njrat | 905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe
Size

8.7MB
MD5

0ba6892e146f9f39c493a83a90d42a93
SHA1

7c2f6a255d1dfb6a52056a578f4eed82f8343125
SHA256

905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9
SHA512

4051b974bd9bf1e185903f7057f8d52759430959130015c3d95a25469d31d5ed0d1eefe62683bdce687e6fe24e90174e3f972edec7a2e8c91c788d1af10ad89a
SSDEEP

196608:hCbGPZmVfjsCbGPZmVfjiCbGPZmVfjsCbGPZmVfj2CbGPZmVfjsCbGPZmVfjiCbY:0GmVNGmVrGmVNGmVnGmVNGmVrGmVNGmc

Score

10^/10

njrat jjj evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

jjj

youri.mooo.com:1605

Mutex

e936a10f968ac948cd351c9629dbd36d

Attributes

reg_key
e936a10f968ac948cd351c9629dbd36d
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2440 netsh.exe
Executes dropped EXE 3 IoCs

Processes:

winmgr107.exewinmgr107.exewinmgr107.exe

pid process

2748 winmgr107.exe
264 winmgr107.exe
1264 winmgr107.exe
Loads dropped DLL 1 IoCs

Processes:

905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe

pid process

1684 905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe

pid	process
2440	netsh.exe

pid	process
2748	winmgr107.exe
264	winmgr107.exe
1264	winmgr107.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exewinmgr107.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\2 = "C:\\ProgramData\\winmgr107.exe"	905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\2 = "C:\\ProgramData\\winmgr107.exe"	winmgr107.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\ProgramData\winmgr107.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

winmgr107.exe

description pid process target process

PID 2748 set thread context of 2868 2748 winmgr107.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2748 set thread context of 2868	2748	winmgr107.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 26 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
776	schtasks.exe
1568	schtasks.exe
2896	schtasks.exe
1120	schtasks.exe
1036	schtasks.exe
1900	schtasks.exe
1844	schtasks.exe
1764	schtasks.exe
1732	schtasks.exe
1336	schtasks.exe
2644	schtasks.exe
548	schtasks.exe
2864	schtasks.exe
2144	schtasks.exe
1700	schtasks.exe
1616	schtasks.exe
2084	schtasks.exe
2956	schtasks.exe
344	schtasks.exe
2520	schtasks.exe
1472	schtasks.exe
1968	schtasks.exe
2872	schtasks.exe
2300	schtasks.exe
1020	schtasks.exe
2924	schtasks.exe

NTFS ADS 4 IoCs

Processes:

winmgr107.exewinmgr107.exe905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exewinmgr107.exe

description	ioc	process
File opened for modification	C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA	winmgr107.exe
File opened for modification	C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA	winmgr107.exe
File created	C:\Users\Admin\AppData\Local\Temp\905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe:Zone.Identifier:$DATA	905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe
File created	C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA	winmgr107.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exewinmgr107.exewinmgr107.exewinmgr107.exe

pid	process
1684	905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe
2748	winmgr107.exe
2748	winmgr107.exe
2748	winmgr107.exe
2748	winmgr107.exe
2748	winmgr107.exe
2748	winmgr107.exe
2748	winmgr107.exe
264	winmgr107.exe
2748	winmgr107.exe
2748	winmgr107.exe
2748	winmgr107.exe
2748	winmgr107.exe
2748	winmgr107.exe
2748	winmgr107.exe
2748	winmgr107.exe
2748	winmgr107.exe
2748	winmgr107.exe
2748	winmgr107.exe
2748	winmgr107.exe
2748	winmgr107.exe
1264	winmgr107.exe
2748	winmgr107.exe
2748	winmgr107.exe
2748	winmgr107.exe
2748	winmgr107.exe
2748	winmgr107.exe
2748	winmgr107.exe
2748	winmgr107.exe
2748	winmgr107.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2868	RegAsm.exe
Token: 33	2868	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2868	RegAsm.exe
Token: 33	2868	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2868	RegAsm.exe
Token: 33	2868	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2868	RegAsm.exe
Token: 33	2868	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2868	RegAsm.exe
Token: 33	2868	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2868	RegAsm.exe
Token: 33	2868	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2868	RegAsm.exe
Token: 33	2868	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2868	RegAsm.exe
Token: 33	2868	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2868	RegAsm.exe
Token: 33	2868	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2868	RegAsm.exe
Token: 33	2868	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2868	RegAsm.exe
Token: 33	2868	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2868	RegAsm.exe
Token: 33	2868	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2868	RegAsm.exe
Token: 33	2868	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2868	RegAsm.exe
Token: 33	2868	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2868	RegAsm.exe
Token: 33	2868	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2868	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.execmd.exewinmgr107.exeRegAsm.exetaskeng.exe

description	pid	process	target process
PID 1684 wrote to memory of 2340	1684	905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe	cmd.exe
PID 1684 wrote to memory of 2340	1684	905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe	cmd.exe
PID 1684 wrote to memory of 2340	1684	905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe	cmd.exe
PID 1684 wrote to memory of 2340	1684	905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe	cmd.exe
PID 2340 wrote to memory of 2128	2340	cmd.exe	NOTEPAD.EXE
PID 2340 wrote to memory of 2128	2340	cmd.exe	NOTEPAD.EXE
PID 2340 wrote to memory of 2128	2340	cmd.exe	NOTEPAD.EXE
PID 2340 wrote to memory of 2128	2340	cmd.exe	NOTEPAD.EXE
PID 1684 wrote to memory of 2748	1684	905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe	winmgr107.exe
PID 1684 wrote to memory of 2748	1684	905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe	winmgr107.exe
PID 1684 wrote to memory of 2748	1684	905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe	winmgr107.exe
PID 1684 wrote to memory of 2748	1684	905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe	winmgr107.exe
PID 2748 wrote to memory of 2868	2748	winmgr107.exe	RegAsm.exe
PID 2748 wrote to memory of 2868	2748	winmgr107.exe	RegAsm.exe
PID 2748 wrote to memory of 2868	2748	winmgr107.exe	RegAsm.exe
PID 2748 wrote to memory of 2868	2748	winmgr107.exe	RegAsm.exe
PID 2748 wrote to memory of 2868	2748	winmgr107.exe	RegAsm.exe
PID 2748 wrote to memory of 2868	2748	winmgr107.exe	RegAsm.exe
PID 2748 wrote to memory of 2868	2748	winmgr107.exe	RegAsm.exe
PID 2748 wrote to memory of 2868	2748	winmgr107.exe	RegAsm.exe
PID 2748 wrote to memory of 2868	2748	winmgr107.exe	RegAsm.exe
PID 2748 wrote to memory of 2644	2748	winmgr107.exe	schtasks.exe
PID 2748 wrote to memory of 2644	2748	winmgr107.exe	schtasks.exe
PID 2748 wrote to memory of 2644	2748	winmgr107.exe	schtasks.exe
PID 2748 wrote to memory of 2644	2748	winmgr107.exe	schtasks.exe
PID 2748 wrote to memory of 2520	2748	winmgr107.exe	schtasks.exe
PID 2748 wrote to memory of 2520	2748	winmgr107.exe	schtasks.exe
PID 2748 wrote to memory of 2520	2748	winmgr107.exe	schtasks.exe
PID 2748 wrote to memory of 2520	2748	winmgr107.exe	schtasks.exe
PID 2868 wrote to memory of 2440	2868	RegAsm.exe	netsh.exe
PID 2868 wrote to memory of 2440	2868	RegAsm.exe	netsh.exe
PID 2868 wrote to memory of 2440	2868	RegAsm.exe	netsh.exe
PID 2868 wrote to memory of 2440	2868	RegAsm.exe	netsh.exe
PID 2748 wrote to memory of 1700	2748	winmgr107.exe	schtasks.exe
PID 2748 wrote to memory of 1700	2748	winmgr107.exe	schtasks.exe
PID 2748 wrote to memory of 1700	2748	winmgr107.exe	schtasks.exe
PID 2748 wrote to memory of 1700	2748	winmgr107.exe	schtasks.exe
PID 2748 wrote to memory of 1968	2748	winmgr107.exe	schtasks.exe
PID 2748 wrote to memory of 1968	2748	winmgr107.exe	schtasks.exe
PID 2748 wrote to memory of 1968	2748	winmgr107.exe	schtasks.exe
PID 2748 wrote to memory of 1968	2748	winmgr107.exe	schtasks.exe
PID 2748 wrote to memory of 1616	2748	winmgr107.exe	schtasks.exe
PID 2748 wrote to memory of 1616	2748	winmgr107.exe	schtasks.exe
PID 2748 wrote to memory of 1616	2748	winmgr107.exe	schtasks.exe
PID 2748 wrote to memory of 1616	2748	winmgr107.exe	schtasks.exe
PID 2156 wrote to memory of 264	2156	taskeng.exe	winmgr107.exe
PID 2156 wrote to memory of 264	2156	taskeng.exe	winmgr107.exe
PID 2156 wrote to memory of 264	2156	taskeng.exe	winmgr107.exe
PID 2156 wrote to memory of 264	2156	taskeng.exe	winmgr107.exe
PID 2748 wrote to memory of 776	2748	winmgr107.exe	schtasks.exe
PID 2748 wrote to memory of 776	2748	winmgr107.exe	schtasks.exe
PID 2748 wrote to memory of 776	2748	winmgr107.exe	schtasks.exe
PID 2748 wrote to memory of 776	2748	winmgr107.exe	schtasks.exe
PID 2748 wrote to memory of 1900	2748	winmgr107.exe	schtasks.exe
PID 2748 wrote to memory of 1900	2748	winmgr107.exe	schtasks.exe
PID 2748 wrote to memory of 1900	2748	winmgr107.exe	schtasks.exe
PID 2748 wrote to memory of 1900	2748	winmgr107.exe	schtasks.exe
PID 2748 wrote to memory of 1472	2748	winmgr107.exe	schtasks.exe
PID 2748 wrote to memory of 1472	2748	winmgr107.exe	schtasks.exe
PID 2748 wrote to memory of 1472	2748	winmgr107.exe	schtasks.exe
PID 2748 wrote to memory of 1472	2748	winmgr107.exe	schtasks.exe
PID 2748 wrote to memory of 1568	2748	winmgr107.exe	schtasks.exe
PID 2748 wrote to memory of 1568	2748	winmgr107.exe	schtasks.exe
PID 2748 wrote to memory of 1568	2748	winmgr107.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe
"C:\Users\Admin\AppData\Local\Temp\905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\PROGRA~3\905DAD~1.TXT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\PROGRA~3\905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe.txt
    3⤵
    PID:2128
- C:\ProgramData\winmgr107.exe
  C:\ProgramData\winmgr107.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:2440
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2644
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2520
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1700
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1968
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1616
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:776
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1900
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1472
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1568
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2896
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2084
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2956
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1844
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2872
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1120
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2144
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1764
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2300
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:548
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1036
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2864
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1732
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1336
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:344
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1020
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2924

C:\Windows\system32\taskeng.exe
taskeng.exe {5BB606CA-C854-467B-BD8E-66BA80C7FDDD} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2156
- C:\ProgramData\winmgr107.exe
  C:\ProgramData\winmgr107.exe
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:264
- C:\ProgramData\winmgr107.exe
  C:\ProgramData\winmgr107.exe
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe.txt

Filesize
992B

MD5
c8cf7247d4cfc99a7582a42d13df4c08

SHA1
317f5588af0b3b6374c436fb00084c522fd78a83

SHA256
78bd99781e971622f1573bccf2ae9cdd7a7498cf81c1875afc65913e1083b1d0

SHA512
5dd86b7ba388e5d2ad61b1c69589f42c36eec23a04b3cece0941133e0cf0e8a6f1f3aa2242d87af72db725b4b96032dadae72b3be98af3cfce5786ad8c08c357

Download Submit
\ProgramData\winmgr107.exe

Filesize
8.7MB

MD5
6a116503a7f6896f8e12c799cc18444f

SHA1
4dd6ea78d8519c49c585f1f77628087a1ba234bb

SHA256
d8dfbca44144c0567791d702fc547d1396a0e153cca7279d00cc15f22c070818

SHA512
ebc03ca13bb17a1bfe636a9e2db63baa2d1372925956c722356cea43c26501e8dea53a85d10529fd2c56bc9230762451eacedab9f51245c48257f7448446fc73

Download Submit
memory/2340-9-0x0000000002570000-0x0000000002670000-memory.dmp

Filesize
1024KB

Download
memory/2868-27-0x00000000000E0000-0x00000000000EC000-memory.dmp

Filesize
48KB

Download
memory/2868-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2868-29-0x00000000000E0000-0x00000000000EC000-memory.dmp

Filesize
48KB

Download
memory/2868-30-0x00000000000E0000-0x00000000000EC000-memory.dmp

Filesize
48KB

Download
memory/2868-31-0x00000000000E0000-0x00000000000EC000-memory.dmp

Filesize
48KB

Download