njrat | 787cb0fab96ebe518dea4d2ebd90528db5ebf6019cb2c0d62ad77413bcd36e2d

Analysis

max time kernel
754s
max time network
766s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2024 15:26

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

oboekjkdross.exe
Size

799KB
MD5

4220d4a32781415bf36e0e159fd38ce1
SHA1

832933a30b0833e805f02af041cd787f3169f7d9
SHA256

e6b63cd513768974b5415cd8d65e2344f2064f5eed7002c9b58c52b92435c124
SHA512

a18e173b375586a1c38cdeac9e4d4d57d07c484fd0a94d853ae5b63e20a3abfbd281fc8f1c89f8c1ea548cd43bde7c6bc3b08a095f7d5c8dd06f46d2640942ed
SSDEEP

12288:VZCDjstPVle8oyXeViFmvVsr9puiCNfM3q9RNIwo:V0DjOuYFwV4aN03qD

Score

10^/10

njrat lammer evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

8.tcp.ngrok.io:19346

Mutex

bca7344ec33c4f045ea133b6b48694e2

Attributes

reg_key
bca7344ec33c4f045ea133b6b48694e2
splitter
|'|'|

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral12/memory/2800-524-0x0000000000B40000-0x0000000000B4A000-memory.dmp	disable_win_def

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

oboekjkdross.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\Documents\\Sub\\xdwdClient.exe"	oboekjkdross.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

oboekjkdross.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	oboekjkdross.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	oboekjkdross.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	oboekjkdross.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	oboekjkdross.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

oboekjkdross.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	oboekjkdross.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	oboekjkdross.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	oboekjkdross.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1164 netsh.exe

pid	process
1164	netsh.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exeoboekjkdross.execgwpw1ma.n2m.exeTrojan.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	oboekjkdross.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	cgwpw1ma.n2m.exe
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	Trojan.exe

Drops startup file 2 IoCs

Processes:

Trojan.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bca7344ec33c4f045ea133b6b48694e2.exe	Trojan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bca7344ec33c4f045ea133b6b48694e2.exe	Trojan.exe

Executes dropped EXE 3 IoCs

Processes:

Trojan.execgwpw1ma.n2m.exeTrojan.exe

pid process

4792 Trojan.exe
4376 cgwpw1ma.n2m.exe
1364 Trojan.exe

pid	process
4792	Trojan.exe
4376	cgwpw1ma.n2m.exe
1364	Trojan.exe

Loads dropped DLL 25 IoCs

Processes:

WmiApSrv.exepowershell.exepowershell.exemsedge.exemsedge.exemsedge.exeCompPkgSrv.exeCompPkgSrv.exemsedge.exeshutdown.exeLogonUI.exe

pid	process
1360
1156
3564
1852
3396	WmiApSrv.exe
4156
4636	powershell.exe
3024
4932
2440
1372	powershell.exe
3348
5008
3252
2524	msedge.exe
2852	msedge.exe
3232	msedge.exe
3720
2848	CompPkgSrv.exe
4788	CompPkgSrv.exe
2068	msedge.exe
3312
2340	shutdown.exe
744	LogonUI.exe
3012

Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

oboekjkdross.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" oboekjkdross.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	oboekjkdross.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

oboekjkdross.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SDLKFJHDLKHDkh = "C:\\Users\\Admin\\Documents\\Sub\\xdwdWatchDog.exe"	oboekjkdross.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

oboekjkdross.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua	oboekjkdross.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	oboekjkdross.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

162 8.tcp.ngrok.io
168 0.tcp.eu.ngrok.io
22 0.tcp.eu.ngrok.io
60 0.tcp.eu.ngrok.io
86 0.tcp.eu.ngrok.io
90 8.tcp.ngrok.io
Suspicious use of SetThreadContext 1 IoCs

Processes:

oboekjkdross.exe

description pid process target process

PID 2800 set thread context of 2724 2800 oboekjkdross.exe RegAsm.exe
Drops file in Windows directory 1 IoCs

Processes:

oboekjkdross.exe

description ioc process

File created C:\Windows\xdwd.dll oboekjkdross.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
162	8.tcp.ngrok.io
168	0.tcp.eu.ngrok.io
22	0.tcp.eu.ngrok.io
60	0.tcp.eu.ngrok.io
86	0.tcp.eu.ngrok.io
90	8.tcp.ngrok.io

description	pid	process	target process
PID 2800 set thread context of 2724	2800	oboekjkdross.exe	RegAsm.exe

description	ioc	process
File created	C:\Windows\xdwd.dll	oboekjkdross.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "218"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

Processes:

oboekjkdross.exeWmiApSrv.exepowershell.exepowershell.exemsedge.exemsedge.exemsedge.exeCompPkgSrv.exeCompPkgSrv.exeidentity_helper.exemsedge.exeshutdown.exeLogonUI.exe

pid	process
2800	oboekjkdross.exe
2800	oboekjkdross.exe
2800	oboekjkdross.exe
2800	oboekjkdross.exe
2800	oboekjkdross.exe
2800	oboekjkdross.exe
2800	oboekjkdross.exe
2800	oboekjkdross.exe
2800	oboekjkdross.exe
2800	oboekjkdross.exe
2800	oboekjkdross.exe
2800	oboekjkdross.exe
2800	oboekjkdross.exe
2800	oboekjkdross.exe
2800	oboekjkdross.exe
2800	oboekjkdross.exe
2800	oboekjkdross.exe
2800	oboekjkdross.exe
2800	oboekjkdross.exe
2800	oboekjkdross.exe
2800	oboekjkdross.exe
2800	oboekjkdross.exe
2800	oboekjkdross.exe
2800	oboekjkdross.exe
2800	oboekjkdross.exe
2800	oboekjkdross.exe
2800	oboekjkdross.exe
3396	WmiApSrv.exe
3396	WmiApSrv.exe
4636	powershell.exe
4636	powershell.exe
4636	powershell.exe
4636	powershell.exe
1372	powershell.exe
1372	powershell.exe
1372	powershell.exe
1372	powershell.exe
2524	msedge.exe
2524	msedge.exe
2852	msedge.exe
2852	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
2852	msedge.exe
2852	msedge.exe
2848	CompPkgSrv.exe
4788	CompPkgSrv.exe
2504	identity_helper.exe
2504	identity_helper.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2340	shutdown.exe
2340	shutdown.exe
744	LogonUI.exe
744	LogonUI.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

2852 msedge.exe
2852 msedge.exe
2852 msedge.exe
2852 msedge.exe
2852 msedge.exe
2852 msedge.exe
2852 msedge.exe
2852 msedge.exe
2852 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

oboekjkdross.exepowershell.exepowershell.exeTrojan.exeshutdown.exe

description	pid	process
Token: SeDebugPrivilege	2800	oboekjkdross.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	1364	Trojan.exe
Token: 33	1364	Trojan.exe
Token: SeIncBasePriorityPrivilege	1364	Trojan.exe
Token: 33	1364	Trojan.exe
Token: SeIncBasePriorityPrivilege	1364	Trojan.exe
Token: 33	1364	Trojan.exe
Token: SeIncBasePriorityPrivilege	1364	Trojan.exe
Token: 33	1364	Trojan.exe
Token: SeIncBasePriorityPrivilege	1364	Trojan.exe
Token: 33	1364	Trojan.exe
Token: SeIncBasePriorityPrivilege	1364	Trojan.exe
Token: 33	1364	Trojan.exe
Token: SeIncBasePriorityPrivilege	1364	Trojan.exe
Token: 33	1364	Trojan.exe
Token: SeIncBasePriorityPrivilege	1364	Trojan.exe
Token: 33	1364	Trojan.exe
Token: SeIncBasePriorityPrivilege	1364	Trojan.exe
Token: 33	1364	Trojan.exe
Token: SeIncBasePriorityPrivilege	1364	Trojan.exe
Token: 33	1364	Trojan.exe
Token: SeIncBasePriorityPrivilege	1364	Trojan.exe
Token: 33	1364	Trojan.exe
Token: SeIncBasePriorityPrivilege	1364	Trojan.exe
Token: 33	1364	Trojan.exe
Token: SeIncBasePriorityPrivilege	1364	Trojan.exe
Token: 33	1364	Trojan.exe
Token: SeIncBasePriorityPrivilege	1364	Trojan.exe
Token: 33	1364	Trojan.exe
Token: SeIncBasePriorityPrivilege	1364	Trojan.exe
Token: 33	1364	Trojan.exe
Token: SeIncBasePriorityPrivilege	1364	Trojan.exe
Token: 33	1364	Trojan.exe
Token: SeIncBasePriorityPrivilege	1364	Trojan.exe
Token: 33	1364	Trojan.exe
Token: SeIncBasePriorityPrivilege	1364	Trojan.exe
Token: 33	1364	Trojan.exe
Token: SeIncBasePriorityPrivilege	1364	Trojan.exe
Token: 33	1364	Trojan.exe
Token: SeIncBasePriorityPrivilege	1364	Trojan.exe
Token: 33	1364	Trojan.exe
Token: SeIncBasePriorityPrivilege	1364	Trojan.exe
Token: 33	1364	Trojan.exe
Token: SeIncBasePriorityPrivilege	1364	Trojan.exe
Token: 33	1364	Trojan.exe
Token: SeIncBasePriorityPrivilege	1364	Trojan.exe
Token: 33	1364	Trojan.exe
Token: SeIncBasePriorityPrivilege	1364	Trojan.exe
Token: 33	1364	Trojan.exe
Token: SeIncBasePriorityPrivilege	1364	Trojan.exe
Token: 33	1364	Trojan.exe
Token: SeIncBasePriorityPrivilege	1364	Trojan.exe
Token: 33	1364	Trojan.exe
Token: SeIncBasePriorityPrivilege	1364	Trojan.exe
Token: 33	1364	Trojan.exe
Token: SeIncBasePriorityPrivilege	1364	Trojan.exe
Token: 33	1364	Trojan.exe
Token: SeIncBasePriorityPrivilege	1364	Trojan.exe
Token: 33	1364	Trojan.exe
Token: SeIncBasePriorityPrivilege	1364	Trojan.exe
Token: SeShutdownPrivilege	2340	shutdown.exe
Token: SeRemoteShutdownPrivilege	2340	shutdown.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

744 LogonUI.exe

pid	process
744	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

oboekjkdross.exeRegAsm.execmd.exepowershell.execgwpw1ma.n2m.exeTrojan.execmd.exemsedge.exe

description	pid	process	target process
PID 2800 wrote to memory of 4636	2800	oboekjkdross.exe	powershell.exe
PID 2800 wrote to memory of 4636	2800	oboekjkdross.exe	powershell.exe
PID 2800 wrote to memory of 2724	2800	oboekjkdross.exe	RegAsm.exe
PID 2800 wrote to memory of 2724	2800	oboekjkdross.exe	RegAsm.exe
PID 2800 wrote to memory of 2724	2800	oboekjkdross.exe	RegAsm.exe
PID 2800 wrote to memory of 2724	2800	oboekjkdross.exe	RegAsm.exe
PID 2800 wrote to memory of 2724	2800	oboekjkdross.exe	RegAsm.exe
PID 2800 wrote to memory of 2724	2800	oboekjkdross.exe	RegAsm.exe
PID 2800 wrote to memory of 2724	2800	oboekjkdross.exe	RegAsm.exe
PID 2800 wrote to memory of 2724	2800	oboekjkdross.exe	RegAsm.exe
PID 2724 wrote to memory of 4792	2724	RegAsm.exe	Trojan.exe
PID 2724 wrote to memory of 4792	2724	RegAsm.exe	Trojan.exe
PID 2724 wrote to memory of 4792	2724	RegAsm.exe	Trojan.exe
PID 2800 wrote to memory of 2968	2800	oboekjkdross.exe	cmd.exe
PID 2800 wrote to memory of 2968	2800	oboekjkdross.exe	cmd.exe
PID 2968 wrote to memory of 1372	2968	cmd.exe	powershell.exe
PID 2968 wrote to memory of 1372	2968	cmd.exe	powershell.exe
PID 1372 wrote to memory of 4376	1372	powershell.exe	cgwpw1ma.n2m.exe
PID 1372 wrote to memory of 4376	1372	powershell.exe	cgwpw1ma.n2m.exe
PID 1372 wrote to memory of 4376	1372	powershell.exe	cgwpw1ma.n2m.exe
PID 4376 wrote to memory of 1364	4376	cgwpw1ma.n2m.exe	Trojan.exe
PID 4376 wrote to memory of 1364	4376	cgwpw1ma.n2m.exe	Trojan.exe
PID 4376 wrote to memory of 1364	4376	cgwpw1ma.n2m.exe	Trojan.exe
PID 1364 wrote to memory of 1164	1364	Trojan.exe	netsh.exe
PID 1364 wrote to memory of 1164	1364	Trojan.exe	netsh.exe
PID 1364 wrote to memory of 1164	1364	Trojan.exe	netsh.exe
PID 1364 wrote to memory of 2620	1364	Trojan.exe	cmd.exe
PID 1364 wrote to memory of 2620	1364	Trojan.exe	cmd.exe
PID 1364 wrote to memory of 2620	1364	Trojan.exe	cmd.exe
PID 2620 wrote to memory of 2852	2620	cmd.exe	msedge.exe
PID 2620 wrote to memory of 2852	2620	cmd.exe	msedge.exe
PID 2852 wrote to memory of 2524	2852	msedge.exe	msedge.exe
PID 2852 wrote to memory of 2524	2852	msedge.exe	msedge.exe
PID 2852 wrote to memory of 3776	2852	msedge.exe	msedge.exe
PID 2852 wrote to memory of 3776	2852	msedge.exe	msedge.exe
PID 2852 wrote to memory of 3776	2852	msedge.exe	msedge.exe
PID 2852 wrote to memory of 3776	2852	msedge.exe	msedge.exe
PID 2852 wrote to memory of 3776	2852	msedge.exe	msedge.exe
PID 2852 wrote to memory of 3776	2852	msedge.exe	msedge.exe
PID 2852 wrote to memory of 3776	2852	msedge.exe	msedge.exe
PID 2852 wrote to memory of 3776	2852	msedge.exe	msedge.exe
PID 2852 wrote to memory of 3776	2852	msedge.exe	msedge.exe
PID 2852 wrote to memory of 3776	2852	msedge.exe	msedge.exe
PID 2852 wrote to memory of 3776	2852	msedge.exe	msedge.exe
PID 2852 wrote to memory of 3776	2852	msedge.exe	msedge.exe
PID 2852 wrote to memory of 3776	2852	msedge.exe	msedge.exe
PID 2852 wrote to memory of 3776	2852	msedge.exe	msedge.exe
PID 2852 wrote to memory of 3776	2852	msedge.exe	msedge.exe
PID 2852 wrote to memory of 3776	2852	msedge.exe	msedge.exe
PID 2852 wrote to memory of 3776	2852	msedge.exe	msedge.exe
PID 2852 wrote to memory of 3776	2852	msedge.exe	msedge.exe
PID 2852 wrote to memory of 3776	2852	msedge.exe	msedge.exe
PID 2852 wrote to memory of 3776	2852	msedge.exe	msedge.exe
PID 2852 wrote to memory of 3776	2852	msedge.exe	msedge.exe
PID 2852 wrote to memory of 3776	2852	msedge.exe	msedge.exe
PID 2852 wrote to memory of 3776	2852	msedge.exe	msedge.exe
PID 2852 wrote to memory of 3776	2852	msedge.exe	msedge.exe
PID 2852 wrote to memory of 3776	2852	msedge.exe	msedge.exe
PID 2852 wrote to memory of 3776	2852	msedge.exe	msedge.exe
PID 2852 wrote to memory of 3776	2852	msedge.exe	msedge.exe
PID 2852 wrote to memory of 3776	2852	msedge.exe	msedge.exe
PID 2852 wrote to memory of 3776	2852	msedge.exe	msedge.exe
PID 2852 wrote to memory of 3776	2852	msedge.exe	msedge.exe
PID 2852 wrote to memory of 3776	2852	msedge.exe	msedge.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

oboekjkdross.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	oboekjkdross.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	oboekjkdross.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	oboekjkdross.exe

C:\Users\Admin\AppData\Local\Temp\oboekjkdross.exe
"C:\Users\Admin\AppData\Local\Temp\oboekjkdross.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Checks computer location settings
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2724

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
3⤵
- Executes dropped EXE
PID:4792

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cgwpw1ma.n2m.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cgwpw1ma.n2m.exe"'
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cgwpw1ma.n2m.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cgwpw1ma.n2m.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4376

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
5⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
6⤵
- Modifies Windows Firewall
PID:1164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC462.tmp.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:2620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.redtube.com/
7⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffaec9746f8,0x7ffaec974708,0x7ffaec974718
8⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,18178432436181541559,1654850588186403299,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1972 /prefetch:2
8⤵
PID:3776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,18178432436181541559,1654850588186403299,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
8⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1952,18178432436181541559,1654850588186403299,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
8⤵
PID:1384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,18178432436181541559,1654850588186403299,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
8⤵
PID:652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,18178432436181541559,1654850588186403299,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
8⤵
PID:4484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,18178432436181541559,1654850588186403299,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
8⤵
PID:1204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,18178432436181541559,1654850588186403299,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
8⤵
PID:1048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,18178432436181541559,1654850588186403299,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
8⤵
PID:3628

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,18178432436181541559,1654850588186403299,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5860 /prefetch:8
8⤵
PID:2072

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,18178432436181541559,1654850588186403299,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5860 /prefetch:8
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:2504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,18178432436181541559,1654850588186403299,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2208 /prefetch:1
8⤵
PID:3372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,18178432436181541559,1654850588186403299,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:1
8⤵
PID:3368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,18178432436181541559,1654850588186403299,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5748 /prefetch:2
8⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,18178432436181541559,1654850588186403299,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
8⤵
PID:4152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,18178432436181541559,1654850588186403299,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
8⤵
PID:4932

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Shutdown /s /f /t 00
2⤵
PID:3568

C:\Windows\system32\shutdown.exe
Shutdown /s /f /t 00
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4788

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39b0855 /state1:0x41c64e6d
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:744

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
eb20b5930f48aa090358398afb25b683

SHA1
4892c8b72aa16c5b3f1b72811bf32b89f2d13392

SHA256
2695ab23c2b43aa257f44b6943b6a56b395ea77dc24e5a9bd16acc2578168a35

SHA512
d0c6012a0059bc1bb49b2f293e6c07019153e0faf833961f646a85b992b47896092f33fdccc893334c79f452218d1542e339ded3f1b69bd8e343d232e6c3d9e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
432B

MD5
3565b347411a502879e3d33f17fef621

SHA1
07c043c8bd2247cff4b96b7f44805eadea19e8f7

SHA256
95a4760713b87377c2980ea4e04c93f6efd398d136feeb9aa983294b958a2b81

SHA512
a3ef51aa381c05e9d2823b44970294c2794567abb6c55e2675747518450dee54d7d332139ecba7841e49f421da95fb2d6673f0ec5357e304b83952ef34a39eb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
dba7f0a31c886b27e9d9b783daf8a23d

SHA1
669a29667d0219a24b92f5735dfa6685de3ad9c9

SHA256
97479326e0bc7648b4e519146c4bdd5dcf2b9ada2f1b8a47e66b5a6c56261383

SHA512
9b26dff32414c72510b4c50a2bd5562b72c797c962383daee93435a7373828263be2b27231b53f9b45d7f895e62466f745cd33d75cc077d56762b7f6b8e6eb38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
20a6f18a61ba350edb3d49da5dd4d33b

SHA1
40034003ddf1272814589a87b47fa7a38976b1f3

SHA256
70e6811058f01253b0d868203aaaed5844e870ffa98bafbc335fbdb10ebcfce4

SHA512
f06dc5f746f199c26f7d4e18f50439c7a9963342d7a485f556ff5a186affe2b2a9d34681088cf0060ee1ec5321bd021ac2969875f20a7eae29fdb0781ea7dd89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b79d8c3ccee285853a5a6622ff429bb9

SHA1
f7ded00cc0ecbe063fffc379948611e87dbaca20

SHA256
c3dd82c730930b031753b11273632eebac0fa4e45e083256baec93491ec46c03

SHA512
fa641f434d2f3cd14ad6c8267c636a0fb8cd49a57d724552010cab504b01993b40f392e780e128c5224141344c6be1cd3c585d150658967993452377a1aa8670

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
2bbbdb35220e81614659f8e50e6b8a44

SHA1
7729a18e075646fb77eb7319e30d346552a6c9de

SHA256
73f853ad74a9ac44bc4edf5a6499d237c940c905d3d62ea617fbb58d5e92a8dd

SHA512
59c5c7c0fbe53fa34299395db6e671acfc224dee54c7e1e00b1ce3c8e4dfb308bf2d170dfdbdda9ca32b4ad0281cde7bd6ae08ea87544ea5324bcb94a631f899

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
168B

MD5
4f26525ec3d69c38938ac12f7c43b134

SHA1
3ab6d7692c743da49b3b4572a8e671cb56fcfa82

SHA256
e6ffb66259403193954ba2a3e60007a97e380df2e8541fe72f40f96068051c82

SHA512
38ccb23d170f19b198b86627c4c5f0394d138e69ed489152add766861d765047fcfbb669d73b73ff55087b25b0f450fe8f2c4b0c3d194e4fb13f2793d2b63a16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe603935.TMP
Filesize
48B

MD5
eb8be0bf8b9665c95bbd55677e0af828

SHA1
62142147bf9cef5265a857c1e96ba5eb8457e3d4

SHA256
daf3063252b7e5c842f5c323492d9e5e4e58bf32d96558f72fa3456aec6ca1e8

SHA512
c3ff6a6be6eba80401128503b67d9d543d0e9baf5916e58960daa48e2a90334ba64e3685fbd450f4e54f990066010be57ee149297cbe4afa8bdb22137ab90148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
194aef65fe441278a3b1b815645882cc

SHA1
8c1e5349b40e8a1c0a63b3a93aa4f52948b77f51

SHA256
88434ad6488b0534d0b51ff94ae91836016721c40ede311cd298b3914994b8f9

SHA512
e85a54f9cbeee0334f85a4b3a28f2bc2f7ee0a9eb214d2ef8442153cb9d01bff86ba610ae9041a3c385158dd8268c9ace18ea8f601541da86828e6173cc59aa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
250839cc75da35cc5f6a6de1deb6d431

SHA1
1d51c6541c4565fe94cb131947d934d2eceb3e58

SHA256
14a443963f3e49614049bfdb6c7d1a580bf89543a5cbbc0a67b229deaaed5f8f

SHA512
1c492ff21f35df42e7d047594a3fbaf4c2df5cfad841eb8e3d3a865d95a18a1d6bad5a989610a6798a42151aa7f821187c67d00097f8fa0500cdfa3564391ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zy1nmpzo.mw1.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC462.tmp.bat
Filesize
37B

MD5
f5726d253fe5d4ecc9568bd9999883ca

SHA1
8fec12574c36283782076dd020fe67bbd6c49b8b

SHA256
1ede0c20a3dc0fd37285a36f19be95d0770f162e199e3514713301ecc8d05687

SHA512
2bc5d23a1eac45030c181f585c1a44b74386779d1e6e9448e190210d4eae4f98273923b7e055985d06c17e629429098fa78fa11a365d40fc93406cf6a13c9ee6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cgwpw1ma.n2m.exe
Filesize
23KB

MD5
2c16e91ad2c6bdd99a1c2d419fbb0ec3

SHA1
f9b7ff51da9f9010fe3c9ab9cdcbc0febdb137da

SHA256
5b7d0d117902bffd1821b5d5cf7b0ace5061c0913f546e7bebd3e6a62c65e6ed

SHA512
ecd2ff0e6fa203daac5e51e814fa8c46b049857c15f90edfa6e9da8903bed72d9cdd4e98bc471e104cd2ee6b79dc780f361bf85aa7a8e2351a1e5099c73974cc

Download Submit
C:\Users\Admin\Documents\Sub\xdwdClient.exe
Filesize
799KB

MD5
4220d4a32781415bf36e0e159fd38ce1

SHA1
832933a30b0833e805f02af041cd787f3169f7d9

SHA256
e6b63cd513768974b5415cd8d65e2344f2064f5eed7002c9b58c52b92435c124

SHA512
a18e173b375586a1c38cdeac9e4d4d57d07c484fd0a94d853ae5b63e20a3abfbd281fc8f1c89f8c1ea548cd43bde7c6bc3b08a095f7d5c8dd06f46d2640942ed

Download Submit
C:\Windows\xdwd.dll
Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
\??\pipe\LOCAL\crashpad_2852_KLBFHGEXVUUBEQFY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/744-6383-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download
memory/1364-4125-0x0000000074610000-0x0000000074BC1000-memory.dmp

Filesize
5.7MB

Download
memory/1364-4226-0x0000000001130000-0x0000000001140000-memory.dmp

Filesize
64KB

Download
memory/1364-4312-0x0000000074610000-0x0000000074BC1000-memory.dmp

Filesize
5.7MB

Download
memory/1364-4119-0x0000000001130000-0x0000000001140000-memory.dmp

Filesize
64KB

Download
memory/1364-4424-0x0000000001130000-0x0000000001140000-memory.dmp

Filesize
64KB

Download
memory/1364-4311-0x0000000001130000-0x0000000001140000-memory.dmp

Filesize
64KB

Download
memory/1364-6417-0x0000000074610000-0x0000000074BC1000-memory.dmp

Filesize
5.7MB

Download
memory/1364-4124-0x0000000074610000-0x0000000074BC1000-memory.dmp

Filesize
5.7MB

Download
memory/1372-4033-0x00007FFAE3BE0000-0x00007FFAE46A1000-memory.dmp

Filesize
10.8MB

Download
memory/1372-4023-0x000002274A0A0000-0x000002274A0B0000-memory.dmp

Filesize
64KB

Download
memory/1372-4038-0x00007FFAE3BE0000-0x00007FFAE46A1000-memory.dmp

Filesize
10.8MB

Download
memory/1372-4039-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download
memory/1372-4020-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download
memory/1372-4021-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download
memory/1372-4022-0x000002274A0A0000-0x000002274A0B0000-memory.dmp

Filesize
64KB

Download
memory/2340-6382-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download
memory/2724-3546-0x00000000740E0000-0x0000000074890000-memory.dmp

Filesize
7.7MB

Download
memory/2724-3645-0x00000000740E0000-0x0000000074890000-memory.dmp

Filesize
7.7MB

Download
memory/2724-3562-0x0000000005660000-0x0000000005C04000-memory.dmp

Filesize
5.6MB

Download
memory/2724-3558-0x0000000004FB0000-0x000000000504C000-memory.dmp

Filesize
624KB

Download
memory/2724-3545-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2800-3544-0x000000001C6A0000-0x000000001C6AC000-memory.dmp

Filesize
48KB

Download
memory/2800-0-0x0000000000150000-0x000000000021E000-memory.dmp

Filesize
824KB

Download
memory/2800-6378-0x000000001AFB0000-0x000000001AFB8000-memory.dmp

Filesize
32KB

Download
memory/2800-525-0x000000001C680000-0x000000001C69E000-memory.dmp

Filesize
120KB

Download
memory/2800-524-0x0000000000B40000-0x0000000000B4A000-memory.dmp

Filesize
40KB

Download
memory/2800-523-0x000000001CCC0000-0x000000001CD36000-memory.dmp

Filesize
472KB

Download
memory/2800-213-0x0000000000B30000-0x0000000000B40000-memory.dmp

Filesize
64KB

Download
memory/2800-6407-0x00007FFAE3BE0000-0x00007FFAE46A1000-memory.dmp

Filesize
10.8MB

Download
memory/2800-66-0x00007FFAE3BE0000-0x00007FFAE46A1000-memory.dmp

Filesize
10.8MB

Download
memory/2800-18-0x0000000000B30000-0x0000000000B40000-memory.dmp

Filesize
64KB

Download
memory/2800-1-0x00007FFAE3BE0000-0x00007FFAE46A1000-memory.dmp

Filesize
10.8MB

Download
memory/2848-4539-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download
memory/2848-4538-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download
memory/2848-4555-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download
memory/3396-69-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download
memory/3396-71-0x00007FFB01C80000-0x00007FFB01C81000-memory.dmp

Filesize
4KB

Download
memory/3396-70-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download
memory/3396-92-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download
memory/4376-4120-0x0000000074610000-0x0000000074BC1000-memory.dmp

Filesize
5.7MB

Download
memory/4376-4056-0x00000000016B0000-0x00000000016C0000-memory.dmp

Filesize
64KB

Download
memory/4376-4055-0x0000000074610000-0x0000000074BC1000-memory.dmp

Filesize
5.7MB

Download
memory/4376-4054-0x0000000074610000-0x0000000074BC1000-memory.dmp

Filesize
5.7MB

Download
memory/4636-603-0x00007FFAE3BE0000-0x00007FFAE46A1000-memory.dmp

Filesize
10.8MB

Download
memory/4636-596-0x00007FFAE3BE0000-0x00007FFAE46A1000-memory.dmp

Filesize
10.8MB

Download
memory/4636-584-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download
memory/4636-602-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download
memory/4636-599-0x0000017CF6AC0000-0x0000017CF6AD0000-memory.dmp

Filesize
64KB

Download
memory/4636-598-0x0000017CF6AC0000-0x0000017CF6AD0000-memory.dmp

Filesize
64KB

Download
memory/4636-597-0x0000017CF6AC0000-0x0000017CF6AD0000-memory.dmp

Filesize
64KB

Download
memory/4636-585-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download
memory/4636-595-0x0000017CF6B40000-0x0000017CF6B62000-memory.dmp

Filesize
136KB

Download
memory/4788-4558-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download
memory/4788-4557-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download
memory/4788-4556-0x00007FFB01C90000-0x00007FFB01E85000-memory.dmp

Filesize
2.0MB

Download
memory/4792-3647-0x0000000000E80000-0x0000000000E92000-memory.dmp

Filesize
72KB

Download
memory/4792-3648-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/4792-3650-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads