njrat | 967cfad648485100bbecca628e70cf15abf0369371df977a4c02b44a44baddca

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
09-11-2024 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

967cfad648485100bbecca628e70cf15abf0369371df977a4c02b44a44baddca.exe
Size

3.3MB
MD5

ba6175cafa451ca127dd1a0eb7445c17
SHA1

ea43f9ae304088845a206e1c88b05e960095a0a7
SHA256

967cfad648485100bbecca628e70cf15abf0369371df977a4c02b44a44baddca
SHA512

76aa98e40af1c1ccfc78b4cf27e6380cb782d3fcd1431e0dc69f579a9e4d6faf215dfd4a5b450508755ab5fd1a504ec5b960ef0c88ef2c081d24e20b93da2ea1
SSDEEP

98304:ruP01RFhp4FHtioUyJhfUY0B67Xy4nPur:ruP01RF4ttikrsYC6mKu

Score

10^/10

njrat discovery persistence trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 3 IoCs

Processes:

Antimalware Service Executable.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Service Executable.url	Antimalware Service Executable.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Service Executable.exe	Antimalware Service Executable.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Service Executable.exe	Antimalware Service Executable.exe

Executes dropped EXE 2 IoCs

Processes:

explorer.exeAntimalware Service Executable.exe

pid process

2400 explorer.exe
2796 Antimalware Service Executable.exe
Loads dropped DLL 1 IoCs

Processes:

explorer.exe

pid process

2400 explorer.exe

pid	process
2400	explorer.exe
2796	Antimalware Service Executable.exe

pid	process
2400	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Antimalware Service Executable.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Antimalware Service Executable.exe = "\"C:\\ProgramData\\Antimalware Service Executable.exe\" .."	Antimalware Service Executable.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Antimalware Service Executable.exe = "\"C:\\ProgramData\\Antimalware Service Executable.exe\" .."	Antimalware Service Executable.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

2 2.tcp.eu.ngrok.io
9 2.tcp.eu.ngrok.io
22 2.tcp.eu.ngrok.io

flow	ioc
2	2.tcp.eu.ngrok.io
9	2.tcp.eu.ngrok.io
22	2.tcp.eu.ngrok.io

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

967cfad648485100bbecca628e70cf15abf0369371df977a4c02b44a44baddca.exe

pid	process
2524	967cfad648485100bbecca628e70cf15abf0369371df977a4c02b44a44baddca.exe
2524	967cfad648485100bbecca628e70cf15abf0369371df977a4c02b44a44baddca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 61 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

schtasks.exeschtasks.exeschtasks.exeexplorer.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exetaskkill.exetaskkill.exeschtasks.exetaskkill.exeschtasks.exeschtasks.exetaskkill.exetaskkill.exeschtasks.exeschtasks.execmd.exechoice.exetaskkill.exeschtasks.exeschtasks.exeschtasks.exetaskkill.exetaskkill.exeschtasks.exetaskkill.exeschtasks.exeschtasks.exeschtasks.exetaskkill.exetaskkill.exeschtasks.exeschtasks.exeschtasks.exetaskkill.exetaskkill.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exetaskkill.exeschtasks.exeschtasks.exeschtasks.exeAntimalware Service Executable.exeschtasks.exetaskkill.exeschtasks.exeschtasks.exetaskkill.exetaskkill.exeschtasks.exeschtasks.exetaskkill.exetaskkill.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Antimalware Service Executable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Kills process with taskkill 19 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2952	taskkill.exe
900	taskkill.exe
1000	taskkill.exe
304	taskkill.exe
2876	taskkill.exe
2280	taskkill.exe
2908	taskkill.exe
748	taskkill.exe
2504	taskkill.exe
2708	taskkill.exe
2716	taskkill.exe
1132	taskkill.exe
1044	taskkill.exe
2552	taskkill.exe
2012	taskkill.exe
1304	taskkill.exe
1704	taskkill.exe
2260	taskkill.exe
2180	taskkill.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 19 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3016	schtasks.exe
2104	schtasks.exe
2900	schtasks.exe
3068	schtasks.exe
1752	schtasks.exe
1232	schtasks.exe
2208	schtasks.exe
2596	schtasks.exe
2960	schtasks.exe
3060	schtasks.exe
1544	schtasks.exe
2864	schtasks.exe
2512	schtasks.exe
1844	schtasks.exe
1048	schtasks.exe
2508	schtasks.exe
1996	schtasks.exe
2368	schtasks.exe
2352	schtasks.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

Antimalware Service Executable.exe

description	pid	process
Token: SeDebugPrivilege	2796	Antimalware Service Executable.exe
Token: 33	2796	Antimalware Service Executable.exe
Token: SeIncBasePriorityPrivilege	2796	Antimalware Service Executable.exe
Token: 33	2796	Antimalware Service Executable.exe
Token: SeIncBasePriorityPrivilege	2796	Antimalware Service Executable.exe
Token: 33	2796	Antimalware Service Executable.exe
Token: SeIncBasePriorityPrivilege	2796	Antimalware Service Executable.exe
Token: 33	2796	Antimalware Service Executable.exe
Token: SeIncBasePriorityPrivilege	2796	Antimalware Service Executable.exe
Token: 33	2796	Antimalware Service Executable.exe
Token: SeIncBasePriorityPrivilege	2796	Antimalware Service Executable.exe
Token: 33	2796	Antimalware Service Executable.exe
Token: SeIncBasePriorityPrivilege	2796	Antimalware Service Executable.exe
Token: 33	2796	Antimalware Service Executable.exe
Token: SeIncBasePriorityPrivilege	2796	Antimalware Service Executable.exe
Token: 33	2796	Antimalware Service Executable.exe
Token: SeIncBasePriorityPrivilege	2796	Antimalware Service Executable.exe
Token: 33	2796	Antimalware Service Executable.exe
Token: SeIncBasePriorityPrivilege	2796	Antimalware Service Executable.exe
Token: 33	2796	Antimalware Service Executable.exe
Token: SeIncBasePriorityPrivilege	2796	Antimalware Service Executable.exe
Token: 33	2796	Antimalware Service Executable.exe
Token: SeIncBasePriorityPrivilege	2796	Antimalware Service Executable.exe
Token: 33	2796	Antimalware Service Executable.exe
Token: SeIncBasePriorityPrivilege	2796	Antimalware Service Executable.exe
Token: 33	2796	Antimalware Service Executable.exe
Token: SeIncBasePriorityPrivilege	2796	Antimalware Service Executable.exe
Token: 33	2796	Antimalware Service Executable.exe
Token: SeIncBasePriorityPrivilege	2796	Antimalware Service Executable.exe
Token: 33	2796	Antimalware Service Executable.exe
Token: SeIncBasePriorityPrivilege	2796	Antimalware Service Executable.exe
Token: 33	2796	Antimalware Service Executable.exe
Token: SeIncBasePriorityPrivilege	2796	Antimalware Service Executable.exe
Token: 33	2796	Antimalware Service Executable.exe
Token: SeIncBasePriorityPrivilege	2796	Antimalware Service Executable.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

967cfad648485100bbecca628e70cf15abf0369371df977a4c02b44a44baddca.exeexplorer.execmd.exeAntimalware Service Executable.exe

description	pid	process	target process
PID 2524 wrote to memory of 2400	2524	967cfad648485100bbecca628e70cf15abf0369371df977a4c02b44a44baddca.exe	explorer.exe
PID 2524 wrote to memory of 2400	2524	967cfad648485100bbecca628e70cf15abf0369371df977a4c02b44a44baddca.exe	explorer.exe
PID 2524 wrote to memory of 2400	2524	967cfad648485100bbecca628e70cf15abf0369371df977a4c02b44a44baddca.exe	explorer.exe
PID 2524 wrote to memory of 2400	2524	967cfad648485100bbecca628e70cf15abf0369371df977a4c02b44a44baddca.exe	explorer.exe
PID 2400 wrote to memory of 2796	2400	explorer.exe	Antimalware Service Executable.exe
PID 2400 wrote to memory of 2796	2400	explorer.exe	Antimalware Service Executable.exe
PID 2400 wrote to memory of 2796	2400	explorer.exe	Antimalware Service Executable.exe
PID 2400 wrote to memory of 2796	2400	explorer.exe	Antimalware Service Executable.exe
PID 2400 wrote to memory of 2972	2400	explorer.exe	cmd.exe
PID 2400 wrote to memory of 2972	2400	explorer.exe	cmd.exe
PID 2400 wrote to memory of 2972	2400	explorer.exe	cmd.exe
PID 2400 wrote to memory of 2972	2400	explorer.exe	cmd.exe
PID 2972 wrote to memory of 2940	2972	cmd.exe	choice.exe
PID 2972 wrote to memory of 2940	2972	cmd.exe	choice.exe
PID 2972 wrote to memory of 2940	2972	cmd.exe	choice.exe
PID 2972 wrote to memory of 2940	2972	cmd.exe	choice.exe
PID 2796 wrote to memory of 2716	2796	Antimalware Service Executable.exe	taskkill.exe
PID 2796 wrote to memory of 2716	2796	Antimalware Service Executable.exe	taskkill.exe
PID 2796 wrote to memory of 2716	2796	Antimalware Service Executable.exe	taskkill.exe
PID 2796 wrote to memory of 2716	2796	Antimalware Service Executable.exe	taskkill.exe
PID 2796 wrote to memory of 2032	2796	Antimalware Service Executable.exe	schtasks.exe
PID 2796 wrote to memory of 2032	2796	Antimalware Service Executable.exe	schtasks.exe
PID 2796 wrote to memory of 2032	2796	Antimalware Service Executable.exe	schtasks.exe
PID 2796 wrote to memory of 2032	2796	Antimalware Service Executable.exe	schtasks.exe
PID 2796 wrote to memory of 1996	2796	Antimalware Service Executable.exe	schtasks.exe
PID 2796 wrote to memory of 1996	2796	Antimalware Service Executable.exe	schtasks.exe
PID 2796 wrote to memory of 1996	2796	Antimalware Service Executable.exe	schtasks.exe
PID 2796 wrote to memory of 1996	2796	Antimalware Service Executable.exe	schtasks.exe
PID 2796 wrote to memory of 2504	2796	Antimalware Service Executable.exe	taskkill.exe
PID 2796 wrote to memory of 2504	2796	Antimalware Service Executable.exe	taskkill.exe
PID 2796 wrote to memory of 2504	2796	Antimalware Service Executable.exe	taskkill.exe
PID 2796 wrote to memory of 2504	2796	Antimalware Service Executable.exe	taskkill.exe
PID 2796 wrote to memory of 3008	2796	Antimalware Service Executable.exe	schtasks.exe
PID 2796 wrote to memory of 3008	2796	Antimalware Service Executable.exe	schtasks.exe
PID 2796 wrote to memory of 3008	2796	Antimalware Service Executable.exe	schtasks.exe
PID 2796 wrote to memory of 3008	2796	Antimalware Service Executable.exe	schtasks.exe
PID 2796 wrote to memory of 3068	2796	Antimalware Service Executable.exe	schtasks.exe
PID 2796 wrote to memory of 3068	2796	Antimalware Service Executable.exe	schtasks.exe
PID 2796 wrote to memory of 3068	2796	Antimalware Service Executable.exe	schtasks.exe
PID 2796 wrote to memory of 3068	2796	Antimalware Service Executable.exe	schtasks.exe
PID 2796 wrote to memory of 2952	2796	Antimalware Service Executable.exe	taskkill.exe
PID 2796 wrote to memory of 2952	2796	Antimalware Service Executable.exe	taskkill.exe
PID 2796 wrote to memory of 2952	2796	Antimalware Service Executable.exe	taskkill.exe
PID 2796 wrote to memory of 2952	2796	Antimalware Service Executable.exe	taskkill.exe
PID 2796 wrote to memory of 1124	2796	Antimalware Service Executable.exe	schtasks.exe
PID 2796 wrote to memory of 1124	2796	Antimalware Service Executable.exe	schtasks.exe
PID 2796 wrote to memory of 1124	2796	Antimalware Service Executable.exe	schtasks.exe
PID 2796 wrote to memory of 1124	2796	Antimalware Service Executable.exe	schtasks.exe
PID 2796 wrote to memory of 1752	2796	Antimalware Service Executable.exe	schtasks.exe
PID 2796 wrote to memory of 1752	2796	Antimalware Service Executable.exe	schtasks.exe
PID 2796 wrote to memory of 1752	2796	Antimalware Service Executable.exe	schtasks.exe
PID 2796 wrote to memory of 1752	2796	Antimalware Service Executable.exe	schtasks.exe
PID 2796 wrote to memory of 2708	2796	Antimalware Service Executable.exe	taskkill.exe
PID 2796 wrote to memory of 2708	2796	Antimalware Service Executable.exe	taskkill.exe
PID 2796 wrote to memory of 2708	2796	Antimalware Service Executable.exe	taskkill.exe
PID 2796 wrote to memory of 2708	2796	Antimalware Service Executable.exe	taskkill.exe
PID 2796 wrote to memory of 296	2796	Antimalware Service Executable.exe	schtasks.exe
PID 2796 wrote to memory of 296	2796	Antimalware Service Executable.exe	schtasks.exe
PID 2796 wrote to memory of 296	2796	Antimalware Service Executable.exe	schtasks.exe
PID 2796 wrote to memory of 296	2796	Antimalware Service Executable.exe	schtasks.exe
PID 2796 wrote to memory of 1844	2796	Antimalware Service Executable.exe	schtasks.exe
PID 2796 wrote to memory of 1844	2796	Antimalware Service Executable.exe	schtasks.exe
PID 2796 wrote to memory of 1844	2796	Antimalware Service Executable.exe	schtasks.exe
PID 2796 wrote to memory of 1844	2796	Antimalware Service Executable.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\967cfad648485100bbecca628e70cf15abf0369371df977a4c02b44a44baddca.exe
"C:\Users\Admin\AppData\Local\Temp\967cfad648485100bbecca628e70cf15abf0369371df977a4c02b44a44baddca.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\explorer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\ProgramData\Antimalware Service Executable.exe
    "C:\ProgramData\Antimalware Service Executable.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2716
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2032
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1996
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2504
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3008
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3068
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2952
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1124
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1752
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2708
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:296
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1844
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:1704
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2648
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2368
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:1132
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2060
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2352
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:1044
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1496
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1048
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:900
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1976
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2508
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:1000
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2344
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2596
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:304
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1720
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1544
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2260
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2428
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1232
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2876
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2992
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2960
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2180
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2100
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2864
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2552
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2720
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3060
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2280
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:988
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2512
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2908
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2480
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2208
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:748
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1804
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3016
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2012
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1928
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2104
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:1304
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1080
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\explorer.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\explorer.exe

Filesize
61KB

MD5
aa3c8889c0ae8542da2abc015b313cb9

SHA1
a24ba54c5a9bd75d9078b52901dabd8ff34670e9

SHA256
05592d1382c385a80e5d1e7b37d2bf14bcd5297afab013175637b878d15902a6

SHA512
a09e64cd5ee95d10bc3c04cf4e5ac2c3638162b6d027bbd534adda0902e303e66b623182ab609496af0bf9e5bbbe0dbb147a94a1533283ce8472c8b0653d17a1

Download Submit
memory/2400-17-0x00000000779D0000-0x00000000779DA000-memory.dmp

Filesize
40KB

Download
memory/2524-2-0x000000013F2C0000-0x0000000140191000-memory.dmp

Filesize
14.8MB

Download
memory/2524-0-0x000000013F2C0000-0x0000000140191000-memory.dmp

Filesize
14.8MB

Download
memory/2524-1-0x000007FFFFBD0000-0x000007FFFFFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2524-3-0x000000013F2C0000-0x0000000140191000-memory.dmp

Filesize
14.8MB

Download
memory/2524-4-0x000000013F2C0000-0x0000000140191000-memory.dmp

Filesize
14.8MB

Download
memory/2524-5-0x00000000779D0000-0x00000000779E0000-memory.dmp

Filesize
64KB

Download
memory/2524-20-0x000000013F2C0000-0x0000000140191000-memory.dmp

Filesize
14.8MB

Download
memory/2524-21-0x000007FFFFBD0000-0x000007FFFFFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2524-30-0x000000013F2C0000-0x0000000140191000-memory.dmp

Filesize
14.8MB

Download
memory/2796-29-0x00000000779D0000-0x00000000779DA000-memory.dmp

Filesize
40KB

Download
memory/2796-34-0x00000000779D0000-0x00000000779DA000-memory.dmp

Filesize
40KB

Download