njrat | ba67f398fb2c5f91c1c227725fec68eba38a9f6c81a425450baf1b94037fe77e

Analysis

max time kernel
511s
max time network
541s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-10-2024 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Client.exe
Size

65KB
MD5

1bcb0ce08d34ba620819df0268e04011
SHA1

296765a47aa584a24bf66ddc9e67356e3203fac8
SHA256

ba67f398fb2c5f91c1c227725fec68eba38a9f6c81a425450baf1b94037fe77e
SHA512

f3409246d7cf16d9902d3420f6e5048e87859484e85a25eebc4559ddc6d26e9b40843b78b3a056c24e1bd9efc13d609f1a9ef37387789cb6994b84c7e4bd0145
SSDEEP

1536:MKqK4Tm4BoN36t4QviFw1AjHkBnvAffLteF3nLrB9z3nIaF9bXS9vM:MKqK4C4BoN36t4QviFC8EBnYfWl9zYab

Score

10^/10

njrat hacked bootkit discovery persistence trojan

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

HacKed

127.0.0.1:36811

Mutex

svhost.exe

Attributes

reg_key
svhost.exe
splitter
|Ghost|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2876 cmd.exe

pid	process
2876	cmd.exe

Drops startup file 2 IoCs

Processes:

svhost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe	svhost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	svhost.exe

Executes dropped EXE 10 IoCs

Processes:

svhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exe26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe

pid	process
1256	svhost.exe
1660	svhost.exe
1600	svhost.exe
1336	svhost.exe
484	svhost.exe
2936	svhost.exe
2944	svhost.exe
636	svhost.exe
1152	svhost.exe
2396	26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe

Loads dropped DLL 2 IoCs

Processes:

New Client.exesvhost.exe

pid process

2308 New Client.exe
1256 svhost.exe

pid	process
2308	New Client.exe
1256	svhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svhost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svhost.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost.exe\" .."	svhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost.exe\" .."	svhost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe

description ioc process

File opened for modification \??\PhysicalDrive0 26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe

System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

svhost.exetaskkill.exetaskkill.exesvhost.exetaskkill.exeNew Client.exeschtasks.exetaskkill.exeschtasks.exeschtasks.exeschtasks.exesvhost.exeschtasks.exeschtasks.execmd.exeschtasks.exetaskkill.exesvhost.exeschtasks.exeschtasks.exeschtasks.exesvhost.exeschtasks.exeschtasks.exesvhost.exesvhost.exeschtasks.exesvhost.exeschtasks.exesvhost.exeschtasks.exechoice.exeschtasks.exeschtasks.exetaskkill.exetaskkill.exeschtasks.exeschtasks.exetaskkill.exeschtasks.exetaskkill.exetaskkill.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 10 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
108	taskkill.exe
2720	taskkill.exe
916	taskkill.exe
2080	taskkill.exe
900	taskkill.exe
952	taskkill.exe
996	taskkill.exe
2256	taskkill.exe
2376	taskkill.exe
2804	taskkill.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2144	schtasks.exe
2356	schtasks.exe
1944	schtasks.exe
1648	schtasks.exe
1552	schtasks.exe
1752	schtasks.exe
1612	schtasks.exe
2100	schtasks.exe
2236	schtasks.exe
2484	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svhost.exe

description	pid	process
Token: SeDebugPrivilege	1256	svhost.exe
Token: 33	1256	svhost.exe
Token: SeIncBasePriorityPrivilege	1256	svhost.exe
Token: 33	1256	svhost.exe
Token: SeIncBasePriorityPrivilege	1256	svhost.exe
Token: 33	1256	svhost.exe
Token: SeIncBasePriorityPrivilege	1256	svhost.exe
Token: 33	1256	svhost.exe
Token: SeIncBasePriorityPrivilege	1256	svhost.exe
Token: 33	1256	svhost.exe
Token: SeIncBasePriorityPrivilege	1256	svhost.exe
Token: 33	1256	svhost.exe
Token: SeIncBasePriorityPrivilege	1256	svhost.exe
Token: 33	1256	svhost.exe
Token: SeIncBasePriorityPrivilege	1256	svhost.exe
Token: 33	1256	svhost.exe
Token: SeIncBasePriorityPrivilege	1256	svhost.exe
Token: 33	1256	svhost.exe
Token: SeIncBasePriorityPrivilege	1256	svhost.exe
Token: 33	1256	svhost.exe
Token: SeIncBasePriorityPrivilege	1256	svhost.exe
Token: 33	1256	svhost.exe
Token: SeIncBasePriorityPrivilege	1256	svhost.exe
Token: 33	1256	svhost.exe
Token: SeIncBasePriorityPrivilege	1256	svhost.exe
Token: 33	1256	svhost.exe
Token: SeIncBasePriorityPrivilege	1256	svhost.exe
Token: 33	1256	svhost.exe
Token: SeIncBasePriorityPrivilege	1256	svhost.exe
Token: 33	1256	svhost.exe
Token: SeIncBasePriorityPrivilege	1256	svhost.exe
Token: 33	1256	svhost.exe
Token: SeIncBasePriorityPrivilege	1256	svhost.exe
Token: 33	1256	svhost.exe
Token: SeIncBasePriorityPrivilege	1256	svhost.exe
Token: 33	1256	svhost.exe
Token: SeIncBasePriorityPrivilege	1256	svhost.exe
Token: 33	1256	svhost.exe
Token: SeIncBasePriorityPrivilege	1256	svhost.exe
Token: 33	1256	svhost.exe
Token: SeIncBasePriorityPrivilege	1256	svhost.exe
Token: 33	1256	svhost.exe
Token: SeIncBasePriorityPrivilege	1256	svhost.exe
Token: 33	1256	svhost.exe
Token: SeIncBasePriorityPrivilege	1256	svhost.exe
Token: 33	1256	svhost.exe
Token: SeIncBasePriorityPrivilege	1256	svhost.exe
Token: 33	1256	svhost.exe
Token: SeIncBasePriorityPrivilege	1256	svhost.exe
Token: 33	1256	svhost.exe
Token: SeIncBasePriorityPrivilege	1256	svhost.exe
Token: 33	1256	svhost.exe
Token: SeIncBasePriorityPrivilege	1256	svhost.exe
Token: 33	1256	svhost.exe
Token: SeIncBasePriorityPrivilege	1256	svhost.exe
Token: 33	1256	svhost.exe
Token: SeIncBasePriorityPrivilege	1256	svhost.exe
Token: 33	1256	svhost.exe
Token: SeIncBasePriorityPrivilege	1256	svhost.exe
Token: 33	1256	svhost.exe
Token: SeIncBasePriorityPrivilege	1256	svhost.exe
Token: 33	1256	svhost.exe
Token: SeIncBasePriorityPrivilege	1256	svhost.exe
Token: 33	1256	svhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

New Client.execmd.exesvhost.exetaskeng.exe

description	pid	process	target process
PID 2308 wrote to memory of 1256	2308	New Client.exe	svhost.exe
PID 2308 wrote to memory of 1256	2308	New Client.exe	svhost.exe
PID 2308 wrote to memory of 1256	2308	New Client.exe	svhost.exe
PID 2308 wrote to memory of 1256	2308	New Client.exe	svhost.exe
PID 2308 wrote to memory of 2876	2308	New Client.exe	cmd.exe
PID 2308 wrote to memory of 2876	2308	New Client.exe	cmd.exe
PID 2308 wrote to memory of 2876	2308	New Client.exe	cmd.exe
PID 2308 wrote to memory of 2876	2308	New Client.exe	cmd.exe
PID 2876 wrote to memory of 2712	2876	cmd.exe	choice.exe
PID 2876 wrote to memory of 2712	2876	cmd.exe	choice.exe
PID 2876 wrote to memory of 2712	2876	cmd.exe	choice.exe
PID 2876 wrote to memory of 2712	2876	cmd.exe	choice.exe
PID 1256 wrote to memory of 2804	1256	svhost.exe	taskkill.exe
PID 1256 wrote to memory of 2804	1256	svhost.exe	taskkill.exe
PID 1256 wrote to memory of 2804	1256	svhost.exe	taskkill.exe
PID 1256 wrote to memory of 2804	1256	svhost.exe	taskkill.exe
PID 1256 wrote to memory of 2892	1256	svhost.exe	schtasks.exe
PID 1256 wrote to memory of 2892	1256	svhost.exe	schtasks.exe
PID 1256 wrote to memory of 2892	1256	svhost.exe	schtasks.exe
PID 1256 wrote to memory of 2892	1256	svhost.exe	schtasks.exe
PID 1256 wrote to memory of 2144	1256	svhost.exe	schtasks.exe
PID 1256 wrote to memory of 2144	1256	svhost.exe	schtasks.exe
PID 1256 wrote to memory of 2144	1256	svhost.exe	schtasks.exe
PID 1256 wrote to memory of 2144	1256	svhost.exe	schtasks.exe
PID 2096 wrote to memory of 1660	2096	taskeng.exe	svhost.exe
PID 2096 wrote to memory of 1660	2096	taskeng.exe	svhost.exe
PID 2096 wrote to memory of 1660	2096	taskeng.exe	svhost.exe
PID 2096 wrote to memory of 1660	2096	taskeng.exe	svhost.exe
PID 2096 wrote to memory of 1600	2096	taskeng.exe	svhost.exe
PID 2096 wrote to memory of 1600	2096	taskeng.exe	svhost.exe
PID 2096 wrote to memory of 1600	2096	taskeng.exe	svhost.exe
PID 2096 wrote to memory of 1600	2096	taskeng.exe	svhost.exe
PID 1256 wrote to memory of 916	1256	svhost.exe	taskkill.exe
PID 1256 wrote to memory of 916	1256	svhost.exe	taskkill.exe
PID 1256 wrote to memory of 916	1256	svhost.exe	taskkill.exe
PID 1256 wrote to memory of 916	1256	svhost.exe	taskkill.exe
PID 1256 wrote to memory of 2412	1256	svhost.exe	schtasks.exe
PID 1256 wrote to memory of 2412	1256	svhost.exe	schtasks.exe
PID 1256 wrote to memory of 2412	1256	svhost.exe	schtasks.exe
PID 1256 wrote to memory of 2412	1256	svhost.exe	schtasks.exe
PID 1256 wrote to memory of 1648	1256	svhost.exe	schtasks.exe
PID 1256 wrote to memory of 1648	1256	svhost.exe	schtasks.exe
PID 1256 wrote to memory of 1648	1256	svhost.exe	schtasks.exe
PID 1256 wrote to memory of 1648	1256	svhost.exe	schtasks.exe
PID 1256 wrote to memory of 2080	1256	svhost.exe	taskkill.exe
PID 1256 wrote to memory of 2080	1256	svhost.exe	taskkill.exe
PID 1256 wrote to memory of 2080	1256	svhost.exe	taskkill.exe
PID 1256 wrote to memory of 2080	1256	svhost.exe	taskkill.exe
PID 1256 wrote to memory of 1928	1256	svhost.exe	schtasks.exe
PID 1256 wrote to memory of 1928	1256	svhost.exe	schtasks.exe
PID 1256 wrote to memory of 1928	1256	svhost.exe	schtasks.exe
PID 1256 wrote to memory of 1928	1256	svhost.exe	schtasks.exe
PID 1256 wrote to memory of 2356	1256	svhost.exe	schtasks.exe
PID 1256 wrote to memory of 2356	1256	svhost.exe	schtasks.exe
PID 1256 wrote to memory of 2356	1256	svhost.exe	schtasks.exe
PID 1256 wrote to memory of 2356	1256	svhost.exe	schtasks.exe
PID 1256 wrote to memory of 900	1256	svhost.exe	taskkill.exe
PID 1256 wrote to memory of 900	1256	svhost.exe	taskkill.exe
PID 1256 wrote to memory of 900	1256	svhost.exe	taskkill.exe
PID 1256 wrote to memory of 900	1256	svhost.exe	taskkill.exe
PID 1256 wrote to memory of 2180	1256	svhost.exe	schtasks.exe
PID 1256 wrote to memory of 2180	1256	svhost.exe	schtasks.exe
PID 1256 wrote to memory of 2180	1256	svhost.exe	schtasks.exe
PID 1256 wrote to memory of 2180	1256	svhost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\New Client.exe
"C:\Users\Admin\AppData\Local\Temp\New Client.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f im Wireshark.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2804
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2892
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Local\Temp\svhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2144
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f im Wireshark.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:916
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2412
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Local\Temp\svhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1648
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f im Wireshark.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2080
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1928
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Local\Temp\svhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2356
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f im Wireshark.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:900
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2180
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Local\Temp\svhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1552
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f im Wireshark.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:952
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1624
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Local\Temp\svhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1944
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f im Wireshark.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:996
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2260
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Local\Temp\svhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1752
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f im Wireshark.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2256
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:788
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Local\Temp\svhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1612
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f im Wireshark.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:108
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1916
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Local\Temp\svhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2100
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f im Wireshark.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2376
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2176
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Local\Temp\svhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2236
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f im Wireshark.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2720
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2700
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Local\Temp\svhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2484
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:2396
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2712

C:\Windows\system32\taskeng.exe
taskeng.exe {0DBF5DD8-2D89-4307-8CCE-07A704292E6D} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  C:\Users\Admin\AppData\Local\Temp\svhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1660
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  C:\Users\Admin\AppData\Local\Temp\svhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1600
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  C:\Users\Admin\AppData\Local\Temp\svhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1336
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  C:\Users\Admin\AppData\Local\Temp\svhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:484
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  C:\Users\Admin\AppData\Local\Temp\svhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2936
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  C:\Users\Admin\AppData\Local\Temp\svhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2944
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  C:\Users\Admin\AppData\Local\Temp\svhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:636
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  C:\Users\Admin\AppData\Local\Temp\svhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
65KB

MD5
1bcb0ce08d34ba620819df0268e04011

SHA1
296765a47aa584a24bf66ddc9e67356e3203fac8

SHA256
ba67f398fb2c5f91c1c227725fec68eba38a9f6c81a425450baf1b94037fe77e

SHA512
f3409246d7cf16d9902d3420f6e5048e87859484e85a25eebc4559ddc6d26e9b40843b78b3a056c24e1bd9efc13d609f1a9ef37387789cb6994b84c7e4bd0145

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739.exe

Filesize
225KB

MD5
af2379cc4d607a45ac44d62135fb7015

SHA1
39b6d40906c7f7f080e6befa93324dddadcbd9fa

SHA256
26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

SHA512
69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

Download Submit
memory/1256-12-0x0000000074750000-0x0000000074CFB000-memory.dmp

Filesize
5.7MB

Download
memory/1256-15-0x0000000074750000-0x0000000074CFB000-memory.dmp

Filesize
5.7MB

Download
memory/1256-13-0x0000000074750000-0x0000000074CFB000-memory.dmp

Filesize
5.7MB

Download
memory/1256-16-0x0000000074750000-0x0000000074CFB000-memory.dmp

Filesize
5.7MB

Download
memory/2308-0-0x0000000074751000-0x0000000074752000-memory.dmp

Filesize
4KB

Download
memory/2308-1-0x0000000074750000-0x0000000074CFB000-memory.dmp

Filesize
5.7MB

Download
memory/2308-2-0x0000000074750000-0x0000000074CFB000-memory.dmp

Filesize
5.7MB

Download
memory/2308-14-0x0000000074750000-0x0000000074CFB000-memory.dmp

Filesize
5.7MB

Download