njrat | 8f74d8dcb94fe2599559dee63511ed67eb75fa47cb8b75104002c4baca0e460e

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 06:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GorkerPrivate.exe
Size

895KB
MD5

533cfcfdbce621d1a75048ed80c82113
SHA1

b840f235522f8775e0f590d65580fc511c63762e
SHA256

8f74d8dcb94fe2599559dee63511ed67eb75fa47cb8b75104002c4baca0e460e
SHA512

c2742323604eaf97df952e6082b20e747fb19c227670eccab58a2a329a24239577af1bb1454fb29b23cb7f0108a9eee9592deb51b462aa7dfbaba4bb6ec61668
SSDEEP

6144:qt5IG6wZ9AI57tN0rBe6TM05wiBRju4h4/aOnzJRQuMIwy5zn98psF16TrG8PsTu:fYAI+rBjpOUREzLw2f1WrG8HXXQG

Score

10^/10

njrat hacked defense_evasion evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

9cpanel.hackcrack.io:3489

Mutex

Windows Explorer

Attributes

reg_key
Windows Explorer
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1852	powershell.exe
3832	powershell.exe
1748	powershell.exe
4436	powershell.exe
1112	powershell.exe
4960	powershell.exe
4908	powershell.exe
3576	powershell.exe
1112	powershell.exe
4960	powershell.exe
4908	powershell.exe
3576	powershell.exe
1852	powershell.exe
3832	powershell.exe
1748	powershell.exe
4436	powershell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2388	netsh.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	version.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	GorkerPrivate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Setup.exe

Executes dropped EXE 8 IoCs

pid	Process
1788	Setup.exe
4064	Setup.exe
3976	Gorker Private .exe
3276	svchost.exe
3492	svchost.exe
1604	explorer.exe
3280	version.exe
1016	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ."	explorer.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	Setup.exe
File created	C:\Windows\assembly\Desktop.ini	Setup.exe
File created	C:\Windows\assembly\Desktop.ini	Setup.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Setup.exe

Hide Artifacts: Hidden Window 1 TTPs 8 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
3472	cmd.exe
3396	cmd.exe
2724	cmd.exe
2952	cmd.exe
852	cmd.exe
3820	cmd.exe
832	cmd.exe
4448	cmd.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	Setup.exe
File opened for modification	C:\Windows\assembly	Setup.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Setup.exe
File created	C:\Windows\assembly\Desktop.ini	Setup.exe
File created	C:\Windows\assembly\Desktop.ini	Setup.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4780	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	3492	svchost.exe
Token: SeDebugPrivilege	3276	svchost.exe
Token: SeDebugPrivilege	1604	explorer.exe
Token: SeDebugPrivilege	4436	powershell.exe
Token: SeDebugPrivilege	4780	taskkill.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	4908	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	3576	powershell.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	1016	explorer.exe
Token: 33	1016	explorer.exe
Token: SeIncBasePriorityPrivilege	1016	explorer.exe
Token: 33	1016	explorer.exe
Token: SeIncBasePriorityPrivilege	1016	explorer.exe
Token: 33	1016	explorer.exe
Token: SeIncBasePriorityPrivilege	1016	explorer.exe
Token: 33	1016	explorer.exe
Token: SeIncBasePriorityPrivilege	1016	explorer.exe
Token: 33	1016	explorer.exe
Token: SeIncBasePriorityPrivilege	1016	explorer.exe
Token: 33	1016	explorer.exe
Token: SeIncBasePriorityPrivilege	1016	explorer.exe
Token: 33	1016	explorer.exe
Token: SeIncBasePriorityPrivilege	1016	explorer.exe
Token: 33	1016	explorer.exe
Token: SeIncBasePriorityPrivilege	1016	explorer.exe
Token: 33	1016	explorer.exe
Token: SeIncBasePriorityPrivilege	1016	explorer.exe
Token: 33	1016	explorer.exe
Token: SeIncBasePriorityPrivilege	1016	explorer.exe
Token: 33	1016	explorer.exe
Token: SeIncBasePriorityPrivilege	1016	explorer.exe
Token: 33	1016	explorer.exe
Token: SeIncBasePriorityPrivilege	1016	explorer.exe
Token: 33	1016	explorer.exe
Token: SeIncBasePriorityPrivilege	1016	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1604	explorer.exe
1604	explorer.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 4188 wrote to memory of 1788	4188	GorkerPrivate.exe	82
PID 4188 wrote to memory of 1788	4188	GorkerPrivate.exe	82
PID 4188 wrote to memory of 4064	4188	GorkerPrivate.exe	83
PID 4188 wrote to memory of 4064	4188	GorkerPrivate.exe	83
PID 4188 wrote to memory of 3976	4188	GorkerPrivate.exe	84
PID 4188 wrote to memory of 3976	4188	GorkerPrivate.exe	84
PID 4064 wrote to memory of 3276	4064	Setup.exe	88
PID 4064 wrote to memory of 3276	4064	Setup.exe	88
PID 1788 wrote to memory of 3492	1788	Setup.exe	89
PID 1788 wrote to memory of 3492	1788	Setup.exe	89
PID 3492 wrote to memory of 1604	3492	svchost.exe	97
PID 3492 wrote to memory of 1604	3492	svchost.exe	97
PID 1604 wrote to memory of 3680	1604	explorer.exe	98
PID 1604 wrote to memory of 3680	1604	explorer.exe	98
PID 3280 wrote to memory of 3472	3280	version.exe	101
PID 3280 wrote to memory of 3472	3280	version.exe	101
PID 3280 wrote to memory of 3396	3280	version.exe	102
PID 3280 wrote to memory of 3396	3280	version.exe	102
PID 3280 wrote to memory of 2724	3280	version.exe	105
PID 3280 wrote to memory of 2724	3280	version.exe	105
PID 3280 wrote to memory of 2952	3280	version.exe	107
PID 3280 wrote to memory of 2952	3280	version.exe	107
PID 3280 wrote to memory of 852	3280	version.exe	108
PID 3280 wrote to memory of 852	3280	version.exe	108
PID 3280 wrote to memory of 3820	3280	version.exe	111
PID 3280 wrote to memory of 3820	3280	version.exe	111
PID 3280 wrote to memory of 832	3280	version.exe	113
PID 3280 wrote to memory of 832	3280	version.exe	113
PID 3280 wrote to memory of 4448	3280	version.exe	115
PID 3280 wrote to memory of 4448	3280	version.exe	115
PID 3472 wrote to memory of 1748	3472	cmd.exe	119
PID 3472 wrote to memory of 1748	3472	cmd.exe	119
PID 3396 wrote to memory of 4436	3396	cmd.exe	120
PID 3396 wrote to memory of 4436	3396	cmd.exe	120
PID 2952 wrote to memory of 1112	2952	cmd.exe	121
PID 2952 wrote to memory of 1112	2952	cmd.exe	121
PID 2724 wrote to memory of 4960	2724	cmd.exe	122
PID 2724 wrote to memory of 4960	2724	cmd.exe	122
PID 3820 wrote to memory of 4908	3820	cmd.exe	123
PID 3820 wrote to memory of 4908	3820	cmd.exe	123
PID 832 wrote to memory of 1852	832	cmd.exe	125
PID 832 wrote to memory of 1852	832	cmd.exe	125
PID 4448 wrote to memory of 3576	4448	cmd.exe	126
PID 4448 wrote to memory of 3576	4448	cmd.exe	126
PID 852 wrote to memory of 3832	852	cmd.exe	127
PID 852 wrote to memory of 3832	852	cmd.exe	127
PID 1604 wrote to memory of 1016	1604	explorer.exe	129
PID 1604 wrote to memory of 1016	1604	explorer.exe	129
PID 1016 wrote to memory of 2388	1016	explorer.exe	130
PID 1016 wrote to memory of 2388	1016	explorer.exe	130

C:\Users\Admin\AppData\Local\Temp\GorkerPrivate.exe
"C:\Users\Admin\AppData\Local\Temp\GorkerPrivate.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3492
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1604
    - - \??\c:\windows\system32\cmstp.exe
        
        "c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\m2hedfcw.inf
        5⤵
        
        PID:3680
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1016
      - C:\Windows\SYSTEM32\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2388
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4064
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3276
- C:\Users\Admin\AppData\Local\Temp\Gorker Private .exe
  "C:\Users\Admin\AppData\Local\Temp\Gorker Private .exe"
  2⤵
  - Executes dropped EXE
  PID:3976

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:3472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1748
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:3396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4436
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4960
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1112
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3832
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4908
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1852
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe
  2⤵
  - Hide Artifacts: Hidden Window
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3576

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\Setup.exe.log

Filesize
408B

MD5
70f08e6585ed9994d97a4c71472fccd8

SHA1
3f44494d4747c87fb8b94bb153c3a3d717f9fd63

SHA256
87fbf339c47e259826080aa2dcbdf371ea47a50eec88222c6e64a92906cb37fa

SHA512
d381aec2ea869f3b2d06497e934c7fe993df6deac719370bd74310a29e8e48b6497559922d2cb44ace97c4bd7ad00eae8fe92a31081f2119de3ddbb5988af388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\explorer.exe.log

Filesize
676B

MD5
79d206410500f74a6f755f82d514c459

SHA1
67782eff101d316ad1eb79ee76dc4095f5994db3

SHA256
697be2be7b14b3ef2953b93cc2d380b350c19e2ef41399ab289fe1c8e2281f36

SHA512
72848557148090200726fbfa30c008e54067d79e804ef604c78ee4fdc0c77d3da6c60abedb5c05e4943eb768d737873db585619b2559a1b6d1e6b917d216d822

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\svchost.exe.log

Filesize
588B

MD5
2f142977932b7837fa1cc70278e53361

SHA1
0a3212d221079671bfdeee176ad841e6f15904fc

SHA256
961ca2c0e803a7201adb3b656ed3abafc259d6d376e8ade66f0afff10a564820

SHA512
a25e45e41933902bcc0ea38b4daa64e96cbcd8900b446e1326cffb8c91eb1886b1e90686190bdba30d7014490001a732f91f2869bb9987c0213a8d798c7b3421

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gorker Private .exe

Filesize
401KB

MD5
55128e0a30d438cb5e4d85beb4d61d4f

SHA1
aa99199ae8d2e1471cb9ec3c8fc1c6cfb355c914

SHA256
2a2e49592f82336a9d1a01fd190bc44e98b3caf17c05c046f06e8d4549d2930b

SHA512
60fedb8c75623fdefd173dae60a1952520699e42acd58b1075303f3d93abad03a1235f19327cfc6204053a29e16ba6a4de14f3e6fc99667a5d0ac75afd283bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
477KB

MD5
0e6c9432cba1614fccc232f201028c72

SHA1
6082cf9489faa785c066195f108548e705a6d407

SHA256
c9a2faffee3de29e278a89e54b07edb1f520f5e665480a1002d401fd83cde2e8

SHA512
c341000eb6f10c3ee1fb722914abb8ba2e1a3ab32a0ccdd92561c0604d58924699d3f9886b8bd03ab13223c9c78eef74045b181520298dba3323a2809c670abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_acbwjepc.rvi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\m2hedfcw.inf

Filesize
619B

MD5
6f1420f2133f3e08fd8cdea0e1f5fe27

SHA1
3aa41ec75adc0cf50e001ca91bbfa7f763adf70b

SHA256
aed1ac2424a255f231168bcb02f16b6ea89603e0045465c2149abcde33a06242

SHA512
d5629e9835f881cd271e88d9ec2d2c27b9d5d1b25329ade5cfb9824a6358c9e98e66f1b89ac9459b4c540c02af2728129dd8523bdf007cadf28b5fa2d199a2aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe

Filesize
357KB

MD5
cff755ff758e9e71d0af34017a8e9d8e

SHA1
8d401767360e61261cee79a18e061d9a0dc95724

SHA256
c4b3fdf0d7a1dc296560d0ca1f09ce89f3acbcab445fe5fcf5fe908ed3844be2

SHA512
a752a4ed0229cb7ee5a8b0768254f1acb89b1da876a7594952c75cffdb7b7990a45a335332144ae0ff06e0e0dd5e033a89fa29ed2355e2084bcc249e41a73052

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe

Filesize
339KB

MD5
301e8d9a2445dd999ce816c17d8dbbb3

SHA1
b91163babeb738bd4d0f577ac764cee17fffe564

SHA256
2ea1fa52a6896ce0100084e3696712d76b4d1e995ca0012954bae3107562a9eb

SHA512
4941a820d26206fa3e333419622c3b07c8ebdaad51d1c6976df912e9ec123ad39a0c67fb5c3e362658f8463b366892fc4575d4cc2ebe62c2011d10ed5eb6bba3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.zip

Filesize
280KB

MD5
d50bda974f146ea6bbb0b9e1c8e684a2

SHA1
57a02d7b65069ea50c23d711215d385e1b626031

SHA256
9e2cd9a87cf779501dcb29702283bc083d1d2342d449f18c16dcf8458c9bdfa5

SHA512
e245805e24c565a7ea41947b28713f38ea15da4571bed59b998a5125bae67be17239aa531bd51581be693156490b74af27c93336aa79660cda28ccd5afe0d7b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe

Filesize
84KB

MD5
15ee95bc8e2e65416f2a30cf05ef9c2e

SHA1
107ca99d3414642450dec196febcd787ac8d7596

SHA256
c55b3aaf558c1cd8768f3d22b3fcc908a0e8c33e3f4e1f051d2b1b9315223d4d

SHA512
ed1cceb8894fb02cd585ec799e7c8564536976e50c04bf0c3e246a24a6eef719079455f1d6664fa09181979260db16903c60a0ef938472ca71ccaabe16ea1a98

Download Submit
memory/1112-172-0x0000021B1E0A0000-0x0000021B1E1EE000-memory.dmp

Filesize
1.3MB

Download
memory/1604-82-0x00000000015E0000-0x00000000015E8000-memory.dmp

Filesize
32KB

Download
memory/1604-85-0x0000000001620000-0x000000000162C000-memory.dmp

Filesize
48KB

Download
memory/1748-178-0x0000025599F40000-0x000002559A08E000-memory.dmp

Filesize
1.3MB

Download
memory/1788-33-0x0000000001790000-0x00000000017BC000-memory.dmp

Filesize
176KB

Download
memory/1788-54-0x00007FFA8AA60000-0x00007FFA8B401000-memory.dmp

Filesize
9.6MB

Download
memory/1788-32-0x00007FFA8AA60000-0x00007FFA8B401000-memory.dmp

Filesize
9.6MB

Download
memory/1788-37-0x00007FFA8AA60000-0x00007FFA8B401000-memory.dmp

Filesize
9.6MB

Download
memory/1788-40-0x00007FFA8AA60000-0x00007FFA8B401000-memory.dmp

Filesize
9.6MB

Download
memory/1852-181-0x0000022C49140000-0x0000022C4928E000-memory.dmp

Filesize
1.3MB

Download
memory/3492-53-0x00000000009D0000-0x00000000009D8000-memory.dmp

Filesize
32KB

Download
memory/3576-168-0x00000217F6000000-0x00000217F614E000-memory.dmp

Filesize
1.3MB

Download
memory/3832-184-0x000001D6FE200000-0x000001D6FE34E000-memory.dmp

Filesize
1.3MB

Download
memory/3976-38-0x0000000000430000-0x000000000049A000-memory.dmp

Filesize
424KB

Download
memory/4064-44-0x00007FFA8AA60000-0x00007FFA8B401000-memory.dmp

Filesize
9.6MB

Download
memory/4064-55-0x00007FFA8AA60000-0x00007FFA8B401000-memory.dmp

Filesize
9.6MB

Download
memory/4064-48-0x00007FFA8AA60000-0x00007FFA8B401000-memory.dmp

Filesize
9.6MB

Download
memory/4064-47-0x00007FFA8AA60000-0x00007FFA8B401000-memory.dmp

Filesize
9.6MB

Download
memory/4188-0-0x00007FFA8AD15000-0x00007FFA8AD16000-memory.dmp

Filesize
4KB

Download
memory/4188-6-0x00007FFA8AA60000-0x00007FFA8B401000-memory.dmp

Filesize
9.6MB

Download
memory/4188-4-0x000000001C150000-0x000000001C1EC000-memory.dmp

Filesize
624KB

Download
memory/4188-2-0x00007FFA8AA60000-0x00007FFA8B401000-memory.dmp

Filesize
9.6MB

Download
memory/4188-36-0x00007FFA8AA60000-0x00007FFA8B401000-memory.dmp

Filesize
9.6MB

Download
memory/4188-3-0x000000001BBE0000-0x000000001C0AE000-memory.dmp

Filesize
4.8MB

Download
memory/4188-1-0x000000001B600000-0x000000001B6A6000-memory.dmp

Filesize
664KB

Download
memory/4436-169-0x000001D2D41A0000-0x000001D2D42EE000-memory.dmp

Filesize
1.3MB

Download
memory/4436-92-0x000001D2D4070000-0x000001D2D4092000-memory.dmp

Filesize
136KB

Download
memory/4908-175-0x000001D2FEBD0000-0x000001D2FED1E000-memory.dmp

Filesize
1.3MB

Download
memory/4960-162-0x000001AE40A20000-0x000001AE40B6E000-memory.dmp

Filesize
1.3MB

Download