Analysis

Max time kernel: 150s
Max time network: 149s
Platform: windows10_x64
Resource: win10v20210408
Submitted: 19-07-2021 19:02

Static task: static1
Behavioral task: behavioral1
Sample: PBHACK.exe
Resource: win7v20210410
General

Target: PBHACK.exe
Size: 1.3MB
MD5: a5ed586c6aa4674092bb6bd521affddd
SHA1: cd0034fafdcab582fa4b12ff2c5bbdceeca62533
SHA256: c2bea2d868e82aacc04296992cd63a14383592c225b868eaf0609299557c55a2
SHA512: f1b54ed8f3031dd36c01bd16580f673f004c9f68c8749e5c20b12b2cf65e780140aeddbe2a2d20f6ca787759bf3563a3cbe2d37f02937dbc46ab2615932d8a24
Malware Config

Extracted

Family: njrat
Version: 0.7d
Botnet: PBHACK
C2: zetsubranco.duckdns.org:1177
Mutex: 043f16f4cc1323e18d4d845c634e9302
Attributes:
  reg_key: 043f16f4cc1323e18d4d845c634e9302
  splitter: |'|'|
Signatures

Executes dropped EXE (1 IoCs)
  Processes:
    pid 3656  System.exe

Modifies Windows Firewall (1 TTPs)

Drops startup file (2 IoCs)
  Processes:
    System.exe  File created                C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\043f16f4cc1323e18d4d845c634e9302.exe
    System.exe  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\043f16f4cc1323e18d4d845c634e9302.exe

Obfuscated with Agile.Net obfuscator (2 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Resources (yara_rule):
    C:\Users\Admin\System.exe  agile_net
    C:\Users\Admin\System.exe  agile_net

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    System.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\043f16f4cc1323e18d4d845c634e9302 = "\"C:\\Users\\Admin\\System.exe\" .."
    System.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\043f16f4cc1323e18d4d845c634e9302 = "\"C:\\Users\\Admin\\System.exe\" .."

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes (all pid 3656, System.exe):
    Token: SeDebugPrivilege
    Token: 33 / Token: SeIncBasePriorityPrivilege  (this pair repeated 16 times)

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    PID 3716 (PBHACK.exe) wrote to memory of 3656 (System.exe)  x3
    PID 3656 (System.exe) wrote to memory of 928 (netsh.exe)  x3
Processes

C:\Users\Admin\AppData\Local\Temp\PBHACK.exe  (pid 3716)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PBHACK.exe"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\System.exe  (pid 3656)
    Command line: "C:\Users\Admin\System.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe  (pid 928)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\System.exe" "System.exe" ENABLE
Network

MITRE ATT&CK Matrix (ATT&CK v6)

Downloads
C:\Users\Admin\System.exe
  MD5: a5ed586c6aa4674092bb6bd521affddd
  SHA1: cd0034fafdcab582fa4b12ff2c5bbdceeca62533
  SHA256: c2bea2d868e82aacc04296992cd63a14383592c225b868eaf0609299557c55a2
  SHA512: f1b54ed8f3031dd36c01bd16580f673f004c9f68c8749e5c20b12b2cf65e780140aeddbe2a2d20f6ca787759bf3563a3cbe2d37f02937dbc46ab2615932d8a24
Memory dumps:
  memory/928-131-0x0000000000000000-mapping.dmp
  memory/3656-121-0x0000000000000000-mapping.dmp
  memory/3656-130-0x0000000005760000-0x0000000005761000-memory.dmp  Filesize: 4KB
  memory/3656-132-0x0000000005930000-0x0000000005931000-memory.dmp  Filesize: 4KB
  memory/3716-114-0x00000000005D0000-0x00000000005D1000-memory.dmp  Filesize: 4KB
  memory/3716-116-0x0000000005040000-0x0000000005041000-memory.dmp  Filesize: 4KB
  memory/3716-117-0x00000000052B0000-0x00000000052B1000-memory.dmp  Filesize: 4KB
  memory/3716-118-0x00000000057C0000-0x00000000057C1000-memory.dmp  Filesize: 4KB
  memory/3716-119-0x0000000005360000-0x0000000005361000-memory.dmp  Filesize: 4KB
  memory/3716-120-0x0000000005030000-0x0000000005036000-memory.dmp  Filesize: 24KB