njrat | 787cb0fab96ebe518dea4d2ebd90528db5ebf6019cb2c0d62ad77413bcd36e2d

Analysis

max time kernel
748s
max time network
762s
platform
windows10-1703_x64
resource
win10-20240214-en
resource tags

arch:x64arch:x86image:win10-20240214-enlocale:en-usos:windows10-1703-x64system
submitted
19-02-2024 15:26

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

oboekjkdross.exe
Size

799KB
MD5

4220d4a32781415bf36e0e159fd38ce1
SHA1

832933a30b0833e805f02af041cd787f3169f7d9
SHA256

e6b63cd513768974b5415cd8d65e2344f2064f5eed7002c9b58c52b92435c124
SHA512

a18e173b375586a1c38cdeac9e4d4d57d07c484fd0a94d853ae5b63e20a3abfbd281fc8f1c89f8c1ea548cd43bde7c6bc3b08a095f7d5c8dd06f46d2640942ed
SSDEEP

12288:VZCDjstPVle8oyXeViFmvVsr9puiCNfM3q9RNIwo:V0DjOuYFwV4aN03qD

Score

10^/10

njrat lammer evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

8.tcp.ngrok.io:19346

Mutex

bca7344ec33c4f045ea133b6b48694e2

Attributes

reg_key
bca7344ec33c4f045ea133b6b48694e2
splitter
|'|'|

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral11/memory/3840-520-0x0000000000E30000-0x0000000000E3A000-memory.dmp	disable_win_def

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

oboekjkdross.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\Documents\\Sub\\xdwdClient.exe"	oboekjkdross.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 3 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

oboekjkdross.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	oboekjkdross.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	oboekjkdross.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	oboekjkdross.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

oboekjkdross.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	oboekjkdross.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	oboekjkdross.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	oboekjkdross.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112
Executes dropped EXE 1 IoCs

Processes:

Trojan.exe

pid process

6004 Trojan.exe

pid	process
6004	Trojan.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

oboekjkdross.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-455411700-4159991363-783884305-1000\Software\Microsoft\Windows\CurrentVersion\Run\SDLKFJHDLKHDkh = "C:\\Users\\Admin\\Documents\\Sub\\xdwdWatchDog.exe"	oboekjkdross.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

oboekjkdross.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua	oboekjkdross.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	oboekjkdross.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

2 0.tcp.eu.ngrok.io
9 0.tcp.eu.ngrok.io
23 0.tcp.eu.ngrok.io
28 0.tcp.eu.ngrok.io
31 0.tcp.eu.ngrok.io
Suspicious use of SetThreadContext 1 IoCs

Processes:

oboekjkdross.exe

description pid process target process

PID 3840 set thread context of 872 3840 oboekjkdross.exe RegAsm.exe
Drops file in Windows directory 1 IoCs

Processes:

oboekjkdross.exe

description ioc process

File created C:\Windows\xdwd.dll oboekjkdross.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
2	0.tcp.eu.ngrok.io
9	0.tcp.eu.ngrok.io
23	0.tcp.eu.ngrok.io
28	0.tcp.eu.ngrok.io
31	0.tcp.eu.ngrok.io

description	pid	process	target process
PID 3840 set thread context of 872	3840	oboekjkdross.exe	RegAsm.exe

description	ioc	process
File created	C:\Windows\xdwd.dll	oboekjkdross.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

oboekjkdross.exeWmiApSrv.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3840	oboekjkdross.exe
3840	oboekjkdross.exe
3840	oboekjkdross.exe
3840	oboekjkdross.exe
3840	oboekjkdross.exe
3840	oboekjkdross.exe
3840	oboekjkdross.exe
3840	oboekjkdross.exe
3840	oboekjkdross.exe
3840	oboekjkdross.exe
3840	oboekjkdross.exe
3840	oboekjkdross.exe
3840	oboekjkdross.exe
3840	oboekjkdross.exe
3840	oboekjkdross.exe
3840	oboekjkdross.exe
3840	oboekjkdross.exe
3840	oboekjkdross.exe
3840	oboekjkdross.exe
3840	oboekjkdross.exe
3840	oboekjkdross.exe
3840	oboekjkdross.exe
3840	oboekjkdross.exe
3840	oboekjkdross.exe
2860	WmiApSrv.exe
2860	WmiApSrv.exe
4320	powershell.exe
4320	powershell.exe
4320	powershell.exe
4320	powershell.exe
4320	powershell.exe
4508	powershell.exe
4508	powershell.exe
4484	powershell.exe
4484	powershell.exe
788	powershell.exe
788	powershell.exe
3396	powershell.exe
3396	powershell.exe
2204	powershell.exe
2204	powershell.exe
4508	powershell.exe
4508	powershell.exe
2360	powershell.exe
2360	powershell.exe
4484	powershell.exe
4484	powershell.exe
1144	powershell.exe
1144	powershell.exe
4172	powershell.exe
4172	powershell.exe
3396	powershell.exe
3396	powershell.exe
788	powershell.exe
788	powershell.exe
4832	powershell.exe
4832	powershell.exe
728	powershell.exe
728	powershell.exe
2204	powershell.exe
2204	powershell.exe
2360	powershell.exe
2360	powershell.exe
3436	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

oboekjkdross.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3840	oboekjkdross.exe
Token: SeDebugPrivilege	4320	powershell.exe
Token: SeIncreaseQuotaPrivilege	4320	powershell.exe
Token: SeSecurityPrivilege	4320	powershell.exe
Token: SeTakeOwnershipPrivilege	4320	powershell.exe
Token: SeLoadDriverPrivilege	4320	powershell.exe
Token: SeSystemProfilePrivilege	4320	powershell.exe
Token: SeSystemtimePrivilege	4320	powershell.exe
Token: SeProfSingleProcessPrivilege	4320	powershell.exe
Token: SeIncBasePriorityPrivilege	4320	powershell.exe
Token: SeCreatePagefilePrivilege	4320	powershell.exe
Token: SeBackupPrivilege	4320	powershell.exe
Token: SeRestorePrivilege	4320	powershell.exe
Token: SeShutdownPrivilege	4320	powershell.exe
Token: SeDebugPrivilege	4320	powershell.exe
Token: SeSystemEnvironmentPrivilege	4320	powershell.exe
Token: SeRemoteShutdownPrivilege	4320	powershell.exe
Token: SeUndockPrivilege	4320	powershell.exe
Token: SeManageVolumePrivilege	4320	powershell.exe
Token: 33	4320	powershell.exe
Token: 34	4320	powershell.exe
Token: 35	4320	powershell.exe
Token: 36	4320	powershell.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	788	powershell.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	3396	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	4172	powershell.exe
Token: SeDebugPrivilege	728	powershell.exe
Token: SeDebugPrivilege	4832	powershell.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeIncreaseQuotaPrivilege	4172	powershell.exe
Token: SeSecurityPrivilege	4172	powershell.exe
Token: SeTakeOwnershipPrivilege	4172	powershell.exe
Token: SeLoadDriverPrivilege	4172	powershell.exe
Token: SeSystemProfilePrivilege	4172	powershell.exe
Token: SeSystemtimePrivilege	4172	powershell.exe
Token: SeProfSingleProcessPrivilege	4172	powershell.exe
Token: SeIncBasePriorityPrivilege	4172	powershell.exe
Token: SeCreatePagefilePrivilege	4172	powershell.exe
Token: SeBackupPrivilege	4172	powershell.exe
Token: SeRestorePrivilege	4172	powershell.exe
Token: SeShutdownPrivilege	4172	powershell.exe
Token: SeDebugPrivilege	4172	powershell.exe
Token: SeSystemEnvironmentPrivilege	4172	powershell.exe
Token: SeRemoteShutdownPrivilege	4172	powershell.exe
Token: SeUndockPrivilege	4172	powershell.exe
Token: SeManageVolumePrivilege	4172	powershell.exe
Token: 33	4172	powershell.exe
Token: 34	4172	powershell.exe
Token: 35	4172	powershell.exe
Token: 36	4172	powershell.exe
Token: SeIncreaseQuotaPrivilege	788	powershell.exe
Token: SeSecurityPrivilege	788	powershell.exe
Token: SeTakeOwnershipPrivilege	788	powershell.exe
Token: SeLoadDriverPrivilege	788	powershell.exe
Token: SeSystemProfilePrivilege	788	powershell.exe
Token: SeSystemtimePrivilege	788	powershell.exe
Token: SeProfSingleProcessPrivilege	788	powershell.exe
Token: SeIncBasePriorityPrivilege	788	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

4724 LogonUI.exe

pid	process
4724	LogonUI.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

oboekjkdross.exeRegAsm.execmd.execmd.exe

description	pid	process	target process
PID 3840 wrote to memory of 4320	3840	oboekjkdross.exe	powershell.exe
PID 3840 wrote to memory of 4320	3840	oboekjkdross.exe	powershell.exe
PID 3840 wrote to memory of 4508	3840	oboekjkdross.exe	powershell.exe
PID 3840 wrote to memory of 4508	3840	oboekjkdross.exe	powershell.exe
PID 3840 wrote to memory of 788	3840	oboekjkdross.exe	powershell.exe
PID 3840 wrote to memory of 788	3840	oboekjkdross.exe	powershell.exe
PID 3840 wrote to memory of 4484	3840	oboekjkdross.exe	powershell.exe
PID 3840 wrote to memory of 4484	3840	oboekjkdross.exe	powershell.exe
PID 3840 wrote to memory of 3396	3840	oboekjkdross.exe	powershell.exe
PID 3840 wrote to memory of 3396	3840	oboekjkdross.exe	powershell.exe
PID 3840 wrote to memory of 2204	3840	oboekjkdross.exe	powershell.exe
PID 3840 wrote to memory of 2204	3840	oboekjkdross.exe	powershell.exe
PID 3840 wrote to memory of 2360	3840	oboekjkdross.exe	powershell.exe
PID 3840 wrote to memory of 2360	3840	oboekjkdross.exe	powershell.exe
PID 3840 wrote to memory of 1144	3840	oboekjkdross.exe	powershell.exe
PID 3840 wrote to memory of 1144	3840	oboekjkdross.exe	powershell.exe
PID 3840 wrote to memory of 4172	3840	oboekjkdross.exe	powershell.exe
PID 3840 wrote to memory of 4172	3840	oboekjkdross.exe	powershell.exe
PID 3840 wrote to memory of 728	3840	oboekjkdross.exe	powershell.exe
PID 3840 wrote to memory of 728	3840	oboekjkdross.exe	powershell.exe
PID 3840 wrote to memory of 4832	3840	oboekjkdross.exe	powershell.exe
PID 3840 wrote to memory of 4832	3840	oboekjkdross.exe	powershell.exe
PID 3840 wrote to memory of 3436	3840	oboekjkdross.exe	powershell.exe
PID 3840 wrote to memory of 3436	3840	oboekjkdross.exe	powershell.exe
PID 3840 wrote to memory of 4852	3840	oboekjkdross.exe	powershell.exe
PID 3840 wrote to memory of 4852	3840	oboekjkdross.exe	powershell.exe
PID 3840 wrote to memory of 2204	3840	oboekjkdross.exe	RegAsm.exe
PID 3840 wrote to memory of 2204	3840	oboekjkdross.exe	RegAsm.exe
PID 3840 wrote to memory of 2204	3840	oboekjkdross.exe	RegAsm.exe
PID 3840 wrote to memory of 872	3840	oboekjkdross.exe	RegAsm.exe
PID 3840 wrote to memory of 872	3840	oboekjkdross.exe	RegAsm.exe
PID 3840 wrote to memory of 872	3840	oboekjkdross.exe	RegAsm.exe
PID 3840 wrote to memory of 872	3840	oboekjkdross.exe	RegAsm.exe
PID 3840 wrote to memory of 872	3840	oboekjkdross.exe	RegAsm.exe
PID 3840 wrote to memory of 872	3840	oboekjkdross.exe	RegAsm.exe
PID 3840 wrote to memory of 872	3840	oboekjkdross.exe	RegAsm.exe
PID 3840 wrote to memory of 872	3840	oboekjkdross.exe	RegAsm.exe
PID 872 wrote to memory of 6004	872	RegAsm.exe	Trojan.exe
PID 872 wrote to memory of 6004	872	RegAsm.exe	Trojan.exe
PID 872 wrote to memory of 6004	872	RegAsm.exe	Trojan.exe
PID 3840 wrote to memory of 5612	3840	oboekjkdross.exe	cmd.exe
PID 3840 wrote to memory of 5612	3840	oboekjkdross.exe	cmd.exe
PID 5612 wrote to memory of 2740	5612	cmd.exe	powershell.exe
PID 5612 wrote to memory of 2740	5612	cmd.exe	powershell.exe
PID 3840 wrote to memory of 236	3840	oboekjkdross.exe	cmd.exe
PID 3840 wrote to memory of 236	3840	oboekjkdross.exe	cmd.exe
PID 236 wrote to memory of 4584	236	cmd.exe	shutdown.exe
PID 236 wrote to memory of 4584	236	cmd.exe	shutdown.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

oboekjkdross.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	oboekjkdross.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	oboekjkdross.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	oboekjkdross.exe

C:\Users\Admin\AppData\Local\Temp\oboekjkdross.exe
"C:\Users\Admin\AppData\Local\Temp\oboekjkdross.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:872

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
3⤵
- Executes dropped EXE
PID:6004

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hho1vpwo.owg.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:5612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hho1vpwo.owg.exe"'
3⤵
PID:2740

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Shutdown /s /f /t 00
2⤵
- Suspicious use of WriteProcessMemory
PID:236

C:\Windows\system32\shutdown.exe
Shutdown /s /f /t 00
3⤵
PID:4584

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2860

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ae7055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4724

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c2d93ae8d0b8b709a16eb0703d03fdd6

SHA1
5945059c8abb44fc0ee20ab255a5e4e787f979c0

SHA256
347a00bb46b2bf3f48d854f77a8e8dd1df56bbdf486031b69f3632bc9275717a

SHA512
480f83457cd000aa134d89a63e6f124921927d79a854cb6f29d4ee42ee10b625852f6698ec6c1a147e6cce01427bfd6e0ba7c71217c3be01299032c30ba8644c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
955d0d7ca2d1521e1c609b76d2bcc1a1

SHA1
ac588ea925a6bad3a44622a35f9d70524f28b693

SHA256
e4a8299362dafedd4ae115c90ada7ee1f7b176936d885f6c697f59559a8d179f

SHA512
7ccbd37b83c70c162b470682e389814ba0d71f6e0ece9dd6b34b5bf3ff2317136278875bb8148740e8ca1f50c744c1a94c2328068adc3ea6f06ab8766f3d4cec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ee8fcbf6e2e457f3590c016cedf527f4

SHA1
f141ec4c54f60145e75395b04b3878fdfef196be

SHA256
44915f3bbe96ee60920171d9d04dc5053f9e73986f7704affc9263b1d37a7537

SHA512
a80a32c8f73382457898c7468c023701534a4e919640bcd6fc23a01ea92fddee52380e5c0eca8facc3b3c4f20cb5a2ba0d4b59c8aa1fbf68cbf4e29c6ce3c354

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c20213d121e2cbc7f18f7e04f630fce7

SHA1
9fa4c04dd1c997562833f30534bcab55f92944b4

SHA256
0e3e57488426f0b7d8c08a74478609e3d905b1ffcf7a25875f3701f8a4787922

SHA512
93ea5fe15b16482dffc6af5316b30ae1709332d5c37837abf0bbcd9c38aed8f278aeebcd63875a0442df1e09edc92625d4563db1a8acdfe521c684cc94c195ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
fabf3713859182d35e49174c69e30ff6

SHA1
ba2b70a7714ca97a55a55247409d5d2aa3fda538

SHA256
cc1944243558ba92e7627c17117f406f531781b8f9d7d53b6d0f015ab6d82d52

SHA512
20c030959c283ddee1145cbbe57eb2af92847eb2d4d219657f511b05150863ab668dad81f1373389debb76a45ffd9f583ba702824da90bfcfe0561b2a62946c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3d897a8de832aa6501e5c8675b685292

SHA1
9f7e973fb0b4761b52295783385edc1991bbdce2

SHA256
7346329669e386653c22b530034048dd47225c3c4456752a4b263243b2df5900

SHA512
673e9adbc7f4b012d504d3563463604d293bdadbc26c3791a504539a7f97722a0804ed287ef69fa1f75cb3a22424ca574d6241173936b6c76f175a32fa0ba756

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0169b43d789dc7a231f7cc59f7259b66

SHA1
fd1132973d1b3533340870652344aed879c3093d

SHA256
631a001187027469fa75f12d836ca6a785541a8bea501a2b5a77aa9bff4578eb

SHA512
fcb349644a2e8d337ad94a59147ed0019f4f4db82f43e6ff291e8f416c88c614aa84dd524dcd0fc5a9181123c051e698f46981052832a7ed2ee2297fb3a11fe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4917f4473545d733c9829c5afa528477

SHA1
f10f2e39a294700b724f9da5c283e8c9be809955

SHA256
d29f0f381d41bc8d4c443627f29de9d66fdfcb94cda0b714cba51a34881d666c

SHA512
2417651ce8c6bddc480aa113bc625f44304625cab45bf29b0f7566ca2e0b0836062e244de949e0cb7ffad4b296086c3461cc714b89dc9f545bb006624c32d63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yaac2oxc.ol2.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Documents\Sub\xdwdClient.exe
Filesize
799KB

MD5
4220d4a32781415bf36e0e159fd38ce1

SHA1
832933a30b0833e805f02af041cd787f3169f7d9

SHA256
e6b63cd513768974b5415cd8d65e2344f2064f5eed7002c9b58c52b92435c124

SHA512
a18e173b375586a1c38cdeac9e4d4d57d07c484fd0a94d853ae5b63e20a3abfbd281fc8f1c89f8c1ea548cd43bde7c6bc3b08a095f7d5c8dd06f46d2640942ed

Download Submit
C:\Windows\xdwd.dll
Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/728-736-0x00007FFAAF650000-0x00007FFAAF82B000-memory.dmp

Filesize
1.9MB

Download
memory/728-1417-0x0000027ABCCA0000-0x0000027ABCCF1000-memory.dmp

Filesize
324KB

Download
memory/728-1135-0x0000027ABCCA0000-0x0000027ABCCF1000-memory.dmp

Filesize
324KB

Download
memory/728-735-0x00007FFAAF650000-0x00007FFAAF82B000-memory.dmp

Filesize
1.9MB

Download
memory/728-750-0x0000027AD6C30000-0x0000027AD6C40000-memory.dmp

Filesize
64KB

Download
memory/728-737-0x00007FFA92850000-0x00007FFA9323C000-memory.dmp

Filesize
9.9MB

Download
memory/788-1360-0x000001B0AA560000-0x000001B0AA5B1000-memory.dmp

Filesize
324KB

Download
memory/788-693-0x000001B0C2C30000-0x000001B0C2C40000-memory.dmp

Filesize
64KB

Download
memory/788-1092-0x000001B0AA560000-0x000001B0AA5B1000-memory.dmp

Filesize
324KB

Download
memory/788-678-0x00007FFA92850000-0x00007FFA9323C000-memory.dmp

Filesize
9.9MB

Download
memory/788-666-0x00007FFAAF650000-0x00007FFAAF82B000-memory.dmp

Filesize
1.9MB

Download
memory/788-662-0x00007FFAAF650000-0x00007FFAAF82B000-memory.dmp

Filesize
1.9MB

Download
memory/872-4218-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1144-1426-0x00000201E11B0000-0x00000201E1201000-memory.dmp

Filesize
324KB

Download
memory/1144-731-0x00007FFAAF650000-0x00007FFAAF82B000-memory.dmp

Filesize
1.9MB

Download
memory/1144-1120-0x00000201E11B0000-0x00000201E1201000-memory.dmp

Filesize
324KB

Download
memory/1144-728-0x00007FFAAF650000-0x00007FFAAF82B000-memory.dmp

Filesize
1.9MB

Download
memory/1144-738-0x00000201E1340000-0x00000201E1350000-memory.dmp

Filesize
64KB

Download
memory/2204-704-0x00007FFAAF650000-0x00007FFAAF82B000-memory.dmp

Filesize
1.9MB

Download
memory/2204-1388-0x00000120F3E60000-0x00000120F3EB1000-memory.dmp

Filesize
324KB

Download
memory/2204-719-0x00000120F3FA0000-0x00000120F3FB0000-memory.dmp

Filesize
64KB

Download
memory/2204-1109-0x00000120F3E60000-0x00000120F3EB1000-memory.dmp

Filesize
324KB

Download
memory/2204-701-0x00007FFAAF650000-0x00007FFAAF82B000-memory.dmp

Filesize
1.9MB

Download
memory/2360-726-0x0000020FC2000000-0x0000020FC2010000-memory.dmp

Filesize
64KB

Download
memory/2360-715-0x00007FFA92850000-0x00007FFA9323C000-memory.dmp

Filesize
9.9MB

Download
memory/2360-1113-0x0000020FA8070000-0x0000020FA80C1000-memory.dmp

Filesize
324KB

Download
memory/2360-1395-0x0000020FA8070000-0x0000020FA80C1000-memory.dmp

Filesize
324KB

Download
memory/2360-705-0x00007FFAAF650000-0x00007FFAAF82B000-memory.dmp

Filesize
1.9MB

Download
memory/2860-38-0x00007FFAAF650000-0x00007FFAAF82B000-memory.dmp

Filesize
1.9MB

Download
memory/2860-35-0x00007FFAAF650000-0x00007FFAAF82B000-memory.dmp

Filesize
1.9MB

Download
memory/2860-37-0x00007FFAAF640000-0x00007FFAAF641000-memory.dmp

Filesize
4KB

Download
memory/2860-36-0x00007FFAAF650000-0x00007FFAAF82B000-memory.dmp

Filesize
1.9MB

Download
memory/3396-1100-0x000002445E1B0000-0x000002445E201000-memory.dmp

Filesize
324KB

Download
memory/3396-691-0x00007FFAAF650000-0x00007FFAAF82B000-memory.dmp

Filesize
1.9MB

Download
memory/3396-709-0x000002445FB30000-0x000002445FB40000-memory.dmp

Filesize
64KB

Download
memory/3396-717-0x000002445FB30000-0x000002445FB40000-memory.dmp

Filesize
64KB

Download
memory/3396-1394-0x000002445E1B0000-0x000002445E201000-memory.dmp

Filesize
324KB

Download
memory/3396-697-0x00007FFA92850000-0x00007FFA9323C000-memory.dmp

Filesize
9.9MB

Download
memory/3436-763-0x0000026F77800000-0x0000026F77810000-memory.dmp

Filesize
64KB

Download
memory/3436-1429-0x0000026F77610000-0x0000026F77661000-memory.dmp

Filesize
324KB

Download
memory/3436-1156-0x0000026F77610000-0x0000026F77661000-memory.dmp

Filesize
324KB

Download
memory/3436-740-0x00007FFAAF650000-0x00007FFAAF82B000-memory.dmp

Filesize
1.9MB

Download
memory/3436-741-0x00007FFAAF650000-0x00007FFAAF82B000-memory.dmp

Filesize
1.9MB

Download
memory/3840-519-0x0000000000F90000-0x0000000001006000-memory.dmp

Filesize
472KB

Download
memory/3840-33-0x000000001BB90000-0x000000001BBA0000-memory.dmp

Filesize
64KB

Download
memory/3840-87-0x00007FFA92850000-0x00007FFA9323C000-memory.dmp

Filesize
9.9MB

Download
memory/3840-1-0x00007FFA92850000-0x00007FFA9323C000-memory.dmp

Filesize
9.9MB

Download
memory/3840-520-0x0000000000E30000-0x0000000000E3A000-memory.dmp

Filesize
40KB

Download
memory/3840-0-0x00000000007C0000-0x000000000088E000-memory.dmp

Filesize
824KB

Download
memory/3840-521-0x0000000000E60000-0x0000000000E7E000-memory.dmp

Filesize
120KB

Download
memory/3840-208-0x000000001BB90000-0x000000001BBA0000-memory.dmp

Filesize
64KB

Download
memory/4172-1128-0x000001DC0FEC0000-0x000001DC0FF11000-memory.dmp

Filesize
324KB

Download
memory/4172-743-0x000001DC286E0000-0x000001DC286F0000-memory.dmp

Filesize
64KB

Download
memory/4172-1341-0x000001DC0FEC0000-0x000001DC0FF11000-memory.dmp

Filesize
324KB

Download
memory/4172-723-0x00007FFAAF650000-0x00007FFAAF82B000-memory.dmp

Filesize
1.9MB

Download
memory/4320-603-0x0000018EE49C0000-0x0000018EE49D0000-memory.dmp

Filesize
64KB

Download
memory/4320-579-0x00007FFAAF650000-0x00007FFAAF82B000-memory.dmp

Filesize
1.9MB

Download
memory/4320-582-0x00007FFAAF650000-0x00007FFAAF82B000-memory.dmp

Filesize
1.9MB

Download
memory/4320-588-0x0000018EE4950000-0x0000018EE4972000-memory.dmp

Filesize
136KB

Download
memory/4320-587-0x0000018EE49C0000-0x0000018EE49D0000-memory.dmp

Filesize
64KB

Download
memory/4320-627-0x0000018ECC2A0000-0x0000018ECC2F1000-memory.dmp

Filesize
324KB

Download
memory/4320-629-0x00007FFA92850000-0x00007FFA9323C000-memory.dmp

Filesize
9.9MB

Download
memory/4320-586-0x0000018EE49C0000-0x0000018EE49D0000-memory.dmp

Filesize
64KB

Download
memory/4320-585-0x00007FFA92850000-0x00007FFA9323C000-memory.dmp

Filesize
9.9MB

Download
memory/4320-628-0x00007FFAAF650000-0x00007FFAAF82B000-memory.dmp

Filesize
1.9MB

Download
memory/4320-583-0x00007FFAAF640000-0x00007FFAAF641000-memory.dmp

Filesize
4KB

Download
memory/4484-1368-0x0000019204FE0000-0x0000019205031000-memory.dmp

Filesize
324KB

Download
memory/4484-660-0x00007FFAAF650000-0x00007FFAAF82B000-memory.dmp

Filesize
1.9MB

Download
memory/4484-694-0x000001921F080000-0x000001921F090000-memory.dmp

Filesize
64KB

Download
memory/4484-1097-0x0000019204FE0000-0x0000019205031000-memory.dmp

Filesize
324KB

Download
memory/4484-699-0x000001921F080000-0x000001921F090000-memory.dmp

Filesize
64KB

Download
memory/4484-776-0x00007FFAAF650000-0x00007FFAAF82B000-memory.dmp

Filesize
1.9MB

Download
memory/4484-682-0x00007FFA92850000-0x00007FFA9323C000-memory.dmp

Filesize
9.9MB

Download
memory/4508-641-0x00007FFAAF650000-0x00007FFAAF82B000-memory.dmp

Filesize
1.9MB

Download
memory/4508-651-0x00007FFA92850000-0x00007FFA9323C000-memory.dmp

Filesize
9.9MB

Download
memory/4508-1088-0x0000020974470000-0x00000209744C1000-memory.dmp

Filesize
324KB

Download
memory/4508-689-0x00000209744E0000-0x00000209744F0000-memory.dmp

Filesize
64KB

Download
memory/4508-686-0x00000209744E0000-0x00000209744F0000-memory.dmp

Filesize
64KB

Download
memory/4508-1359-0x0000020974470000-0x00000209744C1000-memory.dmp

Filesize
324KB

Download
memory/4508-645-0x00007FFAAF650000-0x00007FFAAF82B000-memory.dmp

Filesize
1.9MB

Download
memory/4832-733-0x00007FFAAF650000-0x00007FFAAF82B000-memory.dmp

Filesize
1.9MB

Download
memory/4832-761-0x000001AAABB60000-0x000001AAABB70000-memory.dmp

Filesize
64KB

Download
memory/4832-1433-0x000001AA93420000-0x000001AA93471000-memory.dmp

Filesize
324KB

Download
memory/4832-759-0x000001AAABB60000-0x000001AAABB70000-memory.dmp

Filesize
64KB

Download
memory/4832-1147-0x000001AA93420000-0x000001AA93471000-memory.dmp

Filesize
324KB

Download
memory/4852-770-0x00000296A7360000-0x00000296A7370000-memory.dmp

Filesize
64KB

Download
memory/4852-1165-0x000002968EC00000-0x000002968EC51000-memory.dmp

Filesize
324KB

Download
memory/4852-746-0x00007FFAAF650000-0x00007FFAAF82B000-memory.dmp

Filesize
1.9MB

Download
memory/4852-749-0x00007FFAAF650000-0x00007FFAAF82B000-memory.dmp

Filesize
1.9MB

Download
memory/4852-1441-0x000002968EC00000-0x000002968EC51000-memory.dmp

Filesize
324KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads