njrat | f911a357abf083c321d7240e1070b470c9d2a64c1503700dbec45980c88c0aa4

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
31-05-2024 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Majid Z Hacker.exe
Size

413KB
MD5

d546dc22ad3450598ab32de298a72a80
SHA1

6c0b509488bdb86a679a4499e6ebf276ac9d8ea1
SHA256

b29885d1b7a7710d0bb85861609520cc7bd53524ab5525cd9b9c47690f0103a2
SHA512

79e5bca20e23b0cff3d7d98003ae6d69d8932a75eeff23f31ec4c0aae93a02d41593c60d3a6fcb8a06600e21bfa7190210e4842bcba3ba8e9a7d62f344b48980
SSDEEP

12288:6+81qE0efXk6XLUwx7YfR43JDOpedYhN7zf+:6o5yU6XIGYqJDOpJPzf+

Score

10^/10

njrat hacked evasion persistence trojan upx

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

hackerguru.duckdns.org:6666

Mutex

8b3c87226fd3a4e8b8191141ea7a593c

Attributes

reg_key
8b3c87226fd3a4e8b8191141ea7a593c
splitter
|'|'|

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\script.vbs	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	WScript.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1700 netsh.exe

pid	process
1700	netsh.exe

Drops startup file 3 IoCs

Processes:

Windows Program.exewindows registry.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DNLEWE.lnk	Windows Program.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8b3c87226fd3a4e8b8191141ea7a593c.exe	windows registry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8b3c87226fd3a4e8b8191141ea7a593c.exe	windows registry.exe

Executes dropped EXE 2 IoCs

Processes:

windows registry.exeWindows Program.exe

pid process

2996 windows registry.exe
1624 Windows Program.exe
Loads dropped DLL 3 IoCs

Processes:

Majid Z Hacker.exeWindows Program.exe

pid process

2424 Majid Z Hacker.exe
2424 Majid Z Hacker.exe
1624 Windows Program.exe

pid	process
2996	windows registry.exe
1624	Windows Program.exe

pid	process
2424	Majid Z Hacker.exe
2424	Majid Z Hacker.exe
1624	Windows Program.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Windows Program.exe	upx
behavioral15/memory/1624-17-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral15/memory/1624-184-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral15/memory/1624-186-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral15/memory/1624-185-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral15/memory/1624-189-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral15/memory/1624-190-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral15/memory/1624-191-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral15/memory/1624-193-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral15/memory/1624-194-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral15/memory/1624-195-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral15/memory/1624-196-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral15/memory/1624-197-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral15/memory/1624-198-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral15/memory/1624-199-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral15/memory/1624-200-0x0000000000400000-0x00000000004CA000-memory.dmp	upx
behavioral15/memory/1624-201-0x0000000000400000-0x00000000004CA000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Windows Program.exewindows registry.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\DNLEWE = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windata\\Windows Program.exe\""	Windows Program.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\8b3c87226fd3a4e8b8191141ea7a593c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\windows registry.exe\" .."	windows registry.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\8b3c87226fd3a4e8b8191141ea7a593c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\windows registry.exe\" .."	windows registry.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ipapi.co
3 ipapi.co

flow	ioc
5	ipapi.co
3	ipapi.co

AutoIT Executable 15 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral15/memory/1624-184-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral15/memory/1624-186-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral15/memory/1624-185-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral15/memory/1624-189-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral15/memory/1624-190-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral15/memory/1624-191-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral15/memory/1624-193-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral15/memory/1624-194-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral15/memory/1624-195-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral15/memory/1624-196-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral15/memory/1624-197-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral15/memory/1624-198-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral15/memory/1624-199-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral15/memory/1624-200-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe
behavioral15/memory/1624-201-0x0000000000400000-0x00000000004CA000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Windows Program.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Windows Program.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Windows Program.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Windows Program.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Windows Program.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Windows Program.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
2664	powershell.exe
2760	powershell.exe
2388	powershell.exe
2572	powershell.exe
2472	powershell.exe
2512	powershell.exe
3012	powershell.exe
1712	powershell.exe
2544	powershell.exe
808	powershell.exe
2480	powershell.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe
1624	Windows Program.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Windows Program.exe

pid process

1624 Windows Program.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewindows registry.exe

description	pid	process
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	808	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	2996	windows registry.exe
Token: 33	2996	windows registry.exe
Token: SeIncBasePriorityPrivilege	2996	windows registry.exe
Token: 33	2996	windows registry.exe
Token: SeIncBasePriorityPrivilege	2996	windows registry.exe
Token: 33	2996	windows registry.exe
Token: SeIncBasePriorityPrivilege	2996	windows registry.exe
Token: 33	2996	windows registry.exe
Token: SeIncBasePriorityPrivilege	2996	windows registry.exe
Token: 33	2996	windows registry.exe
Token: SeIncBasePriorityPrivilege	2996	windows registry.exe
Token: 33	2996	windows registry.exe
Token: SeIncBasePriorityPrivilege	2996	windows registry.exe
Token: 33	2996	windows registry.exe
Token: SeIncBasePriorityPrivilege	2996	windows registry.exe
Token: 33	2996	windows registry.exe
Token: SeIncBasePriorityPrivilege	2996	windows registry.exe
Token: 33	2996	windows registry.exe
Token: SeIncBasePriorityPrivilege	2996	windows registry.exe
Token: 33	2996	windows registry.exe
Token: SeIncBasePriorityPrivilege	2996	windows registry.exe
Token: 33	2996	windows registry.exe
Token: SeIncBasePriorityPrivilege	2996	windows registry.exe
Token: 33	2996	windows registry.exe
Token: SeIncBasePriorityPrivilege	2996	windows registry.exe
Token: 33	2996	windows registry.exe
Token: SeIncBasePriorityPrivilege	2996	windows registry.exe
Token: 33	2996	windows registry.exe
Token: SeIncBasePriorityPrivilege	2996	windows registry.exe
Token: 33	2996	windows registry.exe
Token: SeIncBasePriorityPrivilege	2996	windows registry.exe
Token: 33	2996	windows registry.exe
Token: SeIncBasePriorityPrivilege	2996	windows registry.exe
Token: 33	2996	windows registry.exe
Token: SeIncBasePriorityPrivilege	2996	windows registry.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Majid Z Hacker.exeWScript.exeWScript.exeWindows Program.exe

description	pid	process	target process
PID 2424 wrote to memory of 2948	2424	Majid Z Hacker.exe	WScript.exe
PID 2424 wrote to memory of 2948	2424	Majid Z Hacker.exe	WScript.exe
PID 2424 wrote to memory of 2948	2424	Majid Z Hacker.exe	WScript.exe
PID 2424 wrote to memory of 2948	2424	Majid Z Hacker.exe	WScript.exe
PID 2424 wrote to memory of 2996	2424	Majid Z Hacker.exe	windows registry.exe
PID 2424 wrote to memory of 2996	2424	Majid Z Hacker.exe	windows registry.exe
PID 2424 wrote to memory of 2996	2424	Majid Z Hacker.exe	windows registry.exe
PID 2424 wrote to memory of 2996	2424	Majid Z Hacker.exe	windows registry.exe
PID 2424 wrote to memory of 1624	2424	Majid Z Hacker.exe	Windows Program.exe
PID 2424 wrote to memory of 1624	2424	Majid Z Hacker.exe	Windows Program.exe
PID 2424 wrote to memory of 1624	2424	Majid Z Hacker.exe	Windows Program.exe
PID 2424 wrote to memory of 1624	2424	Majid Z Hacker.exe	Windows Program.exe
PID 2948 wrote to memory of 2172	2948	WScript.exe	WScript.exe
PID 2948 wrote to memory of 2172	2948	WScript.exe	WScript.exe
PID 2948 wrote to memory of 2172	2948	WScript.exe	WScript.exe
PID 2948 wrote to memory of 2172	2948	WScript.exe	WScript.exe
PID 2172 wrote to memory of 2572	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 2572	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 2572	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 2572	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 2472	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 2472	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 2472	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 2472	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 2664	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 2664	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 2664	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 2664	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 2760	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 2760	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 2760	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 2760	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 2388	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 2388	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 2388	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 2388	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 2512	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 2512	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 2512	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 2512	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 2480	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 2480	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 2480	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 2480	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 2544	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 2544	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 2544	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 2544	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 3012	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 3012	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 3012	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 3012	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 1712	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 1712	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 1712	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 1712	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 808	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 808	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 808	2172	WScript.exe	powershell.exe
PID 2172 wrote to memory of 808	2172	WScript.exe	powershell.exe
PID 1624 wrote to memory of 1080	1624	Windows Program.exe	WSCript.exe
PID 1624 wrote to memory of 1080	1624	Windows Program.exe	WSCript.exe
PID 1624 wrote to memory of 1080	1624	Windows Program.exe	WSCript.exe
PID 1624 wrote to memory of 1080	1624	Windows Program.exe	WSCript.exe

C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Majid Z Hacker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\SysWOW64\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs" /elevate
3⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:808

C:\Users\Admin\AppData\Local\Temp\windows registry.exe
"C:\Users\Admin\AppData\Local\Temp\windows registry.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\windows registry.exe" "windows registry.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1700

C:\Users\Admin\AppData\Local\Temp\Windows Program.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Program.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\WSCript.exe
WSCript C:\Users\Admin\AppData\Local\Temp\DNLEWE.vbs
3⤵
PID:1080

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1853.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DNLEWE.vbs
Filesize
850B

MD5
59ccb6ffd3155d4e1e16509c1d2b424b

SHA1
c4b3aaa2e1f972aa6f1ae4a1543452d93bf1491c

SHA256
ba844c991f9fc79f240573cf20e975ac60ae70adc4f45298059e53474df49d1c

SHA512
8b1f99c486b756305dc3480182e2b6a37454e156050da9a3e2ff21ce131e7a34a3ebe740f7f07ed17e79e79a5ddf4213e509d009391d69c317b643b5f183b053

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1A9B.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\script.vbs
Filesize
1KB

MD5
77a4da4863ffcaba51ce05d3c632158d

SHA1
253f9a594a6ca3a7a23acb90f8dc81939215ba4b

SHA256
ecd586281fc4655e40108fcf118beeae3411c1c1176951a763e47fb66d2e421f

SHA512
ba215fa65a011f5841f5e92b4053895c13368e894817551a982ca3e821726b8bbb13616bca8781fed08f4c83528d0d3ac233fa1f3e14ad4253fdefd9a22253cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
cab9c7ea927d8a4f113d4cc0c2ce27c0

SHA1
2c6494b06208ab14871fdcf338eb45c719885a59

SHA256
325beaeab3efad933af92208e0d4abf699ff6f9bcb2a82357485b5234f916da4

SHA512
4a2e715301eebf8966e62a3b17999ebb5283f7787eacc4c10367ddf5c8cb3bb39bf545f2292f969546094c8c86212b356750204292268ce5f9a702321089feb9

Download Submit
\Users\Admin\AppData\Local\Temp\Windows Program.exe
Filesize
356KB

MD5
470c1aaa600dfd81af4cfb23bee7490c

SHA1
17cc0969b22f293b9bab656da3c9e4e4f6a3dbd0

SHA256
438c6c0291603bd92a66731abcf32e478dc19093c1c0f3c75ee5117192913809

SHA512
9a9927ce72abab495474fcc153dc65fcbe15f46cd08e03e892f05b1ad2025d80301b40cf922fee9bbfb4cc2aeffe867a772bc381c1694289e13cf1fde591fbee

Download Submit
\Users\Admin\AppData\Local\Temp\windows registry.exe
Filesize
23KB

MD5
0e61e56cab42baa9ac421252c13809ed

SHA1
f058e2efd1181d5285eef36fa2bae9658ccc20f9

SHA256
6f788d9f8b51ba8321f1837e02d10c5d94efc74c7be26f734c34a4d602b8d1bc

SHA512
e5cd90240468d86f5230d1c9f7c355c32cdbf3b5a0c041914d009c8145d260f469f75cf28e2b307964c64b6c6255a6fc6e258b5bb6525b50824365227c38e624

Download Submit
memory/1624-195-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/1624-190-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/1624-201-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/1624-184-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/1624-186-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/1624-185-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/1624-200-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/1624-188-0x00000000034B0000-0x00000000034C0000-memory.dmp

Filesize
64KB

Download
memory/1624-189-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/1624-181-0x00000000034B0000-0x00000000034C0000-memory.dmp

Filesize
64KB

Download
memory/1624-191-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/1624-193-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/1624-194-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/1624-17-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/1624-196-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/1624-197-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/1624-198-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/1624-199-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2996-187-0x0000000000450000-0x0000000000490000-memory.dmp

Filesize
256KB

Download
memory/2996-20-0x0000000000450000-0x0000000000490000-memory.dmp

Filesize
256KB

Download