njrat | 6e9cab5ac9495c9799c87056bdf570dc36a2e03eab08703ed659cc7b8b35ac12

Analysis

max time kernel
43s
max time network
44s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/08/2024, 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FOXAUTO V8/FoxAutoV8.exe
Size

17.1MB
MD5

1d54a576355df6926a7a2ef43a91b316
SHA1

26d9f73ceebb6e790d767d51921962e4eac9f8c8
SHA256

96d5de118289d25d3b8fbacf542ec7357d3a6aae61f8c953a07347654bc4ebc2
SHA512

67da0b995839413eef70247202c727e29c8635da21e234dbaf50ebc2311cabd86ff8931471811dc49b4e4eeafba79f1662cdc4281da51405ef97debf7e4bdf23
SSDEEP

393216:m3szf490qL2Vmd6m5FTodIn+LH/+zVbJR6f5zCbrZDBXRFq9Lgi0Gyu:m3szfm0qyVmdjTbJR6f5CHZDBXPq9Lg2

Score

10^/10

njrat hacked defense_evasion evasion execution persistence privilege_escalation pyinstaller trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

acpanel.hackcrack.io:16164

Mutex

Windows Explorer

Attributes

reg_key
Windows Explorer
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1992	powershell.exe
3740	powershell.exe
4712	powershell.exe
5044	powershell.exe
3696	powershell.exe
4300	powershell.exe
4720	powershell.exe
4668	powershell.exe
4668	powershell.exe
1992	powershell.exe
3740	powershell.exe
4712	powershell.exe
5044	powershell.exe
3696	powershell.exe
4300	powershell.exe
4720	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
6064	netsh.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	version.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	FoxAutoV8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Setup.exe

Executes dropped EXE 10 IoCs

pid	Process
1460	Setup.exe
1640	Setup.exe
2844	FoxAutoV8 .exe
1040	svchost.exe
4920	svchost.exe
4068	FoxAutoV8 .exe
2028	explorer.exe
3704	explorer.exe
4956	version.exe
5328	explorer.exe

Loads dropped DLL 21 IoCs

pid	Process
4068	FoxAutoV8 .exe
4068	FoxAutoV8 .exe
4068	FoxAutoV8 .exe
4068	FoxAutoV8 .exe
4068	FoxAutoV8 .exe
4068	FoxAutoV8 .exe
4068	FoxAutoV8 .exe
4068	FoxAutoV8 .exe
4068	FoxAutoV8 .exe
4068	FoxAutoV8 .exe
4068	FoxAutoV8 .exe
4068	FoxAutoV8 .exe
4068	FoxAutoV8 .exe
4068	FoxAutoV8 .exe
4068	FoxAutoV8 .exe
4068	FoxAutoV8 .exe
4068	FoxAutoV8 .exe
4068	FoxAutoV8 .exe
4068	FoxAutoV8 .exe
4068	FoxAutoV8 .exe
4068	FoxAutoV8 .exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe

Hide Artifacts: Hidden Window 1 TTPs 8 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
2228	cmd.exe
3456	cmd.exe
5104	cmd.exe
4872	cmd.exe
1068	cmd.exe
3564	cmd.exe
4860	cmd.exe
3448	cmd.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x00070000000234b3-29.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2908	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe
2028	explorer.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1040	svchost.exe
Token: SeDebugPrivilege	4920	svchost.exe
Token: SeDebugPrivilege	2028	explorer.exe
Token: SeDebugPrivilege	4712	powershell.exe
Token: SeDebugPrivilege	3696	powershell.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	3740	powershell.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	2908	taskkill.exe
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeDebugPrivilege	5328	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2028	explorer.exe
2028	explorer.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 1460	1408	FoxAutoV8.exe	86
PID 1408 wrote to memory of 1460	1408	FoxAutoV8.exe	86
PID 1408 wrote to memory of 1640	1408	FoxAutoV8.exe	88
PID 1408 wrote to memory of 1640	1408	FoxAutoV8.exe	88
PID 1408 wrote to memory of 2844	1408	FoxAutoV8.exe	89
PID 1408 wrote to memory of 2844	1408	FoxAutoV8.exe	89
PID 1460 wrote to memory of 1040	1460	Setup.exe	91
PID 1460 wrote to memory of 1040	1460	Setup.exe	91
PID 1640 wrote to memory of 4920	1640	Setup.exe	92
PID 1640 wrote to memory of 4920	1640	Setup.exe	92
PID 2844 wrote to memory of 4068	2844	FoxAutoV8 .exe	93
PID 2844 wrote to memory of 4068	2844	FoxAutoV8 .exe	93
PID 1040 wrote to memory of 2028	1040	svchost.exe	102
PID 1040 wrote to memory of 2028	1040	svchost.exe	102
PID 4920 wrote to memory of 3704	4920	svchost.exe	103
PID 4920 wrote to memory of 3704	4920	svchost.exe	103
PID 2028 wrote to memory of 3804	2028	explorer.exe	104
PID 2028 wrote to memory of 3804	2028	explorer.exe	104
PID 4956 wrote to memory of 1068	4956	version.exe	107
PID 4956 wrote to memory of 1068	4956	version.exe	107
PID 4956 wrote to memory of 3564	4956	version.exe	108
PID 4956 wrote to memory of 3564	4956	version.exe	108
PID 4956 wrote to memory of 4860	4956	version.exe	111
PID 4956 wrote to memory of 4860	4956	version.exe	111
PID 4956 wrote to memory of 3448	4956	version.exe	113
PID 4956 wrote to memory of 3448	4956	version.exe	113
PID 4956 wrote to memory of 2228	4956	version.exe	115
PID 4956 wrote to memory of 2228	4956	version.exe	115
PID 1068 wrote to memory of 3740	1068	cmd.exe	117
PID 1068 wrote to memory of 3740	1068	cmd.exe	117
PID 4956 wrote to memory of 3456	4956	version.exe	118
PID 4956 wrote to memory of 3456	4956	version.exe	118
PID 3564 wrote to memory of 4712	3564	cmd.exe	120
PID 3564 wrote to memory of 4712	3564	cmd.exe	120
PID 4956 wrote to memory of 5104	4956	version.exe	121
PID 4956 wrote to memory of 5104	4956	version.exe	121
PID 4956 wrote to memory of 4872	4956	version.exe	123
PID 4956 wrote to memory of 4872	4956	version.exe	123
PID 2228 wrote to memory of 5044	2228	cmd.exe	125
PID 2228 wrote to memory of 5044	2228	cmd.exe	125
PID 3448 wrote to memory of 3696	3448	cmd.exe	126
PID 3448 wrote to memory of 3696	3448	cmd.exe	126
PID 4860 wrote to memory of 4300	4860	cmd.exe	129
PID 4860 wrote to memory of 4300	4860	cmd.exe	129
PID 3456 wrote to memory of 4720	3456	cmd.exe	130
PID 3456 wrote to memory of 4720	3456	cmd.exe	130
PID 5104 wrote to memory of 4668	5104	cmd.exe	131
PID 5104 wrote to memory of 4668	5104	cmd.exe	131
PID 4872 wrote to memory of 1992	4872	cmd.exe	132
PID 4872 wrote to memory of 1992	4872	cmd.exe	132
PID 3704 wrote to memory of 5328	3704	explorer.exe	134
PID 3704 wrote to memory of 5328	3704	explorer.exe	134
PID 5328 wrote to memory of 6064	5328	explorer.exe	142
PID 5328 wrote to memory of 6064	5328	explorer.exe	142

C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8.exe
"C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1040
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2028
    - - \??\c:\windows\system32\cmstp.exe
        
        "c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\0gdesoe3.inf
        5⤵
        
        PID:3804
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3704
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5328
      - C:\Windows\SYSTEM32\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6064
- C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8 .exe
  "C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8 .exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8 .exe
    "C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8 .exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4068

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3740
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:3564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4300
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3696
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4720
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4668
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1992

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Setup.exe.log

Filesize
1KB

MD5
7ca69c3a50dd1e107b36424371d545aa

SHA1
af96b7133f339588b8de9e29be762dd8fbe2da08

SHA256
fb56bfa6682034270cd833c70e9ab03a606372aef15b2e305da0318873394664

SHA512
bf3b5a590335e671cd44f244bf20fc30028a56c55f69f4f8b0a46aba787b248c343391998ed5267b5ca9aa0075697e169056120c18837ddc3ca97c5ace83c6fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

Filesize
1KB

MD5
cafd74774ee92e32d33d986aa1d02887

SHA1
4eba3d811e150ea0e03193916820ceb1353d7d3a

SHA256
a9a2445fa2c7695be72695fb46f2d5fbb7106691d7840d454fac2b91ddd014b0

SHA512
27baef4953ca7ffd10dfc22d6ee2e6b961c1c08aa2a9813737afb4a265bfa9dfa56d577b20b0aefa84c157ab8fbc3fc4a7456c4e5093dd480f22c3fbdef30bf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\0gdesoe3.inf

Filesize
619B

MD5
6f1420f2133f3e08fd8cdea0e1f5fe27

SHA1
3aa41ec75adc0cf50e001ca91bbfa7f763adf70b

SHA256
aed1ac2424a255f231168bcb02f16b6ea89603e0045465c2149abcde33a06242

SHA512
d5629e9835f881cd271e88d9ec2d2c27b9d5d1b25329ade5cfb9824a6358c9e98e66f1b89ac9459b4c540c02af2728129dd8523bdf007cadf28b5fa2d199a2aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\FOXAUTO V8\FoxAutoV8 .exe

Filesize
16.6MB

MD5
0f2eea5fa223ff94ac2027f4c6c2d851

SHA1
83ebd61a8e21967c94a34a72926b641c5c07c321

SHA256
5bd88a3dc2360e1ea8dc2a5023a65b6fb59c81f3befebbb20c58ada689ecba84

SHA512
638f40fc75cf5bcd46a8a403b1c5aec8c4d4b64eea2e57d1123a2eb4e42abbee8f8ed621d61fe463e43074591f659181e7b9fbb382833abc30b01fad6b59996a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
461KB

MD5
ee76425b767c9ab812a53c133b8363f8

SHA1
1daa4700a5f1849eb7e810986ac24bd58786da61

SHA256
f962e1a60673963b7c2fa51a0663260df63771dfbd7423af67c2d142f7245747

SHA512
004d1b4acc7084ba8c520d94032c19342228ed6346321b04641450f87a32f78a92212e3940e4cf0790af2e5640c6001e7c805dc99cf8f9a146d752b5ee117c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28442\VCRUNTIME140.dll

Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28442\_bz2.pyd

Filesize
77KB

MD5
f25a6086f553912823debfac50022783

SHA1
e7aa566b85990bc538b56cdea4b167675fe4d6f5

SHA256
460ba09fe832a852be740473343017321d3d1104d80896cd4b6e9c144c72433b

SHA512
841f3f5d13dd77ed9576f7dc4f944b45ee3113a77e2fa82711098829f7dec0bd2dc303bc07953dd08397cf4051cb2bd03c80a6c9c18af6708f20fdfa9e4d0443

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28442\_ctypes.pyd

Filesize
116KB

MD5
b754feac42b118dbeb2d005bcf8036e3

SHA1
c48d63eea9868ed2f071e8baeb8faa7d323b48d9

SHA256
e880e94d0035bcca283a071bd5f18024d247564c2c68f41b381270eae08e1f7c

SHA512
1f6212e63bcfe562dcf611c8bd794318e76f702483cfd039062dddb0356742776d3efce96196b820a7c06208a35f4bb12cfa27996a9dc7d4e549912c9b9cb8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28442\_decimal.pyd

Filesize
242KB

MD5
34c83e4a5ef95e9722b7758259c1d9d8

SHA1
75537cafb06d0f8fdaeff73e0b9c56522421d062

SHA256
ebf380f395b1db8d305d65b8568d91790b234a0e0650f27b645d299ff305bb03

SHA512
fb0eae45691489b353f28423565c749546a5854b6186bd245ce1924a46d5233eba6d4beeca86631f9227be19c572a971a2f2f26ae130b5a45184b5817075ade4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28442\_hashlib.pyd

Filesize
59KB

MD5
4b4e3c144d07513be4c724741df080b7

SHA1
ee07182142982134237df15afd94c4034573bc6a

SHA256
0b2e389a4aaf10cde846629171926c87ff2d39e13bdfd2dc2a97b17f0cda659e

SHA512
b7e0399d0c855dee1a64bb50e72b278438c1cd59df7c78fa243e755eaa0d06172e6446f5bc4e8157603d91cea094246cabdfd7635a6885eb8b2967b90cc6a0fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28442\_lzma.pyd

Filesize
150KB

MD5
28cb83c31e2bc5cdb02091196d8cc249

SHA1
b8a22821889fd85cf1f332639e5ee7befad56823

SHA256
86ff13abf066184cb9a272541baf4e6b673d33643e104113e343876c65ec923e

SHA512
5299f35455050f431c8d7704c36c54adf2dfa6505fc5446bc98555739c648d4c245251f9edce43d87446470f85f44d281e58643bbfe99d0c872d1f775761c28c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28442\_queue.pyd

Filesize
26KB

MD5
f19d04c23de0358b3fc042dc5a5b1809

SHA1
06bcdeebe51c8b273fb8f145b8a4cacdff944118

SHA256
c05c38143268b736c494611af451cc50e26c558c58a71e625ab82f1c700799e8

SHA512
65b7b03008c8b9619b78a93ad172efd5ce72fbab1f2a51caaec47a6823773e28fa18bad7bb3df9f7a2165b40a2effd1b06048aaff00125ff6e36c7fc65a59f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28442\_socket.pyd

Filesize
73KB

MD5
b85ad6a94540aa911f19c325e5930963

SHA1
3237b849265802124197a48c84bf320612e1197e

SHA256
7dadd3b369db35cd752e11c901a7f77329cdfb9bf027120e224446453a1463a2

SHA512
c9675e4b994ade44828c7f2d5e8e0085c09abc83a08ea4716aebf2aca93ab3c4b9478228247945ebb5fe8ffffb109568d862419e61e1776410c2bb61db8562f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28442\_ssl.pyd

Filesize
152KB

MD5
f540e92976041ff33b224e50bef20126

SHA1
e77f0afb4cb8aea2fd18c3c8e4ac3efdc9101b8b

SHA256
f1377098d32690a8a62c275bf0581417e9f179dfe97671eb98fc4bf565daddca

SHA512
277ad1284ec41d2a063d254453ffe3c11a968e4afb7f03dc10d4a01fa22b4a57e5874d1b3cd59db9c65fbf28e2d47da754676fdfe6a0ada0e2e04e62f8b4e7d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28442\_uuid.pyd

Filesize
20KB

MD5
0d98febeb51ac1ccf107ae166aec31b9

SHA1
ec5bb535f505c96c326bc93229ba90e7e00045e5

SHA256
59b4d0b9c0390a402cbb2b174be4c425a3b63abaf7d4af8ec0e330296d531cdc

SHA512
2440b094b41e207a221024f0c12d92197a577efc031deea272612e92828bf999a9089389afac8ca3d7f495e6bcc4e41123ec98dcf09cf000a50735b084422fb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28442\base_library.zip

Filesize
1.0MB

MD5
f002a5b9ddb1156f6913da74a9d6ae39

SHA1
792d6e4f8d8c50148c035f6bdb6a8e9d9411ebd2

SHA256
c0feec51e98bd92409ae650763440dca90cc58f29236c70b20e1210dfb58f843

SHA512
cd5978b57efd4b3be708f2ebbb79d2654b17c0cdeaf5f70ce8e45fb0826b5aadd26fd820cadaabe0f41ada7a1771bd0b054edfa7f478d596b568573867d47530

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28442\charset_normalizer\md.cp310-win_amd64.pyd

Filesize
10KB

MD5
0e2a2addd0d5b21193dbaae162604181

SHA1
526b25822b2571307fe8d4208c83227c0c64cb10

SHA256
ab0a8fd8f085766a2a7001380e6ee219d5ae68d0194498eeb8d3866f922fbcae

SHA512
6e0f0fa11fff0853e4063f5e1a526936cd682303f94b13da0bd4fb6b2da5efdbb3acb378951508ee3a2dea7f7e2c1d6f968e00ae63d1b6063cc2ad932a3856e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28442\charset_normalizer\md__mypyc.cp310-win_amd64.pyd

Filesize
114KB

MD5
c6c87fc7bd7555026bb1738857066cff

SHA1
3c89dcbc228a7b689860545495f7a081721c5a12

SHA256
1a6961fd249dbb3a9ccc903fe5ec4631616594edefb19db423fb488b3dba619a

SHA512
63d5b76830d17f90c7d846c8481fac33d86cf1e606d4e33cbe5af868b41d35e7c8c95b93906258d1954809d13a46036fabad093a8693bd29121c020f743faeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28442\libcrypto-1_1.dll

Filesize
3.3MB

MD5
ab01c808bed8164133e5279595437d3d

SHA1
0f512756a8db22576ec2e20cf0cafec7786fb12b

SHA256
9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55

SHA512
4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28442\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28442\libssl-1_1.dll

Filesize
682KB

MD5
de72697933d7673279fb85fd48d1a4dd

SHA1
085fd4c6fb6d89ffcc9b2741947b74f0766fc383

SHA256
ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f

SHA512
0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28442\python3.dll

Filesize
60KB

MD5
f5cb0f83f8a825d4bedcddae9d730804

SHA1
07385f55b69660b8abc197cfab7580072da320ea

SHA256
a62a9c7966cf614b3083740dc856ca9a1151ddcc0b110ebc3494799511ed392b

SHA512
2bfa35eb4b8fff821b4504eccad94ed8591ef42e0cdb39a18458395789508b4d2da76f0de3708d963c3187b8b1ced66b37c66834f17eeca0ceb45a62b3a69974

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28442\python310.dll

Filesize
4.2MB

MD5
7e45e4d723e4775f6e26628315f370ad

SHA1
76a8104c5d073c6f7619872426d440bcabd18bb9

SHA256
7cc15b7440710f8fecaa67396b83436b3b2962e3757482dfbaf926ee74f86882

SHA512
4e11316ebbf6af953dcf991148cca98a155d48d4f8b5ee068f2bc7a56aa14c8a7661d52ecce9bc3c4aa5495868503b81010d81c4fe3a15fa789f13ce081c82fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28442\select.pyd

Filesize
25KB

MD5
a67a37cd1f39e95ced02b6f3e7a0c17c

SHA1
4c261ca2e826b9ec54ecae706545206f5b6c5f72

SHA256
f060ecc836852323d69d9fed9457528de58a841ad1d48130863f9a0a917014fb

SHA512
409290b6b40c27e3bdcd95675fa002fdff6dcb3f4c734521c350373e6d4f634dc7c02f67d060607d14e2c4b91f17dea6ffa415c33e167c3cfaf1d84ff5d65a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28442\unicodedata.pyd

Filesize
1.1MB

MD5
686beb1c76bce6bff2985da9acc8aa53

SHA1
b3c8feba2d45ae77dee5aca599c9f29df15e0e93

SHA256
2350440b5db37cad0fbf65b4eea4f9254870d041436209eae5ae7012844615db

SHA512
ad2c42de8ca1d754f2ae5f206b1235fd412c1591475897459122115a12f5559c54ccb668308bbdd45c887e13f83116bea6e72e804e1c40014165e43d2beb581e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cbl33qbp.u0i.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
319KB

MD5
794d834f4a9a70041b3cad4d0002030f

SHA1
facc1ed8ade82799866c8414406d80549c190a9b

SHA256
2ee18c24d8d7d58e740e3b12b8eacb747d2deb2139db95c4c9bb40930b40911b

SHA512
2b1a9d2a423c4ed1365b960fd706346620af4820312f67a177cf399bbf81d38acaf49830d21d3b7822072a2b1de08c028ca0855414ef7d0a53853d099736f565

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.zip

Filesize
428KB

MD5
c4e46c34047251d044082214f6c98e43

SHA1
f8a878adb7ccc995201849ea5399ea3ece227b54

SHA256
1c8b4c860f47344463708b975441129a37d64741810c5814f057d1b0108207ba

SHA512
dc320b161eb9e612501af389c8e9551b42c496e8cb05c3584d2f73d23f7231b42488186e1ebeeb0c0734390aa1a9bb166b2483f2c2109806ea5cb7617c790956

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

Filesize
325KB

MD5
f36e535fdc82208fca08acfa44f790c6

SHA1
a3cc1aa7d614094faebada2aed1e6c519bd18c94

SHA256
51efbe235b492c7e99c480915c7eeecf85f5ee6d540189ee5aa54fe9f0fafcdc

SHA512
631db5246159e045ed6911867f25991ae8824951e608c2fef25bc48482271aeb3ad26f1c98a04b4cbbf431ce20ef027cacb4bf0b3d85e048885da2b709f3a9af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe

Filesize
46KB

MD5
c9ee90b6246b82685a26af067eada50c

SHA1
247dcdc29bdf134535c0142bc22a0a15e1033c28

SHA256
d9402ee82fb2cfc8965666cf3157bdf39547838814189106d565541522b8335e

SHA512
de676e0a7af1e59e2fd25393a976223414e6ee378f2607a409a00b37283800bacff0fd4393fca4cc53bbe1915ed46f775557a61134281aecbc27f9d98f66bb28

Download Submit
memory/1040-58-0x000000001B930000-0x000000001B938000-memory.dmp

Filesize
32KB

Download
memory/1040-43-0x0000000000C60000-0x0000000000CB6000-memory.dmp

Filesize
344KB

Download
memory/1408-1-0x0000000000260000-0x000000000137A000-memory.dmp

Filesize
17.1MB

Download
memory/1408-0-0x00007FFDB7253000-0x00007FFDB7255000-memory.dmp

Filesize
8KB

Download
memory/1460-15-0x0000000000C40000-0x0000000000C6A000-memory.dmp

Filesize
168KB

Download
memory/1460-18-0x00007FFDB7250000-0x00007FFDB7D11000-memory.dmp

Filesize
10.8MB

Download
memory/1460-17-0x00007FFDB7250000-0x00007FFDB7D11000-memory.dmp

Filesize
10.8MB

Download
memory/1460-14-0x0000000000430000-0x00000000004A8000-memory.dmp

Filesize
480KB

Download
memory/1460-65-0x00007FFDB7250000-0x00007FFDB7D11000-memory.dmp

Filesize
10.8MB

Download
memory/2028-152-0x000000001C8B0000-0x000000001CD7E000-memory.dmp

Filesize
4.8MB

Download
memory/2028-156-0x000000001BE40000-0x000000001BEDC000-memory.dmp

Filesize
624KB

Download
memory/2028-157-0x0000000001680000-0x0000000001688000-memory.dmp

Filesize
32KB

Download
memory/3704-149-0x000000001B850000-0x000000001B8F6000-memory.dmp

Filesize
664KB

Download
memory/3704-155-0x0000000000C80000-0x0000000000C8C000-memory.dmp

Filesize
48KB

Download
memory/4712-166-0x000001D3D2C60000-0x000001D3D2C82000-memory.dmp

Filesize
136KB

Download