njrat | dc3ec70f6daa71429bee069cdce1d600db4ad9d054ac745dba2310c624d193fa

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2023, 00:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Project 1.exe
Size

7.9MB
MD5

b1c2fc17bdfc63a9c9a38fd50b5ef56f
SHA1

399bc3892ea9558b44c48c35a116e68ea10ffcbf
SHA256

dc3ec70f6daa71429bee069cdce1d600db4ad9d054ac745dba2310c624d193fa
SHA512

55f5e9c6b2f5bac36cd31c2ca69ff627eaecdf61abdb33f530744fcd352edda256a7079be0b261cbc6a7f20bb6940c1b1ff1b1e2a622a514647afa675957ef09
SSDEEP

196608:eLo2IyBOU7KIUPwVRQTBmvuwIhCMwt1/okm:eM2T57KNPwVRQUfbfjtm

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

considered-arrest.at.ply.gg:19159

Mutex

45dc89a20c39cab97b1d3cdf088b928f

Attributes

reg_key
45dc89a20c39cab97b1d3cdf088b928f
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	PandorahVNC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	persiste Module.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	persiste Module.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	New Project 1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	._cache_New Project 1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 9 IoCs

pid	Process
2164	._cache_New Project 1.exe
540	Synaptics.exe
3188	._cache_Synaptics.exe
3976	PandorahVNC.exe
5032	persiste Module.exe
1352	._cache_PandorahVNC.exe
2428	persiste Module.exe
4416	._cache_persiste Module.exe
1628	._cache_persiste Module.exe

Loads dropped DLL 2 IoCs

pid	Process
2428	persiste Module.exe
2428	persiste Module.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	New Project 1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2244	1352	WerFault.exe	92

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	New Project 1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	PandorahVNC.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	._cache_persiste Module.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_New Project 1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	._cache_Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	persiste Module.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	persiste Module.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
880	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1352	._cache_PandorahVNC.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
880	EXCEL.EXE
880	EXCEL.EXE
880	EXCEL.EXE
880	EXCEL.EXE
216	OpenWith.exe
216	OpenWith.exe
216	OpenWith.exe
216	OpenWith.exe
216	OpenWith.exe
880	EXCEL.EXE
216	OpenWith.exe
216	OpenWith.exe
216	OpenWith.exe
216	OpenWith.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 2164	1636	New Project 1.exe	86
PID 1636 wrote to memory of 2164	1636	New Project 1.exe	86
PID 1636 wrote to memory of 2164	1636	New Project 1.exe	86
PID 1636 wrote to memory of 540	1636	New Project 1.exe	87
PID 1636 wrote to memory of 540	1636	New Project 1.exe	87
PID 1636 wrote to memory of 540	1636	New Project 1.exe	87
PID 540 wrote to memory of 3188	540	Synaptics.exe	88
PID 540 wrote to memory of 3188	540	Synaptics.exe	88
PID 540 wrote to memory of 3188	540	Synaptics.exe	88
PID 2164 wrote to memory of 3976	2164	._cache_New Project 1.exe	89
PID 2164 wrote to memory of 3976	2164	._cache_New Project 1.exe	89
PID 2164 wrote to memory of 3976	2164	._cache_New Project 1.exe	89
PID 2164 wrote to memory of 5032	2164	._cache_New Project 1.exe	90
PID 2164 wrote to memory of 5032	2164	._cache_New Project 1.exe	90
PID 2164 wrote to memory of 5032	2164	._cache_New Project 1.exe	90
PID 3976 wrote to memory of 1352	3976	PandorahVNC.exe	92
PID 3976 wrote to memory of 1352	3976	PandorahVNC.exe	92
PID 3976 wrote to memory of 1352	3976	PandorahVNC.exe	92
PID 3188 wrote to memory of 2428	3188	._cache_Synaptics.exe	93
PID 3188 wrote to memory of 2428	3188	._cache_Synaptics.exe	93
PID 3188 wrote to memory of 2428	3188	._cache_Synaptics.exe	93
PID 5032 wrote to memory of 4416	5032	persiste Module.exe	94
PID 5032 wrote to memory of 4416	5032	persiste Module.exe	94
PID 5032 wrote to memory of 4416	5032	persiste Module.exe	94
PID 2428 wrote to memory of 1628	2428	persiste Module.exe	95
PID 2428 wrote to memory of 1628	2428	persiste Module.exe	95
PID 2428 wrote to memory of 1628	2428	persiste Module.exe	95

C:\Users\Admin\AppData\Local\Temp\New Project 1.exe
"C:\Users\Admin\AppData\Local\Temp\New Project 1.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\AppData\Local\Temp\._cache_New Project 1.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_New Project 1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe
    "C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - C:\Users\Admin\AppData\Local\Temp\._cache_PandorahVNC.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_PandorahVNC.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1352
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 1856
        5⤵
        Program crash
        
        PID:2244
- - C:\Users\Admin\AppData\Local\Temp\persiste Module.exe
    "C:\Users\Admin\AppData\Local\Temp\persiste Module.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5032
  - - C:\Users\Admin\AppData\Local\Temp\._cache_persiste Module.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_persiste Module.exe"
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:4416
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3188
  - - C:\Users\Admin\AppData\Local\Temp\persiste Module.exe
      "C:\Users\Admin\AppData\Local\Temp\persiste Module.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\Users\Admin\AppData\Local\Temp\._cache_persiste Module.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_persiste Module.exe"
        5⤵
        Executes dropped EXE
        
        PID:1628

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1352 -ip 1352
1⤵
PID:4824

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
7.9MB

MD5
b1c2fc17bdfc63a9c9a38fd50b5ef56f

SHA1
399bc3892ea9558b44c48c35a116e68ea10ffcbf

SHA256
dc3ec70f6daa71429bee069cdce1d600db4ad9d054ac745dba2310c624d193fa

SHA512
55f5e9c6b2f5bac36cd31c2ca69ff627eaecdf61abdb33f530744fcd352edda256a7079be0b261cbc6a7f20bb6940c1b1ff1b1e2a622a514647afa675957ef09

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
7.9MB

MD5
b1c2fc17bdfc63a9c9a38fd50b5ef56f

SHA1
399bc3892ea9558b44c48c35a116e68ea10ffcbf

SHA256
dc3ec70f6daa71429bee069cdce1d600db4ad9d054ac745dba2310c624d193fa

SHA512
55f5e9c6b2f5bac36cd31c2ca69ff627eaecdf61abdb33f530744fcd352edda256a7079be0b261cbc6a7f20bb6940c1b1ff1b1e2a622a514647afa675957ef09

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
7.9MB

MD5
b1c2fc17bdfc63a9c9a38fd50b5ef56f

SHA1
399bc3892ea9558b44c48c35a116e68ea10ffcbf

SHA256
dc3ec70f6daa71429bee069cdce1d600db4ad9d054ac745dba2310c624d193fa

SHA512
55f5e9c6b2f5bac36cd31c2ca69ff627eaecdf61abdb33f530744fcd352edda256a7079be0b261cbc6a7f20bb6940c1b1ff1b1e2a622a514647afa675957ef09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\._cache_persiste Module.exe.log

Filesize
319B

MD5
da4fafeffe21b7cb3a8c170ca7911976

SHA1
50ef77e2451ab60f93f4db88325b897d215be5ad

SHA256
7341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7

SHA512
0bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_New Project 1.exe

Filesize
7.2MB

MD5
0ecfd1d18a2bfe0be78b5ebae1f60872

SHA1
8ac431400f364a19803899475264993a02e01300

SHA256
63c6c51d671fe6add62a536301244ec07ef433d009321884c86d6419f00cabe2

SHA512
604c66ee707653a26df338ca4f113c2284074436cd7a589394c7cb5cb61fdf0aaa7a8eeaf580000195bb5a9a253506484cda9bdf1139aa169b084a27569549fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_New Project 1.exe

Filesize
7.2MB

MD5
0ecfd1d18a2bfe0be78b5ebae1f60872

SHA1
8ac431400f364a19803899475264993a02e01300

SHA256
63c6c51d671fe6add62a536301244ec07ef433d009321884c86d6419f00cabe2

SHA512
604c66ee707653a26df338ca4f113c2284074436cd7a589394c7cb5cb61fdf0aaa7a8eeaf580000195bb5a9a253506484cda9bdf1139aa169b084a27569549fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_New Project 1.exe

Filesize
7.2MB

MD5
0ecfd1d18a2bfe0be78b5ebae1f60872

SHA1
8ac431400f364a19803899475264993a02e01300

SHA256
63c6c51d671fe6add62a536301244ec07ef433d009321884c86d6419f00cabe2

SHA512
604c66ee707653a26df338ca4f113c2284074436cd7a589394c7cb5cb61fdf0aaa7a8eeaf580000195bb5a9a253506484cda9bdf1139aa169b084a27569549fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_PandorahVNC.exe

Filesize
3.3MB

MD5
bdf57bb779169e0e76dd7ef9b962a3a8

SHA1
8635cd15e6ca3929aabe49ccf8202621e8fd624a

SHA256
e612636863efc9d4963a7bd65dcd5e30b612af8a35122a88cc5d500f680860d9

SHA512
40b0f0db351a8247f96b4848562d8f806451495b08179344101141c805b2b07707edebfb1792ba7f567ca2139cdec1de0c45b3c3694ee5f2e4111575cc1ac355

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_PandorahVNC.exe

Filesize
3.3MB

MD5
bdf57bb779169e0e76dd7ef9b962a3a8

SHA1
8635cd15e6ca3929aabe49ccf8202621e8fd624a

SHA256
e612636863efc9d4963a7bd65dcd5e30b612af8a35122a88cc5d500f680860d9

SHA512
40b0f0db351a8247f96b4848562d8f806451495b08179344101141c805b2b07707edebfb1792ba7f567ca2139cdec1de0c45b3c3694ee5f2e4111575cc1ac355

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_PandorahVNC.exe

Filesize
3.3MB

MD5
bdf57bb779169e0e76dd7ef9b962a3a8

SHA1
8635cd15e6ca3929aabe49ccf8202621e8fd624a

SHA256
e612636863efc9d4963a7bd65dcd5e30b612af8a35122a88cc5d500f680860d9

SHA512
40b0f0db351a8247f96b4848562d8f806451495b08179344101141c805b2b07707edebfb1792ba7f567ca2139cdec1de0c45b3c3694ee5f2e4111575cc1ac355

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
7.2MB

MD5
0ecfd1d18a2bfe0be78b5ebae1f60872

SHA1
8ac431400f364a19803899475264993a02e01300

SHA256
63c6c51d671fe6add62a536301244ec07ef433d009321884c86d6419f00cabe2

SHA512
604c66ee707653a26df338ca4f113c2284074436cd7a589394c7cb5cb61fdf0aaa7a8eeaf580000195bb5a9a253506484cda9bdf1139aa169b084a27569549fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
7.2MB

MD5
0ecfd1d18a2bfe0be78b5ebae1f60872

SHA1
8ac431400f364a19803899475264993a02e01300

SHA256
63c6c51d671fe6add62a536301244ec07ef433d009321884c86d6419f00cabe2

SHA512
604c66ee707653a26df338ca4f113c2284074436cd7a589394c7cb5cb61fdf0aaa7a8eeaf580000195bb5a9a253506484cda9bdf1139aa169b084a27569549fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_persiste Module.exe

Filesize
37KB

MD5
1ab74a6ae9e8672aec208d40553e0f46

SHA1
78b5e911a1dba6bdefab5a551a3c86a7c67c546f

SHA256
76efed220ef62db6c1f3ddf21bbc44b1614d406d09f4373d4c4dd8131635e526

SHA512
b3618d1daacb51cbdd777b7db815bfae1419b0f0ca22eff1a1af969aa3dfe86bcde1dfbd259f3000fa2bf35426aec35cfadb93cf5afafaa3feef7529d2cc8c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_persiste Module.exe

Filesize
37KB

MD5
1ab74a6ae9e8672aec208d40553e0f46

SHA1
78b5e911a1dba6bdefab5a551a3c86a7c67c546f

SHA256
76efed220ef62db6c1f3ddf21bbc44b1614d406d09f4373d4c4dd8131635e526

SHA512
b3618d1daacb51cbdd777b7db815bfae1419b0f0ca22eff1a1af969aa3dfe86bcde1dfbd259f3000fa2bf35426aec35cfadb93cf5afafaa3feef7529d2cc8c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_persiste Module.exe

Filesize
37KB

MD5
1ab74a6ae9e8672aec208d40553e0f46

SHA1
78b5e911a1dba6bdefab5a551a3c86a7c67c546f

SHA256
76efed220ef62db6c1f3ddf21bbc44b1614d406d09f4373d4c4dd8131635e526

SHA512
b3618d1daacb51cbdd777b7db815bfae1419b0f0ca22eff1a1af969aa3dfe86bcde1dfbd259f3000fa2bf35426aec35cfadb93cf5afafaa3feef7529d2cc8c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_persiste Module.exe

Filesize
37KB

MD5
1ab74a6ae9e8672aec208d40553e0f46

SHA1
78b5e911a1dba6bdefab5a551a3c86a7c67c546f

SHA256
76efed220ef62db6c1f3ddf21bbc44b1614d406d09f4373d4c4dd8131635e526

SHA512
b3618d1daacb51cbdd777b7db815bfae1419b0f0ca22eff1a1af969aa3dfe86bcde1dfbd259f3000fa2bf35426aec35cfadb93cf5afafaa3feef7529d2cc8c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_persiste Module.exe

Filesize
37KB

MD5
1ab74a6ae9e8672aec208d40553e0f46

SHA1
78b5e911a1dba6bdefab5a551a3c86a7c67c546f

SHA256
76efed220ef62db6c1f3ddf21bbc44b1614d406d09f4373d4c4dd8131635e526

SHA512
b3618d1daacb51cbdd777b7db815bfae1419b0f0ca22eff1a1af969aa3dfe86bcde1dfbd259f3000fa2bf35426aec35cfadb93cf5afafaa3feef7529d2cc8c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_persiste Module.exe

Filesize
37KB

MD5
1ab74a6ae9e8672aec208d40553e0f46

SHA1
78b5e911a1dba6bdefab5a551a3c86a7c67c546f

SHA256
76efed220ef62db6c1f3ddf21bbc44b1614d406d09f4373d4c4dd8131635e526

SHA512
b3618d1daacb51cbdd777b7db815bfae1419b0f0ca22eff1a1af969aa3dfe86bcde1dfbd259f3000fa2bf35426aec35cfadb93cf5afafaa3feef7529d2cc8c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\EJ5pGRiY.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe

Filesize
4.0MB

MD5
c08e003e9318a3c44e3b399d618900ea

SHA1
f4fb5d72dda68c0b209b73b514393da10937b641

SHA256
1807d0e8ad33486f3eb4ce7e254adc9b5df1c66dd3725c8af615612c845ff8dc

SHA512
f0bab8cf52240cde32cef40eb0f65447b153195b2e54b061ed8467d87c58db9a907d186c97af0fc12e6016b2f3b69a4e12474a06b057fcf7106f12f1014c0e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe

Filesize
4.0MB

MD5
c08e003e9318a3c44e3b399d618900ea

SHA1
f4fb5d72dda68c0b209b73b514393da10937b641

SHA256
1807d0e8ad33486f3eb4ce7e254adc9b5df1c66dd3725c8af615612c845ff8dc

SHA512
f0bab8cf52240cde32cef40eb0f65447b153195b2e54b061ed8467d87c58db9a907d186c97af0fc12e6016b2f3b69a4e12474a06b057fcf7106f12f1014c0e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\PandorahVNC.exe

Filesize
4.0MB

MD5
c08e003e9318a3c44e3b399d618900ea

SHA1
f4fb5d72dda68c0b209b73b514393da10937b641

SHA256
1807d0e8ad33486f3eb4ce7e254adc9b5df1c66dd3725c8af615612c845ff8dc

SHA512
f0bab8cf52240cde32cef40eb0f65447b153195b2e54b061ed8467d87c58db9a907d186c97af0fc12e6016b2f3b69a4e12474a06b057fcf7106f12f1014c0e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\persiste Module.exe

Filesize
790KB

MD5
c8ccadf228daab2a24e268c5f6de69d1

SHA1
746dbc9aeeeecbf29dc6040460dff7cb9879f7f7

SHA256
ec61a22a6c94b98563c5a8caef5595ddcc04018229cc2e1ba5de292ebd165ca4

SHA512
b7c0a41dde7f3bb2a2769e3689715ce534b457229fc591099da983ce354d62bfbe3d57385b0cc632bad860371aac5412fda21b727ab8ef7f77495c2c063e056f

Download Submit
C:\Users\Admin\AppData\Local\Temp\persiste Module.exe

Filesize
790KB

MD5
c8ccadf228daab2a24e268c5f6de69d1

SHA1
746dbc9aeeeecbf29dc6040460dff7cb9879f7f7

SHA256
ec61a22a6c94b98563c5a8caef5595ddcc04018229cc2e1ba5de292ebd165ca4

SHA512
b7c0a41dde7f3bb2a2769e3689715ce534b457229fc591099da983ce354d62bfbe3d57385b0cc632bad860371aac5412fda21b727ab8ef7f77495c2c063e056f

Download Submit
C:\Users\Admin\AppData\Local\Temp\persiste Module.exe

Filesize
790KB

MD5
c8ccadf228daab2a24e268c5f6de69d1

SHA1
746dbc9aeeeecbf29dc6040460dff7cb9879f7f7

SHA256
ec61a22a6c94b98563c5a8caef5595ddcc04018229cc2e1ba5de292ebd165ca4

SHA512
b7c0a41dde7f3bb2a2769e3689715ce534b457229fc591099da983ce354d62bfbe3d57385b0cc632bad860371aac5412fda21b727ab8ef7f77495c2c063e056f

Download Submit
C:\Users\Admin\AppData\Local\Temp\persiste Module.exe

Filesize
790KB

MD5
c8ccadf228daab2a24e268c5f6de69d1

SHA1
746dbc9aeeeecbf29dc6040460dff7cb9879f7f7

SHA256
ec61a22a6c94b98563c5a8caef5595ddcc04018229cc2e1ba5de292ebd165ca4

SHA512
b7c0a41dde7f3bb2a2769e3689715ce534b457229fc591099da983ce354d62bfbe3d57385b0cc632bad860371aac5412fda21b727ab8ef7f77495c2c063e056f

Download Submit
C:\Users\Admin\AppData\Local\Temp\persiste Module.exe

Filesize
790KB

MD5
c8ccadf228daab2a24e268c5f6de69d1

SHA1
746dbc9aeeeecbf29dc6040460dff7cb9879f7f7

SHA256
ec61a22a6c94b98563c5a8caef5595ddcc04018229cc2e1ba5de292ebd165ca4

SHA512
b7c0a41dde7f3bb2a2769e3689715ce534b457229fc591099da983ce354d62bfbe3d57385b0cc632bad860371aac5412fda21b727ab8ef7f77495c2c063e056f

Download Submit
memory/540-511-0x0000000000400000-0x0000000000BEC000-memory.dmp

Filesize
7.9MB

Download
memory/540-560-0x0000000000400000-0x0000000000BEC000-memory.dmp

Filesize
7.9MB

Download
memory/540-534-0x0000000000400000-0x0000000000BEC000-memory.dmp

Filesize
7.9MB

Download
memory/540-531-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/540-315-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/880-507-0x00007FFFB8410000-0x00007FFFB8420000-memory.dmp

Filesize
64KB

Download
memory/880-512-0x00007FFFB6230000-0x00007FFFB6240000-memory.dmp

Filesize
64KB

Download
memory/880-510-0x00007FFFB6230000-0x00007FFFB6240000-memory.dmp

Filesize
64KB

Download
memory/880-508-0x00007FFFB8410000-0x00007FFFB8420000-memory.dmp

Filesize
64KB

Download
memory/880-506-0x00007FFFB8410000-0x00007FFFB8420000-memory.dmp

Filesize
64KB

Download
memory/880-505-0x00007FFFB8410000-0x00007FFFB8420000-memory.dmp

Filesize
64KB

Download
memory/880-504-0x00007FFFB8410000-0x00007FFFB8420000-memory.dmp

Filesize
64KB

Download
memory/1352-494-0x0000000001340000-0x0000000001352000-memory.dmp

Filesize
72KB

Download
memory/1352-495-0x0000000005A30000-0x0000000005FD4000-memory.dmp

Filesize
5.6MB

Download
memory/1352-490-0x0000000000590000-0x00000000008D8000-memory.dmp

Filesize
3.3MB

Download
memory/1352-503-0x0000000006520000-0x000000000655C000-memory.dmp

Filesize
240KB

Download
memory/1352-509-0x0000000005A10000-0x0000000005A1A000-memory.dmp

Filesize
40KB

Download
memory/1352-498-0x0000000005400000-0x0000000005410000-memory.dmp

Filesize
64KB

Download
memory/1352-496-0x0000000002E50000-0x0000000002EE2000-memory.dmp

Filesize
584KB

Download
memory/1628-502-0x00000000018A0000-0x00000000018B0000-memory.dmp

Filesize
64KB

Download
memory/1636-236-0x0000000000400000-0x0000000000BEC000-memory.dmp

Filesize
7.9MB

Download
memory/1636-138-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/2164-224-0x0000000000400000-0x0000000000B2C000-memory.dmp

Filesize
7.2MB

Download
memory/2428-500-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/2428-499-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3976-480-0x0000000000400000-0x0000000000804000-memory.dmp

Filesize
4.0MB

Download
memory/3976-444-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/4416-501-0x0000000001730000-0x0000000001740000-memory.dmp

Filesize
64KB

Download
memory/5032-445-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/5032-493-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads