njrat | e01df4c5286089fb07206d0c3b7c245b5321a88fb9e19e413ca431608a0e7e84

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e01df4c5286089fb07206d0c3b7c245b5321a88fb9e19e413ca431608a0e7e84.exe
Size

5.2MB
MD5

4b33f2982aa4df81f65b713a7e398b3c
SHA1

630b0be15443733a06412b072441ec00075e2f83
SHA256

e01df4c5286089fb07206d0c3b7c245b5321a88fb9e19e413ca431608a0e7e84
SHA512

7efceddfe0d85ea082650d47e3897dd35b3117154fa20b391f2db8626bcb2a3ba04bb0ae3e7efff9fb5585c4c95262f0669c7aa72ff322a8138cb35d8d841205
SSDEEP

98304:Oh9o1ezhQcSZcOb+sX1ZvbeG4Z0FGRABTgtse6vzovknQp:Oh9hhQcERCsXDjfZkJMQp

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

HacKed

127.0.0.1:8848

Mutex

SecurityHealthService.exe

Attributes

reg_key
SecurityHealthService.exe
splitter
|Ghost|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

main.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation main.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	main.exe

Drops startup file 3 IoCs

Processes:

SecurityHealthService.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthService.exe	SecurityHealthService.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthService.exe	SecurityHealthService.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthService.url	SecurityHealthService.exe

Executes dropped EXE 3 IoCs

Processes:

main.exeSecurityHealthService.exeSecurityHealthService.exe

pid process

1480 main.exe
4352 SecurityHealthService.exe
2968 SecurityHealthService.exe

pid	process
1480	main.exe
4352	SecurityHealthService.exe
2968	SecurityHealthService.exe

Loads dropped DLL 4 IoCs

Processes:

e01df4c5286089fb07206d0c3b7c245b5321a88fb9e19e413ca431608a0e7e84.exe

pid	process
3376	e01df4c5286089fb07206d0c3b7c245b5321a88fb9e19e413ca431608a0e7e84.exe
3376	e01df4c5286089fb07206d0c3b7c245b5321a88fb9e19e413ca431608a0e7e84.exe
3376	e01df4c5286089fb07206d0c3b7c245b5321a88fb9e19e413ca431608a0e7e84.exe
3376	e01df4c5286089fb07206d0c3b7c245b5321a88fb9e19e413ca431608a0e7e84.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

SecurityHealthService.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthService.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\SecurityHealthService.exe\" .."	SecurityHealthService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SecurityHealthService.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\SecurityHealthService.exe\" .."	SecurityHealthService.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

31 pastebin.com
30 pastebin.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
31	pastebin.com
30	pastebin.com

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1956	schtasks.exe
4944	schtasks.exe
5008	schtasks.exe
5036	schtasks.exe
3692	schtasks.exe
4324	schtasks.exe
3488	schtasks.exe
2856	schtasks.exe
1408	schtasks.exe
5096	schtasks.exe
4280	schtasks.exe
3392	schtasks.exe
2984	schtasks.exe
1500	schtasks.exe
3312	schtasks.exe
1696	schtasks.exe
4628	schtasks.exe
3096	schtasks.exe
2288	schtasks.exe
4420	schtasks.exe
512	schtasks.exe
3940	schtasks.exe
2172	schtasks.exe
2020	schtasks.exe
3540	schtasks.exe
4332	schtasks.exe
4516	schtasks.exe
860	schtasks.exe
4392	schtasks.exe
1864	schtasks.exe
2464	schtasks.exe
4792	schtasks.exe
3764	schtasks.exe
4532	schtasks.exe
856	schtasks.exe
4288	schtasks.exe
2480	schtasks.exe
832	schtasks.exe
3172	schtasks.exe
1664	schtasks.exe
3584	schtasks.exe
4216	schtasks.exe
1904	schtasks.exe
3196	schtasks.exe
2176	schtasks.exe
4492	schtasks.exe
748	schtasks.exe
2076	schtasks.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

SecurityHealthService.exe

description	pid	process
Token: SeDebugPrivilege	4352	SecurityHealthService.exe
Token: 33	4352	SecurityHealthService.exe
Token: SeIncBasePriorityPrivilege	4352	SecurityHealthService.exe
Token: 33	4352	SecurityHealthService.exe
Token: SeIncBasePriorityPrivilege	4352	SecurityHealthService.exe
Token: 33	4352	SecurityHealthService.exe
Token: SeIncBasePriorityPrivilege	4352	SecurityHealthService.exe
Token: 33	4352	SecurityHealthService.exe
Token: SeIncBasePriorityPrivilege	4352	SecurityHealthService.exe
Token: 33	4352	SecurityHealthService.exe
Token: SeIncBasePriorityPrivilege	4352	SecurityHealthService.exe
Token: 33	4352	SecurityHealthService.exe
Token: SeIncBasePriorityPrivilege	4352	SecurityHealthService.exe
Token: 33	4352	SecurityHealthService.exe
Token: SeIncBasePriorityPrivilege	4352	SecurityHealthService.exe
Token: 33	4352	SecurityHealthService.exe
Token: SeIncBasePriorityPrivilege	4352	SecurityHealthService.exe
Token: 33	4352	SecurityHealthService.exe
Token: SeIncBasePriorityPrivilege	4352	SecurityHealthService.exe
Token: 33	4352	SecurityHealthService.exe
Token: SeIncBasePriorityPrivilege	4352	SecurityHealthService.exe
Token: 33	4352	SecurityHealthService.exe
Token: SeIncBasePriorityPrivilege	4352	SecurityHealthService.exe
Token: 33	4352	SecurityHealthService.exe
Token: SeIncBasePriorityPrivilege	4352	SecurityHealthService.exe
Token: 33	4352	SecurityHealthService.exe
Token: SeIncBasePriorityPrivilege	4352	SecurityHealthService.exe
Token: 33	4352	SecurityHealthService.exe
Token: SeIncBasePriorityPrivilege	4352	SecurityHealthService.exe
Token: 33	4352	SecurityHealthService.exe
Token: SeIncBasePriorityPrivilege	4352	SecurityHealthService.exe
Token: 33	4352	SecurityHealthService.exe
Token: SeIncBasePriorityPrivilege	4352	SecurityHealthService.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e01df4c5286089fb07206d0c3b7c245b5321a88fb9e19e413ca431608a0e7e84.exee01df4c5286089fb07206d0c3b7c245b5321a88fb9e19e413ca431608a0e7e84.execmd.exemain.exeSecurityHealthService.exe

description	pid	process	target process
PID 1512 wrote to memory of 3376	1512	e01df4c5286089fb07206d0c3b7c245b5321a88fb9e19e413ca431608a0e7e84.exe	e01df4c5286089fb07206d0c3b7c245b5321a88fb9e19e413ca431608a0e7e84.exe
PID 1512 wrote to memory of 3376	1512	e01df4c5286089fb07206d0c3b7c245b5321a88fb9e19e413ca431608a0e7e84.exe	e01df4c5286089fb07206d0c3b7c245b5321a88fb9e19e413ca431608a0e7e84.exe
PID 3376 wrote to memory of 2264	3376	e01df4c5286089fb07206d0c3b7c245b5321a88fb9e19e413ca431608a0e7e84.exe	cmd.exe
PID 3376 wrote to memory of 2264	3376	e01df4c5286089fb07206d0c3b7c245b5321a88fb9e19e413ca431608a0e7e84.exe	cmd.exe
PID 2264 wrote to memory of 1480	2264	cmd.exe	main.exe
PID 2264 wrote to memory of 1480	2264	cmd.exe	main.exe
PID 2264 wrote to memory of 1480	2264	cmd.exe	main.exe
PID 1480 wrote to memory of 4352	1480	main.exe	SecurityHealthService.exe
PID 1480 wrote to memory of 4352	1480	main.exe	SecurityHealthService.exe
PID 1480 wrote to memory of 4352	1480	main.exe	SecurityHealthService.exe
PID 4352 wrote to memory of 4840	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 4840	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 4840	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 3692	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 3692	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 3692	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 4228	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 4228	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 4228	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 4324	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 4324	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 4324	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 4020	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 4020	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 4020	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 2464	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 2464	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 2464	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 868	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 868	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 868	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 1696	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 1696	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 1696	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 4112	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 4112	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 4112	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 5096	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 5096	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 5096	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 944	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 944	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 944	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 4516	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 4516	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 4516	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 3180	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 3180	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 3180	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 3196	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 3196	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 3196	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 4400	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 4400	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 4400	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 4288	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 4288	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 4288	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 2352	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 2352	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 2352	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 4628	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 4628	4352	SecurityHealthService.exe	schtasks.exe
PID 4352 wrote to memory of 4628	4352	SecurityHealthService.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\e01df4c5286089fb07206d0c3b7c245b5321a88fb9e19e413ca431608a0e7e84.exe
"C:\Users\Admin\AppData\Local\Temp\e01df4c5286089fb07206d0c3b7c245b5321a88fb9e19e413ca431608a0e7e84.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Users\Admin\AppData\Local\Temp\e01df4c5286089fb07206d0c3b7c245b5321a88fb9e19e413ca431608a0e7e84.exe
"C:\Users\Admin\AppData\Local\Temp\e01df4c5286089fb07206d0c3b7c245b5321a88fb9e19e413ca431608a0e7e84.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\\main.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2264

C:\main.exe
C:\\main.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480

C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
"C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe"
5⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:4840

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:3692

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:4228

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:4324

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:4020

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:2464

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:868

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:1696

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:4112

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:5096

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:944

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:4516

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:3180

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:3196

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:4400

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:4288

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:2352

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:4628

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:1452

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:4792

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:2892

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:3940

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:2372

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:2176

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:4500

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:832

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:1740

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:4280

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:3868

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:860

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:2264

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:3488

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:4740

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:3172

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:1292

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:3392

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:2896

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:1664

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:4476

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:2480

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:2616

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:2172

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:1288

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:2856

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:4380

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:3584

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:4272

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:4392

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:1388

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:2020

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:4744

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:4216

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:5048

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:3096

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:1376

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:1904

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:1976

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:748

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:4620

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:1956

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:3376

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:2076

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:348

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:2288

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:3760

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:4944

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:2860

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:4420

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:2196

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:4492

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:1688

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:3764

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:1472

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:4532

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:3492

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:856

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:3036

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:3540

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:3408

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:5008

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:552

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:2984

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:2388

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:5036

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:4456

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:1408

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:876

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:1864

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:4864

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:512

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:2868

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:4332

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:1700

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:1500

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "SecurityHealthService" /f
6⤵
PID:2776

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "SecurityHealthService" /tr C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
6⤵
- Creates scheduled task(s)
PID:3312

C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
C:\Users\Admin\AppData\Roaming\SecurityHealthService.exe
1⤵
- Executes dropped EXE
PID:2968

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI15122\VCRUNTIME140.dll
Filesize
93KB

MD5
4a365ffdbde27954e768358f4a4ce82e

SHA1
a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

SHA256
6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

SHA512
54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15122\_bz2.pyd
Filesize
84KB

MD5
e91b4f8e1592da26bacaceb542a220a8

SHA1
5459d4c2147fa6db75211c3ec6166b869738bd38

SHA256
20895fa331712701ebfdbb9ab87e394309e910f1d782929fd65b59ed76d9c90f

SHA512
cb797fa758c65358e5b0fef739181f6b39e0629758a6f8d5c4bd7dc6422001769a19df0c746724fb2567a58708b18bbd098327bfbdf3378426049b113eb848e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15122\_decimal.pyd
Filesize
264KB

MD5
65287fd87a64bc756867a1afddec9e29

SHA1
cda1db353f81df7a4a818add8f87bca9ac840455

SHA256
df19c2e6ec3145166fa8d206c11db78bc1979a027105c4f21d40410b5082ba34

SHA512
3e3f19cf965b260ffc68e45d5101234e8a957411c076a0d487d307dcfa714a9801cb501224fe7621937aebdf90275f655c8a70dd6675bcfb5374404fda53236f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15122\_hashlib.pyd
Filesize
64KB

MD5
7c69cb3cb3182a97e3e9a30d2241ebed

SHA1
1b8754ff57a14c32bcadc330d4880382c7fffc93

SHA256
12a84bacb071b1948a9f751ac8d0653ba71a8f6b217a69fe062608e532065c20

SHA512
96dbabbc6b98d473cbe06dcd296f6c6004c485e57ac5ba10560a377393875192b22df8a7103fe4a22795b8d81b8b0ae14ce7646262f87cb609b9e2590a93169e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15122\_lzma.pyd
Filesize
159KB

MD5
493c33ddf375b394b648c4283b326481

SHA1
59c87ee582ba550f064429cb26ad79622c594f08

SHA256
6384ded31408788d35a89dc3f7705ea2928f6bbdeb8b627f0d1b2d7b1ea13e16

SHA512
a4a83f04c7fc321796ce6a932d572dca1ad6ecefd31002320aeaa2453701ed49ef9f0d9ba91c969737565a6512b94fbb0311aee53d355345a03e98f43e6f98b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15122\_socket.pyd
Filesize
78KB

MD5
fd1cfe0f0023c5780247f11d8d2802c9

SHA1
5b29a3b4c6edb6fa176077e1f1432e3b0178f2bc

SHA256
258a5f0b4d362b2fed80b24eeabcb3cdd1602e32ff79d87225da6d15106b17a6

SHA512
b304a2e56829a557ec401c6fdda78d6d05b7495a610c1ed793d6b25fc5af891cb2a1581addb27ab5e2a6cb0be24d9678f67b97828015161bc875df9b7b5055ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15122\base_library.zip
Filesize
826KB

MD5
2abe470164e060916c6842da1263e5ad

SHA1
197163bfb26ce54420fa6eba03cf0fa0a5622934

SHA256
151a4c8ea261130b5ae94653e5470ac6fe4663de269c187b2b38d6fccadc1baa

SHA512
01e2c58b24f7d3d7b31df97c6dbe8aee0c0f61f457c78d62830fa954c17dffb74b4e5389ef389926b5ba78f96deb08ad4cd61c9ecea256bf35e0a99cd2366d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15122\libcrypto-1_1.dll
Filesize
3.2MB

MD5
89511df61678befa2f62f5025c8c8448

SHA1
df3961f833b4964f70fcf1c002d9fd7309f53ef8

SHA256
296426e7ce11bc3d1cfa9f2aeb42f60c974da4af3b3efbeb0ba40e92e5299fdf

SHA512
9af069ea13551a4672fdd4635d3242e017837b76ab2815788148dd4c44b4cf3a650d43ac79cd2122e1e51e01fb5164e71ff81a829395bdb8e50bb50a33f0a668

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15122\main.zip
Filesize
65KB

MD5
e87566acf4ca1c9983971705a6c60906

SHA1
895740f5e3a9e70f720092946fc1e883466a26bc

SHA256
52507bc59bce399e5db789241fcc171a2ca5c868a8c2c985d3e02364af1a4990

SHA512
0bcd79fcdfc1490f8f5078bc12bd6c11ff7d66c875c95523a64fd8df63deb94f83046247ff2823f25eac7b70920180cac50a90130bc03470249595dbf97284d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15122\python39.dll
Filesize
4.3MB

MD5
5cd203d356a77646856341a0c9135fc6

SHA1
a1f4ac5cc2f5ecb075b3d0129e620784814a48f7

SHA256
a56afcf5f3a72769c77c3bc43c9b84197180a8b3380b6258073223bfd72ed47a

SHA512
390008d57fa711d7c88b77937bf16fdb230e7c1e7182faea6d7c206e9f65ced6f2e835f9da9befb941e80624abe45875602e0e7ad485d9a009d2450a2a0e0f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15122\select.pyd
Filesize
28KB

MD5
0e3cf5d792a3f543be8bbc186b97a27a

SHA1
50f4c70fce31504c6b746a2c8d9754a16ebc8d5e

SHA256
c7ffae6dc927cf10ac5da08614912bb3ad8fc52aa0ef9bc376d831e72dd74460

SHA512
224b42e05b4dbdf7275ee7c5d3eb190024fc55e22e38bd189c1685efee2a3dd527c6dfcb2feeec525b8d6dc35aded1eac2423ed62bb2599bb6a9ea34e842c340

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15122\unicodedata.pyd
Filesize
1.1MB

MD5
7af51031368619638cca688a7275db14

SHA1
64e2cc5ac5afe8a65af690047dc03858157e964c

SHA256
7f02a99a23cc3ff63ecb10ba6006e2da7bf685530bad43882ebf90d042b9eeb6

SHA512
fbde24501288ff9b06fc96faff5e7a1849765df239e816774c04a4a6ef54a0c641adf4325bfb116952082d3234baef12288174ad8c18b62407109f29aa5ab326

Download Submit
C:\main.exe
Filesize
65KB

MD5
fef0fb51e5e35ca9244420c7675bb346

SHA1
ed4284dc3642bf59f8301b68b48fbb03ad5387f3

SHA256
21f539d71ad30ea865ccf0ee4dfdf6322b4895ce2cf8af67f120c2dfc84af33b

SHA512
66ec13dedfad899f29a5676ae6cb06d5eb357a8b31806154d91764069f748f1f4f5eb479211029bc72f0ee7b1dc3628ba5a8bb0a7e376d37bd4d94c18fb0f043

Download Submit
memory/1480-32-0x0000000075312000-0x0000000075313000-memory.dmp

Filesize
4KB

Download
memory/1480-33-0x0000000075310000-0x00000000758C1000-memory.dmp

Filesize
5.7MB

Download
memory/1480-34-0x0000000075310000-0x00000000758C1000-memory.dmp

Filesize
5.7MB

Download
memory/1480-44-0x0000000075310000-0x00000000758C1000-memory.dmp

Filesize
5.7MB

Download
memory/4352-45-0x0000000075310000-0x00000000758C1000-memory.dmp

Filesize
5.7MB

Download
memory/4352-46-0x0000000075310000-0x00000000758C1000-memory.dmp

Filesize
5.7MB

Download
memory/4352-50-0x0000000075310000-0x00000000758C1000-memory.dmp

Filesize
5.7MB

Download
memory/4352-51-0x0000000075310000-0x00000000758C1000-memory.dmp

Filesize
5.7MB

Download