Analysis
- max time kernel: 1800s
- max time network: 1799s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 26/06/2024, 14:37
Behavioral tasks
- behavioral1: sample Njrat.exe, resource win7-20240611-en
- behavioral2: sample Njrat.exe, resource win10-20240404-en
- behavioral3: sample Njrat.exe, resource win10v2004-20240611-en
General
- Target: Njrat.exe
- Size: 3.1MB
- MD5: 7bbb27a3b9ace5f7d403ba8d6ef58d28
- SHA1: 5effbe830a93770824ee60f65eac790dda1ee807
- SHA256: d9dc76fcec48e47d8a10afa9ee40af17b856bff408bbc3eb36f5d362364a8d4c
- SHA512: 32774b5efc9a4c771ed74cb59d6e4221d4cfb92e05d18cf9d3ad53b957005cce84892ef9e563d2c4c932127dac595394e23d8bc3e2a6ab3a654acef5e24e0327
- SSDEEP: 49152:VbA3GVZoGDweuD4gWA7evLcjM3wwwZHFXIJ5nDWhVGUwwB3SNZts8zOqhsg:VbZDweuD4rcH9Vl65Dac7ssNj
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
- Process spawned unexpected child process (21 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  description (identical in all 21 rows): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid_target 2404, Process schtasks.exe, procid_target 32 (identical in all 21 rows)
  pid: 1736, 2812, 2816, 3036, 1416, 2664, 1552, 1964, 1856, 1984, 1936, 1616, 1776, 1080, 1652, 2060, 2316, 2092, 1804, 2360, 2828
- UAC bypass (signature name recovered from the process-tree tag; the heading is missing from the extracted page)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | System.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | System.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Hyperblockport.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Hyperblockport.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Hyperblockport.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | System.exe
- YARA matches (signature name missing from the extracted page)
  resource | yara_rule
  behavioral1/files/0x0021000000013400-9.dat | dcrat
  behavioral1/memory/2720-13-0x0000000001390000-0x0000000001672000-memory.dmp | dcrat
  behavioral1/memory/2096-119-0x0000000000900000-0x0000000000BE2000-memory.dmp | dcrat
  behavioral1/memory/2640-160-0x0000000000DB0000-0x0000000001092000-memory.dmp | dcrat
  behavioral1/memory/1096-161-0x0000000000310000-0x00000000005F2000-memory.dmp | dcrat
  behavioral1/memory/1060-164-0x0000000000010000-0x00000000002F2000-memory.dmp | dcrat
  behavioral1/memory/1752-168-0x0000000000FD0000-0x00000000012B2000-memory.dmp | dcrat
  behavioral1/memory/872-171-0x0000000000950000-0x0000000000C32000-memory.dmp | dcrat
  behavioral1/memory/672-172-0x00000000013C0000-0x00000000016A2000-memory.dmp | dcrat
  behavioral1/memory/2152-175-0x00000000012E0000-0x00000000015C2000-memory.dmp | dcrat
  behavioral1/memory/2148-177-0x0000000000F50000-0x0000000001232000-memory.dmp | dcrat
  behavioral1/memory/784-180-0x0000000000D30000-0x0000000001012000-memory.dmp | dcrat
  behavioral1/memory/2860-183-0x0000000000120000-0x0000000000402000-memory.dmp | dcrat
  behavioral1/memory/2280-186-0x00000000011B0000-0x0000000001492000-memory.dmp | dcrat
  behavioral1/memory/552-189-0x0000000000210000-0x00000000004F2000-memory.dmp | dcrat
- Command and Scripting Interpreter: PowerShell (1 TTPs, 13 IoCs)
  Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid (Process powershell.exe in every row): 1096, 1116, 1640, 536, 1504, 2408, 816, 576, 584, 2972, 688, 1012, 400
- Executes dropped EXE (20 IoCs)
  pid Process: 2720 Hyperblockport.exe, 2096 System.exe, 1096 wininit.exe, 2640 csrss.exe, 1060 dwm.exe, 1240 System.exe, 1752 smss.exe, 672 csrss.exe, 872 wininit.exe, 2152 lsass.exe, 2148 dwm.exe, 1632 System.exe, 784 wininit.exe, 2540 csrss.exe, 2860 smss.exe, 624 csrss.exe, 2280 wininit.exe, 552 lsass.exe, 1320 dwm.exe, 2524 System.exe
- Loads dropped DLL (2 IoCs)
  pid Process: 2844 cmd.exe (2 rows)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks whether UAC is enabled (signature name recovered from the process-tree tag; the heading is missing from the extracted page)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Hyperblockport.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Hyperblockport.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | System.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | System.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  7 | ipinfo.io
  8 | ipinfo.io
- Drops file in Program Files directory (4 IoCs)
  description | ioc | Process
  File created | C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\6cb0b6c459d5d3 | Hyperblockport.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe | Hyperblockport.exe
  File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6203df4a6bafc7 | Hyperblockport.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\dwm.exe | Hyperblockport.exe
- Drops file in Windows directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\L2Schemas\smss.exe | Hyperblockport.exe
  File opened for modification | C:\Windows\L2Schemas\smss.exe | Hyperblockport.exe
  File created | C:\Windows\L2Schemas\69ddcba757bf72 | Hyperblockport.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies system certificate store (signature name recovered from the process-tree tag; the heading is missing from the extracted page)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | System.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob not reproduced on the page] | System.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 21 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid (Process schtasks.exe in every row): 1416, 2664, 2060, 1552, 1776, 1652, 2316, 2360, 1804, 2816, 1964, 1936, 1616, 2092, 1080, 2828, 1736, 2812, 3036, 1856, 1984
- Suspicious behavior: EnumeratesProcesses (64 IoCs; repeated rows collapsed)
  pid | Process | rows
  2720 | Hyperblockport.exe | 7
  2972, 536, 576, 1640, 1116, 1096, 2408, 400, 688, 1012, 584, 1504, 816 | powershell.exe | 1 each
  2096 | System.exe | 44
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid Process: 2096 System.exe
- Suspicious use of AdjustPrivilegeToken (36 IoCs)
  Token | pid | Process
  SeDebugPrivilege | 2720 | Hyperblockport.exe
  SeDebugPrivilege | 2972, 536, 576, 1640, 1116, 1096, 2408, 400, 688, 1012, 584, 1504, 816 | powershell.exe (one row per pid)
  SeDebugPrivilege | 2096 | System.exe
  SeBackupPrivilege | 2576 | vssvc.exe
  SeRestorePrivilege | 2576 | vssvc.exe
  SeAuditPrivilege | 2576 | vssvc.exe
  SeDebugPrivilege | 2640 | csrss.exe
  SeDebugPrivilege | 1096 | wininit.exe
  SeDebugPrivilege | 1060 | dwm.exe
  SeDebugPrivilege | 1240 | System.exe
  SeDebugPrivilege | 1752 | smss.exe
  SeDebugPrivilege | 872 | wininit.exe
  SeDebugPrivilege | 672 | csrss.exe
  SeDebugPrivilege | 2152 | lsass.exe
  SeDebugPrivilege | 2148 | dwm.exe
  SeDebugPrivilege | 2540 | csrss.exe
  SeDebugPrivilege | 784 | wininit.exe
  SeDebugPrivilege | 1632 | System.exe
  SeDebugPrivilege | 2860 | smss.exe
  SeDebugPrivilege | 624 | csrss.exe
  SeDebugPrivilege | 2280 | wininit.exe
  SeDebugPrivilege | 1320 | dwm.exe
  SeDebugPrivilege | 552 | lsass.exe
  SeDebugPrivilege | 2524 | System.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid Process: 2096 System.exe
- Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, count in the last column)
  description | pid | Process | procid_target | rows
  PID 2500 wrote to memory of 2424 | 2500 | Njrat.exe | 28 | 4
  PID 2424 wrote to memory of 2844 | 2424 | WScript.exe | 29 | 4
  PID 2844 wrote to memory of 2720 | 2844 | cmd.exe | 31 | 4
  PID 2720 wrote to memory of 2972 | 2720 | Hyperblockport.exe | 54 | 3
  PID 2720 wrote to memory of 2408 | 2720 | Hyperblockport.exe | 55 | 3
  PID 2720 wrote to memory of 536 | 2720 | Hyperblockport.exe | 56 | 3
  PID 2720 wrote to memory of 688 | 2720 | Hyperblockport.exe | 58 | 3
  PID 2720 wrote to memory of 400 | 2720 | Hyperblockport.exe | 60 | 3
  PID 2720 wrote to memory of 816 | 2720 | Hyperblockport.exe | 61 | 3
  PID 2720 wrote to memory of 1012 | 2720 | Hyperblockport.exe | 63 | 3
  PID 2720 wrote to memory of 1504 | 2720 | Hyperblockport.exe | 65 | 3
  PID 2720 wrote to memory of 1640 | 2720 | Hyperblockport.exe | 66 | 3
  PID 2720 wrote to memory of 1116 | 2720 | Hyperblockport.exe | 67 | 3
  PID 2720 wrote to memory of 584 | 2720 | Hyperblockport.exe | 68 | 3
  PID 2720 wrote to memory of 576 | 2720 | Hyperblockport.exe | 69 | 3
  PID 2720 wrote to memory of 1096 | 2720 | Hyperblockport.exe | 70 | 3
  PID 2720 wrote to memory of 1548 | 2720 | Hyperblockport.exe | 80 | 3
  PID 1548 wrote to memory of 2396 | 1548 | cmd.exe | 82 | 3
  PID 1548 wrote to memory of 2096 | 1548 | cmd.exe | 83 | 3
  PID 2096 wrote to memory of 1820 | 2096 | System.exe | 84 | 3
  PID 2096 wrote to memory of 1556 | 2096 | System.exe | 85 | 1
- System policy modification (1 TTPs, 6 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Hyperblockport.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Hyperblockport.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | Hyperblockport.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | System.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | System.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | System.exe
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(indented by parent/child depth; each entry gives the image path and PID, then the command line and the signatures hit)

[1] C:\Users\Admin\AppData\Local\Temp\Njrat.exe  PID 2500
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Njrat.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WScript.exe  PID 2424
      cmdline: "C:\Windows\System32\WScript.exe" "C:\containerperf\9nepdzd6Yg.vbe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe  PID 2844
        cmdline: cmd /c ""C:\containerperf\MJF5L0LGrR45RopQV75MoqBbC.bat" "
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\containerperf\Hyperblockport.exe  PID 2720
          cmdline: "C:\containerperf\Hyperblockport.exe"
          - UAC bypass
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, 13 instances; every instance carries the signatures Command and Scripting Interpreter: PowerShell, Suspicious behavior: EnumeratesProcesses and Suspicious use of AdjustPrivilegeToken
            PID 2972  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
            PID 2408  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
            PID 536   cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/containerperf/'
            PID 688   cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
            PID 400   cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
            PID 816   cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
            PID 1012  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
            PID 1504  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
            PID 1640  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
            PID 1116  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
            PID 584   cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
            PID 576   cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
            PID 1096  cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        [5] C:\Windows\System32\cmd.exe  PID 1548
            cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GO75tdUpkG.bat"
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\w32tm.exe  PID 2396
              cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          [6] C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\System.exe  PID 2096
              cmdline: "C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\System.exe"
              - UAC bypass
              - Executes dropped EXE
              - Checks whether UAC is enabled
              - Modifies system certificate store
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              - System policy modification
            [7] C:\Windows\System32\WScript.exe  PID 1820
                cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e5eed7f-f8c5-4873-96b6-1bfd3a68abcd.vbs"
            [7] C:\Windows\System32\WScript.exe  PID 1556
                cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c27e7e3-f3fd-4cf1-b691-c0e0afdc5151.vbs"
[1] C:\Windows\system32\schtasks.exe, 21 instances; every instance carries the signatures Process spawned unexpected child process and Scheduled Task/Job: Scheduled Task
    PID 1736  cmdline: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\L2Schemas\smss.exe'" /f
    PID 2812  cmdline: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\L2Schemas\smss.exe'" /rl HIGHEST /f
    PID 2816  cmdline: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\smss.exe'" /rl HIGHEST /f
    PID 3036  cmdline: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\dwm.exe'" /f
    PID 1416  cmdline: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\dwm.exe'" /rl HIGHEST /f
    PID 2664  cmdline: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\dwm.exe'" /rl HIGHEST /f
    PID 1552  cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\csrss.exe'" /f
    PID 1964  cmdline: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
    PID 1856  cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
    PID 1984  cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\containerperf\csrss.exe'" /f
    PID 1936  cmdline: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\containerperf\csrss.exe'" /rl HIGHEST /f
    PID 1616  cmdline: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\containerperf\csrss.exe'" /rl HIGHEST /f
    PID 1776  cmdline: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\wininit.exe'" /f
    PID 1080  cmdline: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\wininit.exe'" /rl HIGHEST /f
    PID 1652  cmdline: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\wininit.exe'" /rl HIGHEST /f
    PID 2060  cmdline: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /f
    PID 2316  cmdline: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /rl HIGHEST /f
    PID 2092  cmdline: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /rl HIGHEST /f
    PID 1804  cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\System.exe'" /f
    PID 2360  cmdline: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\System.exe'" /rl HIGHEST /f
    PID 2828  cmdline: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\System.exe'" /rl HIGHEST /f
[1] C:\Windows\system32\vssvc.exe  PID 2576
    cmdline: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\wbem\WmiApSrv.exe  PID 2784
    cmdline: C:\Windows\system32\wbem\WmiApSrv.exe
[1] C:\Windows\system32\taskeng.exe  PID 2780
    cmdline: taskeng.exe {E76F7959-11C7-441B-9246-F819828A01E4} S-1-5-21-2812790648-3157963462-487717889-1000:JAFTUVRJ\Admin:Interactive:[1]
  [2] 18 child processes of taskeng.exe; every child carries the signatures Executes dropped EXE and Suspicious use of AdjustPrivilegeToken
      PID 2640  C:\Users\Default User\csrss.exe  cmdline: "C:\Users\Default User\csrss.exe"
      PID 1096  C:\Users\Public\wininit.exe  cmdline: C:\Users\Public\wininit.exe
      PID 1060  C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\dwm.exe  cmdline: "C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\dwm.exe"
      PID 1240  C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\System.exe  cmdline: C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\System.exe
      PID 1752  C:\Windows\L2Schemas\smss.exe  cmdline: C:\Windows\L2Schemas\smss.exe
      PID 672   C:\Users\Default User\csrss.exe  cmdline: "C:\Users\Default User\csrss.exe"
      PID 872   C:\Users\Public\wininit.exe  cmdline: C:\Users\Public\wininit.exe
      PID 2152  C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe  cmdline: "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe"
      PID 2148  C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\dwm.exe  cmdline: "C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\dwm.exe"
      PID 1632  C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\System.exe  cmdline: C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\System.exe
      PID 2540  C:\Users\Default User\csrss.exe  cmdline: "C:\Users\Default User\csrss.exe"
      PID 784   C:\Users\Public\wininit.exe  cmdline: C:\Users\Public\wininit.exe
      PID 2860  C:\Windows\L2Schemas\smss.exe  cmdline: C:\Windows\L2Schemas\smss.exe
      PID 624   C:\Users\Default User\csrss.exe  cmdline: "C:\Users\Default User\csrss.exe"
      PID 2280  C:\Users\Public\wininit.exe  cmdline: C:\Users\Public\wininit.exe
      PID 552   C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe  cmdline: "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe"
      PID 1320  C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\dwm.exe  cmdline: "C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\dwm.exe"
      PID 2524  C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\System.exe  cmdline: C:\Recovery\fc26e022-289f-11ef-a973-46d84c032646\System.exe
Network
MITRE ATT&CK Enterprise v15
- Execution
  - Command and Scripting Interpreter (1): PowerShell (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  - Scheduled Task/Job (1): Scheduled Task (1)
Downloads