njrat | 10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112

Analysis

max time kernel
32s
max time network
155s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-10-2024 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe
Size

8.7MB
MD5

aa47afcd87d5187c867fa721a6807edd
SHA1

f61dcf9213813a83bf036f9b43a5be7010f60b9a
SHA256

10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112
SHA512

f1add09b9d3ee33fb009854bd70b24df5a77983adb4edb927c3fa529bdc695696ccbaefabd4d5cefc6c7709d011cdafa0c26896102e90d19c67604583b392d3c
SSDEEP

196608:hCbGPZmVfjsCbGPZmVfjiCbGPZmVfjsCbGPZmVfj2CbGPZmVfjsCbGPZmVfjiCbx:0GmVNGmVrGmVNGmVnGmVNGmVrGmVNGmV

Score

10^/10

njrat jjj defense_evasion discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

jjj

youri.mooo.com:1605

Mutex

e936a10f968ac948cd351c9629dbd36d

Attributes

reg_key
e936a10f968ac948cd351c9629dbd36d
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3052 netsh.exe
Executes dropped EXE 1 IoCs

Processes:

winmgr107.exe

pid process

2672 winmgr107.exe
Loads dropped DLL 1 IoCs

Processes:

10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe

pid process

2708 10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe

pid	process
3052	netsh.exe

pid	process
2672	winmgr107.exe

pid	process
2708	10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exewinmgr107.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\2 = "C:\\ProgramData\\winmgr107.exe"	10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\2 = "C:\\ProgramData\\winmgr107.exe"	winmgr107.exe

AutoIT Executable 7 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\ProgramData\winmgr107.exe	autoit_exe
C:\ProgramData\winmgr107.exe	autoit_exe
C:\ProgramData\winmgr107.exe	autoit_exe
\ProgramData\winmgr107.exe	autoit_exe
C:\ProgramData\winmgr107.exe	autoit_exe
C:\ProgramData\winmgr107.exe	autoit_exe
C:\ProgramData\winmgr107.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

winmgr107.exe

description pid process target process

PID 2672 set thread context of 1588 2672 winmgr107.exe RegAsm.exe

description	pid	process	target process
PID 2672 set thread context of 1588	2672	winmgr107.exe	RegAsm.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

Processes:

10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exewinmgr107.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe:Zone.Identifier:$DATA	10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe
File created	C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA	winmgr107.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

netsh.exe10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.execmd.exeNOTEPAD.EXEwinmgr107.exeRegAsm.exeschtasks.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winmgr107.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

NTFS ADS 2 IoCs

Processes:

10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exewinmgr107.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe:Zone.Identifier:$DATA	10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe
File created	C:\ProgramData\winmgr107.exe:Zone.Identifier:$DATA	winmgr107.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 25 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2732	schtasks.exe
1468	schtasks.exe
2888	schtasks.exe
2500	schtasks.exe
1556	schtasks.exe
2476	schtasks.exe
2924	schtasks.exe
1656	schtasks.exe
2004	schtasks.exe
2864	schtasks.exe
1548	schtasks.exe
2504	schtasks.exe
3028	schtasks.exe
2356	schtasks.exe
304	schtasks.exe
1676	schtasks.exe
1836	schtasks.exe
1144	schtasks.exe
2984	schtasks.exe
2852	schtasks.exe
2540	schtasks.exe
2268	schtasks.exe
1204	schtasks.exe
2856	schtasks.exe
2716	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exewinmgr107.exe

pid process

2708 10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe
2672 winmgr107.exe
2672 winmgr107.exe
2672 winmgr107.exe

pid	process
2708	10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe
2672	winmgr107.exe
2672	winmgr107.exe
2672	winmgr107.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.execmd.exewinmgr107.exeRegAsm.exe

description	pid	process	target process
PID 2708 wrote to memory of 2304	2708	10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe	cmd.exe
PID 2708 wrote to memory of 2304	2708	10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe	cmd.exe
PID 2708 wrote to memory of 2304	2708	10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe	cmd.exe
PID 2708 wrote to memory of 2304	2708	10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe	cmd.exe
PID 2304 wrote to memory of 2780	2304	cmd.exe	NOTEPAD.EXE
PID 2304 wrote to memory of 2780	2304	cmd.exe	NOTEPAD.EXE
PID 2304 wrote to memory of 2780	2304	cmd.exe	NOTEPAD.EXE
PID 2304 wrote to memory of 2780	2304	cmd.exe	NOTEPAD.EXE
PID 2708 wrote to memory of 2672	2708	10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe	winmgr107.exe
PID 2708 wrote to memory of 2672	2708	10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe	winmgr107.exe
PID 2708 wrote to memory of 2672	2708	10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe	winmgr107.exe
PID 2708 wrote to memory of 2672	2708	10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe	winmgr107.exe
PID 2672 wrote to memory of 1588	2672	winmgr107.exe	RegAsm.exe
PID 2672 wrote to memory of 1588	2672	winmgr107.exe	RegAsm.exe
PID 2672 wrote to memory of 1588	2672	winmgr107.exe	RegAsm.exe
PID 2672 wrote to memory of 1588	2672	winmgr107.exe	RegAsm.exe
PID 2672 wrote to memory of 1588	2672	winmgr107.exe	RegAsm.exe
PID 2672 wrote to memory of 1588	2672	winmgr107.exe	RegAsm.exe
PID 2672 wrote to memory of 1588	2672	winmgr107.exe	RegAsm.exe
PID 2672 wrote to memory of 1588	2672	winmgr107.exe	RegAsm.exe
PID 2672 wrote to memory of 1588	2672	winmgr107.exe	RegAsm.exe
PID 2672 wrote to memory of 1468	2672	winmgr107.exe	schtasks.exe
PID 2672 wrote to memory of 1468	2672	winmgr107.exe	schtasks.exe
PID 2672 wrote to memory of 1468	2672	winmgr107.exe	schtasks.exe
PID 2672 wrote to memory of 1468	2672	winmgr107.exe	schtasks.exe
PID 2672 wrote to memory of 2924	2672	winmgr107.exe	schtasks.exe
PID 2672 wrote to memory of 2924	2672	winmgr107.exe	schtasks.exe
PID 2672 wrote to memory of 2924	2672	winmgr107.exe	schtasks.exe
PID 2672 wrote to memory of 2924	2672	winmgr107.exe	schtasks.exe
PID 1588 wrote to memory of 3052	1588	RegAsm.exe	netsh.exe
PID 1588 wrote to memory of 3052	1588	RegAsm.exe	netsh.exe
PID 1588 wrote to memory of 3052	1588	RegAsm.exe	netsh.exe
PID 1588 wrote to memory of 3052	1588	RegAsm.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe
"C:\Users\Admin\AppData\Local\Temp\10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Subvert Trust Controls: Mark-of-the-Web Bypass
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start C:\PROGRA~3\10740A~1.TXT
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\PROGRA~3\10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2780
- C:\ProgramData\winmgr107.exe
  C:\ProgramData\winmgr107.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    0
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:3052
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1468
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2924
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2356
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:304
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1656
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2888
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1676
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2540
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2268
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1836
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1144
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2500
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1548
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1556
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2004
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2504
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3028
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2476
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1204
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2856
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2716
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2984
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2852
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2864
- - C:\Windows\SysWOW64\schtasks.exe
    C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr107.exe" /tr "C:\ProgramData\winmgr107.exe" /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2732

C:\Windows\system32\taskeng.exe
taskeng.exe {6AD3BCC7-6DAD-45D3-B179-EFD82C3C39BB} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
1⤵
PID:1196
- C:\ProgramData\winmgr107.exe
  C:\ProgramData\winmgr107.exe
  2⤵
  PID:604
- C:\ProgramData\winmgr107.exe
  C:\ProgramData\winmgr107.exe
  2⤵
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\10740a8c625f468cf2bb1f1e80b3bdd97685ef6475ed7bdf1b51c48beaef4112.exe.txt

Filesize
992B

MD5
c8cf7247d4cfc99a7582a42d13df4c08

SHA1
317f5588af0b3b6374c436fb00084c522fd78a83

SHA256
78bd99781e971622f1573bccf2ae9cdd7a7498cf81c1875afc65913e1083b1d0

SHA512
5dd86b7ba388e5d2ad61b1c69589f42c36eec23a04b3cece0941133e0cf0e8a6f1f3aa2242d87af72db725b4b96032dadae72b3be98af3cfce5786ad8c08c357

Download Submit
C:\ProgramData\winmgr107.exe

Filesize
4.9MB

MD5
1be02a0e61e743387892358b1ac0c1fc

SHA1
46c7c26bf0e0c20f359669ccda46bc626423485d

SHA256
6093af9a20c7e67273ba5fa54f5775c41445df6a991b90e15be879816bf7e8f9

SHA512
be7f8aa684635cd414614bfa32c03173982f58a9ede860bf4e1613ce4b084824dc297aebd7465b3a7c8e3786a2cee071d88de28ad3e75b411e9ad8952387fe1f

Download Submit
C:\ProgramData\winmgr107.exe

Filesize
4.6MB

MD5
adf35f36740433b9c9ebd57bf953cd01

SHA1
a927d01de1610e5d4100b36c85b5762af7158f30

SHA256
8e0a756df8c34105ad9e52321264e3a673cc0677b7a7e45f8bf0e11f73eb9dc5

SHA512
19f739d8b48aea5b9e2cab428e7902e04bc55ebb934abd51ac1efffc10faa8d91249803a5305c93e5cae5d3d92965f2f53d042b23461d64bb192f28c411bb51a

Download Submit
C:\ProgramData\winmgr107.exe

Filesize
4.4MB

MD5
5ae5df3086b27d387a2eced63178cf21

SHA1
29e8d6b238c4fef97777081bf2f40d4037147283

SHA256
00724ad3680782266f6683cae9f97ebd69e5ecd2ebc79ed124ddf5c2faa848ba

SHA512
26eb4b6f249fad3bfddf80df3f67e3f6f531eef05dec4b11716c1bb5195774f83e3f4dfe273242bd097fb80bc2c7a24bd05899fad64aee5cc58c7a0616319e68

Download Submit
C:\ProgramData\winmgr107.exe

Filesize
1.4MB

MD5
714fc8439ef3a70cb9947edfc540a1eb

SHA1
dbcf044f680631fdb498f608b36b23b7f32f7a73

SHA256
90abc3b1454a825706bce7b51b8621510931ef085224f80f3b7b3b6796f30830

SHA512
b375adf96528493178cfcd5d3cf492d319d7f3c94fe9c4dd666041de2dd4e89af3b9911e3031048787e6d92b9a3e2f2516a3b535cbbb8ce3938522496d4a2c75

Download Submit
C:\ProgramData\winmgr107.exe

Filesize
1.9MB

MD5
bb9565ba82eeddf3c3c021c612534f47

SHA1
30ebf0cf5bf599319de56390a3ab254744048bd5

SHA256
40c03e249274841186038e66172835837921ee753750b2c27043f0fdde4b3452

SHA512
e2f94e6af5d5d09e308b147a71c79d57e499edf28fcbcb781356c2ceba037157e7c6ddda3a9f83ac69dad9d21dc12ea7f7edbc345fc69c7212c1168766466488

Download Submit
C:\ProgramData\winmgr107.exe

Filesize
406KB

MD5
868dca2ce00b9ae7fc3acd5093a4a2e0

SHA1
a93ee5ac5531e04afe5d1cc00b8c23dd8315a7fc

SHA256
b939d8e997b3fe5d5d3b53d32c235f251a65ae50766a7df9e90a7b9b04f77c34

SHA512
49ffddd44588ea2613a119ba7d76e3284a880c24f69c2e9db13e49dfb1e37bae43f5cfe88f2f2e37fb8921cfe0b581f28e56e3dfb3f40a0870c48f88d5f61f69

Download Submit
C:\ProgramData\winmgr107.exe

Filesize
627KB

MD5
e4c0234db20667f9b1df6c9c1fceda92

SHA1
89ea62cb936bcb93487112f36dfc93924ff77e42

SHA256
c8579fc18463e5c33b7516b29e9b26337ce39a762c76b8113426c32f6df4c3ec

SHA512
76417cb2c87eedac9d86cf7fe7208517576a6a04addc1a9cd3f975fa1934ff2c9cb4b569d5ce4c353ecabcf69f3278b14cbe9ff34dafba4fd7f2c658f10d0922

Download Submit
\ProgramData\winmgr107.exe

Filesize
4.8MB

MD5
114aaf68235b61937ba9424bac7d6d73

SHA1
40112d791669b977b36801bf40c36a33e3b983dc

SHA256
2033818ebccfe677e12837ea411b8797dc6645d864a44a338717259f23ac5022

SHA512
eb16c4c1ad6b6f12044eeaf6da7d2b1ab072543e3c5488e5c8e70c6dd61e938fa2306ee044502246f5b42826c5eada249fcd10fe366a81b11a0a8576df8eb916

Download Submit
memory/1588-29-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/1588-28-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/1588-27-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/1588-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1588-24-0x0000000000090000-0x000000000009C000-memory.dmp

Filesize
48KB

Download
memory/2304-5-0x0000000002690000-0x0000000002790000-memory.dmp

Filesize
1024KB

Download
memory/2304-4-0x0000000002690000-0x0000000002790000-memory.dmp

Filesize
1024KB

Download