njrat | 7833bf16b7c7c64dff43ca86f7ef1119284cedbc43fc7c31184d531b17e6bbf0

Resubmissions

16/07/2024, 00:43

240716-a232nsxckr 10

16/07/2024, 00:41

240716-a16q6szdmc 10

16/07/2024, 00:38

240716-azamcazcpc 10

15/07/2024, 20:46

240715-zkpv6a1dlh 10

Analysis

max time kernel
49s
max time network
156s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16/07/2024, 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0928f36599b47ba66582d1f5a5cb6fb0N.exe
Size

23KB
MD5

0928f36599b47ba66582d1f5a5cb6fb0
SHA1

bef519e4db670bbea44d8cba6cbf104050ae551d
SHA256

7833bf16b7c7c64dff43ca86f7ef1119284cedbc43fc7c31184d531b17e6bbf0
SHA512

edf35a5457744d7792c8d4ea5d99e8e3beecef2a516a18f0296891d6f4baf3bf543cf00ba63a11aac5ad18af2567aa8781e840e339d80097d8e7a2e837b8ca3e
SSDEEP

384:/oWtkEwn65rgjAsGipk55D16xgXakhbZD0mRvR6JZlbw8hqIusZzZI2:Y7O89p2rRpcnuY

Score

10^/10

njrat hacked evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

10.10.1.11:5552

Mutex

7657c14284185fbd3fb108b43c7467ba

Attributes

reg_key
7657c14284185fbd3fb108b43c7467ba
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2924	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
1908	server.exe

Loads dropped DLL 1 IoCs

pid	Process
2152	0928f36599b47ba66582d1f5a5cb6fb0N.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\7657c14284185fbd3fb108b43c7467ba = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\7657c14284185fbd3fb108b43c7467ba = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2968	chrome.exe
2968	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1872	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1908	server.exe
Token: 33	1908	server.exe
Token: SeIncBasePriorityPrivilege	1908	server.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: 33	1908	server.exe
Token: SeIncBasePriorityPrivilege	1908	server.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: 33	1908	server.exe
Token: SeIncBasePriorityPrivilege	1908	server.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: 33	1908	server.exe
Token: SeIncBasePriorityPrivilege	1908	server.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe
Token: SeShutdownPrivilege	2968	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe
2968	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 1908	2152	0928f36599b47ba66582d1f5a5cb6fb0N.exe	30
PID 2152 wrote to memory of 1908	2152	0928f36599b47ba66582d1f5a5cb6fb0N.exe	30
PID 2152 wrote to memory of 1908	2152	0928f36599b47ba66582d1f5a5cb6fb0N.exe	30
PID 2152 wrote to memory of 1908	2152	0928f36599b47ba66582d1f5a5cb6fb0N.exe	30
PID 1908 wrote to memory of 2924	1908	server.exe	31
PID 1908 wrote to memory of 2924	1908	server.exe	31
PID 1908 wrote to memory of 2924	1908	server.exe	31
PID 1908 wrote to memory of 2924	1908	server.exe	31
PID 2968 wrote to memory of 2604	2968	chrome.exe	34
PID 2968 wrote to memory of 2604	2968	chrome.exe	34
PID 2968 wrote to memory of 2604	2968	chrome.exe	34
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2744	2968	chrome.exe	36
PID 2968 wrote to memory of 2460	2968	chrome.exe	37
PID 2968 wrote to memory of 2460	2968	chrome.exe	37
PID 2968 wrote to memory of 2460	2968	chrome.exe	37
PID 2968 wrote to memory of 2488	2968	chrome.exe	38
PID 2968 wrote to memory of 2488	2968	chrome.exe	38
PID 2968 wrote to memory of 2488	2968	chrome.exe	38
PID 2968 wrote to memory of 2488	2968	chrome.exe	38
PID 2968 wrote to memory of 2488	2968	chrome.exe	38
PID 2968 wrote to memory of 2488	2968	chrome.exe	38
PID 2968 wrote to memory of 2488	2968	chrome.exe	38
PID 2968 wrote to memory of 2488	2968	chrome.exe	38
PID 2968 wrote to memory of 2488	2968	chrome.exe	38
PID 2968 wrote to memory of 2488	2968	chrome.exe	38
PID 2968 wrote to memory of 2488	2968	chrome.exe	38

C:\Users\Admin\AppData\Local\Temp\0928f36599b47ba66582d1f5a5cb6fb0N.exe
"C:\Users\Admin\AppData\Local\Temp\0928f36599b47ba66582d1f5a5cb6fb0N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7369758,0x7fef7369768,0x7fef7369778
  2⤵
  PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1304,i,2814799812280499199,16804762306849282112,131072 /prefetch:2
  2⤵
  PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1540 --field-trial-handle=1304,i,2814799812280499199,16804762306849282112,131072 /prefetch:8
  2⤵
  PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1304,i,2814799812280499199,16804762306849282112,131072 /prefetch:8
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2132 --field-trial-handle=1304,i,2814799812280499199,16804762306849282112,131072 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2140 --field-trial-handle=1304,i,2814799812280499199,16804762306849282112,131072 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1476 --field-trial-handle=1304,i,2814799812280499199,16804762306849282112,131072 /prefetch:2
  2⤵
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1404 --field-trial-handle=1304,i,2814799812280499199,16804762306849282112,131072 /prefetch:1
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3648 --field-trial-handle=1304,i,2814799812280499199,16804762306849282112,131072 /prefetch:8
  2⤵
  PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=1372 --field-trial-handle=1304,i,2814799812280499199,16804762306849282112,131072 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=1832 --field-trial-handle=1304,i,2814799812280499199,16804762306849282112,131072 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2148 --field-trial-handle=1304,i,2814799812280499199,16804762306849282112,131072 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3808 --field-trial-handle=1304,i,2814799812280499199,16804762306849282112,131072 /prefetch:1
  2⤵
  PID:484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2140 --field-trial-handle=1304,i,2814799812280499199,16804762306849282112,131072 /prefetch:1
  2⤵
  PID:1372

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1452

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1480

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\BlockAdd.dxf
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
20c3fc45565292573cf0188eb681118b

SHA1
ad4a22fb77a84d518af61ec78b132ad834836830

SHA256
b2a2df73099275e9b615104b8d41bc4cdbade9b8967c38369257f77a9f09f644

SHA512
512503b3feda9a9133e6df0827864193bc1bd8b39c1c9114a72d811d5dd7afcc8d4c90c39cebf9a7edad2c84ef345003f26c2d3968b8e7102602377e9edcd158

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
052c4f29b36fdb4994feae540ef0d499

SHA1
31453e4eb8cf41ec5178abe987b9668216001ab6

SHA256
c58f7d125c03aa20fa2d70f63492bb7f7b2eee465773b5021ed6503c656b5fff

SHA512
ea91f09cb95b335769b1f845014b6589c9158a13bd6a79355d37f4d3aabb562a662c8b1edc2d149da23d773331f13df7468b995d18f9ac952aad5f6db0696f93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
6bdf720d00a49c0dc6f46c207b5efed0

SHA1
3b2989f1f9a8d209068338ba426bceffcf939307

SHA256
248728f6c1f00b81194c51f85e59f057b7cadf628458f104de8a13dfb38112cc

SHA512
2316f8e0365d6bbb27af506a9f289bc25e7cf54fc5890957f88e660f0904551ab61a5efba35d6a73085b2e5e53a17a4b93c9d8c71483f466c340786c0de74390

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
c8d690bbda69d7cade48020baefe1fed

SHA1
3dced68a53b77d2d8ccfd8891684f14fae8c7079

SHA256
0db63446164ce7ed6c65c374a3a416c867f294cd573d1ba37e20c5acb907cc3a

SHA512
8d7351d53f5065a95ef688aca1c0c394e4b11436c82fd752274f7d75bcb1d55e07bd4372fe8a3f9e4912820a1c6206cc054948ac4b31067598f0c43d32f12a0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
13f774644889fed1ef76a01529d0191c

SHA1
a1ad4c3fbc52c65467487d178665453203d910af

SHA256
429a190dc6dad33f7e8ba8d223b07a379575173526d7c1788ca86481261f130e

SHA512
6a3b66f20e8050c87bd86da104791c1963493883736c14f857e447369f160f5c7ef0ed6662a2bb8b0ae43ae7a8003e8650926655a94edb1cf21100fdfc5668e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
aa0a7f8271e2a6b1a6fb8bcf520cf3d6

SHA1
8eb09bd1bf351149544284813383a835656f9858

SHA256
6b2e21c1ed20e7bea64f29c6717d1bda6f5389e02cfc9a9de3242134f47cda3a

SHA512
dfe8332eb44cd12962342d9272fd15b73ff1cbd0b9a222829b8b35a97cfa4a11e4e56306594c8bbb4b26e3ee25f40968297414e7bc1abf1e6010349e435ac141

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
09076a5438f535274312329b29f7ddd3

SHA1
bd933d80e2d445987b0ed1105876ed578f5d5c05

SHA256
c828cbc89e0a7656957f854fcec1549cf64ac70f55f07d8c59d9c72ff935742e

SHA512
109070ee256a849c8c939cd71a8a4ccb5701b845ab2541bbcf7f64bdfe09dac9cea97496bd7d51ae88076afe1278d869fb2b7ec343aba4f934e697d71ad5fe2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
696ad7cb4af7b05ba5d91acf9b875098

SHA1
bf328aafbbda5a1df9093ed1634f3064cb4ba392

SHA256
4b1718cb7e9043a2d069ea1e5f3c1cab7a717e5ef5c21f6e0548d853e330b60e

SHA512
7453cab8689780c16bb2d7ecb733fdca88be97d64f13b529aafc78c6c72d3e3515a5b2690fc8afde2148066c0a1cafa9778d2d9e04a9621e2a0b5004335920ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4be149db526855fba2d1265bffed9083

SHA1
783ef60045b3348ca04ede8d26a5f489d5913c11

SHA256
0485e92f9cf761c9294547663fc2a682c4b86469fd5e16612c2bffc498992c81

SHA512
25e2f93618b55cf67706901b55f073b3ef2025d4546a4f1a1e2ff762e3f8f951d84c0614cb319976f7548adafbcf546f09f2f8a510bb64f28dccade3090e014e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
307KB

MD5
45075bcfdd494af131563e53576e1b31

SHA1
69dbb021d5882dac744651468f402f814acd5f70

SHA256
3eb5bd90a1321a0dc406c36519a002613413ddb30c8bcc33bd84720dfcc03bd9

SHA512
9c81f911c534abb64d76453d09ada94f846a2b7abbcfdf4950dd783d37960bc8235384e8310fc52d92e5171ad12f6a020b47f86478984ca9e646d3223b7a0dd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
307KB

MD5
5cfb974c49a36eef1e7d30548feb4f96

SHA1
6956a030105ec02483372460bbe36fa876cf5a2c

SHA256
135a77fe56ec975f7981ab78c27c280c1bce86910a893e27ac1b0eddd92f7c42

SHA512
3b020f69a0e607e13ad418a1a6398afbb2b1d8716ba2bc10678e51d6f2f55abf61a93d09c8173f767281a5ced238039f041591850b54dad2bd6dc9d90129c264

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
23KB

MD5
0928f36599b47ba66582d1f5a5cb6fb0

SHA1
bef519e4db670bbea44d8cba6cbf104050ae551d

SHA256
7833bf16b7c7c64dff43ca86f7ef1119284cedbc43fc7c31184d531b17e6bbf0

SHA512
edf35a5457744d7792c8d4ea5d99e8e3beecef2a516a18f0296891d6f4baf3bf543cf00ba63a11aac5ad18af2567aa8781e840e339d80097d8e7a2e837b8ca3e

Download Submit
memory/1908-12-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download
memory/1908-11-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download
memory/1908-70-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download
memory/2152-10-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download
memory/2152-0-0x0000000074731000-0x0000000074732000-memory.dmp

Filesize
4KB

Download
memory/2152-2-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download
memory/2152-1-0x0000000074730000-0x0000000074CDB000-memory.dmp

Filesize
5.7MB

Download