Malware Analysis Report

2025-01-22 13:08

Sample ID 240718-c6ewra1fqn
Target 5295133a194f3a5354b460ae0b321770N.exe
SHA256 e112fa8ca5b4b90888f218a211bf985e6fec8bbd4bff451ac3cee4dbe633240b
Tags
njrat jjj evasion persistence privilege_escalation trojan
score
10/10

Analysis Overview

score
10/10

SHA256

e112fa8ca5b4b90888f218a211bf985e6fec8bbd4bff451ac3cee4dbe633240b

Threat Level: Known bad

The file 5295133a194f3a5354b460ae0b321770N.exe was found to be: Known bad.

Malicious Activity Summary

njrat jjj evasion persistence privilege_escalation trojan

njRAT/Bladabindi

Modifies Windows Firewall

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

AutoIT Executable

Suspicious use of SetThreadContext

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

NTFS ADS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-18 02:41

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-18 02:41

Reported

2024-07-18 02:43

Platform

win7-20240705-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5295133a194f3a5354b460ae0b321770N.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5295133a194f3a5354b460ae0b321770N.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\2 = "C:\\ProgramData\\winmgr107.exe" C:\Users\Admin\AppData\Local\Temp\5295133a194f3a5354b460ae0b321770N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\2 = "C:\\ProgramData\\winmgr107.exe" C:\ProgramData\winmgr107.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2872 set thread context of 2900 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA C:\ProgramData\winmgr107.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\5295133a194f3a5354b460ae0b321770N.exe:Zone.Identifier:$DATA C:\Users\Admin\AppData\Local\Temp\5295133a194f3a5354b460ae0b321770N.exe N/A
File created C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA C:\ProgramData\winmgr107.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2976 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\5295133a194f3a5354b460ae0b321770N.exe C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\5295133a194f3a5354b460ae0b321770N.exe C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\5295133a194f3a5354b460ae0b321770N.exe C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\5295133a194f3a5354b460ae0b321770N.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 1956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2664 wrote to memory of 1956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2664 wrote to memory of 1956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2664 wrote to memory of 1956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2976 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\5295133a194f3a5354b460ae0b321770N.exe C:\ProgramData\winmgr107.exe
PID 2976 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\5295133a194f3a5354b460ae0b321770N.exe C:\ProgramData\winmgr107.exe
PID 2976 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\5295133a194f3a5354b460ae0b321770N.exe C:\ProgramData\winmgr107.exe
PID 2976 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\5295133a194f3a5354b460ae0b321770N.exe C:\ProgramData\winmgr107.exe
PID 2872 wrote to memory of 2900 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2872 wrote to memory of 2900 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2872 wrote to memory of 2900 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2872 wrote to memory of 2900 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2872 wrote to memory of 2900 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2872 wrote to memory of 2900 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2872 wrote to memory of 2900 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2872 wrote to memory of 2900 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2872 wrote to memory of 2900 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2872 wrote to memory of 2944 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2872 wrote to memory of 2944 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2872 wrote to memory of 2944 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2872 wrote to memory of 2944 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2872 wrote to memory of 2648 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2872 wrote to memory of 2648 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2872 wrote to memory of 2648 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2872 wrote to memory of 2648 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2900 wrote to memory of 2616 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\SysWOW64\netsh.exe
PID 2900 wrote to memory of 2616 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\SysWOW64\netsh.exe
PID 2900 wrote to memory of 2616 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\SysWOW64\netsh.exe
PID 2900 wrote to memory of 2616 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\SysWOW64\netsh.exe
PID 2872 wrote to memory of 2408 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2872 wrote to memory of 2408 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2872 wrote to memory of 2408 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2872 wrote to memory of 2408 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2872 wrote to memory of 580 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2872 wrote to memory of 580 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2872 wrote to memory of 580 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2872 wrote to memory of 580 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2872 wrote to memory of 1696 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2872 wrote to memory of 1696 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2872 wrote to memory of 1696 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2872 wrote to memory of 1696 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2872 wrote to memory of 572 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2872 wrote to memory of 572 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2872 wrote to memory of 572 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2872 wrote to memory of 572 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 1928 wrote to memory of 1416 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\winmgr107.exe
PID 1928 wrote to memory of 1416 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\winmgr107.exe
PID 1928 wrote to memory of 1416 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\winmgr107.exe
PID 1928 wrote to memory of 1416 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\winmgr107.exe
PID 2872 wrote to memory of 1076 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2872 wrote to memory of 1076 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2872 wrote to memory of 1076 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2872 wrote to memory of 1076 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2872 wrote to memory of 1916 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2872 wrote to memory of 1916 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2872 wrote to memory of 1916 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2872 wrote to memory of 1916 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2872 wrote to memory of 2816 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2872 wrote to memory of 2816 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2872 wrote to memory of 2816 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5295133a194f3a5354b460ae0b321770N.exe

"C:\Users\Admin\AppData\Local\Temp\5295133a194f3a5354b460ae0b321770N.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c start C:\PROGRA~3\529513~1.TXT

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\PROGRA~3\5295133a194f3a5354b460ae0b321770N.exe.txt

C:\ProgramData\winmgr107.exe

C:\ProgramData\winmgr107.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

0

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\system32\taskeng.exe

taskeng.exe {B895E3F0-9359-4DCE-A2E0-87829B55DE2A} S-1-5-21-1385883288-3042840365-2734249351-1000:RPXOCQRF\Admin:Interactive:[1]

C:\ProgramData\winmgr107.exe

C:\ProgramData\winmgr107.exe

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\ProgramData\winmgr107.exe

C:\ProgramData\winmgr107.exe

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 youri.mooo.com udp

Files

C:\PROGRA~3\5295133a194f3a5354b460ae0b321770N.exe.txt

MD5 c8cf7247d4cfc99a7582a42d13df4c08
SHA1 317f5588af0b3b6374c436fb00084c522fd78a83
SHA256 78bd99781e971622f1573bccf2ae9cdd7a7498cf81c1875afc65913e1083b1d0
SHA512 5dd86b7ba388e5d2ad61b1c69589f42c36eec23a04b3cece0941133e0cf0e8a6f1f3aa2242d87af72db725b4b96032dadae72b3be98af3cfce5786ad8c08c357

\ProgramData\winmgr107.exe

MD5 f10b0b92716514806a8d92e4f3c48378
SHA1 3a15d35858d3eec207dab963d99092d0cd0ed2ef
SHA256 ec550a2357dca568a3b87a7ebac7338f51599a91426e6a49749b19eb089329ff
SHA512 96acb9c4f4b2ba278fdc55ae9fc1126a97d6559f2986263c94e2846eda2b8ca54cef10520c4dedd1d2c2531eeae799a4a5a778fb888d03fab538be5c75e9e56f

memory/2900-23-0x0000000000090000-0x000000000009C000-memory.dmp

memory/2900-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2900-26-0x0000000000090000-0x000000000009C000-memory.dmp

memory/2900-28-0x0000000000090000-0x000000000009C000-memory.dmp

memory/2900-27-0x0000000000090000-0x000000000009C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-18 02:41

Reported

2024-07-18 02:43

Platform

win10v2004-20240709-en

Max time kernel

119s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5295133a194f3a5354b460ae0b321770N.exe"

Signatures

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2 = "C:\\ProgramData\\winmgr107.exe" C:\Users\Admin\AppData\Local\Temp\5295133a194f3a5354b460ae0b321770N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2 = "C:\\ProgramData\\winmgr107.exe" C:\ProgramData\winmgr107.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4928 set thread context of 2412 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\5295133a194f3a5354b460ae0b321770N.exe:Zone.Identifier:$DATA C:\Users\Admin\AppData\Local\Temp\5295133a194f3a5354b460ae0b321770N.exe N/A
File created C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA C:\ProgramData\winmgr107.exe N/A
File opened for modification C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA C:\ProgramData\winmgr107.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5295133a194f3a5354b460ae0b321770N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5295133a194f3a5354b460ae0b321770N.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A
N/A N/A C:\ProgramData\winmgr107.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2560 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\5295133a194f3a5354b460ae0b321770N.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\5295133a194f3a5354b460ae0b321770N.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\5295133a194f3a5354b460ae0b321770N.exe C:\Windows\SysWOW64\cmd.exe
PID 3396 wrote to memory of 3768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 3396 wrote to memory of 3768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 3396 wrote to memory of 3768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\NOTEPAD.EXE
PID 2560 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\5295133a194f3a5354b460ae0b321770N.exe C:\ProgramData\winmgr107.exe
PID 2560 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\5295133a194f3a5354b460ae0b321770N.exe C:\ProgramData\winmgr107.exe
PID 2560 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\5295133a194f3a5354b460ae0b321770N.exe C:\ProgramData\winmgr107.exe
PID 4928 wrote to memory of 2412 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4928 wrote to memory of 2412 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4928 wrote to memory of 2412 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4928 wrote to memory of 2412 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4928 wrote to memory of 2412 N/A C:\ProgramData\winmgr107.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 4928 wrote to memory of 3392 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 3392 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 3392 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 4224 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 4224 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 4224 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 2412 wrote to memory of 2524 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\SysWOW64\netsh.exe
PID 2412 wrote to memory of 2524 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\SysWOW64\netsh.exe
PID 2412 wrote to memory of 2524 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\Windows\SysWOW64\netsh.exe
PID 4928 wrote to memory of 4188 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 4188 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 4188 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 464 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 464 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 464 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 3372 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 3372 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 3372 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 4500 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 4500 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 4500 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 2192 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 2192 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 2192 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 64 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 64 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 64 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 4980 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 4980 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 4980 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 1456 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 1456 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 1456 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 4624 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 4624 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 4624 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 4520 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 4520 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 4520 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 3292 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 3292 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 3292 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 3384 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 3384 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 3384 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 2788 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 2788 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 2788 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 528 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe
PID 4928 wrote to memory of 528 N/A C:\ProgramData\winmgr107.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5295133a194f3a5354b460ae0b321770N.exe

"C:\Users\Admin\AppData\Local\Temp\5295133a194f3a5354b460ae0b321770N.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c start C:\PROGRA~3\529513~1.TXT

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\PROGRA~3\5295133a194f3a5354b460ae0b321770N.exe.txt

C:\ProgramData\winmgr107.exe

C:\ProgramData\winmgr107.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

0

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\ProgramData\winmgr107.exe

C:\ProgramData\winmgr107.exe

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\ProgramData\winmgr107.exe

C:\ProgramData\winmgr107.exe

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
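The three command lines that carry the behaviour in this list are the minute-interval schtasks task that keeps relaunching C:\ProgramData\winmgr107.exe, the legacy netsh firewall exception for RegAsm.exe, and RegAsm.exe started with the bare argument "0" rather than an assembly. The following is an added detection example written for this report, not the sandbox vendor's code: it tokenises Windows command lines, applies one rule per behaviour and runs them over the lines above. The first five SAMPLE entries are copied from the Processes section; the last two are constructed benign lines so the rules can be checked for false positives. Rule names, the five-minute threshold and the LOLBIN_HOSTS set are this example's own choices, and the 'netsh advfirewall' branch covers the newer syntax that this sample does not use.

```python
"""Flag the persistence, firewall and injection-host command lines from the
Processes list above (added example; not the sandbox vendor's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Windows command-line tokeniser: a double-quoted run or a bare word.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# .NET utilities that expect an assembly path and are commonly started empty
# as a host for injected code (selection for this example, not exhaustive).
LOLBIN_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe"}

# Directories a standard user can write to; a task action here deserves more
# suspicion than one under Program Files.
_USER_WRITABLE = re.compile(r"\\(programdata|users\\[^\\]+\\appdata)\\", re.I)


@dataclass
class Finding:
    rule: str
    technique: str  # MITRE ATT&CK technique id
    cmdline: str


def tokenize(cmdline: str) -> list[str]:
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def _image(tokens: list[str]) -> str:
    """Basename of the first token, lower-cased ('netsh', 'schtasks.exe', ...)."""
    return tokens[0].rsplit("\\", 1)[-1].lower() if tokens else ""


def _switch_value(tokens: list[str], switch: str) -> str | None:
    """Value following a /switch, matched case-insensitively."""
    low = [t.lower() for t in tokens]
    if switch in low and low.index(switch) + 1 < len(tokens):
        return tokens[low.index(switch) + 1]
    return None


def check_schtasks(tokens: list[str], cmdline: str) -> list[Finding]:
    low = [t.lower() for t in tokens]
    if _image(tokens) != "schtasks.exe" or "/create" not in low:
        return []
    out = []
    sched = (_switch_value(tokens, "/sc") or "").lower()
    modifier = _switch_value(tokens, "/mo") or ""
    action = _switch_value(tokens, "/tr") or ""
    # '/sc minute /mo 1' relaunches the action every minute: a watchdog loop
    # that restores the implant if it is killed, not a maintenance schedule.
    if sched == "minute" and modifier.isdigit() and int(modifier) <= 5:
        out.append(Finding("schtasks: minute-interval relaunch task", "T1053.005", cmdline))
    if _USER_WRITABLE.search(action):
        out.append(Finding("schtasks: task action in user-writable directory", "T1053.005", cmdline))
    return out


def check_netsh(tokens: list[str], cmdline: str) -> list[Finding]:
    low = [t.lower() for t in tokens]
    if _image(tokens) not in ("netsh", "netsh.exe") or "add" not in low:
        return []
    program = None
    if "allowedprogram" in low:
        # Legacy 'netsh firewall add allowedprogram <path> <name> ENABLE':
        # still accepted on current Windows and the form this sample uses.
        idx = low.index("allowedprogram")
        program = tokens[idx + 1] if idx + 1 < len(tokens) else None
    elif "advfirewall" in low and "rule" in low:
        # Current syntax: netsh advfirewall firewall add rule ... program=<path>
        for tok in tokens:
            if tok.lower().startswith("program="):
                program = tok.split("=", 1)[1].strip('"')
    if program is None:
        return []
    exe = program.rsplit("\\", 1)[-1].lower()
    rule = ("netsh: firewall exception for .NET LOLBin host" if exe in LOLBIN_HOSTS
            else "netsh: firewall exception added")
    return [Finding(rule, "T1562.004", cmdline)]


def check_dotnet_host(tokens: list[str], cmdline: str) -> list[Finding]:
    image = _image(tokens)
    if image not in LOLBIN_HOSTS:
        return []
    # These tools take an assembly to register. The report records a bare "0"
    # as RegAsm's command line: the process exists only to receive injected code.
    if not any(t.lower().endswith((".dll", ".exe", ".tlb")) for t in tokens[1:]):
        return [Finding(f"{image}: started without an assembly argument", "T1055", cmdline)]
    return []


def scan(cmdlines: list[str]) -> list[Finding]:
    findings: list[Finding] = []
    for line in cmdlines:
        tokens = tokenize(line)
        if tokens:
            for check in (check_schtasks, check_netsh, check_dotnet_host):
                findings.extend(check(tokens, line))
    return findings


SAMPLE = [
    # copied from the report's Processes section
    r'"C:\Users\Admin\AppData\Local\Temp\5295133a194f3a5354b460ae0b321770N.exe"',
    r"C:\Windows\system32\cmd.exe /c start C:\PROGRA~3\529513~1.TXT",
    r'C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f',
    r'netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE',
    r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 0",
    # constructed benign lines (not from the report)
    r'schtasks.exe /create /sc daily /st 02:00 /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"',
    r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Program Files\Vendor\Interop.dll" /codebase',
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"[{f.technique}] {f.rule}\n    {f.cmdline}")
```

Run against SAMPLE it yields four findings for the three malicious lines and none for the two benign ones. On a live host the same artifacts are confirmed with `schtasks /query /tn winmgr107.exe /v /fo list` and `netsh firewall show allowedprogram`, and removed with `schtasks /delete /tn winmgr107.exe /f` and `netsh firewall delete allowedprogram program="C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"`; collect C:\ProgramData\winmgr107.exe before deleting the task, since the one-minute trigger will otherwise recreate the running process until both are gone.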

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
US 8.8.8.8:53 youri.mooo.com udp
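Two things stand out in this table once the background traffic is set aside: the bing.com/bing.net rows resolve and are followed by TCP connections, as expected of the Windows guest image, while youri.mooo.com (a FreeDNS mooo.com dynamic-DNS name) is queried thirteen times and never connected to. The report does not show the DNS responses, so this is consistent with the name not resolving during the two-minute run rather than proof of a live C2; either way the name is the indicator worth blocking. Below is an added triage example written for this report, not the sandbox vendor's code: it parses rows in the table's own four-column layout, drops the in-addr.arpa PTR lookups (reverse resolution of addresses already seen, which adds no destination), tallies queries against connections per name and reports names that were queried repeatedly or sit on a dynamic-DNS zone without ever being connected to. ROWS is a subset of the table copied verbatim; DYNDNS_SUFFIXES is this example's own short list standing in for a proper reputation feed.

```python
"""Triage of the sandbox Network table: names that resolved and were used
versus a name only queried, over and over, and never connected to
(added example; not the sandbox vendor's code)."""
from dataclasses import dataclass, field

# Free dynamic-DNS zones commonly used by commodity RATs for C2 names
# (example list, not a reputation feed). mooo.com is the FreeDNS zone queried here.
DYNDNS_SUFFIXES = (".mooo.com", ".no-ip.org", ".ddns.net", ".duckdns.org")


@dataclass
class DomainStats:
    domain: str
    dynamic_dns: bool
    dns_queries: int = 0
    connections: list[str] = field(default_factory=list)  # "ip:port" of each TCP row

    @property
    def queried_never_connected(self) -> bool:
        return self.dns_queries > 0 and not self.connections


def parse_row(row: str) -> tuple[str, str, str, str]:
    """'Country Destination Domain Proto' -> (country, dest, domain, proto)."""
    country, dest, domain, proto = row.split()
    return country, dest, domain, proto.lower()


def ptr_to_ip(name: str) -> str:
    """'237.197.79.204.in-addr.arpa' -> '204.79.197.237'."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def triage(rows: list[str]) -> dict[str, DomainStats]:
    stats: dict[str, DomainStats] = {}
    for row in rows:
        _, dest, domain, proto = parse_row(row)
        # PTR lookups reverse-resolve addresses already contacted; they add no
        # destination, so they are kept out of the per-name tally.
        if domain.endswith(".in-addr.arpa"):
            continue
        st = stats.setdefault(domain, DomainStats(domain, domain.endswith(DYNDNS_SUFFIXES)))
        if proto == "udp" and dest.endswith(":53"):
            st.dns_queries += 1
        elif proto == "tcp":
            st.connections.append(dest)
    return stats


def reverse_lookups(rows: list[str]) -> set[str]:
    """Addresses the guest tried to reverse-resolve."""
    return {ptr_to_ip(parse_row(r)[2]) for r in rows if parse_row(r)[2].endswith(".in-addr.arpa")}


def suspects(stats: dict[str, DomainStats], min_queries: int = 3) -> list[str]:
    """Names queried repeatedly (or on a dynamic-DNS zone) with no connection."""
    return sorted(
        d for d, s in stats.items()
        if s.queried_never_connected and (s.dns_queries >= min_queries or s.dynamic_dns)
    )


ROWS = [  # subset of the report's Network table, same columns
    "US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp",
    "US 8.8.8.8:53 g.bing.com udp",
    "US 204.79.197.237:443 g.bing.com tcp",
    "US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp",
    "US 8.8.8.8:53 tse1.mm.bing.net udp",
    "US 150.171.28.10:443 tse1.mm.bing.net tcp",
    "US 150.171.28.10:443 tse1.mm.bing.net tcp",
    "US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp",
    "US 8.8.8.8:53 youri.mooo.com udp",
    "US 8.8.8.8:53 youri.mooo.com udp",
    "US 8.8.8.8:53 youri.mooo.com udp",
    "US 8.8.8.8:53 youri.mooo.com udp",
    "US 8.8.8.8:53 youri.mooo.com udp",
    "US 8.8.8.8:53 youri.mooo.com udp",
]

if __name__ == "__main__":
    stats = triage(ROWS)
    for s in stats.values():
        print(f"{s.domain:20} dns={s.dns_queries:2} tcp={len(s.connections)} dyndns={s.dynamic_dns}")
    print("reverse-resolved:", sorted(reverse_lookups(ROWS)))
    print("suspect C2 names:", suspects(stats))
```

The query-without-connection pattern is the useful signal here because a RAT whose dynamic-DNS name is unregistered or pointed at nothing keeps retrying resolution in a loop; in a detonation that produces exactly this table. For a full run, feed all rows of the table above and the only suspect is still youri.mooo.com.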

Files

C:\PROGRA~3\5295133a194f3a5354b460ae0b321770N.exe.txt

MD5 c8cf7247d4cfc99a7582a42d13df4c08
SHA1 317f5588af0b3b6374c436fb00084c522fd78a83
SHA256 78bd99781e971622f1573bccf2ae9cdd7a7498cf81c1875afc65913e1083b1d0
SHA512 5dd86b7ba388e5d2ad61b1c69589f42c36eec23a04b3cece0941133e0cf0e8a6f1f3aa2242d87af72db725b4b96032dadae72b3be98af3cfce5786ad8c08c357

C:\Users\Admin\AppData\Local\Temp\5295133a194f3a5354b460ae0b321770N.exe

MD5 5295133a194f3a5354b460ae0b321770
SHA1 dfd61a5e7f89175ebb331d15e866e4cca1531bc2
SHA256 e112fa8ca5b4b90888f218a211bf985e6fec8bbd4bff451ac3cee4dbe633240b
SHA512 e728111b79fb2737094e07e4b77eb0f1488fe1a768c572e2257be35f170e3edca1d6542ad42882b0e400d20861232f8bacf126426e795c9aa27e104bf8851fe0

C:\ProgramData\winmgr107.exe

MD5 774a85c59a0db49895934f6ea93df764
SHA1 1982981970f47a7f559cb4c6df24f70df3dac81d
SHA256 77f48b70c7d04e323841c30733bb490f26fe405655e5b25105295875c8da61de
SHA512 127d7f29751c5e3ff01ca5155cc3424dd1af7c8f7028740e6f18a406ed8023436e45c177fb221839790697e1ca2b27141ac406e38e8b057240439d7209fb1cc8

memory/2412-15-0x0000000000360000-0x000000000036C000-memory.dmp