njrat | 307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ce

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2024 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ceN.exe
Size

936KB
MD5

4f66f2d3347a0466104e506a6d71f1b0
SHA1

63d77b6043bfcfa477d743a30c3476997f6dcf09
SHA256

307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ce
SHA512

10c7a1e0477830cdcc40a385a40ef884e2bb9ab3e2d1ecebee1e9760d9615d035fc2b55d3b9c9c81b3aeddedbb1ab0c869a00d278653ca59344059feea3bc660
SSDEEP

12288:9MdXQ94Gh9tkeWMsMQ3WmvekJTaS9ynMpx5hum+yw0DMdXQ94Gh9tkeWMsMQ3Wm9:af7XHuPf7XHu

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

22.ip.gl.ply.gg:57731

Mutex

32ce84f74d25f1e71aac67667a2c8d24

Attributes

reg_key
32ce84f74d25f1e71aac67667a2c8d24
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	LocalfRDeAalfWC.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1804	netsh.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ceN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	LocalfRDeAalfWC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	%tmp%.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	64651.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundll32 .exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundll32 .exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32ce84f74d25f1e71aac67667a2c8d24.exe	Dllhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\32ce84f74d25f1e71aac67667a2c8d24.exe	Dllhost.exe

Executes dropped EXE 4 IoCs

pid	Process
2104	LocalfRDeAalfWC.exe
3916	%tmp%.exe
4072	64651.exe
2500	Dllhost.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Roaming\\rundll32 .exe"	LocalfRDeAalfWC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\%tmp%.exe = "C:\\Program Files (x86)\\%tmp%.exe"	%tmp%.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\32ce84f74d25f1e71aac67667a2c8d24 = "\"C:\\ProgramData\\Dllhost.exe\" .."	Dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\32ce84f74d25f1e71aac67667a2c8d24 = "\"C:\\ProgramData\\Dllhost.exe\" .."	Dllhost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3916 set thread context of 4368	3916	%tmp%.exe	101

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\%tmp%.exe	%tmp%.exe
File opened for modification	C:\Program Files (x86)\%tmp%.exe	%tmp%.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	%tmp%.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rEG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	64651.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LocalfRDeAalfWC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	LocalfRDeAalfWC.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1464	rEG.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3664	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2104	LocalfRDeAalfWC.exe
2104	LocalfRDeAalfWC.exe
2104	LocalfRDeAalfWC.exe
2104	LocalfRDeAalfWC.exe
2104	LocalfRDeAalfWC.exe
2104	LocalfRDeAalfWC.exe
2104	LocalfRDeAalfWC.exe
2104	LocalfRDeAalfWC.exe
2104	LocalfRDeAalfWC.exe
2104	LocalfRDeAalfWC.exe
2104	LocalfRDeAalfWC.exe
2104	LocalfRDeAalfWC.exe
2104	LocalfRDeAalfWC.exe
2104	LocalfRDeAalfWC.exe
2104	LocalfRDeAalfWC.exe
2104	LocalfRDeAalfWC.exe
2104	LocalfRDeAalfWC.exe
2104	LocalfRDeAalfWC.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe
3916	%tmp%.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3664	vlc.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	2104	LocalfRDeAalfWC.exe
Token: SeDebugPrivilege	3916	%tmp%.exe
Token: SeRestorePrivilege	2380	dw20.exe
Token: SeBackupPrivilege	2380	dw20.exe
Token: SeBackupPrivilege	404	dw20.exe
Token: SeBackupPrivilege	404	dw20.exe
Token: SeBackupPrivilege	2380	dw20.exe
Token: SeBackupPrivilege	404	dw20.exe
Token: SeBackupPrivilege	2380	dw20.exe
Token: SeBackupPrivilege	404	dw20.exe
Token: SeDebugPrivilege	2500	Dllhost.exe
Token: 33	2500	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2500	Dllhost.exe
Token: 33	2500	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2500	Dllhost.exe
Token: 33	2500	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2500	Dllhost.exe
Token: 33	2500	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2500	Dllhost.exe
Token: 33	2500	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2500	Dllhost.exe
Token: 33	2500	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2500	Dllhost.exe
Token: 33	2500	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2500	Dllhost.exe
Token: 33	2500	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2500	Dllhost.exe
Token: 33	2500	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2500	Dllhost.exe
Token: 33	2500	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2500	Dllhost.exe
Token: 33	2500	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2500	Dllhost.exe
Token: 33	2500	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2500	Dllhost.exe
Token: 33	2500	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2500	Dllhost.exe
Token: 33	2500	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2500	Dllhost.exe
Token: 33	2500	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2500	Dllhost.exe
Token: 33	2500	Dllhost.exe
Token: SeIncBasePriorityPrivilege	2500	Dllhost.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3664	vlc.exe
3664	vlc.exe
3664	vlc.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3664	vlc.exe
3664	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3664	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 2104	2560	307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ceN.exe	82
PID 2560 wrote to memory of 2104	2560	307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ceN.exe	82
PID 2560 wrote to memory of 2104	2560	307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ceN.exe	82
PID 2104 wrote to memory of 936	2104	LocalfRDeAalfWC.exe	83
PID 2104 wrote to memory of 936	2104	LocalfRDeAalfWC.exe	83
PID 2104 wrote to memory of 936	2104	LocalfRDeAalfWC.exe	83
PID 2104 wrote to memory of 4716	2104	LocalfRDeAalfWC.exe	85
PID 2104 wrote to memory of 4716	2104	LocalfRDeAalfWC.exe	85
PID 2104 wrote to memory of 4716	2104	LocalfRDeAalfWC.exe	85
PID 2104 wrote to memory of 4828	2104	LocalfRDeAalfWC.exe	87
PID 2104 wrote to memory of 4828	2104	LocalfRDeAalfWC.exe	87
PID 2104 wrote to memory of 4828	2104	LocalfRDeAalfWC.exe	87
PID 936 wrote to memory of 876	936	cmd.exe	86
PID 936 wrote to memory of 876	936	cmd.exe	86
PID 936 wrote to memory of 876	936	cmd.exe	86
PID 2104 wrote to memory of 1096	2104	LocalfRDeAalfWC.exe	88
PID 2104 wrote to memory of 1096	2104	LocalfRDeAalfWC.exe	88
PID 2104 wrote to memory of 1096	2104	LocalfRDeAalfWC.exe	88
PID 2104 wrote to memory of 668	2104	LocalfRDeAalfWC.exe	89
PID 2104 wrote to memory of 668	2104	LocalfRDeAalfWC.exe	89
PID 2104 wrote to memory of 668	2104	LocalfRDeAalfWC.exe	89
PID 2104 wrote to memory of 3664	2104	LocalfRDeAalfWC.exe	90
PID 2104 wrote to memory of 3664	2104	LocalfRDeAalfWC.exe	90
PID 876 wrote to memory of 4440	876	wscript.exe	91
PID 876 wrote to memory of 4440	876	wscript.exe	91
PID 876 wrote to memory of 4440	876	wscript.exe	91
PID 2104 wrote to memory of 3916	2104	LocalfRDeAalfWC.exe	92
PID 2104 wrote to memory of 3916	2104	LocalfRDeAalfWC.exe	92
PID 2104 wrote to memory of 3916	2104	LocalfRDeAalfWC.exe	92
PID 2104 wrote to memory of 4968	2104	LocalfRDeAalfWC.exe	93
PID 2104 wrote to memory of 4968	2104	LocalfRDeAalfWC.exe	93
PID 2104 wrote to memory of 4968	2104	LocalfRDeAalfWC.exe	93
PID 2104 wrote to memory of 1464	2104	LocalfRDeAalfWC.exe	95
PID 2104 wrote to memory of 1464	2104	LocalfRDeAalfWC.exe	95
PID 2104 wrote to memory of 1464	2104	LocalfRDeAalfWC.exe	95
PID 3916 wrote to memory of 4648	3916	%tmp%.exe	98
PID 3916 wrote to memory of 4648	3916	%tmp%.exe	98
PID 3916 wrote to memory of 4648	3916	%tmp%.exe	98
PID 4648 wrote to memory of 1468	4648	csc.exe	100
PID 4648 wrote to memory of 1468	4648	csc.exe	100
PID 4648 wrote to memory of 1468	4648	csc.exe	100
PID 3916 wrote to memory of 4368	3916	%tmp%.exe	101
PID 3916 wrote to memory of 4368	3916	%tmp%.exe	101
PID 3916 wrote to memory of 4368	3916	%tmp%.exe	101
PID 3916 wrote to memory of 4368	3916	%tmp%.exe	101
PID 3916 wrote to memory of 4368	3916	%tmp%.exe	101
PID 3916 wrote to memory of 4368	3916	%tmp%.exe	101
PID 3916 wrote to memory of 4368	3916	%tmp%.exe	101
PID 3916 wrote to memory of 4368	3916	%tmp%.exe	101
PID 4368 wrote to memory of 2380	4368	vbc.exe	102
PID 4368 wrote to memory of 2380	4368	vbc.exe	102
PID 4368 wrote to memory of 2380	4368	vbc.exe	102
PID 3916 wrote to memory of 4072	3916	%tmp%.exe	103
PID 3916 wrote to memory of 4072	3916	%tmp%.exe	103
PID 3916 wrote to memory of 4072	3916	%tmp%.exe	103
PID 3916 wrote to memory of 404	3916	%tmp%.exe	104
PID 3916 wrote to memory of 404	3916	%tmp%.exe	104
PID 3916 wrote to memory of 404	3916	%tmp%.exe	104
PID 4072 wrote to memory of 2500	4072	64651.exe	110
PID 4072 wrote to memory of 2500	4072	64651.exe	110
PID 4072 wrote to memory of 2500	4072	64651.exe	110
PID 2500 wrote to memory of 1804	2500	Dllhost.exe	114
PID 2500 wrote to memory of 1804	2500	Dllhost.exe	114
PID 2500 wrote to memory of 1804	2500	Dllhost.exe	114

C:\Users\Admin\AppData\Local\Temp\307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ceN.exe
"C:\Users\Admin\AppData\Local\Temp\307b96d57138b6d00f497d65316874c5c93a734fd4e3d97e8c6beb33afba87ceN.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Users\Admin\AppData\LocalfRDeAalfWC.exe
  "C:\Users\Admin\AppData\LocalfRDeAalfWC.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\java.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Windows\SysWOW64\wscript.exe
      wscript.exe "C:\Users\Admin\AppData\Roaming\invs.vbs" "C:\Users\Admin\AppData\Roaming\java2.bat
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\java2.bat" "
        5⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:4440
- - C:\Windows\Temp\System.exe
    C:\Windows\Temp\System.exe
    3⤵
    PID:4716
- - C:\Windows\Temp\System.exe
    C:\Windows\Temp\System.exe
    3⤵
    PID:4828
- - C:\Windows\Temp\System.exe
    C:\Windows\Temp\System.exe
    3⤵
    PID:1096
- - C:\Windows\Temp\System.exe
    C:\Windows\Temp\System.exe
    3⤵
    PID:668
- - C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Default.mp3"
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:3664
- - C:\Users\Admin\AppData\Local\Temp\%tmp%.exe
    "C:\Users\Admin\AppData\Local\Temp\%tmp%.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3916
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iyrycnkv.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4648
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9674.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9673.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1468
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4368
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 788
        5⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
  - - C:\Users\Admin\AppData\Roaming\64651.exe
      "C:\Users\Admin\AppData\Roaming\64651.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4072
    - - C:\ProgramData\Dllhost.exe
        
        "C:\ProgramData\Dllhost.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\ProgramData\Dllhost.exe" "Dllhost.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1804
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 1840
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:404
- - C:\Windows\SysWOW64\REG.exe
    REG add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4968
- - C:\Windows\SysWOW64\rEG.exe
    rEG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\%tmp%.exe

Filesize
132KB

MD5
6b97067ea717e5c72685a38a15109ecc

SHA1
0ec286ff24307650bcd1881106980d420c646610

SHA256
b62c4ffb4b0622b0dc2fcf684b86863a54636c3af773e71a036c3064075eaf17

SHA512
80613f0da03c01d5d35dedb4617e811a7b2e72032eeedc5ccdb2b8f6c6408ec9f66ad3f9a10f6e357e4ec85c9bb8374c3d64874a5d9699e6def23cdc9748fb7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Default.mp3

Filesize
27KB

MD5
071720d5f39c31b27711d70b09ef9b3b

SHA1
1fe68bf69c8418454a0d91ad321b99fe9065a1db

SHA256
f8bc97b18db5452e5be748390037c16e606aaf0f61f0896531528d0d5fd08cc7

SHA512
7db5e2039e075916874b071f30aef7c29133182b9bdbc2e3cb9c2296db8a67f2cfd4e49701d85126b6b58d59bd6198f2ce6c5f4eec382209a6576c628d354014

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9674.tmp

Filesize
1KB

MD5
8dc49aa6dfd07b07e1e8c8d494afb319

SHA1
a39ad18455a6b8a3713fdcd19c9dbfaabae7a5b1

SHA256
6afea8f5cb5949aa91d403ec5dea82c7bdf4986de9f2e855cd65a0ecfda232ce

SHA512
79c0b9b16f3c48bab9ef913035cd069193707b9f876d9850dc43e3aec564f3dc0981d5c531b4b6f45a12b464761b818707facf312d98d9ee423d7210e257f6ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\iyrycnkv.dll

Filesize
5KB

MD5
40684d934003ae8ac267577a51689027

SHA1
f6f2bf3e792581fa98df3249462c8783aa482c44

SHA256
de8e9e4ae8b08a6d63db5e16169a3812f8f364c897509e83aa4afbd41371e41b

SHA512
fcc51629f2b43fb7dd6f6ccff4d544c0d5e193a2c52dc4cc052676cb51e2abdd6d2324aea4a4483b30ae1760a18e540894b8cd16295a23d473fa2d0de6c21476

Download Submit
C:\Users\Admin\AppData\LocalfRDeAalfWC.exe

Filesize
461KB

MD5
97ae997014319227a2a3b08033fd81df

SHA1
95b7acd68273a81951ed13890ac6efd746258c42

SHA256
ef41566edb201f685cfedd097970f9b1edb4832c2dabb6309a79f0fb34ee0402

SHA512
103931d8c70e3d9a3f1757b81428b7313c7cda178f3d19ffb4c1ee169e3c642156468ea8d9a4c33802bc0afc0408bc81a6d248789c023565f31b8dd7f45c0fd1

Download Submit
C:\Users\Admin\AppData\Roaming\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Roaming\java.bat

Filesize
53B

MD5
1896de26a454df8628034ca3e0649905

SHA1
76b98d95a85d043539706b89194c46cf14464abe

SHA256
d85e713743c7e622166fb0f79478de5eabd53d3fe92bd2011ab441bc85ef2208

SHA512
ef69dacd7e717dff05f8a70c5b9a94011f2df3201cc41d5f8cc030f350b069dc090c5b0d3d0bd19098a187977a82d570e1ee153849f609a65889ba789da953d2

Download Submit
C:\Users\Admin\AppData\Roaming\java2.bat

Filesize
160B

MD5
e8170b6565dfb34d114cfa398ba77296

SHA1
9079335b0ec9a509b7344cb98713fc0b52afa36e

SHA256
76ff7c88cc815c8acd61f835033baf5b92eee085e7316c7230f7c363d1e1974b

SHA512
1b473fe0a68642ff1741f4619f819b040f8d54696d40e74dd9ad692b56729e455bbe54cb76b382bb1fce5e1eae97dd8c99aeb762915f7147bba59d0ba60d004d

Download Submit
C:\Windows\Temp\System.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9673.tmp

Filesize
652B

MD5
33246cd755f83f60337758d9e0733d92

SHA1
5cb6f79fe4cb9346ff0e7c8b64a570bfaaf440e7

SHA256
eef1c300f9e939b9533b32d4249b8a4c16a3301acad2686bef28a54ce8a0e36c

SHA512
b8035a6a33c5db9f4f1b1a593cbe2f184466f199fb341e565953b1ade5946edf66a78e1acb4f76345915f005ffed4cf62d117e536fcebff3c01a774f139d67a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iyrycnkv.0.cs

Filesize
4KB

MD5
b63430207638c1a36b9b27002e0da3da

SHA1
54356082f32c71498c4ac5f85f4588e0d1c57ad0

SHA256
fa125ed8e48d596788a8ad5589bc996b918de3fc27008bea888b9e1b5efa2193

SHA512
29ea956fb37628dac43693d5f234698510923d562ab22e53131b1919f788ed5fd3116ed501be79554e47113d795b06f5ad255c7dfee2bb9e021eb0ab14e9b737

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\iyrycnkv.cmdline

Filesize
206B

MD5
595e3d08434cf988aa8893a1a6b1db14

SHA1
7ec51ce4cc2b61595d211db5b8df27c0d69f9dc9

SHA256
e546764ea515b2fedfe1ba55ed1417676b1fcf2d5cd250f2c9278288acd2112e

SHA512
c4ef0b2dee6dfaac968adc3641b4964dc1f95e59dc1c19d1ade1167252ece51fb655d131b68544db8cce57d834557c1f2a5294fc77ca71fda0a513479b5dcd0c

Download Submit
memory/2104-19-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/2104-22-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/2104-18-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/2104-16-0x0000000074D42000-0x0000000074D43000-memory.dmp

Filesize
4KB

Download
memory/2104-20-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/2104-99-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/2104-130-0x0000000074D40000-0x00000000752F1000-memory.dmp

Filesize
5.7MB

Download
memory/2104-98-0x0000000074D42000-0x0000000074D43000-memory.dmp

Filesize
4KB

Download
memory/2560-17-0x00007FF892600000-0x00007FF892FA1000-memory.dmp

Filesize
9.6MB

Download
memory/2560-4-0x00007FF892600000-0x00007FF892FA1000-memory.dmp

Filesize
9.6MB

Download
memory/2560-1-0x00007FF892600000-0x00007FF892FA1000-memory.dmp

Filesize
9.6MB

Download
memory/2560-0-0x00007FF8928B5000-0x00007FF8928B6000-memory.dmp

Filesize
4KB

Download
memory/3664-119-0x00007FF8927B0000-0x00007FF8929BB000-memory.dmp

Filesize
2.0MB

Download
memory/3664-111-0x00007FF8929C0000-0x00007FF892C76000-memory.dmp

Filesize
2.7MB

Download
memory/3664-109-0x00007FF77F050000-0x00007FF77F148000-memory.dmp

Filesize
992KB

Download
memory/3664-113-0x00007FF8A2010000-0x00007FF8A2027000-memory.dmp

Filesize
92KB

Download
memory/3664-118-0x00007FF8A1BA0000-0x00007FF8A1BB1000-memory.dmp

Filesize
68KB

Download
memory/3664-117-0x00007FF8A1BC0000-0x00007FF8A1BDD000-memory.dmp

Filesize
116KB

Download
memory/3664-116-0x00007FF8A1E90000-0x00007FF8A1EA1000-memory.dmp

Filesize
68KB

Download
memory/3664-115-0x00007FF8A1EB0000-0x00007FF8A1EC7000-memory.dmp

Filesize
92KB

Download
memory/3664-120-0x00007FF8A12B0000-0x00007FF8A12F1000-memory.dmp

Filesize
260KB

Download
memory/3664-161-0x00007FF891700000-0x00007FF8927B0000-memory.dmp

Filesize
16.7MB

Download
memory/3664-114-0x00007FF8A1ED0000-0x00007FF8A1EE1000-memory.dmp

Filesize
68KB

Download
memory/3664-110-0x00007FF8A2090000-0x00007FF8A20C4000-memory.dmp

Filesize
208KB

Download
memory/3664-112-0x00007FF8AA350000-0x00007FF8AA368000-memory.dmp

Filesize
96KB

Download
memory/3664-126-0x00007FF89D9D0000-0x00007FF89D9E1000-memory.dmp

Filesize
68KB

Download
memory/3664-125-0x00007FF89E6E0000-0x00007FF89E6F1000-memory.dmp

Filesize
68KB

Download
memory/3664-124-0x00007FF89E700000-0x00007FF89E711000-memory.dmp

Filesize
68KB

Download
memory/3664-123-0x00007FF8A1290000-0x00007FF8A12A8000-memory.dmp

Filesize
96KB

Download
memory/3664-122-0x00007FF8A1700000-0x00007FF8A1721000-memory.dmp

Filesize
132KB

Download
memory/3664-121-0x00007FF891700000-0x00007FF8927B0000-memory.dmp

Filesize
16.7MB

Download
memory/4368-75-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4368-97-0x0000000000410000-0x00000000004D9000-memory.dmp

Filesize
804KB

Download