njrat | hxxps://samples[.]vx-underground[.]org/Samples/Bazaar%20Collection/Downloadable%20Releases/Bazaar[.]2020[.]02[.]7z

Analysis

max time kernel
235s
max time network
230s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://samples.vx-underground.org/Samples/Bazaar%20Collection/Downloadable%20Releases/Bazaar.2020.02.7z

Score

10^/10

njrat roby discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Botnet

roby

Mutex

4bda69d82f2ad26800386604df9bc3de

Attributes

reg_key
4bda69d82f2ad26800386604df9bc3de

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4068	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Backdoor.MSIL.Agent (1).exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4bda69d82f2ad26800386604df9bc3de.exe	System32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4bda69d82f2ad26800386604df9bc3de.exe	System32.exe

Executes dropped EXE 2 IoCs

pid	Process
2892	Backdoor.MSIL.Agent (1).exe
1484	System32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4bda69d82f2ad26800386604df9bc3de = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System32.exe\" .."	System32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4bda69d82f2ad26800386604df9bc3de = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System32.exe\" .."	System32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Backdoor.MSIL.Agent (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	System32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4432	msedge.exe
4432	msedge.exe
452	msedge.exe
452	msedge.exe
3456	identity_helper.exe
3456	identity_helper.exe
2200	msedge.exe
2200	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1612	7zFM.exe
664	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	1612	7zFM.exe
Token: 35	1612	7zFM.exe
Token: SeSecurityPrivilege	1612	7zFM.exe
Token: SeDebugPrivilege	1484	System32.exe
Token: 33	1484	System32.exe
Token: SeIncBasePriorityPrivilege	1484	System32.exe
Token: 33	1484	System32.exe
Token: SeIncBasePriorityPrivilege	1484	System32.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
1612	7zFM.exe
1612	7zFM.exe
452	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
664	OpenWith.exe
664	OpenWith.exe
664	OpenWith.exe
664	OpenWith.exe
664	OpenWith.exe
664	OpenWith.exe
664	OpenWith.exe
664	OpenWith.exe
664	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 3424	452	msedge.exe	83
PID 452 wrote to memory of 3424	452	msedge.exe	83
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 2900	452	msedge.exe	84
PID 452 wrote to memory of 4432	452	msedge.exe	85
PID 452 wrote to memory of 4432	452	msedge.exe	85
PID 452 wrote to memory of 4496	452	msedge.exe	86
PID 452 wrote to memory of 4496	452	msedge.exe	86
PID 452 wrote to memory of 4496	452	msedge.exe	86
PID 452 wrote to memory of 4496	452	msedge.exe	86
PID 452 wrote to memory of 4496	452	msedge.exe	86
PID 452 wrote to memory of 4496	452	msedge.exe	86
PID 452 wrote to memory of 4496	452	msedge.exe	86
PID 452 wrote to memory of 4496	452	msedge.exe	86
PID 452 wrote to memory of 4496	452	msedge.exe	86
PID 452 wrote to memory of 4496	452	msedge.exe	86
PID 452 wrote to memory of 4496	452	msedge.exe	86
PID 452 wrote to memory of 4496	452	msedge.exe	86
PID 452 wrote to memory of 4496	452	msedge.exe	86
PID 452 wrote to memory of 4496	452	msedge.exe	86
PID 452 wrote to memory of 4496	452	msedge.exe	86
PID 452 wrote to memory of 4496	452	msedge.exe	86
PID 452 wrote to memory of 4496	452	msedge.exe	86
PID 452 wrote to memory of 4496	452	msedge.exe	86
PID 452 wrote to memory of 4496	452	msedge.exe	86
PID 452 wrote to memory of 4496	452	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://samples.vx-underground.org/Samples/Bazaar%20Collection/Downloadable%20Releases/Bazaar.2020.02.7z
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9de8c46f8,0x7ff9de8c4708,0x7ff9de8c4718
  2⤵
  PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,12364185168108465452,813265909917158177,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,12364185168108465452,813265909917158177,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,12364185168108465452,813265909917158177,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12364185168108465452,813265909917158177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12364185168108465452,813265909917158177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,12364185168108465452,813265909917158177,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,12364185168108465452,813265909917158177,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12364185168108465452,813265909917158177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12364185168108465452,813265909917158177,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12364185168108465452,813265909917158177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12364185168108465452,813265909917158177,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,12364185168108465452,813265909917158177,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12364185168108465452,813265909917158177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,12364185168108465452,813265909917158177,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3472

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2428

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Bazaar.2020.02.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1612

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:664

C:\Users\Admin\Desktop\Backdoor.MSIL.Agent (1).exe
"C:\Users\Admin\Desktop\Backdoor.MSIL.Agent (1).exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2892
- C:\Users\Admin\AppData\Local\Temp\System32.exe
  "C:\Users\Admin\AppData\Local\Temp\System32.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\System32.exe" "System32.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\39abfee6-321b-4497-97dc-ee932f088cf4.tmp

Filesize
6KB

MD5
206c13c040090a87db9dd22fec2aad3d

SHA1
5e1820a67ce51e9b9699997e56f02914ed851adb

SHA256
02528d02f14b3d141c8e00e1f49ca4e595b45cb7c092f259a583a698eaec8563

SHA512
a3531cd2b2559662406c3d2804bbf88cdb2f8c6bd16a2b9be49b8c7ee1fafb9b5e72093c2d07a8659699c2488e5076a7f50c7acf73e80d9ba8b60afd93b94688

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
194B

MD5
c753a51b344f5e0b7614e6b335efce1a

SHA1
ecab6c44f7f65a04b594d3c1f5ccc151e1fbbea5

SHA256
b9be628c5d1925240917e40326ded59765a86dfc8580b59d2e51f9925f3fc494

SHA512
c579bb93537ef2b84bf17b99354eaf60da7719432451d916f15084675ab7fa9c5b24c8e370108b0fec1244d2a8ff44e1ace16fca9abf18c5a12f91f8801a68c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
19e233d73c6a7f09aae2775d32db844d

SHA1
b809f19d86844f84e16517c31aa6bc046e69a351

SHA256
5527e18ff38fe188b8943aa82db99aeafde24bcb83603eb2567de5a1749aa003

SHA512
bca052e0538693d1aecec0115c9519cf8ee5470c01f2c2c0f53ff9cde7c41be959c2d11f3cd63f5f08039a984b45ee805968e403b9d4b3017cfae092d8f1635e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
80848f8841c34fec88d0156bac26c8e9

SHA1
991b07e15221ec07e5dc7c749dde15b7259ce8bc

SHA256
a9174550cba75103d9b749729aa05f1fd04f5c3a27d88009d967d813d747820b

SHA512
742b7017db0c7e3c14c4726ce68128958fe5fb443d89be0af1574591b9f2a0cfeb29cdb82fe22770cf7dfefab551898f74d66da4f199324cc6df40722d1f3dc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
77f8b4fb7f14803054fed0f22ae53e58

SHA1
c7af30d0942d892ee185e09f9d0ae36464ac3f53

SHA256
3242255d6d886605218077a839804955f15e35a84325fc17c97e95d5e60722e8

SHA512
04d4a5a9a4906f31f252a651acd6e4a85bb49fe86253cb59fd1cc54c3b0776b7e10a888676aa333b501619a32a74800bbad42b62a9588487a10f2a2aace89a9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
db517eb1ec5098748fbd4a929c1c5ee3

SHA1
76f8809ce253db448d983f61736b37e23ca46115

SHA256
167ad2e0fb427c28c2d57abcaea92d4e1da70fac333b2cc8ac846d3d0105cff9

SHA512
5c00c7808c105f9735a2225973ca106443f669024ff1507a5393e351cc35bae2c371043b0d40c2036b3128d5bf8f4e492c384492c3d3445c14a547d3a889556a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a3438e082a1c8e25beae1deee123bc26

SHA1
ff8ce2a3dda7ae0a3ee11d06ed272aac6bc45361

SHA256
a9815ed2db39da43df01370c808e87ca871fdb976a99479004d56ca9c127ad24

SHA512
971b6f8fa522dd7e39ffc1f37a84eb103d95179cf8e4728007e19c577dc6acc31ad594141889ecc47e9ef3a63431e2dd064892843e3e62f177ebd528800c8d1f

Download Submit
C:\Users\Admin\Desktop\Backdoor.MSIL.Agent (1).exe

Filesize
32KB

MD5
08636ca8d5d28006ddf067c6d251613b

SHA1
cde8d41c71fda0d09ab8653231b4c9edb9e0afed

SHA256
fbb4863016dfcfc7f11e3d41896c2f42efd1c376d5c85f7b9bcd0d244e260b99

SHA512
c95076961ff333e17c62955089bc23166a54e05726f4e568dd917a6de02dda29533488538169abb6b33de1e242582e0440b7186aa7070e4386424e11d9701b9c

Download Submit
C:\Users\Admin\Desktop\Mal\bazaar.2020.02\HEUR-Trojan-Ransom.Win32.Sodin.vho-1b9dfd1fe17d3783b2ab4a6d583be6fca9ba164d2a1cd6814c710774ec9bd031

Filesize
166KB

MD5
103f84a7f18492bb17b68cede3a8c53d

SHA1
ed4e3c82883ef862df0a86f858d30fae4bda8cf3

SHA256
1b9dfd1fe17d3783b2ab4a6d583be6fca9ba164d2a1cd6814c710774ec9bd031

SHA512
7bf42382e4c9cdeae9e364a16945366eaebd5ea1859a09d8b8dff5d79593812a07e0037aa54464ae3ec25990b259d87c3c8462391986dbfaff961377972fb512

Download Submit
C:\Users\Admin\Desktop\Mal\bazaar.2020.02\HEUR-Trojan-Ransom.Win32.Sodin.vho-23d7cd4b0535b40662dc211b4ae28c4b5383c66b4b686064bd391a259da80d48

Filesize
164KB

MD5
708ef2feaf6fc35f33486111d9c0f97b

SHA1
9d91bfe8fd44ff1d75551807017e634c2b7580d1

SHA256
23d7cd4b0535b40662dc211b4ae28c4b5383c66b4b686064bd391a259da80d48

SHA512
35db49ab278f1c78d7193e8c75d07fd9d66bab62a7f140b451f03b9fe49138525d92ffe08cd155ae4b6ceec4eca91f2253fba71ddf1af5cb6f701d9b3899d04f

Download Submit
C:\Users\Admin\Desktop\Mal\bazaar.2020.02\HEUR-Trojan-Ransom.Win32.Sodin.vho-578e1b00157447f99716b646af6b0c33d0f6c32257a19376d6cc9d003ff0fba1

Filesize
164KB

MD5
722e15d85827d3ac13e56e8108688012

SHA1
cab935a24d7d0ea7e8d93851f7ea94ab9bccfc34

SHA256
578e1b00157447f99716b646af6b0c33d0f6c32257a19376d6cc9d003ff0fba1

SHA512
59e24cf313db4413f44f16a8276d072f43402e718c25e1d00e81ddc69a1937473cfd1902c320bc9175d75a0d43a53ab3e971b8447ec1cf9cf9aa3aa536464273

Download Submit
C:\Users\Admin\Desktop\Mal\bazaar.2020.02\HEUR-Trojan.Win32.Generic-94e8fa6dac6e1a9e76dabf84a2478626eb9cba660c3a9dbe525caa7271fcdef6

Filesize
25KB

MD5
2dff234d815257b3cec6c671f59adbd8

SHA1
9e61b93827619f545e56e0dce967166105d9659d

SHA256
94e8fa6dac6e1a9e76dabf84a2478626eb9cba660c3a9dbe525caa7271fcdef6

SHA512
5ea83782bcc35aa3e9abd355017a88deded529d8f95fcc854f9bc7f3be12d72cb318e77172c9af87358432ec5f1f93e32d52b759b42ad88257569700d28ee154

Download Submit
C:\Users\Admin\Downloads\Bazaar.2020.02.7z

Filesize
6.3MB

MD5
a2fc1e0d85da197a26203e22bdd1b5a2

SHA1
4c2f2158f440347a0f722cd81eb806e28481b868

SHA256
7559e6ca8b77400f88bf4e67208a1c32570a670068eccae9e3d226cc5471bd47

SHA512
6781742683061f15e74d6a62b16102dde83cafe1aa6f349e1ecec305dd3a72ea043709a19ec435a749e506efb4d93e82ea5ee620bfe60024a5782550eb7f8745

Download Submit