njrat | hxxps://anonfiles[.]com/7eDav0X5yc/Creanix_Executor_zip

Analysis

max time kernel
209s
max time network
208s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
11/02/2023, 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://anonfiles.com/7eDav0X5yc/Creanix_Executor_zip

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

HacKed

existing-ultimate.at.ply.gg:58386

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	paylod.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	RealtekHDAudioo.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	RealtekHDAudioo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	RealtekHDAudioo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	attrib.exe

Executes dropped EXE 3 IoCs

pid	Process
4144	paylod.exe
3212	Nihon.exe
1204	RealtekHDAudioo.exe

Loads dropped DLL 1 IoCs

pid	Process
3212	Nihon.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\RealtekHDAudioo.exe"	paylod.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	RealtekHDAudioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	RealtekHDAudioo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	RealtekHDAudioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	RealtekHDAudioo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = d8bcd69a5bbed801	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 54 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3094ed0f343ed901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{391DF35A-AA27-11ED-9424-F2ECB67C8E21} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "235984580"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "235984580"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31014452"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003685d675a8adc140b6777e2b00533b09000000000200000000001066000000010000200000003f315a6537e1aebe6c4cf3ce1a6b4ea670e8e8c67700c02c27b8caf2c1ff9909000000000e80000000020000200000008eb43a79291a4ff348e05efbc2e241523bc21ce7d96c87bb6732d580efd4c4fe2000000075d31fa20e2c62b470f7c4737f07167edb38d3eac6340aed9751afd9cb3983d14000000069089330763f9c339996cf891d20be4de4a6ac2e12068fe735a86fb01d74be3bf115c8bbe0a5e0c2f866512085524be9a08895608dca2ffc004a03787058c4d2	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f05c6e10343ed901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\anonfiles.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "245830602"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "382913664"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31014452"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DOMStorage\anonfiles.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31014452"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "382945656"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "382897071"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003685d675a8adc140b6777e2b00533b09000000000200000000001066000000010000200000005aed2873ebbd75ca87d3b367cd4942560ca2afbbdf99ba8c67c428ad0337f8d5000000000e800000000200002000000080d4c5417956f44d449b3833cb697c72bf63ea0f803fe54afbb6dc3cbdec53bf20000000e10c43a58700c77933262fa037dae1bd0e1123b336ac3a8c807b5df3889c455f40000000ebeb6a36e3bac02e243aee7c7acf28ef812482f6f79bac8f697b00cabf614198aed48648abf2d8ddf2de9d25607072c477642e0520102b974770fb79d981f18d	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\RepId\PublicId = "{F17DB239-AFE8-412C-8E6B-6E6A87C264AD}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3212	Nihon.exe
3212	Nihon.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	3212	Nihon.exe
Token: SeDebugPrivilege	1204	RealtekHDAudioo.exe
Token: 33	1204	RealtekHDAudioo.exe
Token: SeIncBasePriorityPrivilege	1204	RealtekHDAudioo.exe
Token: 33	1204	RealtekHDAudioo.exe
Token: SeIncBasePriorityPrivilege	1204	RealtekHDAudioo.exe
Token: 33	1204	RealtekHDAudioo.exe
Token: SeIncBasePriorityPrivilege	1204	RealtekHDAudioo.exe
Token: 33	1204	RealtekHDAudioo.exe
Token: SeIncBasePriorityPrivilege	1204	RealtekHDAudioo.exe
Token: 33	1204	RealtekHDAudioo.exe
Token: SeIncBasePriorityPrivilege	1204	RealtekHDAudioo.exe
Token: 33	1204	RealtekHDAudioo.exe
Token: SeIncBasePriorityPrivilege	1204	RealtekHDAudioo.exe
Token: 33	1204	RealtekHDAudioo.exe
Token: SeIncBasePriorityPrivilege	1204	RealtekHDAudioo.exe
Token: 33	1204	RealtekHDAudioo.exe
Token: SeIncBasePriorityPrivilege	1204	RealtekHDAudioo.exe
Token: 33	1204	RealtekHDAudioo.exe
Token: SeIncBasePriorityPrivilege	1204	RealtekHDAudioo.exe
Token: 33	1204	RealtekHDAudioo.exe
Token: SeIncBasePriorityPrivilege	1204	RealtekHDAudioo.exe
Token: 33	1204	RealtekHDAudioo.exe
Token: SeIncBasePriorityPrivilege	1204	RealtekHDAudioo.exe
Token: 33	1204	RealtekHDAudioo.exe
Token: SeIncBasePriorityPrivilege	1204	RealtekHDAudioo.exe
Token: 33	1204	RealtekHDAudioo.exe
Token: SeIncBasePriorityPrivilege	1204	RealtekHDAudioo.exe
Token: 33	1204	RealtekHDAudioo.exe
Token: SeIncBasePriorityPrivilege	1204	RealtekHDAudioo.exe
Token: 33	1204	RealtekHDAudioo.exe
Token: SeIncBasePriorityPrivilege	1204	RealtekHDAudioo.exe
Token: 33	1204	RealtekHDAudioo.exe
Token: SeIncBasePriorityPrivilege	1204	RealtekHDAudioo.exe
Token: 33	1204	RealtekHDAudioo.exe
Token: SeIncBasePriorityPrivilege	1204	RealtekHDAudioo.exe
Token: 33	1204	RealtekHDAudioo.exe
Token: SeIncBasePriorityPrivilege	1204	RealtekHDAudioo.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3520	iexplore.exe
3520	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3520	iexplore.exe
3520	iexplore.exe
4640	IEXPLORE.EXE
4640	IEXPLORE.EXE
4640	IEXPLORE.EXE
4640	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 4640	3520	iexplore.exe	66
PID 3520 wrote to memory of 4640	3520	iexplore.exe	66
PID 3520 wrote to memory of 4640	3520	iexplore.exe	66
PID 2328 wrote to memory of 4144	2328	Creanix.exe	72
PID 2328 wrote to memory of 4144	2328	Creanix.exe	72
PID 2328 wrote to memory of 4144	2328	Creanix.exe	72
PID 2328 wrote to memory of 3212	2328	Creanix.exe	71
PID 2328 wrote to memory of 3212	2328	Creanix.exe	71
PID 2328 wrote to memory of 3212	2328	Creanix.exe	71
PID 4144 wrote to memory of 1204	4144	paylod.exe	74
PID 4144 wrote to memory of 1204	4144	paylod.exe	74
PID 4144 wrote to memory of 1204	4144	paylod.exe	74
PID 4144 wrote to memory of 2716	4144	paylod.exe	75
PID 4144 wrote to memory of 2716	4144	paylod.exe	75
PID 4144 wrote to memory of 2716	4144	paylod.exe	75
PID 1204 wrote to memory of 5024	1204	RealtekHDAudioo.exe	77
PID 1204 wrote to memory of 5024	1204	RealtekHDAudioo.exe	77
PID 1204 wrote to memory of 5024	1204	RealtekHDAudioo.exe	77
PID 1204 wrote to memory of 4016	1204	RealtekHDAudioo.exe	78
PID 1204 wrote to memory of 4016	1204	RealtekHDAudioo.exe	78
PID 1204 wrote to memory of 4016	1204	RealtekHDAudioo.exe	78

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2716	attrib.exe
5024	attrib.exe
4016	attrib.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://anonfiles.com/7eDav0X5yc/Creanix_Executor_zip
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3520 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4640

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4984

C:\Users\Admin\AppData\Local\Temp\Temp1_Creanix Executor.zip\Creanix Executor\Creanix.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Creanix Executor.zip\Creanix Executor\Creanix.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\Nihon.exe
  "C:\Users\Admin\AppData\Local\Temp\Nihon.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3212
- C:\Users\Admin\AppData\Local\Temp\paylod.exe
  "C:\Users\Admin\AppData\Local\Temp\paylod.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4144
- - C:\Users\Admin\AppData\Roaming\RealtekHDAudioo.exe
    "C:\Users\Admin\AppData\Roaming\RealtekHDAudioo.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1204
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
      4⤵
      Drops startup file
      Views/modifies file attributes
      PID:5024
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
      4⤵
      Views/modifies file attributes
      PID:4016
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\Users\Admin\AppData\Roaming\RealtekHDAudioo.exe"
    3⤵
    - Views/modifies file attributes
    PID:2716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
54d6253214f843b2b958ccc313c9d824

SHA1
6458fc1969c53f40b83d11149811cc0acf952a12

SHA256
9452ca2937559277d5c065011cc3f080eab643950189b27605bca71c12e6f10d

SHA512
be04dfda0020d0d907e1f0f0ddc86d4793a27029ac950524333aa37defae511a739af51bf77e51a742f50d73dc03b33771d417b69ea0272da0f02f233f665d52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\83C70E8C88F4EDFCC5A1D8BB501E4F5F

Filesize
503B

MD5
50cabb4b53c5059cbfeaad0c9cd2b4c9

SHA1
2cfd9d2ba00bc250110fa137fd855d6cfeb9a1a4

SHA256
d7343896df67869bac108ccee5e503b1119f8fcd57e1563856f37f5f6f328901

SHA512
d8b4ede7a0f89d80072aef26dfc565ebd38cbd9f44c8f101bfdedf444ab599435ee353c94a0068c3313230af3532ecacf1fa515cdb1ae6b8af81b69f4613e11f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
77a6ecc8b5635e9dcda575da7bc48c67

SHA1
f6958a27835a4e26dc78810148cc45bac3f8c558

SHA256
9953c9ba69c325f59575aeef704b379e8f210ba29e5e1be2578643bc158660fb

SHA512
075638fc425405c58bee7f42e933734479ef52394ada71047861e5b04563da0d6ac779249b6750f37bafcec9a2f84eadb15022cb5b3753ee9fd87e9da5b402d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
14e8456e0f2d970de97535c8874f9929

SHA1
eb643fdac451806b53a1c76f738d20c4963022d3

SHA256
c56c12bec71a5633f82d02f2f319f2a8bd2a08c53f309b4a32f2fd00f042bc1c

SHA512
5e650b82b0ae17c0d9d894c3d7d8398787633ee4dd484615bb855eac97af457d4aa5a7fcab498511b113c75034ecfb138d676626c4b482a15ff016b842a02ddb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\83C70E8C88F4EDFCC5A1D8BB501E4F5F

Filesize
548B

MD5
ef3f48a7e8315cefc917781e55ce5c59

SHA1
1c9fab2f7100010f54b69335f3dd1ff9e7d095da

SHA256
2fe18fe4e1c030d859a4017d7173b62cb4a14b18a9418c2a94c15e36c15bd61c

SHA512
37322f0a978d77711c5a6f0bf624db851afa88936a46c8dbd89e54c2e1e18a209fe622d3ddaa73cd41dbaefce094e42e5aeffc22e1d4f4339d9cab3f4ab2c184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\EVRHKMT2.cookie

Filesize
610B

MD5
2aa6f2a4f3f90a39e1029a46e3a73d64

SHA1
3e12a855a303d4ca8f770f92ccdc0949a1b61008

SHA256
87e37191376c245a7c499296048afc03101b129b7dff6170d938bf471a28e607

SHA512
765eef88893e62192cdcc1cbb4011074961e7f74e2ed95c3934fede5d3a9e072fad4a704bd16705e212cee71aabefa577bf2c1930a68453e4f0ab7a5e422421f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\FFZEVAS7.cookie

Filesize
181B

MD5
50afa3cd17cc9a9db73c0cab2771125b

SHA1
39574b9cb46aa5b7159c2b8451385db758c94654

SHA256
498e34fa7b5ebc1fc4cc95189f25714eed89f83f4b531baf63c0d5edaf51c2f1

SHA512
9f878eb43027e63b085b2394824586ba60f7093ab10dcb038124ce8462e117b461d445881322ffc13f4832d53935ee1c083c3915707bf2173dd6ab91b5e01e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nihon.exe

Filesize
7.1MB

MD5
0770b122545119afb2c4e87a2b6732ef

SHA1
d644fb9b8fead525dae31c75ad58afff3d90e33d

SHA256
6b2b4ba436ffb3f5cb5872a1c590c8504a26a2d003cb872313fc722222ea6cc6

SHA512
fd1660b22b04656f9b87dccf1b130da356557aacca34ef19472a4a79ac28330ff2b55427f7062c32a71e642417e2eb64d2edced80c48d0d4001c0905b1d3ae37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nihon.exe

Filesize
7.1MB

MD5
0770b122545119afb2c4e87a2b6732ef

SHA1
d644fb9b8fead525dae31c75ad58afff3d90e33d

SHA256
6b2b4ba436ffb3f5cb5872a1c590c8504a26a2d003cb872313fc722222ea6cc6

SHA512
fd1660b22b04656f9b87dccf1b130da356557aacca34ef19472a4a79ac28330ff2b55427f7062c32a71e642417e2eb64d2edced80c48d0d4001c0905b1d3ae37

Download Submit
C:\Users\Admin\AppData\Local\Temp\paylod.exe

Filesize
26KB

MD5
505515da146939087afa69dbeff3dc33

SHA1
43bc8403fcc0ce7f0d0c006e7b7f0e4cb5df5107

SHA256
408ef4ae6a05133068975f3139fa2406068788b4d14abed0fff3ab7fd05a1a28

SHA512
99adad94f08f120227940db33274cd85716352a4d7e9c0bcc5103240ab4cab1dcc934ec5bee6185b1527a32e4ce1ef4b79febacd6f5a6c7413144932da8e208e

Download Submit
C:\Users\Admin\AppData\Local\Temp\paylod.exe

Filesize
26KB

MD5
505515da146939087afa69dbeff3dc33

SHA1
43bc8403fcc0ce7f0d0c006e7b7f0e4cb5df5107

SHA256
408ef4ae6a05133068975f3139fa2406068788b4d14abed0fff3ab7fd05a1a28

SHA512
99adad94f08f120227940db33274cd85716352a4d7e9c0bcc5103240ab4cab1dcc934ec5bee6185b1527a32e4ce1ef4b79febacd6f5a6c7413144932da8e208e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe

Filesize
26KB

MD5
505515da146939087afa69dbeff3dc33

SHA1
43bc8403fcc0ce7f0d0c006e7b7f0e4cb5df5107

SHA256
408ef4ae6a05133068975f3139fa2406068788b4d14abed0fff3ab7fd05a1a28

SHA512
99adad94f08f120227940db33274cd85716352a4d7e9c0bcc5103240ab4cab1dcc934ec5bee6185b1527a32e4ce1ef4b79febacd6f5a6c7413144932da8e208e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Filesize
1KB

MD5
8372a71624532f16cbdc043457a5fdac

SHA1
e2d18e2d23cc42eb0770281013bba409598acd10

SHA256
bf164f00ec0e138ac2942302ce72202620c388c03b57bf3206afb1e31bb9db78

SHA512
559619fec0094372a2a644e5b202dceff7c274958ab48bcccbec79c5ad521da253be5527710eb057e03948c67a2b45f51fb06e43d3aa6acbb7296e68cabbe96b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Filesize
1KB

MD5
66b139a6480fc3766322583c1dacddcd

SHA1
0c5c596960735a4e48c224aac2cf0992222be905

SHA256
16baa7555cd33b8420b59d37dcb9cc50427b40067c92f29682c08b5f9452c770

SHA512
e4b9619ec4b7bb818b6dbd15e56c842a7ac7db5a7779a3b7efadf394274fc4a0572de0d4c660de0b422d795ed435b9dd4f59b8bac4a589ae828c625b49cd50aa

Download Submit
C:\Users\Admin\AppData\Roaming\RealtekHDAudioo.exe

Filesize
26KB

MD5
505515da146939087afa69dbeff3dc33

SHA1
43bc8403fcc0ce7f0d0c006e7b7f0e4cb5df5107

SHA256
408ef4ae6a05133068975f3139fa2406068788b4d14abed0fff3ab7fd05a1a28

SHA512
99adad94f08f120227940db33274cd85716352a4d7e9c0bcc5103240ab4cab1dcc934ec5bee6185b1527a32e4ce1ef4b79febacd6f5a6c7413144932da8e208e

Download Submit
C:\Users\Admin\AppData\Roaming\RealtekHDAudioo.exe

Filesize
26KB

MD5
505515da146939087afa69dbeff3dc33

SHA1
43bc8403fcc0ce7f0d0c006e7b7f0e4cb5df5107

SHA256
408ef4ae6a05133068975f3139fa2406068788b4d14abed0fff3ab7fd05a1a28

SHA512
99adad94f08f120227940db33274cd85716352a4d7e9c0bcc5103240ab4cab1dcc934ec5bee6185b1527a32e4ce1ef4b79febacd6f5a6c7413144932da8e208e

Download Submit
C:\Users\Admin\Downloads\Creanix Executor.zip.pkmaycv.partial

Filesize
7.9MB

MD5
c52d996a4b4d222ed3838a73fb151484

SHA1
a4a13a7b93a0beb42386161d4d46c727dd43df0a

SHA256
f3a361a261b682e7a5c40e5af4f24edfdfdff229b3859c9ec0d9e162fba190e5

SHA512
5ab120d712b5b5fdf8d7fb79153d00e13d47d5b5400d6cee42186997f65dac761b7b13260a96a154f6b927688998401e9a2bb6f598bf72d5b4cfa8d2ac324de8

Download Submit
\Users\Admin\AppData\Local\Temp\dc1a346e22544b9a88c270d74454b40c\WebView2Loader.dll

Filesize
107KB

MD5
0fc6f5b0b3babdf352024844d2a756d5

SHA1
1b58e7c0ff1d1cd83d9aed80c8d75d8bc2b163e8

SHA256
77a2a3097c0af6e884d2f7643dfe38094453309dd2433c33730fca10a0477411

SHA512
81942fe24fdb0977ffc4e19046af49cdb3cfd4660d75a4e8f5a5db399275c9641a2615bf01c94b74fed044730144b0969160a2eaccf274ee4aae6c595e5abe15

Download Submit
memory/1204-441-0x0000000005B90000-0x0000000005C22000-memory.dmp

Filesize
584KB

Download
memory/1204-449-0x0000000005B60000-0x0000000005B6A000-memory.dmp

Filesize
40KB

Download
memory/1204-458-0x0000000005DB0000-0x0000000005E16000-memory.dmp

Filesize
408KB

Download
memory/2328-166-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-177-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-141-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-142-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-143-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-146-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-145-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-144-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-148-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-149-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-150-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-147-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-151-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-152-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-153-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-154-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-155-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-156-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-157-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-158-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-159-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-161-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-162-0x000000006E7A0000-0x000000006ED50000-memory.dmp

Filesize
5.7MB

Download
memory/2328-163-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-160-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-164-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-165-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-139-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-167-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-168-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-169-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-170-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-171-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-172-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-173-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-175-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-174-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-176-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-178-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-140-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-179-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-181-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-180-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-123-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-124-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-125-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-126-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-127-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-138-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-128-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-129-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-195-0x000000006E7A0000-0x000000006ED50000-memory.dmp

Filesize
5.7MB

Download
memory/2328-130-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-131-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-137-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-134-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-136-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/2328-135-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3212-190-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3212-312-0x0000000005910000-0x0000000005D14000-memory.dmp

Filesize
4.0MB

Download
memory/3212-316-0x00000000056B0000-0x00000000056CA000-memory.dmp

Filesize
104KB

Download
memory/3212-317-0x0000000005F20000-0x0000000005FD2000-memory.dmp

Filesize
712KB

Download
memory/3212-333-0x000000000A270000-0x000000000A278000-memory.dmp

Filesize
32KB

Download
memory/3212-341-0x000000000C160000-0x000000000C198000-memory.dmp

Filesize
224KB

Download
memory/3212-192-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/3212-265-0x0000000000700000-0x0000000000E14000-memory.dmp

Filesize
7.1MB

Download
memory/4144-188-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4144-186-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4144-193-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4144-191-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4144-296-0x00000000062E0000-0x00000000067DE000-memory.dmp

Filesize
5.0MB

Download
memory/4144-262-0x0000000000C40000-0x0000000000C4C000-memory.dmp

Filesize
48KB

Download
memory/4144-266-0x0000000005480000-0x000000000551C000-memory.dmp

Filesize
624KB

Download
memory/4144-185-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download
memory/4144-184-0x0000000077B00000-0x0000000077C8E000-memory.dmp

Filesize
1.6MB

Download