njrat | 2018fc40b0faeb1ddd7406ec68677a55164633ee245966a07688329459f6da7d

Analysis

max time kernel
599s
max time network
597s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cheat.exe
Size

65KB
MD5

596bb1dd5ae0ac50a9218910d193d4cf
SHA1

377563b67e5601266d711345f78df4a7d95cad27
SHA256

2018fc40b0faeb1ddd7406ec68677a55164633ee245966a07688329459f6da7d
SHA512

b543f966b174f59384e0579935ae194bff479576007ef966c7bf1a3e3f256e9686383c21f5c239df9e28970106f7770b09fbb498400b7a26cc981a37a9555299
SSDEEP

1536:fj+u2LoN36tcQviFw1A+HIBnvbLfLteF3nLrB9z3nUaF9b6S9vM:fj+uIoN36tcQviFC9oBnnfWl9zkaF9bC

Score

10^/10

njrat njrat persistence trojan

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

njRat

127.0.0.1:21679

Mutex

HDAudio.exe

Attributes

reg_key
HDAudio.exe
splitter
|Ghost|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 3 IoCs

Processes:

HDAudio.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudio.url	HDAudio.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudio.exe	HDAudio.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudio.exe	HDAudio.exe

Executes dropped EXE 11 IoCs

Processes:

HDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exeHDAudio.exe

pid	process
2848	HDAudio.exe
1564	HDAudio.exe
1780	HDAudio.exe
1216	HDAudio.exe
2492	HDAudio.exe
1884	HDAudio.exe
1696	HDAudio.exe
1528	HDAudio.exe
1248	HDAudio.exe
712	HDAudio.exe
1428	HDAudio.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HDAudio.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\HDAudio.exe = "\"C:\\Windows\\HDAudio.exe\" .."	HDAudio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HDAudio.exe = "\"C:\\Windows\\HDAudio.exe\" .."	HDAudio.exe

Drops file in Windows directory 2 IoCs

Processes:

Cheat.exeHDAudio.exe

description ioc process

File created C:\Windows\HDAudio.exe Cheat.exe
File opened for modification C:\Windows\HDAudio.exe HDAudio.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\HDAudio.exe	Cheat.exe
File opened for modification	C:\Windows\HDAudio.exe	HDAudio.exe

Creates scheduled task(s) 1 TTPs 26 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
884	schtasks.exe
2916	schtasks.exe
1864	schtasks.exe
1240	schtasks.exe
2220	schtasks.exe
444	schtasks.exe
2544	schtasks.exe
2624	schtasks.exe
2380	schtasks.exe
928	schtasks.exe
2576	schtasks.exe
992	schtasks.exe
2416	schtasks.exe
1492	schtasks.exe
1756	schtasks.exe
1356	schtasks.exe
1496	schtasks.exe
1608	schtasks.exe
1916	schtasks.exe
2356	schtasks.exe
2604	schtasks.exe
2944	schtasks.exe
1212	schtasks.exe
1852	schtasks.exe
2312	schtasks.exe
320	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

HDAudio.exe

description	pid	process
Token: SeDebugPrivilege	2848	HDAudio.exe
Token: 33	2848	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2848	HDAudio.exe
Token: 33	2848	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2848	HDAudio.exe
Token: 33	2848	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2848	HDAudio.exe
Token: 33	2848	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2848	HDAudio.exe
Token: 33	2848	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2848	HDAudio.exe
Token: 33	2848	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2848	HDAudio.exe
Token: 33	2848	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2848	HDAudio.exe
Token: 33	2848	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2848	HDAudio.exe
Token: 33	2848	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2848	HDAudio.exe
Token: 33	2848	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2848	HDAudio.exe
Token: 33	2848	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2848	HDAudio.exe
Token: 33	2848	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2848	HDAudio.exe
Token: 33	2848	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2848	HDAudio.exe
Token: 33	2848	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2848	HDAudio.exe
Token: 33	2848	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2848	HDAudio.exe
Token: 33	2848	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2848	HDAudio.exe
Token: 33	2848	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2848	HDAudio.exe
Token: 33	2848	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2848	HDAudio.exe
Token: 33	2848	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2848	HDAudio.exe
Token: 33	2848	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2848	HDAudio.exe
Token: 33	2848	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2848	HDAudio.exe
Token: 33	2848	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2848	HDAudio.exe
Token: 33	2848	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2848	HDAudio.exe
Token: 33	2848	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2848	HDAudio.exe
Token: 33	2848	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2848	HDAudio.exe
Token: 33	2848	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2848	HDAudio.exe
Token: 33	2848	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2848	HDAudio.exe
Token: 33	2848	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2848	HDAudio.exe
Token: 33	2848	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2848	HDAudio.exe
Token: 33	2848	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2848	HDAudio.exe
Token: 33	2848	HDAudio.exe
Token: SeIncBasePriorityPrivilege	2848	HDAudio.exe
Token: 33	2848	HDAudio.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Cheat.exeHDAudio.exetaskeng.exe

description	pid	process	target process
PID 2252 wrote to memory of 2848	2252	Cheat.exe	HDAudio.exe
PID 2252 wrote to memory of 2848	2252	Cheat.exe	HDAudio.exe
PID 2252 wrote to memory of 2848	2252	Cheat.exe	HDAudio.exe
PID 2252 wrote to memory of 2848	2252	Cheat.exe	HDAudio.exe
PID 2848 wrote to memory of 2572	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 2572	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 2572	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 2572	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 2312	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 2312	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 2312	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 2312	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 2924	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 2924	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 2924	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 2924	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 2416	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 2416	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 2416	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 2416	2848	HDAudio.exe	schtasks.exe
PID 2168 wrote to memory of 1564	2168	taskeng.exe	HDAudio.exe
PID 2168 wrote to memory of 1564	2168	taskeng.exe	HDAudio.exe
PID 2168 wrote to memory of 1564	2168	taskeng.exe	HDAudio.exe
PID 2168 wrote to memory of 1564	2168	taskeng.exe	HDAudio.exe
PID 2848 wrote to memory of 1188	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 1188	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 1188	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 1188	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 2380	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 2380	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 2380	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 2380	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 2012	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 2012	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 2012	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 2012	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 2916	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 2916	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 2916	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 2916	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 2200	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 2200	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 2200	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 2200	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 320	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 320	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 320	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 320	2848	HDAudio.exe	schtasks.exe
PID 2168 wrote to memory of 1780	2168	taskeng.exe	HDAudio.exe
PID 2168 wrote to memory of 1780	2168	taskeng.exe	HDAudio.exe
PID 2168 wrote to memory of 1780	2168	taskeng.exe	HDAudio.exe
PID 2168 wrote to memory of 1780	2168	taskeng.exe	HDAudio.exe
PID 2848 wrote to memory of 2284	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 2284	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 2284	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 2284	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 444	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 444	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 444	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 444	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 324	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 324	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 324	2848	HDAudio.exe	schtasks.exe
PID 2848 wrote to memory of 324	2848	HDAudio.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Cheat.exe
"C:\Users\Admin\AppData\Local\Temp\Cheat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\HDAudio.exe
  "C:\Windows\HDAudio.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "RealtekHDAudio" /f
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
    3⤵
    - Creates scheduled task(s)
    PID:2312
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "RealtekHDAudio" /f
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
    3⤵
    - Creates scheduled task(s)
    PID:2416
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "RealtekHDAudio" /f
    3⤵
    PID:1188
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
    3⤵
    - Creates scheduled task(s)
    PID:2380
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "RealtekHDAudio" /f
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
    3⤵
    - Creates scheduled task(s)
    PID:2916
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "RealtekHDAudio" /f
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
    3⤵
    - Creates scheduled task(s)
    PID:320
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "RealtekHDAudio" /f
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
    3⤵
    - Creates scheduled task(s)
    PID:444
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "RealtekHDAudio" /f
    3⤵
    PID:324
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
    3⤵
    - Creates scheduled task(s)
    PID:1608
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "RealtekHDAudio" /f
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
    3⤵
    - Creates scheduled task(s)
    PID:1916
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "RealtekHDAudio" /f
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
    3⤵
    - Creates scheduled task(s)
    PID:1492
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "RealtekHDAudio" /f
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
    3⤵
    - Creates scheduled task(s)
    PID:2576
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "RealtekHDAudio" /f
    3⤵
    PID:2480
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
    3⤵
    - Creates scheduled task(s)
    PID:2544
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "RealtekHDAudio" /f
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
    3⤵
    - Creates scheduled task(s)
    PID:1240
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "RealtekHDAudio" /f
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
    3⤵
    - Creates scheduled task(s)
    PID:992
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "RealtekHDAudio" /f
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
    3⤵
    - Creates scheduled task(s)
    PID:1212
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "RealtekHDAudio" /f
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
    3⤵
    - Creates scheduled task(s)
    PID:928
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "RealtekHDAudio" /f
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
    3⤵
    - Creates scheduled task(s)
    PID:1864
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "RealtekHDAudio" /f
    3⤵
    PID:3060
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
    3⤵
    - Creates scheduled task(s)
    PID:2220
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "RealtekHDAudio" /f
    3⤵
    PID:2144
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
    3⤵
    - Creates scheduled task(s)
    PID:884
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "RealtekHDAudio" /f
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
    3⤵
    - Creates scheduled task(s)
    PID:2604
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "RealtekHDAudio" /f
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
    3⤵
    - Creates scheduled task(s)
    PID:1756
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "RealtekHDAudio" /f
    3⤵
    PID:864
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
    3⤵
    - Creates scheduled task(s)
    PID:1356
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "RealtekHDAudio" /f
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
    3⤵
    - Creates scheduled task(s)
    PID:2624
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "RealtekHDAudio" /f
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
    3⤵
    - Creates scheduled task(s)
    PID:2944
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "RealtekHDAudio" /f
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
    3⤵
    - Creates scheduled task(s)
    PID:2356
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "RealtekHDAudio" /f
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
    3⤵
    - Creates scheduled task(s)
    PID:1496
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "RealtekHDAudio" /f
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
    3⤵
    - Creates scheduled task(s)
    PID:1852

C:\Windows\system32\taskeng.exe
taskeng.exe {071EAAF7-025E-420E-AB76-BEFCA02D5A6E} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\HDAudio.exe
  C:\Windows\HDAudio.exe
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\HDAudio.exe
  C:\Windows\HDAudio.exe
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Windows\HDAudio.exe
  C:\Windows\HDAudio.exe
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\HDAudio.exe
  C:\Windows\HDAudio.exe
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\HDAudio.exe
  C:\Windows\HDAudio.exe
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\Windows\HDAudio.exe
  C:\Windows\HDAudio.exe
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\HDAudio.exe
  C:\Windows\HDAudio.exe
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\HDAudio.exe
  C:\Windows\HDAudio.exe
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Windows\HDAudio.exe
  C:\Windows\HDAudio.exe
  2⤵
  - Executes dropped EXE
  PID:712
- C:\Windows\HDAudio.exe
  C:\Windows\HDAudio.exe
  2⤵
  - Executes dropped EXE
  PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\HDAudio.exe

Filesize
65KB

MD5
596bb1dd5ae0ac50a9218910d193d4cf

SHA1
377563b67e5601266d711345f78df4a7d95cad27

SHA256
2018fc40b0faeb1ddd7406ec68677a55164633ee245966a07688329459f6da7d

SHA512
b543f966b174f59384e0579935ae194bff479576007ef966c7bf1a3e3f256e9686383c21f5c239df9e28970106f7770b09fbb498400b7a26cc981a37a9555299

Download Submit
memory/2252-0-0x0000000074431000-0x0000000074432000-memory.dmp

Filesize
4KB

Download
memory/2252-1-0x0000000074430000-0x00000000749DB000-memory.dmp

Filesize
5.7MB

Download
memory/2252-2-0x0000000074430000-0x00000000749DB000-memory.dmp

Filesize
5.7MB

Download
memory/2252-10-0x0000000074430000-0x00000000749DB000-memory.dmp

Filesize
5.7MB

Download
memory/2848-9-0x0000000074430000-0x00000000749DB000-memory.dmp

Filesize
5.7MB

Download
memory/2848-14-0x0000000074430000-0x00000000749DB000-memory.dmp

Filesize
5.7MB

Download