njrat | 29551a26f72fa6c387909b88ffcad535db08f17e0b62781478a0097070f48dde

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-10-2024 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SQLBOX.exe
Size

8.0MB
MD5

79f7442af52bd4ce3ccc1894d4841d16
SHA1

ec752f917e4043aa27a49a5282e9f9d4f538829f
SHA256

29551a26f72fa6c387909b88ffcad535db08f17e0b62781478a0097070f48dde
SHA512

972ebfca52b010df791ddef879f312133f7f11e3e63b4096cf901ba6203b244f9e8a3a37e9055d437476bc54931e68763369fb8c1f6fc900ab60e452fe149cd1
SSDEEP

196608:jp8UI0VdmlV8ld98BlON2jnbNswvBXvowJgzl7GSZn7ftmcg:lJPmy90jVvBXvoww77rccg

Score

10^/10

njrat hacked defense_evasion evasion execution persistence privilege_escalation themida trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

6cpanel.hackcrack.io:35798

Mutex

Windows Explorer

Attributes

reg_key
Windows Explorer
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SQLBOX .exe

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1448	powershell.exe
4552	powershell.exe
396	powershell.exe
220	powershell.exe
1084	powershell.exe
3792	powershell.exe
3428	powershell.exe
3248	powershell.exe
396	powershell.exe
220	powershell.exe
1084	powershell.exe
3792	powershell.exe
3428	powershell.exe
3248	powershell.exe
1448	powershell.exe
4552	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5024	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SQLBOX .exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SQLBOX .exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	version.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	SQLBOX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Setup.exe

Executes dropped EXE 8 IoCs

pid	Process
3644	Setup.exe
2964	Setup.exe
2160	SQLBOX .exe
3048	svchost.exe
2568	svchost.exe
3968	explorer.exe
4220	version.exe
2244	explorer.exe

Loads dropped DLL 1 IoCs

pid	Process
2160	SQLBOX .exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x0008000000023bb2-62.dat	themida
behavioral2/memory/2160-64-0x00007FFF29CA0000-0x00007FFF2A50C000-memory.dmp	themida
behavioral2/memory/2160-63-0x00007FFF29CA0000-0x00007FFF2A50C000-memory.dmp	themida
behavioral2/memory/2160-74-0x00007FFF29CA0000-0x00007FFF2A50C000-memory.dmp	themida

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SQLBOX .exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	Setup.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Setup.exe

Hide Artifacts: Hidden Window 1 TTPs 8 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
2076	cmd.exe
4700	cmd.exe
4148	cmd.exe
2612	cmd.exe
2404	cmd.exe
5028	cmd.exe
4760	cmd.exe
1332	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2160	SQLBOX .exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	Setup.exe
File created	C:\Windows\assembly\Desktop.ini	Setup.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3448	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe
3968	explorer.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	svchost.exe
Token: SeDebugPrivilege	2568	svchost.exe
Token: SeDebugPrivilege	3968	explorer.exe
Token: SeDebugPrivilege	3448	taskkill.exe
Token: SeDebugPrivilege	220	powershell.exe
Token: SeDebugPrivilege	3428	powershell.exe
Token: SeDebugPrivilege	3792	powershell.exe
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	3248	powershell.exe
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	2244	explorer.exe
Token: 33	2244	explorer.exe
Token: SeIncBasePriorityPrivilege	2244	explorer.exe
Token: 33	2244	explorer.exe
Token: SeIncBasePriorityPrivilege	2244	explorer.exe
Token: 33	2244	explorer.exe
Token: SeIncBasePriorityPrivilege	2244	explorer.exe
Token: 33	2244	explorer.exe
Token: SeIncBasePriorityPrivilege	2244	explorer.exe
Token: 33	2244	explorer.exe
Token: SeIncBasePriorityPrivilege	2244	explorer.exe
Token: 33	2244	explorer.exe
Token: SeIncBasePriorityPrivilege	2244	explorer.exe
Token: 33	2244	explorer.exe
Token: SeIncBasePriorityPrivilege	2244	explorer.exe
Token: 33	2244	explorer.exe
Token: SeIncBasePriorityPrivilege	2244	explorer.exe
Token: 33	2244	explorer.exe
Token: SeIncBasePriorityPrivilege	2244	explorer.exe
Token: 33	2244	explorer.exe
Token: SeIncBasePriorityPrivilege	2244	explorer.exe
Token: 33	2244	explorer.exe
Token: SeIncBasePriorityPrivilege	2244	explorer.exe
Token: 33	2244	explorer.exe
Token: SeIncBasePriorityPrivilege	2244	explorer.exe
Token: 33	2244	explorer.exe
Token: SeIncBasePriorityPrivilege	2244	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3968	explorer.exe
3968	explorer.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 3644	4204	SQLBOX.exe	84
PID 4204 wrote to memory of 3644	4204	SQLBOX.exe	84
PID 4204 wrote to memory of 2964	4204	SQLBOX.exe	85
PID 4204 wrote to memory of 2964	4204	SQLBOX.exe	85
PID 4204 wrote to memory of 2160	4204	SQLBOX.exe	86
PID 4204 wrote to memory of 2160	4204	SQLBOX.exe	86
PID 3644 wrote to memory of 3048	3644	Setup.exe	87
PID 3644 wrote to memory of 3048	3644	Setup.exe	87
PID 2964 wrote to memory of 2568	2964	Setup.exe	88
PID 2964 wrote to memory of 2568	2964	Setup.exe	88
PID 3048 wrote to memory of 3968	3048	svchost.exe	106
PID 3048 wrote to memory of 3968	3048	svchost.exe	106
PID 3968 wrote to memory of 2184	3968	explorer.exe	107
PID 3968 wrote to memory of 2184	3968	explorer.exe	107
PID 4220 wrote to memory of 4760	4220	version.exe	110
PID 4220 wrote to memory of 4760	4220	version.exe	110
PID 4220 wrote to memory of 1332	4220	version.exe	112
PID 4220 wrote to memory of 1332	4220	version.exe	112
PID 4220 wrote to memory of 2076	4220	version.exe	114
PID 4220 wrote to memory of 2076	4220	version.exe	114
PID 4220 wrote to memory of 4700	4220	version.exe	116
PID 4220 wrote to memory of 4700	4220	version.exe	116
PID 4220 wrote to memory of 4148	4220	version.exe	117
PID 4220 wrote to memory of 4148	4220	version.exe	117
PID 4220 wrote to memory of 2612	4220	version.exe	120
PID 4220 wrote to memory of 2612	4220	version.exe	120
PID 4220 wrote to memory of 5028	4220	version.exe	121
PID 4220 wrote to memory of 5028	4220	version.exe	121
PID 4220 wrote to memory of 2404	4220	version.exe	122
PID 4220 wrote to memory of 2404	4220	version.exe	122
PID 4760 wrote to memory of 396	4760	cmd.exe	127
PID 4760 wrote to memory of 396	4760	cmd.exe	127
PID 1332 wrote to memory of 220	1332	cmd.exe	129
PID 1332 wrote to memory of 220	1332	cmd.exe	129
PID 4700 wrote to memory of 3792	4700	cmd.exe	130
PID 4700 wrote to memory of 3792	4700	cmd.exe	130
PID 2076 wrote to memory of 1084	2076	cmd.exe	131
PID 2076 wrote to memory of 1084	2076	cmd.exe	131
PID 2612 wrote to memory of 3428	2612	cmd.exe	132
PID 2612 wrote to memory of 3428	2612	cmd.exe	132
PID 2404 wrote to memory of 3248	2404	cmd.exe	133
PID 2404 wrote to memory of 3248	2404	cmd.exe	133
PID 5028 wrote to memory of 1448	5028	cmd.exe	134
PID 5028 wrote to memory of 1448	5028	cmd.exe	134
PID 4148 wrote to memory of 4552	4148	cmd.exe	135
PID 4148 wrote to memory of 4552	4148	cmd.exe	135
PID 3968 wrote to memory of 2244	3968	explorer.exe	139
PID 3968 wrote to memory of 2244	3968	explorer.exe	139
PID 2244 wrote to memory of 5024	2244	explorer.exe	140
PID 2244 wrote to memory of 5024	2244	explorer.exe	140

C:\Users\Admin\AppData\Local\Temp\SQLBOX.exe
"C:\Users\Admin\AppData\Local\Temp\SQLBOX.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3644
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3968
    - - \??\c:\windows\system32\cmstp.exe
        
        "c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\a3rjo43p.inf
        5⤵
        
        PID:2184
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2244
      - C:\Windows\SYSTEM32\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5024
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2568
- C:\Users\Admin\AppData\Local\Temp\SQLBOX .exe
  "C:\Users\Admin\AppData\Local\Temp\SQLBOX .exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2160

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:396
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:220
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1084
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:4148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4552
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3428
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1448
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3248

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\Setup.exe.log

Filesize
408B

MD5
70f08e6585ed9994d97a4c71472fccd8

SHA1
3f44494d4747c87fb8b94bb153c3a3d717f9fd63

SHA256
87fbf339c47e259826080aa2dcbdf371ea47a50eec88222c6e64a92906cb37fa

SHA512
d381aec2ea869f3b2d06497e934c7fe993df6deac719370bd74310a29e8e48b6497559922d2cb44ace97c4bd7ad00eae8fe92a31081f2119de3ddbb5988af388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\explorer.exe.log

Filesize
676B

MD5
79d206410500f74a6f755f82d514c459

SHA1
67782eff101d316ad1eb79ee76dc4095f5994db3

SHA256
697be2be7b14b3ef2953b93cc2d380b350c19e2ef41399ab289fe1c8e2281f36

SHA512
72848557148090200726fbfa30c008e54067d79e804ef604c78ee4fdc0c77d3da6c60abedb5c05e4943eb768d737873db585619b2559a1b6d1e6b917d216d822

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\svchost.exe.log

Filesize
588B

MD5
2f142977932b7837fa1cc70278e53361

SHA1
0a3212d221079671bfdeee176ad841e6f15904fc

SHA256
961ca2c0e803a7201adb3b656ed3abafc259d6d376e8ade66f0afff10a564820

SHA512
a25e45e41933902bcc0ea38b4daa64e96cbcd8900b446e1326cffb8c91eb1886b1e90686190bdba30d7014490001a732f91f2869bb9987c0213a8d798c7b3421

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c493263bea895bb9204bea923c7ec4d7

SHA1
5ca8c342d7dea33a8da8dd3218e16ee77a8f4231

SHA256
49f79e04b40ef149868dfb4526f6d33bf43a33f85d350f710fd99320f59b78d1

SHA512
b0238cd51a8284168447ec5ab93b1b3d88cfa3f23225551c1ed6551a72dd72aaed970760d2cea8cd34582f9b56f3cdb3c3dc027f28896f4b111b06332796f6bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\0fa65e01-327d-4b20-9b75-911d8166df3c\sToRmDOT64.dll

Filesize
3.1MB

MD5
4d8082b3de02f82db9a515e9dab5d2b6

SHA1
057a20ade70244601d0fe50f7011c95bae335ea5

SHA256
936b1537b6efcece032c05661238b06beefc61ff76e82b7c5d9fe558a9360a4c

SHA512
7b9153e9948e0f911fcb0b145678a56cac4abd948fa99e07c331760f02dce096cf3be7d2d8493cf7a76460c7172e24eaa45c1283a28353501b2876c54752c60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQLBOX .exe

Filesize
7.5MB

MD5
fa35e080ce9441a661011a8c2c3409a3

SHA1
57988d0350d8aa53f316fef36022062b020156ec

SHA256
d2a37daeb942c91b911206e61bc622720e9cbbb1be554c584807eaf6aec31cce

SHA512
e8d54789744fc2c99473d330c2e2fa694e5d54b45e91e592fdb29b153fa4dc01244d8e0099351ff44f3d472480600b61b0d4ea96f24805777caf5623f2ff9c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
453KB

MD5
97994092e05077b39d7fb87431ab7adb

SHA1
ff8be763236b024101522cfbc87b4251160b6a46

SHA256
76e63501c05b67e096c740e3fb4d9bc04e159e0ceafbe2e3c390864593c9b8eb

SHA512
63e10f2e52af80f75cb55efa3fe399edc9dda5637709ddf760fa7287a95b2c8ed9db3aa25e19aa58495d3d63352c36ee3e40c019f074ce43d123d11aec7f026a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_51a2nqqi.mde.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3rjo43p.inf

Filesize
619B

MD5
6f1420f2133f3e08fd8cdea0e1f5fe27

SHA1
3aa41ec75adc0cf50e001ca91bbfa7f763adf70b

SHA256
aed1ac2424a255f231168bcb02f16b6ea89603e0045465c2149abcde33a06242

SHA512
d5629e9835f881cd271e88d9ec2d2c27b9d5d1b25329ade5cfb9824a6358c9e98e66f1b89ac9459b4c540c02af2728129dd8523bdf007cadf28b5fa2d199a2aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
341KB

MD5
e000e5c930a9c3d1e1e15dd8d25fc153

SHA1
1a01d9cb0d4b507aea4d119a7933fa2196a0195b

SHA256
5a8c9856cfd33fa50eeb00ea9d427b59d9e407f20393a3c25537af22382859ca

SHA512
90686821fbb9c8d022cf471387910ba3d760660ae9e55db8fbd345f7a731dce38390e40e9579dadb36b8032f071b5d61ea82cc021452aff42970f6a6adc4ce06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

Filesize
319KB

MD5
52458647042feceb53ddfad2a210332a

SHA1
b85d0da8c2ba4142e43c0adc9e914c7d47287ba3

SHA256
5afe1b4584a086f703308ae0f355f67902d157dfd36db8e09c3873dcfe9143aa

SHA512
d1787d2b95462f46d22bd98980fb4f29368bd226aa1a6f98b02155d235d2df7c7575299b264cc0fa2ebfb63e99225e663ff0cb5cfb68fdc601add5139e129898

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe

Filesize
84KB

MD5
15ee95bc8e2e65416f2a30cf05ef9c2e

SHA1
107ca99d3414642450dec196febcd787ac8d7596

SHA256
c55b3aaf558c1cd8768f3d22b3fcc908a0e8c33e3f4e1f051d2b1b9315223d4d

SHA512
ed1cceb8894fb02cd585ec799e7c8564536976e50c04bf0c3e246a24a6eef719079455f1d6664fa09181979260db16903c60a0ef938472ca71ccaabe16ea1a98

Download Submit
memory/220-104-0x000002191D130000-0x000002191D152000-memory.dmp

Filesize
136KB

Download
memory/2160-65-0x00007FFF31240000-0x00007FFF3138E000-memory.dmp

Filesize
1.3MB

Download
memory/2160-74-0x00007FFF29CA0000-0x00007FFF2A50C000-memory.dmp

Filesize
8.4MB

Download
memory/2160-48-0x000001723D910000-0x000001723E096000-memory.dmp

Filesize
7.5MB

Download
memory/2160-63-0x00007FFF29CA0000-0x00007FFF2A50C000-memory.dmp

Filesize
8.4MB

Download
memory/2160-64-0x00007FFF29CA0000-0x00007FFF2A50C000-memory.dmp

Filesize
8.4MB

Download
memory/2964-36-0x00007FFF34FE0000-0x00007FFF35981000-memory.dmp

Filesize
9.6MB

Download
memory/2964-56-0x00007FFF34FE0000-0x00007FFF35981000-memory.dmp

Filesize
9.6MB

Download
memory/2964-29-0x00007FFF34FE0000-0x00007FFF35981000-memory.dmp

Filesize
9.6MB

Download
memory/2964-27-0x00007FFF34FE0000-0x00007FFF35981000-memory.dmp

Filesize
9.6MB

Download
memory/3048-52-0x0000000002DA0000-0x0000000002DA8000-memory.dmp

Filesize
32KB

Download
memory/3644-22-0x00007FFF34FE0000-0x00007FFF35981000-memory.dmp

Filesize
9.6MB

Download
memory/3644-55-0x00007FFF34FE0000-0x00007FFF35981000-memory.dmp

Filesize
9.6MB

Download
memory/3644-19-0x000000001BE30000-0x000000001BE5A000-memory.dmp

Filesize
168KB

Download
memory/3644-18-0x00007FFF34FE0000-0x00007FFF35981000-memory.dmp

Filesize
9.6MB

Download
memory/3968-94-0x00000000009C0000-0x00000000009C8000-memory.dmp

Filesize
32KB

Download
memory/3968-97-0x00000000009E0000-0x00000000009EC000-memory.dmp

Filesize
48KB

Download
memory/4204-44-0x00007FFF34FE0000-0x00007FFF35981000-memory.dmp

Filesize
9.6MB

Download
memory/4204-0-0x00007FFF35295000-0x00007FFF35296000-memory.dmp

Filesize
4KB

Download
memory/4204-6-0x00007FFF34FE0000-0x00007FFF35981000-memory.dmp

Filesize
9.6MB

Download
memory/4204-4-0x000000001C9D0000-0x000000001CA6C000-memory.dmp

Filesize
624KB

Download
memory/4204-3-0x000000001C460000-0x000000001C92E000-memory.dmp

Filesize
4.8MB

Download
memory/4204-2-0x00007FFF34FE0000-0x00007FFF35981000-memory.dmp

Filesize
9.6MB

Download
memory/4204-1-0x000000001BEE0000-0x000000001BF86000-memory.dmp

Filesize
664KB

Download