njrat | 4f00f70a815773e39b5b0f4d9c85213bd905035c13adcddb7760220fe6f9833e

Analysis

max time kernel
108s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 06:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2c57307860d41e2fe4c63eff46610984.exe
Size

79KB
MD5

2c57307860d41e2fe4c63eff46610984
SHA1

fd4019909baf41a003cc105dd004d83bc21a6516
SHA256

4f00f70a815773e39b5b0f4d9c85213bd905035c13adcddb7760220fe6f9833e
SHA512

8c4e233c1d43bf2a8f59749f01049c72a9104d8ba84d067d57b142eb83879be2ccaa7fdadabecd8ebb2151c5f7e1b27bf3b0b8312e54124aeaf0400accb70f19
SSDEEP

1536:8iYlBSVqR3TblSkWbWvrrKY/Xg8cb7yYot4w:/YOObaCLg8cbXod

Score

10^/10

njrat piska evasion persistence trojan

Malware Config

Extracted

Family

njrat

Botnet

PISKA

Mutex

53$79$73$74$65$6d$33$32

Attributes

reg_key
53$79$73$74$65$6d$33$32
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 1 TTPs 11 IoCs

evasion

Windows Service

T1543.003

pid	Process
4652	netsh.exe
4848	netsh.exe
1840	netsh.exe
748	netsh.exe
1068	netsh.exe
2308	netsh.exe
3860	netsh.exe
5004	netsh.exe
1504	netsh.exe
1028	netsh.exe
2408	netsh.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	Qasim_Haxor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	Qasim_Haxor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	Qasim_Haxor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	Qasim_Haxor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	Qasim_Haxor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	Qasim_Haxor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	Qasim_Haxor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	2c57307860d41e2fe4c63eff46610984.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	svchost.exe

Drops startup file 9 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	Qasim_Haxor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	Qasim_Haxor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	Qasim_Haxor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	Qasim_Haxor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	Qasim_Haxor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	Qasim_Haxor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	Qasim_Haxor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe	Qasim_Haxor.exe

Executes dropped EXE 16 IoCs

pid	Process
4940	Qasim_Haxor.exe
2440	svchost.exe
2228	Qasim_Haxor.exe
5004	netsh.exe
4076	Qasim_Haxor.exe
3400	Conhost.exe
1296	Qasim_Haxor.exe
3344	svchost.exe
920	svchost.exe
2716	svchost.exe
1176	Qasim_Haxor.exe
4876	svchost.exe
1608	Qasim_Haxor.exe
1840	svchost.exe
4260	Qasim_Haxor.exe
2200	svchost.exe

Adds Run key to start application 2 TTPs 41 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	Qasim_Haxor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Qasim_Haxor.exe\" .."	Qasim_Haxor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	Qasim_Haxor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	Qasim_Haxor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Qasim_Haxor.exe\" .."	Qasim_Haxor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	Qasim_Haxor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Qasim_Haxor.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Qasim_Haxor.exe\" .."	Qasim_Haxor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	Qasim_Haxor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Qasim_Haxor.exe\" .."	Qasim_Haxor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	Qasim_Haxor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	Qasim_Haxor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	Qasim_Haxor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	Qasim_Haxor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Qasim_Haxor.exe\" .."	Qasim_Haxor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	Qasim_Haxor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Qasim_Haxor.exe\" .."	Qasim_Haxor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Qasim_Haxor.exe\" .."	Qasim_Haxor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	Qasim_Haxor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Qasim_Haxor.exe\" .."	Qasim_Haxor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	Qasim_Haxor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Qasim_Haxor.exe\" .."	Qasim_Haxor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Qasim_Haxor.exe\" .."	Qasim_Haxor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Qasim_Haxor.exe\" .."	Qasim_Haxor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Qasim_Haxor.exe\" .."	Qasim_Haxor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	netsh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Qasim_Haxor.exe\" .."	Qasim_Haxor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	Qasim_Haxor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Qasim_Haxor.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	Qasim_Haxor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	2c57307860d41e2fe4c63eff46610984.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System32 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Qasim_Haxor.exe\" .."	Qasim_Haxor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\53$79$73$74$65$6d$33$32 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\explorer\\WmiPrvSE.exe"	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 4940	5028	2c57307860d41e2fe4c63eff46610984.exe	93
PID 5028 wrote to memory of 4940	5028	2c57307860d41e2fe4c63eff46610984.exe	93
PID 5028 wrote to memory of 4940	5028	2c57307860d41e2fe4c63eff46610984.exe	93
PID 4940 wrote to memory of 2408	4940	Qasim_Haxor.exe	99
PID 4940 wrote to memory of 2408	4940	Qasim_Haxor.exe	99
PID 4940 wrote to memory of 2408	4940	Qasim_Haxor.exe	99
PID 4940 wrote to memory of 2440	4940	Qasim_Haxor.exe	100
PID 4940 wrote to memory of 2440	4940	Qasim_Haxor.exe	100
PID 4940 wrote to memory of 2440	4940	Qasim_Haxor.exe	100
PID 2440 wrote to memory of 2228	2440	svchost.exe	104
PID 2440 wrote to memory of 2228	2440	svchost.exe	104
PID 2440 wrote to memory of 2228	2440	svchost.exe	104
PID 2228 wrote to memory of 748	2228	Qasim_Haxor.exe	106
PID 2228 wrote to memory of 748	2228	Qasim_Haxor.exe	106
PID 2228 wrote to memory of 748	2228	Qasim_Haxor.exe	106
PID 2228 wrote to memory of 5004	2228	Qasim_Haxor.exe	134
PID 2228 wrote to memory of 5004	2228	Qasim_Haxor.exe	134
PID 2228 wrote to memory of 5004	2228	Qasim_Haxor.exe	134
PID 5004 wrote to memory of 4076	5004	netsh.exe	109
PID 5004 wrote to memory of 4076	5004	netsh.exe	109
PID 5004 wrote to memory of 4076	5004	netsh.exe	109
PID 4076 wrote to memory of 1068	4076	Qasim_Haxor.exe	113
PID 4076 wrote to memory of 1068	4076	Qasim_Haxor.exe	113
PID 4076 wrote to memory of 1068	4076	Qasim_Haxor.exe	113
PID 4076 wrote to memory of 3400	4076	Qasim_Haxor.exe	120
PID 4076 wrote to memory of 3400	4076	Qasim_Haxor.exe	120
PID 4076 wrote to memory of 3400	4076	Qasim_Haxor.exe	120
PID 3400 wrote to memory of 1296	3400	Conhost.exe	115
PID 3400 wrote to memory of 1296	3400	Conhost.exe	115
PID 3400 wrote to memory of 1296	3400	Conhost.exe	115
PID 1296 wrote to memory of 1840	1296	Qasim_Haxor.exe	131
PID 1296 wrote to memory of 1840	1296	Qasim_Haxor.exe	131
PID 1296 wrote to memory of 1840	1296	Qasim_Haxor.exe	131
PID 1296 wrote to memory of 3344	1296	Qasim_Haxor.exe	118
PID 1296 wrote to memory of 3344	1296	Qasim_Haxor.exe	118
PID 1296 wrote to memory of 3344	1296	Qasim_Haxor.exe	118
PID 3344 wrote to memory of 920	3344	svchost.exe	156
PID 3344 wrote to memory of 920	3344	svchost.exe	156
PID 3344 wrote to memory of 920	3344	svchost.exe	156
PID 920 wrote to memory of 2308	920	svchost.exe	121
PID 920 wrote to memory of 2308	920	svchost.exe	121
PID 920 wrote to memory of 2308	920	svchost.exe	121
PID 920 wrote to memory of 2716	920	svchost.exe	122
PID 920 wrote to memory of 2716	920	svchost.exe	122
PID 920 wrote to memory of 2716	920	svchost.exe	122
PID 2716 wrote to memory of 1176	2716	svchost.exe	124
PID 2716 wrote to memory of 1176	2716	svchost.exe	124
PID 2716 wrote to memory of 1176	2716	svchost.exe	124
PID 1176 wrote to memory of 4652	1176	Qasim_Haxor.exe	126
PID 1176 wrote to memory of 4652	1176	Qasim_Haxor.exe	126
PID 1176 wrote to memory of 4652	1176	Qasim_Haxor.exe	126
PID 1176 wrote to memory of 4876	1176	Qasim_Haxor.exe	127
PID 1176 wrote to memory of 4876	1176	Qasim_Haxor.exe	127
PID 1176 wrote to memory of 4876	1176	Qasim_Haxor.exe	127
PID 4876 wrote to memory of 1608	4876	svchost.exe	128
PID 4876 wrote to memory of 1608	4876	svchost.exe	128
PID 4876 wrote to memory of 1608	4876	svchost.exe	128
PID 1608 wrote to memory of 3860	1608	Qasim_Haxor.exe	144
PID 1608 wrote to memory of 3860	1608	Qasim_Haxor.exe	144
PID 1608 wrote to memory of 3860	1608	Qasim_Haxor.exe	144
PID 1608 wrote to memory of 1840	1608	Qasim_Haxor.exe	131
PID 1608 wrote to memory of 1840	1608	Qasim_Haxor.exe	131
PID 1608 wrote to memory of 1840	1608	Qasim_Haxor.exe	131
PID 1840 wrote to memory of 4260	1840	svchost.exe	132

C:\Users\Admin\AppData\Local\Temp\2c57307860d41e2fe4c63eff46610984.exe
"C:\Users\Admin\AppData\Local\Temp\2c57307860d41e2fe4c63eff46610984.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe
  "C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe" "Qasim_Haxor.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:2408
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe
      "C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2228
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe" "Qasim_Haxor.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:748
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        5⤵
        
        PID:5004
      - C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe"
        6⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe" "Qasim_Haxor.exe" ENABLE
        7⤵
        Modifies Windows Firewall
        
        PID:1068
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        7⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe"
        8⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe" "Qasim_Haxor.exe" ENABLE
        9⤵
        Modifies Windows Firewall
        
        PID:1840
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe"
        10⤵
        
        PID:920
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe" "Qasim_Haxor.exe" ENABLE
        11⤵
        Modifies Windows Firewall
        
        PID:2308
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe"
        12⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe" "Qasim_Haxor.exe" ENABLE
        13⤵
        Modifies Windows Firewall
        
        PID:4652
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe"
        14⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe" "Qasim_Haxor.exe" ENABLE
        15⤵
        Modifies Windows Firewall
        
        PID:3860
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe"
        16⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4260
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe" "Qasim_Haxor.exe" ENABLE
        17⤵
        Modifies Windows Firewall
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe"
        18⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe" "Qasim_Haxor.exe" ENABLE
        19⤵
        Modifies Windows Firewall
        
        PID:1504
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        19⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe"
        20⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe" "Qasim_Haxor.exe" ENABLE
        21⤵
        Modifies Windows Firewall
        
        PID:4848
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        21⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe"
        22⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe" "Qasim_Haxor.exe" ENABLE
        23⤵
        Modifies Windows Firewall
        
        PID:1028
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        23⤵
        Checks computer location settings
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe"
        24⤵
        
        PID:4316

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Qasim_Haxor.exe.log

Filesize
411B

MD5
b5766774c3ec5c3c2bd98da37069b64a

SHA1
230ab2667e627ef2252bdd19a2eb39fc86aa521c

SHA256
e81508d529d4607729ea190c95e5bf809bad250638ed22fa58c307de7c8d0161

SHA512
23038bdddc0db8830608e5c440e825e675338c30d79833c5173499bee105bd8d92896a397cd138359485228b98369d122a19e4e24b1cec13ad1679a609a47d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe

Filesize
68KB

MD5
81eabcea05a95d2f73e28e4934a6e129

SHA1
bd179800bcea72ec9c7ad06319193fb3a8c7f323

SHA256
4e1fdd6ee418aac5057dd7e48aaf5317e1ae222ab7a51df80337deecbf62f786

SHA512
b0cb9d3e496367e729d4f4decd8c7bc0edfebe9b494dee9c7c46033764e6973e02f0417d15ac85e9bbfb5431cdd72584e215c5855da43f6ea5bd8085d5d683a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qasim_Haxor.exe

Filesize
79KB

MD5
2c57307860d41e2fe4c63eff46610984

SHA1
fd4019909baf41a003cc105dd004d83bc21a6516

SHA256
4f00f70a815773e39b5b0f4d9c85213bd905035c13adcddb7760220fe6f9833e

SHA512
8c4e233c1d43bf2a8f59749f01049c72a9104d8ba84d067d57b142eb83879be2ccaa7fdadabecd8ebb2151c5f7e1b27bf3b0b8312e54124aeaf0400accb70f19

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.txt

Filesize
49B

MD5
6f437bc96fabebf1dadbf7f68832a25e

SHA1
6f81628ac5952f3ce7025011ef919505a5261318

SHA256
8bfa57cd722328ae1b4b4394bfc535e615220432a66735127eb37b8e0556a94c

SHA512
42028606dd729faa1ae81dae737ec68a9f351f4b4fad8caceca64eeb566e2767648cfeac3bdd59e5a7f3b146708bd92db1ae392ed4110e08b52c93609cbe4cd9

Download Submit
memory/920-135-0x00000000010C0000-0x00000000010D0000-memory.dmp

Filesize
64KB

Download
memory/920-134-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/920-152-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/1176-165-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/1176-182-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/1176-163-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/1176-164-0x0000000000EB0000-0x0000000000EC0000-memory.dmp

Filesize
64KB

Download
memory/1296-122-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/1296-105-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download
memory/1296-104-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/1608-212-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/1608-195-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/1608-194-0x0000000000C80000-0x0000000000C90000-memory.dmp

Filesize
64KB

Download
memory/1608-193-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/1840-213-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/1840-222-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/2200-243-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/2200-252-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/2228-63-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/2228-45-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/2228-44-0x0000000000CB0000-0x0000000000CC0000-memory.dmp

Filesize
64KB

Download
memory/2228-43-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/2440-31-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/2440-42-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/2716-153-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/2716-162-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/3344-124-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/3344-123-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/3344-133-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/3400-103-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/3400-92-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/3400-94-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/3428-282-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/3428-273-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/3860-297-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/3860-283-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/3860-284-0x0000000001090000-0x00000000010A0000-memory.dmp

Filesize
64KB

Download
memory/3860-285-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/4076-75-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/4076-74-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/4076-93-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/4260-223-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/4260-225-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/4260-224-0x0000000000DF0000-0x0000000000E00000-memory.dmp

Filesize
64KB

Download
memory/4260-242-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/4852-272-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/4852-254-0x0000000000970000-0x0000000000980000-memory.dmp

Filesize
64KB

Download
memory/4852-253-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/4852-255-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/4876-192-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/4876-183-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/4940-30-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/4940-14-0x00000000011B0000-0x00000000011C0000-memory.dmp

Filesize
64KB

Download
memory/4940-15-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/4940-13-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/5004-64-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/5004-73-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/5028-12-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/5028-1-0x00000000019D0000-0x00000000019E0000-memory.dmp

Filesize
64KB

Download
memory/5028-2-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/5028-0-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/5064-299-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/5064-298-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download
memory/5064-306-0x00000000753B0000-0x0000000075961000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads