njrat | hxxp://redirme[.]com/2gd5

General

Target

http://redirme.com/2gd5

Score

10^/10

njrat evasion trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 1 IoCs

Processes:

server.exe

pid process

1960 server.exe
Modifies Windows Firewall 1 TTPs 3 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exe

pid process

2284 netsh.exe
2640 netsh.exe
1324 netsh.exe

pid	process
1960	server.exe

pid	process
2284	netsh.exe
2640	netsh.exe
1324	netsh.exe

Drops startup file 6 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8034375930e00022c56fc91cfb3d8ba2Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8034375930e00022c56fc91cfb3d8ba2Windows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows_hh.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows_hh.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe

Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

server.exe

description ioc process

File created C:\autorun.inf server.exe
File opened for modification C:\autorun.inf server.exe

description	ioc	process
File created	C:\autorun.inf	server.exe
File opened for modification	C:\autorun.inf	server.exe

Drops file in System32 directory 2 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Windows_hh.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Windows_hh.exe	server.exe

Drops file in Program Files directory 2 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows_hh.exe	server.exe
File opened for modification	C:\Program Files (x86)\Windows_hh.exe	server.exe

Drops file in Windows directory 2 IoCs

Processes:

omg.exeserver.exe

description ioc process

File created C:\Windows\server.exe omg.exe
File opened for modification C:\Windows\server.exe server.exe

description	ioc	process
File created	C:\Windows\server.exe	omg.exe
File opened for modification	C:\Windows\server.exe	server.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exetaskmgr.exeserver.exetaskmgr.exe

pid	process
2140	chrome.exe
2160	chrome.exe
2176	chrome.exe
2168	chrome.exe
2000	chrome.exe
2408	chrome.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
2156	taskmgr.exe
2156	taskmgr.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe
1960	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

1960 server.exe

pid	process
1960	server.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

taskmgr.exeserver.exetaskmgr.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	2560	taskmgr.exe
Token: SeDebugPrivilege	1960	server.exe
Token: SeDebugPrivilege	2156	taskmgr.exe
Token: SeDebugPrivilege	2892	taskmgr.exe

Suspicious use of FindShellTrayWindow 49 IoCs

Processes:

taskmgr.exetaskmgr.exetaskmgr.exe

pid	process
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2892	taskmgr.exe
2892	taskmgr.exe
2892	taskmgr.exe
2892	taskmgr.exe
2892	taskmgr.exe
2892	taskmgr.exe
2892	taskmgr.exe
2892	taskmgr.exe
2892	taskmgr.exe
2892	taskmgr.exe
2892	taskmgr.exe
2892	taskmgr.exe
2892	taskmgr.exe
2892	taskmgr.exe

Suspicious use of SendNotifyMessage 49 IoCs

Processes:

taskmgr.exetaskmgr.exetaskmgr.exe

pid	process
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2560	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2156	taskmgr.exe
2892	taskmgr.exe
2892	taskmgr.exe
2892	taskmgr.exe
2892	taskmgr.exe
2892	taskmgr.exe
2892	taskmgr.exe
2892	taskmgr.exe
2892	taskmgr.exe
2892	taskmgr.exe
2892	taskmgr.exe
2892	taskmgr.exe
2892	taskmgr.exe
2892	taskmgr.exe
2892	taskmgr.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

chrome.exeomg.exeserver.exe

description	pid	process	target process
PID 1040 wrote to memory of 832	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 832	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 832	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2080	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2160	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2160	1040	chrome.exe	chrome.exe
PID 1040 wrote to memory of 2160	1040	chrome.exe	chrome.exe
PID 2932 wrote to memory of 1960	2932	omg.exe	server.exe
PID 2932 wrote to memory of 1960	2932	omg.exe	server.exe
PID 2932 wrote to memory of 1960	2932	omg.exe	server.exe
PID 2932 wrote to memory of 1960	2932	omg.exe	server.exe
PID 1960 wrote to memory of 1324	1960	server.exe	netsh.exe
PID 1960 wrote to memory of 1324	1960	server.exe	netsh.exe
PID 1960 wrote to memory of 1324	1960	server.exe	netsh.exe
PID 1960 wrote to memory of 1324	1960	server.exe	netsh.exe
PID 1960 wrote to memory of 2284	1960	server.exe	netsh.exe
PID 1960 wrote to memory of 2284	1960	server.exe	netsh.exe
PID 1960 wrote to memory of 2284	1960	server.exe	netsh.exe
PID 1960 wrote to memory of 2284	1960	server.exe	netsh.exe
PID 1960 wrote to memory of 2640	1960	server.exe	netsh.exe
PID 1960 wrote to memory of 2640	1960	server.exe	netsh.exe
PID 1960 wrote to memory of 2640	1960	server.exe	netsh.exe
PID 1960 wrote to memory of 2640	1960	server.exe	netsh.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" http://redirme.com/2gd5
1⤵
- Suspicious use of WriteProcessMemory
PID:1040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5c34f50,0x7fef5c34f60,0x7fef5c34f70
2⤵
PID:832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1004,15441852032738297967,18398560783887496536,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1028 /prefetch:2
2⤵
PID:2080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1004,15441852032738297967,18398560783887496536,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1348 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1080,6726707779826935345,10118923632023727960,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1104 /prefetch:2
1⤵
PID:2096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1112,6637182635760099983,9747868893931198619,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1124 /prefetch:2
1⤵
PID:2088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1120,15599078079414865744,10429508138205893098,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1128 /prefetch:2
1⤵
PID:2132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1112,6637182635760099983,9747868893931198619,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1360 /prefetch:8
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1120,15599078079414865744,10429508138205893098,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1376 /prefetch:8
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1080,6726707779826935345,10118923632023727960,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1312 /prefetch:8
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1112,6637182635760099983,9747868893931198619,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 /prefetch:8
1⤵
PID:2420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,6637182635760099983,9747868893931198619,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1996 /prefetch:1
1⤵
PID:2520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,6637182635760099983,9747868893931198619,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2024 /prefetch:1
1⤵
PID:2528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,6637182635760099983,9747868893931198619,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2396 /prefetch:1
1⤵
PID:2648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,6637182635760099983,9747868893931198619,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3544 /prefetch:8
1⤵
PID:2824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,6637182635760099983,9747868893931198619,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2868 /prefetch:1
1⤵
PID:2876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1112,6637182635760099983,9747868893931198619,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2032 /prefetch:2
1⤵
PID:2980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,6637182635760099983,9747868893931198619,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2636 /prefetch:1
1⤵
PID:2284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,6637182635760099983,9747868893931198619,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
1⤵
PID:2684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,6637182635760099983,9747868893931198619,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4436 /prefetch:8
1⤵
PID:2368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,6637182635760099983,9747868893931198619,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:1
1⤵
PID:2492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,6637182635760099983,9747868893931198619,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
1⤵
PID:2084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,6637182635760099983,9747868893931198619,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5144 /prefetch:8
1⤵
PID:552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,6637182635760099983,9747868893931198619,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5180 /prefetch:8
1⤵
PID:1572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,6637182635760099983,9747868893931198619,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
1⤵
PID:280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1112,6637182635760099983,9747868893931198619,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4688 /prefetch:8
1⤵
PID:2564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1112,6637182635760099983,9747868893931198619,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4456 /prefetch:8
1⤵
PID:2872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,6637182635760099983,9747868893931198619,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
1⤵
PID:2952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1112,6637182635760099983,9747868893931198619,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5904 /prefetch:8
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1112,6637182635760099983,9747868893931198619,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3884 /prefetch:8
1⤵
PID:2148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1112,6637182635760099983,9747868893931198619,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3756 /prefetch:8
1⤵
PID:1696

C:\Users\Admin\Downloads\omg.exe
"C:\Users\Admin\Downloads\omg.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\server.exe
"C:\Windows\server.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1324

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Windows\server.exe"
3⤵
- Modifies Windows Firewall
PID:2284

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:2640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1112,6637182635760099983,9747868893931198619,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4016 /prefetch:8
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2408

C:\Users\Admin\Downloads\omg.exe
"C:\Users\Admin\Downloads\omg.exe"
1⤵
PID:2132

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1112,6637182635760099983,9747868893931198619,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1200 /prefetch:8
1⤵
PID:2500

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2156

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2892

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FransescoPast.txt
Filesize
68B

MD5
5d1ca92a2ff501a2e5b14c81cf976611

SHA1
33878a56a565bb02b93361adce0561190c4983e5

SHA256
517a564b158762553aae8df5c8ee0b84487ccbbb489cac4408341c975d878dec

SHA512
340fafda6afd8f2463345afcee5c5f743fb4248e77fd8049a2534c12fdc65ce76d1196c4cd808335f84f668dacdca07fdc242ff3cd0704358929222525e9821f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FransescoPast.txt
Filesize
68B

MD5
5d1ca92a2ff501a2e5b14c81cf976611

SHA1
33878a56a565bb02b93361adce0561190c4983e5

SHA256
517a564b158762553aae8df5c8ee0b84487ccbbb489cac4408341c975d878dec

SHA512
340fafda6afd8f2463345afcee5c5f743fb4248e77fd8049a2534c12fdc65ce76d1196c4cd808335f84f668dacdca07fdc242ff3cd0704358929222525e9821f

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
4B

MD5
c6bdbc9d86009ccf7e8de878c9603213

SHA1
2a4b8716f978f2d107bcd8294b486a5ee45afe6e

SHA256
36a067fdfcee95eb270f0b72e3b9e40d52c907d749fb9a8490d82f8ee56b29eb

SHA512
c42a52cd8837e2533b3d5ec97639f0c94287e3d7a6c73635c21df50eba8483b60df15bf262a308836875cd9afed504e7f98a2f6b254e4181fe548b1853d42256

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
4B

MD5
c6bdbc9d86009ccf7e8de878c9603213

SHA1
2a4b8716f978f2d107bcd8294b486a5ee45afe6e

SHA256
36a067fdfcee95eb270f0b72e3b9e40d52c907d749fb9a8490d82f8ee56b29eb

SHA512
c42a52cd8837e2533b3d5ec97639f0c94287e3d7a6c73635c21df50eba8483b60df15bf262a308836875cd9afed504e7f98a2f6b254e4181fe548b1853d42256

Download Submit
C:\Windows\server.exe
Filesize
144KB

MD5
041c89019d22777cdc1a1eb7fe70a603

SHA1
e9be7747b6826cb0ac35975e871d6ce2d153ffd8

SHA256
411b4514473de704428e3b72dc5d3a676ae8a355057711be00cfbd4f1f61bcfa

SHA512
99c3034bb0e8bf1fc241a7741a1b8036f7a3ba1632d3a8e4f520be8fd36a5664ded52a31505947be14a2e884ef3dd2894b743099ad5ac6bf9a5061b9fc8785ac

Download Submit
C:\Windows\server.exe
Filesize
144KB

MD5
041c89019d22777cdc1a1eb7fe70a603

SHA1
e9be7747b6826cb0ac35975e871d6ce2d153ffd8

SHA256
411b4514473de704428e3b72dc5d3a676ae8a355057711be00cfbd4f1f61bcfa

SHA512
99c3034bb0e8bf1fc241a7741a1b8036f7a3ba1632d3a8e4f520be8fd36a5664ded52a31505947be14a2e884ef3dd2894b743099ad5ac6bf9a5061b9fc8785ac

Download Submit
\??\pipe\crashpad_1040_PPYXVTIJXXTGCLHI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1324-66-0x0000000000000000-mapping.dmp

Download
memory/1960-58-0x0000000000000000-mapping.dmp

Download
memory/1960-65-0x00000000742B0000-0x000000007485B000-memory.dmp

Filesize
5.7MB

Download
memory/1960-68-0x00000000742B0000-0x000000007485B000-memory.dmp

Filesize
5.7MB

Download
memory/2132-73-0x00000000742B0000-0x000000007485B000-memory.dmp

Filesize
5.7MB

Download
memory/2132-70-0x00000000742B0000-0x000000007485B000-memory.dmp

Filesize
5.7MB

Download
memory/2284-79-0x0000000000000000-mapping.dmp

Download
memory/2560-74-0x000007FEFB771000-0x000007FEFB773000-memory.dmp

Filesize
8KB

Download
memory/2560-75-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2560-76-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2640-80-0x0000000000000000-mapping.dmp

Download
memory/2932-55-0x0000000074D81000-0x0000000074D83000-memory.dmp

Filesize
8KB

Download
memory/2932-56-0x00000000742B0000-0x000000007485B000-memory.dmp

Filesize
5.7MB

Download
memory/2932-57-0x00000000742B0000-0x000000007485B000-memory.dmp

Filesize
5.7MB

Download
memory/2932-62-0x00000000742B0000-0x000000007485B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads