njrat | 64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11-07-2024 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe
Size

7.7MB
MD5

6ca08efccb785d2b8c23c54a05930356
SHA1

c4de56535545a5a6555af998b2b3fbb254637625
SHA256

64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed
SHA512

8da14f29989d5c99b0335be45951e4e87dccabefccae73a8e5cf13d91e6d47fcf1408b9020a965015b15175239f6d732d8cd4b6b11e07b232386827984b77b14
SSDEEP

196608:p9xmKlBELQL73HTSddEVnvbG3eVvMJxOf2X6QDpTrTMA:Yf03QdEc3eJMJxOf25VT3D

Score

10^/10

njrat umbral xworm evasion execution persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

testarosa.duckdns.org:7110

Mutex

5ZpeoOe6AtQfr6wU

Attributes

Install_directory
%AppData%
install_file
Ondrive.exe

aes.plain

Extracted

Family

umbral

https://discord.com/api/webhooks/1255561908631900262/FBfFOJC5RNZ6gSVwbGsinrWT1Tk0AcX2fxXrs9EMYvCvgKrDx5R4TOUhy9LGN7mz_JKs

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/memory/4328-68-0x0000020F74610000-0x0000020F74650000-memory.dmp	family_umbral
behavioral2/files/0x00070000000234bf-66.dat	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00070000000234c1-61.dat	family_xworm
behavioral2/memory/1400-83-0x00000000002E0000-0x00000000002F0000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3280	powershell.exe
3104	powershell.exe
5008	powershell.exe
1956	powershell.exe
1460	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1608	netsh.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	conhost.exe

Executes dropped EXE 10 IoCs

pid	Process
4700	Server.exe
4956	3.exe
4592	msxml6.EXE
3336	Server.exe
4328	3.exe
908	conhost.exe
1400	conhost.exe
4072	server.exe
1220	Ondrive.exe
3664	Ondrive.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6a8a3b6e5450a823d542e748a454aa4c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6a8a3b6e5450a823d542e748a454aa4c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	discord.com
23	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2680	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4268	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4052	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
908	conhost.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
4328	3.exe
3104	powershell.exe
3104	powershell.exe
968	powershell.exe
968	powershell.exe
5008	powershell.exe
5008	powershell.exe
3060	powershell.exe
3060	powershell.exe
1956	powershell.exe
624	powershell.exe
1956	powershell.exe
624	powershell.exe
1460	powershell.exe
1460	powershell.exe
3280	powershell.exe
3280	powershell.exe
4724	powershell.exe
4724	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4412	64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe
Token: SeDebugPrivilege	1400	conhost.exe
Token: SeDebugPrivilege	908	conhost.exe
Token: SeDebugPrivilege	4328	3.exe
Token: SeIncreaseQuotaPrivilege	2460	wmic.exe
Token: SeSecurityPrivilege	2460	wmic.exe
Token: SeTakeOwnershipPrivilege	2460	wmic.exe
Token: SeLoadDriverPrivilege	2460	wmic.exe
Token: SeSystemProfilePrivilege	2460	wmic.exe
Token: SeSystemtimePrivilege	2460	wmic.exe
Token: SeProfSingleProcessPrivilege	2460	wmic.exe
Token: SeIncBasePriorityPrivilege	2460	wmic.exe
Token: SeCreatePagefilePrivilege	2460	wmic.exe
Token: SeBackupPrivilege	2460	wmic.exe
Token: SeRestorePrivilege	2460	wmic.exe
Token: SeShutdownPrivilege	2460	wmic.exe
Token: SeDebugPrivilege	2460	wmic.exe
Token: SeSystemEnvironmentPrivilege	2460	wmic.exe
Token: SeRemoteShutdownPrivilege	2460	wmic.exe
Token: SeUndockPrivilege	2460	wmic.exe
Token: SeManageVolumePrivilege	2460	wmic.exe
Token: 33	2460	wmic.exe
Token: 34	2460	wmic.exe
Token: 35	2460	wmic.exe
Token: 36	2460	wmic.exe
Token: SeIncreaseQuotaPrivilege	2460	wmic.exe
Token: SeSecurityPrivilege	2460	wmic.exe
Token: SeTakeOwnershipPrivilege	2460	wmic.exe
Token: SeLoadDriverPrivilege	2460	wmic.exe
Token: SeSystemProfilePrivilege	2460	wmic.exe
Token: SeSystemtimePrivilege	2460	wmic.exe
Token: SeProfSingleProcessPrivilege	2460	wmic.exe
Token: SeIncBasePriorityPrivilege	2460	wmic.exe
Token: SeCreatePagefilePrivilege	2460	wmic.exe
Token: SeBackupPrivilege	2460	wmic.exe
Token: SeRestorePrivilege	2460	wmic.exe
Token: SeShutdownPrivilege	2460	wmic.exe
Token: SeDebugPrivilege	2460	wmic.exe
Token: SeSystemEnvironmentPrivilege	2460	wmic.exe
Token: SeRemoteShutdownPrivilege	2460	wmic.exe
Token: SeUndockPrivilege	2460	wmic.exe
Token: SeManageVolumePrivilege	2460	wmic.exe
Token: 33	2460	wmic.exe
Token: 34	2460	wmic.exe
Token: 35	2460	wmic.exe
Token: 36	2460	wmic.exe
Token: SeDebugPrivilege	3104	powershell.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	624	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	3280	powershell.exe
Token: SeIncreaseQuotaPrivilege	1196	wmic.exe
Token: SeSecurityPrivilege	1196	wmic.exe
Token: SeTakeOwnershipPrivilege	1196	wmic.exe
Token: SeLoadDriverPrivilege	1196	wmic.exe
Token: SeSystemProfilePrivilege	1196	wmic.exe
Token: SeSystemtimePrivilege	1196	wmic.exe
Token: SeProfSingleProcessPrivilege	1196	wmic.exe
Token: SeIncBasePriorityPrivilege	1196	wmic.exe
Token: SeCreatePagefilePrivilege	1196	wmic.exe
Token: SeBackupPrivilege	1196	wmic.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 4700	4412	64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe	87
PID 4412 wrote to memory of 4700	4412	64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe	87
PID 4412 wrote to memory of 4956	4412	64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe	88
PID 4412 wrote to memory of 4956	4412	64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe	88
PID 4412 wrote to memory of 4592	4412	64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe	89
PID 4412 wrote to memory of 4592	4412	64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe	89
PID 4700 wrote to memory of 3336	4700	Server.exe	91
PID 4700 wrote to memory of 3336	4700	Server.exe	91
PID 4700 wrote to memory of 3336	4700	Server.exe	91
PID 4956 wrote to memory of 4328	4956	3.exe	92
PID 4956 wrote to memory of 4328	4956	3.exe	92
PID 4700 wrote to memory of 908	4700	Server.exe	93
PID 4700 wrote to memory of 908	4700	Server.exe	93
PID 4956 wrote to memory of 1400	4956	3.exe	94
PID 4956 wrote to memory of 1400	4956	3.exe	94
PID 4328 wrote to memory of 2460	4328	3.exe	95
PID 4328 wrote to memory of 2460	4328	3.exe	95
PID 4328 wrote to memory of 1716	4328	3.exe	97
PID 4328 wrote to memory of 1716	4328	3.exe	97
PID 4328 wrote to memory of 3104	4328	3.exe	99
PID 4328 wrote to memory of 3104	4328	3.exe	99
PID 4328 wrote to memory of 968	4328	3.exe	101
PID 4328 wrote to memory of 968	4328	3.exe	101
PID 908 wrote to memory of 5008	908	conhost.exe	103
PID 908 wrote to memory of 5008	908	conhost.exe	103
PID 4328 wrote to memory of 3060	4328	3.exe	105
PID 4328 wrote to memory of 3060	4328	3.exe	105
PID 908 wrote to memory of 1956	908	conhost.exe	107
PID 908 wrote to memory of 1956	908	conhost.exe	107
PID 4328 wrote to memory of 624	4328	3.exe	109
PID 4328 wrote to memory of 624	4328	3.exe	109
PID 908 wrote to memory of 1460	908	conhost.exe	111
PID 908 wrote to memory of 1460	908	conhost.exe	111
PID 908 wrote to memory of 3280	908	conhost.exe	113
PID 908 wrote to memory of 3280	908	conhost.exe	113
PID 4328 wrote to memory of 1196	4328	3.exe	115
PID 4328 wrote to memory of 1196	4328	3.exe	115
PID 4328 wrote to memory of 3612	4328	3.exe	117
PID 4328 wrote to memory of 3612	4328	3.exe	117
PID 4328 wrote to memory of 4560	4328	3.exe	119
PID 4328 wrote to memory of 4560	4328	3.exe	119
PID 4328 wrote to memory of 4724	4328	3.exe	121
PID 4328 wrote to memory of 4724	4328	3.exe	121
PID 908 wrote to memory of 4052	908	conhost.exe	123
PID 908 wrote to memory of 4052	908	conhost.exe	123
PID 4328 wrote to memory of 2680	4328	3.exe	125
PID 4328 wrote to memory of 2680	4328	3.exe	125
PID 3336 wrote to memory of 4072	3336	Server.exe	127
PID 3336 wrote to memory of 4072	3336	Server.exe	127
PID 3336 wrote to memory of 4072	3336	Server.exe	127
PID 4328 wrote to memory of 2608	4328	3.exe	128
PID 4328 wrote to memory of 2608	4328	3.exe	128
PID 4072 wrote to memory of 1608	4072	server.exe	130
PID 4072 wrote to memory of 1608	4072	server.exe	130
PID 4072 wrote to memory of 1608	4072	server.exe	130
PID 2608 wrote to memory of 4268	2608	cmd.exe	132
PID 2608 wrote to memory of 4268	2608	cmd.exe	132

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1716	attrib.exe

C:\Users\Admin\AppData\Local\Temp\64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe
"C:\Users\Admin\AppData\Local\Temp\64787cd5380092f4842918dde01f0bfe92c133a925cdaef9f7289e6e53af4eed.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Users\Admin\AppData\Roaming\Server.exe
    "C:\Users\Admin\AppData\Roaming\Server.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3336
  - - C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4072
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1608
- - C:\Users\Admin\AppData\Roaming\conhost.exe
    "C:\Users\Admin\AppData\Roaming\conhost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\conhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'conhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1956
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Ondrive.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1460
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Ondrive.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3280
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Ondrive" /tr "C:\Users\Admin\AppData\Roaming\Ondrive.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4052
- C:\Users\Admin\AppData\Local\Temp\3.exe
  "C:\Users\Admin\AppData\Local\Temp\3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Users\Admin\AppData\Roaming\3.exe
    "C:\Users\Admin\AppData\Roaming\3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4328
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2460
  - - C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Roaming\3.exe"
      4⤵
      Views/modifies file attributes
      PID:1716
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\3.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3104
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:624
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1196
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:3612
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:4560
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4724
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2680
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Roaming\3.exe" && pause
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        Runs ping.exe
        
        PID:4268
- - C:\Users\Admin\AppData\Roaming\conhost.exe
    "C:\Users\Admin\AppData\Roaming\conhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1400
- C:\Users\Admin\AppData\Local\Temp\msxml6.EXE
  "C:\Users\Admin\AppData\Local\Temp\msxml6.EXE"
  2⤵
  - Executes dropped EXE
  PID:4592

C:\Users\Admin\AppData\Roaming\Ondrive.exe
C:\Users\Admin\AppData\Roaming\Ondrive.exe
1⤵
- Executes dropped EXE
PID:1220

C:\Users\Admin\AppData\Roaming\Ondrive.exe
C:\Users\Admin\AppData\Roaming\Ondrive.exe
1⤵
- Executes dropped EXE
PID:3664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\3.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
2af06a6b36db9473e4a7d9c7ab72b70b

SHA1
8ef34b9b961e51bdd1b8d7d9db2ec1b0a4764645

SHA256
18a2aa7e245c6732f95fb7749b2b4d29007f2c56a9c5bfbc5e3c127bdfe5f158

SHA512
3495567a5d5af94ae27be51313d9e2630c52017d808042fe0d56baa34fa1d246eb15c253d14c77c77a1d8f2f1c81680e623044ae95415b095696e7fa141ac7cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f67f3b36c4df412d0c8bbc8d19054c52

SHA1
ac3ec40d0c8d98c567d6e46ec0e980a2300ca5e9

SHA256
42f9b1e7aedb4c68c96b95e2a6b76c73edd7101a8401ee5bf9b1ed26eb7caf6b

SHA512
ce789933e2b626345d5e5f7713712c38b0482e3c3213f496cfcb4413ebb8bd2dc38d8608b62eb1da9746e5ec5939a025baa7722bd25a682962fef55c06efd8bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
019a54d1f0d6469396d1d79bcca4d41d

SHA1
f7998bbb060a580079940ddc583dfaf798867fa7

SHA256
8dc87996c13c37f8c745ae8c49d477ff1b5e578845ed76f0bab90b157e42040a

SHA512
e3484f695ac2ebfc0430264e63e49a34f9617ac10112929112031baa6c74f1f406ea5e150fd1eb44ab9e0a8470e1bc7c9d416c93357dda9986a80038f26b21d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d14ccefeb263594e60b1765e131f7a3

SHA1
4a9ebdc0dff58645406c40b7b140e1b174756721

SHA256
57cd435c8b2bf10a2c77698301789c032e1b6b623ff1420c72e8bca0b10f1e5c

SHA512
2013a26123f72a4106524fd9d7389ac4654f97033d22707efc084fb2a3ad01c298eb64f01bb64861ab603615022dbe7cfc97475346edb16b3ba72e905127f101

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe

Filesize
274KB

MD5
ed59c6590b199b2ee53eec444322472b

SHA1
6c91f4e2489a9869ab971061fdd67a0eeb1e7007

SHA256
aa4abbb1305525b1703a23521db1e817dfd39f014527c319a16a153d2d9dcb0f

SHA512
7dd903995d2c673a3778c5f4f5006cdf3e177ad9093649e5e953894e49f386049ae1e58103095874f09b91d4e21d963d05f02ea9644ed67dd3054aa10b47ba97

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
71KB

MD5
f9b08bd21b40a938122b479095b7c70c

SHA1
eb925e3927b83c20d8d24bdab2e587c10d6ac8cd

SHA256
c96cde2e96021c266a202286d644ceb28543d6347e21006d72b29b8a72c505e8

SHA512
fcc5784936b7f85a550883c472b99b5edfa7e5c6fd3872fd806b81c2ce1f195ca34342b230a89456066885579fe55aea46d91074ac08af192fbd04ea158473ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t3uxucwf.hl3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\msxml6.EXE

Filesize
7.7MB

MD5
8b39a0c9d351c316ae38251db3e917da

SHA1
71c988393af62584e93ebe721a600c1a51fa7c29

SHA256
aacbefe172556a5df9e5bf52834aaa22893002edeb46533e1a85866cc7462a15

SHA512
092f06c5f373a65be4f4784357596422df1bb50dcd81c0056464c70f99a0845d71e6819f01c8e7a2ca3f663ad4125588b6e48d88ec0736e7305a70bd8c59e9af

Download Submit
C:\Users\Admin\AppData\Roaming\3.exe

Filesize
227KB

MD5
66d7e8125484efe9585adf807f3860ec

SHA1
aad54a84cc6bfcd422631bfce7b187b001ec0128

SHA256
9cc7b63b2a2c95cfdd1f0f9044f6f760d8dae0d622aa07cb18ce071d9c491d4e

SHA512
f0eabf14bab037689568dc6f7bb6126d1c5922e08432b650e338567c7ae2d70d1ac3420dfec0501453a0e8fece11482071434137e70d62e1136dd482a791d5d5

Download Submit
C:\Users\Admin\AppData\Roaming\Server.exe

Filesize
23KB

MD5
32fe01ccb93b0233503d0aaaa451f7b2

SHA1
58e5a63142150e8fb175dbb4dedea2ce405d7db0

SHA256
6988ee719a54c93a89303dcff277c62ae4890274cc45f074bc7effde315fbf43

SHA512
76945f23a49d594e325d80ffc0570341044ac0b97bd889c92f90bc56d3cdff5c1b29178be4f157c8c1bb9ce7cc311765309f2e6f7b08b24e7acf983ea67635a6

Download Submit
C:\Users\Admin\AppData\Roaming\conhost.exe

Filesize
37KB

MD5
b37dd1a1f0507baf993471ae1b7a314c

SHA1
9aff9d71492ffff8d51f8e8d67f5770755899882

SHA256
e58e8918a443c0061add029f8f211f6551a130202195cc2b9b529ea72553e0bc

SHA512
ac76d5b10540eb292341f30c7abfd81f03be65f6655c814aba6ac6a0ecf4f0f2c34c3b8e63ceef8c4579f98b7459e51b9fdd30d601c6d1930860ab7c154da460

Download Submit
memory/1400-83-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/3104-88-0x0000023DB3060000-0x0000023DB3082000-memory.dmp

Filesize
136KB

Download
memory/4328-113-0x0000020F76F30000-0x0000020F76F4E000-memory.dmp

Filesize
120KB

Download
memory/4328-181-0x0000020F76E50000-0x0000020F76E5A000-memory.dmp

Filesize
40KB

Download
memory/4328-223-0x0000020F76AB0000-0x0000020F76BB2000-memory.dmp

Filesize
1.0MB

Download
memory/4328-68-0x0000020F74610000-0x0000020F74650000-memory.dmp

Filesize
256KB

Download
memory/4328-111-0x0000020F76E80000-0x0000020F76EF6000-memory.dmp

Filesize
472KB

Download
memory/4328-112-0x0000020F76E00000-0x0000020F76E50000-memory.dmp

Filesize
320KB

Download
memory/4328-219-0x0000020F76AB0000-0x0000020F76BB2000-memory.dmp

Filesize
1.0MB

Download
memory/4328-182-0x0000020F76F00000-0x0000020F76F12000-memory.dmp

Filesize
72KB

Download
memory/4412-1-0x0000000000D80000-0x0000000001540000-memory.dmp

Filesize
7.8MB

Download
memory/4412-0-0x00007FFBC4A63000-0x00007FFBC4A65000-memory.dmp

Filesize
8KB

Download
memory/4412-81-0x00007FFBC4A60000-0x00007FFBC5521000-memory.dmp

Filesize
10.8MB

Download
memory/4412-2-0x00007FFBC4A60000-0x00007FFBC5521000-memory.dmp

Filesize
10.8MB

Download
memory/4700-24-0x0000000000F70000-0x0000000000F88000-memory.dmp

Filesize
96KB

Download
memory/4700-26-0x00007FFBC4A60000-0x00007FFBC5521000-memory.dmp

Filesize
10.8MB

Download
memory/4700-82-0x00007FFBC4A60000-0x00007FFBC5521000-memory.dmp

Filesize
10.8MB

Download
memory/4956-28-0x0000000000460000-0x00000000004AA000-memory.dmp

Filesize
296KB

Download
memory/4956-35-0x00007FFBC4A60000-0x00007FFBC5521000-memory.dmp

Filesize
10.8MB

Download
memory/4956-84-0x00007FFBC4A60000-0x00007FFBC5521000-memory.dmp

Filesize
10.8MB

Download