njrat | 787cb0fab96ebe518dea4d2ebd90528db5ebf6019cb2c0d62ad77413bcd36e2d

Analysis

max time kernel
752s
max time network
763s
platform
windows10-1703_x64
resource
win10-20240214-en
resource tags

arch:x64arch:x86image:win10-20240214-enlocale:en-usos:windows10-1703-x64system
submitted
19-02-2024 15:26

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

msxsbkvjyoho.exe
Size

769KB
MD5

0f6650adff096ba42febd82cbc3a64fe
SHA1

7673c6646eb405a25df0751fbd00fb83fe303585
SHA256

a35331e95e0329556d7b0e88d2573a12db668314ee1326a1f23c01a427abdc66
SHA512

072b0ec2cc7342b58ea142fc3615e71bbb28219b55ee34d24d1b76d62f75c499dc457efdd75c6f5e71bb3807f275599f2e988ef836f45d45f035e59f3a682950
SSDEEP

12288:9yl3GIPVle8AlSCtbIs1WLKc049GNfM3q9RNIwo:9LdlSSIs1WHL9GN03qD

Score

10^/10

njrat lammer evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

8.tcp.ngrok.io:19346

Mutex

bca7344ec33c4f045ea133b6b48694e2

Attributes

reg_key
bca7344ec33c4f045ea133b6b48694e2
splitter
|'|'|

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral9/memory/8-540-0x00000000015C0000-0x00000000015CA000-memory.dmp	disable_win_def

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

msxsbkvjyoho.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\Documents\\Sub\\xdwdClient.exe"	msxsbkvjyoho.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 3 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

msxsbkvjyoho.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	msxsbkvjyoho.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	msxsbkvjyoho.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	msxsbkvjyoho.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

msxsbkvjyoho.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	msxsbkvjyoho.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	msxsbkvjyoho.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	msxsbkvjyoho.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112
Executes dropped EXE 1 IoCs

Processes:

Trojan.exe

pid process

4076 Trojan.exe

pid	process
4076	Trojan.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msxsbkvjyoho.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-79906965-4104874056-73860534-1000\Software\Microsoft\Windows\CurrentVersion\Run\SDLKFJHDLKHDkh = "C:\\Users\\Admin\\Documents\\Sub\\xdwdWatchDog.exe"	msxsbkvjyoho.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

msxsbkvjyoho.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	msxsbkvjyoho.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua	msxsbkvjyoho.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

2 0.tcp.eu.ngrok.io
8 0.tcp.eu.ngrok.io
22 0.tcp.eu.ngrok.io
26 0.tcp.eu.ngrok.io
Suspicious use of SetThreadContext 1 IoCs

Processes:

msxsbkvjyoho.exe

description pid process target process

PID 8 set thread context of 920 8 msxsbkvjyoho.exe RegAsm.exe
Drops file in Windows directory 1 IoCs

Processes:

msxsbkvjyoho.exe

description ioc process

File created C:\Windows\xdwd.dll msxsbkvjyoho.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
2	0.tcp.eu.ngrok.io
8	0.tcp.eu.ngrok.io
22	0.tcp.eu.ngrok.io
26	0.tcp.eu.ngrok.io

description	pid	process	target process
PID 8 set thread context of 920	8	msxsbkvjyoho.exe	RegAsm.exe

description	ioc	process
File created	C:\Windows\xdwd.dll	msxsbkvjyoho.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msxsbkvjyoho.exeWmiApSrv.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
8	msxsbkvjyoho.exe
8	msxsbkvjyoho.exe
8	msxsbkvjyoho.exe
8	msxsbkvjyoho.exe
8	msxsbkvjyoho.exe
8	msxsbkvjyoho.exe
8	msxsbkvjyoho.exe
8	msxsbkvjyoho.exe
8	msxsbkvjyoho.exe
8	msxsbkvjyoho.exe
8	msxsbkvjyoho.exe
8	msxsbkvjyoho.exe
8	msxsbkvjyoho.exe
8	msxsbkvjyoho.exe
8	msxsbkvjyoho.exe
8	msxsbkvjyoho.exe
8	msxsbkvjyoho.exe
8	msxsbkvjyoho.exe
8	msxsbkvjyoho.exe
8	msxsbkvjyoho.exe
8	msxsbkvjyoho.exe
8	msxsbkvjyoho.exe
8	msxsbkvjyoho.exe
4652	WmiApSrv.exe
4652	WmiApSrv.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1400	powershell.exe
1476	powershell.exe
1476	powershell.exe
3036	powershell.exe
3036	powershell.exe
4004	powershell.exe
4004	powershell.exe
652	powershell.exe
652	powershell.exe
1476	powershell.exe
4820	powershell.exe
4820	powershell.exe
2760	powershell.exe
2760	powershell.exe
5112	powershell.exe
5112	powershell.exe
3036	powershell.exe
3036	powershell.exe
4896	powershell.exe
4896	powershell.exe
4920	powershell.exe
4920	powershell.exe
3060	powershell.exe
3060	powershell.exe
2672	powershell.exe
2672	powershell.exe
1476	powershell.exe
1476	powershell.exe
4004	powershell.exe
4004	powershell.exe
652	powershell.exe
652	powershell.exe
3036	powershell.exe
4924	powershell.exe
4924	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msxsbkvjyoho.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	8	msxsbkvjyoho.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeIncreaseQuotaPrivilege	1400	powershell.exe
Token: SeSecurityPrivilege	1400	powershell.exe
Token: SeTakeOwnershipPrivilege	1400	powershell.exe
Token: SeLoadDriverPrivilege	1400	powershell.exe
Token: SeSystemProfilePrivilege	1400	powershell.exe
Token: SeSystemtimePrivilege	1400	powershell.exe
Token: SeProfSingleProcessPrivilege	1400	powershell.exe
Token: SeIncBasePriorityPrivilege	1400	powershell.exe
Token: SeCreatePagefilePrivilege	1400	powershell.exe
Token: SeBackupPrivilege	1400	powershell.exe
Token: SeRestorePrivilege	1400	powershell.exe
Token: SeShutdownPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeSystemEnvironmentPrivilege	1400	powershell.exe
Token: SeRemoteShutdownPrivilege	1400	powershell.exe
Token: SeUndockPrivilege	1400	powershell.exe
Token: SeManageVolumePrivilege	1400	powershell.exe
Token: 33	1400	powershell.exe
Token: 34	1400	powershell.exe
Token: 35	1400	powershell.exe
Token: 36	1400	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeDebugPrivilege	652	powershell.exe
Token: SeDebugPrivilege	4820	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	4920	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeIncreaseQuotaPrivilege	1476	powershell.exe
Token: SeSecurityPrivilege	1476	powershell.exe
Token: SeTakeOwnershipPrivilege	1476	powershell.exe
Token: SeLoadDriverPrivilege	1476	powershell.exe
Token: SeSystemProfilePrivilege	1476	powershell.exe
Token: SeSystemtimePrivilege	1476	powershell.exe
Token: SeProfSingleProcessPrivilege	1476	powershell.exe
Token: SeIncBasePriorityPrivilege	1476	powershell.exe
Token: SeCreatePagefilePrivilege	1476	powershell.exe
Token: SeBackupPrivilege	1476	powershell.exe
Token: SeRestorePrivilege	1476	powershell.exe
Token: SeShutdownPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeSystemEnvironmentPrivilege	1476	powershell.exe
Token: SeRemoteShutdownPrivilege	1476	powershell.exe
Token: SeUndockPrivilege	1476	powershell.exe
Token: SeManageVolumePrivilege	1476	powershell.exe
Token: 33	1476	powershell.exe
Token: 34	1476	powershell.exe
Token: 35	1476	powershell.exe
Token: 36	1476	powershell.exe
Token: SeIncreaseQuotaPrivilege	3036	powershell.exe
Token: SeSecurityPrivilege	3036	powershell.exe
Token: SeTakeOwnershipPrivilege	3036	powershell.exe
Token: SeLoadDriverPrivilege	3036	powershell.exe
Token: SeSystemProfilePrivilege	3036	powershell.exe
Token: SeSystemtimePrivilege	3036	powershell.exe
Token: SeProfSingleProcessPrivilege	3036	powershell.exe
Token: SeIncBasePriorityPrivilege	3036	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

2364 LogonUI.exe

pid	process
2364	LogonUI.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

msxsbkvjyoho.exeRegAsm.execmd.execmd.exe

description	pid	process	target process
PID 8 wrote to memory of 1400	8	msxsbkvjyoho.exe	powershell.exe
PID 8 wrote to memory of 1400	8	msxsbkvjyoho.exe	powershell.exe
PID 8 wrote to memory of 1476	8	msxsbkvjyoho.exe	powershell.exe
PID 8 wrote to memory of 1476	8	msxsbkvjyoho.exe	powershell.exe
PID 8 wrote to memory of 4004	8	msxsbkvjyoho.exe	powershell.exe
PID 8 wrote to memory of 4004	8	msxsbkvjyoho.exe	powershell.exe
PID 8 wrote to memory of 3036	8	msxsbkvjyoho.exe	powershell.exe
PID 8 wrote to memory of 3036	8	msxsbkvjyoho.exe	powershell.exe
PID 8 wrote to memory of 652	8	msxsbkvjyoho.exe	powershell.exe
PID 8 wrote to memory of 652	8	msxsbkvjyoho.exe	powershell.exe
PID 8 wrote to memory of 4820	8	msxsbkvjyoho.exe	powershell.exe
PID 8 wrote to memory of 4820	8	msxsbkvjyoho.exe	powershell.exe
PID 8 wrote to memory of 5112	8	msxsbkvjyoho.exe	powershell.exe
PID 8 wrote to memory of 5112	8	msxsbkvjyoho.exe	powershell.exe
PID 8 wrote to memory of 2760	8	msxsbkvjyoho.exe	powershell.exe
PID 8 wrote to memory of 2760	8	msxsbkvjyoho.exe	powershell.exe
PID 8 wrote to memory of 4896	8	msxsbkvjyoho.exe	powershell.exe
PID 8 wrote to memory of 4896	8	msxsbkvjyoho.exe	powershell.exe
PID 8 wrote to memory of 4920	8	msxsbkvjyoho.exe	powershell.exe
PID 8 wrote to memory of 4920	8	msxsbkvjyoho.exe	powershell.exe
PID 8 wrote to memory of 3060	8	msxsbkvjyoho.exe	powershell.exe
PID 8 wrote to memory of 3060	8	msxsbkvjyoho.exe	powershell.exe
PID 8 wrote to memory of 2672	8	msxsbkvjyoho.exe	powershell.exe
PID 8 wrote to memory of 2672	8	msxsbkvjyoho.exe	powershell.exe
PID 8 wrote to memory of 4924	8	msxsbkvjyoho.exe	powershell.exe
PID 8 wrote to memory of 4924	8	msxsbkvjyoho.exe	powershell.exe
PID 8 wrote to memory of 920	8	msxsbkvjyoho.exe	RegAsm.exe
PID 8 wrote to memory of 920	8	msxsbkvjyoho.exe	RegAsm.exe
PID 8 wrote to memory of 920	8	msxsbkvjyoho.exe	RegAsm.exe
PID 8 wrote to memory of 920	8	msxsbkvjyoho.exe	RegAsm.exe
PID 8 wrote to memory of 920	8	msxsbkvjyoho.exe	RegAsm.exe
PID 8 wrote to memory of 920	8	msxsbkvjyoho.exe	RegAsm.exe
PID 8 wrote to memory of 920	8	msxsbkvjyoho.exe	RegAsm.exe
PID 8 wrote to memory of 920	8	msxsbkvjyoho.exe	RegAsm.exe
PID 920 wrote to memory of 4076	920	RegAsm.exe	Trojan.exe
PID 920 wrote to memory of 4076	920	RegAsm.exe	Trojan.exe
PID 920 wrote to memory of 4076	920	RegAsm.exe	Trojan.exe
PID 8 wrote to memory of 1796	8	msxsbkvjyoho.exe	cmd.exe
PID 8 wrote to memory of 1796	8	msxsbkvjyoho.exe	cmd.exe
PID 1796 wrote to memory of 372	1796	cmd.exe	powershell.exe
PID 1796 wrote to memory of 372	1796	cmd.exe	powershell.exe
PID 8 wrote to memory of 1564	8	msxsbkvjyoho.exe	cmd.exe
PID 8 wrote to memory of 1564	8	msxsbkvjyoho.exe	cmd.exe
PID 1564 wrote to memory of 5112	1564	cmd.exe	shutdown.exe
PID 1564 wrote to memory of 5112	1564	cmd.exe	shutdown.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

msxsbkvjyoho.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0"	msxsbkvjyoho.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0"	msxsbkvjyoho.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0"	msxsbkvjyoho.exe

C:\Users\Admin\AppData\Local\Temp\msxsbkvjyoho.exe
"C:\Users\Admin\AppData\Local\Temp\msxsbkvjyoho.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:920

C:\Users\Admin\AppData\Local\Temp\Trojan.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
3⤵
- Executes dropped EXE
PID:4076

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\yek00ykb.10j.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\yek00ykb.10j.exe"'
3⤵
PID:372

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Shutdown /s /f /t 00
2⤵
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\system32\shutdown.exe
Shutdown /s /f /t 00
3⤵
PID:5112

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4652

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ae5055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2364

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6689dde6023fabfb674ab37768efe944

SHA1
620e1d125580f980d20e88e9e24c8ca99f519984

SHA256
d4eb3275edfd82982ed2aa211ef7698e840c16260fba4ae785ef5d7dc9cce350

SHA512
86e00cbda7ca74b66865b2e7af574d91079d9eb3284b4be5166d571df6731fc3e60811ca16e439669c8abda9931c5a81f29b849c431a9a397e0a0f48ace4f143

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ba2be2fd18c009ec733fb285230cbd8d

SHA1
fc68ffadaffbb432a8b702eca23d9d91c7bf38b2

SHA256
e9fc6f453a04ea7185ab280bdd74cca193818e661e745aebd4223428c3fa9226

SHA512
a98caeb5cadad045cc3ecc058ded6d5cfad452bf20ff7d6ded297650e3e32133f27b5280a2d7b26f1741640b33b22bd5586b0b00f275fca8c78e475f3b542916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
32a06d56c83ff0cbb1290f803ceca0cb

SHA1
03caf6351c71089a961c7a75a22bc808e41f85a4

SHA256
e9705feedb3c50982bb8a00d7906eeeb41c26c635e9c654c19686c8ea6dd2462

SHA512
cf3caa70a2fe59ff16617374fe1e4e78f973a9902c9ab139cab2cb8a373a6b1184522782b1004c3f4b27ba885fa154a04feea11b9f9965a7e9ef3f77ce1536d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b94a66da4c90e5f78544ff4626141da1

SHA1
b108bc9bcae69909b8185b50683af38c6136e29e

SHA256
e7016db633fecc506ea7ee5655562e9079c402ca5f010c08c0c5c0ad1dbf8cfb

SHA512
28c1a01c74f7ff53e30288ec1da9b6901e0317e9e9678d39559fe80d74540a52530076f1078ed2db04ae6a90656bf4ab90e11f835371d4e455323fe9a2ad491c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f72cab8ec4be245e89e763fe6e6f9a06

SHA1
1e7e17e07efb9385222327c08747967d96205b8e

SHA256
b15b20a0ff4bc673b9a5367703b8e00e57b98ae1864baff49a0c69201c693fe8

SHA512
884d21d91b7b291958de388139777d1373eb8b839ce8bb985317302a1d11e216174055ab1f4e87e6fbf14108c8b6cfeaaa2412eed12a35c2d52831e71e704d3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4bd71b8b1009c5b1b23fe37e9eaf6799

SHA1
c0bb4ecfaf8f6af8ff3b474abe69fbe8fe16d19d

SHA256
01c2f016fd76213d325821f365e87df45d186f07c25d908878c6efe6369f8e66

SHA512
05b66fbb83a6b92a5d2fc30f007c490647f746868125d7165684f843bd45ebd6f991ad7cae9a7ed55303b365153d36dffa9efb837b6bfb73bca7aef23a6fbf86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
cb67b18cce5ce917ef8daa01f34c93e7

SHA1
da0368df4b5d648b032bb829ceb369d4d56e4cfc

SHA256
f63b4e57e6af981d8037ffc50e8e97dfcf3e4d0eaa5721318713a53fa4bc90fe

SHA512
aa8d6401ab816b27a00ce229b3659cae837ed7efbdb16360719f25908eb590b8cdbb1cc29e96efc1f80bc299f4e62d3eb67494755afe35696fcafbfe31f65cc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3351824c12a897a4beaec43ee760aa11

SHA1
8cadfcf491e6db2e6734b2674f099be382f03f2b

SHA256
f43f7a94265d58c9a732706d5c24d1f37730a018bbd77cb1f5c1be721884c8a5

SHA512
df9127b6840dc04ef5c242407cd4a28b939b5849fd41977b1b6a21da6656fd32fd2c797989920df60fd6f130cb2db3c377a49d973806498ba99e828749711532

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
64ddc4b4e3be76a257b3517fe8f22eed

SHA1
4673240f71d1aae9bec1083cb19a59261ffb9b62

SHA256
82b4fb87650cdb03a6fde44d42d6569117edaa5f26b1634ba1cb723bc8f5c6c9

SHA512
8b9c3c6d6b97063c65cbcd673bfa24448081146301cec7b8c11504253630373a3cb7fe63afe43872179e2525ae9eb58133829e8df9de9a88690066dadac6c8c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
22423a1947ff47f4697cca2709be5e8f

SHA1
0eaddcbc0f2d3654f482d3e53e78ce2d6ea54db2

SHA256
687ab6bb4fa1d65213f0e60f2d25cfa1953ec9a7aa1ba6979839b0a256db6767

SHA512
94fa72ec8888fd528a10eebf1c476a9b2b44fdda2161a7bd7ddbb7f220c70d05623c1755cddb0efe551831cf73a07ea0246d156580ee8bba72756a9087567066

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ce01620e5f1ef4c5f6eea4e623915ffe

SHA1
4fdb3db7c69c7a39343fa968f0ea894dbf154acd

SHA256
eacc67ab1b7f3b391a6a791c1614eb278070a81c3cfcc8b47df09f8d115353a7

SHA512
5a2c98a889b2ab3b4b84d93ae9284ea6cdb9fd3dedc64c0e44e7c849463d4794f6555d1cf2ff58a4c73a183ef8a67169b6f16c414bd6edb60b4051bf57653084

Download Submit
C:\Users\Admin\AppData\Local\Temp\Trojan.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_svkd3ijg.mho.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Documents\Sub\xdwdClient.exe
Filesize
769KB

MD5
0f6650adff096ba42febd82cbc3a64fe

SHA1
7673c6646eb405a25df0751fbd00fb83fe303585

SHA256
a35331e95e0329556d7b0e88d2573a12db668314ee1326a1f23c01a427abdc66

SHA512
072b0ec2cc7342b58ea142fc3615e71bbb28219b55ee34d24d1b76d62f75c499dc457efdd75c6f5e71bb3807f275599f2e988ef836f45d45f035e59f3a682950

Download Submit
C:\Windows\xdwd.dll
Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/8-540-0x00000000015C0000-0x00000000015CA000-memory.dmp

Filesize
40KB

Download
memory/8-33-0x000000001C380000-0x000000001C390000-memory.dmp

Filesize
64KB

Download
memory/8-0-0x0000000000E70000-0x0000000000F36000-memory.dmp

Filesize
792KB

Download
memory/8-538-0x0000000001640000-0x00000000016B6000-memory.dmp

Filesize
472KB

Download
memory/8-548-0x00000000015F0000-0x000000000160E000-memory.dmp

Filesize
120KB

Download
memory/8-207-0x000000001C380000-0x000000001C390000-memory.dmp

Filesize
64KB

Download
memory/8-63-0x00007FFBEA1B0000-0x00007FFBEAB9C000-memory.dmp

Filesize
9.9MB

Download
memory/8-1-0x00007FFBEA1B0000-0x00007FFBEAB9C000-memory.dmp

Filesize
9.9MB

Download
memory/652-783-0x00007FFBEA1B0000-0x00007FFBEAB9C000-memory.dmp

Filesize
9.9MB

Download
memory/652-788-0x000001768D0E0000-0x000001768D0F0000-memory.dmp

Filesize
64KB

Download
memory/652-709-0x000001768D0E0000-0x000001768D0F0000-memory.dmp

Filesize
64KB

Download
memory/652-775-0x00007FFBF6B40000-0x00007FFBF6D1B000-memory.dmp

Filesize
1.9MB

Download
memory/652-672-0x00007FFBF6B40000-0x00007FFBF6D1B000-memory.dmp

Filesize
1.9MB

Download
memory/920-4219-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1400-582-0x00007FFBEA1B0000-0x00007FFBEAB9C000-memory.dmp

Filesize
9.9MB

Download
memory/1400-583-0x0000016421240000-0x0000016421250000-memory.dmp

Filesize
64KB

Download
memory/1400-579-0x00007FFBF6B40000-0x00007FFBF6D1B000-memory.dmp

Filesize
1.9MB

Download
memory/1400-600-0x0000016421320000-0x0000016421342000-memory.dmp

Filesize
136KB

Download
memory/1400-606-0x0000016421240000-0x0000016421250000-memory.dmp

Filesize
64KB

Download
memory/1400-578-0x00007FFBF6B40000-0x00007FFBF6D1B000-memory.dmp

Filesize
1.9MB

Download
memory/1400-653-0x00007FFBEA1B0000-0x00007FFBEAB9C000-memory.dmp

Filesize
9.9MB

Download
memory/1400-590-0x0000016421240000-0x0000016421250000-memory.dmp

Filesize
64KB

Download
memory/1400-654-0x00007FFBF6B40000-0x00007FFBF6D1B000-memory.dmp

Filesize
1.9MB

Download
memory/1476-658-0x00007FFBF6B40000-0x00007FFBF6D1B000-memory.dmp

Filesize
1.9MB

Download
memory/1476-659-0x00007FFBF6B40000-0x00007FFBF6D1B000-memory.dmp

Filesize
1.9MB

Download
memory/1476-662-0x00007FFBEA1B0000-0x00007FFBEAB9C000-memory.dmp

Filesize
9.9MB

Download
memory/1476-764-0x000001E96A520000-0x000001E96A530000-memory.dmp

Filesize
64KB

Download
memory/1476-663-0x000001E96A520000-0x000001E96A530000-memory.dmp

Filesize
64KB

Download
memory/2672-763-0x000002ABD43C0000-0x000002ABD43D0000-memory.dmp

Filesize
64KB

Download
memory/2672-759-0x00007FFBF6B40000-0x00007FFBF6D1B000-memory.dmp

Filesize
1.9MB

Download
memory/2672-762-0x00007FFBEA1B0000-0x00007FFBEAB9C000-memory.dmp

Filesize
9.9MB

Download
memory/2760-750-0x0000029DFF1F0000-0x0000029DFF200000-memory.dmp

Filesize
64KB

Download
memory/2760-742-0x0000029DFF1F0000-0x0000029DFF200000-memory.dmp

Filesize
64KB

Download
memory/2760-710-0x00007FFBF6B40000-0x00007FFBF6D1B000-memory.dmp

Filesize
1.9MB

Download
memory/2760-799-0x00007FFBF6B40000-0x00007FFBF6D1B000-memory.dmp

Filesize
1.9MB

Download
memory/2760-726-0x00007FFBEA1B0000-0x00007FFBEAB9C000-memory.dmp

Filesize
9.9MB

Download
memory/3036-684-0x00000191AA100000-0x00000191AA110000-memory.dmp

Filesize
64KB

Download
memory/3036-767-0x00007FFBEA1B0000-0x00007FFBEAB9C000-memory.dmp

Filesize
9.9MB

Download
memory/3036-685-0x00000191AA100000-0x00000191AA110000-memory.dmp

Filesize
64KB

Download
memory/3036-665-0x00007FFBF6B40000-0x00007FFBF6D1B000-memory.dmp

Filesize
1.9MB

Download
memory/3036-666-0x00007FFBF6B40000-0x00007FFBF6D1B000-memory.dmp

Filesize
1.9MB

Download
memory/3060-758-0x00007FFBF6B40000-0x00007FFBF6D1B000-memory.dmp

Filesize
1.9MB

Download
memory/3060-761-0x00000111DEDB0000-0x00000111DEDC0000-memory.dmp

Filesize
64KB

Download
memory/4004-678-0x00007FFBEA1B0000-0x00007FFBEAB9C000-memory.dmp

Filesize
9.9MB

Download
memory/4004-765-0x00007FFBF6B40000-0x00007FFBF6D1B000-memory.dmp

Filesize
1.9MB

Download
memory/4004-687-0x0000023F19300000-0x0000023F19310000-memory.dmp

Filesize
64KB

Download
memory/4004-690-0x0000023F19300000-0x0000023F19310000-memory.dmp

Filesize
64KB

Download
memory/4004-669-0x00007FFBF6B40000-0x00007FFBF6D1B000-memory.dmp

Filesize
1.9MB

Download
memory/4652-64-0x00007FFBF6B40000-0x00007FFBF6D1B000-memory.dmp

Filesize
1.9MB

Download
memory/4652-65-0x00007FFBF6A00000-0x00007FFBF6A01000-memory.dmp

Filesize
4KB

Download
memory/4652-66-0x00007FFBF6B40000-0x00007FFBF6D1B000-memory.dmp

Filesize
1.9MB

Download
memory/4820-719-0x000002BCAC4E0000-0x000002BCAC4F0000-memory.dmp

Filesize
64KB

Download
memory/4820-707-0x00007FFBEA1B0000-0x00007FFBEAB9C000-memory.dmp

Filesize
9.9MB

Download
memory/4820-787-0x00007FFBF6B40000-0x00007FFBF6D1B000-memory.dmp

Filesize
1.9MB

Download
memory/4820-721-0x000002BCAC4E0000-0x000002BCAC4F0000-memory.dmp

Filesize
64KB

Download
memory/4820-681-0x00007FFBF6B40000-0x00007FFBF6D1B000-memory.dmp

Filesize
1.9MB

Download
memory/4896-755-0x000002111E1E0000-0x000002111E1F0000-memory.dmp

Filesize
64KB

Download
memory/4896-734-0x00007FFBF6B40000-0x00007FFBF6D1B000-memory.dmp

Filesize
1.9MB

Download
memory/4896-747-0x00007FFBEA1B0000-0x00007FFBEAB9C000-memory.dmp

Filesize
9.9MB

Download
memory/4896-753-0x000002111E1E0000-0x000002111E1F0000-memory.dmp

Filesize
64KB

Download
memory/4920-739-0x00007FFBF6B40000-0x00007FFBF6D1B000-memory.dmp

Filesize
1.9MB

Download
memory/4920-757-0x000002F07BFC0000-0x000002F07BFD0000-memory.dmp

Filesize
64KB

Download
memory/5112-748-0x00000213A8CC0000-0x00000213A8CD0000-memory.dmp

Filesize
64KB

Download
memory/5112-717-0x00007FFBF6B40000-0x00007FFBF6D1B000-memory.dmp

Filesize
1.9MB

Download
memory/5112-800-0x00007FFBF6B40000-0x00007FFBF6D1B000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads