njrat | 161ac2f439eae6165af8090e8b6a1ca2180e16038af766a9337eb668cf134cab

Analysis

max time kernel
599s
max time network
598s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
01-09-2024 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RatClient.exe
Size

39KB
MD5

535183e6c2778357f5380a900e22a48e
SHA1

9a93b202f921fb8e8b477bf812befc5d74e2eab2
SHA256

161ac2f439eae6165af8090e8b6a1ca2180e16038af766a9337eb668cf134cab
SHA512

1b4aa4c83d89b112cbd813bc94bd1fa2bb99e76437d6b31f64fe5026d4a9ecc44125dcb6fecd417daa5a71869f774edafae81b96c65a93e538d11d04234ebb71
SSDEEP

768:wvhux8CPRPWROIfQpxybMGUOkKL2fA86TUg5WVTYdai6JuC:0O8CPNrI64opXZiUgo6EZb

Score

10^/10

njrat долбаеб persistence trojan

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

долбаеб

127.0.0.1:6636

Mutex

Client.exe

Attributes

reg_key
Client.exe
splitter
|Ghost|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	Client.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url	Client.exe

Executes dropped EXE 11 IoCs

pid	Process
3244	Client.exe
2316	Client.exe
696	Client.exe
408	Client.exe
4564	Client.exe
2168	Client.exe
676	Client.exe
212	Client.exe
2872	Client.exe
1924	Client.exe
980	Client.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\Client.exe\" .."	Client.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\Client.exe\" .."	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 26 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2408	schtasks.exe
5036	schtasks.exe
2272	schtasks.exe
3528	schtasks.exe
4424	schtasks.exe
4108	schtasks.exe
4408	schtasks.exe
4968	schtasks.exe
4052	schtasks.exe
4408	schtasks.exe
3608	schtasks.exe
4276	schtasks.exe
168	schtasks.exe
2796	schtasks.exe
1104	schtasks.exe
424	schtasks.exe
1616	schtasks.exe
5096	schtasks.exe
5004	schtasks.exe
3356	schtasks.exe
3220	schtasks.exe
5000	schtasks.exe
2984	schtasks.exe
5104	schtasks.exe
312	schtasks.exe
3148	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3244	Client.exe
Token: 33	3244	Client.exe
Token: SeIncBasePriorityPrivilege	3244	Client.exe
Token: 33	3244	Client.exe
Token: SeIncBasePriorityPrivilege	3244	Client.exe
Token: 33	3244	Client.exe
Token: SeIncBasePriorityPrivilege	3244	Client.exe
Token: 33	3244	Client.exe
Token: SeIncBasePriorityPrivilege	3244	Client.exe
Token: 33	3244	Client.exe
Token: SeIncBasePriorityPrivilege	3244	Client.exe
Token: 33	3244	Client.exe
Token: SeIncBasePriorityPrivilege	3244	Client.exe
Token: 33	3244	Client.exe
Token: SeIncBasePriorityPrivilege	3244	Client.exe
Token: 33	3244	Client.exe
Token: SeIncBasePriorityPrivilege	3244	Client.exe
Token: 33	3244	Client.exe
Token: SeIncBasePriorityPrivilege	3244	Client.exe
Token: 33	3244	Client.exe
Token: SeIncBasePriorityPrivilege	3244	Client.exe
Token: 33	3244	Client.exe
Token: SeIncBasePriorityPrivilege	3244	Client.exe
Token: 33	3244	Client.exe
Token: SeIncBasePriorityPrivilege	3244	Client.exe
Token: 33	3244	Client.exe
Token: SeIncBasePriorityPrivilege	3244	Client.exe
Token: 33	3244	Client.exe
Token: SeIncBasePriorityPrivilege	3244	Client.exe
Token: 33	3244	Client.exe
Token: SeIncBasePriorityPrivilege	3244	Client.exe
Token: 33	3244	Client.exe
Token: SeIncBasePriorityPrivilege	3244	Client.exe
Token: 33	3244	Client.exe
Token: SeIncBasePriorityPrivilege	3244	Client.exe
Token: 33	3244	Client.exe
Token: SeIncBasePriorityPrivilege	3244	Client.exe
Token: 33	3244	Client.exe
Token: SeIncBasePriorityPrivilege	3244	Client.exe
Token: 33	3244	Client.exe
Token: SeIncBasePriorityPrivilege	3244	Client.exe
Token: 33	3244	Client.exe
Token: SeIncBasePriorityPrivilege	3244	Client.exe
Token: 33	3244	Client.exe
Token: SeIncBasePriorityPrivilege	3244	Client.exe
Token: 33	3244	Client.exe
Token: SeIncBasePriorityPrivilege	3244	Client.exe
Token: 33	3244	Client.exe
Token: SeIncBasePriorityPrivilege	3244	Client.exe
Token: 33	3244	Client.exe
Token: SeIncBasePriorityPrivilege	3244	Client.exe
Token: 33	3244	Client.exe
Token: SeIncBasePriorityPrivilege	3244	Client.exe
Token: 33	3244	Client.exe
Token: SeIncBasePriorityPrivilege	3244	Client.exe
Token: 33	3244	Client.exe
Token: SeIncBasePriorityPrivilege	3244	Client.exe
Token: 33	3244	Client.exe
Token: SeIncBasePriorityPrivilege	3244	Client.exe
Token: 33	3244	Client.exe
Token: SeIncBasePriorityPrivilege	3244	Client.exe
Token: 33	3244	Client.exe
Token: SeIncBasePriorityPrivilege	3244	Client.exe
Token: 33	3244	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 3244	4104	RatClient.exe	73
PID 4104 wrote to memory of 3244	4104	RatClient.exe	73
PID 3244 wrote to memory of 212	3244	Client.exe	74
PID 3244 wrote to memory of 212	3244	Client.exe	74
PID 3244 wrote to memory of 5104	3244	Client.exe	76
PID 3244 wrote to memory of 5104	3244	Client.exe	76
PID 3244 wrote to memory of 4656	3244	Client.exe	81
PID 3244 wrote to memory of 4656	3244	Client.exe	81
PID 3244 wrote to memory of 2408	3244	Client.exe	83
PID 3244 wrote to memory of 2408	3244	Client.exe	83
PID 3244 wrote to memory of 4260	3244	Client.exe	85
PID 3244 wrote to memory of 4260	3244	Client.exe	85
PID 3244 wrote to memory of 3356	3244	Client.exe	87
PID 3244 wrote to memory of 3356	3244	Client.exe	87
PID 3244 wrote to memory of 4704	3244	Client.exe	89
PID 3244 wrote to memory of 4704	3244	Client.exe	89
PID 3244 wrote to memory of 2796	3244	Client.exe	91
PID 3244 wrote to memory of 2796	3244	Client.exe	91
PID 3244 wrote to memory of 508	3244	Client.exe	94
PID 3244 wrote to memory of 508	3244	Client.exe	94
PID 3244 wrote to memory of 3528	3244	Client.exe	96
PID 3244 wrote to memory of 3528	3244	Client.exe	96
PID 3244 wrote to memory of 2020	3244	Client.exe	98
PID 3244 wrote to memory of 2020	3244	Client.exe	98
PID 3244 wrote to memory of 4108	3244	Client.exe	100
PID 3244 wrote to memory of 4108	3244	Client.exe	100
PID 3244 wrote to memory of 3832	3244	Client.exe	103
PID 3244 wrote to memory of 3832	3244	Client.exe	103
PID 3244 wrote to memory of 3220	3244	Client.exe	105
PID 3244 wrote to memory of 3220	3244	Client.exe	105
PID 3244 wrote to memory of 5104	3244	Client.exe	107
PID 3244 wrote to memory of 5104	3244	Client.exe	107
PID 3244 wrote to memory of 312	3244	Client.exe	109
PID 3244 wrote to memory of 312	3244	Client.exe	109
PID 3244 wrote to memory of 2404	3244	Client.exe	111
PID 3244 wrote to memory of 2404	3244	Client.exe	111
PID 3244 wrote to memory of 4408	3244	Client.exe	113
PID 3244 wrote to memory of 4408	3244	Client.exe	113
PID 3244 wrote to memory of 4992	3244	Client.exe	116
PID 3244 wrote to memory of 4992	3244	Client.exe	116
PID 3244 wrote to memory of 3148	3244	Client.exe	118
PID 3244 wrote to memory of 3148	3244	Client.exe	118
PID 3244 wrote to memory of 1260	3244	Client.exe	120
PID 3244 wrote to memory of 1260	3244	Client.exe	120
PID 3244 wrote to memory of 5036	3244	Client.exe	122
PID 3244 wrote to memory of 5036	3244	Client.exe	122
PID 3244 wrote to memory of 2740	3244	Client.exe	125
PID 3244 wrote to memory of 2740	3244	Client.exe	125
PID 3244 wrote to memory of 1104	3244	Client.exe	127
PID 3244 wrote to memory of 1104	3244	Client.exe	127
PID 3244 wrote to memory of 3364	3244	Client.exe	129
PID 3244 wrote to memory of 3364	3244	Client.exe	129
PID 3244 wrote to memory of 3608	3244	Client.exe	131
PID 3244 wrote to memory of 3608	3244	Client.exe	131
PID 3244 wrote to memory of 3200	3244	Client.exe	133
PID 3244 wrote to memory of 3200	3244	Client.exe	133
PID 3244 wrote to memory of 424	3244	Client.exe	135
PID 3244 wrote to memory of 424	3244	Client.exe	135
PID 3244 wrote to memory of 1120	3244	Client.exe	138
PID 3244 wrote to memory of 1120	3244	Client.exe	138
PID 3244 wrote to memory of 2272	3244	Client.exe	140
PID 3244 wrote to memory of 2272	3244	Client.exe	140
PID 3244 wrote to memory of 3540	3244	Client.exe	142
PID 3244 wrote to memory of 3540	3244	Client.exe	142

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\RatClient.exe
"C:\Users\Admin\AppData\Local\Temp\RatClient.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Users\Admin\Client.exe
  "C:\Users\Admin\Client.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3244
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:212
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\Client.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5104
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:4656
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\Client.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2408
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:4260
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\Client.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3356
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:4704
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\Client.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2796
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:508
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\Client.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3528
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:2020
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\Client.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4108
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:3832
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\Client.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3220
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:5104
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\Client.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:312
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:2404
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\Client.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4408
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:4992
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\Client.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3148
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:1260
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\Client.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5036
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:2740
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\Client.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1104
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:3364
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\Client.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3608
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:3200
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\Client.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:424
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:1120
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\Client.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2272
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:3540
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\Client.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4276
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:3240
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\Client.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4968
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:2300
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\Client.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:168
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:2404
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\Client.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4408
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:4980
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\Client.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5000
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:1540
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\Client.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1616
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:2052
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\Client.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5096
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:2284
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\Client.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4424
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:4764
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\Client.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5004
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:4828
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\Client.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2984
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:4012
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\Client.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4052

C:\Users\Admin\Client.exe
C:\Users\Admin\Client.exe
1⤵
- Executes dropped EXE
PID:2316

C:\Users\Admin\Client.exe
C:\Users\Admin\Client.exe
1⤵
- Executes dropped EXE
PID:696

C:\Users\Admin\Client.exe
C:\Users\Admin\Client.exe
1⤵
- Executes dropped EXE
PID:408

C:\Users\Admin\Client.exe
C:\Users\Admin\Client.exe
1⤵
- Executes dropped EXE
PID:4564

C:\Users\Admin\Client.exe
C:\Users\Admin\Client.exe
1⤵
- Executes dropped EXE
PID:2168

C:\Users\Admin\Client.exe
C:\Users\Admin\Client.exe
1⤵
- Executes dropped EXE
PID:676

C:\Users\Admin\Client.exe
C:\Users\Admin\Client.exe
1⤵
- Executes dropped EXE
PID:212

C:\Users\Admin\Client.exe
C:\Users\Admin\Client.exe
1⤵
- Executes dropped EXE
PID:2872

C:\Users\Admin\Client.exe
C:\Users\Admin\Client.exe
1⤵
- Executes dropped EXE
PID:1924

C:\Users\Admin\Client.exe
C:\Users\Admin\Client.exe
1⤵
- Executes dropped EXE
PID:980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
1KB

MD5
ada37846cea22757d6153e65b720a367

SHA1
d9c9e33987d095b32c364fe40dd6f054feaf7ea9

SHA256
7daa4e8a6296b9e3df9669f6a574cbe481f2df9c751affbeb41a541173264520

SHA512
592640e40ad0c6bcd8719f2cdbf828f2e322ad729c23ac3b44dd252a9c0b08d370a1cfcbcb9038cdffed0866ae4d2f8762c421f5e1a89c8d9273f482d9d2662f

Download Submit
C:\Users\Admin\Client.exe

Filesize
39KB

MD5
535183e6c2778357f5380a900e22a48e

SHA1
9a93b202f921fb8e8b477bf812befc5d74e2eab2

SHA256
161ac2f439eae6165af8090e8b6a1ca2180e16038af766a9337eb668cf134cab

SHA512
1b4aa4c83d89b112cbd813bc94bd1fa2bb99e76437d6b31f64fe5026d4a9ecc44125dcb6fecd417daa5a71869f774edafae81b96c65a93e538d11d04234ebb71

Download Submit
memory/3244-9-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/3244-13-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/3244-14-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/3244-15-0x00007FFF3A570000-0x00007FFF3AF5C000-memory.dmp

Filesize
9.9MB

Download
memory/4104-0-0x00007FFF3A573000-0x00007FFF3A574000-memory.dmp

Filesize
4KB

Download
memory/4104-1-0x0000000000880000-0x0000000000888000-memory.dmp

Filesize
32KB

Download
memory/4104-2-0x0000000001010000-0x0000000001026000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads