njrat | a9dfed16b30cfef2106e4d1626e4cb7cffdacbdcbf2fc13865be64a918e0f255

Analysis

max time kernel
119s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe
Size

1.1MB
MD5

d2208a80c24abd0ccfcaf45dd9d332ab
SHA1

ae076b92ee7853ae263ccb4f73c39e6441066b3b
SHA256

a9dfed16b30cfef2106e4d1626e4cb7cffdacbdcbf2fc13865be64a918e0f255
SHA512

1f8fc8b99c3138db816b90e4335ff5a31cd4226795e6bcc1a3a8c0d1934d5893d8f26dfd4ddfd5354ab2d2bc2b35f06d715b5b71eb67b62de4a696d4c112f0a9
SSDEEP

24576:64lavt0LkLL9IMixoEgeakVR0x3+Dey45nxGq9MmCS:Nkwkn9IMHeakHYuf+EaPCS

Score

10^/10

njrat hacked discovery evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

192.168.31.130:5552

Mutex

0a2e5cfbc3a5b8d96d011c7841e3236a

Attributes

reg_key
0a2e5cfbc3a5b8d96d011c7841e3236a
splitter
|'|'|

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 4 IoCs

pid	Process
1560	7366.exe
2684	Server.exe
3000	cat2.exe
2996	Server.exe

Loads dropped DLL 9 IoCs

pid	Process
1796	d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe
1796	d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe
1796	d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe
1796	d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe
1560	7366.exe
1560	7366.exe
1560	7366.exe
1560	7366.exe
2684	Server.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2684 set thread context of 2996	2684	Server.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7366.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cat2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BF74A3B1-6D23-11EF-9E32-4A174794FC88} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431880449"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80af5da53001db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd3000000000200000000001066000000010000200000000895506a961aed03cbef197ed7b1a3b7967a1ee0e8a167fc320ccab435c97c12000000000e80000000020000200000009706d1e6f42d5fcb933dd3ffabbba92bd35baa2cc96af9cbccace157acf0fba32000000019fa06c5d7661812ffa814ba3371fce19042448edc90b14a377be2c8e26fa62940000000c4e3cc38dc74f480814300190a1ff8e301a826456040065e29e594e25648d0059ffeb0e15d677c48ec49e10b8cff44f09b3e059b4e6e37b6ddf7e27379a4464e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000343160feb910615cf346655f1827ffa47121d173526f71c886aa867bdf4fadfa000000000e8000000002000020000000d2866f07ce7a7300ccef3ac5538df6cd270cac2c8f3fd8325fb264cdfb06829c90000000f376fcbd4540dfef7c29a86954cbd93bd583fcc0e490d0c644cacf4a2a852bfae33cc75de556425e2cc1fec3a156f7428ab99225cdfa2101efa1d50966147d2802f88d62b7ba21ea28d1f84e32474964565935c3991c8d424db33284bfa565a9d61d2affdb3300d4bfaf60b772b02e627613efe4f5f345bd918ae72b65d103db9942b4bfaf205008a15c26d1ed6411a3400000008eb548024b32936ba7f4566a47de9a362b00f27c1988ed62f5ecf759ccb05e0e3e28ad4432bc960a139493fa4a54051a0a99912e0c5a1976f669476aca53fdf7	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2552	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2684	Server.exe
2552	iexplore.exe
2552	iexplore.exe
2128	IEXPLORE.EXE
2128	IEXPLORE.EXE
2128	IEXPLORE.EXE
2128	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 1560	1796	d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe	31
PID 1796 wrote to memory of 1560	1796	d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe	31
PID 1796 wrote to memory of 1560	1796	d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe	31
PID 1796 wrote to memory of 1560	1796	d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe	31
PID 1560 wrote to memory of 2684	1560	7366.exe	32
PID 1560 wrote to memory of 2684	1560	7366.exe	32
PID 1560 wrote to memory of 2684	1560	7366.exe	32
PID 1560 wrote to memory of 2684	1560	7366.exe	32
PID 1560 wrote to memory of 3000	1560	7366.exe	33
PID 1560 wrote to memory of 3000	1560	7366.exe	33
PID 1560 wrote to memory of 3000	1560	7366.exe	33
PID 1560 wrote to memory of 3000	1560	7366.exe	33
PID 2684 wrote to memory of 2996	2684	Server.exe	34
PID 2684 wrote to memory of 2996	2684	Server.exe	34
PID 2684 wrote to memory of 2996	2684	Server.exe	34
PID 2684 wrote to memory of 2996	2684	Server.exe	34
PID 2684 wrote to memory of 2996	2684	Server.exe	34
PID 2684 wrote to memory of 2996	2684	Server.exe	34
PID 2684 wrote to memory of 2996	2684	Server.exe	34
PID 2684 wrote to memory of 2996	2684	Server.exe	34
PID 2684 wrote to memory of 2996	2684	Server.exe	34
PID 2996 wrote to memory of 2552	2996	Server.exe	35
PID 2996 wrote to memory of 2552	2996	Server.exe	35
PID 2996 wrote to memory of 2552	2996	Server.exe	35
PID 2996 wrote to memory of 2552	2996	Server.exe	35
PID 2552 wrote to memory of 2128	2552	iexplore.exe	36
PID 2552 wrote to memory of 2128	2552	iexplore.exe	36
PID 2552 wrote to memory of 2128	2552	iexplore.exe	36
PID 2552 wrote to memory of 2128	2552	iexplore.exe	36

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d2208a80c24abd0ccfcaf45dd9d332ab_JaffaCakes118.exe"
1⤵
- UAC bypass
- Loads dropped DLL
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1796
- C:\Users\Admin\AppData\Local\Temp\7366\7366.exe
  "C:\Users\Admin\AppData\Local\Temp\7366\7366.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Users\Admin\AppData\Local\Temp\Server.exe
      C:\Users\Admin\AppData\Local\Temp\Server.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2996
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=Server.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2552
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2128
- - C:\Users\Admin\AppData\Local\Temp\cat2.exe
    "C:\Users\Admin\AppData\Local\Temp\cat2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

Filesize
579B

MD5
f55da450a5fb287e1e0f0dcc965756ca

SHA1
7e04de896a3e666d00e687d33ffad93be83d349e

SHA256
31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

SHA512
19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

Filesize
252B

MD5
67e11ac2b5a4f2fd80730f02c81c944c

SHA1
ebad1d542cf7f49b6f68c0342491ed940f4503a7

SHA256
f27e6257fc1849aa0acb0767ad67a71f6876186467d1b7860671d1055816cd24

SHA512
fa37c2d6400154869405e26f90195768536403cd0b64426a97861824a5eb0eca78a4997a22b3f9c3825a7ac54e2c783cf498e48e3da0c871f6650c79e75ad57f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d781eb1483939e3cac593c52200830f

SHA1
e1cea36a15869cc29795c7fa4fa62f3d9a066903

SHA256
d1c1bdcdc71d84bce391ae88d1d527cdc893960b63f0a13b42a475d71b1896ca

SHA512
c507eb1deccae5a1ee425a97374b8fe3b5803b1ac84c7d9f40919575851a326b0039a7344bb79796b2a30b1330c9254ca0871c2bfd819c902add161307753910

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f92e54d7a079ce00c4026d7976bdfd2

SHA1
9578bddd00574dbac6f82a57c81582ea404d9238

SHA256
b66250ddf7f05beed6a94ad18ca82559f7fc663d83030912598709b6d5c1f15e

SHA512
5f0ac43f93963c7c5a8ebb08a2cbff2c918d188833ba4888842db1122889e76bd1d09ed76728bccae43313fd0cc4a8419ff3d1d67139023b263c07ae1fcc2781

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05728f3327893d62e5bc120fa6151296

SHA1
47c64226a36e5e01086b10cf99cd961f4bac42af

SHA256
4155c439d221e2771076728b71b97c5609a1f7eb1f4e7f5a1ab8a77fa8f3b540

SHA512
82c8a95826b5e715990c6010abadc95b8b1dc4eabed508293ff9a109b4c41a48845ccacdd63e2b5e6800dafbad41977efbb05c22fbbe2d32dda4dca20b29d8e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd32fd351e881426518a02cd4cd0d431

SHA1
32a8cf5794b948636410fa8262f506050456764d

SHA256
b5caa011f06c3431d3b58ac957513570cecac04efa3402db4a19e2ee5473c6e8

SHA512
9cc05deeaad08c6bebffab638663b13074a6aaafc95d3afe3ed9a9e7f2752a93824c4e649adda7c2227091481b1a7574ecfed8ca3b13fb1fad9972e6a4b268c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d692ecf721ab0d468e663b916197a880

SHA1
42969546e8affa902b7d4d3b33344581fa2abc4a

SHA256
d0555972d0dc531eb754eca7236258beea5f4b0d836e2e7ee9a78c5787e881e9

SHA512
4e9fcc7c4f2e99583e5046aaed7683e55e91bff79eaf1b8aa7fb598c04cc2680243cba1470007908c4417bb7a756af5f2f38c30430032b7bd0744038519bc5b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
331f501f5eac6090617a8d445862c27a

SHA1
a2f889ab7b0745db615b5cce4c5af34bd685482c

SHA256
2bc6427bd35db922c18f7456a9a2213333b244391fec001fac565017af2de2ea

SHA512
5cd230a6825d5a5722b14a736130a1d7ce3b08cd049e8ceb0bc8ae456c0fc0c0662d4d5d386189e74f7f82b0eebd081fc9d3c3e0b75f073e9edcc3e3a4149d92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11772f922cf9a7a085df29fa99b60f1b

SHA1
77a5d7c2c496829393a765612b86507471668c84

SHA256
acb45627470cfe0beb6967c522800014d35220ea4a30e5004013f7e53080c139

SHA512
9db2b01aaf61c19eb097c96312a32938b028da8cbee04a7908b6b82793e2ede357e9c4d189b58121622a3c6193944bc661465d7465a8195f6122a1f31a99b5d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93988cc1f03e3fcb2277edf0325ef160

SHA1
28eb21148a63e7659adae7aa59cc97fc502202ca

SHA256
8a3e6535ff7526c1f069d7d2195a22025163127b89d93ea8c7602312a50c2f5a

SHA512
f7db92eab1cf2a10407247f79dc3385857f61ff56696478108c4ccd10cd98206808cd1be174b9289dfd98483121a6c21d2a0fbb7362e0e687790018be92a04c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd24fe06825b1bb42e99dd099a8c22a0

SHA1
46d104e7b4ade6d856af4003d7ccc1ed4e160e44

SHA256
2b6f9f7b4c0334595723552636c32e00e9c9dc89ba1dbfc1e2549b267fe24da5

SHA512
a33c8b68d6859b79e030a869d724a93422077b24cf8be1357889f5a3d2aaaf8c3b6dbef387d01221aa61712e4ba431fa230c00a082b2527744424ea209df0543

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed77c52b557cb6f19c351cb02a85e5f3

SHA1
d01ce00c98d721da16ac1d5bf430f5580cd6b9d9

SHA256
b0d144e776619cd667e960649c4aef2b293d5f210bcf418fd7a7001d6dd4f2ff

SHA512
ff2c5a8d95b8036d8449f1e62621ee51aa06d03fdf4de2b2c04c565fcd660f0c0d795758c29dc990a7d664536ff22d2b92cc1b6c2495bb02670c3138d9d93012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1334c5b8369585c3f6bdcfe56991b6c6

SHA1
be34d6af4849fe4ead7aa50f2b9632b261826ab1

SHA256
4baf4859376c39b92b7e70cb26862e72c354c9ac0727374b03c8ff9149e3be4b

SHA512
f8a0fb198ec210345b3cb53e55ff4d615d9b8eea1cff9ae5d1c65e7e8aeed87ba2381ac1d899e749114855e9d271985198df183bfdc5eb638ded93f47cec139a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90494320c665b104339f5945172f55f2

SHA1
35551d65722cea57b035ca18477e8cf7076f67bb

SHA256
94e939d292e8c9c449aecdcd983abb8ae66bda47f0ecc8c8b384879a117878d3

SHA512
26bc0430b4eb2b379970e73f15f6bf6ac0be725b0747b6029552eb58e9ef693073cac1fd351fe6f69825bb038dffd116bf5d0e932241895456514ef1115ebd93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea0506455d995d029586961a7e8970e6

SHA1
a656b47ddd28ca3f3a8d4791b13e500f055fc96c

SHA256
226c6cc0f811e6f35f7286dbb3aea24b126c2f356b9a3cdd0ef448d74377a1ce

SHA512
3aeca910c6b94e4f4916a2d1f25a09349d9274b23b7be30682ab7cb6b236aca492f8dd84352ceb446420f145c9cdbee43dc55749ffea7b12025350eefb78de3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e59ce04ddd8300dc8e1033fbcc5cd52

SHA1
3cc81b5f8d5bb0a139a4ad1b13534f6e02019f19

SHA256
07efeb720ee8d14daa0a1f027e816aa87c35a696782c51e696a7e996e8b04e50

SHA512
d926f116bd8a41c0b2c62205ac089d3456dfb42269b909da39b18125ec4bf1850bebb5450e6ae9e036255a02e487572e2e8b2f83ce23a951774921c9aa1c9629

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73a9ca22addfbddb7529f1d96a081414

SHA1
18c38a7f0cb7450794e4a86531202bb366529e1d

SHA256
bd1c9a2c38a0174b737ab0c9a8e604cbd5cdfcf910e68ace6893372c3d01e26c

SHA512
051ee6719f013ee5a9bf1b806ea6d815a32c19320e0c16f98cc5ac1e85a06c7334b6db9bf26131544a7baf5fc7ad09d8bb0e74d20493b02440d89d534ca0d6c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
229f9a14494184ff5e66063c263af635

SHA1
569b7d0b4469a40f148c559262af6347c65f4fc3

SHA256
73310b115bafbc341d85313dbffcdbf5810d2342bebbfd324847f1b11df3b6b3

SHA512
94d50b271121e44bba996c5bc3a1cafb918f0e62a95187c2a47d4504e7297e6c94a0dc0575ceb93ec929cc87a2057a451d61a3e9d0ac7f0769d32628b0addd80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09df50afe526bf534096c4b1e9e5a7ae

SHA1
850c64b96832f6fe6be139a8c350f94f1d809037

SHA256
b79f93d12a59bf06a71e637eabecb2e7287b95bf14022d5e7a1833304dc11479

SHA512
257cac56a32672c639e562f19a6b85d0c5100d48c5d69a3bc8fcd0063e8bff17ffd25ed763cf3e6c0466fd15de1a39f8688514d541f17b5eb6c6cd808b789f61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b168c1d5cfcf7a5087278985172ca9f

SHA1
ddd3d0243d83b05be2a4284da3de98704c587674

SHA256
fa36158c6b5e592642ae5ed84c3ffb295ee2c5fe8fab2de5689a032493354355

SHA512
ddb327841b37c0dc8cab401caeaf933ab8fe510afeeec64c1f0c2ed125096f0826b4e4e0fe574af05a9f7841708d15126ae56f06ae48800e753f71560f680caf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c51a83dbbc64175f5533b76d5c70639

SHA1
2eb916fd0ea85c749bfb9b0ffcda0811d655f5c3

SHA256
f5991d50b84bad9ebe86270ea3254fb96212ce2806f8621f48e1e8f227e99a0c

SHA512
fefd83219b1072fda2be685540d4df6a35cda09c003da17f39f4bfce481fc3eb32f5af846dcca67d0c032c7fba1ce8b209bd173e009cee0c2b2bc6c65df08fca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e4550cea3a7bd0313566cec8536e425

SHA1
28a5d8089d8e1dbe31a12845857ca1e0a87bb3ec

SHA256
12990ae3a5e4604fbe2179871fc3597e2c1d9a4b8235203efc5711c47b70b302

SHA512
0cb2152fe00aec73d84fd5c7f11718588adb3de285e28b1f2d85e6d0bcf56cc6038190ab0f13bfef538e5ecba3fb7d4e86aa9464e26c0434c864025d24992ed0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce4bd29ce5784daa09945904612f223c

SHA1
1a51e293f4cd66935ba7ffed6f16d3ad453433ec

SHA256
75bb182beaa0bc535fb1a8dd471e6a690985d7a6b30d9792dd30923a7abf71dc

SHA512
4aad8ebce694eda9f2d3beab3d6abb7a979e4536a78fbf2995fab4e3ad17504ab95710e863174ec579945ceb8a474f7c8f156acdbb5e900118f47bb67afa79d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
191455f9cad91263b79dacd9c3f9f32f

SHA1
704c0109424b49947f79690e866b004fbaefa1ac

SHA256
098dd29da56f3c64eef5a33c769aa7339c843e6c80815311287bd3ddccc7277e

SHA512
3a6f87eceac70454c298064cf388453df4af10bb128ffb1a7f4f4011392ef53df8847a697e2df83ec0220940a6cfc25f1abc5457164816ebe2cfe68ad92224bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82116a04315b2c5a6e99723038e4dc12

SHA1
cfd725fa4295f4d2994d7816e37dbddbc92d25cb

SHA256
81e2aa9a9f6d55f3a8f13c472aad3fd8382f164390d45d2df270b5c68645d4ff

SHA512
e15bc3cb676992469029c38b704ea6a9fa9e98c4952cec1168a498e37587034ec0fb9ae8d0da8aa48873c775eb590fb05533ce9f0bea2ea74c84f2c1b47646db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e8c243d3ddafd313027dcaf2c2806b2

SHA1
0672ee409ff8f2734f3e0f63b890594cdb7d7e61

SHA256
1eeb1dd7cff0573f9c3d5f98d0b215023d781e12694ba1a7d6184933f0c0e271

SHA512
0efbc13bb757b695c5f9057f85239158001fbe1bfdb4bf2257e0074355f96106a85ba85efbe9aca4cc82e7b784e6d71fd640bfb09b1d7d1f647684f5ab5f8a6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53ec59fdfeb74ae54f97621a2b9daafc

SHA1
06e9652fca7cea8c11cf355a7bceb8bc44dc768c

SHA256
134d9c1f43e20f15972a0eafbe041b81536a2631d5710782fa7898c0b93f00c8

SHA512
c68e42921b09e9730af043086097197ab71bd7fa579ee334913ad6e00be9dd8e10d1204eebd0d812da9e6d2619379fcfb1b38f1d0f0eb720fc16de78a2a074be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0afe859782a05c74a2a78d97d7174d15

SHA1
427d4285f902920b5278b8e93da2b7c1fe58d679

SHA256
3d71b4a21745124c30dac771be2b791c549d6af46ad82db29d7b626d1957b1e9

SHA512
7ebebd88775a719503a477896972d363ea9972237561edbdade2ab1f13aa6be9c42fe477ad6787b9f973450b1c7a50a52c30ee7ccfe54f51b1e5ab6e420a9017

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd00892765770ae9238edb6683ce1237

SHA1
74dc3544e88a9f00913ca439e59b901e6d7e1fbc

SHA256
5701daff0fb44204ab673d37b8b6f3fa672bb6152031b2ab6ca9ef0b6ba51777

SHA512
c96d5666d1ef1490261f988e9700c667712ae96e6847138bb490eb078575c418a76b3c0ff5fe6b3702c4d5b9f5801e5aa8f80b6a6fd0e0163738f4a757520b6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2ce908d10887c6c7c1dab013510c44f

SHA1
b3b42d16307d58169cf160b6451c9f85e096664b

SHA256
bf51388a51cfefe9a0a55cff8fc1e3c138134fa438afb8801f617fd3177d4596

SHA512
66aa502746158707b2e4e0a7496ceab60aabed7c3cc398c3c7f22d209944b3188382a3455ebb62eabe74e2d89ec2b72a40be1bf3af9243f4f32dce745d8290c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d7bd2c4f350e7e9ab82a458600c582ad

SHA1
9d4ab3f233c1c7ed04b0d0c7756a9de9aff995d1

SHA256
d667ce40904eb0ffaccfcc3267084367076a481f4bb567f7d1ff105671e70989

SHA512
3b40ba04453aaf9e1a36990b952e74d43d192876ead542c2908837cf6792ecdc3c3297e4feeb8d9eb66666d7a9115c37a901ffe2ae7279b9748a975ada9b847b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c863c5b4cc5e5dba6520fabe128524e0

SHA1
07340b8958005a02b011afbbaa29b02e2b0c089d

SHA256
85ee3335f4d51eee6c419d6231e7c3026e8f3ee8c03847d906bf9ec093afe8cf

SHA512
315db839f8da37fc95f0e2fe7eefa2304488996a7f4bfda18ff8dbb184183094300fec03b54c96f93b623897eaa3307c82d5aef73259e7e5be8c910e410b9d23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8631ff89fa13030889076aeaa90547a7

SHA1
4eb6afd8bbf4c1561915a86837e6d0891e93c3d4

SHA256
80d81902a250b16ba8d7d9a79a726434f7083b501f6d5255b1216a16212c296c

SHA512
b47a08d1cc5b2cc1c3fe9d9451c8df139e22876ccce3a2f8fd245914595f893d0131650ada5254237fe7eb8130f208a9c6fb09196eb5e9936583a06c2f8f2b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5580.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar55F2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\7366\7366.exe

Filesize
195KB

MD5
8434e4174c6477cf4f53c667d8403ab1

SHA1
cd33e7822c591d85225c07217c78189c25b5f75b

SHA256
662b4f9336665edd36208b48c94f61bdcf32df0c6e5f92f03e34c662c0c09be4

SHA512
540bb033b2099138a1498554ea2f5216236d56db106ba07589e6842a2272a1ee468e2e894a2b4d214ab6f614bad9added522950d319de899a39ebc46f1a9cdd1

Download Submit
\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
47KB

MD5
e3d8ec29da5489a16a5e9630bafb4a40

SHA1
298c51871b537951eadf69f13d3b3c61e1e8e55c

SHA256
18b0624fbc10e1732b69a6e87dbe4b09f13368119a7085153b7f12d6802a1c81

SHA512
4fb4b54729dcaf8d53c998fa18ebeaff743be20df30f49a153f5c2e366302a42c32011fc3a0fa350748490e2cc069333ba3b1e28f3f9a831fec2c27792a34369

Download Submit
\Users\Admin\AppData\Local\Temp\cat2.exe

Filesize
372KB

MD5
cdf4fedcd923d85043598b7f5232a794

SHA1
35043dec26dd11862797ffeb87611e0a6e466b2a

SHA256
540e5a66a4241fb7a2a68a007abb96c2cb6b49755a3482e796a98ca93d654b8a

SHA512
4685560f46c32c170c850e686f7c504d5800caf005428ba145c54ab0cdc429f5ef361db2f0a114a0054085be80bcf3d74393e59fbb6402efc89a5d159bb70359

Download Submit
memory/1560-39-0x0000000000400000-0x000000000043299E-memory.dmp

Filesize
202KB

Download
memory/1560-20-0x0000000000400000-0x000000000043299E-memory.dmp

Filesize
202KB

Download
memory/1796-57-0x0000000000B00000-0x0000000000B33000-memory.dmp

Filesize
204KB

Download
memory/1796-4-0x0000000000B00000-0x0000000000B33000-memory.dmp

Filesize
204KB

Download
memory/1796-17-0x0000000000B00000-0x0000000000B33000-memory.dmp

Filesize
204KB

Download
memory/1796-16-0x0000000000B00000-0x0000000000B33000-memory.dmp

Filesize
204KB

Download
memory/2996-50-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2996-53-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2996-55-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2996-45-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2996-47-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2996-49-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2996-46-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2996-48-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads