njrat | 787cb0fab96ebe518dea4d2ebd90528db5ebf6019cb2c0d62ad77413bcd36e2d

Analysis

max time kernel
753s
max time network
763s
platform
windows10-1703_x64
resource
win10-20240214-en
resource tags

arch:x64arch:x86image:win10-20240214-enlocale:en-usos:windows10-1703-x64system
submitted
19-02-2024 15:26

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

jldfefkrpayl.exe
Size

778KB
MD5

4bb30012aaf74f260f455c79615cac5d
SHA1

eeb77e509d86bdac5325c1152bf9c89d6b16bec2
SHA256

686e4b531fb9f5d3db659a5a410e5450ced562758d8a85754cb0b4f0bc3469c1
SHA512

469ec5b3f19e6e81cc6325fd53519de3884e09bd9b0bdd25ae948b6cf974aa1e7abeaf12d767cdff2d873bcaf7233dfddbf029bdfe19639ff1a3433a91e64f4d
SSDEEP

12288:71UpeAQXl+jmPVle82J+IBXEhZPNNBZuNfM3q9RNIwo:7qeVXlsXUI1EhZlNyN03qD

Score

10^/10

njrat lammer evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

8.tcp.ngrok.io:19346

Mutex

bca7344ec33c4f045ea133b6b48694e2

Attributes

reg_key
bca7344ec33c4f045ea133b6b48694e2
splitter
|'|'|

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral5/memory/3968-632-0x0000000000D90000-0x0000000000D9A000-memory.dmp	disable_win_def

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

jldfefkrpayl.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\Documents\\Sub\\xdwdClient.exe"	jldfefkrpayl.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 3 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

jldfefkrpayl.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jldfefkrpayl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jldfefkrpayl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jldfefkrpayl.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

jldfefkrpayl.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	jldfefkrpayl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	jldfefkrpayl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	jldfefkrpayl.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112
Executes dropped EXE 1 IoCs

Processes:

Trojan.exe

pid process

4352 Trojan.exe

pid	process
4352	Trojan.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

jldfefkrpayl.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1380226425-3283293370-545244236-1000\Software\Microsoft\Windows\CurrentVersion\Run\SDLKFJHDLKHDkh = "C:\\Users\\Admin\\Documents\\Sub\\xdwdWatchDog.exe"	jldfefkrpayl.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

jldfefkrpayl.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua	jldfefkrpayl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	jldfefkrpayl.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

44 0.tcp.eu.ngrok.io
2 0.tcp.eu.ngrok.io
8 0.tcp.eu.ngrok.io
18 0.tcp.eu.ngrok.io
Suspicious use of SetThreadContext 1 IoCs

Processes:

jldfefkrpayl.exe

description pid process target process

PID 3968 set thread context of 4336 3968 jldfefkrpayl.exe RegAsm.exe
Drops file in Windows directory 1 IoCs

Processes:

jldfefkrpayl.exe

description ioc process

File created C:\Windows\xdwd.dll jldfefkrpayl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
44	0.tcp.eu.ngrok.io
2	0.tcp.eu.ngrok.io
8	0.tcp.eu.ngrok.io
18	0.tcp.eu.ngrok.io

description	pid	process	target process
PID 3968 set thread context of 4336	3968	jldfefkrpayl.exe	RegAsm.exe

description	ioc	process
File created	C:\Windows\xdwd.dll	jldfefkrpayl.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

jldfefkrpayl.exeWmiApSrv.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3968	jldfefkrpayl.exe
3968	jldfefkrpayl.exe
3968	jldfefkrpayl.exe
3968	jldfefkrpayl.exe
3968	jldfefkrpayl.exe
3968	jldfefkrpayl.exe
3968	jldfefkrpayl.exe
3968	jldfefkrpayl.exe
3968	jldfefkrpayl.exe
3968	jldfefkrpayl.exe
3968	jldfefkrpayl.exe
3968	jldfefkrpayl.exe
3968	jldfefkrpayl.exe
3968	jldfefkrpayl.exe
3968	jldfefkrpayl.exe
3968	jldfefkrpayl.exe
3968	jldfefkrpayl.exe
3968	jldfefkrpayl.exe
3968	jldfefkrpayl.exe
3968	jldfefkrpayl.exe
3968	jldfefkrpayl.exe
3968	jldfefkrpayl.exe
3968	jldfefkrpayl.exe
3968	jldfefkrpayl.exe
4968	WmiApSrv.exe
4968	WmiApSrv.exe
428	powershell.exe
428	powershell.exe
428	powershell.exe
428	powershell.exe
428	powershell.exe
648	powershell.exe
648	powershell.exe
4148	powershell.exe
4148	powershell.exe
1132	powershell.exe
1132	powershell.exe
1120	powershell.exe
1120	powershell.exe
3156	powershell.exe
3156	powershell.exe
648	powershell.exe
648	powershell.exe
4148	powershell.exe
4148	powershell.exe
3612	powershell.exe
3612	powershell.exe
712	powershell.exe
712	powershell.exe
2372	powershell.exe
2372	powershell.exe
1132	powershell.exe
1132	powershell.exe
3156	powershell.exe
3156	powershell.exe
308	powershell.exe
308	powershell.exe
4516	powershell.exe
4516	powershell.exe
3612	powershell.exe
3612	powershell.exe
4544	powershell.exe
4544	powershell.exe
4520	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

jldfefkrpayl.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3968	jldfefkrpayl.exe
Token: SeDebugPrivilege	428	powershell.exe
Token: SeIncreaseQuotaPrivilege	428	powershell.exe
Token: SeSecurityPrivilege	428	powershell.exe
Token: SeTakeOwnershipPrivilege	428	powershell.exe
Token: SeLoadDriverPrivilege	428	powershell.exe
Token: SeSystemProfilePrivilege	428	powershell.exe
Token: SeSystemtimePrivilege	428	powershell.exe
Token: SeProfSingleProcessPrivilege	428	powershell.exe
Token: SeIncBasePriorityPrivilege	428	powershell.exe
Token: SeCreatePagefilePrivilege	428	powershell.exe
Token: SeBackupPrivilege	428	powershell.exe
Token: SeRestorePrivilege	428	powershell.exe
Token: SeShutdownPrivilege	428	powershell.exe
Token: SeDebugPrivilege	428	powershell.exe
Token: SeSystemEnvironmentPrivilege	428	powershell.exe
Token: SeRemoteShutdownPrivilege	428	powershell.exe
Token: SeUndockPrivilege	428	powershell.exe
Token: SeManageVolumePrivilege	428	powershell.exe
Token: 33	428	powershell.exe
Token: 34	428	powershell.exe
Token: 35	428	powershell.exe
Token: 36	428	powershell.exe
Token: SeDebugPrivilege	648	powershell.exe
Token: SeDebugPrivilege	4148	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	3156	powershell.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	3612	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	712	powershell.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	308	powershell.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeDebugPrivilege	4520	powershell.exe
Token: SeIncreaseQuotaPrivilege	3156	powershell.exe
Token: SeSecurityPrivilege	3156	powershell.exe
Token: SeTakeOwnershipPrivilege	3156	powershell.exe
Token: SeLoadDriverPrivilege	3156	powershell.exe
Token: SeSystemProfilePrivilege	3156	powershell.exe
Token: SeSystemtimePrivilege	3156	powershell.exe
Token: SeProfSingleProcessPrivilege	3156	powershell.exe
Token: SeIncBasePriorityPrivilege	3156	powershell.exe
Token: SeCreatePagefilePrivilege	3156	powershell.exe
Token: SeBackupPrivilege	3156	powershell.exe
Token: SeRestorePrivilege	3156	powershell.exe
Token: SeShutdownPrivilege	3156	powershell.exe
Token: SeDebugPrivilege	3156	powershell.exe
Token: SeSystemEnvironmentPrivilege	3156	powershell.exe
Token: SeRemoteShutdownPrivilege	3156	powershell.exe
Token: SeUndockPrivilege	3156	powershell.exe
Token: SeManageVolumePrivilege	3156	powershell.exe
Token: 33	3156	powershell.exe
Token: 34	3156	powershell.exe
Token: 35	3156	powershell.exe
Token: 36	3156	powershell.exe
Token: SeIncreaseQuotaPrivilege	648	powershell.exe
Token: SeSecurityPrivilege	648	powershell.exe
Token: SeTakeOwnershipPrivilege	648	powershell.exe
Token: SeLoadDriverPrivilege	648	powershell.exe
Token: SeSystemProfilePrivilege	648	powershell.exe
Token: SeSystemtimePrivilege	648	powershell.exe
Token: SeProfSingleProcessPrivilege	648	powershell.exe
Token: SeIncBasePriorityPrivilege	648	powershell.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

jldfefkrpayl.exeRegAsm.execmd.exe

description	pid	process	target process
PID 3968 wrote to memory of 428	3968	jldfefkrpayl.exe	powershell.exe
PID 3968 wrote to memory of 428	3968	jldfefkrpayl.exe	powershell.exe
PID 3968 wrote to memory of 648	3968	jldfefkrpayl.exe	powershell.exe
PID 3968 wrote to memory of 648	3968	jldfefkrpayl.exe	powershell.exe
PID 3968 wrote to memory of 4148	3968	jldfefkrpayl.exe	powershell.exe
PID 3968 wrote to memory of 4148	3968	jldfefkrpayl.exe	powershell.exe
PID 3968 wrote to memory of 1120	3968	jldfefkrpayl.exe	powershell.exe
PID 3968 wrote to memory of 1120	3968	jldfefkrpayl.exe	powershell.exe
PID 3968 wrote to memory of 1132	3968	jldfefkrpayl.exe	powershell.exe
PID 3968 wrote to memory of 1132	3968	jldfefkrpayl.exe	powershell.exe
PID 3968 wrote to memory of 3156	3968	jldfefkrpayl.exe	powershell.exe
PID 3968 wrote to memory of 3156	3968	jldfefkrpayl.exe	powershell.exe
PID 3968 wrote to memory of 3612	3968	jldfefkrpayl.exe	powershell.exe
PID 3968 wrote to memory of 3612	3968	jldfefkrpayl.exe	powershell.exe
PID 3968 wrote to memory of 712	3968	jldfefkrpayl.exe	powershell.exe
PID 3968 wrote to memory of 712	3968	jldfefkrpayl.exe	powershell.exe
PID 3968 wrote to memory of 2372	3968	jldfefkrpayl.exe	powershell.exe
PID 3968 wrote to memory of 2372	3968	jldfefkrpayl.exe	powershell.exe
PID 3968 wrote to memory of 308	3968	jldfefkrpayl.exe	powershell.exe
PID 3968 wrote to memory of 308	3968	jldfefkrpayl.exe	powershell.exe
PID 3968 wrote to memory of 4516	3968	jldfefkrpayl.exe	powershell.exe
PID 3968 wrote to memory of 4516	3968	jldfefkrpayl.exe	powershell.exe
PID 3968 wrote to memory of 4544	3968	jldfefkrpayl.exe	powershell.exe
PID 3968 wrote to memory of 4544	3968	jldfefkrpayl.exe	powershell.exe
PID 3968 wrote to memory of 4520	3968	jldfefkrpayl.exe	powershell.exe
PID 3968 wrote to memory of 4520	3968	jldfefkrpayl.exe	powershell.exe
PID 3968 wrote to memory of 4336	3968	jldfefkrpayl.exe	RegAsm.exe
PID 3968 wrote to memory of 4336	3968	jldfefkrpayl.exe	RegAsm.exe
PID 3968 wrote to memory of 4336	3968	jldfefkrpayl.exe	RegAsm.exe
PID 3968 wrote to memory of 4336	3968	jldfefkrpayl.exe	RegAsm.exe
PID 3968 wrote to memory of 4336	3968	jldfefkrpayl.exe	RegAsm.exe
PID 3968 wrote to memory of 4336	3968	jldfefkrpayl.exe	RegAsm.exe
PID 3968 wrote to memory of 4336	3968	jldfefkrpayl.exe	RegAsm.exe
PID 3968 wrote to memory of 4336	3968	jldfefkrpayl.exe	RegAsm.exe
PID 4336 wrote to memory of 4352	4336	RegAsm.exe	Trojan.exe
PID 4336 wrote to memory of 4352	4336	RegAsm.exe	Trojan.exe
PID 4336 wrote to memory of 4352	4336	RegAsm.exe	Trojan.exe
PID 3968 wrote to memory of 3676	3968	jldfefkrpayl.exe	cmd.exe
PID 3968 wrote to memory of 3676	3968	jldfefkrpayl.exe	cmd.exe
PID 3676 wrote to memory of 708	3676	cmd.exe	powershell.exe
PID 3676 wrote to memory of 708	3676	cmd.exe	powershell.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

jldfefkrpayl.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	jldfefkrpayl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	jldfefkrpayl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	jldfefkrpayl.exe

C:\Users\Admin\AppData\Local\Temp\jldfefkrpayl.exe
"C:\Users\Admin\AppData\Local\Temp\jldfefkrpayl.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4336

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
3⤵
- Executes dropped EXE
PID:4352

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\a1mwglmc.fat.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\a1mwglmc.fat.exe"'
3⤵
PID:708

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Shutdown /s /f /t 00
2⤵
PID:4388

C:\Windows\system32\shutdown.exe
Shutdown /s /f /t 00
3⤵
PID:5816

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4968

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3af2055 /state1:0x41c64e6d
1⤵
PID:5892

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
169c2d0fe2c18d3f842e9a88a41b0a15

SHA1
cc6621debed19c5837070c5e41aff6148e9205c5

SHA256
3fe4bf246f144835db1641de82ca985a8c845f1ff16e8ca0456a7af824a09ef3

SHA512
316ca1004aed3bd8d1c03748a55e3179274e33f50613bc2ffc247018302893ec4b802290bb7ce67c2aff24cf408f83a14ffa6c66c269091eef2e693694d4af81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
37c72a7595f2d884504a7ee1d5cda722

SHA1
2156c83d03ec25a9da5af75cd2874c9742081334

SHA256
464a1e7e617541f0cf9a45a23d286a28911a0c03250f55ae0c3f2453ded2ec42

SHA512
ba79d366d236b2368dc5381cde899986b74c49bbe09b181bc9d7b14a9f992fc5f758efcb8df5d002f16e484fd003af73fbfe0237dc10d5efed05f18177127d68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b89f99ff6c1912474bccf0efb06fd799

SHA1
e4a1f9bc665190bdd7fd634e000546636938275b

SHA256
42748086ab85efd97672a8c54deb4056e4b8c9d2c28f42321ac4059aebd940ce

SHA512
baa2c29a6f34ac9be546b1d2b21ef53536915b1b980672d1cc27cfdd9d9196fb96a9a46c78f189b8584342f5f3e87178b538e06133a4a187cf65a95bbb8a5949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9672c6b0f96536425355074a9ad317d8

SHA1
9eb892ec123d94e1345a75ba0c62aa7dfdbf39e5

SHA256
46c6782225efafb4ee1f38de0af3370a31e44d90592adbe291b7aab6dc59660c

SHA512
c63d44c423631c665dc7dd9632b239070fe9876337e4a221dc2fa4f208edc806e3512d70bc681365100996598d576268c51c14795af94938cbe927f7cab3c141

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0fb72cb45d302e59d844fd05c8613cd7

SHA1
d3bc7fc178ed160abe217cc538d21d5065f71683

SHA256
fd48ec366b40102be98c5d52e08a378001cd215e6a17957ec5278b213d2a74a0

SHA512
600ef7918336818270e414f43abde6973b1f846c724b8acc46fb83f073a7e01b2d485968121e8761f6bca324391fc6176c9af5d1c1a11ae05c5d6c798e9fe278

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1e14574e39c7766b28853d3ca07594db

SHA1
e5a2e7d886afdf227620d3c852b803878243d3eb

SHA256
4980d4358e9c3e98e67194f7a141c983e05f2ab436dc984e2a13b0b9c1ec2ccb

SHA512
808eae9c48aabc2500295f58f88cd8e54f29eca7e4f4ebc460269ea1ebcf1b61263f160897517dc098d0881a054615fc9652e055736331286eff421d12a670b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c88dd6c3b7029dadd5da0d0eb3d703af

SHA1
d8e94d496ef54dcf3fd171124305fe736a54c17f

SHA256
7f70603290344d018a0ebc3c1605b36ccfa4c872eac806ad2f784f913464da0f

SHA512
8968c49a175e543abd173a75f952b308654af72680a335d01bb1e46e22ac17eada2541ff03f269b88db742ddc31435c313110d4081121a4f10a0ce3419ad04db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
74233cd1bc6c521f411efa4833bc7f8e

SHA1
73f492bbeb870d20ae6aa55fdaa1ed3e026a81cb

SHA256
deb922ed3c7849317dde52d29bcb6d8e6951a9a6bacf3687f6a5e5ea66383477

SHA512
6dea6182db449bd2a860e4b0806dea64fbffb3060c924c05d3ab8363ddd43a73869ab284467028b5e42ffec1b0f12cfda398a75d00271acf27aade12f3e892e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
060fd6752b0bc840a23d56f77502fdfb

SHA1
e7914da455b8673702374f61d7fbc7ae32f1f4bf

SHA256
74abfae22c760c9fd8df56028f795718c0cdb4de5aee4780cbcee09d740cd4d2

SHA512
3c995dda01dff57cd2820cd308b4297aac4578fbd82cdfb458dfd81cca0123cf5e474db22bf8c6808746ec4ba15aa97f535cc8affcde8c459ca7de8f3671ac80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
aeedeecf955870375e443f0fa5c7ab7d

SHA1
c4b963e46be5a6d0f25f6a3d1705f4ad4a42ed42

SHA256
ba07efd1a43eb2758e60ddd361b1c62a69a33491e1c8d263005b654db55b3055

SHA512
393730fee5366858460e93fd3052a498f1542f8b57e4f9ec05f163b6b4455f081ef48e4071d3b0f16ed3a0dd3b92548404b640de5cc0ac7f652aba52cb22da7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i5rdv1xb.upl.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Documents\Sub\xdwdClient.exe
Filesize
778KB

MD5
4bb30012aaf74f260f455c79615cac5d

SHA1
eeb77e509d86bdac5325c1152bf9c89d6b16bec2

SHA256
686e4b531fb9f5d3db659a5a410e5450ced562758d8a85754cb0b4f0bc3469c1

SHA512
469ec5b3f19e6e81cc6325fd53519de3884e09bd9b0bdd25ae948b6cf974aa1e7abeaf12d767cdff2d873bcaf7233dfddbf029bdfe19639ff1a3433a91e64f4d

Download Submit
C:\Windows\xdwd.dll
Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/308-811-0x00007FFB64000000-0x00007FFB641DB000-memory.dmp

Filesize
1.9MB

Download
memory/308-808-0x00007FFB64000000-0x00007FFB641DB000-memory.dmp

Filesize
1.9MB

Download
memory/308-840-0x000001B3F6B60000-0x000001B3F6B70000-memory.dmp

Filesize
64KB

Download
memory/428-715-0x00000251EC0F0000-0x00000251EC100000-memory.dmp

Filesize
64KB

Download
memory/428-683-0x00000251EDC80000-0x00000251EDCA2000-memory.dmp

Filesize
136KB

Download
memory/428-689-0x00007FFB47420000-0x00007FFB47E0C000-memory.dmp

Filesize
9.9MB

Download
memory/428-691-0x00000251EC0F0000-0x00000251EC100000-memory.dmp

Filesize
64KB

Download
memory/428-680-0x00007FFB64000000-0x00007FFB641DB000-memory.dmp

Filesize
1.9MB

Download
memory/428-740-0x00007FFB47420000-0x00007FFB47E0C000-memory.dmp

Filesize
9.9MB

Download
memory/428-739-0x00007FFB64000000-0x00007FFB641DB000-memory.dmp

Filesize
1.9MB

Download
memory/428-679-0x00007FFB64000000-0x00007FFB641DB000-memory.dmp

Filesize
1.9MB

Download
memory/428-692-0x00000251EC0F0000-0x00000251EC100000-memory.dmp

Filesize
64KB

Download
memory/428-682-0x00007FFB63FF0000-0x00007FFB63FF1000-memory.dmp

Filesize
4KB

Download
memory/648-752-0x00000240F04D0000-0x00000240F04E0000-memory.dmp

Filesize
64KB

Download
memory/648-745-0x00007FFB64000000-0x00007FFB641DB000-memory.dmp

Filesize
1.9MB

Download
memory/648-750-0x00000240F04D0000-0x00000240F04E0000-memory.dmp

Filesize
64KB

Download
memory/648-743-0x00007FFB64000000-0x00007FFB641DB000-memory.dmp

Filesize
1.9MB

Download
memory/648-747-0x00007FFB47420000-0x00007FFB47E0C000-memory.dmp

Filesize
9.9MB

Download
memory/712-791-0x00007FFB64000000-0x00007FFB641DB000-memory.dmp

Filesize
1.9MB

Download
memory/712-820-0x0000021569BF0000-0x0000021569C00000-memory.dmp

Filesize
64KB

Download
memory/1120-767-0x00007FFB64000000-0x00007FFB641DB000-memory.dmp

Filesize
1.9MB

Download
memory/1120-789-0x000001C7EAE00000-0x000001C7EAE10000-memory.dmp

Filesize
64KB

Download
memory/1120-764-0x00007FFB64000000-0x00007FFB641DB000-memory.dmp

Filesize
1.9MB

Download
memory/1120-861-0x00007FFB47420000-0x00007FFB47E0C000-memory.dmp

Filesize
9.9MB

Download
memory/1132-783-0x000001515A280000-0x000001515A290000-memory.dmp

Filesize
64KB

Download
memory/1132-851-0x00007FFB64000000-0x00007FFB641DB000-memory.dmp

Filesize
1.9MB

Download
memory/1132-778-0x00007FFB47420000-0x00007FFB47E0C000-memory.dmp

Filesize
9.9MB

Download
memory/1132-760-0x00007FFB64000000-0x00007FFB641DB000-memory.dmp

Filesize
1.9MB

Download
memory/2372-798-0x00007FFB64000000-0x00007FFB641DB000-memory.dmp

Filesize
1.9MB

Download
memory/2372-814-0x000002CA1F8A0000-0x000002CA1F8B0000-memory.dmp

Filesize
64KB

Download
memory/2372-794-0x00007FFB64000000-0x00007FFB641DB000-memory.dmp

Filesize
1.9MB

Download
memory/3156-772-0x00007FFB64000000-0x00007FFB641DB000-memory.dmp

Filesize
1.9MB

Download
memory/3156-770-0x00007FFB64000000-0x00007FFB641DB000-memory.dmp

Filesize
1.9MB

Download
memory/3156-784-0x0000022820610000-0x0000022820620000-memory.dmp

Filesize
64KB

Download
memory/3156-781-0x00007FFB47420000-0x00007FFB47E0C000-memory.dmp

Filesize
9.9MB

Download
memory/3612-800-0x00000179FDEF0000-0x00000179FDF00000-memory.dmp

Filesize
64KB

Download
memory/3612-787-0x00007FFB64000000-0x00007FFB641DB000-memory.dmp

Filesize
1.9MB

Download
memory/3968-208-0x000000001BBE0000-0x000000001BBF0000-memory.dmp

Filesize
64KB

Download
memory/3968-632-0x0000000000D90000-0x0000000000D9A000-memory.dmp

Filesize
40KB

Download
memory/3968-1-0x00007FFB47420000-0x00007FFB47E0C000-memory.dmp

Filesize
9.9MB

Download
memory/3968-0-0x0000000000710000-0x00000000007D8000-memory.dmp

Filesize
800KB

Download
memory/3968-33-0x000000001BBE0000-0x000000001BBF0000-memory.dmp

Filesize
64KB

Download
memory/3968-39-0x00007FFB47420000-0x00007FFB47E0C000-memory.dmp

Filesize
9.9MB

Download
memory/3968-631-0x0000000000F80000-0x0000000000FF6000-memory.dmp

Filesize
472KB

Download
memory/3968-633-0x0000000000DC0000-0x0000000000DDE000-memory.dmp

Filesize
120KB

Download
memory/4148-757-0x00007FFB47420000-0x00007FFB47E0C000-memory.dmp

Filesize
9.9MB

Download
memory/4148-755-0x00007FFB64000000-0x00007FFB641DB000-memory.dmp

Filesize
1.9MB

Download
memory/4148-775-0x000002624DEC0000-0x000002624DED0000-memory.dmp

Filesize
64KB

Download
memory/4148-774-0x000002624DEC0000-0x000002624DED0000-memory.dmp

Filesize
64KB

Download
memory/4148-749-0x00007FFB64000000-0x00007FFB641DB000-memory.dmp

Filesize
1.9MB

Download
memory/4336-4336-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4516-818-0x00007FFB47420000-0x00007FFB47E0C000-memory.dmp

Filesize
9.9MB

Download
memory/4516-804-0x00007FFB64000000-0x00007FFB641DB000-memory.dmp

Filesize
1.9MB

Download
memory/4516-828-0x000001E6FE9F0000-0x000001E6FEA00000-memory.dmp

Filesize
64KB

Download
memory/4520-825-0x00007FFB64000000-0x00007FFB641DB000-memory.dmp

Filesize
1.9MB

Download
memory/4520-823-0x00007FFB64000000-0x00007FFB641DB000-memory.dmp

Filesize
1.9MB

Download
memory/4520-844-0x000001FC4F900000-0x000001FC4F910000-memory.dmp

Filesize
64KB

Download
memory/4520-838-0x00007FFB47420000-0x00007FFB47E0C000-memory.dmp

Filesize
9.9MB

Download
memory/4544-841-0x000002319F0A0000-0x000002319F0B0000-memory.dmp

Filesize
64KB

Download
memory/4544-827-0x00007FFB47420000-0x00007FFB47E0C000-memory.dmp

Filesize
9.9MB

Download
memory/4544-822-0x00007FFB64000000-0x00007FFB641DB000-memory.dmp

Filesize
1.9MB

Download
memory/4968-38-0x00007FFB64000000-0x00007FFB641DB000-memory.dmp

Filesize
1.9MB

Download
memory/4968-35-0x00007FFB64000000-0x00007FFB641DB000-memory.dmp

Filesize
1.9MB

Download
memory/4968-36-0x00007FFB64000000-0x00007FFB641DB000-memory.dmp

Filesize
1.9MB

Download
memory/4968-37-0x00007FFB63FF0000-0x00007FFB63FF1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads