njrat | 4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2

Analysis

max time kernel
116s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-09-2024 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe
Size

543KB
MD5

e0645a7fcb592dab2658f800888693a0
SHA1

123bedbc6e4af12908f4ef59fca1ad1af262ffb9
SHA256

4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2
SHA512

62b5c98141db209a8f4f7c88be22893c85c8d23d838d1f65dcd9d3284b19bba737e75ab5e1fc41aab813f7348799d6d4ec5f5a5f49b1153328f5c3bfc93bcca0
SSDEEP

12288:yVQIBRKed0Oa7JHveGg3bdd54VBwKEjA+8e5OXhOSJDVLlwHzz3k9Lac:yhBRKedW7JHveGg3bdv4VBwKEjJ8e5O/

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

22.ip.gl.ply.gg:57731

Mutex

32ce84f74d25f1e71aac67667a2c8d24

Attributes

reg_key
32ce84f74d25f1e71aac67667a2c8d24
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1040	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32ce84f74d25f1e71aac67667a2c8d24.exe	Dllhost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32ce84f74d25f1e71aac67667a2c8d24.exe	Dllhost.exe

Executes dropped EXE 7 IoCs

pid	Process
2528	%tmp%.exe
2640	System.exe
2680	System.exe
2532	System.exe
2780	System.exe
1312	18259.exe
1148	Dllhost.exe

Loads dropped DLL 8 IoCs

pid	Process
2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe
2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe
2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe
2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe
2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe
2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe
2528	%tmp%.exe
1312	18259.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Roaming\\rundll32 .exe"	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\%tmp%.exe = "C:\\Program Files (x86)\\%tmp%.exe"	%tmp%.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\32ce84f74d25f1e71aac67667a2c8d24 = "\"C:\\ProgramData\\Dllhost.exe\" .."	Dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\32ce84f74d25f1e71aac67667a2c8d24 = "\"C:\\ProgramData\\Dllhost.exe\" .."	Dllhost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2528 set thread context of 2872	2528	%tmp%.exe	48

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\%tmp%.exe	%tmp%.exe
File opened for modification	C:\Program Files (x86)\%tmp%.exe	%tmp%.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rEG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	18259.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%tmp%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2692	rEG.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2588	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe
2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe
2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe
2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe
2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe
2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe
2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe
2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe
2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe
2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe
2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe
2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe
2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe
2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe
2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe
2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe
2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe
2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe
2528	%tmp%.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2588	vlc.exe
704	dw20.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe
Token: SeDebugPrivilege	2528	%tmp%.exe
Token: SeDebugPrivilege	1148	Dllhost.exe
Token: 33	1148	Dllhost.exe
Token: SeIncBasePriorityPrivilege	1148	Dllhost.exe
Token: 33	1148	Dllhost.exe
Token: SeIncBasePriorityPrivilege	1148	Dllhost.exe
Token: 33	1148	Dllhost.exe
Token: SeIncBasePriorityPrivilege	1148	Dllhost.exe
Token: 33	1148	Dllhost.exe
Token: SeIncBasePriorityPrivilege	1148	Dllhost.exe
Token: 33	1148	Dllhost.exe
Token: SeIncBasePriorityPrivilege	1148	Dllhost.exe
Token: 33	1148	Dllhost.exe
Token: SeIncBasePriorityPrivilege	1148	Dllhost.exe
Token: 33	1148	Dllhost.exe
Token: SeIncBasePriorityPrivilege	1148	Dllhost.exe
Token: 33	1148	Dllhost.exe
Token: SeIncBasePriorityPrivilege	1148	Dllhost.exe
Token: 33	1148	Dllhost.exe
Token: SeIncBasePriorityPrivilege	1148	Dllhost.exe
Token: 33	1148	Dllhost.exe
Token: SeIncBasePriorityPrivilege	1148	Dllhost.exe
Token: 33	1148	Dllhost.exe
Token: SeIncBasePriorityPrivilege	1148	Dllhost.exe
Token: 33	1148	Dllhost.exe
Token: SeIncBasePriorityPrivilege	1148	Dllhost.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2588	vlc.exe
2588	vlc.exe
2588	vlc.exe
2588	vlc.exe
2588	vlc.exe
2588	vlc.exe
2588	vlc.exe
2588	vlc.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
2588	vlc.exe
2588	vlc.exe
2588	vlc.exe
2588	vlc.exe
2588	vlc.exe
2588	vlc.exe
2588	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2588	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2144	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	30
PID 2992 wrote to memory of 2144	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	30
PID 2992 wrote to memory of 2144	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	30
PID 2992 wrote to memory of 2144	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	30
PID 2144 wrote to memory of 2764	2144	cmd.exe	32
PID 2144 wrote to memory of 2764	2144	cmd.exe	32
PID 2144 wrote to memory of 2764	2144	cmd.exe	32
PID 2144 wrote to memory of 2764	2144	cmd.exe	32
PID 2992 wrote to memory of 2780	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	33
PID 2992 wrote to memory of 2780	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	33
PID 2992 wrote to memory of 2780	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	33
PID 2992 wrote to memory of 2780	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	33
PID 2992 wrote to memory of 2680	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	34
PID 2992 wrote to memory of 2680	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	34
PID 2992 wrote to memory of 2680	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	34
PID 2992 wrote to memory of 2680	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	34
PID 2992 wrote to memory of 2532	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	35
PID 2992 wrote to memory of 2532	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	35
PID 2992 wrote to memory of 2532	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	35
PID 2992 wrote to memory of 2532	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	35
PID 2992 wrote to memory of 2640	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	36
PID 2992 wrote to memory of 2640	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	36
PID 2992 wrote to memory of 2640	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	36
PID 2992 wrote to memory of 2640	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	36
PID 2992 wrote to memory of 2588	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	37
PID 2992 wrote to memory of 2588	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	37
PID 2992 wrote to memory of 2588	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	37
PID 2992 wrote to memory of 2588	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	37
PID 2992 wrote to memory of 2528	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	38
PID 2992 wrote to memory of 2528	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	38
PID 2992 wrote to memory of 2528	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	38
PID 2992 wrote to memory of 2528	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	38
PID 2992 wrote to memory of 2600	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	39
PID 2992 wrote to memory of 2600	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	39
PID 2992 wrote to memory of 2600	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	39
PID 2992 wrote to memory of 2600	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	39
PID 2992 wrote to memory of 2692	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	40
PID 2992 wrote to memory of 2692	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	40
PID 2992 wrote to memory of 2692	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	40
PID 2992 wrote to memory of 2692	2992	4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe	40
PID 2764 wrote to memory of 1700	2764	wscript.exe	43
PID 2764 wrote to memory of 1700	2764	wscript.exe	43
PID 2764 wrote to memory of 1700	2764	wscript.exe	43
PID 2764 wrote to memory of 1700	2764	wscript.exe	43
PID 2528 wrote to memory of 2512	2528	%tmp%.exe	45
PID 2528 wrote to memory of 2512	2528	%tmp%.exe	45
PID 2528 wrote to memory of 2512	2528	%tmp%.exe	45
PID 2528 wrote to memory of 2512	2528	%tmp%.exe	45
PID 2512 wrote to memory of 576	2512	csc.exe	47
PID 2512 wrote to memory of 576	2512	csc.exe	47
PID 2512 wrote to memory of 576	2512	csc.exe	47
PID 2512 wrote to memory of 576	2512	csc.exe	47
PID 2528 wrote to memory of 2872	2528	%tmp%.exe	48
PID 2528 wrote to memory of 2872	2528	%tmp%.exe	48
PID 2528 wrote to memory of 2872	2528	%tmp%.exe	48
PID 2528 wrote to memory of 2872	2528	%tmp%.exe	48
PID 2528 wrote to memory of 2872	2528	%tmp%.exe	48
PID 2528 wrote to memory of 2872	2528	%tmp%.exe	48
PID 2528 wrote to memory of 2872	2528	%tmp%.exe	48
PID 2528 wrote to memory of 2872	2528	%tmp%.exe	48
PID 2528 wrote to memory of 2872	2528	%tmp%.exe	48
PID 2872 wrote to memory of 704	2872	vbc.exe	49
PID 2872 wrote to memory of 704	2872	vbc.exe	49
PID 2872 wrote to memory of 704	2872	vbc.exe	49

C:\Users\Admin\AppData\Local\Temp\4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe
"C:\Users\Admin\AppData\Local\Temp\4b648c2427723431eab856e3d42467c714e27cf2affaa99dd932c428094a28d2N.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\java.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\SysWOW64\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Roaming\invs.vbs" "C:\Users\Admin\AppData\Roaming\java2.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\java2.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:1700
- C:\Windows\Temp\System.exe
  C:\Windows\Temp\System.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\Temp\System.exe
  C:\Windows\Temp\System.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\Temp\System.exe
  C:\Windows\Temp\System.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\Temp\System.exe
  C:\Windows\Temp\System.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Default.mp3"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2588
- C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
  "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nov07iaa.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8CE5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8CE4.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:576
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 412
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:704
- - C:\Users\Admin\AppData\Roaming\18259.exe
    "C:\Users\Admin\AppData\Roaming\18259.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1312
  - - C:\ProgramData\Dllhost.exe
      "C:\ProgramData\Dllhost.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1148
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\Dllhost.exe" "Dllhost.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1040
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 1124
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1248
- C:\Windows\SysWOW64\REG.exe
  REG add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2600
- C:\Windows\SysWOW64\rEG.exe
  rEG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry key
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Default.mp3

Filesize
27KB

MD5
071720d5f39c31b27711d70b09ef9b3b

SHA1
1fe68bf69c8418454a0d91ad321b99fe9065a1db

SHA256
f8bc97b18db5452e5be748390037c16e606aaf0f61f0896531528d0d5fd08cc7

SHA512
7db5e2039e075916874b071f30aef7c29133182b9bdbc2e3cb9c2296db8a67f2cfd4e49701d85126b6b58d59bd6198f2ce6c5f4eec382209a6576c628d354014

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8CE5.tmp

Filesize
1KB

MD5
f6aeb99ee943df49eb660db60fa753c3

SHA1
6bb279686e8abaf3b1229c96b43cb68637406dcd

SHA256
d21cd1023e6bb258a50547833f52edc071a728fb43852e47e7525097765f9e00

SHA512
73e344d73ddf85403a5f25b6c1d2fc973c0a1b972d4e94c9586f598b70ed040644f4eb76ed0e9ccee21cca1b5bf325f04f68395b11b4b5ceb5cf1c5d37a02f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\nov07iaa.dll

Filesize
5KB

MD5
47f44841fb376451e3977903be462907

SHA1
6829b01e6f5bae5a278738850108d7eca15c835f

SHA256
6e7466286541a41442b6cb1bf28e3749c770f8689a9d8570995b0b15055294b4

SHA512
c4602aa6af0936ebc997e1e7d62056f7d48f138255b0fe53bae76cfb1922d50471e014a43a78801e13523416291ab6ec6e67229daa44b79e225267d024a72728

Download Submit
C:\Users\Admin\AppData\Roaming\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Roaming\java.bat

Filesize
53B

MD5
1896de26a454df8628034ca3e0649905

SHA1
76b98d95a85d043539706b89194c46cf14464abe

SHA256
d85e713743c7e622166fb0f79478de5eabd53d3fe92bd2011ab441bc85ef2208

SHA512
ef69dacd7e717dff05f8a70c5b9a94011f2df3201cc41d5f8cc030f350b069dc090c5b0d3d0bd19098a187977a82d570e1ee153849f609a65889ba789da953d2

Download Submit
C:\Users\Admin\AppData\Roaming\java2.bat

Filesize
160B

MD5
e8170b6565dfb34d114cfa398ba77296

SHA1
9079335b0ec9a509b7344cb98713fc0b52afa36e

SHA256
76ff7c88cc815c8acd61f835033baf5b92eee085e7316c7230f7c363d1e1974b

SHA512
1b473fe0a68642ff1741f4619f819b040f8d54696d40e74dd9ad692b56729e455bbe54cb76b382bb1fce5e1eae97dd8c99aeb762915f7147bba59d0ba60d004d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8CE4.tmp

Filesize
652B

MD5
10d8181be80ce82dd3205b1a0c57cc1c

SHA1
f6af10f213f69cf184345a6caa703f0cbe01b815

SHA256
7736c8471b9c60b476cbac76f5752e50663cc57c7dc37669144ab5f20274c9ed

SHA512
13c31fd0af3360aecd3565abf6accd9ace435ef05ad5cf0f6ce79087dcc7cb7fcb50da853aab6270ccf27c2240d568586fb17578a2563cd60cb8abf1c3418768

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nov07iaa.0.cs

Filesize
4KB

MD5
b63430207638c1a36b9b27002e0da3da

SHA1
54356082f32c71498c4ac5f85f4588e0d1c57ad0

SHA256
fa125ed8e48d596788a8ad5589bc996b918de3fc27008bea888b9e1b5efa2193

SHA512
29ea956fb37628dac43693d5f234698510923d562ab22e53131b1919f788ed5fd3116ed501be79554e47113d795b06f5ad255c7dfee2bb9e021eb0ab14e9b737

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nov07iaa.cmdline

Filesize
206B

MD5
0113999fad1392936cd6e9745327d504

SHA1
3cff201046d1e28846cd38d2641e7f4526a8622e

SHA256
75adbf0e20d352b643afe7ad32150646d92e8c00d73a660e99b9df18e31eed42

SHA512
b647e40f236f3d9dff50a58b4837fdfe93ce39c7695deb9812f6013495632716f1703264fcafd9a5b05624c512b56f1cedf70b8d16323418241cf3b48be45926

Download Submit
\Users\Admin\AppData\Local\Temp\%tmp%.exe

Filesize
132KB

MD5
6b97067ea717e5c72685a38a15109ecc

SHA1
0ec286ff24307650bcd1881106980d420c646610

SHA256
b62c4ffb4b0622b0dc2fcf684b86863a54636c3af773e71a036c3064075eaf17

SHA512
80613f0da03c01d5d35dedb4617e811a7b2e72032eeedc5ccdb2b8f6c6408ec9f66ad3f9a10f6e357e4ec85c9bb8374c3d64874a5d9699e6def23cdc9748fb7d

Download Submit
\Windows\Temp\System.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/2588-120-0x000007FEF5540000-0x000007FEF5551000-memory.dmp

Filesize
68KB

Download
memory/2588-110-0x000007FEF7F40000-0x000007FEF7F58000-memory.dmp

Filesize
96KB

Download
memory/2588-137-0x000007FEF3530000-0x000007FEF359D000-memory.dmp

Filesize
436KB

Download
memory/2588-136-0x000007FEF35A0000-0x000007FEF3602000-memory.dmp

Filesize
392KB

Download
memory/2588-135-0x000007FEF3610000-0x000007FEF3652000-memory.dmp

Filesize
264KB

Download
memory/2588-134-0x000007FEF3660000-0x000007FEF3676000-memory.dmp

Filesize
88KB

Download
memory/2588-133-0x000007FEFB720000-0x000007FEFB730000-memory.dmp

Filesize
64KB

Download
memory/2588-132-0x000007FEF3680000-0x000007FEF36A4000-memory.dmp

Filesize
144KB

Download
memory/2588-131-0x000007FEF36B0000-0x000007FEF36D8000-memory.dmp

Filesize
160KB

Download
memory/2588-130-0x000007FEF36E0000-0x000007FEF3737000-memory.dmp

Filesize
348KB

Download
memory/2588-129-0x000007FEF5320000-0x000007FEF5331000-memory.dmp

Filesize
68KB

Download
memory/2588-128-0x000007FEF5340000-0x000007FEF5353000-memory.dmp

Filesize
76KB

Download
memory/2588-127-0x000007FEF5360000-0x000007FEF5425000-memory.dmp

Filesize
788KB

Download
memory/2588-96-0x000000013FE00000-0x000000013FEF8000-memory.dmp

Filesize
992KB

Download
memory/2588-97-0x000007FEFB540000-0x000007FEFB574000-memory.dmp

Filesize
208KB

Download
memory/2588-98-0x000007FEF7F60000-0x000007FEF8216000-memory.dmp

Filesize
2.7MB

Download
memory/2588-99-0x000007FEFB520000-0x000007FEFB538000-memory.dmp

Filesize
96KB

Download
memory/2588-100-0x000007FEFB500000-0x000007FEFB517000-memory.dmp

Filesize
92KB

Download
memory/2588-101-0x000007FEFB4E0000-0x000007FEFB4F1000-memory.dmp

Filesize
68KB

Download
memory/2588-102-0x000007FEFB4C0000-0x000007FEFB4D7000-memory.dmp

Filesize
92KB

Download
memory/2588-103-0x000007FEFB4A0000-0x000007FEFB4B1000-memory.dmp

Filesize
68KB

Download
memory/2588-104-0x000007FEFB480000-0x000007FEFB49D000-memory.dmp

Filesize
116KB

Download
memory/2588-105-0x000007FEFB460000-0x000007FEFB471000-memory.dmp

Filesize
68KB

Download
memory/2588-106-0x000007FEF5910000-0x000007FEF69C0000-memory.dmp

Filesize
16.7MB

Download
memory/2588-107-0x000007FEF5700000-0x000007FEF590B000-memory.dmp

Filesize
2.0MB

Download
memory/2588-108-0x000007FEF6F40000-0x000007FEF6F81000-memory.dmp

Filesize
260KB

Download
memory/2588-109-0x000007FEFB430000-0x000007FEFB451000-memory.dmp

Filesize
132KB

Download
memory/2588-126-0x000007FEF5430000-0x000007FEF5441000-memory.dmp

Filesize
68KB

Download
memory/2588-111-0x000007FEF6F20000-0x000007FEF6F31000-memory.dmp

Filesize
68KB

Download
memory/2588-112-0x000007FEF6E00000-0x000007FEF6E11000-memory.dmp

Filesize
68KB

Download
memory/2588-113-0x000007FEF56E0000-0x000007FEF56F1000-memory.dmp

Filesize
68KB

Download
memory/2588-114-0x000007FEF56C0000-0x000007FEF56DB000-memory.dmp

Filesize
108KB

Download
memory/2588-115-0x000007FEF56A0000-0x000007FEF56B1000-memory.dmp

Filesize
68KB

Download
memory/2588-116-0x000007FEF5680000-0x000007FEF5698000-memory.dmp

Filesize
96KB

Download
memory/2588-117-0x000007FEF5650000-0x000007FEF5680000-memory.dmp

Filesize
192KB

Download
memory/2588-118-0x000007FEF55E0000-0x000007FEF5647000-memory.dmp

Filesize
412KB

Download
memory/2588-119-0x000007FEF5560000-0x000007FEF55DC000-memory.dmp

Filesize
496KB

Download
memory/2588-125-0x000007FEF5450000-0x000007FEF5463000-memory.dmp

Filesize
76KB

Download
memory/2588-121-0x000007FEF5520000-0x000007FEF5538000-memory.dmp

Filesize
96KB

Download
memory/2588-122-0x000007FEF5500000-0x000007FEF5511000-memory.dmp

Filesize
68KB

Download
memory/2588-123-0x000007FEF54A0000-0x000007FEF54F7000-memory.dmp

Filesize
348KB

Download
memory/2588-124-0x000007FEF5470000-0x000007FEF549F000-memory.dmp

Filesize
188KB

Download
memory/2872-74-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2872-65-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2872-72-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2872-69-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2872-73-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2872-63-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2872-71-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2872-68-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2992-4-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/2992-0-0x0000000074AF1000-0x0000000074AF2000-memory.dmp

Filesize
4KB

Download
memory/2992-1-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/2992-88-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/2992-2-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download
memory/2992-139-0x0000000074AF0000-0x000000007509B000-memory.dmp

Filesize
5.7MB

Download