Overview (score 10)
Static (score 10)

Per-task scores (sample names truncated as shown on the page; the row order matches behavioral1 to behavioral32 below; the score for row 24 is missing on the page):

  Row  Sample                    Platform            Score
  1    Venom-Rat-...0.html       windows7-x64        1
  2    Venom-Rat-...0.html       windows10-2004-x64  1
  3    Venom-Rat-...0.html       windows7-x64        1
  4    Venom-Rat-...0.html       windows10-2004-x64  1
  5    Venom-Rat-...il.dll       windows7-x64        1
  6    Venom-Rat-...il.dll       windows10-2004-x64  1
  7    Venom-Rat-...at.dll       windows7-x64        1
  8    Venom-Rat-...at.dll       windows10-2004-x64  1
  9    Venom-Rat-...me.dll       windows7-x64        1
  10   Venom-Rat-...me.dll       windows10-2004-x64  1
  11   Venom-Rat-...ed.exe       windows7-x64        8
  12   Venom-Rat-...ed.exe       windows10-2004-x64  8
  13   Majid Z Hacker.exe        windows7-x64        8
  14   Majid Z Hacker.exe        windows10-2004-x64  8
  15   Majid Z Hacker.exe        windows7-x64        10
  16   Majid Z Hacker.exe        windows10-2004-x64  10
  17   Windows Program.exe       windows7-x64        7
  18   Windows Program.exe       windows10-2004-x64  7
  19   script.vbs                windows7-x64        10
  20   script.vbs                windows10-2004-x64  10
  21   windows registry.exe      windows7-x64        10
  22   windows registry.exe      windows10-2004-x64  10
  23   firewall.exe              windows7-x64        8
  24   firewall.exe              windows10-2004-x64  -
  25   Venom Cracked.exe         windows7-x64        1
  26   Venom Cracked.exe         windows10-2004-x64  1
  27   Venom-Rat-...er.exe       windows7-x64        1
  28   Venom-Rat-...er.exe       windows10-2004-x64  1
  29   Venom-Rat-...ed.exe       windows7-x64        10
  30   Venom-Rat-...ed.exe       windows10-2004-x64  10
  31   Majid Z Ha...te.exe       windows7-x64        10
  32   Majid Z Ha...te.exe       windows10-2004-x64  10

Analysis
  max time kernel: 150s
  max time network: 153s
  platform: windows7_x64
  resource: win7-20240508-en
  resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  submitted: 31-05-2024 12:30
Behavioral tasks

  Task          Sample                                                                                  Resource
  behavioral1   Venom-Rat-Cracked--main/Clients/Morpheus@DESKTOP-ALON1A1_367DDFD/Logs/10-31-2020.html   win7-20240221-en
  behavioral2   Venom-Rat-Cracked--main/Clients/Morpheus@DESKTOP-ALON1A1_367DDFD/Logs/10-31-2020.html   win10v2004-20240508-en
  behavioral3   Venom-Rat-Cracked--main/Clients/Sam@DESKTOP-1HP3JNB_440CF1F/Logs/05-17-2020.html        win7-20240221-en
  behavioral4   Venom-Rat-Cracked--main/Clients/Sam@DESKTOP-1HP3JNB_440CF1F/Logs/05-17-2020.html        win10v2004-20240508-en
  behavioral5   Venom-Rat-Cracked--main/Mono.Cecil.dll                                                  win7-20240221-en
  behavioral6   Venom-Rat-Cracked--main/Mono.Cecil.dll                                                  win10v2004-20240426-en
  behavioral7   Venom-Rat-Cracked--main/Mono.Nat.dll                                                    win7-20240221-en
  behavioral8   Venom-Rat-Cracked--main/Mono.Nat.dll                                                    win10v2004-20240508-en
  behavioral9   Venom-Rat-Cracked--main/VelyseTheme.dll                                                 win7-20231129-en
  behavioral10  Venom-Rat-Cracked--main/VelyseTheme.dll                                                 win10v2004-20240508-en
  behavioral11  Venom-Rat-Cracked--main/Venom Activated Cracked.exe                                     win7-20240215-en
  behavioral12  Venom-Rat-Cracked--main/Venom Activated Cracked.exe                                     win10v2004-20240508-en
  behavioral13  Majid Z Hacker.exe                                                                      win7-20240220-en
  behavioral14  Majid Z Hacker.exe                                                                      win10v2004-20240508-en
  behavioral15  Majid Z Hacker.exe                                                                      win7-20240508-en
  behavioral16  Majid Z Hacker.exe                                                                      win10v2004-20240508-en
  behavioral17  Windows Program.exe                                                                     win7-20240221-en
  behavioral18  Windows Program.exe                                                                     win10v2004-20240426-en
  behavioral19  script.vbs                                                                              win7-20240508-en
  behavioral20  script.vbs                                                                              win10v2004-20240426-en
  behavioral21  windows registry.exe                                                                    win7-20240508-en
  behavioral22  windows registry.exe                                                                    win10v2004-20240508-en
  behavioral23  firewall.exe                                                                            win7-20240419-en
  behavioral24  firewall.exe                                                                            win10v2004-20240426-en
  behavioral25  Venom Cracked.exe                                                                       win7-20240221-en
  behavioral26  Venom Cracked.exe                                                                       win10v2004-20240426-en
  behavioral27  Venom-Rat-Cracked--main/Venom Binder.exe                                                win7-20240221-en
  behavioral28  Venom-Rat-Cracked--main/Venom Binder.exe                                                win10v2004-20240508-en
  behavioral29  Venom-Rat-Cracked--main/Venom Software RAT Activated Cracked.exe                        win7-20240221-en
  behavioral30  Venom-Rat-Cracked--main/Venom Software RAT Activated Cracked.exe                        win10v2004-20240426-en
  behavioral31  Majid Z Hacker Website.exe                                                              win7-20240508-en
  behavioral32  Majid Z Hacker Website.exe                                                              win10v2004-20240508-en
General
  Target: Majid Z Hacker.exe
  Size: 413KB
  MD5: d546dc22ad3450598ab32de298a72a80
  SHA1: 6c0b509488bdb86a679a4499e6ebf276ac9d8ea1
  SHA256: b29885d1b7a7710d0bb85861609520cc7bd53524ab5525cd9b9c47690f0103a2
  SHA512: 79e5bca20e23b0cff3d7d98003ae6d69d8932a75eeff23f31ec4c0aae93a02d41593c60d3a6fcb8a06600e21bfa7190210e4842bcba3ba8e9a7d62f344b48980
  SSDEEP: 12288:6+81qE0efXk6XLUwx7YfR43JDOpedYhN7zf+:6o5yU6XIGYqJDOpJPzf+

Malware Config
  Extracted
  Family: njrat
  Version: 0.7d
  Botnet: HacKed
  C2: hackerguru.duckdns.org:6666
  Mutex: 8b3c87226fd3a4e8b8191141ea7a593c
  Attributes
    reg_key: 8b3c87226fd3a4e8b8191141ea7a593c
    splitter: |'|'|
Signatures

Contains code to disable Windows Defender (1 IoC)
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  Resource                                        YARA rule
  C:\Users\Admin\AppData\Local\Temp\script.vbs    disable_win_def

Modifies Windows Defender Real-time Protection settings
  Processes: WScript.exe
  Description        IoC                                                                                                                  Process
  Key created        \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection                                  WScript.exe
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"  WScript.exe
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"  WScript.exe
  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"  WScript.exe

Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes: netsh.exe
  PID    Process
  1700   netsh.exe

Drops startup file (3 IoCs)
  Processes: Windows Program.exe, windows registry.exe
  Description                    IoC                                                                                                            Process
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DNLEWE.lnk                         Windows Program.exe
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8b3c87226fd3a4e8b8191141ea7a593c.exe   windows registry.exe
  File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8b3c87226fd3a4e8b8191141ea7a593c.exe   windows registry.exe

Executes dropped EXE (2 IoCs)
  Processes: windows registry.exe, Windows Program.exe
  PID    Process
  2996   windows registry.exe
  1624   Windows Program.exe

Loads dropped DLL (3 IoCs)
  Processes: Majid Z Hacker.exe, Windows Program.exe
  PID    Process
  2424   Majid Z Hacker.exe
  2424   Majid Z Hacker.exe
  1624   Windows Program.exe

YARA rule matches: upx
  Resource                                                                                YARA rule
  \Users\Admin\AppData\Local\Temp\Windows Program.exe                                     upx
  behavioral15/memory/1624-<id>-0x0000000000400000-0x00000000004CA000-memory.dmp          upx
    (dump ids, in the order listed: 17, 184, 186, 185, 189, 190, 191, 193, 194, 195, 196, 197, 198, 199, 200, 201)

Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes: Windows Program.exe, windows registry.exe
  Description        IoC                                                                                                                                                                                             Process
  Set value (str)    \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\DNLEWE = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\Windows Program.exe\""                        Windows Program.exe
  Set value (str)    \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\8b3c87226fd3a4e8b8191141ea7a593c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\windows registry.exe\" .."   windows registry.exe
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\8b3c87226fd3a4e8b8191141ea7a593c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\windows registry.exe\" .."                                windows registry.exe

Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow   IoC
  5      ipapi.co
  3      ipapi.co

AutoIT Executable (15 IoCs)
  AutoIT scripts compiled to PE executables.
  Resource                                                                                YARA rule
  behavioral15/memory/1624-<id>-0x0000000000400000-0x00000000004CA000-memory.dmp          autoit_exe
    (dump ids, in the order listed: 184, 186, 185, 189, 190, 191, 193, 194, 195, 196, 197, 198, 199, 200, 201)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies system certificate store
  Processes: Windows Program.exe
  Description         IoC                                                                                                                        Process
  Key created         \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13       Windows Program.exe
  Set value (data)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510   Windows Program.exe
  Key created         \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8          Windows Program.exe
  Set value (data)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob value elided]   Windows Program.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: Windows Program.exe, powershell.exe (11 instances)
  PID    Process
  1624   Windows Program.exe (53 occurrences in total)
  2664   powershell.exe
  2760   powershell.exe
  2388   powershell.exe
  2572   powershell.exe
  2472   powershell.exe
  2512   powershell.exe
  3012   powershell.exe
  1712   powershell.exe
  2544   powershell.exe
  808    powershell.exe
  2480   powershell.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: Windows Program.exe
  PID    Process
  1624   Windows Program.exe

Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes: powershell.exe (11 instances), windows registry.exe
  Description                              PID    Process
  Token: SeDebugPrivilege                  2664   powershell.exe
  Token: SeDebugPrivilege                  2760   powershell.exe
  Token: SeDebugPrivilege                  2388   powershell.exe
  Token: SeDebugPrivilege                  2572   powershell.exe
  Token: SeDebugPrivilege                  2472   powershell.exe
  Token: SeDebugPrivilege                  2512   powershell.exe
  Token: SeDebugPrivilege                  3012   powershell.exe
  Token: SeDebugPrivilege                  1712   powershell.exe
  Token: SeDebugPrivilege                  2544   powershell.exe
  Token: SeDebugPrivilege                  808    powershell.exe
  Token: SeDebugPrivilege                  2480   powershell.exe
  Token: SeDebugPrivilege                  2996   windows registry.exe
  Token: 33                                2996   windows registry.exe   (17 times, alternating with the next row)
  Token: SeIncBasePriorityPrivilege        2996   windows registry.exe   (17 times)

Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: Majid Z Hacker.exe, WScript.exe, WScript.exe, Windows Program.exe
  Description                   PID    Process              Target process           Occurrences
  PID 2424 wrote to memory      2424   Majid Z Hacker.exe   2948 WScript.exe         4
  PID 2424 wrote to memory      2424   Majid Z Hacker.exe   2996 windows registry.exe   4
  PID 2424 wrote to memory      2424   Majid Z Hacker.exe   1624 Windows Program.exe   4
  PID 2948 wrote to memory      2948   WScript.exe          2172 WScript.exe         4
  PID 2172 wrote to memory      2172   WScript.exe          2572 powershell.exe      4
  PID 2172 wrote to memory      2172   WScript.exe          2472 powershell.exe      4
  PID 2172 wrote to memory      2172   WScript.exe          2664 powershell.exe      4
  PID 2172 wrote to memory      2172   WScript.exe          2760 powershell.exe      4
  PID 2172 wrote to memory      2172   WScript.exe          2388 powershell.exe      4
  PID 2172 wrote to memory      2172   WScript.exe          2512 powershell.exe      4
  PID 2172 wrote to memory      2172   WScript.exe          2480 powershell.exe      4
  PID 2172 wrote to memory      2172   WScript.exe          2544 powershell.exe      4
  PID 2172 wrote to memory      2172   WScript.exe          3012 powershell.exe      4
  PID 2172 wrote to memory      2172   WScript.exe          1712 powershell.exe      4
  PID 2172 wrote to memory      2172   WScript.exe          808 powershell.exe       4
  PID 1624 wrote to memory      1624   Windows Program.exe  1080 WSCript.exe         4
Processes (process tree; the bracketed number is the depth shown on the page)

[1] C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\WScript.exe
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\WScript.exe
        command line: "C:\Windows\SysWOW64\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs" /elevate
        - Modifies Windows Defender Real-time Protection settings
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

  [2] C:\Users\Admin\AppData\Local\Temp\windows registry.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\windows registry.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\netsh.exe
        command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\windows registry.exe" "windows registry.exe" ENABLE
        - Modifies Windows Firewall

  [2] C:\Users\Admin\AppData\Local\Temp\Windows Program.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Windows Program.exe"
      - Drops startup file
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\WSCript.exe
        command line: WSCript C:\Users\Admin\AppData\Local\Temp\DNLEWE.vbs
Network
MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                  Technique                               Count   Sub-technique                        Count
  Persistence             Create or Modify System Process         2       Windows Service                      2
  Persistence             Boot or Logon Autostart Execution       1       Registry Run Keys / Startup Folder   1
  Privilege Escalation    Create or Modify System Process         2       Windows Service                      2
  Privilege Escalation    Boot or Logon Autostart Execution       1       Registry Run Keys / Startup Folder   1
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Cab1853.tmp
  Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\DNLEWE.vbs
  Filesize: 850B
  MD5: 59ccb6ffd3155d4e1e16509c1d2b424b
  SHA1: c4b3aaa2e1f972aa6f1ae4a1543452d93bf1491c
  SHA256: ba844c991f9fc79f240573cf20e975ac60ae70adc4f45298059e53474df49d1c
  SHA512: 8b1f99c486b756305dc3480182e2b6a37454e156050da9a3e2ff21ce131e7a34a3ebe740f7f07ed17e79e79a5ddf4213e509d009391d69c317b643b5f183b053

C:\Users\Admin\AppData\Local\Temp\Tar1A9B.tmp
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\script.vbs
  Filesize: 1KB
  MD5: 77a4da4863ffcaba51ce05d3c632158d
  SHA1: 253f9a594a6ca3a7a23acb90f8dc81939215ba4b
  SHA256: ecd586281fc4655e40108fcf118beeae3411c1c1176951a763e47fb66d2e421f
  SHA512: ba215fa65a011f5841f5e92b4053895c13368e894817551a982ca3e821726b8bbb13616bca8781fed08f4c83528d0d3ac233fa1f3e14ad4253fdefd9a22253cf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: cab9c7ea927d8a4f113d4cc0c2ce27c0
  SHA1: 2c6494b06208ab14871fdcf338eb45c719885a59
  SHA256: 325beaeab3efad933af92208e0d4abf699ff6f9bcb2a82357485b5234f916da4
  SHA512: 4a2e715301eebf8966e62a3b17999ebb5283f7787eacc4c10367ddf5c8cb3bb39bf545f2292f969546094c8c86212b356750204292268ce5f9a702321089feb9

\Users\Admin\AppData\Local\Temp\Windows Program.exe
  Filesize: 356KB
  MD5: 470c1aaa600dfd81af4cfb23bee7490c
  SHA1: 17cc0969b22f293b9bab656da3c9e4e4f6a3dbd0
  SHA256: 438c6c0291603bd92a66731abcf32e478dc19093c1c0f3c75ee5117192913809
  SHA512: 9a9927ce72abab495474fcc153dc65fcbe15f46cd08e03e892f05b1ad2025d80301b40cf922fee9bbfb4cc2aeffe867a772bc381c1694289e13cf1fde591fbee

\Users\Admin\AppData\Local\Temp\windows registry.exe
  Filesize: 23KB
  MD5: 0e61e56cab42baa9ac421252c13809ed
  SHA1: f058e2efd1181d5285eef36fa2bae9658ccc20f9
  SHA256: 6f788d9f8b51ba8321f1837e02d10c5d94efc74c7be26f734c34a4d602b8d1bc
  SHA512: e5cd90240468d86f5230d1c9f7c355c32cdbf3b5a0c041914d009c8145d260f469f75cf28e2b307964c64b6c6255a6fc6e258b5bb6525b50824365227c38e624

Memory dumps (in the order listed on the page)
  Dump                                                              Filesize
  memory/1624-195-0x0000000000400000-0x00000000004CA000-memory.dmp   808KB
  memory/1624-190-0x0000000000400000-0x00000000004CA000-memory.dmp   808KB
  memory/1624-201-0x0000000000400000-0x00000000004CA000-memory.dmp   808KB
  memory/1624-184-0x0000000000400000-0x00000000004CA000-memory.dmp   808KB
  memory/1624-186-0x0000000000400000-0x00000000004CA000-memory.dmp   808KB
  memory/1624-185-0x0000000000400000-0x00000000004CA000-memory.dmp   808KB
  memory/1624-200-0x0000000000400000-0x00000000004CA000-memory.dmp   808KB
  memory/1624-188-0x00000000034B0000-0x00000000034C0000-memory.dmp   64KB
  memory/1624-189-0x0000000000400000-0x00000000004CA000-memory.dmp   808KB
  memory/1624-181-0x00000000034B0000-0x00000000034C0000-memory.dmp   64KB
  memory/1624-191-0x0000000000400000-0x00000000004CA000-memory.dmp   808KB
  memory/1624-193-0x0000000000400000-0x00000000004CA000-memory.dmp   808KB
  memory/1624-194-0x0000000000400000-0x00000000004CA000-memory.dmp   808KB
  memory/1624-17-0x0000000000400000-0x00000000004CA000-memory.dmp    808KB
  memory/1624-196-0x0000000000400000-0x00000000004CA000-memory.dmp   808KB
  memory/1624-197-0x0000000000400000-0x00000000004CA000-memory.dmp   808KB
  memory/1624-198-0x0000000000400000-0x00000000004CA000-memory.dmp   808KB
  memory/1624-199-0x0000000000400000-0x00000000004CA000-memory.dmp   808KB
  memory/2996-187-0x0000000000450000-0x0000000000490000-memory.dmp   256KB
  memory/2996-20-0x0000000000450000-0x0000000000490000-memory.dmp    256KB