njrat | b265e60e06bda29421a137a1758790c82f7a45becc3fd645138ab6bc6894f4e4

Analysis

max time kernel
283s
max time network
284s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2024 07:53

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Payload.exe
Size

55KB
MD5

22083c1737572d5008554502d5fa6472
SHA1

0215475841738e2d3f2047724fc7aef260eff79b
SHA256

b265e60e06bda29421a137a1758790c82f7a45becc3fd645138ab6bc6894f4e4
SHA512

820182ce48e4cba18590d530a569f281d4d2a269ffe8939c3a5aef9a925c2775cda29df62a8cb8c82889cfa580e89a227ff24d7ee3f25a539bab19906a492762
SSDEEP

768:ywbHFOt1MankGn2NsW6ingB3wkkSN5mwFvfu0YMDHPsXL7XJSxI3pmDm:ywZcDn4NsRinqtDAwsNMD6XExI3pmDm

Score

10^/10

njrat discovery trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	LogonUI.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 13 IoCs

evasion

pid	Process
3136	taskkill.exe
3364	taskkill.exe
2916	taskkill.exe
808	taskkill.exe
4864	taskkill.exe
4568	taskkill.exe
4928	taskkill.exe
3244	taskkill.exe
4376	taskkill.exe
4864	taskkill.exe
2392	taskkill.exe
4524	taskkill.exe
3932	taskkill.exe

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\TIP	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "5"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8484aac9-0000-0000-0000-d01200000000}\NukeOnDelete = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\CLSID = "{00000000-0000-0000-0000-000000000000}"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\HiddenDummyLayouts	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214FC-0000-0000-C000-000000000046} 0xFFFF = 01000000000000004edb85bd6915db01	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\0409:00000409 = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload\1 = "00000409"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "182"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8484aac9-0000-0000-0000-d01200000000}\MaxCapacity = "14116"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language\00000000 = "00000409"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\Profile = "{00000000-0000-0000-0000-000000000000}"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\CachedLanguageName = "@Winlangdb.dll,-1121"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\LANGUAGE	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowShiftLock = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{8484aac9-0000-0000-0000-d01200000000}	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\KeyboardLayout = "67699721"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Substitutes	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\Languages = 65006e002d005500530000000000	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowCasing = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4464	msedge.exe
4464	msedge.exe
2312	msedge.exe
2312	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2136	Payload.exe
Token: 33	2136	Payload.exe
Token: SeIncBasePriorityPrivilege	2136	Payload.exe
Token: 33	2136	Payload.exe
Token: SeIncBasePriorityPrivilege	2136	Payload.exe
Token: 33	2136	Payload.exe
Token: SeIncBasePriorityPrivilege	2136	Payload.exe
Token: 33	2136	Payload.exe
Token: SeIncBasePriorityPrivilege	2136	Payload.exe
Token: 33	2136	Payload.exe
Token: SeIncBasePriorityPrivilege	2136	Payload.exe
Token: 33	2136	Payload.exe
Token: SeIncBasePriorityPrivilege	2136	Payload.exe
Token: 33	2136	Payload.exe
Token: SeIncBasePriorityPrivilege	2136	Payload.exe
Token: 33	2136	Payload.exe
Token: SeIncBasePriorityPrivilege	2136	Payload.exe
Token: 33	1600	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1600	AUDIODG.EXE
Token: 33	2136	Payload.exe
Token: SeIncBasePriorityPrivilege	2136	Payload.exe
Token: 33	2136	Payload.exe
Token: SeIncBasePriorityPrivilege	2136	Payload.exe
Token: 33	2136	Payload.exe
Token: SeIncBasePriorityPrivilege	2136	Payload.exe
Token: 33	2136	Payload.exe
Token: SeIncBasePriorityPrivilege	2136	Payload.exe
Token: 33	2136	Payload.exe
Token: SeIncBasePriorityPrivilege	2136	Payload.exe
Token: SeDebugPrivilege	2916	taskkill.exe
Token: SeDebugPrivilege	2392	taskkill.exe
Token: SeDebugPrivilege	808	taskkill.exe
Token: SeDebugPrivilege	4864	taskkill.exe
Token: SeDebugPrivilege	4568	taskkill.exe
Token: SeDebugPrivilege	4928	taskkill.exe
Token: SeDebugPrivilege	4524	taskkill.exe
Token: SeDebugPrivilege	3244	taskkill.exe
Token: SeDebugPrivilege	3136	taskkill.exe
Token: SeDebugPrivilege	3364	taskkill.exe
Token: SeDebugPrivilege	4376	taskkill.exe
Token: SeDebugPrivilege	3932	taskkill.exe
Token: SeDebugPrivilege	4864	taskkill.exe
Token: 33	2136	Payload.exe
Token: SeIncBasePriorityPrivilege	2136	Payload.exe
Token: 33	2136	Payload.exe
Token: SeIncBasePriorityPrivilege	2136	Payload.exe
Token: 33	2136	Payload.exe
Token: SeIncBasePriorityPrivilege	2136	Payload.exe
Token: 33	2136	Payload.exe
Token: SeIncBasePriorityPrivilege	2136	Payload.exe
Token: SeShutdownPrivilege	3708	LogonUI.exe
Token: SeCreatePagefilePrivilege	3708	LogonUI.exe
Token: 33	2136	Payload.exe
Token: SeIncBasePriorityPrivilege	2136	Payload.exe
Token: 33	2136	Payload.exe
Token: SeIncBasePriorityPrivilege	2136	Payload.exe
Token: 33	2136	Payload.exe
Token: SeIncBasePriorityPrivilege	2136	Payload.exe
Token: 33	2136	Payload.exe
Token: SeIncBasePriorityPrivilege	2136	Payload.exe
Token: 33	2136	Payload.exe
Token: SeIncBasePriorityPrivilege	2136	Payload.exe
Token: 33	2136	Payload.exe
Token: SeIncBasePriorityPrivilege	2136	Payload.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3708	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 4580	2312	msedge.exe	96
PID 2312 wrote to memory of 4580	2312	msedge.exe	96
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4208	2312	msedge.exe	97
PID 2312 wrote to memory of 4464	2312	msedge.exe	98
PID 2312 wrote to memory of 4464	2312	msedge.exe	98
PID 2312 wrote to memory of 1936	2312	msedge.exe	99
PID 2312 wrote to memory of 1936	2312	msedge.exe	99
PID 2312 wrote to memory of 1936	2312	msedge.exe	99
PID 2312 wrote to memory of 1936	2312	msedge.exe	99
PID 2312 wrote to memory of 1936	2312	msedge.exe	99
PID 2312 wrote to memory of 1936	2312	msedge.exe	99
PID 2312 wrote to memory of 1936	2312	msedge.exe	99
PID 2312 wrote to memory of 1936	2312	msedge.exe	99
PID 2312 wrote to memory of 1936	2312	msedge.exe	99
PID 2312 wrote to memory of 1936	2312	msedge.exe	99
PID 2312 wrote to memory of 1936	2312	msedge.exe	99
PID 2312 wrote to memory of 1936	2312	msedge.exe	99
PID 2312 wrote to memory of 1936	2312	msedge.exe	99
PID 2312 wrote to memory of 1936	2312	msedge.exe	99
PID 2312 wrote to memory of 1936	2312	msedge.exe	99
PID 2312 wrote to memory of 1936	2312	msedge.exe	99
PID 2312 wrote to memory of 1936	2312	msedge.exe	99
PID 2312 wrote to memory of 1936	2312	msedge.exe	99
PID 2312 wrote to memory of 1936	2312	msedge.exe	99
PID 2312 wrote to memory of 1936	2312	msedge.exe	99

C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2136
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im Chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2400
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2916
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im Firefox.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1004
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Firefox.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2392
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im Chromium.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4856
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Chromium.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:808
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im Opera.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2324
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Opera.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im OperaGX.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3532
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OperaGX.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4568
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im MsEdge.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4244
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MsEdge.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4928
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im Safari.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3896
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Safari.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im Brave.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2672
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Brave.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3244
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im Iridium.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:452
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Iridium.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3136
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im Dissenter.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4048
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dissenter.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3364
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im PaleMoon.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2212
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im PaleMoon.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4376
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im Vivaldi.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Vivaldi.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3932
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im iExplore.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1044
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im iExplore.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4864
- C:\Windows\SysWOW64\cmd.exe
  cmd /c rundll32.exe user32.dll,LockWorkStation
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5100
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe user32.dll,LockWorkStation
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2708

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x470 0x2f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ffcffab46f8,0x7ffcffab4708,0x7ffcffab4718
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,11859296438783835367,13726153815308097880,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2024 /prefetch:2
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,11859296438783835367,13726153815308097880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,11859296438783835367,13726153815308097880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,11859296438783835367,13726153815308097880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,11859296438783835367,13726153815308097880,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:1304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,11859296438783835367,13726153815308097880,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,11859296438783835367,13726153815308097880,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:2252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:864

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa394c055 /state1:0x41c64e6d
1⤵
- Drops desktop.ini file(s)
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\SystemData\S-1-5-21-1194130065-3471212556-1656947724-1000\ReadOnly\LockScreen_O\LockScreen___1280_0720_notdimmed.jpg

Filesize
478KB

MD5
0aeadd16501da752a7e0789c2887f09e

SHA1
5062a1498d723c34d7c0fc506b1dc181ae8e8fe7

SHA256
79ec1ed083f594314c59cbb1ca40163b368a8e37d96117f0d7750f764d6725a0

SHA512
a75d3c43a8d4dd84be8bb9dd918745c3da22ac998c8b305168cd07126b65fbcefa4b30e3627ddbe1543eda30f06636b6eb3054dfefa281178cd3e5338a3ad3a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8231719063054cb381eae270f75ddd47

SHA1
fda734eac0cef7a53692b7742bd96560a2d93cb5

SHA256
6d9d0135fbd7f52855b9e9840623d93339610a58badc91d2ccdb455125ed497e

SHA512
ccf80b8f8a5beeaf6b3a48fc3c5a8946eda08eb9a030bbe405b90a65dbc1818b35501a8ee96192abd35e3ba2a718fd17b337feeccffa31dc300869b42f1fadb3

Download Submit
memory/2136-3-0x00000000747B2000-0x00000000747B3000-memory.dmp

Filesize
4KB

Download
memory/2136-6-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/2136-7-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/2136-5-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/2136-4-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/2136-0-0x00000000747B2000-0x00000000747B3000-memory.dmp

Filesize
4KB

Download
memory/2136-2-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/2136-1-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download
memory/2136-50-0x00000000747B0000-0x0000000074D61000-memory.dmp

Filesize
5.7MB

Download