njrat | 7471944a136673044e47c277341a4b31d46434a433e902cb2d2bd19b1a79b845

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-12-2024 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NewClient.exe
Size

141KB
MD5

a5e6869cc1b826c71ef68e6ab6196606
SHA1

0185672daadea373d19fa721ec644562eba3a82e
SHA256

7471944a136673044e47c277341a4b31d46434a433e902cb2d2bd19b1a79b845
SHA512

ba558d98bcaffc4d096d8238fdb5bd30deec836f5d650eec0bf205a3f3984ee770bff921f615aa937bc85bd0376f05076178b2cd774cf27dcedb6b133447564d
SSDEEP

3072:dUJ8T2SXZyrgoBJtbN/3MCK2kevEwl/6GJHSj7ZnC3Bx0Tcnsn+Mm4:R/JdSI5ebW+z0os+X4

Score

10^/10

njrat hacked persistence trojan

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

HacKed

127.0.0.1:10095

Mutex

discord.exe

Attributes

reg_key
discord.exe
splitter
|Ghost|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Deletes itself 1 IoCs

pid	Process
2028	cmd.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.exe	discord.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.exe	discord.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discord.url	discord.exe

Executes dropped EXE 3 IoCs

pid	Process
2516	discord.exe
1184	discord.exe
324	discord.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\discord.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\discord.exe\" .."	discord.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\discord.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\discord.exe\" .."	discord.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	0.tcp.eu.ngrok.io
21	0.tcp.eu.ngrok.io
35	0.tcp.eu.ngrok.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 41 IoCs

evasion

pid	Process
2004	taskkill.exe
1960	taskkill.exe
1468	taskkill.exe
2884	taskkill.exe
2888	taskkill.exe
2648	taskkill.exe
2532	taskkill.exe
1592	taskkill.exe
1932	taskkill.exe
820	taskkill.exe
1256	taskkill.exe
1980	taskkill.exe
2436	taskkill.exe
1640	taskkill.exe
2080	taskkill.exe
2504	taskkill.exe
540	taskkill.exe
352	taskkill.exe
1560	taskkill.exe
1664	taskkill.exe
2856	taskkill.exe
2800	taskkill.exe
1892	taskkill.exe
2148	taskkill.exe
1416	taskkill.exe
1004	taskkill.exe
1456	taskkill.exe
1352	taskkill.exe
3044	taskkill.exe
2528	taskkill.exe
2176	taskkill.exe
1572	taskkill.exe
2300	taskkill.exe
2860	taskkill.exe
448	taskkill.exe
876	taskkill.exe
2880	taskkill.exe
2424	taskkill.exe
1476	taskkill.exe
2868	taskkill.exe
2756	taskkill.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 41 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1872	schtasks.exe
1916	schtasks.exe
2476	schtasks.exe
2848	schtasks.exe
2592	schtasks.exe
2792	schtasks.exe
3056	schtasks.exe
1656	schtasks.exe
2404	schtasks.exe
2812	schtasks.exe
1296	schtasks.exe
1864	schtasks.exe
2780	schtasks.exe
2316	schtasks.exe
2360	schtasks.exe
2380	schtasks.exe
2420	schtasks.exe
2668	schtasks.exe
1956	schtasks.exe
2396	schtasks.exe
3040	schtasks.exe
2108	schtasks.exe
1712	schtasks.exe
1876	schtasks.exe
3064	schtasks.exe
2864	schtasks.exe
940	schtasks.exe
2512	schtasks.exe
2472	schtasks.exe
2824	schtasks.exe
1304	schtasks.exe
2484	schtasks.exe
2256	schtasks.exe
1432	schtasks.exe
1412	schtasks.exe
1016	schtasks.exe
992	schtasks.exe
1036	schtasks.exe
316	schtasks.exe
2328	schtasks.exe
2412	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe
2516	discord.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2516	discord.exe
Token: 33	2516	discord.exe
Token: SeIncBasePriorityPrivilege	2516	discord.exe
Token: 33	2516	discord.exe
Token: SeIncBasePriorityPrivilege	2516	discord.exe
Token: 33	2516	discord.exe
Token: SeIncBasePriorityPrivilege	2516	discord.exe
Token: 33	2516	discord.exe
Token: SeIncBasePriorityPrivilege	2516	discord.exe
Token: 33	2516	discord.exe
Token: SeIncBasePriorityPrivilege	2516	discord.exe
Token: 33	2516	discord.exe
Token: SeIncBasePriorityPrivilege	2516	discord.exe
Token: 33	2516	discord.exe
Token: SeIncBasePriorityPrivilege	2516	discord.exe
Token: 33	2516	discord.exe
Token: SeIncBasePriorityPrivilege	2516	discord.exe
Token: 33	2516	discord.exe
Token: SeIncBasePriorityPrivilege	2516	discord.exe
Token: 33	2516	discord.exe
Token: SeIncBasePriorityPrivilege	2516	discord.exe
Token: 33	2516	discord.exe
Token: SeIncBasePriorityPrivilege	2516	discord.exe
Token: 33	2516	discord.exe
Token: SeIncBasePriorityPrivilege	2516	discord.exe
Token: 33	2516	discord.exe
Token: SeIncBasePriorityPrivilege	2516	discord.exe
Token: 33	2516	discord.exe
Token: SeIncBasePriorityPrivilege	2516	discord.exe
Token: 33	2516	discord.exe
Token: SeIncBasePriorityPrivilege	2516	discord.exe
Token: 33	2516	discord.exe
Token: SeIncBasePriorityPrivilege	2516	discord.exe
Token: 33	2516	discord.exe
Token: SeIncBasePriorityPrivilege	2516	discord.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2516	2388	NewClient.exe	30
PID 2388 wrote to memory of 2516	2388	NewClient.exe	30
PID 2388 wrote to memory of 2516	2388	NewClient.exe	30
PID 2388 wrote to memory of 2028	2388	NewClient.exe	31
PID 2388 wrote to memory of 2028	2388	NewClient.exe	31
PID 2388 wrote to memory of 2028	2388	NewClient.exe	31
PID 2028 wrote to memory of 2412	2028	cmd.exe	33
PID 2028 wrote to memory of 2412	2028	cmd.exe	33
PID 2028 wrote to memory of 2412	2028	cmd.exe	33
PID 2516 wrote to memory of 2756	2516	discord.exe	35
PID 2516 wrote to memory of 2756	2516	discord.exe	35
PID 2516 wrote to memory of 2756	2516	discord.exe	35
PID 2516 wrote to memory of 2716	2516	discord.exe	37
PID 2516 wrote to memory of 2716	2516	discord.exe	37
PID 2516 wrote to memory of 2716	2516	discord.exe	37
PID 2516 wrote to memory of 2792	2516	discord.exe	39
PID 2516 wrote to memory of 2792	2516	discord.exe	39
PID 2516 wrote to memory of 2792	2516	discord.exe	39
PID 2516 wrote to memory of 2884	2516	discord.exe	41
PID 2516 wrote to memory of 2884	2516	discord.exe	41
PID 2516 wrote to memory of 2884	2516	discord.exe	41
PID 2516 wrote to memory of 2608	2516	discord.exe	43
PID 2516 wrote to memory of 2608	2516	discord.exe	43
PID 2516 wrote to memory of 2608	2516	discord.exe	43
PID 2516 wrote to memory of 2668	2516	discord.exe	45
PID 2516 wrote to memory of 2668	2516	discord.exe	45
PID 2516 wrote to memory of 2668	2516	discord.exe	45
PID 2516 wrote to memory of 2004	2516	discord.exe	47
PID 2516 wrote to memory of 2004	2516	discord.exe	47
PID 2516 wrote to memory of 2004	2516	discord.exe	47
PID 2516 wrote to memory of 2352	2516	discord.exe	49
PID 2516 wrote to memory of 2352	2516	discord.exe	49
PID 2516 wrote to memory of 2352	2516	discord.exe	49
PID 2516 wrote to memory of 316	2516	discord.exe	51
PID 2516 wrote to memory of 316	2516	discord.exe	51
PID 2516 wrote to memory of 316	2516	discord.exe	51
PID 2516 wrote to memory of 2856	2516	discord.exe	53
PID 2516 wrote to memory of 2856	2516	discord.exe	53
PID 2516 wrote to memory of 2856	2516	discord.exe	53
PID 2516 wrote to memory of 532	2516	discord.exe	55
PID 2516 wrote to memory of 532	2516	discord.exe	55
PID 2516 wrote to memory of 532	2516	discord.exe	55
PID 2516 wrote to memory of 1956	2516	discord.exe	57
PID 2516 wrote to memory of 1956	2516	discord.exe	57
PID 2516 wrote to memory of 1956	2516	discord.exe	57
PID 2516 wrote to memory of 2504	2516	discord.exe	59
PID 2516 wrote to memory of 2504	2516	discord.exe	59
PID 2516 wrote to memory of 2504	2516	discord.exe	59
PID 2516 wrote to memory of 1056	2516	discord.exe	61
PID 2516 wrote to memory of 1056	2516	discord.exe	61
PID 2516 wrote to memory of 1056	2516	discord.exe	61
PID 2516 wrote to memory of 2824	2516	discord.exe	63
PID 2516 wrote to memory of 2824	2516	discord.exe	63
PID 2516 wrote to memory of 2824	2516	discord.exe	63
PID 2516 wrote to memory of 2436	2516	discord.exe	65
PID 2516 wrote to memory of 2436	2516	discord.exe	65
PID 2516 wrote to memory of 2436	2516	discord.exe	65
PID 2516 wrote to memory of 1744	2516	discord.exe	67
PID 2516 wrote to memory of 1744	2516	discord.exe	67
PID 2516 wrote to memory of 1744	2516	discord.exe	67
PID 2516 wrote to memory of 1016	2516	discord.exe	69
PID 2516 wrote to memory of 1016	2516	discord.exe	69
PID 2516 wrote to memory of 1016	2516	discord.exe	69
PID 2516 wrote to memory of 3044	2516	discord.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NewClient.exe
"C:\Users\Admin\AppData\Local\Temp\NewClient.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Roaming\discord.exe
  "C:\Users\Admin\AppData\Roaming\discord.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:2756
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:2716
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2792
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:2884
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:2608
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2668
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:2004
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:2352
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:316
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:2856
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:532
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1956
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:2504
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:1056
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2824
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:2436
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:1744
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1016
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:3044
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:2304
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2108
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:2532
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:2164
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1864
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:2800
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:3000
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1304
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:1892
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:1140
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1916
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:876
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:2120
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2484
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:2148
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:2236
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:992
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:1960
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:2132
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2476
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:1640
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:1200
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2396
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:2880
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:2640
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1712
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:2888
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:2720
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3064
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:540
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:2740
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2848
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:1416
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:684
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2864
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:1980
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:1144
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3056
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:2080
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:1372
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1656
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:1572
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:2940
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2780
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:1468
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:1252
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:940
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:1592
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:2976
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2360
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:2300
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:1632
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2512
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:352
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:2728
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2316
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:1932
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:2680
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2328
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:820
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:400
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1876
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:2860
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:2804
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2592
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:1560
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:1408
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1036
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:1004
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:2016
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2472
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:448
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:1284
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1432
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:2424
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:2184
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2380
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:1256
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:1928
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2404
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:1664
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:2772
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2412
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:2648
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:3028
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2812
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:1456
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:388
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1412
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:1352
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:3016
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3040
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:2176
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:2784
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2256
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:1476
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:1832
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1296
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:2528
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:2392
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2420
- - C:\Windows\system32\taskkill.exe
    taskkill /f im discord.exe
    3⤵
    - Kills process with taskkill
    PID:2868
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    PID:1704
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\discord.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\NewClient.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 5
    3⤵
    PID:2412

C:\Windows\system32\taskeng.exe
taskeng.exe {393092D5-572F-4D72-A5AD-AEC6BB9AA0A8} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
1⤵
PID:2192
- C:\Users\Admin\AppData\Roaming\discord.exe
  C:\Users\Admin\AppData\Roaming\discord.exe
  2⤵
  - Executes dropped EXE
  PID:1184
- C:\Users\Admin\AppData\Roaming\discord.exe
  C:\Users\Admin\AppData\Roaming\discord.exe
  2⤵
  - Executes dropped EXE
  PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\discord.exe

Filesize
141KB

MD5
a5e6869cc1b826c71ef68e6ab6196606

SHA1
0185672daadea373d19fa721ec644562eba3a82e

SHA256
7471944a136673044e47c277341a4b31d46434a433e902cb2d2bd19b1a79b845

SHA512
ba558d98bcaffc4d096d8238fdb5bd30deec836f5d650eec0bf205a3f3984ee770bff921f615aa937bc85bd0376f05076178b2cd774cf27dcedb6b133447564d

Download Submit
memory/2388-0-0x000007FEF5DCE000-0x000007FEF5DCF000-memory.dmp

Filesize
4KB

Download
memory/2388-1-0x00000000006A0000-0x00000000006CE000-memory.dmp

Filesize
184KB

Download
memory/2388-2-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

Filesize
9.6MB

Download
memory/2388-10-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

Filesize
9.6MB

Download
memory/2516-9-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

Filesize
9.6MB

Download
memory/2516-8-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

Filesize
9.6MB

Download
memory/2516-14-0x000007FEF5B10000-0x000007FEF64AD000-memory.dmp

Filesize
9.6MB

Download