njrat | 905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe
Size

8.7MB
MD5

0ba6892e146f9f39c493a83a90d42a93
SHA1

7c2f6a255d1dfb6a52056a578f4eed82f8343125
SHA256

905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9
SHA512

4051b974bd9bf1e185903f7057f8d52759430959130015c3d95a25469d31d5ed0d1eefe62683bdce687e6fe24e90174e3f972edec7a2e8c91c788d1af10ad89a
SSDEEP

196608:hCbGPZmVfjsCbGPZmVfjiCbGPZmVfjsCbGPZmVfj2CbGPZmVfjsCbGPZmVfjiCbY:0GmVNGmVrGmVNGmVnGmVNGmVrGmVNGmc

Score

10^/10

njrat jjj evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

jjj

youri.mooo.com:1605

Mutex

e936a10f968ac948cd351c9629dbd36d

Attributes

reg_key
e936a10f968ac948cd351c9629dbd36d
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

388 netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation cmd.exe
Executes dropped EXE 3 IoCs

Processes:

winmgr107.exewinmgr107.exewinmgr107.exe

pid process

336 winmgr107.exe
4768 winmgr107.exe
1468 winmgr107.exe

pid	process
388	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	process
336	winmgr107.exe
4768	winmgr107.exe
1468	winmgr107.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exewinmgr107.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2 = "C:\\ProgramData\\winmgr107.exe"	905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2 = "C:\\ProgramData\\winmgr107.exe"	winmgr107.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\ProgramData\winmgr107.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

winmgr107.exe

description pid process target process

PID 336 set thread context of 2736 336 winmgr107.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 336 set thread context of 2736	336	winmgr107.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 26 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2092	schtasks.exe
3348	schtasks.exe
1124	schtasks.exe
3628	schtasks.exe
4680	schtasks.exe
3428	schtasks.exe
3084	schtasks.exe
2672	schtasks.exe
1904	schtasks.exe
2952	schtasks.exe
212	schtasks.exe
1884	schtasks.exe
4508	schtasks.exe
1592	schtasks.exe
5116	schtasks.exe
2348	schtasks.exe
220	schtasks.exe
2700	schtasks.exe
4872	schtasks.exe
3456	schtasks.exe
940	schtasks.exe
2392	schtasks.exe
3192	schtasks.exe
2832	schtasks.exe
4300	schtasks.exe
3624	schtasks.exe

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	cmd.exe

NTFS ADS 4 IoCs

Processes:

winmgr107.exewinmgr107.exewinmgr107.exe905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe

description	ioc	process
File created	C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA	winmgr107.exe
File opened for modification	C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA	winmgr107.exe
File opened for modification	C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA	winmgr107.exe
File created	C:\Users\Admin\AppData\Local\Temp\905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe:Zone.Identifier:$DATA	905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exewinmgr107.exewinmgr107.exewinmgr107.exe

pid	process
2940	905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe
2940	905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
4768	winmgr107.exe
4768	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
1468	winmgr107.exe
1468	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe
336	winmgr107.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2736	RegAsm.exe
Token: 33	2736	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2736	RegAsm.exe
Token: 33	2736	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2736	RegAsm.exe
Token: 33	2736	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2736	RegAsm.exe
Token: 33	2736	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2736	RegAsm.exe
Token: 33	2736	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2736	RegAsm.exe
Token: 33	2736	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2736	RegAsm.exe
Token: 33	2736	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2736	RegAsm.exe
Token: 33	2736	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2736	RegAsm.exe
Token: 33	2736	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2736	RegAsm.exe
Token: 33	2736	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2736	RegAsm.exe
Token: 33	2736	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2736	RegAsm.exe
Token: 33	2736	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2736	RegAsm.exe
Token: 33	2736	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2736	RegAsm.exe
Token: 33	2736	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2736	RegAsm.exe
Token: 33	2736	RegAsm.exe
Token: SeIncBasePriorityPrivilege	2736	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.execmd.exewinmgr107.exeRegAsm.exe

description	pid	process	target process
PID 2940 wrote to memory of 4776	2940	905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe	cmd.exe
PID 2940 wrote to memory of 4776	2940	905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe	cmd.exe
PID 2940 wrote to memory of 4776	2940	905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe	cmd.exe
PID 4776 wrote to memory of 2036	4776	cmd.exe	NOTEPAD.EXE
PID 4776 wrote to memory of 2036	4776	cmd.exe	NOTEPAD.EXE
PID 4776 wrote to memory of 2036	4776	cmd.exe	NOTEPAD.EXE
PID 2940 wrote to memory of 336	2940	905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe	winmgr107.exe
PID 2940 wrote to memory of 336	2940	905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe	winmgr107.exe
PID 2940 wrote to memory of 336	2940	905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe	winmgr107.exe
PID 336 wrote to memory of 2736	336	winmgr107.exe	RegAsm.exe
PID 336 wrote to memory of 2736	336	winmgr107.exe	RegAsm.exe
PID 336 wrote to memory of 2736	336	winmgr107.exe	RegAsm.exe
PID 336 wrote to memory of 2736	336	winmgr107.exe	RegAsm.exe
PID 336 wrote to memory of 2736	336	winmgr107.exe	RegAsm.exe
PID 336 wrote to memory of 3628	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 3628	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 3628	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 212	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 212	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 212	336	winmgr107.exe	schtasks.exe
PID 2736 wrote to memory of 388	2736	RegAsm.exe	netsh.exe
PID 2736 wrote to memory of 388	2736	RegAsm.exe	netsh.exe
PID 2736 wrote to memory of 388	2736	RegAsm.exe	netsh.exe
PID 336 wrote to memory of 2832	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 2832	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 2832	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 4680	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 4680	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 4680	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 1884	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 1884	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 1884	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 3084	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 3084	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 3084	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 2672	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 2672	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 2672	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 4872	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 4872	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 4872	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 2092	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 2092	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 2092	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 2348	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 2348	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 2348	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 220	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 220	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 220	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 3348	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 3348	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 3348	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 1904	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 1904	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 1904	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 4300	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 4300	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 4300	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 940	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 940	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 940	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 4508	336	winmgr107.exe	schtasks.exe
PID 336 wrote to memory of 4508	336	winmgr107.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe
"C:\Users\Admin\AppData\Local\Temp\905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe"
1⤵
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\PROGRA~3\905DAD~1.TXT
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\PROGRA~3\905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe.txt
    3⤵
    PID:2036
- C:\ProgramData\winmgr107.exe
  C:\ProgramData\winmgr107.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:336
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:388
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:3628
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:212
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2832
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:4680
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1884
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:3084
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2672
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:4872
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2092
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2348
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:220
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:3348
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1904
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:4300
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:940
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:4508
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2952
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1592
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:3456
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:5116
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2700
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:3428
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:2392
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:3624
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:3192
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Creates scheduled task(s)
    PID:1124

C:\ProgramData\winmgr107.exe
C:\ProgramData\winmgr107.exe
1⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4768

C:\ProgramData\winmgr107.exe
C:\ProgramData\winmgr107.exe
1⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe.txt

Filesize
992B

MD5
c8cf7247d4cfc99a7582a42d13df4c08

SHA1
317f5588af0b3b6374c436fb00084c522fd78a83

SHA256
78bd99781e971622f1573bccf2ae9cdd7a7498cf81c1875afc65913e1083b1d0

SHA512
5dd86b7ba388e5d2ad61b1c69589f42c36eec23a04b3cece0941133e0cf0e8a6f1f3aa2242d87af72db725b4b96032dadae72b3be98af3cfce5786ad8c08c357

Download Submit
C:\ProgramData\winmgr107.exe

Filesize
8.7MB

MD5
818953ded4be4877feb435bfb24659f9

SHA1
49db5efe469e5c34fa5366c5dac3b343f188622d

SHA256
364b0d0d62f278bfa15cbf78d144a71d848c3ec6e8d42cb756fea725469a8c31

SHA512
d7b032d433a8ffbd8a032f7708d4b2da572cd4feb0ef3e124f48b5c3990a5cee73445ef2f5d7bcc690dcac6d792e0654cac7b0afda50ff2a5b3bfd0db9f57d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9.exe

Filesize
8.7MB

MD5
0ba6892e146f9f39c493a83a90d42a93

SHA1
7c2f6a255d1dfb6a52056a578f4eed82f8343125

SHA256
905dad7e9a57d7569f32b4bb8908f62954c784204f640f650966a5ec5e1338f9

SHA512
4051b974bd9bf1e185903f7057f8d52759430959130015c3d95a25469d31d5ed0d1eefe62683bdce687e6fe24e90174e3f972edec7a2e8c91c788d1af10ad89a

Download Submit
memory/2736-15-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download