njrat | 787cb0fab96ebe518dea4d2ebd90528db5ebf6019cb2c0d62ad77413bcd36e2d

Analysis

max time kernel
760s
max time network
763s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2024 15:26

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

puugtqapzxao.exe
Size

769KB
MD5

0b8d6a7e6d09d1ef259d04a5580a5138
SHA1

34beda8270e99335cfd90907f5037250c8fa682e
SHA256

9b49cb61c6998d160a3fd448926df1f08277866e62999223ee7bc1455e023ad8
SHA512

be6bdef101cdf04f21dd9ddf1166866510b8a1b31ce08b4c962a8fb678f68864c54f729be53c22daaae8b1f6f643f5607fb5a882810f142152a78a016ccb4df5
SSDEEP

12288:sunmOayKUGPPVle8m4Ou1bypH3etxcvj8NfM3q9RNIwo:smayKg4OuC3iN03qD

Score

10^/10

njrat lammer evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

8.tcp.ngrok.io:19346

Mutex

bca7344ec33c4f045ea133b6b48694e2

Attributes

reg_key
bca7344ec33c4f045ea133b6b48694e2
splitter
|'|'|

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral14/memory/4796-665-0x0000000000B30000-0x0000000000B3A000-memory.dmp	disable_win_def

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

puugtqapzxao.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\Documents\\Sub\\xdwdClient.exe"	puugtqapzxao.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

puugtqapzxao.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	puugtqapzxao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	puugtqapzxao.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	puugtqapzxao.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	puugtqapzxao.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

puugtqapzxao.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	puugtqapzxao.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	puugtqapzxao.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	puugtqapzxao.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

4312 netsh.exe

pid	process
4312	netsh.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

puugtqapzxao.exemacqgpa0.klo.exeTrojan.exeRegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	puugtqapzxao.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	macqgpa0.klo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	Trojan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Drops startup file 2 IoCs

Processes:

Trojan.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bca7344ec33c4f045ea133b6b48694e2.exe	Trojan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bca7344ec33c4f045ea133b6b48694e2.exe	Trojan.exe

Executes dropped EXE 3 IoCs

Processes:

Trojan.exemacqgpa0.klo.exeTrojan.exe

pid process

4780 Trojan.exe
5048 macqgpa0.klo.exe
1904 Trojan.exe

pid	process
4780	Trojan.exe
5048	macqgpa0.klo.exe
1904	Trojan.exe

Loads dropped DLL 23 IoCs

Processes:

WmiApSrv.exepowershell.exepowershell.exemsedge.exemsedge.exemsedge.exeCompPkgSrv.exeCompPkgSrv.exemsedge.exe

pid	process
400
4740
4916	WmiApSrv.exe
800
4100
1240
2900
2044
1448	powershell.exe
4396
2764
4624
3152	powershell.exe
4952
3916
3224
3292	msedge.exe
5008	msedge.exe
740	msedge.exe
4208
4892	CompPkgSrv.exe
3036	CompPkgSrv.exe
2908	msedge.exe

Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

puugtqapzxao.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" puugtqapzxao.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	puugtqapzxao.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

puugtqapzxao.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SDLKFJHDLKHDkh = "C:\\Users\\Admin\\Documents\\Sub\\xdwdWatchDog.exe"	puugtqapzxao.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

puugtqapzxao.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	puugtqapzxao.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua	puugtqapzxao.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

55 0.tcp.eu.ngrok.io
68 0.tcp.eu.ngrok.io
73 8.tcp.ngrok.io
159 8.tcp.ngrok.io
165 0.tcp.eu.ngrok.io
22 0.tcp.eu.ngrok.io
Suspicious use of SetThreadContext 1 IoCs

Processes:

puugtqapzxao.exe

description pid process target process

PID 4796 set thread context of 1692 4796 puugtqapzxao.exe RegAsm.exe
Drops file in Windows directory 1 IoCs

Processes:

puugtqapzxao.exe

description ioc process

File created C:\Windows\xdwd.dll puugtqapzxao.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
55	0.tcp.eu.ngrok.io
68	0.tcp.eu.ngrok.io
73	8.tcp.ngrok.io
159	8.tcp.ngrok.io
165	0.tcp.eu.ngrok.io
22	0.tcp.eu.ngrok.io

description	pid	process	target process
PID 4796 set thread context of 1692	4796	puugtqapzxao.exe	RegAsm.exe

description	ioc	process
File created	C:\Windows\xdwd.dll	puugtqapzxao.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

puugtqapzxao.exeWmiApSrv.exepowershell.exepowershell.exemsedge.exemsedge.exemsedge.exeCompPkgSrv.exeCompPkgSrv.exeidentity_helper.exemsedge.exe

pid	process
4796	puugtqapzxao.exe
4796	puugtqapzxao.exe
4796	puugtqapzxao.exe
4796	puugtqapzxao.exe
4796	puugtqapzxao.exe
4796	puugtqapzxao.exe
4796	puugtqapzxao.exe
4796	puugtqapzxao.exe
4796	puugtqapzxao.exe
4796	puugtqapzxao.exe
4796	puugtqapzxao.exe
4796	puugtqapzxao.exe
4796	puugtqapzxao.exe
4796	puugtqapzxao.exe
4796	puugtqapzxao.exe
4796	puugtqapzxao.exe
4796	puugtqapzxao.exe
4796	puugtqapzxao.exe
4796	puugtqapzxao.exe
4796	puugtqapzxao.exe
4796	puugtqapzxao.exe
4796	puugtqapzxao.exe
4796	puugtqapzxao.exe
4796	puugtqapzxao.exe
4796	puugtqapzxao.exe
4796	puugtqapzxao.exe
4916	WmiApSrv.exe
4916	WmiApSrv.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
1448	powershell.exe
3152	powershell.exe
3152	powershell.exe
3152	powershell.exe
3152	powershell.exe
3292	msedge.exe
3292	msedge.exe
5008	msedge.exe
5008	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
4892	CompPkgSrv.exe
5008	msedge.exe
5008	msedge.exe
3036	CompPkgSrv.exe
4060	identity_helper.exe
4060	identity_helper.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe
2908	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

5008 msedge.exe
5008 msedge.exe
5008 msedge.exe
5008 msedge.exe
5008 msedge.exe
5008 msedge.exe
5008 msedge.exe
5008 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

puugtqapzxao.exepowershell.exepowershell.exeTrojan.exe

description	pid	process
Token: SeDebugPrivilege	4796	puugtqapzxao.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	3152	powershell.exe
Token: SeDebugPrivilege	1904	Trojan.exe
Token: 33	1904	Trojan.exe
Token: SeIncBasePriorityPrivilege	1904	Trojan.exe
Token: 33	1904	Trojan.exe
Token: SeIncBasePriorityPrivilege	1904	Trojan.exe
Token: 33	1904	Trojan.exe
Token: SeIncBasePriorityPrivilege	1904	Trojan.exe
Token: 33	1904	Trojan.exe
Token: SeIncBasePriorityPrivilege	1904	Trojan.exe
Token: 33	1904	Trojan.exe
Token: SeIncBasePriorityPrivilege	1904	Trojan.exe
Token: 33	1904	Trojan.exe
Token: SeIncBasePriorityPrivilege	1904	Trojan.exe
Token: 33	1904	Trojan.exe
Token: SeIncBasePriorityPrivilege	1904	Trojan.exe
Token: 33	1904	Trojan.exe
Token: SeIncBasePriorityPrivilege	1904	Trojan.exe
Token: 33	1904	Trojan.exe
Token: SeIncBasePriorityPrivilege	1904	Trojan.exe
Token: 33	1904	Trojan.exe
Token: SeIncBasePriorityPrivilege	1904	Trojan.exe
Token: 33	1904	Trojan.exe
Token: SeIncBasePriorityPrivilege	1904	Trojan.exe
Token: 33	1904	Trojan.exe
Token: SeIncBasePriorityPrivilege	1904	Trojan.exe
Token: 33	1904	Trojan.exe
Token: SeIncBasePriorityPrivilege	1904	Trojan.exe
Token: 33	1904	Trojan.exe
Token: SeIncBasePriorityPrivilege	1904	Trojan.exe
Token: 33	1904	Trojan.exe
Token: SeIncBasePriorityPrivilege	1904	Trojan.exe
Token: 33	1904	Trojan.exe
Token: SeIncBasePriorityPrivilege	1904	Trojan.exe
Token: 33	1904	Trojan.exe
Token: SeIncBasePriorityPrivilege	1904	Trojan.exe
Token: 33	1904	Trojan.exe
Token: SeIncBasePriorityPrivilege	1904	Trojan.exe
Token: 33	1904	Trojan.exe
Token: SeIncBasePriorityPrivilege	1904	Trojan.exe
Token: 33	1904	Trojan.exe
Token: SeIncBasePriorityPrivilege	1904	Trojan.exe
Token: 33	1904	Trojan.exe
Token: SeIncBasePriorityPrivilege	1904	Trojan.exe
Token: 33	1904	Trojan.exe
Token: SeIncBasePriorityPrivilege	1904	Trojan.exe
Token: 33	1904	Trojan.exe
Token: SeIncBasePriorityPrivilege	1904	Trojan.exe
Token: 33	1904	Trojan.exe
Token: SeIncBasePriorityPrivilege	1904	Trojan.exe
Token: 33	1904	Trojan.exe
Token: SeIncBasePriorityPrivilege	1904	Trojan.exe
Token: 33	1904	Trojan.exe
Token: SeIncBasePriorityPrivilege	1904	Trojan.exe
Token: 33	1904	Trojan.exe
Token: SeIncBasePriorityPrivilege	1904	Trojan.exe
Token: 33	1904	Trojan.exe
Token: SeIncBasePriorityPrivilege	1904	Trojan.exe
Token: 33	1904	Trojan.exe
Token: SeIncBasePriorityPrivilege	1904	Trojan.exe
Token: 33	1904	Trojan.exe
Token: SeIncBasePriorityPrivilege	1904	Trojan.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe
5008	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

puugtqapzxao.exeRegAsm.execmd.exepowershell.exemacqgpa0.klo.exeTrojan.execmd.exemsedge.exe

description	pid	process	target process
PID 4796 wrote to memory of 1448	4796	puugtqapzxao.exe	powershell.exe
PID 4796 wrote to memory of 1448	4796	puugtqapzxao.exe	powershell.exe
PID 4796 wrote to memory of 1692	4796	puugtqapzxao.exe	RegAsm.exe
PID 4796 wrote to memory of 1692	4796	puugtqapzxao.exe	RegAsm.exe
PID 4796 wrote to memory of 1692	4796	puugtqapzxao.exe	RegAsm.exe
PID 4796 wrote to memory of 1692	4796	puugtqapzxao.exe	RegAsm.exe
PID 4796 wrote to memory of 1692	4796	puugtqapzxao.exe	RegAsm.exe
PID 4796 wrote to memory of 1692	4796	puugtqapzxao.exe	RegAsm.exe
PID 4796 wrote to memory of 1692	4796	puugtqapzxao.exe	RegAsm.exe
PID 4796 wrote to memory of 1692	4796	puugtqapzxao.exe	RegAsm.exe
PID 1692 wrote to memory of 4780	1692	RegAsm.exe	Trojan.exe
PID 1692 wrote to memory of 4780	1692	RegAsm.exe	Trojan.exe
PID 1692 wrote to memory of 4780	1692	RegAsm.exe	Trojan.exe
PID 4796 wrote to memory of 5068	4796	puugtqapzxao.exe	cmd.exe
PID 4796 wrote to memory of 5068	4796	puugtqapzxao.exe	cmd.exe
PID 5068 wrote to memory of 3152	5068	cmd.exe	powershell.exe
PID 5068 wrote to memory of 3152	5068	cmd.exe	powershell.exe
PID 3152 wrote to memory of 5048	3152	powershell.exe	macqgpa0.klo.exe
PID 3152 wrote to memory of 5048	3152	powershell.exe	macqgpa0.klo.exe
PID 3152 wrote to memory of 5048	3152	powershell.exe	macqgpa0.klo.exe
PID 5048 wrote to memory of 1904	5048	macqgpa0.klo.exe	Trojan.exe
PID 5048 wrote to memory of 1904	5048	macqgpa0.klo.exe	Trojan.exe
PID 5048 wrote to memory of 1904	5048	macqgpa0.klo.exe	Trojan.exe
PID 1904 wrote to memory of 4312	1904	Trojan.exe	netsh.exe
PID 1904 wrote to memory of 4312	1904	Trojan.exe	netsh.exe
PID 1904 wrote to memory of 4312	1904	Trojan.exe	netsh.exe
PID 1904 wrote to memory of 2240	1904	Trojan.exe	cmd.exe
PID 1904 wrote to memory of 2240	1904	Trojan.exe	cmd.exe
PID 1904 wrote to memory of 2240	1904	Trojan.exe	cmd.exe
PID 2240 wrote to memory of 5008	2240	cmd.exe	msedge.exe
PID 2240 wrote to memory of 5008	2240	cmd.exe	msedge.exe
PID 5008 wrote to memory of 3292	5008	msedge.exe	msedge.exe
PID 5008 wrote to memory of 3292	5008	msedge.exe	msedge.exe
PID 5008 wrote to memory of 4992	5008	msedge.exe	msedge.exe
PID 5008 wrote to memory of 4992	5008	msedge.exe	msedge.exe
PID 5008 wrote to memory of 4992	5008	msedge.exe	msedge.exe
PID 5008 wrote to memory of 4992	5008	msedge.exe	msedge.exe
PID 5008 wrote to memory of 4992	5008	msedge.exe	msedge.exe
PID 5008 wrote to memory of 4992	5008	msedge.exe	msedge.exe
PID 5008 wrote to memory of 4992	5008	msedge.exe	msedge.exe
PID 5008 wrote to memory of 4992	5008	msedge.exe	msedge.exe
PID 5008 wrote to memory of 4992	5008	msedge.exe	msedge.exe
PID 5008 wrote to memory of 4992	5008	msedge.exe	msedge.exe
PID 5008 wrote to memory of 4992	5008	msedge.exe	msedge.exe
PID 5008 wrote to memory of 4992	5008	msedge.exe	msedge.exe
PID 5008 wrote to memory of 4992	5008	msedge.exe	msedge.exe
PID 5008 wrote to memory of 4992	5008	msedge.exe	msedge.exe
PID 5008 wrote to memory of 4992	5008	msedge.exe	msedge.exe
PID 5008 wrote to memory of 4992	5008	msedge.exe	msedge.exe
PID 5008 wrote to memory of 4992	5008	msedge.exe	msedge.exe
PID 5008 wrote to memory of 4992	5008	msedge.exe	msedge.exe
PID 5008 wrote to memory of 4992	5008	msedge.exe	msedge.exe
PID 5008 wrote to memory of 4992	5008	msedge.exe	msedge.exe
PID 5008 wrote to memory of 4992	5008	msedge.exe	msedge.exe
PID 5008 wrote to memory of 4992	5008	msedge.exe	msedge.exe
PID 5008 wrote to memory of 4992	5008	msedge.exe	msedge.exe
PID 5008 wrote to memory of 4992	5008	msedge.exe	msedge.exe
PID 5008 wrote to memory of 4992	5008	msedge.exe	msedge.exe
PID 5008 wrote to memory of 4992	5008	msedge.exe	msedge.exe
PID 5008 wrote to memory of 4992	5008	msedge.exe	msedge.exe
PID 5008 wrote to memory of 4992	5008	msedge.exe	msedge.exe
PID 5008 wrote to memory of 4992	5008	msedge.exe	msedge.exe
PID 5008 wrote to memory of 4992	5008	msedge.exe	msedge.exe
PID 5008 wrote to memory of 4992	5008	msedge.exe	msedge.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

puugtqapzxao.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	puugtqapzxao.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	puugtqapzxao.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	puugtqapzxao.exe

C:\Users\Admin\AppData\Local\Temp\puugtqapzxao.exe
"C:\Users\Admin\AppData\Local\Temp\puugtqapzxao.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Checks computer location settings
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
3⤵
- Executes dropped EXE
PID:4780

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\macqgpa0.klo.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\macqgpa0.klo.exe"'
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3152

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\macqgpa0.klo.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\macqgpa0.klo.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
5⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
6⤵
- Modifies Windows Firewall
PID:4312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBBA8.tmp.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:2240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.redtube.com/
7⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffe57446f8,0x7fffe5744708,0x7fffe5744718
8⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,14508129107336473325,3534997624639076728,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
8⤵
PID:4992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,14508129107336473325,3534997624639076728,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
8⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,14508129107336473325,3534997624639076728,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
8⤵
PID:3696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,14508129107336473325,3534997624639076728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
8⤵
PID:4808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,14508129107336473325,3534997624639076728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
8⤵
PID:4056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,14508129107336473325,3534997624639076728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
8⤵
PID:1644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,14508129107336473325,3534997624639076728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
8⤵
PID:4448

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,14508129107336473325,3534997624639076728,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
8⤵
PID:2720

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,14508129107336473325,3534997624639076728,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:4060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,14508129107336473325,3534997624639076728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
8⤵
PID:2804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,14508129107336473325,3534997624639076728,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
8⤵
PID:4108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,14508129107336473325,3534997624639076728,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
8⤵
PID:4332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,14508129107336473325,3534997624639076728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
8⤵
PID:2424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,14508129107336473325,3534997624639076728,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4908 /prefetch:2
8⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,14508129107336473325,3534997624639076728,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
8⤵
PID:2704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,14508129107336473325,3534997624639076728,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
8⤵
PID:2276

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Shutdown /s /f /t 00
2⤵
PID:3920

C:\Windows\system32\shutdown.exe
Shutdown /s /f /t 00
3⤵
PID:4912

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3036

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa394a055 /state1:0x41c64e6d
1⤵
PID:4536

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
5e77545b7e1c504b2f5ce7c5cc2ce1fe

SHA1
d81a6af13cf31fa410b85471e4509124ebeaff7e

SHA256
cbb617cd6cde793f367df016b200d35ce3c521ab901bbcb52928576bb180bc11

SHA512
cbc65c61334a8b18ece79acdb30a4af80aa9448c3edc3902b00eb48fd5038bf6013d1f3f6436c1bcb637e78c485ae8e352839ca3c9ddf7e45b3b82d23b0e6e37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
480B

MD5
bb000cde0a3181833085294f01a3ffa6

SHA1
38c6c9bc12d41a6b108f61b3d6e8ea89054454ff

SHA256
f6616c42dbb9cbf27a7b5fd2afdc461175e41333596fb016b1c62096fab5d4b2

SHA512
7bad00ab2cd7d9d52c68b95413b3234e1e86cccf4972ad1acacd3a81ab647685031d5db42a1ad84dd2f5725ddf0196527e2a93a2aeefc86614dc4cc3fc092014

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
f43d388c12576c71fbaab55e31e2fc72

SHA1
c8d08e73da6b35d97b3e73bd34099d140acb3377

SHA256
1d31573e32e638e9e6738ee4d2dd21912fd087e3c7409b2df8aca8494105e13a

SHA512
9bf4b3b40f31642a837ed99d9deb4e447ab4632b0c4edf2c8e46a5bd35524a551e4a561d959868f4207dcbda9e704914300ed7dabc6be3108e47410477d6db50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
a2ee0a399abdaf35a0e6b86e0db2e4ac

SHA1
7b31ffd8a2e0ad0645c88c25ff5028d2826fffb6

SHA256
47ff6efa31dd9e4634e87c60e2853a6765bfd336fe2d41c103321d83a7efd18e

SHA512
c92af9ea67c676bc8ee52ec61a952405d71f74599d471d3ca6967f25ca186859a7f5a3397b7cbffd18182f9748676bdab705f68959c028a04ca914cd5586fa4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
a87665667f23e760c5dbbadc215db175

SHA1
2d7286ef74b48b7618cbfc69fca2d99f0f2f6641

SHA256
e2793154ffcc7b7ca9e8b3537f3617b10f2bd0eeb59bf87038002361e8b83283

SHA512
9e1bac77840a29668711471229f2d5157fc5e5e9e392033b152f8576eb6e4c0830c0894067d5788b133ad4a7899782dbbbf4e1342a3c6445dfd8c7d5840aca6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
6db2d2ceb22a030bd1caa72b32cfbf98

SHA1
fe50f35e60f88624a28b93b8a76be1377957618b

SHA256
7b22b0b16088ab7f7d6f938d7cfe9ae807856662ce3a63e7de6c8107186853e4

SHA512
d5a67a394003f559c98e1a1e9e31c2d473d04cc075b08bb0aab115ce42744da536895df2cec73fa54fc36f38d38e4906680cfacfbf4698ee925f1609fbb07912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
168B

MD5
fffffa74062a3deb871751a2b1eb8e21

SHA1
dbde5e57f95563fddb81003c88d781b5e449b591

SHA256
53820192f790eee34448fd4ac33d62996a139866328f62297c56c2c1d5c60817

SHA512
0f531e631bcbb5a9add2676f25631c3854cd229ab74be3405a304b3433172d7a2ed2a6c3499a477bde3831741d73a1a19380d1d455d8c6d7e40f9757eba20138

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe602167.TMP
Filesize
48B

MD5
3feaa2c835aa358526a2f6089a624d59

SHA1
cef34ef6baf28d3bb37b3177796cc62573309235

SHA256
cddf70f09e5e37666e88742bd989f488407af8f5177c7106edf7e6d726f51bef

SHA512
693d5ede3baa78bb34228c84968edd0e5951fbff963778b3733721fff5b9d991ee8881d080407f271fda3a228e8ab9630ffb372f717b8ad9d7caccb5279346e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
f1b85c52b4bb73c54f29c121c15045e2

SHA1
8638956bb1cf456206ec1a0a93c3cad2cecb10a0

SHA256
7b13a4010b239fcacebf3338cdd1ccc0e1a4db724a86768b49a6c998521b14a9

SHA512
0001af84d87c011d5cb81d820ceea04d5deb20295c5f1e4d4e3037091dd8fdd77e4ef1ee979ca5c77a917d6a10fba2f8de1c58a2cb40ef5d18cf787bdff4cb5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
c1087e5765a4173a9dc0bbdae0110883

SHA1
2cb4ff3adefd6dc2a8ebc8015092bd727c5e7889

SHA256
51252947e3d111bf12c821a7b4282a786e0bf4d98e3af99ed763682759744801

SHA512
af61fc862b495e8e140bde73b64619e718f865d119119daf9d4b6254d356d9794efa581aad260a1ca7359d3e3673a9e20d195210c77b5ea0c2b9c4f0a95b12cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s0vgwedz.gqr.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBBA8.tmp.bat
Filesize
37B

MD5
f5726d253fe5d4ecc9568bd9999883ca

SHA1
8fec12574c36283782076dd020fe67bbd6c49b8b

SHA256
1ede0c20a3dc0fd37285a36f19be95d0770f162e199e3514713301ecc8d05687

SHA512
2bc5d23a1eac45030c181f585c1a44b74386779d1e6e9448e190210d4eae4f98273923b7e055985d06c17e629429098fa78fa11a365d40fc93406cf6a13c9ee6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\macqgpa0.klo.exe
Filesize
23KB

MD5
2c16e91ad2c6bdd99a1c2d419fbb0ec3

SHA1
f9b7ff51da9f9010fe3c9ab9cdcbc0febdb137da

SHA256
5b7d0d117902bffd1821b5d5cf7b0ace5061c0913f546e7bebd3e6a62c65e6ed

SHA512
ecd2ff0e6fa203daac5e51e814fa8c46b049857c15f90edfa6e9da8903bed72d9cdd4e98bc471e104cd2ee6b79dc780f361bf85aa7a8e2351a1e5099c73974cc

Download Submit
C:\Users\Admin\Documents\Sub\xdwdClient.exe
Filesize
769KB

MD5
0b8d6a7e6d09d1ef259d04a5580a5138

SHA1
34beda8270e99335cfd90907f5037250c8fa682e

SHA256
9b49cb61c6998d160a3fd448926df1f08277866e62999223ee7bc1455e023ad8

SHA512
be6bdef101cdf04f21dd9ddf1166866510b8a1b31ce08b4c962a8fb678f68864c54f729be53c22daaae8b1f6f643f5607fb5a882810f142152a78a016ccb4df5

Download Submit
C:\Windows\xdwd.dll
Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
\??\pipe\LOCAL\crashpad_5008_FHRKYXEJTJIEHVXT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1448-726-0x00007FFFF4930000-0x00007FFFF4B25000-memory.dmp

Filesize
2.0MB

Download
memory/1448-737-0x00000216BE150000-0x00000216BE160000-memory.dmp

Filesize
64KB

Download
memory/1448-743-0x00007FFFF4930000-0x00007FFFF4B25000-memory.dmp

Filesize
2.0MB

Download
memory/1448-742-0x00007FFFD68C0000-0x00007FFFD7381000-memory.dmp

Filesize
10.8MB

Download
memory/1448-732-0x00000216BE150000-0x00000216BE160000-memory.dmp

Filesize
64KB

Download
memory/1448-738-0x00000216BE0E0000-0x00000216BE102000-memory.dmp

Filesize
136KB

Download
memory/1448-739-0x00007FFFD68C0000-0x00007FFFD7381000-memory.dmp

Filesize
10.8MB

Download
memory/1448-725-0x00007FFFF4930000-0x00007FFFF4B25000-memory.dmp

Filesize
2.0MB

Download
memory/1692-3713-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1692-3714-0x00000000051A0000-0x000000000523C000-memory.dmp

Filesize
624KB

Download
memory/1692-3715-0x0000000074B40000-0x00000000752F0000-memory.dmp

Filesize
7.7MB

Download
memory/1692-3716-0x00000000057F0000-0x0000000005D94000-memory.dmp

Filesize
5.6MB

Download
memory/1692-3785-0x0000000074B40000-0x00000000752F0000-memory.dmp

Filesize
7.7MB

Download
memory/1904-4277-0x0000000075070000-0x0000000075621000-memory.dmp

Filesize
5.7MB

Download
memory/1904-6641-0x0000000075070000-0x0000000075621000-memory.dmp

Filesize
5.7MB

Download
memory/1904-4592-0x0000000000E00000-0x0000000000E10000-memory.dmp

Filesize
64KB

Download
memory/1904-4278-0x0000000075070000-0x0000000075621000-memory.dmp

Filesize
5.7MB

Download
memory/1904-4478-0x0000000075070000-0x0000000075621000-memory.dmp

Filesize
5.7MB

Download
memory/1904-4479-0x0000000000E00000-0x0000000000E10000-memory.dmp

Filesize
64KB

Download
memory/1904-4393-0x0000000000E00000-0x0000000000E10000-memory.dmp

Filesize
64KB

Download
memory/3036-4722-0x00007FFFF4930000-0x00007FFFF4B25000-memory.dmp

Filesize
2.0MB

Download
memory/3036-4724-0x00007FFFF4930000-0x00007FFFF4B25000-memory.dmp

Filesize
2.0MB

Download
memory/3036-4725-0x00007FFFF4930000-0x00007FFFF4B25000-memory.dmp

Filesize
2.0MB

Download
memory/3152-4201-0x0000027A39560000-0x0000027A39570000-memory.dmp

Filesize
64KB

Download
memory/3152-4200-0x00007FFFD68C0000-0x00007FFFD7381000-memory.dmp

Filesize
10.8MB

Download
memory/3152-4207-0x00007FFFD68C0000-0x00007FFFD7381000-memory.dmp

Filesize
10.8MB

Download
memory/3152-4189-0x00007FFFF4930000-0x00007FFFF4B25000-memory.dmp

Filesize
2.0MB

Download
memory/3152-4188-0x00007FFFF4930000-0x00007FFFF4B25000-memory.dmp

Filesize
2.0MB

Download
memory/3152-4206-0x00007FFFF4930000-0x00007FFFF4B25000-memory.dmp

Filesize
2.0MB

Download
memory/3152-4202-0x0000027A39560000-0x0000027A39570000-memory.dmp

Filesize
64KB

Download
memory/4536-6612-0x00007FFFF4930000-0x00007FFFF4B25000-memory.dmp

Filesize
2.0MB

Download
memory/4780-3787-0x0000000000EC0000-0x0000000000ED2000-memory.dmp

Filesize
72KB

Download
memory/4780-3790-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/4780-3788-0x0000000074F20000-0x00000000756D0000-memory.dmp

Filesize
7.7MB

Download
memory/4796-664-0x000000001CF10000-0x000000001CF86000-memory.dmp

Filesize
472KB

Download
memory/4796-666-0x0000000000B60000-0x0000000000B7E000-memory.dmp

Filesize
120KB

Download
memory/4796-214-0x000000001B7B0000-0x000000001B7C0000-memory.dmp

Filesize
64KB

Download
memory/4796-0-0x0000000000450000-0x0000000000516000-memory.dmp

Filesize
792KB

Download
memory/4796-1-0x00007FFFD68C0000-0x00007FFFD7381000-memory.dmp

Filesize
10.8MB

Download
memory/4796-33-0x000000001B7B0000-0x000000001B7C0000-memory.dmp

Filesize
64KB

Download
memory/4796-6579-0x0000000000B50000-0x0000000000B58000-memory.dmp

Filesize
32KB

Download
memory/4796-3712-0x0000000000B20000-0x0000000000B2C000-memory.dmp

Filesize
48KB

Download
memory/4796-66-0x00007FFFD68C0000-0x00007FFFD7381000-memory.dmp

Filesize
10.8MB

Download
memory/4796-665-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/4796-6640-0x00007FFFD68C0000-0x00007FFFD7381000-memory.dmp

Filesize
10.8MB

Download
memory/4892-4723-0x00007FFFF4930000-0x00007FFFF4B25000-memory.dmp

Filesize
2.0MB

Download
memory/4892-4706-0x00007FFFF4930000-0x00007FFFF4B25000-memory.dmp

Filesize
2.0MB

Download
memory/4892-4705-0x00007FFFF4930000-0x00007FFFF4B25000-memory.dmp

Filesize
2.0MB

Download
memory/4912-6611-0x00007FFFF4930000-0x00007FFFF4B25000-memory.dmp

Filesize
2.0MB

Download
memory/4916-69-0x00007FFFF4920000-0x00007FFFF4921000-memory.dmp

Filesize
4KB

Download
memory/4916-68-0x00007FFFF4930000-0x00007FFFF4B25000-memory.dmp

Filesize
2.0MB

Download
memory/4916-70-0x00007FFFF4930000-0x00007FFFF4B25000-memory.dmp

Filesize
2.0MB

Download
memory/5048-4209-0x0000000001910000-0x0000000001920000-memory.dmp

Filesize
64KB

Download
memory/5048-4276-0x0000000075070000-0x0000000075621000-memory.dmp

Filesize
5.7MB

Download
memory/5048-4208-0x0000000075070000-0x0000000075621000-memory.dmp

Filesize
5.7MB

Download
memory/5048-4210-0x0000000075070000-0x0000000075621000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads