njrat | 787cb0fab96ebe518dea4d2ebd90528db5ebf6019cb2c0d62ad77413bcd36e2d

Analysis

max time kernel
749s
max time network
763s
platform
windows10-1703_x64
resource
win10-20240214-en
resource tags

arch:x64arch:x86image:win10-20240214-enlocale:en-usos:windows10-1703-x64system
submitted
19-02-2024 15:26

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

anhezkzllnds.exe
Size

772KB
MD5

d17aa4b3341d78c4a242afdf5a87285d
SHA1

fda2f7e9e126dbecc3d43b06f71753b7994d3dbb
SHA256

ca6737b1037065306f3828753ffc1ed1bdb0acd03d95cef88a2ae1872bfcbb0c
SHA512

de2eab87b8d49c06e5bbe2baccf44c0e92eb7bd6e3c1971bb6c58e6ea6c2ae9b2f51158cb1d75635adbe96c063828aaab00b884a37f7843193f0d1943c551fa8
SSDEEP

12288:S3oEPFPgcKEBRlkQcPVle8c8xTCSqfU6XhhdeXZmThqMwRxwkNfM3q9RNIwo:ShSch8xTSfThd5ThUNN03qD

Score

10^/10

njrat lammer evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

8.tcp.ngrok.io:19346

Mutex

bca7344ec33c4f045ea133b6b48694e2

Attributes

reg_key
bca7344ec33c4f045ea133b6b48694e2
splitter
|'|'|

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/3984-520-0x00000000011C0000-0x00000000011CA000-memory.dmp	disable_win_def

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

anhezkzllnds.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\Documents\\Sub\\xdwdClient.exe"	anhezkzllnds.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 3 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

anhezkzllnds.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	anhezkzllnds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	anhezkzllnds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	anhezkzllnds.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

anhezkzllnds.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	anhezkzllnds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	anhezkzllnds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	anhezkzllnds.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112
Executes dropped EXE 1 IoCs

Processes:

Trojan.exe

pid process

3496 Trojan.exe

pid	process
3496	Trojan.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

anhezkzllnds.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-392952528-2979573054-2586089985-1000\Software\Microsoft\Windows\CurrentVersion\Run\SDLKFJHDLKHDkh = "C:\\Users\\Admin\\Documents\\Sub\\xdwdWatchDog.exe"	anhezkzllnds.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

anhezkzllnds.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	anhezkzllnds.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua	anhezkzllnds.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

23 0.tcp.eu.ngrok.io
27 0.tcp.eu.ngrok.io
2 0.tcp.eu.ngrok.io
8 0.tcp.eu.ngrok.io
Suspicious use of SetThreadContext 1 IoCs

Processes:

anhezkzllnds.exe

description pid process target process

PID 3984 set thread context of 512 3984 anhezkzllnds.exe RegAsm.exe
Drops file in Windows directory 1 IoCs

Processes:

anhezkzllnds.exe

description ioc process

File created C:\Windows\xdwd.dll anhezkzllnds.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
23	0.tcp.eu.ngrok.io
27	0.tcp.eu.ngrok.io
2	0.tcp.eu.ngrok.io
8	0.tcp.eu.ngrok.io

description	pid	process	target process
PID 3984 set thread context of 512	3984	anhezkzllnds.exe	RegAsm.exe

description	ioc	process
File created	C:\Windows\xdwd.dll	anhezkzllnds.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

anhezkzllnds.exeWmiApSrv.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3984	anhezkzllnds.exe
3984	anhezkzllnds.exe
3984	anhezkzllnds.exe
3984	anhezkzllnds.exe
3984	anhezkzllnds.exe
3984	anhezkzllnds.exe
3984	anhezkzllnds.exe
3984	anhezkzllnds.exe
3984	anhezkzllnds.exe
3984	anhezkzllnds.exe
3984	anhezkzllnds.exe
3984	anhezkzllnds.exe
3984	anhezkzllnds.exe
3984	anhezkzllnds.exe
3984	anhezkzllnds.exe
3984	anhezkzllnds.exe
3984	anhezkzllnds.exe
3984	anhezkzllnds.exe
3984	anhezkzllnds.exe
3984	anhezkzllnds.exe
3984	anhezkzllnds.exe
3984	anhezkzllnds.exe
3984	anhezkzllnds.exe
3092	WmiApSrv.exe
3092	WmiApSrv.exe
4076	powershell.exe
4076	powershell.exe
4076	powershell.exe
4076	powershell.exe
4076	powershell.exe
3668	powershell.exe
3668	powershell.exe
4548	powershell.exe
4548	powershell.exe
2004	powershell.exe
2004	powershell.exe
3676	powershell.exe
3676	powershell.exe
4844	powershell.exe
4844	powershell.exe
4140	powershell.exe
4140	powershell.exe
3668	powershell.exe
3668	powershell.exe
4548	powershell.exe
4548	powershell.exe
1564	powershell.exe
1564	powershell.exe
4932	powershell.exe
4932	powershell.exe
2004	powershell.exe
2004	powershell.exe
3900	powershell.exe
3900	powershell.exe
3676	powershell.exe
3676	powershell.exe
196	powershell.exe
196	powershell.exe
4844	powershell.exe
4844	powershell.exe
4644	powershell.exe
4644	powershell.exe
4140	powershell.exe
4140	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

anhezkzllnds.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3984	anhezkzllnds.exe
Token: SeDebugPrivilege	4076	powershell.exe
Token: SeIncreaseQuotaPrivilege	4076	powershell.exe
Token: SeSecurityPrivilege	4076	powershell.exe
Token: SeTakeOwnershipPrivilege	4076	powershell.exe
Token: SeLoadDriverPrivilege	4076	powershell.exe
Token: SeSystemProfilePrivilege	4076	powershell.exe
Token: SeSystemtimePrivilege	4076	powershell.exe
Token: SeProfSingleProcessPrivilege	4076	powershell.exe
Token: SeIncBasePriorityPrivilege	4076	powershell.exe
Token: SeCreatePagefilePrivilege	4076	powershell.exe
Token: SeBackupPrivilege	4076	powershell.exe
Token: SeRestorePrivilege	4076	powershell.exe
Token: SeShutdownPrivilege	4076	powershell.exe
Token: SeDebugPrivilege	4076	powershell.exe
Token: SeSystemEnvironmentPrivilege	4076	powershell.exe
Token: SeRemoteShutdownPrivilege	4076	powershell.exe
Token: SeUndockPrivilege	4076	powershell.exe
Token: SeManageVolumePrivilege	4076	powershell.exe
Token: 33	4076	powershell.exe
Token: 34	4076	powershell.exe
Token: 35	4076	powershell.exe
Token: 36	4076	powershell.exe
Token: SeDebugPrivilege	3668	powershell.exe
Token: SeDebugPrivilege	4548	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	3676	powershell.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeDebugPrivilege	4140	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeDebugPrivilege	3900	powershell.exe
Token: SeDebugPrivilege	196	powershell.exe
Token: SeDebugPrivilege	4644	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeIncreaseQuotaPrivilege	4932	powershell.exe
Token: SeSecurityPrivilege	4932	powershell.exe
Token: SeTakeOwnershipPrivilege	4932	powershell.exe
Token: SeLoadDriverPrivilege	4932	powershell.exe
Token: SeSystemProfilePrivilege	4932	powershell.exe
Token: SeSystemtimePrivilege	4932	powershell.exe
Token: SeProfSingleProcessPrivilege	4932	powershell.exe
Token: SeIncBasePriorityPrivilege	4932	powershell.exe
Token: SeCreatePagefilePrivilege	4932	powershell.exe
Token: SeBackupPrivilege	4932	powershell.exe
Token: SeRestorePrivilege	4932	powershell.exe
Token: SeShutdownPrivilege	4932	powershell.exe
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeSystemEnvironmentPrivilege	4932	powershell.exe
Token: SeRemoteShutdownPrivilege	4932	powershell.exe
Token: SeUndockPrivilege	4932	powershell.exe
Token: SeManageVolumePrivilege	4932	powershell.exe
Token: 33	4932	powershell.exe
Token: 34	4932	powershell.exe
Token: 35	4932	powershell.exe
Token: 36	4932	powershell.exe
Token: SeIncreaseQuotaPrivilege	4548	powershell.exe
Token: SeSecurityPrivilege	4548	powershell.exe
Token: SeTakeOwnershipPrivilege	4548	powershell.exe
Token: SeLoadDriverPrivilege	4548	powershell.exe
Token: SeSystemProfilePrivilege	4548	powershell.exe
Token: SeSystemtimePrivilege	4548	powershell.exe
Token: SeProfSingleProcessPrivilege	4548	powershell.exe
Token: SeIncBasePriorityPrivilege	4548	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

4804 LogonUI.exe

pid	process
4804	LogonUI.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

anhezkzllnds.exeRegAsm.execmd.execmd.exe

description	pid	process	target process
PID 3984 wrote to memory of 4076	3984	anhezkzllnds.exe	powershell.exe
PID 3984 wrote to memory of 4076	3984	anhezkzllnds.exe	powershell.exe
PID 3984 wrote to memory of 3668	3984	anhezkzllnds.exe	powershell.exe
PID 3984 wrote to memory of 3668	3984	anhezkzllnds.exe	powershell.exe
PID 3984 wrote to memory of 4548	3984	anhezkzllnds.exe	powershell.exe
PID 3984 wrote to memory of 4548	3984	anhezkzllnds.exe	powershell.exe
PID 3984 wrote to memory of 2004	3984	anhezkzllnds.exe	powershell.exe
PID 3984 wrote to memory of 2004	3984	anhezkzllnds.exe	powershell.exe
PID 3984 wrote to memory of 3676	3984	anhezkzllnds.exe	powershell.exe
PID 3984 wrote to memory of 3676	3984	anhezkzllnds.exe	powershell.exe
PID 3984 wrote to memory of 4844	3984	anhezkzllnds.exe	powershell.exe
PID 3984 wrote to memory of 4844	3984	anhezkzllnds.exe	powershell.exe
PID 3984 wrote to memory of 4140	3984	anhezkzllnds.exe	powershell.exe
PID 3984 wrote to memory of 4140	3984	anhezkzllnds.exe	powershell.exe
PID 3984 wrote to memory of 1564	3984	anhezkzllnds.exe	powershell.exe
PID 3984 wrote to memory of 1564	3984	anhezkzllnds.exe	powershell.exe
PID 3984 wrote to memory of 4932	3984	anhezkzllnds.exe	powershell.exe
PID 3984 wrote to memory of 4932	3984	anhezkzllnds.exe	powershell.exe
PID 3984 wrote to memory of 3900	3984	anhezkzllnds.exe	powershell.exe
PID 3984 wrote to memory of 3900	3984	anhezkzllnds.exe	powershell.exe
PID 3984 wrote to memory of 196	3984	anhezkzllnds.exe	powershell.exe
PID 3984 wrote to memory of 196	3984	anhezkzllnds.exe	powershell.exe
PID 3984 wrote to memory of 2096	3984	anhezkzllnds.exe	powershell.exe
PID 3984 wrote to memory of 2096	3984	anhezkzllnds.exe	powershell.exe
PID 3984 wrote to memory of 4644	3984	anhezkzllnds.exe	powershell.exe
PID 3984 wrote to memory of 4644	3984	anhezkzllnds.exe	powershell.exe
PID 3984 wrote to memory of 2604	3984	anhezkzllnds.exe	RegAsm.exe
PID 3984 wrote to memory of 2604	3984	anhezkzllnds.exe	RegAsm.exe
PID 3984 wrote to memory of 2604	3984	anhezkzllnds.exe	RegAsm.exe
PID 3984 wrote to memory of 4916	3984	anhezkzllnds.exe	RegAsm.exe
PID 3984 wrote to memory of 4916	3984	anhezkzllnds.exe	RegAsm.exe
PID 3984 wrote to memory of 4916	3984	anhezkzllnds.exe	RegAsm.exe
PID 3984 wrote to memory of 512	3984	anhezkzllnds.exe	RegAsm.exe
PID 3984 wrote to memory of 512	3984	anhezkzllnds.exe	RegAsm.exe
PID 3984 wrote to memory of 512	3984	anhezkzllnds.exe	RegAsm.exe
PID 3984 wrote to memory of 512	3984	anhezkzllnds.exe	RegAsm.exe
PID 3984 wrote to memory of 512	3984	anhezkzllnds.exe	RegAsm.exe
PID 3984 wrote to memory of 512	3984	anhezkzllnds.exe	RegAsm.exe
PID 3984 wrote to memory of 512	3984	anhezkzllnds.exe	RegAsm.exe
PID 3984 wrote to memory of 512	3984	anhezkzllnds.exe	RegAsm.exe
PID 512 wrote to memory of 3496	512	RegAsm.exe	Trojan.exe
PID 512 wrote to memory of 3496	512	RegAsm.exe	Trojan.exe
PID 512 wrote to memory of 3496	512	RegAsm.exe	Trojan.exe
PID 3984 wrote to memory of 700	3984	anhezkzllnds.exe	cmd.exe
PID 3984 wrote to memory of 700	3984	anhezkzllnds.exe	cmd.exe
PID 700 wrote to memory of 1756	700	cmd.exe	powershell.exe
PID 700 wrote to memory of 1756	700	cmd.exe	powershell.exe
PID 3984 wrote to memory of 4552	3984	anhezkzllnds.exe	cmd.exe
PID 3984 wrote to memory of 4552	3984	anhezkzllnds.exe	cmd.exe
PID 4552 wrote to memory of 1472	4552	cmd.exe	shutdown.exe
PID 4552 wrote to memory of 1472	4552	cmd.exe	shutdown.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

anhezkzllnds.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	anhezkzllnds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	anhezkzllnds.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	anhezkzllnds.exe

C:\Users\Admin\AppData\Local\Temp\anhezkzllnds.exe
"C:\Users\Admin\AppData\Local\Temp\anhezkzllnds.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:512

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
3⤵
- Executes dropped EXE
PID:3496

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vffrmd1n.h0s.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\vffrmd1n.h0s.exe"'
3⤵
PID:1756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Shutdown /s /f /t 00
2⤵
- Suspicious use of WriteProcessMemory
PID:4552

C:\Windows\system32\shutdown.exe
Shutdown /s /f /t 00
3⤵
PID:1472

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3092

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3aeb055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4804

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ac74ecf52d72e7d9b9e12d1717485813

SHA1
d5596bff56dfe5b746673d7f993d3341207074d4

SHA256
852f2d81617804c32374ae1783c4023a76b883acdfeb376821992b2cbae476bd

SHA512
46be2330119219f8c91e12fcb3fdeb67d26ae4dff2ff4c61f15f9c2b638dfaa0005e2a636278bc45ba72c344e07e0070492aac133ccc18cdfcfc5dd45dc67b6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f46b1b36c0cbf761f7f41f53799567ff

SHA1
4174dc180a22ea6a001c6ed4041ef34529354f62

SHA256
2986376986f76b572037cda1c168cc691b2d528e01f8a3035cc1b0ed7c63e34c

SHA512
85e278be2ca43f102313c361a89051a432af98623b04452ef1608e52e590fdbc78738e90b8289c041cb5ace34308f33d606d094a8ca31f077c29407479e3e1f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
490fb8b83513625c3c656263d73c3b44

SHA1
ccc33a19e6bdb4b43deae6d889f6b29dfd58e3ab

SHA256
a1bf64ad6ff1ab60ae8ee043c6b394b67502e7eaf3d0a6465bb8f52fd9c39280

SHA512
a6184366722bb7b68087d22369adaabfc5ffb9d21648af57196210682cb2ac5ad286942ef2133ba38d6f6d3a61f92ceb5f88bcc9677da769c26063a570b24525

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
21c2df4cb21e0dc174b90745d3376e1a

SHA1
21d1957d479601be6cac721b7742d6a83b43285b

SHA256
c5d5b702ef1b3027768efdf0a76e05b182920cb89e61565f1c6a8739c04bbbc3

SHA512
52723ab8798c8b7dc8fbe397c1f180db63e1a6a166d1e8405d894c8c7ae06adf429f054bd5f5539bec709e905243487ffdce233d19fec5189b8a2667c8441606

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
46033df4c5b76c1e54786c2ff89adab8

SHA1
f78eb0cc9237e92474106c8fc2f8821561e37500

SHA256
951cf9a9a90a232ba425c0c66a7cd04b7a6da60401a03b199ec221c37d8c7447

SHA512
c1e2e009772327cca64b2e81cf6b53568b60c38f87822fa5277918fcb02c98afaf7dfab1458b8a02d4f637a211fd6467537afbf3ea4d12aa617bfe983346f6d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
72df209465819295381b24494e28a572

SHA1
bda34a17dc388712e23ef3bb9e3d81d16d9df031

SHA256
00ac46720e5dcf44e6827db2f9474a36f8ab99ba256307cc096b24075618a066

SHA512
7b3bb1008731562dddbaff91d20887a8b9594de7ca63e55eaefe44a3c1e1106b6656e4863c7371b3a3c8ca9a655e44eaaf8376d624c69a4d737faff3e24edd13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
654977da0b96b7395d3847e53b89f0e9

SHA1
c93f03708f4fec4835291f7f0ff21b4fcffea160

SHA256
9b82db835d80251915c2f458b0b56630368789f1172753e94e152aad70f93fc6

SHA512
5eb7b066583ea1cccd021d11b30da27a5eadd91248e3d92e4808ded459ca6d8a2e943015f166f1d8090f731caad1dfed96b4f480a6bd7ced1b464b3d7bab701a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4ca410c1e63986ee021b61320a809a19

SHA1
ad43191f70a569acd15faaf7c70cc4521540547f

SHA256
0b499eb4ade40802ad69b257e15bab6a77914b2a4fd20f87bc4c3c3ab413d36d

SHA512
191dae71dc59eb4048882b8e79423ae413cd8aa5375f0f8d3210786b10d56aeddcded4af416c1150ba03e2a08e80a926c8dcf7d92fa93e9043413ea432a83af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a505700b9d7768d132fc17a783015e12

SHA1
ddde65a567547608189b1715a1674551d8c69b87

SHA256
46cd043daeaa2dbd1c636c9534ddfbf0ca4d65a32b63131001f5ad56923161b7

SHA512
75477421ba9e4a04ff6a313888cca90f57adfc89dd0cc473c7e0384ec9b865edd71b054a9b255c2cfc910e89963a30a5a37c47003a31ab7a54207046d1f9c6e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4917f4473545d733c9829c5afa528477

SHA1
f10f2e39a294700b724f9da5c283e8c9be809955

SHA256
d29f0f381d41bc8d4c443627f29de9d66fdfcb94cda0b714cba51a34881d666c

SHA512
2417651ce8c6bddc480aa113bc625f44304625cab45bf29b0f7566ca2e0b0836062e244de949e0cb7ffad4b296086c3461cc714b89dc9f545bb006624c32d63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5fldwjub.0fz.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Documents\Sub\xdwdClient.exe
Filesize
772KB

MD5
d17aa4b3341d78c4a242afdf5a87285d

SHA1
fda2f7e9e126dbecc3d43b06f71753b7994d3dbb

SHA256
ca6737b1037065306f3828753ffc1ed1bdb0acd03d95cef88a2ae1872bfcbb0c

SHA512
de2eab87b8d49c06e5bbe2baccf44c0e92eb7bd6e3c1971bb6c58e6ea6c2ae9b2f51158cb1d75635adbe96c063828aaab00b884a37f7843193f0d1943c551fa8

Download Submit
C:\Windows\xdwd.dll
Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/196-756-0x0000027241A40000-0x0000027241A50000-memory.dmp

Filesize
64KB

Download
memory/196-750-0x00007FFA608C0000-0x00007FFA60A9B000-memory.dmp

Filesize
1.9MB

Download
memory/512-4189-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1564-720-0x00007FFA608C0000-0x00007FFA60A9B000-memory.dmp

Filesize
1.9MB

Download
memory/1564-749-0x000001D4603D0000-0x000001D4603E0000-memory.dmp

Filesize
64KB

Download
memory/1564-726-0x00007FFA43D60000-0x00007FFA4474C000-memory.dmp

Filesize
9.9MB

Download
memory/1564-723-0x00007FFA608C0000-0x00007FFA60A9B000-memory.dmp

Filesize
1.9MB

Download
memory/2004-704-0x000001E8860A0000-0x000001E8860B0000-memory.dmp

Filesize
64KB

Download
memory/2004-761-0x00007FFA608C0000-0x00007FFA60A9B000-memory.dmp

Filesize
1.9MB

Download
memory/2004-777-0x000001E8860A0000-0x000001E8860B0000-memory.dmp

Filesize
64KB

Download
memory/2004-678-0x00007FFA608C0000-0x00007FFA60A9B000-memory.dmp

Filesize
1.9MB

Download
memory/2004-691-0x00007FFA43D60000-0x00007FFA4474C000-memory.dmp

Filesize
9.9MB

Download
memory/2096-758-0x00007FFA608C0000-0x00007FFA60A9B000-memory.dmp

Filesize
1.9MB

Download
memory/2096-760-0x0000025837930000-0x0000025837940000-memory.dmp

Filesize
64KB

Download
memory/3092-35-0x00007FFA608C0000-0x00007FFA60A9B000-memory.dmp

Filesize
1.9MB

Download
memory/3092-36-0x00007FFA608C0000-0x00007FFA60A9B000-memory.dmp

Filesize
1.9MB

Download
memory/3092-37-0x00007FFA605B0000-0x00007FFA605B1000-memory.dmp

Filesize
4KB

Download
memory/3092-39-0x00007FFA608C0000-0x00007FFA60A9B000-memory.dmp

Filesize
1.9MB

Download
memory/3668-659-0x00007FFA608C0000-0x00007FFA60A9B000-memory.dmp

Filesize
1.9MB

Download
memory/3668-661-0x00007FFA608C0000-0x00007FFA60A9B000-memory.dmp

Filesize
1.9MB

Download
memory/3668-676-0x000002245E740000-0x000002245E750000-memory.dmp

Filesize
64KB

Download
memory/3668-668-0x000002245E740000-0x000002245E750000-memory.dmp

Filesize
64KB

Download
memory/3668-664-0x00007FFA43D60000-0x00007FFA4474C000-memory.dmp

Filesize
9.9MB

Download
memory/3676-718-0x00000259D8980000-0x00000259D8990000-memory.dmp

Filesize
64KB

Download
memory/3676-767-0x00007FFA608C0000-0x00007FFA60A9B000-memory.dmp

Filesize
1.9MB

Download
memory/3676-698-0x00007FFA43D60000-0x00007FFA4474C000-memory.dmp

Filesize
9.9MB

Download
memory/3676-686-0x00007FFA608C0000-0x00007FFA60A9B000-memory.dmp

Filesize
1.9MB

Download
memory/3900-754-0x000001814B080000-0x000001814B090000-memory.dmp

Filesize
64KB

Download
memory/3900-748-0x00007FFA43D60000-0x00007FFA4474C000-memory.dmp

Filesize
9.9MB

Download
memory/3900-753-0x000001814B080000-0x000001814B090000-memory.dmp

Filesize
64KB

Download
memory/3900-738-0x00007FFA608C0000-0x00007FFA60A9B000-memory.dmp

Filesize
1.9MB

Download
memory/3900-736-0x00007FFA608C0000-0x00007FFA60A9B000-memory.dmp

Filesize
1.9MB

Download
memory/3984-521-0x00000000011F0000-0x000000000120E000-memory.dmp

Filesize
120KB

Download
memory/3984-38-0x00007FFA43D60000-0x00007FFA4474C000-memory.dmp

Filesize
9.9MB

Download
memory/3984-208-0x0000000002BC0000-0x0000000002BD0000-memory.dmp

Filesize
64KB

Download
memory/3984-519-0x00000000014F0000-0x0000000001566000-memory.dmp

Filesize
472KB

Download
memory/3984-520-0x00000000011C0000-0x00000000011CA000-memory.dmp

Filesize
40KB

Download
memory/3984-33-0x0000000002BC0000-0x0000000002BD0000-memory.dmp

Filesize
64KB

Download
memory/3984-0-0x0000000000A50000-0x0000000000B18000-memory.dmp

Filesize
800KB

Download
memory/3984-1-0x00007FFA43D60000-0x00007FFA4474C000-memory.dmp

Filesize
9.9MB

Download
memory/4076-587-0x00000197B6320000-0x00000197B6330000-memory.dmp

Filesize
64KB

Download
memory/4076-656-0x00007FFA43D60000-0x00007FFA4474C000-memory.dmp

Filesize
9.9MB

Download
memory/4076-579-0x00007FFA608C0000-0x00007FFA60A9B000-memory.dmp

Filesize
1.9MB

Download
memory/4076-581-0x00007FFA608C0000-0x00007FFA60A9B000-memory.dmp

Filesize
1.9MB

Download
memory/4076-583-0x00007FFA605B0000-0x00007FFA605B1000-memory.dmp

Filesize
4KB

Download
memory/4076-585-0x00007FFA43D60000-0x00007FFA4474C000-memory.dmp

Filesize
9.9MB

Download
memory/4076-586-0x00000197B6320000-0x00000197B6330000-memory.dmp

Filesize
64KB

Download
memory/4076-588-0x00000197B64D0000-0x00000197B64F2000-memory.dmp

Filesize
136KB

Download
memory/4076-603-0x00000197B6320000-0x00000197B6330000-memory.dmp

Filesize
64KB

Download
memory/4076-652-0x00007FFA608C0000-0x00007FFA60A9B000-memory.dmp

Filesize
1.9MB

Download
memory/4140-713-0x00007FFA608C0000-0x00007FFA60A9B000-memory.dmp

Filesize
1.9MB

Download
memory/4140-715-0x00007FFA608C0000-0x00007FFA60A9B000-memory.dmp

Filesize
1.9MB

Download
memory/4548-674-0x00007FFA43D60000-0x00007FFA4474C000-memory.dmp

Filesize
9.9MB

Download
memory/4548-684-0x000002C8ABCA0000-0x000002C8ABCB0000-memory.dmp

Filesize
64KB

Download
memory/4548-680-0x000002C8ABCA0000-0x000002C8ABCB0000-memory.dmp

Filesize
64KB

Download
memory/4548-670-0x00007FFA608C0000-0x00007FFA60A9B000-memory.dmp

Filesize
1.9MB

Download
memory/4548-666-0x00007FFA608C0000-0x00007FFA60A9B000-memory.dmp

Filesize
1.9MB

Download
memory/4644-759-0x000001BC6E7B0000-0x000001BC6E7C0000-memory.dmp

Filesize
64KB

Download
memory/4644-755-0x00007FFA608C0000-0x00007FFA60A9B000-memory.dmp

Filesize
1.9MB

Download
memory/4844-710-0x00007FFA43D60000-0x00007FFA4474C000-memory.dmp

Filesize
9.9MB

Download
memory/4844-700-0x00007FFA608C0000-0x00007FFA60A9B000-memory.dmp

Filesize
1.9MB

Download
memory/4844-769-0x00007FFA608C0000-0x00007FFA60A9B000-memory.dmp

Filesize
1.9MB

Download
memory/4932-751-0x0000016978370000-0x0000016978380000-memory.dmp

Filesize
64KB

Download
memory/4932-729-0x00007FFA608C0000-0x00007FFA60A9B000-memory.dmp

Filesize
1.9MB

Download
memory/4932-747-0x00007FFA43D60000-0x00007FFA4474C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads