Malware Analysis Report

2025-01-22 13:16

Sample ID 240716-1sqyvs1hpp
Target winmod.exe
SHA256 1ef86b1cfa7e45f6602e24a18e76d5e556f781abb0acf18f92eaca95bb53e25d
Tags njrat quewexsite evasion persistence privilege_escalation trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 1ef86b1cfa7e45f6602e24a18e76d5e556f781abb0acf18f92eaca95bb53e25d

Threat Level: Known bad

The file winmod.exe was found to be: Known bad.

Malicious Activity Summary

njrat quewexsite evasion persistence privilege_escalation trojan

njRAT/Bladabindi

Modifies Windows Firewall

Checks computer location settings

Executes dropped EXE

Deletes itself

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-07-16 21:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-16 21:55

Reported

2024-07-16 21:57

Platform

win7-20240708-en

Max time kernel

150s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\winmod.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe N/A
N/A N/A C:\Windows\WindowsHealthChecker.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\7799a186f618ba54cc458f7422abc774 = "\"C:\\Windows\\WindowsHealthChecker.exe\" .." C:\Windows\WindowsHealthChecker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\7799a186f618ba54cc458f7422abc774 = "\"C:\\Windows\\WindowsHealthChecker.exe\" .." C:\Windows\WindowsHealthChecker.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WindowsHealthChecker.exe C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe N/A (identical row repeated 63 times)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\WindowsHealthChecker.exe N/A
Token: 33 N/A C:\Windows\WindowsHealthChecker.exe N/A (repeated 16 times, alternating with the next row)
Token: SeIncBasePriorityPrivilege N/A C:\Windows\WindowsHealthChecker.exe N/A (repeated 16 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\winmod.exe C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe (×4)
PID 2208 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\winmod.exe C:\Windows\system32\cmd.exe (×3)
PID 2732 wrote to memory of 2052 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (×3)
PID 2208 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\winmod.exe C:\Windows\system32\cmd.exe (×3)
PID 2680 wrote to memory of 2420 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe (×3)
PID 2832 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe C:\Windows\WindowsHealthChecker.exe (×4)
PID 1972 wrote to memory of 108 N/A C:\Windows\WindowsHealthChecker.exe C:\Windows\SysWOW64\netsh.exe (×4)

Processes

C:\Users\Admin\AppData\Local\Temp\winmod.exe

"C:\Users\Admin\AppData\Local\Temp\winmod.exe"

C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe

"C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\fakecmd.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp94D0.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\WindowsHealthChecker.exe

"C:\Windows\WindowsHealthChecker.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\WindowsHealthChecker.exe" "WindowsHealthChecker.exe" ENABLE

Network

Country Destination Domain Proto
FR 88.168.211.65:6522 tcp

Files

memory/2208-0-0x000007FEF5753000-0x000007FEF5754000-memory.dmp

memory/2208-1-0x00000000000D0000-0x00000000000E6000-memory.dmp

memory/2208-7-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe

MD5 b075f9e4015e2f43154b9903d9ec5fb5
SHA1 0717b04115360a6d1d4451c90d0f6b0f781d249f
SHA256 103cb14f2460de6ef7c780becc87bac0599bdd0527e176c0ec87aad2397b57e6
SHA512 4f71a17234a0078733bd61fa80bd3463341dda0c1ac31ac9c496efd528ecd8657cf206160d6b9205e4fab6aa3b10fdd8f1764bc574223c63a38213735fd3939b

C:\Users\Admin\AppData\Local\Temp\fakecmd.bat

MD5 f96d7ee1c050f915b080bd319564c817
SHA1 6f095907e07e178f9063a01020caf2921d982c7a
SHA256 5d92d1af825219719e4009d70a50a63a8ed5e51e2faf79e2e83bc212e55cad21
SHA512 69e2dbafd04bbae273c957bb6a2afbfc9910a45c3223a00e88975a42c24ee544458f51a43eb39cd12af15cc852779d3c8ede83331b0a159086bc849e69c031bd

memory/2832-18-0x0000000074611000-0x0000000074612000-memory.dmp

memory/2052-25-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

memory/2832-24-0x0000000074610000-0x0000000074BBB000-memory.dmp

memory/2832-23-0x0000000074610000-0x0000000074BBB000-memory.dmp

memory/2052-26-0x00000000027E0000-0x00000000027E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp94D0.tmp.bat

MD5 d2a126d58388c72f7f15250c994afadb
SHA1 4cd3c72d7d09d3125ca1d5c78f465adb02890ca7
SHA256 1b4c5f1285e12c521f2f48cac83cd842e3a37c9f751ac9e7b1581ee367429fd0
SHA512 1cb933d393a011c7901263f17159cbeac988d3dd34319a1dcd05582987f9f77d36e015196619d0b7b01a8d653fe482ea798c08bf140f15825d805f467cd20388

memory/2208-35-0x000007FEF5750000-0x000007FEF613C000-memory.dmp

memory/2832-42-0x0000000074610000-0x0000000074BBB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-16 21:55

Reported

2024-07-16 21:57

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\winmod.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\winmod.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe N/A
N/A N/A C:\Windows\WindowsHealthChecker.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7799a186f618ba54cc458f7422abc774 = "\"C:\\Windows\\WindowsHealthChecker.exe\" .." C:\Windows\WindowsHealthChecker.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7799a186f618ba54cc458f7422abc774 = "\"C:\\Windows\\WindowsHealthChecker.exe\" .." C:\Windows\WindowsHealthChecker.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WindowsHealthChecker.exe C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe N/A (identical row repeated 63 times)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\WindowsHealthChecker.exe N/A
Token: 33 N/A C:\Windows\WindowsHealthChecker.exe N/A (repeated 16 times, alternating with the next row)
Token: SeIncBasePriorityPrivilege N/A C:\Windows\WindowsHealthChecker.exe N/A (repeated 16 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1704 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\winmod.exe C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe (×3)
PID 1704 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\winmod.exe C:\Windows\system32\cmd.exe (×2)
PID 4132 wrote to memory of 1540 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (×2)
PID 376 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe C:\Windows\WindowsHealthChecker.exe (×3)
PID 1704 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\winmod.exe C:\Windows\system32\cmd.exe (×2)
PID 668 wrote to memory of 2276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe (×2)
PID 3508 wrote to memory of 3620 N/A C:\Windows\WindowsHealthChecker.exe C:\Windows\SysWOW64\netsh.exe (×3)

Processes

C:\Users\Admin\AppData\Local\Temp\winmod.exe

"C:\Users\Admin\AppData\Local\Temp\winmod.exe"

C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe

"C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fakecmd.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell

C:\Windows\WindowsHealthChecker.exe

"C:\Windows\WindowsHealthChecker.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDC1D.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\WindowsHealthChecker.exe" "WindowsHealthChecker.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
FR 88.168.211.65:6522 tcp
US 8.8.8.8:53 65.211.168.88.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp (×5)
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/1704-0-0x00007FF8CEFE3000-0x00007FF8CEFE5000-memory.dmp

memory/1704-1-0x0000000000720000-0x0000000000736000-memory.dmp

memory/1704-3-0x00007FF8CEFE0000-0x00007FF8CFAA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\WindowsModificator.exe

MD5 b075f9e4015e2f43154b9903d9ec5fb5
SHA1 0717b04115360a6d1d4451c90d0f6b0f781d249f
SHA256 103cb14f2460de6ef7c780becc87bac0599bdd0527e176c0ec87aad2397b57e6
SHA512 4f71a17234a0078733bd61fa80bd3463341dda0c1ac31ac9c496efd528ecd8657cf206160d6b9205e4fab6aa3b10fdd8f1764bc574223c63a38213735fd3939b

memory/376-14-0x0000000074B82000-0x0000000074B83000-memory.dmp

memory/376-15-0x0000000074B80000-0x0000000075131000-memory.dmp

memory/376-16-0x0000000074B80000-0x0000000075131000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fakecmd.bat

MD5 f96d7ee1c050f915b080bd319564c817
SHA1 6f095907e07e178f9063a01020caf2921d982c7a
SHA256 5d92d1af825219719e4009d70a50a63a8ed5e51e2faf79e2e83bc212e55cad21
SHA512 69e2dbafd04bbae273c957bb6a2afbfc9910a45c3223a00e88975a42c24ee544458f51a43eb39cd12af15cc852779d3c8ede83331b0a159086bc849e69c031bd

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jzojpumt.4jc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1540-27-0x000001AE2F540000-0x000001AE2F562000-memory.dmp

memory/1540-28-0x000001AE2F950000-0x000001AE2F994000-memory.dmp

memory/1540-29-0x000001AE2FA20000-0x000001AE2FA96000-memory.dmp

memory/376-39-0x0000000074B80000-0x0000000075131000-memory.dmp

memory/1704-43-0x00007FF8CEFE0000-0x00007FF8CFAA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpDC1D.tmp.bat

MD5 b512c634a8c1932e444f67463495644a
SHA1 376ae0a96a6901c82fcdf22c1e4545b58ec8448b
SHA256 8080728055f8d69baa059681f4a164ab629e65dfe3cf0252d236b5f96bb77d1b
SHA512 a739640af9611dac510bd9c82f59af51a32d23ac26ff69af73bd9cae5b2406bd7104fbe5495bf860db2a6ba00c24338014023e3a0a8ec2a019326a3ad3407200