Malware Analysis Report

2025-03-15 06:25

Sample ID: 240129-ekttwsahcq
Target: 7ed42ba337d1cb153fb2470c0938fef0
SHA256: 0d4f6eed0b7579534b2c934d91298ddab1c88ebefc873f5b82243f5b182161ec
Tags: njrat, hacked, persistence, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 0d4f6eed0b7579534b2c934d91298ddab1c88ebefc873f5b82243f5b182161ec
Threat Level: Known bad

The file 7ed42ba337d1cb153fb2470c0938fef0 was found to be: Known bad.

Malicious Activity Summary

Tags: njrat, hacked, persistence, trojan
(The "hacked" tag is the campaign identifier carried in the njRAT configuration; "HacKed" is the default value the njRAT builder fills in, so it identifies the family and a default build rather than a specific operator.)

Signatures matched across the static and behavioral runs:

njRAT/Bladabindi
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Drops startup file
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Views/modifies file attributes
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-29 04:00

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-29 04:00
Reported: 2024-01-29 04:03
Platform: win7-20231215-en
Max time kernel: 149s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7ed42ba337d1cb153fb2470c0938fef0.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp57F0.tmpizqighvc.exe | C:\Users\Admin\AppData\Local\Temp\tmp57F0.tmpizqighvc.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp57F0.tmpizqighvc.exe | C:\Users\Admin\AppData\Local\Temp\tmp57F0.tmpizqighvc.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\tmp584E.tmpuhjkr.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp584E.tmpuhjkr.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tmp57F0.tmpizqighvc = "C:\\Users\\Admin\\AppData\\Roaming\\tmp57F0.tmpizqighvc.exe" | C:\Users\Admin\AppData\Local\Temp\tmp57F0.tmpizqighvc.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe" | C:\Users\Admin\AppData\Local\Temp\tmp584E.tmpuhjkr.exe | N/A

Both values sit under \REGISTRY\USER\<SID>, which is HKCU\Software\Microsoft\Windows\CurrentVersion\Run of the logged-on user, so they are written without elevation and fire at that user's next logon. The tmp57F0.tmpizqighvc value points at a copy under AppData\Roaming that the Files section of this run never lists; the copy the report does record is the one in the Startup folder. The Windows2 value points at Temp\Payload.exe, the file that attrib.exe later marks hidden, read-only and system.

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | 8.tcp.ngrok.io | N/A | N/A (3 hits)
Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A (16 hits)
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A (16 hits)

In the raw log the Token: 33 and Token: SeIncBasePriorityPrivilege rows alternate, 16 pairs in all. 33 is a privilege LUID the sandbox left unresolved; in winnt.h it is SE_INC_WORKING_SET_PRIVILEGE. Only Payload.exe adjusts privileges, and SeDebugPrivilege is requested once.

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp57F0.tmpizqighvc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2936 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\7ed42ba337d1cb153fb2470c0938fef0.exe | C:\Users\Admin\AppData\Local\Temp\tmp57F0.tmpizqighvc.exe (3 hits)
PID 2936 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\7ed42ba337d1cb153fb2470c0938fef0.exe | C:\Users\Admin\AppData\Local\Temp\tmp584E.tmpuhjkr.exe (4 hits)
PID 2796 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp584E.tmpuhjkr.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe (4 hits)
PID 2796 wrote to memory of 336 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp584E.tmpuhjkr.exe | C:\Windows\SysWOW64\attrib.exe (4 hits)

Every row pairs a parent with a child whose image also appears in the Processes list below, so these writes document the spawn chain (sample -> tmp57F0.tmpizqighvc.exe and tmp584E.tmpuhjkr.exe; tmp584E.tmpuhjkr.exe -> Payload.exe and attrib.exe). No row shows a write into a process the sample did not create.

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

PID 2936  C:\Users\Admin\AppData\Local\Temp\7ed42ba337d1cb153fb2470c0938fef0.exe
          "C:\Users\Admin\AppData\Local\Temp\7ed42ba337d1cb153fb2470c0938fef0.exe"

PID 2720  C:\Users\Admin\AppData\Local\Temp\tmp57F0.tmpizqighvc.exe
          "C:\Users\Admin\AppData\Local\Temp\tmp57F0.tmpizqighvc.exe"

PID 2796  C:\Users\Admin\AppData\Local\Temp\tmp584E.tmpuhjkr.exe
          "C:\Users\Admin\AppData\Local\Temp\tmp584E.tmpuhjkr.exe"

PID 2552  C:\Users\Admin\AppData\Local\Temp\Payload.exe
          "C:\Users\Admin\AppData\Local\Temp\Payload.exe"

PID 336   C:\Windows\SysWOW64\attrib.exe
          attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"

PIDs are taken from the WriteProcessMemory rows above. The attrib call sets the hidden, read-only and system attributes on Payload.exe; with Explorer's default settings (protected operating system files hidden) the file does not show in the folder view, and dir omits it unless /a is given.

Network

Country | Destination | Domain | Proto | Hits
US | 8.8.8.8:53 | 8.tcp.ngrok.io | udp | 1
US | 3.142.129.56:10093 | 8.tcp.ngrok.io | tcp | 16
US | 8.8.8.8:53 | 8.tcp.ngrok.io | udp | 1
US | 3.142.167.54:10093 | 8.tcp.ngrok.io | tcp | 24
US | 8.8.8.8:53 | 8.tcp.ngrok.io | udp | 1
US | 3.19.130.43:10093 | 8.tcp.ngrok.io | tcp | 12

Rows are in log order with consecutive identical rows collapsed into a hit count. The C2 is an ngrok TCP tunnel: after each lookup of 8.tcp.ngrok.io the connections go to a different ngrok edge address (3.142.129.56, 3.142.167.54, 3.19.130.43) while the tunnel port 10093 stays fixed across all 52 connections. The edge addresses belong to ngrok, not to the operator, and are shared with other tunnels, so hunt and block on the hostname plus port rather than on the individual IPs; the operator's own address sits behind ngrok and does not appear in this capture.

Files

Dropped files

C:\Users\Admin\AppData\Local\Temp\tmp57F0.tmpizqighvc.exe
MD5 9d02de8e771827f73c26a3d669e579d7
SHA1 4a8cdec5afa86832bafd59f17812896b47c4464f
SHA256 0531fa8add852becdab7c5235a9de90de117c0c6b06dcbcc58a397538e968f96
SHA512 daa07f74ab83c2c6bd183b679aa5cd9e055985f402bae968ee422cab4a056cad0a5b7ae5e30f65846eb041711f203751b809f75efc35cdd46920275a55787dc6

C:\Users\Admin\AppData\Local\Temp\tmp584E.tmpuhjkr.exe
MD5 67f4d91c4725ce8f1d86e15f49ef57c2
SHA1 de32cb8976e32543130eda1f3f8a495f324502f8
SHA256 485dadce98a6cbc3c5ce2a5208bd22975451f3e00826c40e7fad474d1a05c679
SHA512 348ed6bb2f8ee62cfae877d86dcc7ad2b915f6875aaf4c8c773d00754e9c77652f5db717cf7e2aaaa9f1418baae33aee1b61814dd921acb64049b74b842a86e0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp57F0.tmpizqighvc.exe
MD5 c56edc1cf17484d49de0876be36b4f8c
SHA1 39959fb755bcaf23c92fd91fee93d33b64ae8d91
SHA256 3796edc5afea91e6d0890d1d67558d10370206f5b1685c40752ff9d3d67df9e9
SHA512 c3cd566761acfa6dbc7e363704a5c8e5d1773d1ace5ee33ab9c8d61691d2d44da790f0bc9764298b2345157e4a043f8dab1000120fac6f0d3ea93c304f1eddfc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
MD5 565df4165447568662fdba324b8d3337
SHA1 e2e8e657599c98d5542cb2ead057e8782f176344
SHA256 9811ac66c473f94ee4df4a142c51c468594edb84369aebc127a04aee29a472c1
SHA512 012cee46578f1c434065bcbef9c24fbf9fd5b267e88d239658f5afc19dff0f1d308b5c2ec5663185dbbcc3576cde1490f3303110ab1be23d88bf9a757d94a7f1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
MD5 cf9247d361eb82e0998705690cf8bec9
SHA1 9806ffc837a20d9928fd93aaebef55f8c51a711f
SHA256 663bfa5f36559bf94c7e665fbd29154e12df25976b5ce960f1a80ad5188d32c7
SHA512 32b3130415ea527fd796afc84286e522c1690b01772de10325806f31d61b7c4a4e18f0f6cfd705ee30bd5bc882493e0e64eee508514405abb5c1a0230cee1674

The Startup-folder copy of tmp57F0.tmpizqighvc.exe (SHA256 beginning 3796edc5) does not match the Temp copy it was created from (SHA256 beginning 0531fa8a); the signatures above also record the Startup copy being opened for modification after creation. Payload.exe, although executed and hidden, has no hash recorded in this run, so the Windows2 Run target cannot be matched against these hashes.

Memory dumps (PID-sequence-start-end)

memory/2936-11-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp
memory/2796-12-0x0000000074B80000-0x000000007512B000-memory.dmp
memory/2720-13-0x0000000000AC0000-0x0000000000B40000-memory.dmp
memory/2720-14-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp
memory/2796-15-0x0000000074B80000-0x000000007512B000-memory.dmp
memory/2796-16-0x00000000005D0000-0x0000000000610000-memory.dmp
memory/2552-29-0x0000000074B80000-0x000000007512B000-memory.dmp
memory/2552-30-0x00000000004C0000-0x0000000000500000-memory.dmp
memory/2796-31-0x0000000074B80000-0x000000007512B000-memory.dmp
memory/2552-32-0x0000000074B80000-0x000000007512B000-memory.dmp
memory/2720-37-0x0000000000AC0000-0x0000000000B40000-memory.dmp
memory/2720-38-0x000007FEF5C50000-0x000007FEF65ED000-memory.dmp
memory/2552-39-0x0000000074B80000-0x000000007512B000-memory.dmp
memory/2552-40-0x00000000004C0000-0x0000000000500000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-29 04:00
Reported: 2024-01-29 04:02
Platform: win10v2004-20231215-en
Max time kernel: 148s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7ed42ba337d1cb153fb2470c0938fef0.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7ed42ba337d1cb153fb2470c0938fef0.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tmp4305.tmpuhjkr.exe | N/A

Geo\Nation stores the user's configured home location (the GEOID returned by GetUserGeoID). Benign programs that ask Windows for the current region query it as well, so on its own this read is weak evidence of geofencing.

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\tmp4305.tmpuhjkr.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp4287.tmpizqighvc.exe | C:\Users\Admin\AppData\Local\Temp\tmp4287.tmpizqighvc.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp4287.tmpizqighvc.exe | C:\Users\Admin\AppData\Local\Temp\tmp4287.tmpizqighvc.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tmp4287.tmpizqighvc = "C:\\Users\\Admin\\AppData\\Roaming\\tmp4287.tmpizqighvc.exe" | C:\Users\Admin\AppData\Local\Temp\tmp4287.tmpizqighvc.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe" | C:\Users\Admin\AppData\Local\Temp\tmp4305.tmpuhjkr.exe | N/A

The same two HKCU Run values as in the Windows 7 run, with a fresh random name for the first dropper. Again the tmp4287.tmpizqighvc value points at a copy under AppData\Roaming that the Files section of this run does not list, and in this run the Startup-folder copy of tmp4287.tmpizqighvc.exe is likewise absent from the Files section even though its creation is recorded above.
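Both runs install the same two kinds of autorun entry: an HKCU Run value and a file in the user's Startup folder. The Python below is an added example, not part of the sandbox report. It parses the Run-key and Startup-folder rows of both runs exactly as printed in this report, normalises each into a hunt-ready location (the \REGISTRY\USER prefix becomes HKU), and attaches the reasons a responder would flag it. The KNOWN_PATHS set is assembled from the report's Files and Processes sections so that a Run value pointing at a path the run never wrote or executed is called out. The tmpXXXX.tmp naming check (the pattern GetTempFileName produces) and the reason strings are this example's own choices.

```python
"""Triage the autorun rows from both behavioral runs into hunt-ready form.

Added example, not part of the sandbox report. Input rows are copied from the
report's "Adds Run key" and "Drops startup file" tables (constructed input).
"""
import re
from dataclasses import dataclass, field

RUN_RE = re.compile(
    r'^Set value \((?P<kind>\w+)\) \\REGISTRY\\USER\\(?P<sid>S-1-5-21-[0-9-]+)'
    r'\\(?P<subkey>.+?\\Run)\\(?P<name>\S+) = "(?P<data>.*)" (?P<proc>\S+) N/A$')
STARTUP_RE = re.compile(
    r'^(?P<action>File created|File opened for modification) '
    r'(?P<path>[A-Z]:\\.+?\\Startup\\\S+) (?P<proc>\S+) N/A$')
# GetTempFileName() names files tmpXXXX.tmp; both droppers keep that prefix.
TEMPNAME_RE = re.compile(r"^tmp[0-9a-f]{4}\.tmp", re.I)
MISSING = "target path is not among the files written or executed in the run"

ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\tmp57F0.tmpizqighvc = "C:\\Users\\Admin\\AppData\\Roaming\\tmp57F0.tmpizqighvc.exe" C:\Users\Admin\AppData\Local\Temp\tmp57F0.tmpizqighvc.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe" C:\Users\Admin\AppData\Local\Temp\tmp584E.tmpuhjkr.exe N/A',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp57F0.tmpizqighvc.exe C:\Users\Admin\AppData\Local\Temp\tmp57F0.tmpizqighvc.exe N/A',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk C:\Users\Admin\AppData\Local\Temp\tmp584E.tmpuhjkr.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tmp4287.tmpizqighvc = "C:\\Users\\Admin\\AppData\\Roaming\\tmp4287.tmpizqighvc.exe" C:\Users\Admin\AppData\Local\Temp\tmp4287.tmpizqighvc.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe" C:\Users\Admin\AppData\Local\Temp\tmp4305.tmpuhjkr.exe N/A',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk C:\Users\Admin\AppData\Local\Temp\tmp4305.tmpuhjkr.exe N/A',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp4287.tmpizqighvc.exe C:\Users\Admin\AppData\Local\Temp\tmp4287.tmpizqighvc.exe N/A',
]

# Every path the report shows being written (Files) or executed (Processes).
KNOWN_PATHS = {p.lower() for p in [
    r"C:\Users\Admin\AppData\Local\Temp\tmp57F0.tmpizqighvc.exe",
    r"C:\Users\Admin\AppData\Local\Temp\tmp584E.tmpuhjkr.exe",
    r"C:\Users\Admin\AppData\Local\Temp\Payload.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tmp57F0.tmpizqighvc.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk",
    r"C:\Users\Admin\AppData\Local\Temp\tmp4287.tmpizqighvc.exe",
    r"C:\Users\Admin\AppData\Local\Temp\tmp4305.tmpuhjkr.exe",
]}


@dataclass
class Persistence:
    technique: str            # ATT&CK T1547.001 mechanism
    location: str             # HKU\<SID>\...\Run\<name> or the Startup-folder file
    target: str               # what runs at logon
    writer: str               # process that created the entry
    reasons: list = field(default_factory=list)


def _reasons(target, known_paths):
    low = target.lower()
    out = []
    if "\\appdata\\local\\temp\\" in low:
        out.append("target lives in the user temp directory")
    elif "\\programs\\startup\\" in low:
        out.append("file placed directly in the Startup folder")
    elif "\\appdata\\roaming\\" in low:
        out.append("target lives in the user's roaming profile")
    if TEMPNAME_RE.match(target.rsplit("\\", 1)[-1]):
        out.append("GetTempFileName-style name (tmpXXXX.tmp prefix)")
    if low.endswith(".lnk"):
        out.append("shortcut; its target is not recorded in the report")
    if low not in known_paths:
        out.append(MISSING)
    return out


def triage(rows, known_paths=KNOWN_PATHS):
    entries = []
    for row in rows:
        m = RUN_RE.match(row)
        if m:
            target = m["data"].replace("\\\\", "\\")      # undo the log's escaping
            location = "HKU\\%s\\%s\\%s" % (m["sid"], m["subkey"], m["name"])
            entries.append(Persistence("T1547.001 Run key", location, target,
                                       m["proc"], _reasons(target, known_paths)))
            continue
        m = STARTUP_RE.match(row)
        if m and m["action"] == "File created":           # modifications add no new entry
            entries.append(Persistence("T1547.001 Startup folder", m["path"], m["path"],
                                       m["proc"], _reasons(m["path"], known_paths)))
    return entries


def report(entries):
    lines = []
    for e in entries:
        lines.append("%s  %s" % (e.technique, e.location))
        lines.append("    runs: %s  (written by %s)" % (e.target, e.writer))
        lines.extend("    ! " + r for r in e.reasons)
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(ROWS))))
```

Running it lists eight entries; the two Roaming-path Run values and the Windows 10 run's Startup copy of tmp4287.tmpizqighvc.exe carry the "not among the files written or executed" reason, which is the discrepancy noted in the tables above. For a live host the same locations translate directly into a query of HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run and a listing of the user's Startup folder.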

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | 8.tcp.ngrok.io | N/A | N/A (4 hits)

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A (16 hits)
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A (16 hits)

Same pattern as the Windows 7 run: one SeDebugPrivilege request followed by 16 alternating Token: 33 / Token: SeIncBasePriorityPrivilege pairs, all from Payload.exe (LUID 33 is SE_INC_WORKING_SET_PRIVILEGE in winnt.h).

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp4287.tmpizqighvc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2256 wrote to memory of 3572 | N/A | C:\Users\Admin\AppData\Local\Temp\7ed42ba337d1cb153fb2470c0938fef0.exe | C:\Users\Admin\AppData\Local\Temp\tmp4287.tmpizqighvc.exe (2 hits)
PID 2256 wrote to memory of 3908 | N/A | C:\Users\Admin\AppData\Local\Temp\7ed42ba337d1cb153fb2470c0938fef0.exe | C:\Users\Admin\AppData\Local\Temp\tmp4305.tmpuhjkr.exe (3 hits)
PID 3908 wrote to memory of 4028 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp4305.tmpuhjkr.exe | C:\Users\Admin\AppData\Local\Temp\Payload.exe (3 hits)
PID 3908 wrote to memory of 3932 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp4305.tmpuhjkr.exe | C:\Windows\SysWOW64\attrib.exe (3 hits)

As in the Windows 7 run, each write goes from a parent to a child it spawned (sample -> tmp4287.tmpizqighvc.exe and tmp4305.tmpuhjkr.exe; tmp4305.tmpuhjkr.exe -> Payload.exe and attrib.exe); no write targets a process the sample did not create.

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

PID 2256  C:\Users\Admin\AppData\Local\Temp\7ed42ba337d1cb153fb2470c0938fef0.exe
          "C:\Users\Admin\AppData\Local\Temp\7ed42ba337d1cb153fb2470c0938fef0.exe"

PID 3908  C:\Users\Admin\AppData\Local\Temp\tmp4305.tmpuhjkr.exe
          "C:\Users\Admin\AppData\Local\Temp\tmp4305.tmpuhjkr.exe"

PID 3572  C:\Users\Admin\AppData\Local\Temp\tmp4287.tmpizqighvc.exe
          "C:\Users\Admin\AppData\Local\Temp\tmp4287.tmpizqighvc.exe"

PID 3932  C:\Windows\SysWOW64\attrib.exe
          attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"

PID 4028  C:\Users\Admin\AppData\Local\Temp\Payload.exe
          "C:\Users\Admin\AppData\Local\Temp\Payload.exe"

PIDs are taken from the WriteProcessMemory rows above; the chain is the same as on Windows 7, only the random dropper names and the PIDs differ.

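The WriteProcessMemory rows of both runs name a writer PID, a target PID and both image paths, which is enough to reconstruct the spawn chain without a process-tree view. The script below is an added example, not the sandbox's code. It parses those rows (reproduced here as constructed input, with the duplicate rows restored by list multiplication so the counts survive), rebuilds the tree with the per-child write count, prints it with the command lines from the Processes sections, and checks whether any PID received writes from more than one process, the pattern that would distinguish cross-process injection from these spawn-time writes. It assumes, as holds for these runs, that the image paths contain no spaces.

```python
"""Rebuild the spawn chains of both behavioral runs from the report's
"Suspicious use of WriteProcessMemory" rows (added example, not part of the
report; rows below are constructed from the two tables)."""
import re
from collections import defaultdict

# Row layout used by the report; image paths are assumed to contain no spaces.
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7ed42ba337d1cb153fb2470c0938fef0.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp"
ATTRIB = r"C:\Windows\SysWOW64\attrib.exe"


def row(parent, child, pimg, cimg):
    return "PID %d wrote to memory of %d N/A %s %s" % (parent, child, pimg, cimg)


RUN1 = ([row(2936, 2720, SAMPLE, TMP + r"\tmp57F0.tmpizqighvc.exe")] * 3
        + [row(2936, 2796, SAMPLE, TMP + r"\tmp584E.tmpuhjkr.exe")] * 4
        + [row(2796, 2552, TMP + r"\tmp584E.tmpuhjkr.exe", TMP + r"\Payload.exe")] * 4
        + [row(2796, 336, TMP + r"\tmp584E.tmpuhjkr.exe", ATTRIB)] * 4)
RUN2 = ([row(2256, 3572, SAMPLE, TMP + r"\tmp4287.tmpizqighvc.exe")] * 2
        + [row(2256, 3908, SAMPLE, TMP + r"\tmp4305.tmpuhjkr.exe")] * 3
        + [row(3908, 4028, TMP + r"\tmp4305.tmpuhjkr.exe", TMP + r"\Payload.exe")] * 3
        + [row(3908, 3932, TMP + r"\tmp4305.tmpuhjkr.exe", ATTRIB)] * 3)
# Only attrib.exe has a command line that is not just its quoted image path.
CMDLINES = {ATTRIB: r'attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"'}


def build_tree(rows):
    """Return (image by pid, parent -> {child: write count}, root pids)."""
    image, children = {}, defaultdict(dict)
    for r in rows:
        m = WPM_RE.match(r)
        if not m:
            raise ValueError("unexpected row: " + r)
        parent, child = int(m[1]), int(m[2])
        image.setdefault(parent, m[3])
        image.setdefault(child, m[4])
        children[parent][child] = children[parent].get(child, 0) + 1
    all_children = {c for kids in children.values() for c in kids}
    roots = [p for p in children if p not in all_children]
    return image, dict(children), roots


def cross_process_writes(rows):
    """PIDs written to by more than one process. A spawn-time write comes only
    from the creating parent, so anything listed here deserves a closer look."""
    writers = defaultdict(set)
    for r in rows:
        m = WPM_RE.match(r)
        writers[int(m[2])].add(int(m[1]))
    return sorted(pid for pid, ws in writers.items() if len(ws) > 1)


def render(rows, cmdlines=CMDLINES):
    image, children, roots = build_tree(rows)
    lines = []

    def walk(pid, depth, writes=None):
        img = image[pid]
        suffix = "" if writes is None else "  [%d writes from parent]" % writes
        lines.append("%s%d %s%s" % ("    " * depth, pid, img.rsplit("\\", 1)[-1], suffix))
        lines.append("%s    %s" % ("    " * depth, cmdlines.get(img, '"%s"' % img)))
        for kid, n in children.get(pid, {}).items():
            walk(kid, depth + 1, n)

    for r in roots:
        walk(r, 0)
    return lines


if __name__ == "__main__":
    for name, rows in (("behavioral1 (win7)", RUN1), ("behavioral2 (win10)", RUN2)):
        print(name)
        print("\n".join(render(rows)))
        print("cross-process writes:", cross_process_writes(rows) or "none")
```

For both runs the tree has one root (the sample), two first-level children (the two droppers) and, under the tmp584E/tmp4305 dropper, Payload.exe and the attrib.exe call that hides it; cross_process_writes returns an empty list, matching the reading of the WriteProcessMemory tables above.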
Network

Country | Destination | Domain | Proto | Hits
US | 8.8.8.8:53 | 8.tcp.ngrok.io | udp | 4
US | 3.142.129.56:10093 | 8.tcp.ngrok.io | tcp | 17
US | 3.142.167.4:10093 | 8.tcp.ngrok.io | tcp | 24
US | 3.142.81.166:10093 | 8.tcp.ngrok.io | tcp | 10

PTR (reverse) lookups sent to 8.8.8.8:53 during the run, in log order:
241.150.49.20.in-addr.arpa, 180.178.17.96.in-addr.arpa, 73.159.190.20.in-addr.arpa, 95.221.229.192.in-addr.arpa, 56.129.142.3.in-addr.arpa, 183.142.211.20.in-addr.arpa, 28.118.140.52.in-addr.arpa, 26.165.165.52.in-addr.arpa, 56.126.166.20.in-addr.arpa, 217.135.221.88.in-addr.arpa, 4.167.142.3.in-addr.arpa, 81.171.91.138.in-addr.arpa, 19.229.111.52.in-addr.arpa, 173.178.17.96.in-addr.arpa, 166.81.142.3.in-addr.arpa

Identical rows are coll collapsed into hit counts; in the raw log the TCP connections and the 8.tcp.ngrok.io lookups are interleaved with the PTR queries. Three of the PTR queries (56.129.142.3, 4.167.142.3 and 166.81.142.3) are reverse lookups of the three tunnel addresses, so a DNS log alone exposes the C2 addresses even where the TCP sessions were not captured. The other reverse lookups concern addresses that appear nowhere else in this report. As in the Windows 7 run the tunnel port is fixed at 10093 while the ngrok edge address changes across resolutions (51 connections in total).
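The two Network tables show one tunnel hostname under three edge addresses each, plus, on Windows 10, reverse lookups of those same addresses. The Python below is an added example, not part of the report. It parses rows in the tables' own format (constructed here from the two runs, with the repeated rows restored by list multiplication and only five of the Windows 10 run's fifteen PTR rows reproduced), separates forward lookups, reverse lookups and TCP sessions, groups the sessions of ngrok TCP-tunnel hostnames into a (hostname, port, edge IPs) indicator, and lists which PTR queries reversed a C2 address. The ngrok hostname pattern (numeric label, tcp, optional two-letter region, ngrok.io) is an assumption of this example.

```python
"""Summarise the C2 traffic of both runs and pull out the ngrok tunnel
(added example, not part of the report; rows are constructed from the two
Network tables above)."""
import re
from collections import Counter, defaultdict

NET_RE = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>\d+(?:\.\d+){3}):(?P<port>\d+) "
                    r"(?P<name>\S+) (?P<proto>tcp|udp)$")
PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")
# ngrok TCP tunnels are published as <n>.tcp.ngrok.io or <n>.tcp.<region>.ngrok.io;
# the two-letter region label is an assumption of this example.
NGROK_TCP_RE = re.compile(r"^\d+\.tcp(?:\.[a-z]{2})?\.ngrok\.io$")


def dns(name):
    return "US 8.8.8.8:53 %s udp" % name


def c2(ip):
    return "US %s:10093 8.tcp.ngrok.io tcp" % ip


RUN1 = ([dns("8.tcp.ngrok.io")] + [c2("3.142.129.56")] * 16
        + [dns("8.tcp.ngrok.io")] + [c2("3.142.167.54")] * 24
        + [dns("8.tcp.ngrok.io")] + [c2("3.19.130.43")] * 12)
RUN2 = ([dns("241.150.49.20.in-addr.arpa"), dns("8.tcp.ngrok.io")]
        + [c2("3.142.129.56")] * 17
        + [dns("56.129.142.3.in-addr.arpa"), dns("8.tcp.ngrok.io"), dns("8.tcp.ngrok.io")]
        + [c2("3.142.167.4")] * 24
        + [dns("4.167.142.3.in-addr.arpa"), dns("8.tcp.ngrok.io")]
        + [c2("3.142.81.166")] * 10
        + [dns("166.81.142.3.in-addr.arpa"), dns("81.171.91.138.in-addr.arpa")])


def ptr_to_ip(name):
    """'56.129.142.3.in-addr.arpa' -> '3.142.129.56'; None for non-PTR names."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def is_ngrok_tcp_tunnel(name):
    return bool(NGROK_TCP_RE.match(name))


def summarise(rows):
    """Split rows into forward-lookup counts, reversed PTR targets and TCP sessions."""
    forward, ptr, sessions = Counter(), [], Counter()
    for r in rows:
        m = NET_RE.match(r)
        if not m:
            raise ValueError("unexpected row: " + r)
        if m["proto"] == "udp" and m["port"] == "53":
            ip = ptr_to_ip(m["name"])
            if ip:
                ptr.append(ip)
            else:
                forward[m["name"]] += 1
        else:
            sessions[(m["name"], m["ip"], int(m["port"]))] += 1
    return forward, ptr, sessions


def tunnel_endpoints(sessions):
    """host -> {'ips', 'ports', 'sessions'} for ngrok TCP-tunnel hostnames."""
    out = defaultdict(lambda: {"ips": set(), "ports": set(), "sessions": 0})
    for (host, ip, port), n in sessions.items():
        if is_ngrok_tcp_tunnel(host):
            e = out[host]
            e["ips"].add(ip)
            e["ports"].add(port)
            e["sessions"] += n
    return dict(out)


def ptr_hits_on_c2(ptr, sessions):
    """PTR queries that reversed an address the sample also connected to."""
    c2_ips = {ip for (_, ip, _) in sessions}
    return sorted(ip for ip in ptr if ip in c2_ips)


if __name__ == "__main__":
    for name, rows in (("behavioral1", RUN1), ("behavioral2", RUN2)):
        forward, ptr, sessions = summarise(rows)
        for host, e in tunnel_endpoints(sessions).items():
            print(name, "tunnel", host, "port(s)", sorted(e["ports"]),
                  "sessions", e["sessions"], "edge ips", sorted(e["ips"]))
        print(name, "PTR lookups of C2 addresses:", ptr_hits_on_c2(ptr, sessions))
```

The stable indicator that comes out is the pair (8.tcp.ngrok.io, 10093); the edge IPs are listed only to explain the traffic, since ngrok reassigns them and they serve other tunnels. On the Windows 10 run the PTR check returns all three tunnel addresses, which is why a resolver log is worth checking even when the TCP sessions themselves were not captured.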

Files

Dropped files

C:\Users\Admin\AppData\Local\Temp\tmp4287.tmpizqighvc.exe
MD5 9d02de8e771827f73c26a3d669e579d7
SHA1 4a8cdec5afa86832bafd59f17812896b47c4464f
SHA256 0531fa8add852becdab7c5235a9de90de117c0c6b06dcbcc58a397538e968f96
SHA512 daa07f74ab83c2c6bd183b679aa5cd9e055985f402bae968ee422cab4a056cad0a5b7ae5e30f65846eb041711f203751b809f75efc35cdd46920275a55787dc6

C:\Users\Admin\AppData\Local\Temp\tmp4305.tmpuhjkr.exe
MD5 67f4d91c4725ce8f1d86e15f49ef57c2
SHA1 de32cb8976e32543130eda1f3f8a495f324502f8
SHA256 485dadce98a6cbc3c5ce2a5208bd22975451f3e00826c40e7fad474d1a05c679
SHA512 348ed6bb2f8ee62cfae877d86dcc7ad2b915f6875aaf4c8c773d00754e9c77652f5db717cf7e2aaaa9f1418baae33aee1b61814dd921acb64049b74b842a86e0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
MD5 22cb0526d259a32938e991b4d90f8c40
SHA1 743a47e1b9f4941c4c7450bf650e2c2c62b10fd9
SHA256 454087eae3ab0ef4cbe2389aa85dfee562a0cb92e7fd3ed4f35a5c8089b9e295
SHA512 c7dd4c17565bce130750b1a44a88edaeba193a95edac1f3dc25f9e5e24643a15867b91cce549f08d41ecb6d969a6fa843b593d1f88b481b79beb64eb155be511

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
MD5 ea09e68527bab5fd3c199172a8e34245
SHA1 28fdeb23907f350133827d84b2af791e6eb1776c
SHA256 070dd70f232d0f6af8db13d0653be8102617dd0233d8fb4d3b5bc15d78e8f751
SHA512 ab13c8807319a660bbe8efa91b413a5f7ec8b36cc7e1d18a374622f09671a2f612acc0bafa51b6df7bbd067451adaafdef0d489d2f67162606a720b04ec063cd

The two droppers have exactly the hashes of their Windows 7 counterparts (tmp4287.tmpizqighvc.exe matches tmp57F0.tmpizqighvc.exe, tmp4305.tmpuhjkr.exe matches tmp584E.tmpuhjkr.exe): the random tmpXXXX.tmp names are chosen per run, the content is not, so the content hashes are the reusable indicators and the file names are not. Both Windows.lnk files hash differently from the Windows 7 run's files at the same paths. As in the Windows 7 run, Payload.exe has no hash recorded, and the Startup-folder copy of tmp4287.tmpizqighvc.exe whose creation the signatures record is not listed here.

Memory dumps (PID-sequence-start-end)

memory/2256-0-0x000000001BCD0000-0x000000001BD76000-memory.dmp
memory/2256-1-0x00007FF85DEA0000-0x00007FF85E841000-memory.dmp
memory/2256-2-0x0000000001720000-0x0000000001730000-memory.dmp
memory/2256-4-0x00007FF85DEA0000-0x00007FF85E841000-memory.dmp
memory/3572-23-0x00007FF85DEA0000-0x00007FF85E841000-memory.dmp
memory/3572-24-0x000000001BB00000-0x000000001BFCE000-memory.dmp
memory/3572-26-0x0000000000ED0000-0x0000000000EE0000-memory.dmp
memory/3572-27-0x000000001C090000-0x000000001C0F2000-memory.dmp
memory/2256-28-0x00007FF85DEA0000-0x00007FF85E841000-memory.dmp
memory/3572-29-0x00007FF85DEA0000-0x00007FF85E841000-memory.dmp
memory/3908-30-0x0000000074B60000-0x0000000075111000-memory.dmp
memory/3908-31-0x0000000001060000-0x0000000001070000-memory.dmp
memory/3572-34-0x000000001C9F0000-0x000000001CA8C000-memory.dmp
memory/3572-38-0x0000000000ED0000-0x0000000000EE0000-memory.dmp
memory/3908-48-0x0000000074B60000-0x0000000075111000-memory.dmp
memory/4028-49-0x0000000074B60000-0x0000000075111000-memory.dmp
memory/4028-50-0x0000000074B60000-0x0000000075111000-memory.dmp
memory/3572-55-0x0000000000ED0000-0x0000000000EE0000-memory.dmp
memory/3572-56-0x00007FF85DEA0000-0x00007FF85E841000-memory.dmp
memory/3572-57-0x0000000000ED0000-0x0000000000EE0000-memory.dmp
memory/4028-58-0x0000000074B60000-0x0000000075111000-memory.dmp