Analysis
- Max time kernel: 114s
- Max time network: 137s
- Platform: windows10_x64
- Resource: win10v200430
- Submitted: 10/07/2020, 05:15
Static task: static1
Behavioral task: behavioral1
- Sample: nxxt.exe
- Resource: win7v200430
- 0 signatures
- 0 seconds
General
- Target: nxxt.exe
- Size: 338KB
- MD5: 5a68d27a6d644b88a59ae764acaad552
- SHA1: 24f135bf0c8e0db609a39fc2a5b68e644ed1ce7c
- SHA256: 1a4ea9c422e80abe0f0abd7cbc73e3070b0345d2e9ab5ff57840230240f10f47
- SHA512: 191b216e498e1ea68d4f61b506ea08e9f4852461bb9324febbd527a16dc4eb610f43a1457e8f2482874f6b634aaadad46c20baf2944871c40f894226e3f59783
Malware Config
Signatures
- Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk
  process: nxxt.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 2536
  process: nxxt.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 2536, process: nxxt.exe (2 entries)
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 2536 set thread context of 2688
  pid: 2536, process: nxxt.exe, procid_target: 68
- Executes dropped EXE (1 IoC)
  pid: 2688, process: sdhost.exe
- NetWire RAT payload (2 IoCs)
  resource: behavioral2/memory/2688-0-0x0000000000400000-0x0000000000433000-memory.dmp, yara_rule: netwire
  resource: behavioral2/memory/2688-4-0x0000000000400000-0x0000000000433000-memory.dmp, yara_rule: netwire
- NTFS ADS (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier
  process: cmd.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  description: PID 2536 wrote to memory of 2688; pid: 2536, process: nxxt.exe, procid_target: 68 (11 entries)
  description: PID 2536 wrote to memory of 3744; pid: 2536, process: nxxt.exe, procid_target: 69 (3 entries)
  description: PID 2536 wrote to memory of 3908; pid: 2536, process: nxxt.exe, procid_target: 71 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\nxxt.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\nxxt.exe"
  PID: 2536
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  child processes:
  - C:\Users\Admin\AppData\Local\Temp\sdhost.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\sdhost.exe"
    PID: 2688
    - Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/nxxt.exe" "%temp%\FolderN\name.exe" /Y
    PID: 3744
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
    PID: 3908
    - NTFS ADS