njrat | 787cb0fab96ebe518dea4d2ebd90528db5ebf6019cb2c0d62ad77413bcd36e2d

Analysis

max time kernel
754s
max time network
762s
platform
windows10-1703_x64
resource
win10-20240214-en
resource tags

arch:x64arch:x86image:win10-20240214-enlocale:en-usos:windows10-1703-x64system
submitted
19-02-2024 15:26

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

ylyxcgqrxdhu.exe
Size

788KB
MD5

365077f348eecbc3107a2d6369d0141d
SHA1

6e29c1548ab75abae1f9e0761696901a3a345301
SHA256

b7c427180dec2c80489a11a9834ba13701a480889b25c13e9180b31ded039ec8
SHA512

8783c1b13d3128ed706559c5343fb641dbfdb26c80e33376079b94809e5c48ea40b15ff6cff247efeb3084e6846bcc03473185f1d43fa51fe8bb64fe1fe0f017
SSDEEP

12288:Hg3l6y0Wu/JX+opql2PVle8c3jyd74afRHBBLAAs/NfM3q9RNIwo:HE6Hcvjyd74oRHBdAfN03qD

Score

10^/10

njrat lammer evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

8.tcp.ngrok.io:19346

Mutex

bca7344ec33c4f045ea133b6b48694e2

Attributes

reg_key
bca7344ec33c4f045ea133b6b48694e2
splitter
|'|'|

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral19/memory/2528-632-0x0000000000D70000-0x0000000000D7A000-memory.dmp	disable_win_def

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

ylyxcgqrxdhu.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\Documents\\Sub\\xdwdClient.exe"	ylyxcgqrxdhu.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 3 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

ylyxcgqrxdhu.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ylyxcgqrxdhu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ylyxcgqrxdhu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ylyxcgqrxdhu.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

ylyxcgqrxdhu.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	ylyxcgqrxdhu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	ylyxcgqrxdhu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	ylyxcgqrxdhu.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112
Executes dropped EXE 1 IoCs

Processes:

Trojan.exe

pid process

1068 Trojan.exe

pid	process
1068	Trojan.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ylyxcgqrxdhu.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1380226425-3283293370-545244236-1000\Software\Microsoft\Windows\CurrentVersion\Run\SDLKFJHDLKHDkh = "C:\\Users\\Admin\\Documents\\Sub\\xdwdWatchDog.exe"	ylyxcgqrxdhu.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

ylyxcgqrxdhu.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua	ylyxcgqrxdhu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	ylyxcgqrxdhu.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

27 0.tcp.eu.ngrok.io
32 0.tcp.eu.ngrok.io
5 0.tcp.eu.ngrok.io
14 0.tcp.eu.ngrok.io
Suspicious use of SetThreadContext 1 IoCs

Processes:

ylyxcgqrxdhu.exe

description pid process target process

PID 2528 set thread context of 2948 2528 ylyxcgqrxdhu.exe RegAsm.exe
Drops file in Windows directory 1 IoCs

Processes:

ylyxcgqrxdhu.exe

description ioc process

File created C:\Windows\xdwd.dll ylyxcgqrxdhu.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
27	0.tcp.eu.ngrok.io
32	0.tcp.eu.ngrok.io
5	0.tcp.eu.ngrok.io
14	0.tcp.eu.ngrok.io

description	pid	process	target process
PID 2528 set thread context of 2948	2528	ylyxcgqrxdhu.exe	RegAsm.exe

description	ioc	process
File created	C:\Windows\xdwd.dll	ylyxcgqrxdhu.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ylyxcgqrxdhu.exeWmiApSrv.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2528	ylyxcgqrxdhu.exe
2528	ylyxcgqrxdhu.exe
2528	ylyxcgqrxdhu.exe
2528	ylyxcgqrxdhu.exe
2528	ylyxcgqrxdhu.exe
2528	ylyxcgqrxdhu.exe
2528	ylyxcgqrxdhu.exe
2528	ylyxcgqrxdhu.exe
2528	ylyxcgqrxdhu.exe
2528	ylyxcgqrxdhu.exe
2528	ylyxcgqrxdhu.exe
2528	ylyxcgqrxdhu.exe
2528	ylyxcgqrxdhu.exe
2528	ylyxcgqrxdhu.exe
2528	ylyxcgqrxdhu.exe
2528	ylyxcgqrxdhu.exe
2528	ylyxcgqrxdhu.exe
2528	ylyxcgqrxdhu.exe
2528	ylyxcgqrxdhu.exe
2528	ylyxcgqrxdhu.exe
2528	ylyxcgqrxdhu.exe
2528	ylyxcgqrxdhu.exe
2528	ylyxcgqrxdhu.exe
2528	ylyxcgqrxdhu.exe
4616	WmiApSrv.exe
4616	WmiApSrv.exe
4364	powershell.exe
4364	powershell.exe
4364	powershell.exe
4364	powershell.exe
4364	powershell.exe
1508	powershell.exe
1508	powershell.exe
1508	powershell.exe
4444	powershell.exe
4444	powershell.exe
4660	powershell.exe
4660	powershell.exe
1220	powershell.exe
1220	powershell.exe
1764	powershell.exe
1764	powershell.exe
1508	powershell.exe
1528	powershell.exe
1528	powershell.exe
4444	powershell.exe
4444	powershell.exe
4856	powershell.exe
4856	powershell.exe
904	powershell.exe
904	powershell.exe
4660	powershell.exe
4660	powershell.exe
344	powershell.exe
344	powershell.exe
1220	powershell.exe
1220	powershell.exe
1764	powershell.exe
1764	powershell.exe
3720	powershell.exe
3720	powershell.exe
1528	powershell.exe
1528	powershell.exe
4856	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

ylyxcgqrxdhu.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2528	ylyxcgqrxdhu.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeIncreaseQuotaPrivilege	4364	powershell.exe
Token: SeSecurityPrivilege	4364	powershell.exe
Token: SeTakeOwnershipPrivilege	4364	powershell.exe
Token: SeLoadDriverPrivilege	4364	powershell.exe
Token: SeSystemProfilePrivilege	4364	powershell.exe
Token: SeSystemtimePrivilege	4364	powershell.exe
Token: SeProfSingleProcessPrivilege	4364	powershell.exe
Token: SeIncBasePriorityPrivilege	4364	powershell.exe
Token: SeCreatePagefilePrivilege	4364	powershell.exe
Token: SeBackupPrivilege	4364	powershell.exe
Token: SeRestorePrivilege	4364	powershell.exe
Token: SeShutdownPrivilege	4364	powershell.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeSystemEnvironmentPrivilege	4364	powershell.exe
Token: SeRemoteShutdownPrivilege	4364	powershell.exe
Token: SeUndockPrivilege	4364	powershell.exe
Token: SeManageVolumePrivilege	4364	powershell.exe
Token: 33	4364	powershell.exe
Token: 34	4364	powershell.exe
Token: 35	4364	powershell.exe
Token: 36	4364	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	4660	powershell.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	4856	powershell.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	344	powershell.exe
Token: SeDebugPrivilege	3720	powershell.exe
Token: SeDebugPrivilege	496	powershell.exe
Token: SeDebugPrivilege	3280	powershell.exe
Token: SeIncreaseQuotaPrivilege	1764	powershell.exe
Token: SeSecurityPrivilege	1764	powershell.exe
Token: SeTakeOwnershipPrivilege	1764	powershell.exe
Token: SeLoadDriverPrivilege	1764	powershell.exe
Token: SeSystemProfilePrivilege	1764	powershell.exe
Token: SeSystemtimePrivilege	1764	powershell.exe
Token: SeProfSingleProcessPrivilege	1764	powershell.exe
Token: SeIncBasePriorityPrivilege	1764	powershell.exe
Token: SeCreatePagefilePrivilege	1764	powershell.exe
Token: SeBackupPrivilege	1764	powershell.exe
Token: SeRestorePrivilege	1764	powershell.exe
Token: SeShutdownPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeSystemEnvironmentPrivilege	1764	powershell.exe
Token: SeRemoteShutdownPrivilege	1764	powershell.exe
Token: SeUndockPrivilege	1764	powershell.exe
Token: SeManageVolumePrivilege	1764	powershell.exe
Token: 33	1764	powershell.exe
Token: 34	1764	powershell.exe
Token: 35	1764	powershell.exe
Token: 36	1764	powershell.exe
Token: SeIncreaseQuotaPrivilege	4444	powershell.exe
Token: SeSecurityPrivilege	4444	powershell.exe
Token: SeTakeOwnershipPrivilege	4444	powershell.exe
Token: SeLoadDriverPrivilege	4444	powershell.exe
Token: SeSystemProfilePrivilege	4444	powershell.exe
Token: SeSystemtimePrivilege	4444	powershell.exe
Token: SeProfSingleProcessPrivilege	4444	powershell.exe
Token: SeIncBasePriorityPrivilege	4444	powershell.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

ylyxcgqrxdhu.exeRegAsm.execmd.exe

description	pid	process	target process
PID 2528 wrote to memory of 4364	2528	ylyxcgqrxdhu.exe	powershell.exe
PID 2528 wrote to memory of 4364	2528	ylyxcgqrxdhu.exe	powershell.exe
PID 2528 wrote to memory of 1508	2528	ylyxcgqrxdhu.exe	powershell.exe
PID 2528 wrote to memory of 1508	2528	ylyxcgqrxdhu.exe	powershell.exe
PID 2528 wrote to memory of 4444	2528	ylyxcgqrxdhu.exe	powershell.exe
PID 2528 wrote to memory of 4444	2528	ylyxcgqrxdhu.exe	powershell.exe
PID 2528 wrote to memory of 4660	2528	ylyxcgqrxdhu.exe	powershell.exe
PID 2528 wrote to memory of 4660	2528	ylyxcgqrxdhu.exe	powershell.exe
PID 2528 wrote to memory of 1220	2528	ylyxcgqrxdhu.exe	powershell.exe
PID 2528 wrote to memory of 1220	2528	ylyxcgqrxdhu.exe	powershell.exe
PID 2528 wrote to memory of 1764	2528	ylyxcgqrxdhu.exe	powershell.exe
PID 2528 wrote to memory of 1764	2528	ylyxcgqrxdhu.exe	powershell.exe
PID 2528 wrote to memory of 1528	2528	ylyxcgqrxdhu.exe	powershell.exe
PID 2528 wrote to memory of 1528	2528	ylyxcgqrxdhu.exe	powershell.exe
PID 2528 wrote to memory of 4856	2528	ylyxcgqrxdhu.exe	powershell.exe
PID 2528 wrote to memory of 4856	2528	ylyxcgqrxdhu.exe	powershell.exe
PID 2528 wrote to memory of 904	2528	ylyxcgqrxdhu.exe	powershell.exe
PID 2528 wrote to memory of 904	2528	ylyxcgqrxdhu.exe	powershell.exe
PID 2528 wrote to memory of 344	2528	ylyxcgqrxdhu.exe	powershell.exe
PID 2528 wrote to memory of 344	2528	ylyxcgqrxdhu.exe	powershell.exe
PID 2528 wrote to memory of 3720	2528	ylyxcgqrxdhu.exe	powershell.exe
PID 2528 wrote to memory of 3720	2528	ylyxcgqrxdhu.exe	powershell.exe
PID 2528 wrote to memory of 496	2528	ylyxcgqrxdhu.exe	powershell.exe
PID 2528 wrote to memory of 496	2528	ylyxcgqrxdhu.exe	powershell.exe
PID 2528 wrote to memory of 3280	2528	ylyxcgqrxdhu.exe	powershell.exe
PID 2528 wrote to memory of 3280	2528	ylyxcgqrxdhu.exe	powershell.exe
PID 2528 wrote to memory of 2948	2528	ylyxcgqrxdhu.exe	RegAsm.exe
PID 2528 wrote to memory of 2948	2528	ylyxcgqrxdhu.exe	RegAsm.exe
PID 2528 wrote to memory of 2948	2528	ylyxcgqrxdhu.exe	RegAsm.exe
PID 2528 wrote to memory of 2948	2528	ylyxcgqrxdhu.exe	RegAsm.exe
PID 2528 wrote to memory of 2948	2528	ylyxcgqrxdhu.exe	RegAsm.exe
PID 2528 wrote to memory of 2948	2528	ylyxcgqrxdhu.exe	RegAsm.exe
PID 2528 wrote to memory of 2948	2528	ylyxcgqrxdhu.exe	RegAsm.exe
PID 2528 wrote to memory of 2948	2528	ylyxcgqrxdhu.exe	RegAsm.exe
PID 2948 wrote to memory of 1068	2948	RegAsm.exe	Trojan.exe
PID 2948 wrote to memory of 1068	2948	RegAsm.exe	Trojan.exe
PID 2948 wrote to memory of 1068	2948	RegAsm.exe	Trojan.exe
PID 2528 wrote to memory of 2956	2528	ylyxcgqrxdhu.exe	cmd.exe
PID 2528 wrote to memory of 2956	2528	ylyxcgqrxdhu.exe	cmd.exe
PID 2956 wrote to memory of 3700	2956	cmd.exe	powershell.exe
PID 2956 wrote to memory of 3700	2956	cmd.exe	powershell.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

ylyxcgqrxdhu.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	ylyxcgqrxdhu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	ylyxcgqrxdhu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	ylyxcgqrxdhu.exe

C:\Users\Admin\AppData\Local\Temp\ylyxcgqrxdhu.exe
"C:\Users\Admin\AppData\Local\Temp\ylyxcgqrxdhu.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2948

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
3⤵
- Executes dropped EXE
PID:1068

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\y0wvna4r.5rw.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\y0wvna4r.5rw.exe"'
3⤵
PID:3700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Shutdown /s /f /t 00
2⤵
PID:2352

C:\Windows\system32\shutdown.exe
Shutdown /s /f /t 00
3⤵
PID:1604

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4616

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3af0855 /state1:0x41c64e6d
1⤵
PID:3280

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
bfd1a0e2e037001cad5fca663e175f71

SHA1
ce665dbc90dc357e0d43dee0ac2b5161c425377e

SHA256
687c20d1b472277ee628f61139cc451a3cbcb95db3065bb7f7e83a1c688c2e09

SHA512
125617a745a1abcff848cd21402dc01eb4005c2301bb37d3015fc56f437845b311445bff64530f9a31bf8671eb244b2bb208f32dd495aae7efda74b47089cd87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c7e87ecdae95fe45c2c4d8463d3e886d

SHA1
2075184ae0f75a854d6861045db1112e771eac86

SHA256
b337a4eafa087754abc5a07bb3bca59e5eae46ed44b0e277a87d4e18f376eb50

SHA512
6b23932c63b6904c4c72cdb44ee96557d7e55847b550e4ca39cf08f22f28b131a0246141da5e176542818bdeffff74fd6f8efc66ddab3cc9ce169734ac561eed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7bf1e40fe6e65090d645700a84733c42

SHA1
8fc07406c83afc5618dda035a5eca62148f15a89

SHA256
520109669e71c248243b703fbf2c65aae20ca2eb847393aab850b8ed86387546

SHA512
331e071de104a6165bc94aff049d83b10ec862ec644cae4c561ff471eeefdd01739c67a0cf20a9470fa997bdc569fd533ebed9f49197b89a061bc07f3f2e898b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1312fa0bf7a1da48c5a6d8c71287fc20

SHA1
d51c12839e73f471abc0e78063fe6c43699bffdd

SHA256
8cab9a1bcfb2c390a48ea62247bcf7be3a2d4f89900dc96f6fb9e6a8ba396851

SHA512
38fc75e2e3dac1d8460353d0f22d324da278884f64b036cf342be3581fe06c5fb2fd755d8aa8b49e627c12db7a22b0edc7d562a8d6ec3811d8f459869e636766

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9efaa8cb826eaf328b197843c662736c

SHA1
38e349628eadcf2e46c46b3965524a4fa1caf8fe

SHA256
97c0bd89058aaeb4ceb8e53ad45f98ac1f68f81c030f02442abaa4cf631184df

SHA512
66e72261990f797f94b6db0efa2df7cdf73dace599672eeae2b42cdb05f2e90fb6dbf0cfde83b3dbc2237f2ef4f2ae98d8cf5e4ed49110aa69ff4513d9537d14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
40c9826662c3f0f35a5690ea27472884

SHA1
74a530bfd2c88564e9d6752d5db3ee9cf62ffa3a

SHA256
5f79ea39719399de10220eec2d384340a0b90edfff4b92f34304867559e89c62

SHA512
de5e794f2fbf9cf7f39086a3ad9173a9a3b5e448778092d9d58393618e9b8bac02f098cb346b25985a224ac0aed5b0775b1d5bcd563308ebffa238cfa6be7cc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3595b1e9a7bfed45540207e016520a92

SHA1
87e9a16eb02e3cf1113d7d5ca901c6f8c1b33779

SHA256
48ee6400f6df56eaaf769acb8ef24fb47767c0b1441d98141e3781f4dce51293

SHA512
97fd9f8c5a7103f394ab4f8615e9b1e6ecefe10e79ee0d68c8567802417698a2aad39737c8114ca44d348c80e4e6f2dbb62771f464d37efe9c527cc3913d4e6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ac72a2251be64e95470f9b21561f5361

SHA1
17e3b0cc6b3ab1c675bd63eebf013024773406b6

SHA256
42eb6b3197b49c01f2c76119d568a821bdaa245fcdf8aae4ddb3f92bf4a30fb6

SHA512
990d9af0b60b43ef1ca28051135be7d645b67d1623319023ce7ba95a7c96d281add9a2c0c43d533156d3d53a1ec62295a00fe7acaf4097472fd6e04b20ad1548

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4ca569f2da9c43b8b7f07e462ba30a67

SHA1
62a31a86cb76d3214bc08e2eb00925f1ed5f1e6c

SHA256
ea81211dba2a41971d55467bfdde34b6b91348e0356d7f943c54ad2e7d4bbf1c

SHA512
1cc9c99e493144858271aaa1cb4c30aaa17b27a60077e5bf36120a19c2400e5f6ff314f2c18666728da2d825e4423ca7bc36a2b85c0c1fd0ccb20c6b51cb4681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d3a8417d751cc0ab667e42685a11b356

SHA1
599ea5c26b1a17d0539b18421bb3dc93e94e92a2

SHA256
fa0d807840b9f1bb6e33d99a5ad1d9f67570514bfd3e85e44c14a8202fa7e4d9

SHA512
9b85bc569a531663754047eaee39c5b3ad47781880f9656e1dbf2597950d5daba4a721a1c8765d8cd2487814776150d65e8294a06ce50cba4ba5affdec329e58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c96e50da4af668f4d2c65e081c597eae

SHA1
e2110c423aa73950e11f8fc7e83191d37fc4a493

SHA256
0bf24f0c41df6be43aa4213031a7acf86ee4ddb039f28f8b66139de29be48852

SHA512
ac261182e1216bb9f998be76a35e3df12dec1b18a2bf06301ccf6473e23ed0d781297aeea0ca41cf0aff9b6e34a073601b46cc368eced08844d8b45b2de61b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c5fge51a.wkm.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Documents\Sub\xdwdClient.exe
Filesize
788KB

MD5
365077f348eecbc3107a2d6369d0141d

SHA1
6e29c1548ab75abae1f9e0761696901a3a345301

SHA256
b7c427180dec2c80489a11a9834ba13701a480889b25c13e9180b31ded039ec8

SHA512
8783c1b13d3128ed706559c5343fb641dbfdb26c80e33376079b94809e5c48ea40b15ff6cff247efeb3084e6846bcc03473185f1d43fa51fe8bb64fe1fe0f017

Download Submit
C:\Windows\xdwd.dll
Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/344-841-0x00007FFD0BA40000-0x00007FFD0BC1B000-memory.dmp

Filesize
1.9MB

Download
memory/344-862-0x00000254EFE20000-0x00000254EFE30000-memory.dmp

Filesize
64KB

Download
memory/496-872-0x00007FFD0BA40000-0x00007FFD0BC1B000-memory.dmp

Filesize
1.9MB

Download
memory/496-874-0x00007FFCEEE60000-0x00007FFCEF84C000-memory.dmp

Filesize
9.9MB

Download
memory/496-900-0x000001B45BE20000-0x000001B45BE30000-memory.dmp

Filesize
64KB

Download
memory/904-816-0x00007FFD0BA40000-0x00007FFD0BC1B000-memory.dmp

Filesize
1.9MB

Download
memory/904-861-0x0000024B37D30000-0x0000024B37D40000-memory.dmp

Filesize
64KB

Download
memory/904-818-0x00007FFD0BA40000-0x00007FFD0BC1B000-memory.dmp

Filesize
1.9MB

Download
memory/904-830-0x00007FFCEEE60000-0x00007FFCEF84C000-memory.dmp

Filesize
9.9MB

Download
memory/1220-756-0x00007FFD0BA40000-0x00007FFD0BC1B000-memory.dmp

Filesize
1.9MB

Download
memory/1220-798-0x000002C83A050000-0x000002C83A060000-memory.dmp

Filesize
64KB

Download
memory/1220-777-0x00007FFD0BA40000-0x00007FFD0BC1B000-memory.dmp

Filesize
1.9MB

Download
memory/1220-800-0x000002C83A050000-0x000002C83A060000-memory.dmp

Filesize
64KB

Download
memory/1220-785-0x00007FFCEEE60000-0x00007FFCEF84C000-memory.dmp

Filesize
9.9MB

Download
memory/1508-747-0x00007FFCEEE60000-0x00007FFCEF84C000-memory.dmp

Filesize
9.9MB

Download
memory/1508-745-0x00007FFD0BA40000-0x00007FFD0BC1B000-memory.dmp

Filesize
1.9MB

Download
memory/1508-753-0x0000022D318E0000-0x0000022D318F0000-memory.dmp

Filesize
64KB

Download
memory/1508-751-0x0000022D318E0000-0x0000022D318F0000-memory.dmp

Filesize
64KB

Download
memory/1508-743-0x00007FFD0BA40000-0x00007FFD0BC1B000-memory.dmp

Filesize
1.9MB

Download
memory/1528-805-0x00007FFCEEE60000-0x00007FFCEF84C000-memory.dmp

Filesize
9.9MB

Download
memory/1528-796-0x00007FFD0BA40000-0x00007FFD0BC1B000-memory.dmp

Filesize
1.9MB

Download
memory/1528-822-0x00000171480D0000-0x00000171480E0000-memory.dmp

Filesize
64KB

Download
memory/1764-765-0x00007FFD0BA40000-0x00007FFD0BC1B000-memory.dmp

Filesize
1.9MB

Download
memory/1764-793-0x00007FFCEEE60000-0x00007FFCEF84C000-memory.dmp

Filesize
9.9MB

Download
memory/1764-814-0x000001CF70EE0000-0x000001CF70EF0000-memory.dmp

Filesize
64KB

Download
memory/1764-787-0x00007FFD0BA40000-0x00007FFD0BC1B000-memory.dmp

Filesize
1.9MB

Download
memory/2528-631-0x0000000000F20000-0x0000000000F96000-memory.dmp

Filesize
472KB

Download
memory/2528-0-0x00000000006D0000-0x000000000079C000-memory.dmp

Filesize
816KB

Download
memory/2528-633-0x0000000000DA0000-0x0000000000DBE000-memory.dmp

Filesize
120KB

Download
memory/2528-632-0x0000000000D70000-0x0000000000D7A000-memory.dmp

Filesize
40KB

Download
memory/2528-208-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2528-67-0x00007FFCEEE60000-0x00007FFCEF84C000-memory.dmp

Filesize
9.9MB

Download
memory/2528-33-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/2528-1-0x00007FFCEEE60000-0x00007FFCEF84C000-memory.dmp

Filesize
9.9MB

Download
memory/2948-4219-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3280-895-0x00007FFD0BA40000-0x00007FFD0BC1B000-memory.dmp

Filesize
1.9MB

Download
memory/3720-888-0x0000019C7AE90000-0x0000019C7AEA0000-memory.dmp

Filesize
64KB

Download
memory/3720-882-0x0000019C7AE90000-0x0000019C7AEA0000-memory.dmp

Filesize
64KB

Download
memory/3720-860-0x00007FFD0BA40000-0x00007FFD0BC1B000-memory.dmp

Filesize
1.9MB

Download
memory/4364-698-0x00007FFCEEE60000-0x00007FFCEF84C000-memory.dmp

Filesize
9.9MB

Download
memory/4364-694-0x00007FFD0BA40000-0x00007FFD0BC1B000-memory.dmp

Filesize
1.9MB

Download
memory/4364-696-0x00007FFD0B8E0000-0x00007FFD0B8E1000-memory.dmp

Filesize
4KB

Download
memory/4364-695-0x00007FFD0BA40000-0x00007FFD0BC1B000-memory.dmp

Filesize
1.9MB

Download
memory/4364-697-0x00000170EA250000-0x00000170EA272000-memory.dmp

Filesize
136KB

Download
memory/4364-700-0x00000170EA100000-0x00000170EA110000-memory.dmp

Filesize
64KB

Download
memory/4364-699-0x00000170EA100000-0x00000170EA110000-memory.dmp

Filesize
64KB

Download
memory/4364-715-0x00000170EA100000-0x00000170EA110000-memory.dmp

Filesize
64KB

Download
memory/4364-739-0x00007FFD0BA40000-0x00007FFD0BC1B000-memory.dmp

Filesize
1.9MB

Download
memory/4364-740-0x00007FFCEEE60000-0x00007FFCEF84C000-memory.dmp

Filesize
9.9MB

Download
memory/4444-768-0x00007FFD0BA40000-0x00007FFD0BC1B000-memory.dmp

Filesize
1.9MB

Download
memory/4444-759-0x0000022419C40000-0x0000022419C50000-memory.dmp

Filesize
64KB

Download
memory/4444-748-0x00007FFD0BA40000-0x00007FFD0BC1B000-memory.dmp

Filesize
1.9MB

Download
memory/4444-772-0x00007FFCEEE60000-0x00007FFCEF84C000-memory.dmp

Filesize
9.9MB

Download
memory/4444-780-0x0000022419C40000-0x0000022419C50000-memory.dmp

Filesize
64KB

Download
memory/4616-38-0x00007FFD0BA40000-0x00007FFD0BC1B000-memory.dmp

Filesize
1.9MB

Download
memory/4616-36-0x00007FFD0BA40000-0x00007FFD0BC1B000-memory.dmp

Filesize
1.9MB

Download
memory/4616-37-0x00007FFD0BA30000-0x00007FFD0BA31000-memory.dmp

Filesize
4KB

Download
memory/4616-35-0x00007FFD0BA40000-0x00007FFD0BC1B000-memory.dmp

Filesize
1.9MB

Download
memory/4660-755-0x00007FFD0BA40000-0x00007FFD0BC1B000-memory.dmp

Filesize
1.9MB

Download
memory/4660-763-0x00007FFCEEE60000-0x00007FFCEF84C000-memory.dmp

Filesize
9.9MB

Download
memory/4660-775-0x00007FFD0BA40000-0x00007FFD0BC1B000-memory.dmp

Filesize
1.9MB

Download
memory/4660-788-0x000001A5F5E20000-0x000001A5F5E30000-memory.dmp

Filesize
64KB

Download
memory/4856-808-0x00007FFD0BA40000-0x00007FFD0BC1B000-memory.dmp

Filesize
1.9MB

Download
memory/4856-859-0x000001475AD20000-0x000001475AD30000-memory.dmp

Filesize
64KB

Download
memory/4856-811-0x00007FFD0BA40000-0x00007FFD0BC1B000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads