njrat | e249cfa785ad8d169e8d1df6694af48edf299ad2e261d6bd511dabe1d1612431

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Maple.sfx.exe
Size

49.9MB
MD5

14f12462e11fa31d767d0c5c595275d7
SHA1

f1856059d89103e0f4945596fc676d9e7324b617
SHA256

e249cfa785ad8d169e8d1df6694af48edf299ad2e261d6bd511dabe1d1612431
SHA512

6a8ba912609f58c2dba80a56962529ccde435ec1564497fadc3b6a5e28c5c06cd054e725d0e42a891fdee6d378b041cb3d71890622a7d569cacfac3f452b7c1f
SSDEEP

1572864:NKc6lOyrjq1zExjMkfCfYFvWExN+ZJupU485C/:NP6lOscE9Mkfnb1pUTC/

Score

10^/10

njrat umbral xworm hacked discovery evasion execution persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1260642804414156891/hKfLDYiwORnJS0u7NEs9WPwqTyOYiJyHsbqndD7MezE-rhVSLHFDRhBZ_hNqb3v9ZoeE

Extracted

Family

xworm

Version

5.0

testarosa.duckdns.org:7110

Mutex

5ZpeoOe6AtQfr6wU

Attributes

Install_directory
%AppData%
install_file
Ondrive.exe

aes.plain

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

147.185.221.20:49236

Mutex

6a8a3b6e5450a823d542e748a454aa4c

Attributes

reg_key
6a8a3b6e5450a823d542e748a454aa4c
splitter
|'|'|

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000500000001a4ad-33.dat	family_umbral
behavioral1/memory/2712-35-0x0000000000E20000-0x0000000000E60000-memory.dmp	family_umbral

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000500000001a4e3-75.dat	family_xworm
behavioral1/memory/2744-95-0x00000000002C0000-0x00000000002D0000-memory.dmp	family_xworm
behavioral1/memory/1112-237-0x00000000012F0000-0x0000000001300000-memory.dmp	family_xworm
behavioral1/memory/2440-239-0x0000000000370000-0x0000000000380000-memory.dmp	family_xworm

Njrat family
njrat
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1964	powershell.exe
2868	powershell.exe
2488	powershell.exe
1904	powershell.exe
1364	powershell.exe
2248	powershell.exe
2192	powershell.exe
1680	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Maple.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1708	netsh.exe

Executes dropped EXE 10 IoCs

pid	Process
2224	loader.exe
2836	Server.exe
2712	Maple.exe
2976	loader.exe
668	Server.exe
2744	conhost.exe
1748	loader.exe
2096	server.exe
1112	Ondrive.exe
2440	Ondrive.exe

Loads dropped DLL 8 IoCs

pid	Process
1712	Maple.sfx.exe
1712	Maple.sfx.exe
1712	Maple.sfx.exe
1712	Maple.sfx.exe
2224	loader.exe
2976	loader.exe
1748	loader.exe
668	Server.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\6a8a3b6e5450a823d542e748a454aa4c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\6a8a3b6e5450a823d542e748a454aa4c = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	discord.com
10	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maple.sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1100	cmd.exe
776	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2576	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
776	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2296	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2744	conhost.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1364	powershell.exe
2712	Maple.exe
2248	powershell.exe
2192	powershell.exe
1680	powershell.exe
1964	powershell.exe
1904	powershell.exe
2868	powershell.exe
3052	powershell.exe
2488	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	conhost.exe
Token: SeDebugPrivilege	2712	Maple.exe
Token: SeIncreaseQuotaPrivilege	1524	wmic.exe
Token: SeSecurityPrivilege	1524	wmic.exe
Token: SeTakeOwnershipPrivilege	1524	wmic.exe
Token: SeLoadDriverPrivilege	1524	wmic.exe
Token: SeSystemProfilePrivilege	1524	wmic.exe
Token: SeSystemtimePrivilege	1524	wmic.exe
Token: SeProfSingleProcessPrivilege	1524	wmic.exe
Token: SeIncBasePriorityPrivilege	1524	wmic.exe
Token: SeCreatePagefilePrivilege	1524	wmic.exe
Token: SeBackupPrivilege	1524	wmic.exe
Token: SeRestorePrivilege	1524	wmic.exe
Token: SeShutdownPrivilege	1524	wmic.exe
Token: SeDebugPrivilege	1524	wmic.exe
Token: SeSystemEnvironmentPrivilege	1524	wmic.exe
Token: SeRemoteShutdownPrivilege	1524	wmic.exe
Token: SeUndockPrivilege	1524	wmic.exe
Token: SeManageVolumePrivilege	1524	wmic.exe
Token: 33	1524	wmic.exe
Token: 34	1524	wmic.exe
Token: 35	1524	wmic.exe
Token: SeIncreaseQuotaPrivilege	1524	wmic.exe
Token: SeSecurityPrivilege	1524	wmic.exe
Token: SeTakeOwnershipPrivilege	1524	wmic.exe
Token: SeLoadDriverPrivilege	1524	wmic.exe
Token: SeSystemProfilePrivilege	1524	wmic.exe
Token: SeSystemtimePrivilege	1524	wmic.exe
Token: SeProfSingleProcessPrivilege	1524	wmic.exe
Token: SeIncBasePriorityPrivilege	1524	wmic.exe
Token: SeCreatePagefilePrivilege	1524	wmic.exe
Token: SeBackupPrivilege	1524	wmic.exe
Token: SeRestorePrivilege	1524	wmic.exe
Token: SeShutdownPrivilege	1524	wmic.exe
Token: SeDebugPrivilege	1524	wmic.exe
Token: SeSystemEnvironmentPrivilege	1524	wmic.exe
Token: SeRemoteShutdownPrivilege	1524	wmic.exe
Token: SeUndockPrivilege	1524	wmic.exe
Token: SeManageVolumePrivilege	1524	wmic.exe
Token: 33	1524	wmic.exe
Token: 34	1524	wmic.exe
Token: 35	1524	wmic.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeIncreaseQuotaPrivilege	1476	wmic.exe
Token: SeSecurityPrivilege	1476	wmic.exe
Token: SeTakeOwnershipPrivilege	1476	wmic.exe
Token: SeLoadDriverPrivilege	1476	wmic.exe
Token: SeSystemProfilePrivilege	1476	wmic.exe
Token: SeSystemtimePrivilege	1476	wmic.exe
Token: SeProfSingleProcessPrivilege	1476	wmic.exe
Token: SeIncBasePriorityPrivilege	1476	wmic.exe
Token: SeCreatePagefilePrivilege	1476	wmic.exe
Token: SeBackupPrivilege	1476	wmic.exe
Token: SeRestorePrivilege	1476	wmic.exe
Token: SeShutdownPrivilege	1476	wmic.exe
Token: SeDebugPrivilege	1476	wmic.exe
Token: SeSystemEnvironmentPrivilege	1476	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2224	1712	Maple.sfx.exe	30
PID 1712 wrote to memory of 2224	1712	Maple.sfx.exe	30
PID 1712 wrote to memory of 2224	1712	Maple.sfx.exe	30
PID 1712 wrote to memory of 2224	1712	Maple.sfx.exe	30
PID 2224 wrote to memory of 2836	2224	loader.exe	31
PID 2224 wrote to memory of 2836	2224	loader.exe	31
PID 2224 wrote to memory of 2836	2224	loader.exe	31
PID 2224 wrote to memory of 2712	2224	loader.exe	32
PID 2224 wrote to memory of 2712	2224	loader.exe	32
PID 2224 wrote to memory of 2712	2224	loader.exe	32
PID 2224 wrote to memory of 2976	2224	loader.exe	33
PID 2224 wrote to memory of 2976	2224	loader.exe	33
PID 2224 wrote to memory of 2976	2224	loader.exe	33
PID 2836 wrote to memory of 668	2836	Server.exe	35
PID 2836 wrote to memory of 668	2836	Server.exe	35
PID 2836 wrote to memory of 668	2836	Server.exe	35
PID 2836 wrote to memory of 668	2836	Server.exe	35
PID 2836 wrote to memory of 2744	2836	Server.exe	36
PID 2836 wrote to memory of 2744	2836	Server.exe	36
PID 2836 wrote to memory of 2744	2836	Server.exe	36
PID 2976 wrote to memory of 1748	2976	loader.exe	37
PID 2976 wrote to memory of 1748	2976	loader.exe	37
PID 2976 wrote to memory of 1748	2976	loader.exe	37
PID 2744 wrote to memory of 1364	2744	conhost.exe	39
PID 2744 wrote to memory of 1364	2744	conhost.exe	39
PID 2744 wrote to memory of 1364	2744	conhost.exe	39
PID 2712 wrote to memory of 1524	2712	Maple.exe	41
PID 2712 wrote to memory of 1524	2712	Maple.exe	41
PID 2712 wrote to memory of 1524	2712	Maple.exe	41
PID 2712 wrote to memory of 2268	2712	Maple.exe	44
PID 2712 wrote to memory of 2268	2712	Maple.exe	44
PID 2712 wrote to memory of 2268	2712	Maple.exe	44
PID 2712 wrote to memory of 2248	2712	Maple.exe	46
PID 2712 wrote to memory of 2248	2712	Maple.exe	46
PID 2712 wrote to memory of 2248	2712	Maple.exe	46
PID 2744 wrote to memory of 2192	2744	conhost.exe	48
PID 2744 wrote to memory of 2192	2744	conhost.exe	48
PID 2744 wrote to memory of 2192	2744	conhost.exe	48
PID 2744 wrote to memory of 1680	2744	conhost.exe	50
PID 2744 wrote to memory of 1680	2744	conhost.exe	50
PID 2744 wrote to memory of 1680	2744	conhost.exe	50
PID 2712 wrote to memory of 1964	2712	Maple.exe	52
PID 2712 wrote to memory of 1964	2712	Maple.exe	52
PID 2712 wrote to memory of 1964	2712	Maple.exe	52
PID 2744 wrote to memory of 1904	2744	conhost.exe	54
PID 2744 wrote to memory of 1904	2744	conhost.exe	54
PID 2744 wrote to memory of 1904	2744	conhost.exe	54
PID 2712 wrote to memory of 2868	2712	Maple.exe	56
PID 2712 wrote to memory of 2868	2712	Maple.exe	56
PID 2712 wrote to memory of 2868	2712	Maple.exe	56
PID 2712 wrote to memory of 3052	2712	Maple.exe	58
PID 2712 wrote to memory of 3052	2712	Maple.exe	58
PID 2712 wrote to memory of 3052	2712	Maple.exe	58
PID 2744 wrote to memory of 2296	2744	conhost.exe	60
PID 2744 wrote to memory of 2296	2744	conhost.exe	60
PID 2744 wrote to memory of 2296	2744	conhost.exe	60
PID 2712 wrote to memory of 1476	2712	Maple.exe	62
PID 2712 wrote to memory of 1476	2712	Maple.exe	62
PID 2712 wrote to memory of 1476	2712	Maple.exe	62
PID 2712 wrote to memory of 1380	2712	Maple.exe	64
PID 2712 wrote to memory of 1380	2712	Maple.exe	64
PID 2712 wrote to memory of 1380	2712	Maple.exe	64
PID 2712 wrote to memory of 1272	2712	Maple.exe	66
PID 2712 wrote to memory of 1272	2712	Maple.exe	66

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2268	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Maple.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\Maple.sfx.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Roaming\loader.exe
  "C:\Users\Admin\AppData\Roaming\loader.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Users\Admin\AppData\Roaming\Server.exe
      "C:\Users\Admin\AppData\Roaming\Server.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:668
    - - C:\Users\Admin\AppData\Local\Temp\server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2096
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1708
  - - C:\Users\Admin\AppData\Roaming\conhost.exe
      "C:\Users\Admin\AppData\Roaming\conhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Ondrive.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Ondrive.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Ondrive" /tr "C:\Users\Admin\AppData\Roaming\Ondrive.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2296
- - C:\Users\Admin\AppData\Local\Temp\Maple.exe
    "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1524
  - - C:\Windows\system32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Maple.exe"
      4⤵
      Views/modifies file attributes
      PID:2268
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maple.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2248
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1964
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2868
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3052
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1476
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:1380
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:1272
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2488
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2576
  - - C:\Windows\system32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Maple.exe" && pause
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:1100
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:776
- - C:\Users\Admin\AppData\Local\Temp\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Users\Admin\AppData\Local\Temp\onefile_2976_133787164475210000\loader.exe
      "C:\Users\Admin\AppData\Local\Temp\loader.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1748

C:\Windows\system32\taskeng.exe
taskeng.exe {152D45DE-0A81-4C97-BCB8-B786A541B241} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]
1⤵
PID:1756
- C:\Users\Admin\AppData\Roaming\Ondrive.exe
  C:\Users\Admin\AppData\Roaming\Ondrive.exe
  2⤵
  - Executes dropped EXE
  PID:1112
- C:\Users\Admin\AppData\Roaming\Ondrive.exe
  C:\Users\Admin\AppData\Roaming\Ondrive.exe
  2⤵
  - Executes dropped EXE
  PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Maple.exe

Filesize
227KB

MD5
550b445ad1a44d1f23f7155fae400db6

SHA1
cb006a53156285fdef3a0b33a4a08f534cd3bab7

SHA256
d223b3918e8bc3bab1d23fdc2e306be1c6587d3ab8f324fc377e37585387884e

SHA512
909f31f24672ffc5542ac42f344eb6020bcdfdfac9ac13d5672fe7ed22e686b06385d15709f1f83b576b1dade591ad40eb429ef076d07f4597235cd95a679fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
71KB

MD5
f9b08bd21b40a938122b479095b7c70c

SHA1
eb925e3927b83c20d8d24bdab2e587c10d6ac8cd

SHA256
c96cde2e96021c266a202286d644ceb28543d6347e21006d72b29b8a72c505e8

SHA512
fcc5784936b7f85a550883c472b99b5edfa7e5c6fd3872fd806b81c2ce1f195ca34342b230a89456066885579fe55aea46d91074ac08af192fbd04ea158473ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2976_133787164475210000\python311.dll

Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VV3Q303OMJRK2LF4MUEA.temp

Filesize
7KB

MD5
22772e2c46093a04accf2aae42d2c104

SHA1
64233ea5d0f73ab35c2c7a79849da4147c990903

SHA256
934aeba6356a277c881df275f9e9454edc44e82e144e8cb2e0f35e8f591d7b92

SHA512
7715293013974520b81092534dd219ba5647341c38d5d3b35139557d855dfea03337afde37f8f0c60e0eee335da423d79fbff328e27dfb1c4e46b2bb36af2594

Download Submit
C:\Users\Admin\AppData\Roaming\Server.exe

Filesize
23KB

MD5
32fe01ccb93b0233503d0aaaa451f7b2

SHA1
58e5a63142150e8fb175dbb4dedea2ce405d7db0

SHA256
6988ee719a54c93a89303dcff277c62ae4890274cc45f074bc7effde315fbf43

SHA512
76945f23a49d594e325d80ffc0570341044ac0b97bd889c92f90bc56d3cdff5c1b29178be4f157c8c1bb9ce7cc311765309f2e6f7b08b24e7acf983ea67635a6

Download Submit
C:\Users\Admin\AppData\Roaming\conhost.exe

Filesize
37KB

MD5
b37dd1a1f0507baf993471ae1b7a314c

SHA1
9aff9d71492ffff8d51f8e8d67f5770755899882

SHA256
e58e8918a443c0061add029f8f211f6551a130202195cc2b9b529ea72553e0bc

SHA512
ac76d5b10540eb292341f30c7abfd81f03be65f6655c814aba6ac6a0ecf4f0f2c34c3b8e63ceef8c4579f98b7459e51b9fdd30d601c6d1930860ab7c154da460

Download Submit
\Users\Admin\AppData\Local\Temp\loader.exe

Filesize
5.3MB

MD5
e630d72436e3dc1be7763de7f75b7adf

SHA1
40e07b22ab8b69e6827f90e20aeac35757899a23

SHA256
59818142f41895d3cadf7bee0124b392af3473060f00b9548daa3a224223993e

SHA512
82f0be15e2736447fae7d9a313a8a81a2c6e6ca617539ff8bf3fa0d2fe93d96e68afea6964e96e9dd671ba4090ddbc8a759c9b68f10e24a7fb847fe2c9825a83

Download Submit
\Users\Admin\AppData\Local\Temp\onefile_2976_133787164475210000\loader.exe

Filesize
8.5MB

MD5
7e528c7d750373f489ed3983d28a5279

SHA1
805d666d7c3f98b0f2f21f8ded1ebc801bb87028

SHA256
7b025b56f3cec113e0569dfa37fa593f64d15c42116d321452500c03df105b8e

SHA512
40b4809678c6b17fcd389038464d32752058e60ed446d941698fee561641e740652bd305e2a6fe80cdd6171807fe6fbc22b99e4eaccd4c699acaca39b7328ca3

Download Submit
\Users\Admin\AppData\Roaming\loader.exe

Filesize
5.4MB

MD5
916f7dea6831485387d70b0891455e65

SHA1
176e995cc2584d7c9703b2beee0994dcc4be91d5

SHA256
c47e49026afb1d2c8708f1e36510ad862eb288c7ac48e9c4bebfbd051475fbc2

SHA512
ba5c40e6416a53c88f5b5d7e0ce346956ef6bd0aebed355df8070ebb71dda78125945fe1cdca87caa29a2b5d98c437bafd228396a516c91f764256e54556f0e4

Download Submit
memory/1112-237-0x00000000012F0000-0x0000000001300000-memory.dmp

Filesize
64KB

Download
memory/1364-164-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/1364-163-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2224-57-0x000007FEF5BC0000-0x000007FEF65AC000-memory.dmp

Filesize
9.9MB

Download
memory/2224-24-0x0000000000E30000-0x0000000001390000-memory.dmp

Filesize
5.4MB

Download
memory/2224-23-0x000007FEF5BC3000-0x000007FEF5BC4000-memory.dmp

Filesize
4KB

Download
memory/2248-170-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

Filesize
2.9MB

Download
memory/2248-172-0x0000000002800000-0x0000000002808000-memory.dmp

Filesize
32KB

Download
memory/2440-239-0x0000000000370000-0x0000000000380000-memory.dmp

Filesize
64KB

Download
memory/2488-222-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2712-35-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/2744-95-0x00000000002C0000-0x00000000002D0000-memory.dmp

Filesize
64KB

Download
memory/2836-36-0x0000000000F60000-0x0000000000F78000-memory.dmp

Filesize
96KB

Download