Malware Analysis Report

2025-01-22 13:16

Sample ID 240716-18mldasgkn
Target 2dab12f7051b607ecbd5812188a6294c2b373f71f6041696848119817b143a38.zip
SHA256 37153916998994c1afe3f907d087cf3798df4d3aee1cb1a981e0d67ab0082d57
Tags
njrat baslayalim evasion persistence privilege_escalation trojan execution
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

37153916998994c1afe3f907d087cf3798df4d3aee1cb1a981e0d67ab0082d57

Threat Level: Known bad

The file 2dab12f7051b607ecbd5812188a6294c2b373f71f6041696848119817b143a38.zip was found to be: Known bad.

Malicious Activity Summary

njrat baslayalim evasion persistence privilege_escalation trojan execution

UAC bypass

Njrat family

njRAT/Bladabindi

Command and Scripting Interpreter: PowerShell

Modifies Windows Firewall

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-16 22:19

Signatures

Njrat family

njrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-16 22:19

Reported

2024-07-16 22:21

Platform

win7-20240708-en

Max time kernel

149s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2dab12f7051b607ecbd5812188a6294c2b373f71f6041696848119817b143a38.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\46f87cb2b7a37b42307390e98359779e = "\"C:\\Users\\Admin\\WinUpdate.exe\" .." C:\Users\Admin\WinUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\46f87cb2b7a37b42307390e98359779e = "\"C:\\Users\\Admin\\WinUpdate.exe\" .." C:\Users\Admin\WinUpdate.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Suspicious behavior: EnumeratesProcesses

Count Description Indicator Process Target
46 N/A N/A C:\Users\Admin\WinUpdate.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchosts.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\WinUpdate.exe N/A

Suspicious use of WriteProcessMemory

Count Description Indicator Process Target
4 PID 2668 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2dab12f7051b607ecbd5812188a6294c2b373f71f6041696848119817b143a38.exe C:\Users\Admin\AppData\Local\Temp\svchosts.exe
7 PID 2668 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\2dab12f7051b607ecbd5812188a6294c2b373f71f6041696848119817b143a38.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe
4 PID 2668 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\2dab12f7051b607ecbd5812188a6294c2b373f71f6041696848119817b143a38.exe C:\Users\Admin\AppData\Local\Temp\cheats.exe
7 PID 2116 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe C:\Users\Admin\WinUpdate.exe
4 PID 2596 wrote to memory of 796 N/A C:\Users\Admin\WinUpdate.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2dab12f7051b607ecbd5812188a6294c2b373f71f6041696848119817b143a38.exe

"C:\Users\Admin\AppData\Local\Temp\2dab12f7051b607ecbd5812188a6294c2b373f71f6041696848119817b143a38.exe"

C:\Users\Admin\AppData\Local\Temp\svchosts.exe

"C:\Users\Admin\AppData\Local\Temp\svchosts.exe"

C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe"

C:\Users\Admin\AppData\Local\Temp\cheats.exe

"C:\Users\Admin\AppData\Local\Temp\cheats.exe"

C:\Users\Admin\WinUpdate.exe

"C:\Users\Admin\WinUpdate.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\WinUpdate.exe" "WinUpdate.exe" ENABLE

Network

Count Country Destination Domain Proto
1 US 8.8.8.8:53 api.telegram.org udp
1 NL 149.154.167.220:443 api.telegram.org tcp
6 NL 91.92.242.187:1339 tcp

Files

memory/2668-0-0x000007FEF5543000-0x000007FEF5544000-memory.dmp

memory/2668-1-0x0000000000FD0000-0x0000000002488000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchosts.exe

MD5 53eb30021c7269f24a42a7f5502451dc
SHA1 d1fe5103eb56c2f23d0c175249ba413dd8de81fe
SHA256 2f3c009d3aec329dbe8ef333fdd307524b94afc294b23598ba1c57819590d49f
SHA512 407c398c56e20c536570a70a94be385e23d0b8ea9b99f2b8d34dc245ca95af3ef72b363d5e16e5c04615ff01ef23c1a6a8df322ba93088928e5e6b7a96f84d1f

C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe

MD5 accc6c2e2e1e5878ecc63f0b09ae9a5b
SHA1 617ad738c22ba7d4fdda56d5eec25bf15d8a1035
SHA256 e67250c52276f7b5c9df01af7fd73ca3fe8ccf74c48c6fdc264071607f289009
SHA512 e2bf7dbad9e394ac891d51f7d355688d61e14a5b343b2796bb0f18027935aa1d2fb46829e10330148f97f626fed3c105471b95c13c1af94ee2fce61e5172fb95

C:\Users\Admin\AppData\Local\Temp\cheats.exe

MD5 cc5178946ac7da047c34937e3f4abe77
SHA1 1a1ad4285c931ea9d837ae70e4c0a55c230419b3
SHA256 52efeac657313acc6c9458b0d8f8bb26bc95433b19f29876fecd845303231140
SHA512 b7b03531e7da000952eb5e87366b989063593d0a71e98e4ae332540db82d453faa25debe868f6daaf9083bbf6b9f2da19944a8632f0f8d0c2dfa01717018e02d

memory/2752-20-0x0000000000AB0000-0x0000000000AB8000-memory.dmp

memory/2732-21-0x0000000001190000-0x000000000262C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-16 22:19

Reported

2024-07-16 22:21

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2dab12f7051b607ecbd5812188a6294c2b373f71f6041696848119817b143a38.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\svchosts.exe N/A

njRAT/Bladabindi

trojan njrat

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2dab12f7051b607ecbd5812188a6294c2b373f71f6041696848119817b143a38.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchosts.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\46f87cb2b7a37b42307390e98359779e = "\"C:\\Users\\Admin\\WinUpdate.exe\" .." C:\Users\Admin\WinUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\46f87cb2b7a37b42307390e98359779e = "\"C:\\Users\\Admin\\WinUpdate.exe\" .." C:\Users\Admin\WinUpdate.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\svchosts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\svchosts.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Count Description Indicator Process Target
2 N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
48 N/A N/A C:\Users\Admin\WinUpdate.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchosts.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\WinUpdate.exe N/A

Suspicious use of WriteProcessMemory

Count Description Indicator Process Target
3 PID 1576 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\2dab12f7051b607ecbd5812188a6294c2b373f71f6041696848119817b143a38.exe C:\Users\Admin\AppData\Local\Temp\svchosts.exe
3 PID 1576 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\2dab12f7051b607ecbd5812188a6294c2b373f71f6041696848119817b143a38.exe C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe
3 PID 1576 wrote to memory of 236 N/A C:\Users\Admin\AppData\Local\Temp\2dab12f7051b607ecbd5812188a6294c2b373f71f6041696848119817b143a38.exe C:\Users\Admin\AppData\Local\Temp\cheats.exe
3 PID 3180 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe C:\Users\Admin\WinUpdate.exe
3 PID 1588 wrote to memory of 2908 N/A C:\Users\Admin\WinUpdate.exe C:\Windows\SysWOW64\netsh.exe
3 PID 4296 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\svchosts.exe C:\Windows\SysWOW64\cmd.exe
3 PID 4296 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\svchosts.exe C:\Windows\SysWOW64\cmd.exe
3 PID 1872 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
3 PID 2144 wrote to memory of 4824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\svchosts.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2dab12f7051b607ecbd5812188a6294c2b373f71f6041696848119817b143a38.exe

"C:\Users\Admin\AppData\Local\Temp\2dab12f7051b607ecbd5812188a6294c2b373f71f6041696848119817b143a38.exe"

C:\Users\Admin\AppData\Local\Temp\svchosts.exe

"C:\Users\Admin\AppData\Local\Temp\svchosts.exe"

C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe"

C:\Users\Admin\AppData\Local\Temp\cheats.exe

"C:\Users\Admin\AppData\Local\Temp\cheats.exe"

C:\Users\Admin\WinUpdate.exe

"C:\Users\Admin\WinUpdate.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\WinUpdate.exe" "WinUpdate.exe" ENABLE

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\,C:\Users\Admin\AppData\Roaming

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C schtasks /create /tn svchosts /tr C:\Users\Admin\AppData\Roaming\svchosts.exe /sc onlogon

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\,C:\Users\Admin\AppData\Roaming

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn svchosts /tr C:\Users\Admin\AppData\Roaming\svchosts.exe /sc onlogon

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
NL 91.92.242.187:1339 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
NL 91.92.242.187:1339 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 38.58.20.217.in-addr.arpa udp
NL 91.92.242.187:1339 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 91.92.242.187:1339 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
NL 91.92.242.187:1339 tcp
NL 91.92.242.187:1339 tcp
US 8.8.8.8:53 121.150.79.40.in-addr.arpa udp

Files

memory/1576-0-0x00007FFD6AFA3000-0x00007FFD6AFA5000-memory.dmp

memory/1576-1-0x0000000000020000-0x00000000014D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchosts.exe

MD5 53eb30021c7269f24a42a7f5502451dc
SHA1 d1fe5103eb56c2f23d0c175249ba413dd8de81fe
SHA256 2f3c009d3aec329dbe8ef333fdd307524b94afc294b23598ba1c57819590d49f
SHA512 407c398c56e20c536570a70a94be385e23d0b8ea9b99f2b8d34dc245ca95af3ef72b363d5e16e5c04615ff01ef23c1a6a8df322ba93088928e5e6b7a96f84d1f

C:\Users\Admin\AppData\Local\Temp\WinUpdate.exe

MD5 accc6c2e2e1e5878ecc63f0b09ae9a5b
SHA1 617ad738c22ba7d4fdda56d5eec25bf15d8a1035
SHA256 e67250c52276f7b5c9df01af7fd73ca3fe8ccf74c48c6fdc264071607f289009
SHA512 e2bf7dbad9e394ac891d51f7d355688d61e14a5b343b2796bb0f18027935aa1d2fb46829e10330148f97f626fed3c105471b95c13c1af94ee2fce61e5172fb95

C:\Users\Admin\AppData\Local\Temp\cheats.exe

MD5 cc5178946ac7da047c34937e3f4abe77
SHA1 1a1ad4285c931ea9d837ae70e4c0a55c230419b3
SHA256 52efeac657313acc6c9458b0d8f8bb26bc95433b19f29876fecd845303231140
SHA512 b7b03531e7da000952eb5e87366b989063593d0a71e98e4ae332540db82d453faa25debe868f6daaf9083bbf6b9f2da19944a8632f0f8d0c2dfa01717018e02d

memory/3180-33-0x0000000074E72000-0x0000000074E73000-memory.dmp

memory/4296-32-0x00000000746CE000-0x00000000746CF000-memory.dmp

memory/236-36-0x0000000000800000-0x0000000000808000-memory.dmp

memory/3180-35-0x0000000074E70000-0x0000000075421000-memory.dmp

memory/3180-37-0x0000000074E70000-0x0000000075421000-memory.dmp

memory/4296-39-0x0000000000310000-0x00000000017AC000-memory.dmp

memory/4296-53-0x0000000006650000-0x0000000006BF4000-memory.dmp

memory/4296-54-0x0000000006190000-0x0000000006222000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\WinUpdate.exe.log

MD5 824ba7b7eed8b900a98dd25129c4cd83
SHA1 54478770b2158000ef365591d42977cb854453a1
SHA256 d182dd648c92e41cd62dccc65f130c07f0a96c03b32f907c3d1218e9aa5bda03
SHA512 ae4f3a9673711ecb6cc5d06874c587341d5094803923b53b6e982278fa64549d7acf866de165e23750facd55da556b6794c0d32f129f4087529c73acd4ffb11e

memory/3180-60-0x0000000074E70000-0x0000000075421000-memory.dmp

memory/4296-61-0x0000000006250000-0x000000000625A000-memory.dmp

memory/4296-68-0x00000000098B0000-0x0000000009926000-memory.dmp

memory/3028-69-0x0000000003180000-0x00000000031B6000-memory.dmp

memory/3028-70-0x0000000005B70000-0x0000000006198000-memory.dmp

memory/4296-71-0x0000000009880000-0x000000000989E000-memory.dmp

memory/3028-72-0x0000000005680000-0x00000000056A2000-memory.dmp

memory/3028-74-0x00000000059D0000-0x0000000005A36000-memory.dmp

memory/3028-73-0x00000000058F0000-0x0000000005956000-memory.dmp

memory/3028-87-0x00000000061A0000-0x00000000064F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wdguqkoy.iaj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\MicrosoftCompabilityTelemetry.exe

MD5 cda194ea63190e49e5eb5776a722c0fa
SHA1 e610fb61a7c0e804ba4b7938f089c71a280a1e4c
SHA256 6fea0b7f1d5b147d2ebcad8c19283bc341de33252f0761767af05c7294a79e1d
SHA512 eafd85e10ed86e38c44b74920fb3832508cd3865d361a12ce3c94c31e207b247e400f1667674ef7396f690d9c2f42e1c552d8da9bb81c4f109e4ca0b1540952b

memory/3028-94-0x0000000006730000-0x000000000674E000-memory.dmp

memory/3028-95-0x00000000067C0000-0x000000000680C000-memory.dmp

memory/3028-96-0x0000000006CF0000-0x0000000006D22000-memory.dmp

memory/3028-107-0x00000000076F0000-0x000000000770E000-memory.dmp

memory/3028-108-0x00000000079C0000-0x0000000007A63000-memory.dmp

memory/3028-97-0x000000006D730000-0x000000006D77C000-memory.dmp

memory/3028-109-0x00000000080F0000-0x000000000876A000-memory.dmp

memory/3028-110-0x0000000007790000-0x00000000077AA000-memory.dmp

memory/3028-111-0x0000000007AD0000-0x0000000007ADA000-memory.dmp

memory/3028-112-0x0000000007CC0000-0x0000000007D56000-memory.dmp

memory/3028-113-0x0000000007C50000-0x0000000007C61000-memory.dmp

memory/3028-114-0x0000000007C80000-0x0000000007C8E000-memory.dmp

memory/3028-115-0x0000000007C90000-0x0000000007CA4000-memory.dmp

memory/3028-116-0x0000000007D80000-0x0000000007D9A000-memory.dmp

memory/3028-117-0x0000000007D70000-0x0000000007D78000-memory.dmp

memory/4296-120-0x00000000746CE000-0x00000000746CF000-memory.dmp