njrat | 0cb0967013154e7b7b77ebb1eaef5540c4c9e8d5c5cdf48470e102551fee9b50

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/11/2024, 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9dd417d204ae1284bd84604b69c2d166_JaffaCakes118.exe
Size

533KB
MD5

9dd417d204ae1284bd84604b69c2d166
SHA1

9291654d54e587061cecf41513e361a3e70ae3db
SHA256

0cb0967013154e7b7b77ebb1eaef5540c4c9e8d5c5cdf48470e102551fee9b50
SHA512

8c898e5b0459aea7c92fb2958ad5dcb5fd244e31ebddae82e9916ce09ab16650cb9ff05603419d90c1993bf36affe6cbca00c78cfb91a54e87efa7a18fb4b045
SSDEEP

12288:Autr2CcB3L0q4pcAN3QiLb8Jy4lspfblqadl5deLY:Akr69b4p7QabOLepDlb5F

Score

10^/10

njrat hacked discovery evasion persistence privilege_escalation trojan upx

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

surebox.ddns.net:5552

Mutex

96da6daf5c20026edbb7f9fbf43bfe30

Attributes

reg_key
96da6daf5c20026edbb7f9fbf43bfe30
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1268	netsh.exe

Executes dropped EXE 17 IoCs

pid	Process
2332	M.exe
380	M.exe
2696	FB_DDA2.tmp.exe
2164	M.exe
2684	M.exe
1708	server.exe
2892	server.exe
2384	FB_1C38.tmp.exe
2984	M.exe
2664	M.exe
1700	server.exe
2300	server.exe
2400	FB_3AB0.tmp.exe
1528	M.exe
2460	M.exe
3016	server.exe
2600	server.exe

Loads dropped DLL 44 IoCs

pid	Process
2644	9dd417d204ae1284bd84604b69c2d166_JaffaCakes118.exe
2644	9dd417d204ae1284bd84604b69c2d166_JaffaCakes118.exe
2332	M.exe
2332	M.exe
380	M.exe
380	M.exe
380	M.exe
2696	FB_DDA2.tmp.exe
2696	FB_DDA2.tmp.exe
2696	FB_DDA2.tmp.exe
2164	M.exe
2164	M.exe
2684	M.exe
2684	M.exe
2684	M.exe
1708	server.exe
1708	server.exe
2892	server.exe
2892	server.exe
2892	server.exe
2384	FB_1C38.tmp.exe
2384	FB_1C38.tmp.exe
2384	FB_1C38.tmp.exe
2984	M.exe
2984	M.exe
2664	M.exe
2664	M.exe
2664	M.exe
1700	server.exe
1700	server.exe
2300	server.exe
2300	server.exe
2300	server.exe
2400	FB_3AB0.tmp.exe
2400	FB_3AB0.tmp.exe
2400	FB_3AB0.tmp.exe
1528	M.exe
1528	M.exe
2460	M.exe
2460	M.exe
2460	M.exe
3016	server.exe
3016	server.exe
2600	server.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\96da6daf5c20026edbb7f9fbf43bfe30 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9dd417d204ae1284bd84604b69c2d166_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	FB_DDA2.tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	FB_1C38.tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	FB_3AB0.tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\96da6daf5c20026edbb7f9fbf43bfe30 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 2332 set thread context of 380	2332	M.exe	32
PID 2164 set thread context of 2684	2164	M.exe	35
PID 1708 set thread context of 2892	1708	server.exe	37
PID 2984 set thread context of 2664	2984	M.exe	40
PID 1700 set thread context of 2300	1700	server.exe	42
PID 1528 set thread context of 2460	1528	M.exe	45
PID 3016 set thread context of 2600	3016	server.exe	47

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000800000001950c-4.dat	upx
behavioral1/memory/2644-6-0x0000000000210000-0x000000000026C000-memory.dmp	upx
behavioral1/memory/2332-51-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2164-122-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2984-196-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1708-203-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/2984-230-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1700-245-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1700-276-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/1528-329-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/3016-337-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral1/memory/3016-366-0x0000000000400000-0x000000000045C000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	M.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	M.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	M.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	M.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	M.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	M.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB_1C38.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	M.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB_3AB0.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9dd417d204ae1284bd84604b69c2d166_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	M.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB_DDA2.tmp.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2332	M.exe
2332	M.exe
2164	M.exe
2164	M.exe
1708	server.exe
1708	server.exe
2984	M.exe
2984	M.exe
1700	server.exe
1700	server.exe
1528	M.exe
1528	M.exe
3016	server.exe
3016	server.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2600	server.exe
Token: 33	2600	server.exe
Token: SeIncBasePriorityPrivilege	2600	server.exe
Token: 33	2600	server.exe
Token: SeIncBasePriorityPrivilege	2600	server.exe
Token: 33	2600	server.exe
Token: SeIncBasePriorityPrivilege	2600	server.exe
Token: 33	2600	server.exe
Token: SeIncBasePriorityPrivilege	2600	server.exe
Token: 33	2600	server.exe
Token: SeIncBasePriorityPrivilege	2600	server.exe
Token: 33	2600	server.exe
Token: SeIncBasePriorityPrivilege	2600	server.exe
Token: 33	2600	server.exe
Token: SeIncBasePriorityPrivilege	2600	server.exe
Token: 33	2600	server.exe
Token: SeIncBasePriorityPrivilege	2600	server.exe
Token: 33	2600	server.exe
Token: SeIncBasePriorityPrivilege	2600	server.exe
Token: 33	2600	server.exe
Token: SeIncBasePriorityPrivilege	2600	server.exe
Token: 33	2600	server.exe
Token: SeIncBasePriorityPrivilege	2600	server.exe
Token: 33	2600	server.exe
Token: SeIncBasePriorityPrivilege	2600	server.exe
Token: 33	2600	server.exe
Token: SeIncBasePriorityPrivilege	2600	server.exe
Token: 33	2600	server.exe
Token: SeIncBasePriorityPrivilege	2600	server.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2332	M.exe
2332	M.exe
2164	M.exe
2164	M.exe
1708	server.exe
1708	server.exe
2984	M.exe
2984	M.exe
1700	server.exe
1700	server.exe
1528	M.exe
1528	M.exe
3016	server.exe
3016	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2332	2644	9dd417d204ae1284bd84604b69c2d166_JaffaCakes118.exe	31
PID 2644 wrote to memory of 2332	2644	9dd417d204ae1284bd84604b69c2d166_JaffaCakes118.exe	31
PID 2644 wrote to memory of 2332	2644	9dd417d204ae1284bd84604b69c2d166_JaffaCakes118.exe	31
PID 2644 wrote to memory of 2332	2644	9dd417d204ae1284bd84604b69c2d166_JaffaCakes118.exe	31
PID 2644 wrote to memory of 2332	2644	9dd417d204ae1284bd84604b69c2d166_JaffaCakes118.exe	31
PID 2644 wrote to memory of 2332	2644	9dd417d204ae1284bd84604b69c2d166_JaffaCakes118.exe	31
PID 2644 wrote to memory of 2332	2644	9dd417d204ae1284bd84604b69c2d166_JaffaCakes118.exe	31
PID 2332 wrote to memory of 380	2332	M.exe	32
PID 2332 wrote to memory of 380	2332	M.exe	32
PID 2332 wrote to memory of 380	2332	M.exe	32
PID 2332 wrote to memory of 380	2332	M.exe	32
PID 2332 wrote to memory of 380	2332	M.exe	32
PID 2332 wrote to memory of 380	2332	M.exe	32
PID 2332 wrote to memory of 380	2332	M.exe	32
PID 2332 wrote to memory of 380	2332	M.exe	32
PID 2332 wrote to memory of 380	2332	M.exe	32
PID 2332 wrote to memory of 380	2332	M.exe	32
PID 2332 wrote to memory of 380	2332	M.exe	32
PID 2332 wrote to memory of 380	2332	M.exe	32
PID 2332 wrote to memory of 380	2332	M.exe	32
PID 2332 wrote to memory of 380	2332	M.exe	32
PID 2332 wrote to memory of 380	2332	M.exe	32
PID 2332 wrote to memory of 380	2332	M.exe	32
PID 2332 wrote to memory of 380	2332	M.exe	32
PID 2332 wrote to memory of 380	2332	M.exe	32
PID 380 wrote to memory of 2696	380	M.exe	33
PID 380 wrote to memory of 2696	380	M.exe	33
PID 380 wrote to memory of 2696	380	M.exe	33
PID 380 wrote to memory of 2696	380	M.exe	33
PID 380 wrote to memory of 2696	380	M.exe	33
PID 380 wrote to memory of 2696	380	M.exe	33
PID 380 wrote to memory of 2696	380	M.exe	33
PID 2696 wrote to memory of 2164	2696	FB_DDA2.tmp.exe	34
PID 2696 wrote to memory of 2164	2696	FB_DDA2.tmp.exe	34
PID 2696 wrote to memory of 2164	2696	FB_DDA2.tmp.exe	34
PID 2696 wrote to memory of 2164	2696	FB_DDA2.tmp.exe	34
PID 2696 wrote to memory of 2164	2696	FB_DDA2.tmp.exe	34
PID 2696 wrote to memory of 2164	2696	FB_DDA2.tmp.exe	34
PID 2696 wrote to memory of 2164	2696	FB_DDA2.tmp.exe	34
PID 2164 wrote to memory of 2684	2164	M.exe	35
PID 2164 wrote to memory of 2684	2164	M.exe	35
PID 2164 wrote to memory of 2684	2164	M.exe	35
PID 2164 wrote to memory of 2684	2164	M.exe	35
PID 2164 wrote to memory of 2684	2164	M.exe	35
PID 2164 wrote to memory of 2684	2164	M.exe	35
PID 2164 wrote to memory of 2684	2164	M.exe	35
PID 2164 wrote to memory of 2684	2164	M.exe	35
PID 2164 wrote to memory of 2684	2164	M.exe	35
PID 2164 wrote to memory of 2684	2164	M.exe	35
PID 2164 wrote to memory of 2684	2164	M.exe	35
PID 2164 wrote to memory of 2684	2164	M.exe	35
PID 2164 wrote to memory of 2684	2164	M.exe	35
PID 2164 wrote to memory of 2684	2164	M.exe	35
PID 2164 wrote to memory of 2684	2164	M.exe	35
PID 2164 wrote to memory of 2684	2164	M.exe	35
PID 2684 wrote to memory of 1708	2684	M.exe	36
PID 2684 wrote to memory of 1708	2684	M.exe	36
PID 2684 wrote to memory of 1708	2684	M.exe	36
PID 2684 wrote to memory of 1708	2684	M.exe	36
PID 2684 wrote to memory of 1708	2684	M.exe	36
PID 2684 wrote to memory of 1708	2684	M.exe	36
PID 2684 wrote to memory of 1708	2684	M.exe	36
PID 1708 wrote to memory of 2892	1708	server.exe	37
PID 1708 wrote to memory of 2892	1708	server.exe	37

C:\Users\Admin\AppData\Local\Temp\9dd417d204ae1284bd84604b69c2d166_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9dd417d204ae1284bd84604b69c2d166_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:380
  - - C:\Users\Admin\AppData\Local\Temp\FB_DDA2.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\FB_DDA2.tmp.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2164
      - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\FB_1C38.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FB_1C38.tmp.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\M.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\M.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\M.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\M.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\FB_3AB0.tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FB_3AB0.tmp.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\M.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\M.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\M.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\M.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        19⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CSIDL_

Filesize
67KB

MD5
b285a30da59bc109e8250e16810d8a22

SHA1
97ab0b288e4b390e63a4adedd39c7f0e03bcd669

SHA256
2f7f3225955c6cf3d39b01601e7bc50475f1bc3914c93d8ea2a4ad743e544715

SHA512
3c65940452d11098a25c131e3c34e36a03b4620717a70da47a7847c050c6e1bd64e48d7844eee89852a2ff1a3929f1201388b0f1931124fdfc13bcf076062d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB_DDA2.tmp.exe

Filesize
268KB

MD5
3a20b6a658471d2eee1b0e6cd2ecd71f

SHA1
2c44c7a6d62c3dfa6bb3d4dfcc3e5d58343cfbcb

SHA256
806a6f2869a960febc62965716326795fc2762bed485276398e0404159dfd2f9

SHA512
86fdbd05b76e933142ef8e7258f2902fdd857ac08314b75336a88c272afd7ca0c2423979d1cdede98072f5cfdb00f35ceaf31bbe990ff2bbc01973c736ba6334

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.ex_

Filesize
331KB

MD5
2d0867020d6352c827c75cbec33a0acc

SHA1
241fbe04597034c5232f29ae8c065c84e30bedc0

SHA256
6d9c9c4ac589447ac5503c03429d42a8b486ec05d3f8808b6d1f9a5d0856b4eb

SHA512
36bbf283f63fad86f99311641453147a770538b94e032c4081eca4e57e88075cc9b89ab6c858f0abe006cc14842fb90a42caadbfe0f22b6370688cd083fd08dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\M.exe.config

Filesize
86B

MD5
62c7953dce8d6e76823e125d2be15183

SHA1
3ca6f709fd2d7179d96813ba1e32710b22bf4992

SHA256
9c0d7f71f9765f388abf9e4fd6b80925ad506a7ad39ab36301364f3d4f5db464

SHA512
a5e85549fc18e71d114c091bdd67f094153a46ed1c49c2b1068d43b5366cb5d26ee8cf316c86bf717c619808814bacc3daef4f7082628175e97fcfadc68a7a24

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe

Filesize
140KB

MD5
bc9932d562808f046db8cf2d225b317e

SHA1
50827e282cb74b846b8ef79ccd3f5887e3a941f2

SHA256
49a50d91166a62cb0c1454d015af0b5b98ea86702c9e88c21f6e5775517571b7

SHA512
d46153b9d0260a076fd6247de14325b2f76d7537139677af927427fab23852258634b525a1e3e31e19456a04a5c58527ac351f44b475c2eb984294b30b0efa22

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\M.exe

Filesize
104KB

MD5
42ccd69a3be9618d329de0ea0fde3a81

SHA1
47e9897f303496eb9cd5883f9cdb283b6eee65d3

SHA256
14137fcc8697e967b251fd0fafbdf79af8db4c1a67f2eafe53756e3ad80a9bef

SHA512
33d95b20ce606441c89dbc575c8e884196a19db056ffd9d54a5e0c57f3928b0d064b6270e4abf033046606e0456156faba3f3a8e6a353e924a7461e61e46bfae

Download Submit
memory/380-47-0x0000000000400000-0x0000000002020000-memory.dmp

Filesize
28.1MB

Download
memory/380-73-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/380-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/380-34-0x0000000000400000-0x0000000002020000-memory.dmp

Filesize
28.1MB

Download
memory/380-40-0x0000000000400000-0x0000000002020000-memory.dmp

Filesize
28.1MB

Download
memory/380-37-0x0000000000400000-0x0000000002020000-memory.dmp

Filesize
28.1MB

Download
memory/380-27-0x0000000000400000-0x0000000002020000-memory.dmp

Filesize
28.1MB

Download
memory/380-43-0x0000000000400000-0x0000000002020000-memory.dmp

Filesize
28.1MB

Download
memory/380-56-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/380-52-0x0000000000400000-0x0000000002020000-memory.dmp

Filesize
28.1MB

Download
memory/380-35-0x0000000000400000-0x0000000002020000-memory.dmp

Filesize
28.1MB

Download
memory/380-41-0x0000000000400000-0x0000000002020000-memory.dmp

Filesize
28.1MB

Download
memory/380-55-0x0000000000230000-0x000000000028C000-memory.dmp

Filesize
368KB

Download
memory/380-32-0x0000000000400000-0x0000000002020000-memory.dmp

Filesize
28.1MB

Download
memory/380-72-0x0000000000400000-0x0000000002020000-memory.dmp

Filesize
28.1MB

Download
memory/380-29-0x0000000000400000-0x0000000002020000-memory.dmp

Filesize
28.1MB

Download
memory/380-25-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/1528-329-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1700-245-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1700-250-0x0000000001F70000-0x0000000001FCC000-memory.dmp

Filesize
368KB

Download
memory/1700-276-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1708-203-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1708-141-0x00000000003A0000-0x00000000003FC000-memory.dmp

Filesize
368KB

Download
memory/2164-96-0x0000000001E40000-0x0000000001E9C000-memory.dmp

Filesize
368KB

Download
memory/2164-122-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2300-279-0x0000000002020000-0x000000000207C000-memory.dmp

Filesize
368KB

Download
memory/2332-51-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2332-24-0x00000000008E0000-0x000000000093C000-memory.dmp

Filesize
368KB

Download
memory/2332-21-0x0000000000270000-0x0000000000275000-memory.dmp

Filesize
20KB

Download
memory/2400-300-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2460-333-0x0000000002E00000-0x0000000002E5C000-memory.dmp

Filesize
368KB

Download
memory/2644-6-0x0000000000210000-0x000000000026C000-memory.dmp

Filesize
368KB

Download
memory/2664-241-0x00000000052C0000-0x000000000531C000-memory.dmp

Filesize
368KB

Download
memory/2684-98-0x0000000000400000-0x00000000008B0000-memory.dmp

Filesize
4.7MB

Download
memory/2684-120-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2684-102-0x0000000000400000-0x00000000008B0000-memory.dmp

Filesize
4.7MB

Download
memory/2684-113-0x0000000000400000-0x00000000008B0000-memory.dmp

Filesize
4.7MB

Download
memory/2684-117-0x0000000000400000-0x00000000008B0000-memory.dmp

Filesize
4.7MB

Download
memory/2684-104-0x0000000000400000-0x00000000008B0000-memory.dmp

Filesize
4.7MB

Download
memory/2684-106-0x0000000000400000-0x00000000008B0000-memory.dmp

Filesize
4.7MB

Download
memory/2684-116-0x0000000000400000-0x00000000008B0000-memory.dmp

Filesize
4.7MB

Download
memory/2684-110-0x0000000000400000-0x00000000008B0000-memory.dmp

Filesize
4.7MB

Download
memory/2684-100-0x0000000000400000-0x00000000008B0000-memory.dmp

Filesize
4.7MB

Download
memory/2684-108-0x0000000000400000-0x00000000008B0000-memory.dmp

Filesize
4.7MB

Download
memory/2696-80-0x00000000002B0000-0x000000000030C000-memory.dmp

Filesize
368KB

Download
memory/2696-81-0x00000000002B0000-0x000000000030C000-memory.dmp

Filesize
368KB

Download
memory/2892-170-0x0000000002020000-0x000000000207C000-memory.dmp

Filesize
368KB

Download
memory/2984-230-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2984-222-0x0000000001E50000-0x0000000001EAC000-memory.dmp

Filesize
368KB

Download
memory/2984-196-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3016-337-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3016-339-0x00000000002C0000-0x000000000031C000-memory.dmp

Filesize
368KB

Download
memory/3016-366-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download