njrat | bd948aeb2b607b34e8d32f22b9e5aee402057adebae4a2e0c70bd666e688f1f8

max time kernel
110s
max time network
166s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
13-01-2025 14:41

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

njrat xworm [email protected]discovery persistence privilege_escalation rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

ms-pupils.gl.at.ply.gg:42890

Mutex

206zDqrlQGtyKuTY

Attributes

Install_directory
%AppData%
install_file
svchost.exe

aes.plain

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

[email protected]

sayrich.ddns.net:7777

Mutex

Yandex. Update

Attributes

reg_key
Yandex. Update
splitter
|Hassan|

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral3/files/0x002e0000000461b0-54.dat	family_xworm
behavioral3/memory/5448-64-0x0000000000780000-0x000000000078E000-memory.dmp	family_xworm

Njrat family
njrat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\International\Geo\Nation	pghsefyjhsef.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 7 IoCs

pid	Process
792	pghsefyjhsef.exe
5528	Gxtuum.exe
4312	njrat.exe
2688	hell9o.exe
5448	XClient.exe
4044	Steam.Upgreyd.exe
2308	IATInfect2008_64.exe

Modifies system executable filetype association 2 TTPs 16 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print	reg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	hell9o.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
61	raw.githubusercontent.com
62	raw.githubusercontent.com
66	raw.githubusercontent.com
67	raw.githubusercontent.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Gxtuum.job	pghsefyjhsef.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Steam.Upgreyd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pghsefyjhsef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	njrat.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.docx\OpenWithList	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\Version	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AAEC1DAE-CC06-4DA4-B762-56A76FD4B2FF}\TypeLib	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0269-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0071-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.xdp	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0363-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0386-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpeg\PersistentHandler	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0045-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0055-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0171-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\drwatson.exe	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\AppXqmt9n48kdgabchqtfjw3a4n5as0gk0vt\Shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48E73304-E1D6-4330-914C-F5F514E3486C}\VersionIndependentProgID	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0080-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3BE786A0-0366-4F5C-9434-25CF162E475E}\ExtendedErrors	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0057-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0352-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.snd\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\acrobat2018\shell\open\ddeexec	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\winhlp32.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020821-0000-0000-C000-000000000046}\DataFormats\GetSet	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0049-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0183-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0248-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020906-0000-0000-C000-000000000046}\Insertable	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{227B1F3B-C276-4DE0-9FAA-C0AD42ADDCF0}\Implemented Categories	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0188-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.psc1	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.rgs\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CATFile	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CID\e3c725ce-598f-41e7-bc32-a72777d63ba2\Host	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0206-ABCDEFFEDCBC}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0334-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020811-0000-0000-C000-000000000046}\AuxUserType\3	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64818D10-4F9B-11CF-86EA-00AA00B929E8}\InprocHandler32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{770FDC97-76E7-4067-B14C-2DDB3A7517F2}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0318-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A249E9F6-5B28-4ED1-8AF0-C9B9C5195486}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0022-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0070-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0386-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0276-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0029-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0093-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0201-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0031-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0028-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0037-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{79176FB0-B7F2-11CE-97EF-00AA006D2776}\Control	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C282417B-2662-44B8-8A94-3BFF61C50900}\LocalServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0042-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0055-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.jpe\OpenWithProgids	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.xlsx\ShellEx	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0011-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2934520114-3201407646-466687995-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0170-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.acrobatsecuritysettings\OpenWithProgids	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{F8FD03A6-DDD9-4C1B-84EE-58159476A0D7}	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4024	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1764	4363463463464363463463463.exe
Token: SeDebugPrivilege	1964	4363463463464363463463463.exe
Token: SeDebugPrivilege	6124	4363463463464363463463463.exe
Token: SeDebugPrivilege	5448	XClient.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
792	pghsefyjhsef.exe
5528	Gxtuum.exe
2688	hell9o.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 792	1964	4363463463464363463463463.exe	100
PID 1964 wrote to memory of 792	1964	4363463463464363463463463.exe	100
PID 1964 wrote to memory of 792	1964	4363463463464363463463463.exe	100
PID 792 wrote to memory of 5528	792	pghsefyjhsef.exe	103
PID 792 wrote to memory of 5528	792	pghsefyjhsef.exe	103
PID 792 wrote to memory of 5528	792	pghsefyjhsef.exe	103
PID 6124 wrote to memory of 4312	6124	4363463463464363463463463.exe	104
PID 6124 wrote to memory of 4312	6124	4363463463464363463463463.exe	104
PID 6124 wrote to memory of 4312	6124	4363463463464363463463463.exe	104
PID 6124 wrote to memory of 2688	6124	4363463463464363463463463.exe	105
PID 6124 wrote to memory of 2688	6124	4363463463464363463463463.exe	105
PID 2688 wrote to memory of 464	2688	hell9o.exe	106
PID 2688 wrote to memory of 464	2688	hell9o.exe	106
PID 464 wrote to memory of 3092	464	cmd.exe	108
PID 464 wrote to memory of 3092	464	cmd.exe	108
PID 1764 wrote to memory of 5448	1764	4363463463464363463463463.exe	109
PID 1764 wrote to memory of 5448	1764	4363463463464363463463463.exe	109
PID 1764 wrote to memory of 4044	1764	4363463463464363463463463.exe	110
PID 1764 wrote to memory of 4044	1764	4363463463464363463463463.exe	110
PID 1764 wrote to memory of 4044	1764	4363463463464363463463463.exe	110
PID 6124 wrote to memory of 2308	6124	4363463463464363463463463.exe	111
PID 6124 wrote to memory of 2308	6124	4363463463464363463463463.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5448
- C:\Users\Admin\AppData\Local\Temp\Files\Steam.Upgreyd.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Steam.Upgreyd.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4044
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4024

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4868

C:\Users\Admin\Desktop\4363463463464363463463463.exe
"C:\Users\Admin\Desktop\4363463463464363463463463.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\Desktop\Files\pghsefyjhsef.exe
  "C:\Users\Admin\Desktop\Files\pghsefyjhsef.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:792
- - C:\Users\Admin\AppData\Local\Temp\bfe2cd46d6\Gxtuum.exe
    "C:\Users\Admin\AppData\Local\Temp\bfe2cd46d6\Gxtuum.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5528

C:\Users\Admin\Desktop\4363463463464363463463463.exe
"C:\Users\Admin\Desktop\4363463463464363463463463.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:6124
- C:\Users\Admin\Desktop\Files\njrat.exe
  "C:\Users\Admin\Desktop\Files\njrat.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4312
- C:\Users\Admin\Desktop\Files\hell9o.exe
  "C:\Users\Admin\Desktop\Files\hell9o.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\regdel.CMD
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:464
  - - C:\Windows\system32\reg.exe
      reg DELETE HKEY_CLASSES_ROOT /f
      4⤵
      Modifies system executable filetype association
      Modifies registry class
      PID:3092
  - - C:\Windows\system32\reg.exe
      reg DELETE HKEY_CURRENT_USER /f
      4⤵
      PID:5108
  - - C:\Windows\system32\reg.exe
      reg DELETE HKEY_LOCAL_MACHINE /f
      4⤵
      PID:2216
  - - C:\Windows\system32\reg.exe
      reg DELETE HKEY_USERS /f
      4⤵
      PID:4032
  - - C:\Windows\system32\reg.exe
      reg DELETE HKEY_CURRENT_CONFIG /f
      4⤵
      PID:2224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\regdel.CMD
    3⤵
    PID:4676
- C:\Users\Admin\Desktop\Files\IATInfect2008_64.exe
  "C:\Users\Admin\Desktop\Files\IATInfect2008_64.exe"
  2⤵
  - Executes dropped EXE
  PID:2308

C:\Users\Admin\AppData\Local\Temp\bfe2cd46d6\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\bfe2cd46d6\Gxtuum.exe"
1⤵
PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Files\Steam.Upgreyd.exe

Filesize
43KB

MD5
f0aabba97f470b9a61755d9dfa2a3ff8

SHA1
059523a98fca16f9211881c2bc3d8257f6cba0ed

SHA256
3a3303bb8761484ee722c492b61c43793b64926e42bb3c90112765ae1cfe3406

SHA512
5e1b52211cdfefaedc405825ba58dade787de82d1cfe789236c6b75b9273fe6896c44151dc775397438c269ea0a8edab7b9abfccab777a22f988e3843d634825

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe

Filesize
34KB

MD5
9ccc3000c7dcdec24959db69279f595e

SHA1
01950d30d19f67b5add82f6d60f6982f060418f1

SHA256
0c0aa0570872f28a905c4c6bafc9b7c2400da7b412b73ca03bcbb15242a17550

SHA512
f5b40ee47264ebeb69935b102a4777877965f464501c50d84d2e5e4ebd9db344c07bb67b5a2f5171ae1e335fdee3e62d8914bec8a1f38dee3019bb7732a6f656

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\regdel.CMD

Filesize
159B

MD5
e26bcceba32f987399a0decf331f0697

SHA1
64540b56c5ff6dbb963faa50a85159c62edf7365

SHA256
0fd1b221f5a865fd9d796857f51724ad6460d409e2cffe8cfaef091daa689d05

SHA512
d96236da499970dfd6702150a5140e947547e50e3ec6b5ee3d7923ddcc637a01a9e747ecac0b81d4268cbe1a7788c63d5b4ec1373fc46318d8a5d676f510d508

Download Submit
C:\Users\Admin\Desktop\Files\IATInfect2008_64.exe

Filesize
128KB

MD5
9d0543fe47a390f1e4c7c81bb3326637

SHA1
197c81881acd0ffc7d9219e4a9df1688714ea70e

SHA256
58be2f77908a38e2ab7120837ba4985d3ba6b3dbe43e872ae039c69cdbc947dd

SHA512
e92518aed9f662f3786e091a611ca13ab837b5eb14bada98910328b0d1b9de163f53c1afa7e57a7e9f9b3e44af46e8afaa1f4e804b20f37e6329d329c521570b

Download Submit
C:\Users\Admin\Desktop\Files\hell9o.exe

Filesize
172KB

MD5
2e933118fecbaf64bbd76514c47a2164

SHA1
a70a1673c4c7d0c0c12bc42bc676a1e9a09edc21

SHA256
5268359ebc3f9e709c8eee1fa9d3e7c579b3e4563fabb9c394abe0fe2e39137f

SHA512
c34672e55625462d16051cd725c96d634e459d61a9552f858f0b234d5eedf67594ca336f4fd695e3046c4e0485d4fa4497b6c604ee4144c49a6c1c0838628bdb

Download Submit
C:\Users\Admin\Desktop\Files\njrat.exe

Filesize
37KB

MD5
4699bec8cd50aa7f2cecf0df8f0c26a0

SHA1
c7c6c85fc26189cf4c68d45b5f8009a7a456497d

SHA256
d6471589756f94a0908a7ec9f0e0e98149882ce6c1cf3da9852dc88fcc3d513d

SHA512
5701a107e8af1c89574274c8b585ddd87ae88332284fc18090bbcccf5d11b65486ccf70450d4451fec7c75474a62518dd3c5e2bedda98487085276ac51d7ac0e

Download Submit
C:\Users\Admin\Desktop\Files\pghsefyjhsef.exe

Filesize
429KB

MD5
e21a937337ce24864bb9ca1b866c4b6e

SHA1
3fdfacb32c866f5684bceaab35cea6725f76182f

SHA256
55db20b6ddab0de6b84f4200fbde54b719709d7c50f0bdd808369dbb73deef70

SHA512
9fb59ecc82984dcc854a31ae2e871f88fd679a162ee912eb92879576397fa29eddc2ec2787f7645aa72c4dc641456980f6b897302650f0d10466dea50506f533

Download Submit
memory/1764-5-0x0000000074F70000-0x0000000075721000-memory.dmp

Filesize
7.7MB

Download
memory/1764-2-0x0000000004D80000-0x0000000004E1C000-memory.dmp

Filesize
624KB

Download
memory/1764-1-0x00000000002E0000-0x00000000002E8000-memory.dmp

Filesize
32KB

Download
memory/1764-0-0x0000000074F7E000-0x0000000074F7F000-memory.dmp

Filesize
4KB

Download
memory/1764-4-0x0000000074F7E000-0x0000000074F7F000-memory.dmp

Filesize
4KB

Download
memory/1764-3-0x0000000074F70000-0x0000000075721000-memory.dmp

Filesize
7.7MB

Download
memory/1964-7-0x0000000074F70000-0x0000000075721000-memory.dmp

Filesize
7.7MB

Download
memory/1964-6-0x0000000074F70000-0x0000000075721000-memory.dmp

Filesize
7.7MB

Download
memory/1964-91-0x0000000074F70000-0x0000000075721000-memory.dmp

Filesize
7.7MB

Download
memory/4044-76-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download
memory/4044-77-0x0000000005510000-0x0000000005AB6000-memory.dmp

Filesize
5.6MB

Download
memory/4044-78-0x0000000005000000-0x0000000005092000-memory.dmp

Filesize
584KB

Download
memory/4044-98-0x0000000004FA0000-0x0000000004FAA000-memory.dmp

Filesize
40KB

Download
memory/5448-64-0x0000000000780000-0x000000000078E000-memory.dmp

Filesize
56KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads