njrat | 16d6e1a9844554861f37ac46f86fd1ef618aa56282d83f768c47e1c191dd75ee

Resubmissions

07-10-2024 06:34

241007-hb9qja1djk 10

05-05-2023 20:23

230505-y54pdaeg8y 8

Analysis

max time kernel
209s
max time network
212s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2024 06:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Site Hunter Pro By X-Splinter.exe
Size

744KB
MD5

9a450a05657ce80e73171556154adb60
SHA1

9db02ebf6b851397ab6d43d4c79d3785987a56b1
SHA256

16d6e1a9844554861f37ac46f86fd1ef618aa56282d83f768c47e1c191dd75ee
SHA512

c75444be53b8b55d6634ed8c632b78b523bff5b0ad1eb9171fce65778c6444a7728c11b4137bb397a75f0df635d80083aea380d9708b04a5bf97d0c40965f208
SSDEEP

12288:prBjpOUREzLw2f1WrG8HXXQGa3INlTVlRGvk4qOV7l:prBj0+EzLwW1T8HQ93IlTtO

Score

10^/10

njrat hacked defense_evasion discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

3cpanel.hackcrack.io:61448

Mutex

Windows Explorer

Attributes

reg_key
Windows Explorer
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
808	powershell.exe
1096	powershell.exe
1108	powershell.exe
1828	powershell.exe
2808	powershell.exe
3560	powershell.exe
3300	powershell.exe
244	powershell.exe
3560	powershell.exe
3300	powershell.exe
244	powershell.exe
808	powershell.exe
1096	powershell.exe
1108	powershell.exe
1828	powershell.exe
2808	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1704	netsh.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	version.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Site Hunter Pro By X-Splinter.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Setup.exe

Executes dropped EXE 8 IoCs

pid	Process
1760	Setup.exe
3408	Setup.exe
2196	Site Hunter Pro By X-Splinter .exe
2872	svchost.exe
4124	svchost.exe
4356	explorer.exe
4804	version.exe
3120	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	Setup.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Setup.exe

Hide Artifacts: Hidden Window 1 TTPs 8 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
3284	cmd.exe
4792	cmd.exe
4320	cmd.exe
4744	cmd.exe
624	cmd.exe
4048	cmd.exe
2312	cmd.exe
3144	cmd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	Setup.exe
File opened for modification	C:\Windows\assembly	Setup.exe
File created	C:\Windows\assembly\Desktop.ini	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2676	2196	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Site Hunter Pro By X-Splinter .exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2176	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe
4356	explorer.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeDebugPrivilege	4124	svchost.exe
Token: SeDebugPrivilege	2872	svchost.exe
Token: SeDebugPrivilege	4356	explorer.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	2176	taskkill.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	3560	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	244	powershell.exe
Token: SeDebugPrivilege	3300	powershell.exe
Token: SeDebugPrivilege	808	powershell.exe
Token: SeDebugPrivilege	3120	explorer.exe
Token: 33	3120	explorer.exe
Token: SeIncBasePriorityPrivilege	3120	explorer.exe
Token: 33	3120	explorer.exe
Token: SeIncBasePriorityPrivilege	3120	explorer.exe
Token: 33	3120	explorer.exe
Token: SeIncBasePriorityPrivilege	3120	explorer.exe
Token: 33	3120	explorer.exe
Token: SeIncBasePriorityPrivilege	3120	explorer.exe
Token: 33	3120	explorer.exe
Token: SeIncBasePriorityPrivilege	3120	explorer.exe
Token: 33	3120	explorer.exe
Token: SeIncBasePriorityPrivilege	3120	explorer.exe
Token: 33	3120	explorer.exe
Token: SeIncBasePriorityPrivilege	3120	explorer.exe
Token: 33	3120	explorer.exe
Token: SeIncBasePriorityPrivilege	3120	explorer.exe
Token: 33	3120	explorer.exe
Token: SeIncBasePriorityPrivilege	3120	explorer.exe
Token: 33	3120	explorer.exe
Token: SeIncBasePriorityPrivilege	3120	explorer.exe
Token: 33	3120	explorer.exe
Token: SeIncBasePriorityPrivilege	3120	explorer.exe
Token: 33	3120	explorer.exe
Token: SeIncBasePriorityPrivilege	3120	explorer.exe
Token: 33	3120	explorer.exe
Token: SeIncBasePriorityPrivilege	3120	explorer.exe
Token: 33	3120	explorer.exe
Token: SeIncBasePriorityPrivilege	3120	explorer.exe
Token: 33	3120	explorer.exe
Token: SeIncBasePriorityPrivilege	3120	explorer.exe
Token: 33	3120	explorer.exe
Token: SeIncBasePriorityPrivilege	3120	explorer.exe
Token: 33	3120	explorer.exe
Token: SeIncBasePriorityPrivilege	3120	explorer.exe
Token: 33	3120	explorer.exe
Token: SeIncBasePriorityPrivilege	3120	explorer.exe
Token: 33	3120	explorer.exe
Token: SeIncBasePriorityPrivilege	3120	explorer.exe
Token: 33	3120	explorer.exe
Token: SeIncBasePriorityPrivilege	3120	explorer.exe
Token: 33	3120	explorer.exe
Token: SeIncBasePriorityPrivilege	3120	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4356	explorer.exe
4356	explorer.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 3684 wrote to memory of 1760	3684	Site Hunter Pro By X-Splinter.exe	82
PID 3684 wrote to memory of 1760	3684	Site Hunter Pro By X-Splinter.exe	82
PID 3684 wrote to memory of 3408	3684	Site Hunter Pro By X-Splinter.exe	83
PID 3684 wrote to memory of 3408	3684	Site Hunter Pro By X-Splinter.exe	83
PID 3684 wrote to memory of 2196	3684	Site Hunter Pro By X-Splinter.exe	84
PID 3684 wrote to memory of 2196	3684	Site Hunter Pro By X-Splinter.exe	84
PID 3684 wrote to memory of 2196	3684	Site Hunter Pro By X-Splinter.exe	84
PID 3408 wrote to memory of 2872	3408	Setup.exe	87
PID 3408 wrote to memory of 2872	3408	Setup.exe	87
PID 1760 wrote to memory of 4124	1760	Setup.exe	86
PID 1760 wrote to memory of 4124	1760	Setup.exe	86
PID 4124 wrote to memory of 4356	4124	svchost.exe	98
PID 4124 wrote to memory of 4356	4124	svchost.exe	98
PID 4356 wrote to memory of 4008	4356	explorer.exe	99
PID 4356 wrote to memory of 4008	4356	explorer.exe	99
PID 4804 wrote to memory of 4048	4804	version.exe	102
PID 4804 wrote to memory of 4048	4804	version.exe	102
PID 4804 wrote to memory of 2312	4804	version.exe	104
PID 4804 wrote to memory of 2312	4804	version.exe	104
PID 4804 wrote to memory of 3144	4804	version.exe	105
PID 4804 wrote to memory of 3144	4804	version.exe	105
PID 4804 wrote to memory of 3284	4804	version.exe	108
PID 4804 wrote to memory of 3284	4804	version.exe	108
PID 4804 wrote to memory of 4792	4804	version.exe	110
PID 4804 wrote to memory of 4792	4804	version.exe	110
PID 4804 wrote to memory of 4320	4804	version.exe	112
PID 4804 wrote to memory of 4320	4804	version.exe	112
PID 4804 wrote to memory of 4744	4804	version.exe	113
PID 4804 wrote to memory of 4744	4804	version.exe	113
PID 4804 wrote to memory of 624	4804	version.exe	116
PID 4804 wrote to memory of 624	4804	version.exe	116
PID 4048 wrote to memory of 1096	4048	cmd.exe	117
PID 4048 wrote to memory of 1096	4048	cmd.exe	117
PID 2312 wrote to memory of 1108	2312	cmd.exe	121
PID 2312 wrote to memory of 1108	2312	cmd.exe	121
PID 3144 wrote to memory of 1828	3144	cmd.exe	122
PID 3144 wrote to memory of 1828	3144	cmd.exe	122
PID 3284 wrote to memory of 2808	3284	cmd.exe	123
PID 3284 wrote to memory of 2808	3284	cmd.exe	123
PID 4792 wrote to memory of 3560	4792	cmd.exe	124
PID 4792 wrote to memory of 3560	4792	cmd.exe	124
PID 4744 wrote to memory of 3300	4744	cmd.exe	125
PID 4744 wrote to memory of 3300	4744	cmd.exe	125
PID 4320 wrote to memory of 244	4320	cmd.exe	126
PID 4320 wrote to memory of 244	4320	cmd.exe	126
PID 624 wrote to memory of 808	624	cmd.exe	127
PID 624 wrote to memory of 808	624	cmd.exe	127
PID 4356 wrote to memory of 3120	4356	explorer.exe	129
PID 4356 wrote to memory of 3120	4356	explorer.exe	129
PID 3120 wrote to memory of 1704	3120	explorer.exe	131
PID 3120 wrote to memory of 1704	3120	explorer.exe	131

C:\Users\Admin\AppData\Local\Temp\Site Hunter Pro By X-Splinter.exe
"C:\Users\Admin\AppData\Local\Temp\Site Hunter Pro By X-Splinter.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4124
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4356
    - - \??\c:\windows\system32\cmstp.exe
        
        "c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\fh4is2to.inf
        5⤵
        
        PID:4008
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3120
      - C:\Windows\SYSTEM32\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1704
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3408
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2872
- C:\Users\Admin\AppData\Local\Temp\Site Hunter Pro By X-Splinter .exe
  "C:\Users\Admin\AppData\Local\Temp\Site Hunter Pro By X-Splinter .exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2196
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 1144
    3⤵
    - Program crash
    PID:2676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2196 -ip 2196
1⤵
PID:2592

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1096
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1108
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:3144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:3284
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2808
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3560
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:244
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3300
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:808

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\Setup.exe.log

Filesize
408B

MD5
70f08e6585ed9994d97a4c71472fccd8

SHA1
3f44494d4747c87fb8b94bb153c3a3d717f9fd63

SHA256
87fbf339c47e259826080aa2dcbdf371ea47a50eec88222c6e64a92906cb37fa

SHA512
d381aec2ea869f3b2d06497e934c7fe993df6deac719370bd74310a29e8e48b6497559922d2cb44ace97c4bd7ad00eae8fe92a31081f2119de3ddbb5988af388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\explorer.exe.log

Filesize
676B

MD5
79d206410500f74a6f755f82d514c459

SHA1
67782eff101d316ad1eb79ee76dc4095f5994db3

SHA256
697be2be7b14b3ef2953b93cc2d380b350c19e2ef41399ab289fe1c8e2281f36

SHA512
72848557148090200726fbfa30c008e54067d79e804ef604c78ee4fdc0c77d3da6c60abedb5c05e4943eb768d737873db585619b2559a1b6d1e6b917d216d822

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\svchost.exe.log

Filesize
588B

MD5
2f142977932b7837fa1cc70278e53361

SHA1
0a3212d221079671bfdeee176ad841e6f15904fc

SHA256
961ca2c0e803a7201adb3b656ed3abafc259d6d376e8ade66f0afff10a564820

SHA512
a25e45e41933902bcc0ea38b4daa64e96cbcd8900b446e1326cffb8c91eb1886b1e90686190bdba30d7014490001a732f91f2869bb9987c0213a8d798c7b3421

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4425b0ee11b6dfc8823c85ec786c73d2

SHA1
819eee2dd8db890be1c1d28e921544182c4897a1

SHA256
35a69136ee953730b3d4a422cd3f5b172a6902e1136ad78e086787b8083d6905

SHA512
1c2d6e39a95606e648f83f1966c76c3445842e9bd2256e65be51934fdc206fae76354c7befa8a1f3e222a69bff2531e1d15646da63fdab92b23a020c1257f321

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7ef6da9ea4e6323dadd5719cbd92141a

SHA1
26d3e735f32c569b870bfe31964a0b54ef97d700

SHA256
ee84dcb92869ae3600043554d3c13d17bf16cfb8461137013e597860740445c7

SHA512
3c6aa0f9bf2c43820c59e5e96a3e4e877fb5728787a1519317158579dcc9bd11cfc9d5883e862fdbcc7283abd39e24b1727e729a87a6e1fc33f93d5251068466

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bbc2b43d5e574fe7d193c6fc0eb7302c

SHA1
f22683b94ad593fd0513fef37df1fb5d0880cc22

SHA256
0efa2469ae0b02af024fd0e2828ccab085eaefef3736b3bda0ba631e3a45aa48

SHA512
287449b168297a5176b26777f2f5ca3284d967b93274db8b3029d130049073560a10e418607f670d08194193aa91fc9cd174717e7c1d051b09c23857fe3ab9d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
477KB

MD5
0e6c9432cba1614fccc232f201028c72

SHA1
6082cf9489faa785c066195f108548e705a6d407

SHA256
c9a2faffee3de29e278a89e54b07edb1f520f5e665480a1002d401fd83cde2e8

SHA512
c341000eb6f10c3ee1fb722914abb8ba2e1a3ab32a0ccdd92561c0604d58924699d3f9886b8bd03ab13223c9c78eef74045b181520298dba3323a2809c670abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Site Hunter Pro By X-Splinter .exe

Filesize
250KB

MD5
2552f20645b607660b68b578f809491a

SHA1
358c95c27218925f2a9b3558995129e06ff65ae5

SHA256
f1dd801bc8a2d3f476c195034f601d7276f85886d1fcc0a2a79d6d11f309eae3

SHA512
2f043d8b7dd4d2a309a717c002f674bf2755c42d74eb73b4509215e0334e749750758a90d1b912e7d6e1b8be4c73ac89d4e015d3694618d7d210734d337a885c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b3h133h3.ndf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fh4is2to.inf

Filesize
619B

MD5
6f1420f2133f3e08fd8cdea0e1f5fe27

SHA1
3aa41ec75adc0cf50e001ca91bbfa7f763adf70b

SHA256
aed1ac2424a255f231168bcb02f16b6ea89603e0045465c2149abcde33a06242

SHA512
d5629e9835f881cd271e88d9ec2d2c27b9d5d1b25329ade5cfb9824a6358c9e98e66f1b89ac9459b4c540c02af2728129dd8523bdf007cadf28b5fa2d199a2aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
358KB

MD5
e497ea1ca168098308f219189d634f5f

SHA1
634efc083024034d2df19478153df518f6b10bc4

SHA256
f20c0d9d46cab72ec02952c078e2a4b259c71103e31607613f1b1ff0064bda15

SHA512
49ac4baff98a4d5e770aab19dcc738ee9e14716b12caecbe067861013997f7e90d4783fe8a67ad50a9b30e157ff0ec46cf1e6880c37d59103e6095d66e47dafa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

Filesize
339KB

MD5
301e8d9a2445dd999ce816c17d8dbbb3

SHA1
b91163babeb738bd4d0f577ac764cee17fffe564

SHA256
2ea1fa52a6896ce0100084e3696712d76b4d1e995ca0012954bae3107562a9eb

SHA512
4941a820d26206fa3e333419622c3b07c8ebdaad51d1c6976df912e9ec123ad39a0c67fb5c3e362658f8463b366892fc4575d4cc2ebe62c2011d10ed5eb6bba3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.zip

Filesize
140KB

MD5
bbf128484e7ea29053c6db91849067ea

SHA1
c46ec37265740c349fb265099e47ebbef9369ba1

SHA256
5e6f03b5ae15131c2ad374c563273389b3340168ff647433a6b5e7acce468b05

SHA512
aeb756d2b2238eaa16a82673b6a86b609320abd6eafc4b742d0f5a9fe88fbbf34a1fd7e6ad9d2f30a832e288a3d7b725a73f83616df1d3edee92c8fd06984e7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe

Filesize
84KB

MD5
15ee95bc8e2e65416f2a30cf05ef9c2e

SHA1
107ca99d3414642450dec196febcd787ac8d7596

SHA256
c55b3aaf558c1cd8768f3d22b3fcc908a0e8c33e3f4e1f051d2b1b9315223d4d

SHA512
ed1cceb8894fb02cd585ec799e7c8564536976e50c04bf0c3e246a24a6eef719079455f1d6664fa09181979260db16903c60a0ef938472ca71ccaabe16ea1a98

Download Submit
memory/1760-23-0x00007FFCC7B00000-0x00007FFCC84A1000-memory.dmp

Filesize
9.6MB

Download
memory/1760-55-0x00007FFCC7B00000-0x00007FFCC84A1000-memory.dmp

Filesize
9.6MB

Download
memory/1760-18-0x00007FFCC7B00000-0x00007FFCC84A1000-memory.dmp

Filesize
9.6MB

Download
memory/1760-19-0x000000001B3A0000-0x000000001B3CC000-memory.dmp

Filesize
176KB

Download
memory/1760-22-0x00007FFCC7B00000-0x00007FFCC84A1000-memory.dmp

Filesize
9.6MB

Download
memory/1828-99-0x0000022ED09E0000-0x0000022ED0A02000-memory.dmp

Filesize
136KB

Download
memory/2196-57-0x0000000000D90000-0x0000000000DD8000-memory.dmp

Filesize
288KB

Download
memory/2196-58-0x00000000057E0000-0x000000000587C000-memory.dmp

Filesize
624KB

Download
memory/2872-52-0x0000000000B80000-0x0000000000B88000-memory.dmp

Filesize
32KB

Download
memory/3408-54-0x00007FFCC7B00000-0x00007FFCC84A1000-memory.dmp

Filesize
9.6MB

Download
memory/3408-29-0x00007FFCC7B00000-0x00007FFCC84A1000-memory.dmp

Filesize
9.6MB

Download
memory/3408-31-0x00007FFCC7B00000-0x00007FFCC84A1000-memory.dmp

Filesize
9.6MB

Download
memory/3408-28-0x00007FFCC7B00000-0x00007FFCC84A1000-memory.dmp

Filesize
9.6MB

Download
memory/3684-46-0x00007FFCC7B00000-0x00007FFCC84A1000-memory.dmp

Filesize
9.6MB

Download
memory/3684-0-0x00007FFCC7DB5000-0x00007FFCC7DB6000-memory.dmp

Filesize
4KB

Download
memory/3684-5-0x000000001BCB0000-0x000000001BD4C000-memory.dmp

Filesize
624KB

Download
memory/3684-4-0x000000001B740000-0x000000001BC0E000-memory.dmp

Filesize
4.8MB

Download
memory/3684-3-0x00007FFCC7B00000-0x00007FFCC84A1000-memory.dmp

Filesize
9.6MB

Download
memory/3684-2-0x00007FFCC7B00000-0x00007FFCC84A1000-memory.dmp

Filesize
9.6MB

Download
memory/3684-1-0x000000001B160000-0x000000001B206000-memory.dmp

Filesize
664KB

Download
memory/4356-88-0x0000000000E40000-0x0000000000E4C000-memory.dmp

Filesize
48KB

Download
memory/4356-85-0x0000000000E20000-0x0000000000E28000-memory.dmp

Filesize
32KB

Download