njrat | 967cfad648485100bbecca628e70cf15abf0369371df977a4c02b44a44baddca

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

967cfad648485100bbecca628e70cf15abf0369371df977a4c02b44a44baddca.exe
Size

3.3MB
MD5

ba6175cafa451ca127dd1a0eb7445c17
SHA1

ea43f9ae304088845a206e1c88b05e960095a0a7
SHA256

967cfad648485100bbecca628e70cf15abf0369371df977a4c02b44a44baddca
SHA512

76aa98e40af1c1ccfc78b4cf27e6380cb782d3fcd1431e0dc69f579a9e4d6faf215dfd4a5b450508755ab5fd1a504ec5b960ef0c88ef2c081d24e20b93da2ea1
SSDEEP

98304:ruP01RFhp4FHtioUyJhfUY0B67Xy4nPur:ruP01RF4ttikrsYC6mKu

Score

10^/10

njrat discovery persistence trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exe967cfad648485100bbecca628e70cf15abf0369371df977a4c02b44a44baddca.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	967cfad648485100bbecca628e70cf15abf0369371df977a4c02b44a44baddca.exe

Drops startup file 3 IoCs

Processes:

Antimalware Service Executable.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Service Executable.exe	Antimalware Service Executable.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Service Executable.exe	Antimalware Service Executable.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antimalware Service Executable.url	Antimalware Service Executable.exe

Executes dropped EXE 2 IoCs

Processes:

explorer.exeAntimalware Service Executable.exe

pid process

2464 explorer.exe
5112 Antimalware Service Executable.exe

pid	process
2464	explorer.exe
5112	Antimalware Service Executable.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Antimalware Service Executable.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Antimalware Service Executable.exe = "\"C:\\ProgramData\\Antimalware Service Executable.exe\" .."	Antimalware Service Executable.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antimalware Service Executable.exe = "\"C:\\ProgramData\\Antimalware Service Executable.exe\" .."	Antimalware Service Executable.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

14 2.tcp.eu.ngrok.io
36 2.tcp.eu.ngrok.io
50 2.tcp.eu.ngrok.io

flow	ioc
14	2.tcp.eu.ngrok.io
36	2.tcp.eu.ngrok.io
50	2.tcp.eu.ngrok.io

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

967cfad648485100bbecca628e70cf15abf0369371df977a4c02b44a44baddca.exe

pid	process
4224	967cfad648485100bbecca628e70cf15abf0369371df977a4c02b44a44baddca.exe
4224	967cfad648485100bbecca628e70cf15abf0369371df977a4c02b44a44baddca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 55 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

taskkill.exetaskkill.exeschtasks.exetaskkill.exeschtasks.exeschtasks.exeschtasks.exeexplorer.exeschtasks.exeschtasks.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeAntimalware Service Executable.exetaskkill.exeschtasks.exeschtasks.exetaskkill.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exetaskkill.exeschtasks.exeschtasks.exetaskkill.exeschtasks.exeschtasks.exeschtasks.execmd.exeschtasks.exechoice.exetaskkill.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exetaskkill.exetaskkill.exeschtasks.exetaskkill.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Antimalware Service Executable.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Kills process with taskkill 17 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
5032	taskkill.exe
4712	taskkill.exe
2184	taskkill.exe
1140	taskkill.exe
4576	taskkill.exe
1496	taskkill.exe
316	taskkill.exe
1620	taskkill.exe
3348	taskkill.exe
4316	taskkill.exe
1908	taskkill.exe
1980	taskkill.exe
732	taskkill.exe
2916	taskkill.exe
2956	taskkill.exe
2160	taskkill.exe
4496	taskkill.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2140	schtasks.exe
5000	schtasks.exe
3464	schtasks.exe
3788	schtasks.exe
3492	schtasks.exe
1220	schtasks.exe
4308	schtasks.exe
4936	schtasks.exe
3848	schtasks.exe
5048	schtasks.exe
3108	schtasks.exe
688	schtasks.exe
4608	schtasks.exe
4752	schtasks.exe
1424	schtasks.exe
1168	schtasks.exe
4716	schtasks.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

Antimalware Service Executable.exe

description	pid	process
Token: SeDebugPrivilege	5112	Antimalware Service Executable.exe
Token: 33	5112	Antimalware Service Executable.exe
Token: SeIncBasePriorityPrivilege	5112	Antimalware Service Executable.exe
Token: 33	5112	Antimalware Service Executable.exe
Token: SeIncBasePriorityPrivilege	5112	Antimalware Service Executable.exe
Token: 33	5112	Antimalware Service Executable.exe
Token: SeIncBasePriorityPrivilege	5112	Antimalware Service Executable.exe
Token: 33	5112	Antimalware Service Executable.exe
Token: SeIncBasePriorityPrivilege	5112	Antimalware Service Executable.exe
Token: 33	5112	Antimalware Service Executable.exe
Token: SeIncBasePriorityPrivilege	5112	Antimalware Service Executable.exe
Token: 33	5112	Antimalware Service Executable.exe
Token: SeIncBasePriorityPrivilege	5112	Antimalware Service Executable.exe
Token: 33	5112	Antimalware Service Executable.exe
Token: SeIncBasePriorityPrivilege	5112	Antimalware Service Executable.exe
Token: 33	5112	Antimalware Service Executable.exe
Token: SeIncBasePriorityPrivilege	5112	Antimalware Service Executable.exe
Token: 33	5112	Antimalware Service Executable.exe
Token: SeIncBasePriorityPrivilege	5112	Antimalware Service Executable.exe
Token: 33	5112	Antimalware Service Executable.exe
Token: SeIncBasePriorityPrivilege	5112	Antimalware Service Executable.exe
Token: 33	5112	Antimalware Service Executable.exe
Token: SeIncBasePriorityPrivilege	5112	Antimalware Service Executable.exe
Token: 33	5112	Antimalware Service Executable.exe
Token: SeIncBasePriorityPrivilege	5112	Antimalware Service Executable.exe
Token: 33	5112	Antimalware Service Executable.exe
Token: SeIncBasePriorityPrivilege	5112	Antimalware Service Executable.exe
Token: 33	5112	Antimalware Service Executable.exe
Token: SeIncBasePriorityPrivilege	5112	Antimalware Service Executable.exe
Token: 33	5112	Antimalware Service Executable.exe
Token: SeIncBasePriorityPrivilege	5112	Antimalware Service Executable.exe
Token: 33	5112	Antimalware Service Executable.exe
Token: SeIncBasePriorityPrivilege	5112	Antimalware Service Executable.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

967cfad648485100bbecca628e70cf15abf0369371df977a4c02b44a44baddca.exeexplorer.execmd.exeAntimalware Service Executable.exe

description	pid	process	target process
PID 4224 wrote to memory of 2464	4224	967cfad648485100bbecca628e70cf15abf0369371df977a4c02b44a44baddca.exe	explorer.exe
PID 4224 wrote to memory of 2464	4224	967cfad648485100bbecca628e70cf15abf0369371df977a4c02b44a44baddca.exe	explorer.exe
PID 4224 wrote to memory of 2464	4224	967cfad648485100bbecca628e70cf15abf0369371df977a4c02b44a44baddca.exe	explorer.exe
PID 2464 wrote to memory of 5112	2464	explorer.exe	Antimalware Service Executable.exe
PID 2464 wrote to memory of 5112	2464	explorer.exe	Antimalware Service Executable.exe
PID 2464 wrote to memory of 5112	2464	explorer.exe	Antimalware Service Executable.exe
PID 2464 wrote to memory of 1192	2464	explorer.exe	cmd.exe
PID 2464 wrote to memory of 1192	2464	explorer.exe	cmd.exe
PID 2464 wrote to memory of 1192	2464	explorer.exe	cmd.exe
PID 1192 wrote to memory of 4364	1192	cmd.exe	choice.exe
PID 1192 wrote to memory of 4364	1192	cmd.exe	choice.exe
PID 1192 wrote to memory of 4364	1192	cmd.exe	choice.exe
PID 5112 wrote to memory of 2956	5112	Antimalware Service Executable.exe	taskkill.exe
PID 5112 wrote to memory of 2956	5112	Antimalware Service Executable.exe	taskkill.exe
PID 5112 wrote to memory of 2956	5112	Antimalware Service Executable.exe	taskkill.exe
PID 5112 wrote to memory of 1508	5112	Antimalware Service Executable.exe	schtasks.exe
PID 5112 wrote to memory of 1508	5112	Antimalware Service Executable.exe	schtasks.exe
PID 5112 wrote to memory of 1508	5112	Antimalware Service Executable.exe	schtasks.exe
PID 5112 wrote to memory of 4752	5112	Antimalware Service Executable.exe	schtasks.exe
PID 5112 wrote to memory of 4752	5112	Antimalware Service Executable.exe	schtasks.exe
PID 5112 wrote to memory of 4752	5112	Antimalware Service Executable.exe	schtasks.exe
PID 5112 wrote to memory of 3348	5112	Antimalware Service Executable.exe	taskkill.exe
PID 5112 wrote to memory of 3348	5112	Antimalware Service Executable.exe	taskkill.exe
PID 5112 wrote to memory of 3348	5112	Antimalware Service Executable.exe	taskkill.exe
PID 5112 wrote to memory of 4472	5112	Antimalware Service Executable.exe	schtasks.exe
PID 5112 wrote to memory of 4472	5112	Antimalware Service Executable.exe	schtasks.exe
PID 5112 wrote to memory of 4472	5112	Antimalware Service Executable.exe	schtasks.exe
PID 5112 wrote to memory of 2140	5112	Antimalware Service Executable.exe	schtasks.exe
PID 5112 wrote to memory of 2140	5112	Antimalware Service Executable.exe	schtasks.exe
PID 5112 wrote to memory of 2140	5112	Antimalware Service Executable.exe	schtasks.exe
PID 5112 wrote to memory of 732	5112	Antimalware Service Executable.exe	taskkill.exe
PID 5112 wrote to memory of 732	5112	Antimalware Service Executable.exe	taskkill.exe
PID 5112 wrote to memory of 732	5112	Antimalware Service Executable.exe	taskkill.exe
PID 5112 wrote to memory of 2028	5112	Antimalware Service Executable.exe	schtasks.exe
PID 5112 wrote to memory of 2028	5112	Antimalware Service Executable.exe	schtasks.exe
PID 5112 wrote to memory of 2028	5112	Antimalware Service Executable.exe	schtasks.exe
PID 5112 wrote to memory of 5048	5112	Antimalware Service Executable.exe	schtasks.exe
PID 5112 wrote to memory of 5048	5112	Antimalware Service Executable.exe	schtasks.exe
PID 5112 wrote to memory of 5048	5112	Antimalware Service Executable.exe	schtasks.exe
PID 5112 wrote to memory of 2160	5112	Antimalware Service Executable.exe	taskkill.exe
PID 5112 wrote to memory of 2160	5112	Antimalware Service Executable.exe	taskkill.exe
PID 5112 wrote to memory of 2160	5112	Antimalware Service Executable.exe	taskkill.exe
PID 5112 wrote to memory of 4792	5112	Antimalware Service Executable.exe	schtasks.exe
PID 5112 wrote to memory of 4792	5112	Antimalware Service Executable.exe	schtasks.exe
PID 5112 wrote to memory of 4792	5112	Antimalware Service Executable.exe	schtasks.exe
PID 5112 wrote to memory of 1424	5112	Antimalware Service Executable.exe	schtasks.exe
PID 5112 wrote to memory of 1424	5112	Antimalware Service Executable.exe	schtasks.exe
PID 5112 wrote to memory of 1424	5112	Antimalware Service Executable.exe	schtasks.exe
PID 5112 wrote to memory of 2184	5112	Antimalware Service Executable.exe	taskkill.exe
PID 5112 wrote to memory of 2184	5112	Antimalware Service Executable.exe	taskkill.exe
PID 5112 wrote to memory of 2184	5112	Antimalware Service Executable.exe	taskkill.exe
PID 5112 wrote to memory of 2280	5112	Antimalware Service Executable.exe	schtasks.exe
PID 5112 wrote to memory of 2280	5112	Antimalware Service Executable.exe	schtasks.exe
PID 5112 wrote to memory of 2280	5112	Antimalware Service Executable.exe	schtasks.exe
PID 5112 wrote to memory of 1168	5112	Antimalware Service Executable.exe	schtasks.exe
PID 5112 wrote to memory of 1168	5112	Antimalware Service Executable.exe	schtasks.exe
PID 5112 wrote to memory of 1168	5112	Antimalware Service Executable.exe	schtasks.exe
PID 5112 wrote to memory of 1140	5112	Antimalware Service Executable.exe	taskkill.exe
PID 5112 wrote to memory of 1140	5112	Antimalware Service Executable.exe	taskkill.exe
PID 5112 wrote to memory of 1140	5112	Antimalware Service Executable.exe	taskkill.exe
PID 5112 wrote to memory of 1648	5112	Antimalware Service Executable.exe	schtasks.exe
PID 5112 wrote to memory of 1648	5112	Antimalware Service Executable.exe	schtasks.exe
PID 5112 wrote to memory of 1648	5112	Antimalware Service Executable.exe	schtasks.exe
PID 5112 wrote to memory of 3108	5112	Antimalware Service Executable.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\967cfad648485100bbecca628e70cf15abf0369371df977a4c02b44a44baddca.exe
"C:\Users\Admin\AppData\Local\Temp\967cfad648485100bbecca628e70cf15abf0369371df977a4c02b44a44baddca.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\explorer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\ProgramData\Antimalware Service Executable.exe
    "C:\ProgramData\Antimalware Service Executable.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2956
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1508
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4752
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:3348
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4472
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2140
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:732
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2028
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:5048
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2160
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4792
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1424
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2184
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2280
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1168
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:1140
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1648
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3108
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:4316
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4032
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4716
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:4576
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2108
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:688
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2916
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4408
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3492
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:1496
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3600
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4608
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:5032
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:716
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:5000
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:4496
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1228
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1220
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:1908
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2696
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4308
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:4712
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1460
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4936
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:1980
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4012
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3848
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:316
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3656
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3464
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Antimalware Service Executable
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:1620
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "Antimalware Service Executable" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3588
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Antimalware Service Executable" /tr C:\ProgramData\Antimalware Service Executable.exe
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3788
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\explorer.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1192
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\explorer.exe

Filesize
61KB

MD5
aa3c8889c0ae8542da2abc015b313cb9

SHA1
a24ba54c5a9bd75d9078b52901dabd8ff34670e9

SHA256
05592d1382c385a80e5d1e7b37d2bf14bcd5297afab013175637b878d15902a6

SHA512
a09e64cd5ee95d10bc3c04cf4e5ac2c3638162b6d027bbd534adda0902e303e66b623182ab609496af0bf9e5bbbe0dbb147a94a1533283ce8472c8b0653d17a1

Download Submit
memory/2464-17-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/2464-15-0x00000000750A2000-0x00000000750A3000-memory.dmp

Filesize
4KB

Download
memory/2464-16-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/2464-31-0x00000000750A0000-0x0000000075651000-memory.dmp

Filesize
5.7MB

Download
memory/4224-2-0x00007FF6DFDB0000-0x00007FF6E0C81000-memory.dmp

Filesize
14.8MB

Download
memory/4224-4-0x00007FF6DFDB0000-0x00007FF6E0C81000-memory.dmp

Filesize
14.8MB

Download
memory/4224-5-0x00007FFF5B150000-0x00007FFF5B160000-memory.dmp

Filesize
64KB

Download
memory/4224-1-0x00007FF6DFDB0000-0x00007FF6E0C81000-memory.dmp

Filesize
14.8MB

Download
memory/4224-3-0x00007FF3FF330000-0x00007FF3FF701000-memory.dmp

Filesize
3.8MB

Download
memory/4224-0-0x00007FF6DFDB0000-0x00007FF6E0C81000-memory.dmp

Filesize
14.8MB

Download
memory/4224-20-0x00007FF6DFDB0000-0x00007FF6E0C81000-memory.dmp

Filesize
14.8MB

Download
memory/4224-21-0x00007FF3FF330000-0x00007FF3FF701000-memory.dmp

Filesize
3.8MB

Download
memory/4224-32-0x00007FF6DFDB0000-0x00007FF6E0C81000-memory.dmp

Filesize
14.8MB

Download