njrat | 6c7c1efa3c4deb1fd07a04620a62183054c99d65918d9fc7858f8005b61e0655

General

Target

New Client.exe
Size

329KB
MD5

9202baa178d24e6fa0eb45262ac7e16a
SHA1

e45b9ed7c3ebd6b7994dc5de645b2a248ad3f770
SHA256

6c7c1efa3c4deb1fd07a04620a62183054c99d65918d9fc7858f8005b61e0655
SHA512

0ad8b21d9fefcd42b82c60801c1e65381ec769ffa032496a4648917e2f5fb6ce94fb602776c39d9ecbaa01b48fdfbf2f4fef0135d178a8b5cb7c18d2f6952c5a
SSDEEP

6144:z1g9zWvMmbhoLVOT/FtBkFHS4bnb5Y1C54hP56eya4oPbLZzXHgTbM0Ckc6D+Kl2:z1NXbhoLVOT/FtBkFHSwnb5Y1C54hP5x

Score

10^/10

njrat slave persistence trojan

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

Slave

C2

127.0.0.1:11883

Mutex

sys.exe

Attributes

reg_key
sys.exe
splitter
|Ghost|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 3 IoCs

Processes:

sys.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sys.exe	sys.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sys.exe	sys.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sys.url	sys.exe

Executes dropped EXE 1 IoCs

Processes:

sys.exe

pid process

4928 sys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sys.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4175128012-676912335-1083716439-1000\Software\Microsoft\Windows\CurrentVersion\Run\sys.exe = "\"C:\\Windows\\sys.exe\" .."	sys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys.exe = "\"C:\\Windows\\sys.exe\" .."	sys.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Drops file in Windows directory 2 IoCs

Processes:

New Client.exesys.exe

description ioc process

File created C:\Windows\sys.exe New Client.exe
File opened for modification C:\Windows\sys.exe sys.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\sys.exe	New Client.exe
File opened for modification	C:\Windows\sys.exe	sys.exe

Creates scheduled task(s) 1 TTPs 38 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4104	schtasks.exe
3056	schtasks.exe
592	schtasks.exe
196	schtasks.exe
2728	schtasks.exe
764	schtasks.exe
2052	schtasks.exe
2836	schtasks.exe
912	schtasks.exe
4056	schtasks.exe
4864	schtasks.exe
4120	schtasks.exe
5068	schtasks.exe
4332	schtasks.exe
1448	schtasks.exe
4224	schtasks.exe
5096	schtasks.exe
2176	schtasks.exe
4140	schtasks.exe
3804	schtasks.exe
4848	schtasks.exe
3396	schtasks.exe
4092	schtasks.exe
4552	schtasks.exe
3820	schtasks.exe
2636	schtasks.exe
3556	schtasks.exe
5020	schtasks.exe
4828	schtasks.exe
2512	schtasks.exe
1708	schtasks.exe
3748	schtasks.exe
2008	schtasks.exe
1964	schtasks.exe
4784	schtasks.exe
1288	schtasks.exe
4820	schtasks.exe
1160	schtasks.exe

Kills process with taskkill 39 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
932	taskkill.exe
2640	taskkill.exe
404	taskkill.exe
2340	taskkill.exe
2012	taskkill.exe
4400	taskkill.exe
2884	taskkill.exe
2128	taskkill.exe
3060	taskkill.exe
4576	taskkill.exe
5012	taskkill.exe
3312	taskkill.exe
4708	taskkill.exe
4836	taskkill.exe
4288	taskkill.exe
1000	taskkill.exe
3088	taskkill.exe
4040	taskkill.exe
4808	taskkill.exe
4920	taskkill.exe
380	taskkill.exe
1804	taskkill.exe
4320	taskkill.exe
5116	taskkill.exe
5040	taskkill.exe
204	taskkill.exe
3156	taskkill.exe
4796	taskkill.exe
308	taskkill.exe
2132	taskkill.exe
1540	taskkill.exe
2668	taskkill.exe
60	taskkill.exe
496	taskkill.exe
228	taskkill.exe
4604	taskkill.exe
1416	taskkill.exe
4692	taskkill.exe
5072	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sys.exe

pid	process
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe
4928	sys.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

sys.exe

description	pid	process
Token: SeDebugPrivilege	4928	sys.exe
Token: 33	4928	sys.exe
Token: SeIncBasePriorityPrivilege	4928	sys.exe
Token: 33	4928	sys.exe
Token: SeIncBasePriorityPrivilege	4928	sys.exe
Token: 33	4928	sys.exe
Token: SeIncBasePriorityPrivilege	4928	sys.exe
Token: 33	4928	sys.exe
Token: SeIncBasePriorityPrivilege	4928	sys.exe
Token: 33	4928	sys.exe
Token: SeIncBasePriorityPrivilege	4928	sys.exe
Token: 33	4928	sys.exe
Token: SeIncBasePriorityPrivilege	4928	sys.exe
Token: 33	4928	sys.exe
Token: SeIncBasePriorityPrivilege	4928	sys.exe
Token: 33	4928	sys.exe
Token: SeIncBasePriorityPrivilege	4928	sys.exe
Token: 33	4928	sys.exe
Token: SeIncBasePriorityPrivilege	4928	sys.exe
Token: 33	4928	sys.exe
Token: SeIncBasePriorityPrivilege	4928	sys.exe
Token: 33	4928	sys.exe
Token: SeIncBasePriorityPrivilege	4928	sys.exe
Token: 33	4928	sys.exe
Token: SeIncBasePriorityPrivilege	4928	sys.exe
Token: 33	4928	sys.exe
Token: SeIncBasePriorityPrivilege	4928	sys.exe
Token: 33	4928	sys.exe
Token: SeIncBasePriorityPrivilege	4928	sys.exe
Token: 33	4928	sys.exe
Token: SeIncBasePriorityPrivilege	4928	sys.exe
Token: 33	4928	sys.exe
Token: SeIncBasePriorityPrivilege	4928	sys.exe
Token: 33	4928	sys.exe
Token: SeIncBasePriorityPrivilege	4928	sys.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

New Client.exesys.exe

description	pid	process	target process
PID 4188 wrote to memory of 4928	4188	New Client.exe	sys.exe
PID 4188 wrote to memory of 4928	4188	New Client.exe	sys.exe
PID 4188 wrote to memory of 4928	4188	New Client.exe	sys.exe
PID 4928 wrote to memory of 4836	4928	sys.exe	taskkill.exe
PID 4928 wrote to memory of 4836	4928	sys.exe	taskkill.exe
PID 4928 wrote to memory of 4836	4928	sys.exe	taskkill.exe
PID 4928 wrote to memory of 936	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 936	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 936	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 4140	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 4140	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 4140	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 5040	4928	sys.exe	taskkill.exe
PID 4928 wrote to memory of 5040	4928	sys.exe	taskkill.exe
PID 4928 wrote to memory of 5040	4928	sys.exe	taskkill.exe
PID 4928 wrote to memory of 4936	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 4936	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 4936	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 912	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 912	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 912	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 2340	4928	sys.exe	taskkill.exe
PID 4928 wrote to memory of 2340	4928	sys.exe	taskkill.exe
PID 4928 wrote to memory of 2340	4928	sys.exe	taskkill.exe
PID 4928 wrote to memory of 2180	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 2180	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 2180	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 1448	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 1448	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 1448	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 3088	4928	sys.exe	taskkill.exe
PID 4928 wrote to memory of 3088	4928	sys.exe	taskkill.exe
PID 4928 wrote to memory of 3088	4928	sys.exe	taskkill.exe
PID 4928 wrote to memory of 3192	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 3192	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 3192	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 4224	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 4224	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 4224	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 2012	4928	sys.exe	taskkill.exe
PID 4928 wrote to memory of 2012	4928	sys.exe	taskkill.exe
PID 4928 wrote to memory of 2012	4928	sys.exe	taskkill.exe
PID 4928 wrote to memory of 5032	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 5032	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 5032	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 5096	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 5096	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 5096	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 60	4928	sys.exe	taskkill.exe
PID 4928 wrote to memory of 60	4928	sys.exe	taskkill.exe
PID 4928 wrote to memory of 60	4928	sys.exe	taskkill.exe
PID 4928 wrote to memory of 1692	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 1692	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 1692	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 4104	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 4104	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 4104	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 3060	4928	sys.exe	taskkill.exe
PID 4928 wrote to memory of 3060	4928	sys.exe	taskkill.exe
PID 4928 wrote to memory of 3060	4928	sys.exe	taskkill.exe
PID 4928 wrote to memory of 4984	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 4984	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 4984	4928	sys.exe	schtasks.exe
PID 4928 wrote to memory of 1964	4928	sys.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\New Client.exe
"C:\Users\Admin\AppData\Local\Temp\New Client.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\sys.exe
"C:\Windows\sys.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:4836

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:936

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:4140

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:5040

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:4936

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:912

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:2340

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:2180

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:1448

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:3088

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:3192

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:4224

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:2012

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:5032

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:5096

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:60

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:1692

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:4104

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:3060

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:4984

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:1964

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:204

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:2064

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:5020

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:4288

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:4512

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:3804

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:4808

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:4804

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:3056

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:4576

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:1712

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:4848

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:4796

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:4944

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:4828

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:4692

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:2208

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:4056

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:4920

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:1932

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:4784

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:4040

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:1944

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:4864

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:5072

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:3972

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:3396

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:308

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:2300

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:196

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:4400

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:2804

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:2512

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:5012

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:2364

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:1708

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:380

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:1156

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:2728

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:228

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:2760

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:4092

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:496

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:3812

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:4552

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:3156

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:3068

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:764

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:2884

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:1376

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:3820

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:1804

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:1952

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:2052

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:4320

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:3224

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:2636

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:932

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:776

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:1288

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:2132

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:5080

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:4820

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:4604

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:1864

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:4120

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:1416

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:4564

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:5068

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:5116

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:4212

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:3748

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:2128

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:4628

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:2008

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:2640

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:1372

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:3556

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:1540

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:4548

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:2836

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:1000

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:3420

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:2176

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:3312

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:4168

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:4332

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:4708

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:4636

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:592

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:404

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:3188

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:1160

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:2668

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:5084

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sys.exe
Filesize
329KB

MD5
9202baa178d24e6fa0eb45262ac7e16a

SHA1
e45b9ed7c3ebd6b7994dc5de645b2a248ad3f770

SHA256
6c7c1efa3c4deb1fd07a04620a62183054c99d65918d9fc7858f8005b61e0655

SHA512
0ad8b21d9fefcd42b82c60801c1e65381ec769ffa032496a4648917e2f5fb6ce94fb602776c39d9ecbaa01b48fdfbf2f4fef0135d178a8b5cb7c18d2f6952c5a

Download Submit
C:\Windows\sys.exe
Filesize
329KB

MD5
9202baa178d24e6fa0eb45262ac7e16a

SHA1
e45b9ed7c3ebd6b7994dc5de645b2a248ad3f770

SHA256
6c7c1efa3c4deb1fd07a04620a62183054c99d65918d9fc7858f8005b61e0655

SHA512
0ad8b21d9fefcd42b82c60801c1e65381ec769ffa032496a4648917e2f5fb6ce94fb602776c39d9ecbaa01b48fdfbf2f4fef0135d178a8b5cb7c18d2f6952c5a

Download Submit
C:\Windows\sys.exe
Filesize
329KB

MD5
9202baa178d24e6fa0eb45262ac7e16a

SHA1
e45b9ed7c3ebd6b7994dc5de645b2a248ad3f770

SHA256
6c7c1efa3c4deb1fd07a04620a62183054c99d65918d9fc7858f8005b61e0655

SHA512
0ad8b21d9fefcd42b82c60801c1e65381ec769ffa032496a4648917e2f5fb6ce94fb602776c39d9ecbaa01b48fdfbf2f4fef0135d178a8b5cb7c18d2f6952c5a

Download Submit
memory/4188-117-0x0000000074120000-0x00000000746D0000-memory.dmp

Filesize
5.7MB

Download
memory/4188-118-0x0000000074120000-0x00000000746D0000-memory.dmp

Filesize
5.7MB

Download
memory/4188-119-0x0000000000A90000-0x0000000000AA0000-memory.dmp

Filesize
64KB

Download
memory/4188-126-0x0000000074120000-0x00000000746D0000-memory.dmp

Filesize
5.7MB

Download
memory/4928-127-0x0000000074120000-0x00000000746D0000-memory.dmp

Filesize
5.7MB

Download
memory/4928-128-0x0000000002380000-0x0000000002390000-memory.dmp

Filesize
64KB

Download
memory/4928-129-0x0000000074120000-0x00000000746D0000-memory.dmp

Filesize
5.7MB

Download
memory/4928-133-0x0000000074120000-0x00000000746D0000-memory.dmp

Filesize
5.7MB

Download
memory/4928-134-0x0000000002380000-0x0000000002390000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads