njrat | 6c7c1efa3c4deb1fd07a04620a62183054c99d65918d9fc7858f8005b61e0655

General

Target

New Client.exe
Size

329KB
MD5

9202baa178d24e6fa0eb45262ac7e16a
SHA1

e45b9ed7c3ebd6b7994dc5de645b2a248ad3f770
SHA256

6c7c1efa3c4deb1fd07a04620a62183054c99d65918d9fc7858f8005b61e0655
SHA512

0ad8b21d9fefcd42b82c60801c1e65381ec769ffa032496a4648917e2f5fb6ce94fb602776c39d9ecbaa01b48fdfbf2f4fef0135d178a8b5cb7c18d2f6952c5a
SSDEEP

6144:z1g9zWvMmbhoLVOT/FtBkFHS4bnb5Y1C54hP56eya4oPbLZzXHgTbM0Ckc6D+Kl2:z1NXbhoLVOT/FtBkFHSwnb5Y1C54hP5x

Score

10^/10

njrat slave persistence trojan

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

Slave

C2

127.0.0.1:11883

Mutex

sys.exe

Attributes

reg_key
sys.exe
splitter
|Ghost|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

New Client.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	New Client.exe

Drops startup file 3 IoCs

Processes:

sys.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sys.url	sys.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sys.exe	sys.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sys.exe	sys.exe

Executes dropped EXE 1 IoCs

Processes:

sys.exe

pid process

4296 sys.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sys.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys.exe = "\"C:\\Windows\\sys.exe\" .."	sys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sys.exe = "\"C:\\Windows\\sys.exe\" .."	sys.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Drops file in Windows directory 2 IoCs

Processes:

New Client.exesys.exe

description ioc process

File created C:\Windows\sys.exe New Client.exe
File opened for modification C:\Windows\sys.exe sys.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\sys.exe	New Client.exe
File opened for modification	C:\Windows\sys.exe	sys.exe

Creates scheduled task(s) 1 TTPs 29 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4660	schtasks.exe
4236	schtasks.exe
5032	schtasks.exe
4516	schtasks.exe
1692	schtasks.exe
1668	schtasks.exe
5108	schtasks.exe
2804	schtasks.exe
1956	schtasks.exe
4932	schtasks.exe
2712	schtasks.exe
2160	schtasks.exe
224	schtasks.exe
4948	schtasks.exe
1648	schtasks.exe
3068	schtasks.exe
1820	schtasks.exe
2532	schtasks.exe
1328	schtasks.exe
4828	schtasks.exe
4640	schtasks.exe
3380	schtasks.exe
4600	schtasks.exe
1808	schtasks.exe
1272	schtasks.exe
4888	schtasks.exe
1844	schtasks.exe
988	schtasks.exe
3656	schtasks.exe

Kills process with taskkill 29 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
636	taskkill.exe
4604	taskkill.exe
4312	taskkill.exe
4704	taskkill.exe
2244	taskkill.exe
3776	taskkill.exe
2304	taskkill.exe
2944	taskkill.exe
1164	taskkill.exe
5028	taskkill.exe
2920	taskkill.exe
3144	taskkill.exe
2540	taskkill.exe
4696	taskkill.exe
2832	taskkill.exe
3336	taskkill.exe
1624	taskkill.exe
2368	taskkill.exe
1728	taskkill.exe
3140	taskkill.exe
3504	taskkill.exe
3720	taskkill.exe
1260	taskkill.exe
4572	taskkill.exe
4444	taskkill.exe
412	taskkill.exe
5112	taskkill.exe
4856	taskkill.exe
4652	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sys.exe

pid	process
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe
4296	sys.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

sys.exe

description	pid	process
Token: SeDebugPrivilege	4296	sys.exe
Token: 33	4296	sys.exe
Token: SeIncBasePriorityPrivilege	4296	sys.exe
Token: 33	4296	sys.exe
Token: SeIncBasePriorityPrivilege	4296	sys.exe
Token: 33	4296	sys.exe
Token: SeIncBasePriorityPrivilege	4296	sys.exe
Token: 33	4296	sys.exe
Token: SeIncBasePriorityPrivilege	4296	sys.exe
Token: 33	4296	sys.exe
Token: SeIncBasePriorityPrivilege	4296	sys.exe
Token: 33	4296	sys.exe
Token: SeIncBasePriorityPrivilege	4296	sys.exe
Token: 33	4296	sys.exe
Token: SeIncBasePriorityPrivilege	4296	sys.exe
Token: 33	4296	sys.exe
Token: SeIncBasePriorityPrivilege	4296	sys.exe
Token: 33	4296	sys.exe
Token: SeIncBasePriorityPrivilege	4296	sys.exe
Token: 33	4296	sys.exe
Token: SeIncBasePriorityPrivilege	4296	sys.exe
Token: 33	4296	sys.exe
Token: SeIncBasePriorityPrivilege	4296	sys.exe
Token: 33	4296	sys.exe
Token: SeIncBasePriorityPrivilege	4296	sys.exe
Token: 33	4296	sys.exe
Token: SeIncBasePriorityPrivilege	4296	sys.exe
Token: 33	4296	sys.exe
Token: SeIncBasePriorityPrivilege	4296	sys.exe
Token: 33	4296	sys.exe
Token: SeIncBasePriorityPrivilege	4296	sys.exe
Token: 33	4296	sys.exe
Token: SeIncBasePriorityPrivilege	4296	sys.exe
Token: 33	4296	sys.exe
Token: SeIncBasePriorityPrivilege	4296	sys.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

New Client.exesys.exe

description	pid	process	target process
PID 4236 wrote to memory of 4296	4236	New Client.exe	sys.exe
PID 4236 wrote to memory of 4296	4236	New Client.exe	sys.exe
PID 4236 wrote to memory of 4296	4236	New Client.exe	sys.exe
PID 4296 wrote to memory of 636	4296	sys.exe	taskkill.exe
PID 4296 wrote to memory of 636	4296	sys.exe	taskkill.exe
PID 4296 wrote to memory of 636	4296	sys.exe	taskkill.exe
PID 4296 wrote to memory of 4468	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 4468	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 4468	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 2160	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 2160	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 2160	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 4604	4296	sys.exe	taskkill.exe
PID 4296 wrote to memory of 4604	4296	sys.exe	taskkill.exe
PID 4296 wrote to memory of 4604	4296	sys.exe	taskkill.exe
PID 4296 wrote to memory of 4456	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 4456	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 4456	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 4640	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 4640	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 4640	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 5112	4296	sys.exe	taskkill.exe
PID 4296 wrote to memory of 5112	4296	sys.exe	taskkill.exe
PID 4296 wrote to memory of 5112	4296	sys.exe	taskkill.exe
PID 4296 wrote to memory of 1420	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 1420	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 1420	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 3380	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 3380	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 3380	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 3776	4296	sys.exe	taskkill.exe
PID 4296 wrote to memory of 3776	4296	sys.exe	taskkill.exe
PID 4296 wrote to memory of 3776	4296	sys.exe	taskkill.exe
PID 4296 wrote to memory of 2664	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 2664	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 2664	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 3068	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 3068	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 3068	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 2304	4296	sys.exe	taskkill.exe
PID 4296 wrote to memory of 2304	4296	sys.exe	taskkill.exe
PID 4296 wrote to memory of 2304	4296	sys.exe	taskkill.exe
PID 4296 wrote to memory of 4872	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 4872	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 4872	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 4932	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 4932	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 4932	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 2832	4296	sys.exe	taskkill.exe
PID 4296 wrote to memory of 2832	4296	sys.exe	taskkill.exe
PID 4296 wrote to memory of 2832	4296	sys.exe	taskkill.exe
PID 4296 wrote to memory of 228	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 228	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 228	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 1668	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 1668	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 1668	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 3504	4296	sys.exe	taskkill.exe
PID 4296 wrote to memory of 3504	4296	sys.exe	taskkill.exe
PID 4296 wrote to memory of 3504	4296	sys.exe	taskkill.exe
PID 4296 wrote to memory of 3024	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 3024	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 3024	4296	sys.exe	schtasks.exe
PID 4296 wrote to memory of 1808	4296	sys.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\New Client.exe
"C:\Users\Admin\AppData\Local\Temp\New Client.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4236

C:\Windows\sys.exe
"C:\Windows\sys.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4296

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:636

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:4468

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:2160

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:4604

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:4456

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:4640

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:5112

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:1420

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:3380

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:3776

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:2664

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:3068

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:2304

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:4872

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:4932

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:2832

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:228

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:1668

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:3504

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:3024

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:1808

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:4312

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:4088

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:5108

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:3336

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:4672

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:1272

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:2944

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:4596

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:1820

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:1164

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:3728

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:224

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:4856

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:3828

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:4888

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:1624

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:1544

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:2712

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:5028

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:4280

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:4660

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:4704

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:4520

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:4948

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:4652

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:3844

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:2804

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:4444

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:4256

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:2532

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:2368

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:1504

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:4236

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:4696

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:3220

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:1844

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:3720

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:3388

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:1328

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:1728

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:1384

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:1692

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:1260

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:4176

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:1648

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:412

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:3396

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:5032

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:2244

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:556

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:988

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:3144

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:1704

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:4516

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:3140

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:4928

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:1956

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:4572

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:2308

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:4828

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:2540

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:2164

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:3656

C:\Windows\SysWOW64\taskkill.exe
taskkill /f im Wireshark.exe
3⤵
- Kills process with taskkill
PID:2920

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
3⤵
PID:4340

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Windows\sys.exe
3⤵
- Creates scheduled task(s)
PID:4600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\sys.exe
Filesize
329KB

MD5
9202baa178d24e6fa0eb45262ac7e16a

SHA1
e45b9ed7c3ebd6b7994dc5de645b2a248ad3f770

SHA256
6c7c1efa3c4deb1fd07a04620a62183054c99d65918d9fc7858f8005b61e0655

SHA512
0ad8b21d9fefcd42b82c60801c1e65381ec769ffa032496a4648917e2f5fb6ce94fb602776c39d9ecbaa01b48fdfbf2f4fef0135d178a8b5cb7c18d2f6952c5a

Download Submit
C:\Windows\sys.exe
Filesize
329KB

MD5
9202baa178d24e6fa0eb45262ac7e16a

SHA1
e45b9ed7c3ebd6b7994dc5de645b2a248ad3f770

SHA256
6c7c1efa3c4deb1fd07a04620a62183054c99d65918d9fc7858f8005b61e0655

SHA512
0ad8b21d9fefcd42b82c60801c1e65381ec769ffa032496a4648917e2f5fb6ce94fb602776c39d9ecbaa01b48fdfbf2f4fef0135d178a8b5cb7c18d2f6952c5a

Download Submit
C:\Windows\sys.exe
Filesize
329KB

MD5
9202baa178d24e6fa0eb45262ac7e16a

SHA1
e45b9ed7c3ebd6b7994dc5de645b2a248ad3f770

SHA256
6c7c1efa3c4deb1fd07a04620a62183054c99d65918d9fc7858f8005b61e0655

SHA512
0ad8b21d9fefcd42b82c60801c1e65381ec769ffa032496a4648917e2f5fb6ce94fb602776c39d9ecbaa01b48fdfbf2f4fef0135d178a8b5cb7c18d2f6952c5a

Download Submit
memory/4236-146-0x0000000074FA0000-0x0000000075551000-memory.dmp

Filesize
5.7MB

Download
memory/4236-134-0x0000000074FA0000-0x0000000075551000-memory.dmp

Filesize
5.7MB

Download
memory/4236-135-0x0000000001550000-0x0000000001560000-memory.dmp

Filesize
64KB

Download
memory/4236-133-0x0000000074FA0000-0x0000000075551000-memory.dmp

Filesize
5.7MB

Download
memory/4296-145-0x0000000074FA0000-0x0000000075551000-memory.dmp

Filesize
5.7MB

Download
memory/4296-147-0x0000000001960000-0x0000000001970000-memory.dmp

Filesize
64KB

Download
memory/4296-148-0x0000000074FA0000-0x0000000075551000-memory.dmp

Filesize
5.7MB

Download
memory/4296-152-0x0000000074FA0000-0x0000000075551000-memory.dmp

Filesize
5.7MB

Download
memory/4296-153-0x0000000001960000-0x0000000001970000-memory.dmp

Filesize
64KB

Download
memory/4296-154-0x0000000074FA0000-0x0000000075551000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads