njrat | b62974737cde4fd82e8c918815ba5af11a4bb7c7b4af2d1680c88e5fcb77f1c1

Analysis

max time kernel
151s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b62974737cde4fd82e8c918815ba5af11a4bb7c7b4af2d1680c88e5fcb77f1c1.exe
Size

1.2MB
MD5

2938f0df9c213f6b72ad810dd344280c
SHA1

51a6efa00cfd118fe2926bdae1ed941032693490
SHA256

b62974737cde4fd82e8c918815ba5af11a4bb7c7b4af2d1680c88e5fcb77f1c1
SHA512

d5d4f4e33a4a40b0a1482f973fc11ddf4c9dd06b04328e1cb1dd5cab341496e7f3fe2bf3560eac58224ed87ee783d075ab349e792ec97411420d4a2c6d1ac9e3
SSDEEP

24576:RJ/Nr0n4WncacV5NBMwxVFLB+uoQxs2eBS:RPKGjNawxsbQpmS

Score

10^/10

njrat te7chelou by xfacker trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

te7chelou by xfacker

127.0.0.1:5552

Mutex

c633d68267ddc65598b821619897acab

Attributes

reg_key
c633d68267ddc65598b821619897acab
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 3 IoCs

Processes:

Server.exeProcessHacker.exe123.exe

pid process

1016 Server.exe
1520 ProcessHacker.exe
848 123.exe

pid	process
1016	Server.exe
1520	ProcessHacker.exe
848	123.exe

Loads dropped DLL 9 IoCs

Processes:

b62974737cde4fd82e8c918815ba5af11a4bb7c7b4af2d1680c88e5fcb77f1c1.exeProcessHacker.exeServer.exe

pid	process
628	b62974737cde4fd82e8c918815ba5af11a4bb7c7b4af2d1680c88e5fcb77f1c1.exe
628	b62974737cde4fd82e8c918815ba5af11a4bb7c7b4af2d1680c88e5fcb77f1c1.exe
628	b62974737cde4fd82e8c918815ba5af11a4bb7c7b4af2d1680c88e5fcb77f1c1.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1016	Server.exe
1016	Server.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

ProcessHacker.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ProcessHacker.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ProcessHacker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ProcessHacker.exe

pid	process
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ProcessHacker.exe

pid process

1520 ProcessHacker.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

ProcessHacker.exe

description	pid	process
Token: SeDebugPrivilege	1520	ProcessHacker.exe
Token: SeIncBasePriorityPrivilege	1520	ProcessHacker.exe
Token: 33	1520	ProcessHacker.exe
Token: SeLoadDriverPrivilege	1520	ProcessHacker.exe
Token: SeProfSingleProcessPrivilege	1520	ProcessHacker.exe
Token: SeRestorePrivilege	1520	ProcessHacker.exe
Token: SeShutdownPrivilege	1520	ProcessHacker.exe
Token: SeTakeOwnershipPrivilege	1520	ProcessHacker.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

ProcessHacker.exe

pid	process
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

ProcessHacker.exe

pid	process
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe
1520	ProcessHacker.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b62974737cde4fd82e8c918815ba5af11a4bb7c7b4af2d1680c88e5fcb77f1c1.exeServer.exe

description	pid	process	target process
PID 628 wrote to memory of 1016	628	b62974737cde4fd82e8c918815ba5af11a4bb7c7b4af2d1680c88e5fcb77f1c1.exe	Server.exe
PID 628 wrote to memory of 1016	628	b62974737cde4fd82e8c918815ba5af11a4bb7c7b4af2d1680c88e5fcb77f1c1.exe	Server.exe
PID 628 wrote to memory of 1016	628	b62974737cde4fd82e8c918815ba5af11a4bb7c7b4af2d1680c88e5fcb77f1c1.exe	Server.exe
PID 628 wrote to memory of 1016	628	b62974737cde4fd82e8c918815ba5af11a4bb7c7b4af2d1680c88e5fcb77f1c1.exe	Server.exe
PID 628 wrote to memory of 1520	628	b62974737cde4fd82e8c918815ba5af11a4bb7c7b4af2d1680c88e5fcb77f1c1.exe	ProcessHacker.exe
PID 628 wrote to memory of 1520	628	b62974737cde4fd82e8c918815ba5af11a4bb7c7b4af2d1680c88e5fcb77f1c1.exe	ProcessHacker.exe
PID 628 wrote to memory of 1520	628	b62974737cde4fd82e8c918815ba5af11a4bb7c7b4af2d1680c88e5fcb77f1c1.exe	ProcessHacker.exe
PID 628 wrote to memory of 1520	628	b62974737cde4fd82e8c918815ba5af11a4bb7c7b4af2d1680c88e5fcb77f1c1.exe	ProcessHacker.exe
PID 1016 wrote to memory of 848	1016	Server.exe	123.exe
PID 1016 wrote to memory of 848	1016	Server.exe	123.exe
PID 1016 wrote to memory of 848	1016	Server.exe	123.exe
PID 1016 wrote to memory of 848	1016	Server.exe	123.exe

C:\Users\Admin\AppData\Local\Temp\b62974737cde4fd82e8c918815ba5af11a4bb7c7b4af2d1680c88e5fcb77f1c1.exe
"C:\Users\Admin\AppData\Local\Temp\b62974737cde4fd82e8c918815ba5af11a4bb7c7b4af2d1680c88e5fcb77f1c1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:628

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1016

C:\Users\Admin\AppData\Local\Temp\123.exe
"C:\Users\Admin\AppData\Local\Temp\123.exe"
3⤵
- Executes dropped EXE
PID:848

C:\Users\Admin\AppData\Local\Temp\ProcessHacker.exe
"C:\Users\Admin\AppData\Local\Temp\ProcessHacker.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1520

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\123.exe
Filesize
22KB

MD5
06018305f58f310572bb3514f7c0d8ab

SHA1
fef4c7fac63c6bc2468ab6ff90fd16df0bec89b7

SHA256
f514e867948829c96a58e1e591180eb6412d00bd8b41ffbca7b21c07b39ff6c4

SHA512
f6561d2f95319c026fdd9c9c0b44ad9bea19f0938fad5af8c5667bc0d8400ce68bb46d88e466dd2390308ceb64422894308980a9db5c3909e7298c264709bd4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\123.exe
Filesize
22KB

MD5
06018305f58f310572bb3514f7c0d8ab

SHA1
fef4c7fac63c6bc2468ab6ff90fd16df0bec89b7

SHA256
f514e867948829c96a58e1e591180eb6412d00bd8b41ffbca7b21c07b39ff6c4

SHA512
f6561d2f95319c026fdd9c9c0b44ad9bea19f0938fad5af8c5667bc0d8400ce68bb46d88e466dd2390308ceb64422894308980a9db5c3909e7298c264709bd4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ProcessHacker.exe
Filesize
1.1MB

MD5
8abb6fc46809e428796081b356ccfc3b

SHA1
02c2cf5c67db9e93aa23b39477a3f81e2c1963aa

SHA256
6cce6dc45ef6f62b082784bf57063d2811d933d72a8b6d9e3281170ac76c9c10

SHA512
2ead2de1ce244fee7ef8a2253eab08e80149f40b5cb1b5b93f15418ae2030dab910ea51c5cff763d940dfb93fa9970122aa65d71c902a62fa5ad14639d4a85dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ProcessHacker.exe
Filesize
1.1MB

MD5
8abb6fc46809e428796081b356ccfc3b

SHA1
02c2cf5c67db9e93aa23b39477a3f81e2c1963aa

SHA256
6cce6dc45ef6f62b082784bf57063d2811d933d72a8b6d9e3281170ac76c9c10

SHA512
2ead2de1ce244fee7ef8a2253eab08e80149f40b5cb1b5b93f15418ae2030dab910ea51c5cff763d940dfb93fa9970122aa65d71c902a62fa5ad14639d4a85dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
22KB

MD5
06018305f58f310572bb3514f7c0d8ab

SHA1
fef4c7fac63c6bc2468ab6ff90fd16df0bec89b7

SHA256
f514e867948829c96a58e1e591180eb6412d00bd8b41ffbca7b21c07b39ff6c4

SHA512
f6561d2f95319c026fdd9c9c0b44ad9bea19f0938fad5af8c5667bc0d8400ce68bb46d88e466dd2390308ceb64422894308980a9db5c3909e7298c264709bd4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
22KB

MD5
06018305f58f310572bb3514f7c0d8ab

SHA1
fef4c7fac63c6bc2468ab6ff90fd16df0bec89b7

SHA256
f514e867948829c96a58e1e591180eb6412d00bd8b41ffbca7b21c07b39ff6c4

SHA512
f6561d2f95319c026fdd9c9c0b44ad9bea19f0938fad5af8c5667bc0d8400ce68bb46d88e466dd2390308ceb64422894308980a9db5c3909e7298c264709bd4f

Download Submit
\Users\Admin\AppData\Local\Temp\123.exe
Filesize
22KB

MD5
06018305f58f310572bb3514f7c0d8ab

SHA1
fef4c7fac63c6bc2468ab6ff90fd16df0bec89b7

SHA256
f514e867948829c96a58e1e591180eb6412d00bd8b41ffbca7b21c07b39ff6c4

SHA512
f6561d2f95319c026fdd9c9c0b44ad9bea19f0938fad5af8c5667bc0d8400ce68bb46d88e466dd2390308ceb64422894308980a9db5c3909e7298c264709bd4f

Download Submit
\Users\Admin\AppData\Local\Temp\123.exe
Filesize
22KB

MD5
06018305f58f310572bb3514f7c0d8ab

SHA1
fef4c7fac63c6bc2468ab6ff90fd16df0bec89b7

SHA256
f514e867948829c96a58e1e591180eb6412d00bd8b41ffbca7b21c07b39ff6c4

SHA512
f6561d2f95319c026fdd9c9c0b44ad9bea19f0938fad5af8c5667bc0d8400ce68bb46d88e466dd2390308ceb64422894308980a9db5c3909e7298c264709bd4f

Download Submit
\Users\Admin\AppData\Local\Temp\123.exe
Filesize
22KB

MD5
06018305f58f310572bb3514f7c0d8ab

SHA1
fef4c7fac63c6bc2468ab6ff90fd16df0bec89b7

SHA256
f514e867948829c96a58e1e591180eb6412d00bd8b41ffbca7b21c07b39ff6c4

SHA512
f6561d2f95319c026fdd9c9c0b44ad9bea19f0938fad5af8c5667bc0d8400ce68bb46d88e466dd2390308ceb64422894308980a9db5c3909e7298c264709bd4f

Download Submit
\Users\Admin\AppData\Local\Temp\123.exe
Filesize
22KB

MD5
06018305f58f310572bb3514f7c0d8ab

SHA1
fef4c7fac63c6bc2468ab6ff90fd16df0bec89b7

SHA256
f514e867948829c96a58e1e591180eb6412d00bd8b41ffbca7b21c07b39ff6c4

SHA512
f6561d2f95319c026fdd9c9c0b44ad9bea19f0938fad5af8c5667bc0d8400ce68bb46d88e466dd2390308ceb64422894308980a9db5c3909e7298c264709bd4f

Download Submit
\Users\Admin\AppData\Local\Temp\ProcessHacker.exe
Filesize
1.1MB

MD5
8abb6fc46809e428796081b356ccfc3b

SHA1
02c2cf5c67db9e93aa23b39477a3f81e2c1963aa

SHA256
6cce6dc45ef6f62b082784bf57063d2811d933d72a8b6d9e3281170ac76c9c10

SHA512
2ead2de1ce244fee7ef8a2253eab08e80149f40b5cb1b5b93f15418ae2030dab910ea51c5cff763d940dfb93fa9970122aa65d71c902a62fa5ad14639d4a85dc

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
22KB

MD5
06018305f58f310572bb3514f7c0d8ab

SHA1
fef4c7fac63c6bc2468ab6ff90fd16df0bec89b7

SHA256
f514e867948829c96a58e1e591180eb6412d00bd8b41ffbca7b21c07b39ff6c4

SHA512
f6561d2f95319c026fdd9c9c0b44ad9bea19f0938fad5af8c5667bc0d8400ce68bb46d88e466dd2390308ceb64422894308980a9db5c3909e7298c264709bd4f

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
22KB

MD5
06018305f58f310572bb3514f7c0d8ab

SHA1
fef4c7fac63c6bc2468ab6ff90fd16df0bec89b7

SHA256
f514e867948829c96a58e1e591180eb6412d00bd8b41ffbca7b21c07b39ff6c4

SHA512
f6561d2f95319c026fdd9c9c0b44ad9bea19f0938fad5af8c5667bc0d8400ce68bb46d88e466dd2390308ceb64422894308980a9db5c3909e7298c264709bd4f

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
22KB

MD5
06018305f58f310572bb3514f7c0d8ab

SHA1
fef4c7fac63c6bc2468ab6ff90fd16df0bec89b7

SHA256
f514e867948829c96a58e1e591180eb6412d00bd8b41ffbca7b21c07b39ff6c4

SHA512
f6561d2f95319c026fdd9c9c0b44ad9bea19f0938fad5af8c5667bc0d8400ce68bb46d88e466dd2390308ceb64422894308980a9db5c3909e7298c264709bd4f

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
22KB

MD5
06018305f58f310572bb3514f7c0d8ab

SHA1
fef4c7fac63c6bc2468ab6ff90fd16df0bec89b7

SHA256
f514e867948829c96a58e1e591180eb6412d00bd8b41ffbca7b21c07b39ff6c4

SHA512
f6561d2f95319c026fdd9c9c0b44ad9bea19f0938fad5af8c5667bc0d8400ce68bb46d88e466dd2390308ceb64422894308980a9db5c3909e7298c264709bd4f

Download Submit
memory/628-54-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/848-73-0x0000000000000000-mapping.dmp

Download
memory/848-79-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/848-82-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/1016-70-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/1016-57-0x0000000000000000-mapping.dmp

Download
memory/1016-81-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/1016-83-0x0000000074000000-0x00000000745AB000-memory.dmp

Filesize
5.7MB

Download
memory/1520-67-0x0000000003B40000-0x0000000004128000-memory.dmp

Filesize
5.9MB

Download
memory/1520-66-0x0000000003B40000-0x0000000004128000-memory.dmp

Filesize
5.9MB

Download
memory/1520-61-0x0000000000000000-mapping.dmp

Download
memory/1520-80-0x0000000003B40000-0x0000000004128000-memory.dmp

Filesize
5.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads