Malware Analysis Report

2025-03-15 06:25

Sample ID 240128-p8f8tadadl
Target 7d324740e1df497d42cdb8dd7113addd
SHA256 f2a55809809a2586e56c5c45aeaf4c07b155dc6f03aa0e4b3880f6f576ef6239
Tags: njrat, hacked, persistence, trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

f2a55809809a2586e56c5c45aeaf4c07b155dc6f03aa0e4b3880f6f576ef6239

Threat Level: Known bad

The file 7d324740e1df497d42cdb8dd7113addd was found to be: Known bad.

Malicious Activity Summary

njrat hacked persistence trojan

njRAT/Bladabindi

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-28 12:59

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-28 12:59

Reported

2024-01-28 13:02

Platform

win7-20231215-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7d324740e1df497d42cdb8dd7113addd.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk | C:\Users\Admin\AppData\Local\Temp\paylod.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk | C:\Users\Admin\AppData\Local\Temp\WindowsHelp.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.exe | C:\Users\Admin\AppData\Local\Temp\WindowsHelp.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.exe | C:\Users\Admin\AppData\Local\Temp\WindowsHelp.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.exe | C:\Windows\SysWOW64\attrib.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WindowsHelp.exe" | C:\Users\Admin\AppData\Local\Temp\paylod.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Chrome.URL" | C:\Users\Admin\AppData\Local\Temp\WindowsHelp.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Chrome2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Chrome.URL" | C:\Users\Admin\AppData\Local\Temp\WindowsHelp.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Chrome.URL" | C:\Users\Admin\AppData\Local\Temp\WindowsHelp.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Chrome.URL" | C:\Users\Admin\AppData\Local\Temp\WindowsHelp.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsHelp.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsHelp.exe | N/A (12 identical rows)
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsHelp.exe | N/A (12 identical rows)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2476 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\7d324740e1df497d42cdb8dd7113addd.exe | C:\Users\Admin\AppData\Local\Temp\paylod.exe (4 identical rows)
PID 2700 wrote to memory of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\paylod.exe | C:\Users\Admin\AppData\Local\Temp\WindowsHelp.exe (4 identical rows)
PID 2700 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\paylod.exe | C:\Windows\SysWOW64\attrib.exe (4 identical rows)
PID 2584 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsHelp.exe | C:\Windows\SysWOW64\attrib.exe (4 identical rows)
PID 2584 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsHelp.exe | C:\Windows\SysWOW64\attrib.exe (4 identical rows)

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\7d324740e1df497d42cdb8dd7113addd.exe

"C:\Users\Admin\AppData\Local\Temp\7d324740e1df497d42cdb8dd7113addd.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\paylod.exe

"C:\Users\Admin\AppData\Local\Temp\paylod.exe"

C:\Users\Admin\AppData\Local\Temp\WindowsHelp.exe

"C:\Users\Admin\AppData\Local\Temp\WindowsHelp.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\WindowsHelp.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Chrome.exe"

Network

Country | Destination | Domain | Proto
IN | 59.93.130.243:5552 | | tcp (5 identical rows)

Files

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 425e22d9f5c01616afc92987791b19e9
SHA1 b73dfc550dc27562683284fb51661200f31419f9
SHA256 8b346b32769ef0bcb04a87516d3c87d918f355a326237ad36193a2d3e7caaa08
SHA512 da29a3e912bdceed74133aaf0c5fa69a9cd637901c2372088075710b5b9f6e2633d13b30f429d48be51848c4c73c5a3a44d41de3257b74a638a7fe108f5f9612

C:\Users\Admin\AppData\Local\Temp\paylod.exe

MD5 3b12d9c5ad49b7342347e1a40edda5dd
SHA1 9b629a9dec7bf6589e4f9d8f2f84bfda6c1a5b18
SHA256 c6468ff73a89d69720337aeb433f9dc671ffa99db3b6eeeeddab4f3ec428b96e
SHA512 7c37eb9b853459d37657f5facf2c7070a385c40cfde6cfa37f7d98acee8fd963bf32e6b2357637f0f3f31fb0211c401d933fe2454b8f57a1eac9483c5280488a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Chrome.lnk

MD5 79f6e84895dbac00aa43937da2fd93c6
SHA1 1f175f35c3b94d1968ff20108a89499947d74ebc
SHA256 f3d1bc3c0ecb8b1ac6dea6dc69a50c7a0d50e476da7e970ec60985221ed1976c
SHA512 722018d3e52648bc42810ad9e4bb1ba5c1cc9142050e834b5eb69ff25292a2c210f370b57a73657004308ed6ace9d0ac45a9424c72658eb49bf02c8ec06dc0c1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk

MD5 3aaea95d017475615ff9c2a3e8a0ff0a
SHA1 8328de825421d6a0bbb566b47eb49c9911c17ca3
SHA256 e7d1ec9a1c60295b3b944cf7d20ddd707456b1f99f2906d12019ab8240e7b7bd
SHA512 b1420b38e7d640dcb7e73f34c6c9fd245b4699c016757b217b7680165744cf75bb561dabf270972f37f6f1c712526ba9b0e3cac50afd1f2cbe0eb459c2b32abf

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-28 12:59

Reported

2024-01-28 13:02

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7d324740e1df497d42cdb8dd7113addd.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7d324740e1df497d42cdb8dd7113addd.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\paylod.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk | C:\Users\Admin\AppData\Local\Temp\paylod.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk | C:\Users\Admin\AppData\Local\Temp\WindowsHelp.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.exe | C:\Users\Admin\AppData\Local\Temp\WindowsHelp.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.exe | C:\Users\Admin\AppData\Local\Temp\WindowsHelp.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.exe | C:\Windows\SysWOW64\attrib.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Chrome2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Chrome.URL" | C:\Users\Admin\AppData\Local\Temp\WindowsHelp.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Chrome.URL" | C:\Users\Admin\AppData\Local\Temp\WindowsHelp.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Chrome.URL" | C:\Users\Admin\AppData\Local\Temp\WindowsHelp.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chrome2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WindowsHelp.exe" | C:\Users\Admin\AppData\Local\Temp\paylod.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chrome2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Chrome.URL" | C:\Users\Admin\AppData\Local\Temp\WindowsHelp.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsHelp.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsHelp.exe | N/A (12 identical rows)
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsHelp.exe | N/A (12 identical rows)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4884 wrote to memory of 1820 | N/A | C:\Users\Admin\AppData\Local\Temp\7d324740e1df497d42cdb8dd7113addd.exe | C:\Users\Admin\AppData\Local\Temp\paylod.exe (3 identical rows)
PID 4884 wrote to memory of 4316 | N/A | C:\Users\Admin\AppData\Local\Temp\7d324740e1df497d42cdb8dd7113addd.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe (3 identical rows)
PID 1820 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\paylod.exe | C:\Users\Admin\AppData\Local\Temp\WindowsHelp.exe (3 identical rows)
PID 1820 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\paylod.exe | C:\Windows\SysWOW64\attrib.exe (3 identical rows)
PID 3040 wrote to memory of 3452 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsHelp.exe | C:\Windows\SysWOW64\attrib.exe (3 identical rows)
PID 3040 wrote to memory of 1832 | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsHelp.exe | C:\Windows\SysWOW64\attrib.exe (3 identical rows)

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\7d324740e1df497d42cdb8dd7113addd.exe

"C:\Users\Admin\AppData\Local\Temp\7d324740e1df497d42cdb8dd7113addd.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\paylod.exe

"C:\Users\Admin\AppData\Local\Temp\paylod.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\WindowsHelp.exe"

C:\Users\Admin\AppData\Local\Temp\WindowsHelp.exe

"C:\Users\Admin\AppData\Local\Temp\WindowsHelp.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Chrome.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 20.231.121.79:80 | | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 16.234.44.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
IN | 59.93.130.243:5552 | | tcp (5 identical rows)
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\paylod.exe

MD5 3b12d9c5ad49b7342347e1a40edda5dd
SHA1 9b629a9dec7bf6589e4f9d8f2f84bfda6c1a5b18
SHA256 c6468ff73a89d69720337aeb433f9dc671ffa99db3b6eeeeddab4f3ec428b96e
SHA512 7c37eb9b853459d37657f5facf2c7070a385c40cfde6cfa37f7d98acee8fd963bf32e6b2357637f0f3f31fb0211c401d933fe2454b8f57a1eac9483c5280488a

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 425e22d9f5c01616afc92987791b19e9
SHA1 b73dfc550dc27562683284fb51661200f31419f9
SHA256 8b346b32769ef0bcb04a87516d3c87d918f355a326237ad36193a2d3e7caaa08
SHA512 da29a3e912bdceed74133aaf0c5fa69a9cd637901c2372088075710b5b9f6e2633d13b30f429d48be51848c4c73c5a3a44d41de3257b74a638a7fe108f5f9612

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Chrome.lnk

MD5 b9b94c3b79d16fcf092491abf3a7828c
SHA1 7b246b21c5e035fd56d2f3572c99d684c9f78f48
SHA256 01af2aae3dcf137132940b223b4760ef4b9f1928477b6d31fcc941533fbcff31
SHA512 86adf7ff0f37fe068d994da106ed7a854e7fc66bac89edbdfaede9d3e8947755d7d8942a9820af690045397ec3f5029c49425b92e85a3f2aba3e029a73f52a28

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk

MD5 8452fd97a1ac84393545154d251a59a6
SHA1 3b5a84c03e174e00ee0819e7d99f457f1c3a8328
SHA256 6d347f633fd4a7f4ab5923fb751db6f818fdeb17b3867bf55309a2dfc1e16899
SHA512 72be82c44de7c362c2d6f46fe7d9ac4802261a84f3493e6cc89ea30900eb0109b6e94217fd096ef73ce1c56487ca27bf97d7130725190acc6ae04e74c52fadd0
