762bdc2c74c2a3e76e0deeef9992dc390f6e0fb28713ab13f4ec8f0550a07fc8

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 17:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
Size

3.3MB
MD5

2d294d4ddd3fe94d76a9b487c63721b2
SHA1

9ed13cc550a981de61280cbc85a5dade0d81359c
SHA256

762bdc2c74c2a3e76e0deeef9992dc390f6e0fb28713ab13f4ec8f0550a07fc8
SHA512

a165617ad10fea3607dcb9b6e9bad09855ba1e9a672ea4ff2eb1cb2634ba6e4aab4a9a983973483074bc34e43a910478cf43f6bb0dcbe1942856332bcf8d5308
SSDEEP

49152:lBMi0HM12fGEHLaJezoLwwrOJSbXdWNJ8TUxm6Yejhz0UH3sOu+2mm7sCHDMF8Qz:lyiG2cGuRkLww7+LmbocOu+Y9kNyPL

Score

8^/10

persistence privilege_escalation

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\nrdrvnt3.sys	nrinst03.exe
File created	C:\Windows\SysWOW64\DRIVERS\NCGUARD.SYS	ncclient.exe
File opened for modification	C:\Windows\SysWOW64\DRIVERS\NCGUARD.SYS	ncclient.exe

Executes dropped EXE 5 IoCs

pid	Process
1224	nckill.exe
1564	ncagent.exe
3972	ncstart.exe
5012	ncclient.exe
2396	nrinst03.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NetClient RC Helper = "C:\\Windows\\SysWOW64\\NetClient40\\rc\\NrDeskHlp.exe"	ncclient.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\NetClient40\rc\nrinst02.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\NCFileSearch.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\ncmon.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\ncnavi.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\ncpnlko.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\NetUnzip.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\rc\hncrcm_kor.xml	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\n5lgn.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\NCClientUI.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\NCHwInfo.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\ncwinmgr.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\rc\Nrcdc3.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\rc\Nrcdc2.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\rc\nrdrvnt2.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\rc\nrdrvnt2.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\rc\nrinst03.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\NCDISK.VXD	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\NetShare9x.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\V3VName.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\rc\DrFtc.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\rc\nrdrvnt1.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\fsecuv.inf	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\ncdist.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\ncmon.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\ncpmon40.sys	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\rc\NrAlram.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\rc\Markup.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\ncguard.sys	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\nrdrvnt3.dll	nrinst03.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\rc\hncrcm_kor.xml	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\ncmsg.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\ncwinmgr.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\wpcap_1.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\ncinstudo.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\NCDISK.VXD	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\NCFileSearch.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\NCPMON40.VXD	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\NetShare9x.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\rc\NRCX2.DLL	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\rc\nrdrvnt1.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\ncblk.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\NetUnzip.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\v3alert.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\VrInfo.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\RC\drclass.inf	nrinst03.exe
File created	C:\Windows\SysWOW64\NetClient40\rc\CallC03.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\ncagent.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\ncmon_org.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\NCPFLTV.sys	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\NCSurvey.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\netmessage_eng.bin	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\rc\NrHost.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\NCSurvey.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\NSECUV.sys	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\rc\NETVXD.VXD	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\NCMakeId.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\NetChat.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\Libnet_1.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\ncnwkbk.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\ncwhk.dll	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NetClient40\rc\NETVXD.VXD	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\rc\NRCX2.DLL	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\rc\nrdrvnt1.sys	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetClient40\rc\nrinst01.exe	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 15 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	nrinst03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	nrinst03.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	nrinst03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	nrinst03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	nrinst03.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	nrinst03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	nrinst03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	nrinst03.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	nrinst03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	nrinst03.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	nrinst03.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	nrinst03.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1224	nckill.exe
1224	nckill.exe
1224	nckill.exe
1224	nckill.exe
3972	ncstart.exe
3972	ncstart.exe
5012	ncclient.exe
5012	ncclient.exe

Suspicious behavior: LoadsDriver 12 IoCs

pid	Process
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found
656	Process not Found

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 1224	1068	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe	82
PID 1068 wrote to memory of 1224	1068	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe	82
PID 1068 wrote to memory of 1224	1068	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe	82
PID 1564 wrote to memory of 3972	1564	ncagent.exe	85
PID 1564 wrote to memory of 3972	1564	ncagent.exe	85
PID 1564 wrote to memory of 3972	1564	ncagent.exe	85
PID 3972 wrote to memory of 5012	3972	ncstart.exe	87
PID 3972 wrote to memory of 5012	3972	ncstart.exe	87
PID 3972 wrote to memory of 5012	3972	ncstart.exe	87
PID 5012 wrote to memory of 4388	5012	ncclient.exe	88
PID 5012 wrote to memory of 4388	5012	ncclient.exe	88
PID 5012 wrote to memory of 4388	5012	ncclient.exe	88
PID 5012 wrote to memory of 60	5012	ncclient.exe	91
PID 5012 wrote to memory of 60	5012	ncclient.exe	91
PID 5012 wrote to memory of 60	5012	ncclient.exe	91
PID 1068 wrote to memory of 2396	1068	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe	92
PID 1068 wrote to memory of 2396	1068	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe	92
PID 1068 wrote to memory of 2396	1068	2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe	92
PID 5012 wrote to memory of 780	5012	ncclient.exe	93
PID 5012 wrote to memory of 780	5012	ncclient.exe	93
PID 5012 wrote to memory of 780	5012	ncclient.exe	93
PID 5012 wrote to memory of 1252	5012	ncclient.exe	94
PID 5012 wrote to memory of 1252	5012	ncclient.exe	94
PID 5012 wrote to memory of 1252	5012	ncclient.exe	94
PID 5012 wrote to memory of 1668	5012	ncclient.exe	95
PID 5012 wrote to memory of 1668	5012	ncclient.exe	95
PID 5012 wrote to memory of 1668	5012	ncclient.exe	95

C:\Users\Admin\AppData\Local\Temp\2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d294d4ddd3fe94d76a9b487c63721b2_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Users\Admin\AppData\Local\Temp\nckill.exe
  C:\Users\Admin\AppData\Local\Temp\nckill.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1224
- C:\Windows\SysWOW64\NetClient40\RC\nrinst03.exe
  C:\Windows\system32\NetClient40\RC\nrinst03.exe -silent -i
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Checks SCSI registry key(s)
  PID:2396

C:\Windows\SysWOW64\NetClient40\ncagent.exe
C:\Windows\SysWOW64\NetClient40\ncagent.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\SysWOW64\NetClient40\ncstart.exe
  C:\Windows\SysWOW64\NetClient40\ncstart.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Windows\SysWOW64\NetClient40\ncclient.exe
    C:\Windows\SysWOW64\NetClient40\ncclient.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Windows\SysWOW64\netsh.exe
      netsh -c firewall add allowedprogram program="C:\Windows\SysWOW64\NetClient40\ncclient.exe" name="NetClient1"
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:4388
  - - C:\Windows\SysWOW64\netsh.exe
      netsh -c firewall add allowedprogram program="C:\Windows\SysWOW64\NetClient40\NetChat.exe" name="NetClient2"
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:60
  - - C:\Windows\SysWOW64\netsh.exe
      netsh -c firewall add allowedprogram program="C:\Windows\SysWOW64\NetClient40\rc\DrFtc.exe" name="NetClient3"
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:780
  - - C:\Windows\SysWOW64\netsh.exe
      netsh -c firewall add allowedprogram program="C:\Windows\SysWOW64\NetClient40\rc\NrHost.exe" name="NetClient4"
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:1252
  - - C:\Windows\SysWOW64\netsh.exe
      netsh -c firewall set icmpsetting type=8 mode=ENABLE profile=STANDARD
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nckill.exe

Filesize
56KB

MD5
e752ff15dc8b962501a22b08554cb0f5

SHA1
d7d6c21be2cb6f9e9f1c2a453ef28d7c6698957b

SHA256
f0e975ddd0e66bb9ed3b0d9a4bf7970763ccd807243af1e8bf6df26496777c46

SHA512
5869b4ec760ddd49fd18654002bfda9e3e271e8ada6768051468beb6d67520e245744ffe4ea8a20f784b4bca6dafab03f285d77687dd75bcf991d8cbb3e80bd1

Download Submit
C:\Windows\SysWOW64\NetClient40\NCClient.exe

Filesize
272KB

MD5
8655f18c6eed30f8813a1a61df4a690c

SHA1
8eda977e1d56587469ca06dcecddd4d336380358

SHA256
431a49dbe4cacdd7fb9d9340e0f9f81b9670fbb9acc2ed2715532f82177830c8

SHA512
7c3d4753ad49f91881f6efe51686ccac7031dde9ad89006cc8a7ec79d969348716710c72f1e9f611f0ff4aee87568464ee2be41b97dd0d2096449b50d60fe580

Download Submit
C:\Windows\SysWOW64\NetClient40\NCGUARD.SYS

Filesize
17KB

MD5
708d7915c244823d4ed14b1145145ea4

SHA1
0535bc2c5d852ea1d49beea2fb47f7a59ba1e1a3

SHA256
3ebec61ee6a180e2d5c29358e394d23d4a42b444de5d8ba85e2b1c398e0ece55

SHA512
126f719c10dbd76e0a645fd21f3af0611bc5a90fd0378fc895e5a78b56766ebba629275af06c243f74c6367bea1db4e1ba4f4e3b33853d9012869805a4a57888

Download Submit
C:\Windows\SysWOW64\NetClient40\NetChat.exe

Filesize
44KB

MD5
7a3cde5ed7efeffdae2ad35829e5908a

SHA1
008e3d3a2b2731851de3a94bc1bd7346ecd3b9bc

SHA256
aeb94ba23de90d1d018c1772cda11be7c1c2ea76b079149ed61e6678acfbeeda

SHA512
c104638422f68b80e17493e236e435f81ae2c03f3c0ecfab48a19b42ade09b5d93129aea40aa5388b32cb0f9dd2139acceb4fd0d1897b225b04db666008a5c0d

Download Submit
C:\Windows\SysWOW64\NetClient40\RC\nrdrvnt3.dll

Filesize
11KB

MD5
366b0ecc6a26035a34f619d061634f2e

SHA1
cbe3edb195f8f4b0f6fba342ec6bf3dcbfaa532f

SHA256
9b22d0eb2de909d8670b849f2f4c4b15db9f5ccf2d36085f41e0c2073fa17ceb

SHA512
8f720e28c2ffd973552062fcd88adc8e4e82e307150de7a9e8a80df1471459b4f84f1c2e2e066473257e6bb32e1490d81404aa8c9050ec5a1731682c48429bc9

Download Submit
C:\Windows\SysWOW64\NetClient40\RC\nrdrvnt3.sys

Filesize
8KB

MD5
be9a8898d0ecbace759ba05f6990882a

SHA1
9c69e304a1159e75178cb7e3bc7e95d90e4737fa

SHA256
8b6cc22781a6f0409fb9ffe0536af9083d18cd180a6ffc0142621a50302b25d2

SHA512
cf4c44d31e260c008d934a775d0c9aadb13205846908fadee8f0b58d089a1eaeccadbace7347a1de483b8df7d19b7cfe8657b77cdae84f6527fcf0ba206b4fd8

Download Submit
C:\Windows\SysWOW64\NetClient40\RC\nrinst03.exe

Filesize
69KB

MD5
6095b34e23378dd41a1600497b31c13d

SHA1
24ce72bed1bae7c20aa60b84d662bd15df03acdf

SHA256
a3b8f67773d918468ea74c9e6124709f84317393f27b811a4a675852985dc5d7

SHA512
b15f2c881eb2564840c6d4017e003255abf8bb3e36bbbb02ed588592d86b424cec1b89392bd0698ae2f95dbc0a4db9cf264eee5683f6e283f9926a75da0a77fb

Download Submit
C:\Windows\SysWOW64\NetClient40\ncagent.exe

Filesize
32KB

MD5
f754f8fa1bef20474786cd5f4b6a7f12

SHA1
42de82b7b6c2a7c995e9217a73595366e21f69ca

SHA256
6f87eba04f7ae065eed44634fb94aefb71fed8a8c8cfc2ae5d1d746727e87cd4

SHA512
0288632dd9785b46679163c029d7c9c39c55809a181cdc077866a2a399f10689787a0f46f9d7cd8c0f8825e95e02c7d5f56ecb22c9d40348b3ba8bb52f1b1296

Download Submit
C:\Windows\SysWOW64\NetClient40\ncstart.exe

Filesize
64KB

MD5
3d1e8b1be4cf5c13eab4e424204b34ab

SHA1
c54300fbb7e7759b04f23194756520d64771f740

SHA256
5d2158aa93fda80738b7a951111de3c7dc8a63c4394665af1d903c33afa883c0

SHA512
b680ee243c388b1c61c03ddc1f3e74a03024b615cef2d79bd4eda46026d4fd881099cfce25ad8f5c3f9f8de83bbf08086b450056111c52d0eb5b3ba25958cc55

Download Submit
C:\Windows\SysWOW64\NetClient40\rc\DrFtc.exe

Filesize
109KB

MD5
d3e11b73300d016c2558fb66c8c2ec99

SHA1
3c9bec7c170562d078d31723a9bd426e1bcc8381

SHA256
3b9f4e556d0489266e6a5ceee4dcf9b43bf3723e7d3d69213cf9e2ed760281f1

SHA512
6912faab8115527b8b1a3a27549f2e9557840ad339203c973eac0886e6074f6ffb9bc8c42db3286cdb78fc14e473ba2ae254c3bb7fc3fa8a512c9fba4a555c9d

Download Submit
C:\Windows\SysWOW64\NetClient40\rc\NrHost.exe

Filesize
69KB

MD5
ced94e78d89088e3815b6dac8fe5f91e

SHA1
009d7c979161445c8548825ebcaae8cf44559cc9

SHA256
3e5e05de3f9cf49cc273b4478483e9f5e38f74dba3a01fa6c412ebc85f3bc64f

SHA512
9ad46f14cf72af2bdd75b93a8fdbc16112ce25110bf0bd582876943050ef53485e4f063d5fa5ac94fadad4fac4a2a50eaac2409329a9dddd1622ac18cf5b58d8

Download Submit