Analysis
- max time kernel: 34s
- max time network: 112s
- platform: windows7_x64
- resource: win7v200430
- submitted: 10-07-2020 05:15

Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample nxxt.exe, resource win7v200430, platform windows7_x64)
- 0 signatures, 0 seconds
General
- Target: nxxt.exe
- Size: 338KB
- MD5: 5a68d27a6d644b88a59ae764acaad552
- SHA1: 24f135bf0c8e0db609a39fc2a5b68e644ed1ce7c
- SHA256: 1a4ea9c422e80abe0f0abd7cbc73e3070b0345d2e9ab5ff57840230240f10f47
- SHA512: 191b216e498e1ea68d4f61b506ea08e9f4852461bb9324febbd527a16dc4eb610f43a1457e8f2482874f6b634aaadad46c20baf2944871c40f894226e3f59783
Malware Config
Signatures
- NTFS ADS (1 IoC)
  Process: cmd.exe
  File created: C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: nxxt.exe (PID 272)
  Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (20 IoCs)
  Process: nxxt.exe (PID 272)
  PID 272 (nxxt.exe) wrote to memory of PID 1116 (sdhost.exe): 12 events
  PID 272 (nxxt.exe) wrote to memory of PID 1512 (cmd.exe): 4 events
  PID 272 (nxxt.exe) wrote to memory of PID 1776 (cmd.exe): 4 events
- Executes dropped EXE (1 IoC)
  Process: sdhost.exe (PID 1116)
- Drops startup file (1 IoC)
  Process: nxxt.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: nxxt.exe (PID 272), 2 events
- Loads dropped DLL (3 IoCs)
  Process: nxxt.exe (PID 272), 3 events
- Suspicious use of SetThreadContext (1 IoC)
  PID 272 (nxxt.exe) set thread context of PID 1116 (sdhost.exe)
- NetWire RAT payload (2 IoCs)
  YARA rule: netwire
  Matched resources:
    behavioral1/memory/1116-1-0x0000000000400000-0x0000000000433000-memory.dmp
    behavioral1/memory/1116-4-0x0000000000400000-0x0000000000433000-memory.dmp
Processes
- C:\Users\Admin\AppData\Local\Temp\nxxt.exe (PID 272)
  Command line: "C:\Users\Admin\AppData\Local\Temp\nxxt.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; Drops startup file; Suspicious behavior: EnumeratesProcesses; Loads dropped DLL; Suspicious use of SetThreadContext
  - C:\Users\Admin\AppData\Local\Temp\sdhost.exe (PID 1116)
    Command line: "C:\Users\Admin\AppData\Local\Temp\sdhost.exe"
    Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (PID 1512)
    Command line: "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/nxxt.exe" "%temp%\FolderN\name.exe" /Y
  - C:\Windows\SysWOW64\cmd.exe (PID 1776)
    Command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
    Signatures: NTFS ADS
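The signatures above are individually low-signal; what makes this report readable as a NetWire infection chain is how they correlate. nxxt.exe (PID 272) writes twelve times into the dropped sdhost.exe (PID 1116) and then sets that process's thread context, and the netwire YARA rule fires on sdhost.exe's 0x400000-0x433000 image range: the process-hollowing sequence, with the RAT running under the dropped binary's name. Separately, the two cmd.exe children copy the original sample to %temp%\FolderN\name.exe, which the Startup-folder name.exe.lnk will launch at logon, and write a Zone.Identifier stream with ZoneID = 2 (Trusted sites) so the copy does not carry the Internet-zone Mark of the Web. The script below is an added example, not part of the sandbox report or its export format: it re-encodes the report's IoCs as a constructed event list (field names such as kind, pid, target_pid and cmdline are this example's own) and derives the three findings a triage analyst would want, flagging WriteProcessMemory only when paired with SetThreadContext on the same target, so the plain writes into the cmd.exe children are not reported.

```python
"""Correlate sandbox behaviour events into hollowing / persistence / MOTW findings.

Added example. EVENTS is constructed from the nxxt.exe report (same PIDs,
images, paths and counts), but the dict schema is this script's own.
"""
import re
from collections import Counter

# Zone.Identifier ZoneId values (URLZONE). Only 3 and 4 carry the Mark of the Web
# that makes Attachment Manager / SmartScreen warn before the file runs.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
ZONE_RE = re.compile(r"ZoneId\s*=\s*(\d)", re.IGNORECASE)
ADS_TARGET_RE = re.compile(r">\s*\"?([^\s\"]+):Zone\.Identifier", re.IGNORECASE)


def _writes(target_pid, target, n):
    """n WriteProcessMemory events from nxxt.exe (PID 272) into one target."""
    return [{"kind": "write_memory", "pid": 272, "image": "nxxt.exe",
             "target_pid": target_pid, "target": target} for _ in range(n)]


# Constructed event list mirroring the report's IoCs, one entry per logged row.
EVENTS = (
    [{"kind": "token", "pid": 272, "image": "nxxt.exe", "privilege": "SeDebugPrivilege"}]
    + _writes(1116, "sdhost.exe", 12) + _writes(1512, "cmd.exe", 4) + _writes(1776, "cmd.exe", 4)
    + [
        {"kind": "set_thread_context", "pid": 272, "image": "nxxt.exe",
         "target_pid": 1116, "target": "sdhost.exe"},
        {"kind": "exec_dropped", "pid": 1116, "image": "sdhost.exe"},
        {"kind": "file_create", "pid": 272, "image": "nxxt.exe",
         "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk"},
        {"kind": "cmdline", "pid": 1512, "image": "cmd.exe",
         "cmdline": r'"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/nxxt.exe" "%temp%\FolderN\name.exe" /Y'},
        {"kind": "file_create", "pid": 1776, "image": "cmd.exe",
         "path": r"C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier"},
        {"kind": "cmdline", "pid": 1776, "image": "cmd.exe",
         "cmdline": r'"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier'},
    ]
)


def find_hollowing(events):
    """Report (source, target) pairs that saw both WriteProcessMemory and SetThreadContext.

    A parent writing into a child it just spawned is common on its own; writing the
    child's memory *and* redirecting its thread is the process-hollowing sequence.
    """
    writes, names = Counter(), {}
    for e in events:
        if e["kind"] == "write_memory":
            key = (e["pid"], e["target_pid"])
            writes[key] += 1
            names[key] = (e["image"], e["target"])
    ctx = {(e["pid"], e["target_pid"]) for e in events if e["kind"] == "set_thread_context"}
    executed = {e["pid"] for e in events if e["kind"] == "exec_dropped"}
    findings = []
    for key in sorted(writes):
        if key in ctx:
            src, tgt = names[key]
            findings.append({"source_pid": key[0], "source": src, "target_pid": key[1],
                             "target": tgt, "writes": writes[key],
                             "dropped_exe_executed": key[1] in executed})
    return findings


def find_startup_persistence(events):
    """Paths of .lnk files created under a user's Start Menu Startup folder."""
    return [e["path"] for e in events
            if e["kind"] == "file_create" and STARTUP_RE.search(e["path"])]


def zone_id_from_cmdline(cmdline):
    """Return (zone_id, target_path) if cmdline redirects into a Zone.Identifier stream."""
    z, t = ZONE_RE.search(cmdline), ADS_TARGET_RE.search(cmdline)
    if not (z and t):
        return None
    return int(z.group(1)), t.group(1)


def find_motw_downgrade(events):
    """Zone.Identifier writes whose ZoneId is below 3, i.e. not marked as from the Internet."""
    findings = []
    for e in events:
        if e["kind"] != "cmdline":
            continue
        parsed = zone_id_from_cmdline(e["cmdline"])
        if parsed and parsed[0] < 3:
            zone_id, path = parsed
            findings.append({"pid": e["pid"], "path": path, "zone_id": zone_id,
                             "zone_name": ZONE_NAMES.get(zone_id, "unknown")})
    return findings


def summarize(events):
    return {"hollowing": find_hollowing(events),
            "startup_persistence": find_startup_persistence(events),
            "motw_downgrade": find_motw_downgrade(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(EVENTS), indent=2))
```

Run on the constructed events, summarize() returns one hollowing candidate (272 -> 1116, sdhost.exe, 12 writes, target executed as a dropped EXE), the Startup name.exe.lnk path, and one MOTW downgrade (ZoneID 2, Trusted sites, on %temp%\FolderN\name.exe); the copy command for PID 1512 carries no ZoneId and is ignored.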