da220f8d2ec414894a09d30713a285b7f14861521d99c574918d4ac1df1b75af73fd5ec82681fd25832f83035833df1d822e902bae4a0dbe27 |
\Users\Admin\AppData\Local\Temp\Trojan.exe
| MD5 | 74526b46799abae6166733f30784d73b |
| SHA1 | fc775da0774384e002314dd3b1e49f2c7dbd69d4 |
| SHA256 | e935dcd2b982d3b46c39b880c812fbae4b9f73d5542a02839ef5ce48223f2205 |
| SHA512 | 98d5ea76b48ff8da220f8d2ec414894a09d30713a285b7f14861521d99c574918d4ac1df1b75af73fd5ec82681fd25832f83035833df1d822e902bae4a0dbe27 |
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
| MD5 | 74526b46799abae6166733f30784d73b |
| SHA1 | fc775da0774384e002314dd3b1e49f2c7dbd69d4 |
| SHA256 | e935dcd2b982d3b46c39b880c812fbae4b9f73d5542a02839ef5ce48223f2205 |
| SHA512 | 98d5ea76b48ff8da220f8d2ec414894a09d30713a285b7f14861521d99c574918d4ac1df1b75af73fd5ec82681fd25832f83035833df1d822e902bae4a0dbe27 |
memory/1508-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
| MD5 | 74526b46799abae6166733f30784d73b |
| SHA1 | fc775da0774384e002314dd3b1e49f2c7dbd69d4 |
| SHA256 | e935dcd2b982d3b46c39b880c812fbae4b9f73d5542a02839ef5ce48223f2205 |
| SHA512 | 98d5ea76b48ff8da220f8d2ec414894a09d30713a285b7f14861521d99c574918d4ac1df1b75af73fd5ec82681fd25832f83035833df1d822e902bae4a0dbe27 |
memory/1368-61-0x00000000746C0000-0x0000000074C6B000-memory.dmp
memory/1936-62-0x0000000000000000-mapping.dmp
memory/1508-63-0x00000000746C0000-0x0000000074C6B000-memory.dmp
memory/1508-65-0x00000000746C0000-0x0000000074C6B000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2022-11-23 16:33
Reported
2022-11-23 18:05
Platform
win10v2004-20221111-en
Max time kernel
194s
Max time network
211s
Command Line
Signatures
njRAT/Bladabindi
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\العلمي.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 204 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\العلمي.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe |
| PID 204 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\العلمي.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe |
| PID 204 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\العلمي.exe | C:\Users\Admin\AppData\Local\Temp\Trojan.exe |
| PID 1620 wrote to memory of 5044 | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 1620 wrote to memory of 5044 | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 1620 wrote to memory of 5044 | N/A | C:\Users\Admin\AppData\Local\Temp\Trojan.exe | C:\Windows\SysWOW64\netsh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\العلمي.exe
"C:\Users\Admin\AppData\Local\Temp\العلمي.exe"
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| N/A | 40.77.2.164:443 | N/A | tcp |
| N/A | 51.105.71.136:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | 9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
| N/A | 8.8.8.8:53 | iraqiiraqi.no-ip.biz | udp |
| N/A | 8.8.8.8:53 | iraqiiraqi.no-ip.biz | udp |
| N/A | 8.8.8.8:53 | iraqiiraqi.no-ip.biz | udp |
| N/A | 8.8.8.8:53 | iraqiiraqi.no-ip.biz | udp |
| N/A | 8.8.8.8:53 | iraqiiraqi.no-ip.biz | udp |
| N/A | 8.8.8.8:53 | iraqiiraqi.no-ip.biz | udp |
| N/A | 8.8.8.8:53 | iraqiiraqi.no-ip.biz | udp |
| N/A | 8.8.8.8:53 | iraqiiraqi.no-ip.biz | udp |
| N/A | 8.8.8.8:53 | iraqiiraqi.no-ip.biz | udp |
| N/A | 8.8.8.8:53 | iraqiiraqi.no-ip.biz | udp |
| N/A | 8.8.8.8:53 | iraqiiraqi.no-ip.biz | udp |
| N/A | 8.8.8.8:53 | iraqiiraqi.no-ip.biz | udp |
| N/A | 8.8.8.8:53 | iraqiiraqi.no-ip.biz | udp |
| N/A | 8.8.8.8:53 | iraqiiraqi.no-ip.biz | udp |
Files
memory/204-132-0x0000000074DD0000-0x0000000075381000-memory.dmp
memory/204-133-0x0000000074DD0000-0x0000000075381000-memory.dmp
memory/1620-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
| MD5 | 74526b46799abae6166733f30784d73b |
| SHA1 | fc775da0774384e002314dd3b1e49f2c7dbd69d4 |
| SHA256 | e935dcd2b982d3b46c39b880c812fbae4b9f73d5542a02839ef5ce48223f2205 |
| SHA512 | 98d5ea76b48ff8da220f8d2ec414894a09d30713a285b7f14861521d99c574918d4ac1df1b75af73fd5ec82681fd25832f83035833df1d822e902bae4a0dbe27 |
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
| MD5 | 74526b46799abae6166733f30784d73b |
| SHA1 | fc775da0774384e002314dd3b1e49f2c7dbd69d4 |
| SHA256 | e935dcd2b982d3b46c39b880c812fbae4b9f73d5542a02839ef5ce48223f2205 |
| SHA512 | 98d5ea76b48ff8da220f8d2ec414894a09d30713a285b7f14861521d99c574918d4ac1df1b75af73fd5ec82681fd25832f83035833df1d822e902bae4a0dbe27 |
memory/5044-137-0x0000000000000000-mapping.dmp
memory/204-138-0x0000000074DD0000-0x0000000075381000-memory.dmp
memory/1620-139-0x0000000074DD0000-0x0000000075381000-memory.dmp
memory/1620-140-0x0000000074DD0000-0x0000000075381000-memory.dmp