njrat | 787cb0fab96ebe518dea4d2ebd90528db5ebf6019cb2c0d62ad77413bcd36e2d

Analysis

max time kernel
756s
max time network
761s
platform
windows10-1703_x64
resource
win10-20240214-en
resource tags

arch:x64arch:x86image:win10-20240214-enlocale:en-usos:windows10-1703-x64system
submitted
19-02-2024 15:26

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

molbfgsxjpwv.exe
Size

764KB
MD5

3943e12f7f33ccff610fbad61defc66f
SHA1

b893d92e017997f411cfcda76425cc42ddd5405f
SHA256

22f66ff240dfda2244e7ce17c600985e70d3640764564ed9a5bd401502c0383b
SHA512

4d135ff5836505be56998c42edf9be83c9c7eb4d479c6123f3594b675c6f9dbcdf95ad8027f0a2dc0a11f44c9eefe36f22d1a5beb05678ac0142346c6325d5e3
SSDEEP

12288:gfQQEGPVle8phMeVUF5nqLL7fNfM3q9RNIwo:gr3+F5nqTN03qD

Score

10^/10

njrat lammer evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

8.tcp.ngrok.io:19346

Mutex

bca7344ec33c4f045ea133b6b48694e2

Attributes

reg_key
bca7344ec33c4f045ea133b6b48694e2
splitter
|'|'|

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral7/memory/4644-604-0x0000000001630000-0x000000000163A000-memory.dmp	disable_win_def

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

molbfgsxjpwv.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\Documents\\Sub\\xdwdClient.exe"	molbfgsxjpwv.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 3 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

molbfgsxjpwv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	molbfgsxjpwv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	molbfgsxjpwv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	molbfgsxjpwv.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

molbfgsxjpwv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	molbfgsxjpwv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	molbfgsxjpwv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	molbfgsxjpwv.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112
Executes dropped EXE 1 IoCs

Processes:

Trojan.exe

pid process

5880 Trojan.exe

pid	process
5880	Trojan.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

molbfgsxjpwv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2694788800-2737334826-1937309534-1000\Software\Microsoft\Windows\CurrentVersion\Run\SDLKFJHDLKHDkh = "C:\\Users\\Admin\\Documents\\Sub\\xdwdWatchDog.exe"	molbfgsxjpwv.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

molbfgsxjpwv.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua	molbfgsxjpwv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	molbfgsxjpwv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

28 0.tcp.eu.ngrok.io
33 0.tcp.eu.ngrok.io
2 0.tcp.eu.ngrok.io
8 0.tcp.eu.ngrok.io
Suspicious use of SetThreadContext 1 IoCs

Processes:

molbfgsxjpwv.exe

description pid process target process

PID 4644 set thread context of 3500 4644 molbfgsxjpwv.exe RegAsm.exe
Drops file in Windows directory 1 IoCs

Processes:

molbfgsxjpwv.exe

description ioc process

File created C:\Windows\xdwd.dll molbfgsxjpwv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
28	0.tcp.eu.ngrok.io
33	0.tcp.eu.ngrok.io
2	0.tcp.eu.ngrok.io
8	0.tcp.eu.ngrok.io

description	pid	process	target process
PID 4644 set thread context of 3500	4644	molbfgsxjpwv.exe	RegAsm.exe

description	ioc	process
File created	C:\Windows\xdwd.dll	molbfgsxjpwv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

molbfgsxjpwv.exeWmiApSrv.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4644	molbfgsxjpwv.exe
4644	molbfgsxjpwv.exe
4644	molbfgsxjpwv.exe
4644	molbfgsxjpwv.exe
4644	molbfgsxjpwv.exe
4644	molbfgsxjpwv.exe
4644	molbfgsxjpwv.exe
4644	molbfgsxjpwv.exe
4644	molbfgsxjpwv.exe
4644	molbfgsxjpwv.exe
4644	molbfgsxjpwv.exe
4644	molbfgsxjpwv.exe
4644	molbfgsxjpwv.exe
4644	molbfgsxjpwv.exe
4644	molbfgsxjpwv.exe
4644	molbfgsxjpwv.exe
4644	molbfgsxjpwv.exe
4644	molbfgsxjpwv.exe
4644	molbfgsxjpwv.exe
4644	molbfgsxjpwv.exe
4644	molbfgsxjpwv.exe
4644	molbfgsxjpwv.exe
4644	molbfgsxjpwv.exe
4640	WmiApSrv.exe
4640	WmiApSrv.exe
3248	powershell.exe
3248	powershell.exe
3248	powershell.exe
3248	powershell.exe
3248	powershell.exe
4216	powershell.exe
4216	powershell.exe
348	powershell.exe
348	powershell.exe
3804	powershell.exe
3804	powershell.exe
2528	powershell.exe
2528	powershell.exe
1964	powershell.exe
1964	powershell.exe
4216	powershell.exe
4216	powershell.exe
348	powershell.exe
348	powershell.exe
4556	powershell.exe
4556	powershell.exe
2308	powershell.exe
2308	powershell.exe
4232	powershell.exe
4232	powershell.exe
2528	powershell.exe
2528	powershell.exe
4268	powershell.exe
4268	powershell.exe
3500	powershell.exe
3500	powershell.exe
4216	powershell.exe
3804	powershell.exe
3804	powershell.exe
2688	powershell.exe
2688	powershell.exe
2456	powershell.exe
2456	powershell.exe
348	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

molbfgsxjpwv.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4644	molbfgsxjpwv.exe
Token: SeDebugPrivilege	3248	powershell.exe
Token: SeIncreaseQuotaPrivilege	3248	powershell.exe
Token: SeSecurityPrivilege	3248	powershell.exe
Token: SeTakeOwnershipPrivilege	3248	powershell.exe
Token: SeLoadDriverPrivilege	3248	powershell.exe
Token: SeSystemProfilePrivilege	3248	powershell.exe
Token: SeSystemtimePrivilege	3248	powershell.exe
Token: SeProfSingleProcessPrivilege	3248	powershell.exe
Token: SeIncBasePriorityPrivilege	3248	powershell.exe
Token: SeCreatePagefilePrivilege	3248	powershell.exe
Token: SeBackupPrivilege	3248	powershell.exe
Token: SeRestorePrivilege	3248	powershell.exe
Token: SeShutdownPrivilege	3248	powershell.exe
Token: SeDebugPrivilege	3248	powershell.exe
Token: SeSystemEnvironmentPrivilege	3248	powershell.exe
Token: SeRemoteShutdownPrivilege	3248	powershell.exe
Token: SeUndockPrivilege	3248	powershell.exe
Token: SeManageVolumePrivilege	3248	powershell.exe
Token: 33	3248	powershell.exe
Token: 34	3248	powershell.exe
Token: 35	3248	powershell.exe
Token: 36	3248	powershell.exe
Token: SeDebugPrivilege	4216	powershell.exe
Token: SeDebugPrivilege	348	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	3804	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	4556	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	4232	powershell.exe
Token: SeDebugPrivilege	4268	powershell.exe
Token: SeDebugPrivilege	3500	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeIncreaseQuotaPrivilege	4216	powershell.exe
Token: SeSecurityPrivilege	4216	powershell.exe
Token: SeTakeOwnershipPrivilege	4216	powershell.exe
Token: SeLoadDriverPrivilege	4216	powershell.exe
Token: SeSystemProfilePrivilege	4216	powershell.exe
Token: SeSystemtimePrivilege	4216	powershell.exe
Token: SeProfSingleProcessPrivilege	4216	powershell.exe
Token: SeIncBasePriorityPrivilege	4216	powershell.exe
Token: SeCreatePagefilePrivilege	4216	powershell.exe
Token: SeBackupPrivilege	4216	powershell.exe
Token: SeRestorePrivilege	4216	powershell.exe
Token: SeShutdownPrivilege	4216	powershell.exe
Token: SeDebugPrivilege	4216	powershell.exe
Token: SeSystemEnvironmentPrivilege	4216	powershell.exe
Token: SeRemoteShutdownPrivilege	4216	powershell.exe
Token: SeUndockPrivilege	4216	powershell.exe
Token: SeManageVolumePrivilege	4216	powershell.exe
Token: 33	4216	powershell.exe
Token: 34	4216	powershell.exe
Token: 35	4216	powershell.exe
Token: 36	4216	powershell.exe
Token: SeIncreaseQuotaPrivilege	348	powershell.exe
Token: SeSecurityPrivilege	348	powershell.exe
Token: SeTakeOwnershipPrivilege	348	powershell.exe
Token: SeLoadDriverPrivilege	348	powershell.exe
Token: SeSystemProfilePrivilege	348	powershell.exe
Token: SeSystemtimePrivilege	348	powershell.exe
Token: SeProfSingleProcessPrivilege	348	powershell.exe
Token: SeIncBasePriorityPrivilege	348	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

molbfgsxjpwv.exeRegAsm.execmd.exe

description	pid	process	target process
PID 4644 wrote to memory of 3248	4644	molbfgsxjpwv.exe	powershell.exe
PID 4644 wrote to memory of 3248	4644	molbfgsxjpwv.exe	powershell.exe
PID 4644 wrote to memory of 4216	4644	molbfgsxjpwv.exe	powershell.exe
PID 4644 wrote to memory of 4216	4644	molbfgsxjpwv.exe	powershell.exe
PID 4644 wrote to memory of 348	4644	molbfgsxjpwv.exe	powershell.exe
PID 4644 wrote to memory of 348	4644	molbfgsxjpwv.exe	powershell.exe
PID 4644 wrote to memory of 3804	4644	molbfgsxjpwv.exe	powershell.exe
PID 4644 wrote to memory of 3804	4644	molbfgsxjpwv.exe	powershell.exe
PID 4644 wrote to memory of 2528	4644	molbfgsxjpwv.exe	powershell.exe
PID 4644 wrote to memory of 2528	4644	molbfgsxjpwv.exe	powershell.exe
PID 4644 wrote to memory of 1964	4644	molbfgsxjpwv.exe	powershell.exe
PID 4644 wrote to memory of 1964	4644	molbfgsxjpwv.exe	powershell.exe
PID 4644 wrote to memory of 4556	4644	molbfgsxjpwv.exe	powershell.exe
PID 4644 wrote to memory of 4556	4644	molbfgsxjpwv.exe	powershell.exe
PID 4644 wrote to memory of 2308	4644	molbfgsxjpwv.exe	powershell.exe
PID 4644 wrote to memory of 2308	4644	molbfgsxjpwv.exe	powershell.exe
PID 4644 wrote to memory of 4232	4644	molbfgsxjpwv.exe	powershell.exe
PID 4644 wrote to memory of 4232	4644	molbfgsxjpwv.exe	powershell.exe
PID 4644 wrote to memory of 4268	4644	molbfgsxjpwv.exe	powershell.exe
PID 4644 wrote to memory of 4268	4644	molbfgsxjpwv.exe	powershell.exe
PID 4644 wrote to memory of 3500	4644	molbfgsxjpwv.exe	powershell.exe
PID 4644 wrote to memory of 3500	4644	molbfgsxjpwv.exe	powershell.exe
PID 4644 wrote to memory of 2688	4644	molbfgsxjpwv.exe	powershell.exe
PID 4644 wrote to memory of 2688	4644	molbfgsxjpwv.exe	powershell.exe
PID 4644 wrote to memory of 2456	4644	molbfgsxjpwv.exe	powershell.exe
PID 4644 wrote to memory of 2456	4644	molbfgsxjpwv.exe	powershell.exe
PID 4644 wrote to memory of 5560	4644	molbfgsxjpwv.exe	RegAsm.exe
PID 4644 wrote to memory of 5560	4644	molbfgsxjpwv.exe	RegAsm.exe
PID 4644 wrote to memory of 5560	4644	molbfgsxjpwv.exe	RegAsm.exe
PID 4644 wrote to memory of 3500	4644	molbfgsxjpwv.exe	RegAsm.exe
PID 4644 wrote to memory of 3500	4644	molbfgsxjpwv.exe	RegAsm.exe
PID 4644 wrote to memory of 3500	4644	molbfgsxjpwv.exe	RegAsm.exe
PID 4644 wrote to memory of 3500	4644	molbfgsxjpwv.exe	RegAsm.exe
PID 4644 wrote to memory of 3500	4644	molbfgsxjpwv.exe	RegAsm.exe
PID 4644 wrote to memory of 3500	4644	molbfgsxjpwv.exe	RegAsm.exe
PID 4644 wrote to memory of 3500	4644	molbfgsxjpwv.exe	RegAsm.exe
PID 4644 wrote to memory of 3500	4644	molbfgsxjpwv.exe	RegAsm.exe
PID 3500 wrote to memory of 5880	3500	RegAsm.exe	Trojan.exe
PID 3500 wrote to memory of 5880	3500	RegAsm.exe	Trojan.exe
PID 3500 wrote to memory of 5880	3500	RegAsm.exe	Trojan.exe
PID 4644 wrote to memory of 3528	4644	molbfgsxjpwv.exe	cmd.exe
PID 4644 wrote to memory of 3528	4644	molbfgsxjpwv.exe	cmd.exe
PID 3528 wrote to memory of 5668	3528	cmd.exe	powershell.exe
PID 3528 wrote to memory of 5668	3528	cmd.exe	powershell.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

molbfgsxjpwv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	molbfgsxjpwv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	molbfgsxjpwv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	molbfgsxjpwv.exe

C:\Users\Admin\AppData\Local\Temp\molbfgsxjpwv.exe
"C:\Users\Admin\AppData\Local\Temp\molbfgsxjpwv.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:5560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3500

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
3⤵
- Executes dropped EXE
PID:5880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\zm3lpzea.jjc.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\zm3lpzea.jjc.exe"'
3⤵
PID:5668

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Shutdown /s /f /t 00
2⤵
PID:6068

C:\Windows\system32\shutdown.exe
Shutdown /s /f /t 00
3⤵
PID:6012

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4640

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3af2855 /state1:0x41c64e6d
1⤵
PID:5648

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ac40bf44a6f9873a8f200ad96db5c4fd

SHA1
96cd2fe93eebb545ae9993f6bae2397181087d30

SHA256
0b210c1f0aa802093a0d975f472b5e8d1f98e1293f92b0646dac1b8517e62d37

SHA512
d86f8aee3d5774c5ca17a5e48e9b31d0e22a83c2d5846e120deb7e24f81f6b9cf5bfc4513d9d4f7ea3ff4c032754ee35e134524483315b5742cad3546f3da9d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
821935f046670cef9c2b4407715c0295

SHA1
26d6de90473b287e2288d69266b94056bba539c6

SHA256
a48430ce624068de63c84f26184f1fdb90d164cfc6ff9e542f92e6588ff137e4

SHA512
9c31a529b42324bbf93c96a19643337797f4603450db9c493dc3b5b2d26446fc6c0464aa05a7488a58f4a65515e1479be95cf9e50ea0512e02805f071870c856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a08dc5fda2af96515ec0a4ec3d9bc5b9

SHA1
005b6ed499f86b31567ab5b96a54054c3fd688f6

SHA256
af98b876a323f01c35279afb653417cd32f863fae8068934d0bd2af9cb169747

SHA512
7b05e351c6e4cc28afc826287497d19038c867bc123cba1eb2820b105cb6a02fe6db538590e3554826b544c2ab96743772347f3fe3f94051346d1b1412e18124

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e6c209e392140251a97634b91a7cecf0

SHA1
dd4606a666092f2636a786f850ee00bde2136da3

SHA256
fdd8fa3289bf1f39b3d2980ca5adae058aca2c8e14c1375bd959a9af47910b50

SHA512
03fd28bcdb2e0fd66659ae7affff51b9ddb0cca96c5ceb2bc2426686d29a27b2ab9a3eddf7e57e4c58f2e1f452da89a083f66a0421673f60c3c9ffb126d3726c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6532fd6ad60a8c6f8d8ab75ff5fed1e4

SHA1
de111bb1e805f56d21a647d40af4ba09fcb0c83e

SHA256
30897b6fb40ce3067364146881774f24f153cd34c0695911e93f708cf2ca1b4d

SHA512
e002129ddcc20528f53f07757fc92ec99911913d3fea1d70180c1fd138084d88daab3a10a49dba75b5798cfe77a757c7444bce70e1aefad3c29e0159bc77937e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7ec6a3a108bbeb14cc3e51f5237f4d3a

SHA1
be8585bd41443b01c2636391807c51dea5e2eac3

SHA256
eeca6cec00c13ca12b19ecfe274b5fb8ab346f2c0b548333ea0025f6f3a8ada8

SHA512
2103aadf4a8b0c62cb0a3588953269322252d0b6a15a5a6dc7f3659591ee8621f1ed53804492ca654390666070b4c519b863f38db60f064e8d7f5beb42f0991d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0cd03b5dabe0c65d0b19af9654eda27f

SHA1
a3bdf2c793e9b225589cabbb0c829fa7f23f46be

SHA256
edb87bb6322719c6c584ffe8c00faef2ef3c8b6871919a94667055b0f6826cd2

SHA512
b4073879242629281260218624951c6dbf80fa4250ce792495dc1bd95997e53297ca31ad5bc5ed34793e1a8167f8aaebe64357a2746c659f9c42e7fa57f81257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
77626919486340419de1ee7b57a1a5d8

SHA1
ffa4cc2a569ac9cac3ac974a51013115d679e9aa

SHA256
7b3f55e41a750185caaa7ef336e2f3809a2b483a3fab47f38103f800a6defcf3

SHA512
e5532bb2e1a78ae1058c73930844b86de817a428101c4688105ddb74b364e5946f2d89fb505feaef6f6e56224d2b5c215a5fae0aa327e3d12f1cca0fbd5856ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
13f6925dbe96e3ea45a189ccb1160de2

SHA1
53a1349cd169d82b4cb1972574370d4764750c9c

SHA256
fd43b70f17d5f66b86353e89c064e286cb169f806c2b6d46737c1a34145cb39d

SHA512
13c9dd7ec8af1921f1fdba0f427d2d441ac10ff80eb2ccfb32899bea1e33c86c735ea1dddd97990ca3375556e1c9b7ba8faee74281ee756295709a9e1340799c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c65ad8f0531a0656a1c55e20afc195e4

SHA1
734d65185cc50f19fc2b2955160a1c90e8bc46b1

SHA256
62554f24c965ad66c71fc57e6c8ebd90fe244dcb21f70ddc212c2d756c6924c3

SHA512
c0b70f9d85ab5f221e868a2514289a038afdf709ddfca5adae948c337f2284fd2071881b16b3a95137d452df61c6b02bc93d3c38365844efe213f9914d35b8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wgtobemk.lg5.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Documents\Sub\xdwdClient.exe
Filesize
764KB

MD5
3943e12f7f33ccff610fbad61defc66f

SHA1
b893d92e017997f411cfcda76425cc42ddd5405f

SHA256
22f66ff240dfda2244e7ce17c600985e70d3640764564ed9a5bd401502c0383b

SHA512
4d135ff5836505be56998c42edf9be83c9c7eb4d479c6123f3594b675c6f9dbcdf95ad8027f0a2dc0a11f44c9eefe36f22d1a5beb05678ac0142346c6325d5e3

Download Submit
C:\Windows\xdwd.dll
Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/348-736-0x00000156ABEB0000-0x00000156ABEC0000-memory.dmp

Filesize
64KB

Download
memory/348-733-0x00000156ABEB0000-0x00000156ABEC0000-memory.dmp

Filesize
64KB

Download
memory/348-722-0x00007FFCA4D80000-0x00007FFCA4F5B000-memory.dmp

Filesize
1.9MB

Download
memory/348-815-0x00007FFCA4D80000-0x00007FFCA4F5B000-memory.dmp

Filesize
1.9MB

Download
memory/348-819-0x00007FFC87DF0000-0x00007FFC887DC000-memory.dmp

Filesize
9.9MB

Download
memory/1964-833-0x00007FFCA4D80000-0x00007FFCA4F5B000-memory.dmp

Filesize
1.9MB

Download
memory/1964-791-0x00000227B6ED0000-0x00000227B6EE0000-memory.dmp

Filesize
64KB

Download
memory/1964-760-0x00007FFC87DF0000-0x00007FFC887DC000-memory.dmp

Filesize
9.9MB

Download
memory/1964-793-0x00000227B6ED0000-0x00000227B6EE0000-memory.dmp

Filesize
64KB

Download
memory/1964-756-0x00007FFCA4D80000-0x00007FFCA4F5B000-memory.dmp

Filesize
1.9MB

Download
memory/2308-788-0x00007FFCA4D80000-0x00007FFCA4F5B000-memory.dmp

Filesize
1.9MB

Download
memory/2308-799-0x00007FFC87DF0000-0x00007FFC887DC000-memory.dmp

Filesize
9.9MB

Download
memory/2308-843-0x00000203FF5D0000-0x00000203FF5E0000-memory.dmp

Filesize
64KB

Download
memory/2308-790-0x00007FFCA4D80000-0x00007FFCA4F5B000-memory.dmp

Filesize
1.9MB

Download
memory/2308-842-0x00000203FF5D0000-0x00000203FF5E0000-memory.dmp

Filesize
64KB

Download
memory/2528-729-0x00007FFCA4D80000-0x00007FFCA4F5B000-memory.dmp

Filesize
1.9MB

Download
memory/2528-830-0x00007FFC87DF0000-0x00007FFC887DC000-memory.dmp

Filesize
9.9MB

Download
memory/2528-731-0x00007FFCA4D80000-0x00007FFCA4F5B000-memory.dmp

Filesize
1.9MB

Download
memory/2528-757-0x000001D976480000-0x000001D976490000-memory.dmp

Filesize
64KB

Download
memory/2528-834-0x000001D976480000-0x000001D976490000-memory.dmp

Filesize
64KB

Download
memory/2688-814-0x00007FFCA4D80000-0x00007FFCA4F5B000-memory.dmp

Filesize
1.9MB

Download
memory/3248-668-0x000001C86FEB0000-0x000001C86FED2000-memory.dmp

Filesize
136KB

Download
memory/3248-710-0x00007FFCA4D80000-0x00007FFCA4F5B000-memory.dmp

Filesize
1.9MB

Download
memory/3248-711-0x00007FFC87DF0000-0x00007FFC887DC000-memory.dmp

Filesize
9.9MB

Download
memory/3248-666-0x00007FFCA4D80000-0x00007FFCA4F5B000-memory.dmp

Filesize
1.9MB

Download
memory/3248-667-0x00007FFCA4D80000-0x00007FFCA4F5B000-memory.dmp

Filesize
1.9MB

Download
memory/3248-671-0x000001C86FF00000-0x000001C86FF10000-memory.dmp

Filesize
64KB

Download
memory/3248-670-0x000001C86FF00000-0x000001C86FF10000-memory.dmp

Filesize
64KB

Download
memory/3248-669-0x00007FFC87DF0000-0x00007FFC887DC000-memory.dmp

Filesize
9.9MB

Download
memory/3248-686-0x000001C86FF00000-0x000001C86FF10000-memory.dmp

Filesize
64KB

Download
memory/3500-808-0x00007FFCA4D80000-0x00007FFCA4F5B000-memory.dmp

Filesize
1.9MB

Download
memory/3500-4340-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3500-812-0x000001F4FBEC0000-0x000001F4FBED0000-memory.dmp

Filesize
64KB

Download
memory/3804-821-0x00007FFCA4D80000-0x00007FFCA4F5B000-memory.dmp

Filesize
1.9MB

Download
memory/3804-770-0x000001F911850000-0x000001F911860000-memory.dmp

Filesize
64KB

Download
memory/3804-781-0x000001F911850000-0x000001F911860000-memory.dmp

Filesize
64KB

Download
memory/3804-752-0x00007FFC87DF0000-0x00007FFC887DC000-memory.dmp

Filesize
9.9MB

Download
memory/3804-726-0x00007FFCA4D80000-0x00007FFCA4F5B000-memory.dmp

Filesize
1.9MB

Download
memory/4216-820-0x000002C7D1D80000-0x000002C7D1D90000-memory.dmp

Filesize
64KB

Download
memory/4216-720-0x00007FFC87DF0000-0x00007FFC887DC000-memory.dmp

Filesize
9.9MB

Download
memory/4216-716-0x00007FFCA4D80000-0x00007FFCA4F5B000-memory.dmp

Filesize
1.9MB

Download
memory/4216-724-0x000002C7D1D80000-0x000002C7D1D90000-memory.dmp

Filesize
64KB

Download
memory/4216-714-0x00007FFCA4D80000-0x00007FFCA4F5B000-memory.dmp

Filesize
1.9MB

Download
memory/4232-802-0x00007FFCA4D80000-0x00007FFCA4F5B000-memory.dmp

Filesize
1.9MB

Download
memory/4232-805-0x00007FFC87DF0000-0x00007FFC887DC000-memory.dmp

Filesize
9.9MB

Download
memory/4268-854-0x00007FFC87DF0000-0x00007FFC887DC000-memory.dmp

Filesize
9.9MB

Download
memory/4268-807-0x00007FFCA4D80000-0x00007FFCA4F5B000-memory.dmp

Filesize
1.9MB

Download
memory/4268-810-0x000001E2EFA60000-0x000001E2EFA70000-memory.dmp

Filesize
64KB

Download
memory/4556-841-0x0000015061880000-0x0000015061890000-memory.dmp

Filesize
64KB

Download
memory/4556-785-0x00007FFCA4D80000-0x00007FFCA4F5B000-memory.dmp

Filesize
1.9MB

Download
memory/4556-839-0x00007FFC87DF0000-0x00007FFC887DC000-memory.dmp

Filesize
9.9MB

Download
memory/4556-836-0x00007FFCA4D80000-0x00007FFCA4F5B000-memory.dmp

Filesize
1.9MB

Download
memory/4556-806-0x0000015061880000-0x0000015061890000-memory.dmp

Filesize
64KB

Download
memory/4640-39-0x00007FFCA4D80000-0x00007FFCA4F5B000-memory.dmp

Filesize
1.9MB

Download
memory/4640-38-0x00007FFCA4D70000-0x00007FFCA4D71000-memory.dmp

Filesize
4KB

Download
memory/4640-36-0x00007FFCA4D80000-0x00007FFCA4F5B000-memory.dmp

Filesize
1.9MB

Download
memory/4640-35-0x00007FFCA4D80000-0x00007FFCA4F5B000-memory.dmp

Filesize
1.9MB

Download
memory/4644-604-0x0000000001630000-0x000000000163A000-memory.dmp

Filesize
40KB

Download
memory/4644-603-0x00000000017A0000-0x0000000001816000-memory.dmp

Filesize
472KB

Download
memory/4644-180-0x000000001C130000-0x000000001C140000-memory.dmp

Filesize
64KB

Download
memory/4644-605-0x0000000001660000-0x000000000167E000-memory.dmp

Filesize
120KB

Download
memory/4644-37-0x00007FFC87DF0000-0x00007FFC887DC000-memory.dmp

Filesize
9.9MB

Download
memory/4644-32-0x000000001C130000-0x000000001C140000-memory.dmp

Filesize
64KB

Download
memory/4644-0-0x0000000000F60000-0x0000000001026000-memory.dmp

Filesize
792KB

Download
memory/4644-1-0x00007FFC87DF0000-0x00007FFC887DC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads