Analysis
- max time kernel: 114s
- max time network: 137s
- platform: windows10_x64
- resource: win10v200430
- submitted: 10-07-2020 05:15

Static task: static1

Behavioral task: behavioral1
- Sample: nxxt.exe
- Resource: win7v200430
- Platform: windows7_x64
- Signatures: 0
- Duration: 0 seconds
General
- Target: nxxt.exe
- Size: 338KB
- MD5: 5a68d27a6d644b88a59ae764acaad552
- SHA1: 24f135bf0c8e0db609a39fc2a5b68e644ed1ce7c
- SHA256: 1a4ea9c422e80abe0f0abd7cbc73e3070b0345d2e9ab5ff57840230240f10f47
- SHA512: 191b216e498e1ea68d4f61b506ea08e9f4852461bb9324febbd527a16dc4eb610f43a1457e8f2482874f6b634aaadad46c20baf2944871c40f894226e3f59783
Malware Config
Signatures

- Drops startup file (1 IoC)
  Process: nxxt.exe
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.exe.lnk
  process: nxxt.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: nxxt.exe
  description: Token: SeDebugPrivilege
  pid: 2536
  process: nxxt.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: nxxt.exe
  pid 2536, process nxxt.exe
  pid 2536, process nxxt.exe

- Suspicious use of SetThreadContext (1 IoC)
  Process: nxxt.exe
  description: PID 2536 set thread context of 2688
  pid: 2536
  process: nxxt.exe
  target process: sdhost.exe

- Executes dropped EXE (1 IoC)
  Process: sdhost.exe
  pid: 2688
  process: sdhost.exe

- NetWire RAT payload (2 IoCs)
  resource: behavioral2/memory/2688-0-0x0000000000400000-0x0000000000433000-memory.dmp, yara_rule: netwire
  resource: behavioral2/memory/2688-4-0x0000000000400000-0x0000000000433000-memory.dmp, yara_rule: netwire

- NTFS ADS (1 IoC)
  Process: cmd.exe
  description: File created
  ioc: C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier
  process: cmd.exe

- Suspicious use of WriteProcessMemory (17 IoCs)
  Process: nxxt.exe
  PID 2536 wrote to memory of 2688 (pid 2536, process nxxt.exe, target process sdhost.exe), 11 times
  PID 2536 wrote to memory of 3744 (pid 2536, process nxxt.exe, target process cmd.exe), 3 times
  PID 2536 wrote to memory of 3908 (pid 2536, process nxxt.exe, target process cmd.exe), 3 times
Processes

C:\Users\Admin\AppData\Local\Temp\nxxt.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\nxxt.exe"
  PID: 2536
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\sdhost.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\sdhost.exe"
    PID: 2688
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/nxxt.exe" "%temp%\FolderN\name.exe" /Y
    PID: 3744

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
    PID: 3908
    - NTFS ADS