Analysis
-
max time kernel
199s -
max time network
199s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
09-06-2024 15:14
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo
Malware Config
Extracted
metasploit
windows/download_exec
http://149.129.72.37:23456/SNpK
- headers User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP09; NP09; MAAU)
Extracted
crimsonrat
185.136.161.124
Extracted
modiloader
https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download
Signatures
-
CrimsonRAT main payload 1 IoCs
-
CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
ModiLoader First Stage 2 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 3 IoCs
-
Executes dropped EXE 18 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 9 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies registry class 1 IoCs
-
Modifies registry key 1 TTPs 3 IoCs
-
NTFS ADS 5 IoCs
-
Script User-Agent 14 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 17 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd92c546f8,0x7ffd92c54708,0x7ffd92c547182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,9934200901223996785,3537013900748688442,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,9934200901223996785,3537013900748688442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,9934200901223996785,3537013900748688442,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,9934200901223996785,3537013900748688442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,9934200901223996785,3537013900748688442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,9934200901223996785,3537013900748688442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,9934200901223996785,3537013900748688442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,9934200901223996785,3537013900748688442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,9934200901223996785,3537013900748688442,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,9934200901223996785,3537013900748688442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,9934200901223996785,3537013900748688442,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1980,9934200901223996785,3537013900748688442,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1792 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,9934200901223996785,3537013900748688442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1980,9934200901223996785,3537013900748688442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6020 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1980,9934200901223996785,3537013900748688442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\CobaltStrike (1).doc" /o ""2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe3⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,9934200901223996785,3537013900748688442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1980,9934200901223996785,3537013900748688442,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1920 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,9934200901223996785,3537013900748688442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1980,9934200901223996785,3537013900748688442,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6424 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1980,9934200901223996785,3537013900748688442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1980,9934200901223996785,3537013900748688442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5924 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,9934200901223996785,3537013900748688442,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5448 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,9934200901223996785,3537013900748688442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,9934200901223996785,3537013900748688442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,9934200901223996785,3537013900748688442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1980,9934200901223996785,3537013900748688442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5756 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1980,9934200901223996785,3537013900748688442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1980,9934200901223996785,3537013900748688442,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1888 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\NetWire.exe"C:\Users\Admin\Downloads\NetWire.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\NetWire.exe"C:\Users\Admin\Downloads\NetWire.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\Notepad.exeC:\Windows\System32\Notepad.exe4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\Natso.bat" "5⤵
-
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f6⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exereg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "6⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I6⤵
-
-
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f6⤵
- Modifies registry key
-
-
-
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"4⤵
-
-
-
-
C:\Users\Admin\Downloads\NetWire.exe"C:\Users\Admin\Downloads\NetWire.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\NetWire.exe"C:\Users\Admin\Downloads\NetWire.exe"3⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"4⤵
-
-
-
-
C:\Users\Admin\Downloads\NetWire.exe"C:\Users\Admin\Downloads\NetWire.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\NetWire.exe"C:\Users\Admin\Downloads\NetWire.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"4⤵
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\ILOVEYOU.vbs"2⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\ILOVEYOU.vbs"2⤵
-
-
C:\Users\Admin\Downloads\NetWire.exe"C:\Users\Admin\Downloads\NetWire.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\NetWire.exe"C:\Users\Admin\Downloads\NetWire.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"4⤵
-
-
-
-
C:\Users\Admin\Downloads\NetWire.exe"C:\Users\Admin\Downloads\NetWire.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\NetWire.exe"C:\Users\Admin\Downloads\NetWire.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"4⤵
-
-
-
-
C:\Users\Admin\Downloads\NetWire.exe"C:\Users\Admin\Downloads\NetWire.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\NetWire.exe"C:\Users\Admin\Downloads\NetWire.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"4⤵
-
-
-
-
C:\Users\Admin\Downloads\NetWire.exe"C:\Users\Admin\Downloads\NetWire.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\NetWire.exe"C:\Users\Admin\Downloads\NetWire.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"4⤵
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,9934200901223996785,3537013900748688442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1980,9934200901223996785,3537013900748688442,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5756 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1980,9934200901223996785,3537013900748688442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3388 /prefetch:82⤵
-
-
C:\Users\Admin\Downloads\MeltingScreen.exe"C:\Users\Admin\Downloads\MeltingScreen.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\NJRat.exe"C:\Users\Admin\Downloads\NJRat.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\Downloads\NJRat.exe" "NJRat.exe" ENABLE2⤵
- Modifies Windows Firewall
-
-
C:\Users\Admin\Downloads\CrimsonRAT.exe"C:\Users\Admin\Downloads\CrimsonRAT.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\ProgramData\Hdlharas\dlrarhsiva.exe"C:\ProgramData\Hdlharas\dlrarhsiva.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Downloads\NJRat.exe"C:\Users\Admin\Downloads\NJRat.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2fc 0x4e81⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9.1MB
MD564261d5f3b07671f15b7f10f2f78da3f
SHA1d4f978177394024bb4d0e5b6b972a5f72f830181
SHA25687f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad
SHA5123a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a
-
Filesize
56KB
MD5b635f6f767e485c7e17833411d567712
SHA15a9cbdca7794aae308c44edfa7a1ff5b155e4aa8
SHA2566838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e
SHA512551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af
-
Filesize
152B
MD5537815e7cc5c694912ac0308147852e4
SHA12ccdd9d9dc637db5462fe8119c0df261146c363c
SHA256b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f
SHA51263969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a
-
Filesize
152B
MD58b167567021ccb1a9fdf073fa9112ef0
SHA13baf293fbfaa7c1e7cdacb5f2975737f4ef69898
SHA25626764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513
SHA512726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54
-
Filesize
86KB
MD596ff9d4cac8d3a8e73c33fc6bf72f198
SHA117d7edf6e496dec4695d686e7d0e422081cd5cbe
SHA25696db5d52f4addf46b0a41d45351a52041d9e5368aead642402db577bcb33cc3d
SHA51223659fb32dff24b17caffaf94133dac253ccde16ea1ad4d378563b16e99cb10b3d7e9dacf1b95911cd54a2cad4710e48c109ab73796b954cd20844833d3a7c46
-
Filesize
2KB
MD523b5fbd43f4cde3805398bfa45c62a23
SHA120839610ddd827369329fb7cbd2ebbe28475ef61
SHA2566bc4a4c8b568f9dc6bfedba3d0ac98dae74a05455a8985203a39cdef407e0f1e
SHA512738a3d98cfb9cb9577392d9a1c600bf61762296967332fb7a047118ff5ba655eef2a3fe788b153ba1deaf67e9f1f950b43fb90a369a1e4875b33169fbdbc806e
-
Filesize
1KB
MD5b2471fbf45cd625862da155af60ee343
SHA1797da97407f9d7d90634fa01b45520a86fb7a1a5
SHA256d5eadfccb2a6b4f6777aae8c06c5e9af14d55a9a71ee208c1088dcebcc1be70e
SHA512d4d9d2dacd63a76a6b0469e061dfa44141ec68e8d8e6af873f53136ad9d7fe662d9925d2a8cd8dcc6c5e9f9ede25944415e17cc1766e3f56661c1da2e52ce50e
-
Filesize
579B
MD5a7d1701142cca705f833d70023ef4e1e
SHA11b76853132abfcddb4fefac42bf9df5d013c9815
SHA2566c92f51e7f056e73c407228fc280cb7ca4d00ab02674d1dda4eafd7dc9f070f7
SHA512806b7ccb375cc6116e64a9fa15229d783615d13b54cf40251561d9b664f0925915c5375ad88f5ca8d061e01367de239c29da79adf693559af53eeb7d9b1ba1a0
-
Filesize
579B
MD58bbf66ae9ec386af4152e640d99ee79f
SHA16eed11e2861ec6509f508ae7197d0338897fb869
SHA25663323b56c49b79c0cc4e1d4860f2121f462a4813f256a028c777604470013209
SHA512fa2ca0c0a7a8f8d3396001a6e23113ed50d54ae83af55b5b0f4db40fee7d04590eb316f315eadc08677fcb6a731d9b662d1bff18faea70a66f566a1136792ecb
-
Filesize
6KB
MD510f5a90957b40896838d1cc5698ec753
SHA1e480e0b03541132870868d58e0784b4bc44aa547
SHA2567a600aa12db68d8321a5fac5fd5d22033344aadffd69cfe990374ff6e54fb4af
SHA51244dd8b06593d6c85c7be846121d8d44e99b41ad68c12a5db8ff7bf426e1f6b06b28d5a186e3f35fd55775b198ec2000effcc1ba38a8dafbed0c12abe744148d6
-
Filesize
5KB
MD5060b32ae220e9837e0946708de8d9356
SHA1added328b9270f0452e7ca1113e38ee071b5f47b
SHA256132c728184dfa3b74462069b68800a11c1dc6b8508b2cd9ee4d886c5d5171783
SHA51207aa4611dd5dd5fd7ff1c892e6823836dd90f2eb1b4ee9ac9efe317c5f530776aee43fd5cc4e331f3fa24e91938ac524fb86af7e08baedd2a0f48fd3ed1c7b2e
-
Filesize
6KB
MD51d886acd848703def850df6d7631cad0
SHA124808c1bdf8d93ff97d7d288719adb18873ae005
SHA25636600650a2d71b361e597ec5ce3d447a2478deb6bdfdd3f348d533bab850c427
SHA512571175eb126440436e02ce8ada88223a91496105e985661a118f40fe4eac10e6e2c732f47ddfe3a89b6bb497fe513dbe7938448b1aaee451f896b3259a91d835
-
Filesize
1KB
MD57ba56e7f4f8b0c719ca4375522080116
SHA1dc01a25143ceb46dd2930783f6c6419bf9a2201b
SHA256af26ab5054e8e034489ac8f387493c02af0fc53ef2bf8bdc1b6545900a103796
SHA512eb2682c9575506b255ec17d8329462ed60261cbb1cd506ecac196977948ac4c2cbc7161412ec7b54ccf86a433491b5c5bed73e23d3278b977ad55bc1ed061879
-
Filesize
1KB
MD5925b9b76c753b1253f25e8a7ba18bec8
SHA1a9cd3f597021f2472645f009e4eb52d99c6f2136
SHA25665b2edc6c77bbd2d922b1a82a80c07227cf924abc2b2f6b19f68ac68495f0db1
SHA512abba74b7c1fbbe15e46bf30fb90b5f5378c2aa96be679c6ce508487f2a013974adeaa763379cc0f78bfbd2a23a822d6fe772ede8e8686dd431d54f4b1bd4c7f5
-
Filesize
1KB
MD5804b3d942066003e7a51c529a3c3db66
SHA1066f47aea24503433e61cad5b82c4e696594555b
SHA256af79e441accb4c6df71443f9289a3eb37e89cf546cf81c8919121f345d300406
SHA5126958c07070095e7dabbff58bcd68a071a36a262866e568506682ce0b09a1ff7e5dc119b6b1317e6fdf1316b9fefe0b4624a80fcd59232a483b3ab341e07d31b8
-
Filesize
1KB
MD51ad34af390b96054192d64e9b4c60313
SHA18a9ccf10105fc4666128190df8f3e71b484d0c3e
SHA256b6f7ae8196dc4a7d2204d4a085af4db666925e2e5acf178b8756dcf09b9594ac
SHA512ffd768226fffa41fc2c7f8fec358ea3c7481a703def734e3e4c880be5ad80fae5102bc8c87dbbd7f179abe7fe9eba46e45faffca74d42261a6adc50fea247676
-
Filesize
874B
MD55e6c181ab2dfe7f92f90b4a0844d2a78
SHA1be908bd0acd451f822f4144ea1e617ab7a9f94c1
SHA2564d659e94fc94ef1e075ff6b240dd7f916c3cf75bba85ea002732fc7c4aa62642
SHA512b42b5c00adc5cd382660038c75c58a70734441aa20d24753d57fd3553b4f12bed16cc8d75c2286b61287b6e47a5e0707c65729c0a84aee49c4145273c6425c87
-
Filesize
1KB
MD5b8cd844a26e129c916201557cdf9745b
SHA10512dfba286f33ddd8457e54700d24cbb4ad9ad1
SHA25668df1b967892d096810495c9dc7be7c8e0f4e29004b9bc7269d3632e85d490e6
SHA5126a62903a6a704b2bc75a0128b7553af0f68fd7a44dfe61fc508662a9df7c910f8d537777a554fe010bc7a478dc8dc4e5941677dd679f4c2a8c7b740890d926d5
-
Filesize
1KB
MD558f805f7e058d6354a49ef9fa18f32ba
SHA153658cf15d3c16db99f0493836ab91cc33c8648d
SHA25671c2b4df45bb5f973bb263be8d1bac3a7124f4c535b02c801e7b71e5cb9064d1
SHA5129dc407073679581c730ce115c46fe0173fb41d29f76bbd375ae6493b6d8c7dd18c1f0b35256075c22e39720b923d5b1b3fb60c999f3abb1ed5ed365893ef5c87
-
Filesize
874B
MD5d502db36174e23e33452ef743a5a2e29
SHA15763303e5b8de91692ae2973eaa9363e6d4762cc
SHA2560b6362fcac742914bbcb906c2de4e9f09ca172214ca573d56dd3da67e9143570
SHA512d50a99f0ddd523d7d88306924100548f91dbba2159c6b8179c9353661646b0d7cb58745142ce0f81abc225f744a1d6bf307a81a93e9ce96de3e65dd42c61401b
-
Filesize
1KB
MD51f6da8b8a9c0bdab46cdc8139b835020
SHA14d2e87317f08d394562edca87f9c94012d33d615
SHA25608dce0fd158f445910bc720880eb812cfbb58b786324478fa45919b456979f06
SHA51278d4456cbfd4173ddac5b67ceffdd8726febffc77793c22fc65473d7d90a12c78b35cf5ff2929310527842ee0e7d9508411cfc7e01f24becb83b173270bef705
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD55f3489843c72867662d43fd877d1f081
SHA105328265a13c76a36349c752b0f686b6095ddf77
SHA256a6d47d2e291197780a5a63ecb2532a344e1eb0dbe37422fcfbaee977d294ed78
SHA512fe96c3064c88575df428da27c482774e885e41f5a9af5ce31da9d978ab519696fb704ddacf16b4876f6e76274f1cb30231e5607d0d6acbc768a7d0ecdfde05cc
-
Filesize
11KB
MD55feb144e770699b6e66238baee0b55f3
SHA13bfcd188c75194ad0232e670502289f0b2f53778
SHA2565679f8a2903af041221178890c06c10c9ad0929008fc38588f15a110c20acea7
SHA5120067e440fdd500732e0aeda1ba974883c16cabf63be69b31d4497deeabc04a52e92140abe8f05de70ce0e51e45fb08b8de852e6f63aedcaa687fc38003447657
-
Filesize
10KB
MD573708bbf38e9a93b4fbabd4ece669ea7
SHA1f8a3868f412c35482122d67849a1bca5ba796270
SHA256c7ee764d124849d6f6429191d96fd04c57fc4035f2a895f4f2f6ec43a36bcfc0
SHA512be037b6e03ad82e63ab91fff6cebf798c0218c96e9ba89ae32a8099e78ce8b48ff27c13c8e875c72fe756198cb2cc97e49fe0dddaee572708d297269731c6482
-
Filesize
11KB
MD50b11bb089843305fbb19da566b1256ca
SHA1814618969a888f6a12e0688d3d841114550c43f4
SHA2562f92f856346a89672200c77bf5a4d75374666ad799c8b5637b8e8488a51ce3d5
SHA5126e918d4488b10f4d10f4ea1a72103f22ea578dfad5731f33716b90ba24ee20190e2cab5cd658dadf1a370c6bff88b7e3d8e1fb0383ae11f3d7eec31f6fb35d1b
-
Filesize
4KB
MD5f15d37994c4a0ea169e7c5f2cf03ad4b
SHA195af7bea86a21c1b1e57eed2b6595d48701d473f
SHA256e017605eeba4070a9904f9776162b16a30c5eb5fb703c122617096b33a2cfe53
SHA5129bfeb3b929278f9c4b48a3cc094b2eca0ef44145f2a58d66c3b1086660605d661b2ea39155b2e38e507fd137da4fa83d3ddbae413d8fc555b1a7b9d36689568c
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
265B
MD59d09e1fce3dd97dfe8042242cd93d8b8
SHA182eb159b5926690a15d72e9d378cab50e7b7fd56
SHA2561c454548634500c495feb620ee9b4edfe44673399bf2602389fab50dac6370ce
SHA5120ed6c30e2cd415fb4d8a0fb2e6722727b33043f0edd6c7bb551e5cc52864c5e81473d1952d00d5b7690b3d5782db0c73e647cad5fe2b0ea6f06c045aa7748ac2
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
8KB
MD5198dbe75c01dc527d475b229145ab3f4
SHA1db6880fc862cd499670b20a2b03bfc1dae8edbe3
SHA2569f353c8dcd897b845408cff8237c85a57176820b864f53198f010f0013eebab6
SHA512462e2f3d4ac010118b18bdd8e20270e2d5c53ab170825b2723c9437abd844f2a5beb65b0423f47c58673729404aafa96867653045ecd3633083f91d4b9d32da4
-
Filesize
3KB
MD5836dd3e9db6c3462eb6f2461d030225c
SHA13c770d744fac50c93793571354b0e6715110d692
SHA2563d90892f5df9c793d8ba1075e8428f29e62f05fa5961d00e217592227189a596
SHA512989c734065dffad1e72e34dcfbb3e1e1710bf394e6012e4fe99badffa2cf3673682a0da758ceb126dc0377a642dcd89b6879223047d3e653eb14db09666f3406
-
Filesize
3KB
MD531d0b42026282edcc1e1b4563087a3d5
SHA11e530de6d192d051330fbc42aa5fb28de8949fbe
SHA256739415d8ace29adfc62f6bfc519d3ff999f2a4dc93d495075e7e5a5cd501073a
SHA5127215acb4d8898aefeb83fef5ef4a8ab4f9544154ce3b634ad65d03feb52cf2344314140ddf011913dc1705996fee7b8dd1f10e9eae0e79587988b81b871c14c9
-
Filesize
1.2MB
MD57621f79a7f66c25ad6c636d5248abeb9
SHA198304e41f82c3aee82213a286abdee9abf79bcce
SHA256086d35f26bd2fd886e99744960b394d94e74133c40145a3e2bc6b3877b91ec5d
SHA51259ffcf6eeac00c089e9c77192663d0dc97b2e62cedb6d64fe7dc2e67499abc34e33977e05113c9d39ca6d3e37e8b5c3e6aa926c8526215808b147c0152f7dbfd
-
Filesize
10KB
MD58e2c097ca623ca32723d57968b9d2525
SHA1dccfb092fa979fb51c8c8ca64368a6f43349e41d
SHA256556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1
SHA512a468476a8463c36c2db914e3fe4dc7aee67ac35e5e39292107431d68ab1553ca3c74255a741432ba71e8a650cf19eb55d43983363bfc9710e65b212fba37bbde
-
Filesize
7B
MD54047530ecbc0170039e76fe1657bdb01
SHA132db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA25682254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA5128f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e
-
Filesize
17KB
MD54784e42c3b15d1a141a5e0c8abc1205c
SHA148c958deba25a4763ef244ac87e87983c6534179
SHA2569d355e4f9a51536b05269f696b304859155985957ba95eb575f3f38c599d913c
SHA512d63d20a38602d4d228367b6596454a0f5b2884c831e3a95237d23b882abd624de59ea47835636b06a96e216f1decf8c468caacd45e5d3b16a5eb9e87bc69eb97
-
Filesize
31KB
MD529a37b6532a7acefa7580b826f23f6dd
SHA1a0f4f3a1c5e159b6e2dadaa6615c5e4eb762479f
SHA2567a84dd83f4f00cf0723b76a6a56587bdce6d57bd8024cc9c55565a442806cf69
SHA512a54e2b097ffdaa51d49339bd7d15d6e8770b02603e3c864a13e5945322e28eb2eebc32680c6ddddbad1d9a3001aa02e944b6cef86d4a260db7e4b50f67ac9818
-
Filesize
84KB
MD5b6e148ee1a2a3b460dd2a0adbf1dd39c
SHA1ec0efbe8fd2fa5300164e9e4eded0d40da549c60
SHA256dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba
SHA5124b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741
-
Filesize
283B
MD55cc1682955fd9f5800a8f1530c9a4334
SHA1e09b6a4d729f2f4760ee42520ec30c3192c85548
SHA2565562cc607d2f698327efacc4a21bd079bb14a99b03e7a01b3c67f8440e341cb3
SHA51280767263aad44c739236161d4338d5dd8b0b58613f22cd173c3e88ebf143220ee56bbf93ace69a07d3c2f00daff0adbaa8461a1d53d12699725395c931c43cb6
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
440KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.1MB