Analysis
max time kernel: 150s
max time network: 157s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 02-09-2022 04:33
Static task: static1
Behavioral task: behavioral1 (sample newbithere20054rfds.exe, resource win7-20220901-en)
Behavioral task: behavioral2 (sample newbithere20054rfds.exe, resource win10v2004-20220812-en)
The signatures, process tree and dumps on this page all come from behavioral1 (Windows 7 x64); behavioral2 output is not shown here.
General
Target: newbithere20054rfds.exe
Size: 300.0MB (the images actually mapped are far smaller: 1.6MB at 0x870000 in PID 1900 and a 3.9MB UPX region in RegAsm.exe, so the on-disk size is mostly inflation; file-hash blocking of a 300MB sample is brittle, so also take the hashes of the unpacked memory dumps)
MD5: 9edb373bba31ed74e5635c8ba1ccbc24
SHA1: 7826110d94ad641b3cbed3eaa1c4e1ab5e329e26
SHA256: cd39b649045c4556c08be586b301d1dc8536e63d14888a4e6a55636776a8e235
SHA512: 90c56b8545767b8b3b3292ebc71d4683b6ff0c2e0fc1135159357707bfb462878c8044eced0f6138e7771d3db3c6e8a1b363d7663fd3e5e50f46254f22ee54e4
SSDEEP: 24576:KQWUrKeG3ggoqRwkqbQsH50RPoE+G3ttsP2V4MM9obzQLAmLGAs4DyAunLw+6aI9:K2KtBCR3qP+JeO+/m6yDL9aITLUp
Malware Config
Extracted
Family: bitrat
Version: 1.38
C2: newbithere.duckdns.org:2005 (a free dynamic-DNS host; the same port number is embedded in the sample's filename)
communication_password: 827ccb0eea8a706c4c34a16891f84e7b (32 hex characters; this value is the MD5 digest of the string 12345)
tor_process: tor
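A small triage routine for the extracted configuration, added here as an example (it is not part of the sandbox report or of any BitRAT tooling). The C2 string and password digest are the ones printed above; the candidate password list and the dynamic-DNS suffix list are constructed for the example and deliberately short.

```python
"""Triage the extracted BitRAT config: split the C2 socket, flag dynamic DNS,
and try to recover the plaintext behind the 32-hex communication_password.

Added example; EXTRACTED_CONFIG copies the values from the report, while
CANDIDATE_PASSWORDS and DYNAMIC_DNS_SUFFIXES are assumptions of this example.
"""
import hashlib
from typing import Optional

# Values copied from the "Malware Config" section of the report.
EXTRACTED_CONFIG = {
    "family": "bitrat",
    "version": "1.38",
    "c2": "newbithere.duckdns.org:2005",
    "communication_password": "827ccb0eea8a706c4c34a16891f84e7b",
    "tor_process": "tor",
}

# Assumed: a handful of free dynamic-DNS zones an analyst would flag (partial list).
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org")

# Assumed: a tiny candidate list; a real run would feed a proper wordlist.
CANDIDATE_PASSWORDS = ["password", "123456", "12345", "admin", "bitrat"]


def parse_c2(c2: str) -> tuple[str, int]:
    """Split 'host:port' exactly as the config writes it; port must be numeric."""
    host, sep, port = c2.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"unexpected C2 format: {c2!r}")
    return host.lower(), int(port)


def is_dynamic_dns(host: str) -> bool:
    """True when the host sits directly under one of the known dynamic-DNS zones."""
    return any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def recover_password(md5_hex: str, candidates) -> Optional[str]:
    """The report shows the password as a 32-hex digest; hash each candidate
    with MD5 and return the first plaintext whose digest matches, else None."""
    target = md5_hex.lower()
    for pw in candidates:
        if hashlib.md5(pw.encode()).hexdigest() == target:
            return pw
    return None


def triage(config: dict) -> dict:
    """Turn the raw config into the fields an analyst acts on."""
    host, port = parse_c2(config["c2"])
    return {
        "c2_host": host,
        "c2_port": port,
        "dynamic_dns": is_dynamic_dns(host),
        "password": recover_password(config["communication_password"], CANDIDATE_PASSWORDS),
        # Network IoCs in a form a blocklist consumer can take directly.
        "iocs": [f"domain:{host}", f"socket:{host}:{port}"],
    }


if __name__ == "__main__":
    for key, value in triage(EXTRACTED_CONFIG).items():
        print(f"{key}: {value}")
```

Recovering the plaintext matters because BitRAT uses this value to authenticate the bot to its controller, so a known weak value is a useful pivot when hunting for other samples built with the same settings; the dynamic-DNS flag is a reminder that the resolved IP will change and the hostname is the IoC to block.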
Signatures

Executes dropped EXE (1 IoC)
  pid   process
  972   pojhg.exe

UPX packed file (yara rule upx, 9 hits)
  behavioral1/memory/892-{60,62,63,65,66,69,70,71,72}-0x0000000000400000-0x00000000007E4000-memory.dmp
  All nine hits are the same 0x400000-0x7E4000 region inside RegAsm.exe (PID 892); the packed payload lives in the hollowed process, not in the 300MB file on disk.

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  pid   process
  892   RegAsm.exe (4 calls; anti-debugging from inside the injected payload)

Suspicious use of SetThreadContext (1 IoC)
  pid    process                   target pid   target process
  1900   newbithere20054rfds.exe   892          RegAsm.exe
  Together with the eleven WriteProcessMemory calls into the same child and RegAsm.exe being launched with no arguments, this is the process-hollowing pattern: the sample starts a signed .NET Framework utility suspended, overwrites it with the UPX region above and redirects its thread.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution. (ATT&CK T1053, Scheduled Task)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  token                 pid   process
  SeDebugPrivilege      892   RegAsm.exe
  SeShutdownPrivilege   892   RegAsm.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   process
  892   RegAsm.exe (2 calls; SetWindowsHookEx is the API used to install keyboard and mouse hooks)

Suspicious use of WriteProcessMemory (27 IoCs)
  pid    process                   target pid   target process   calls
  1900   newbithere20054rfds.exe   1784         cmd.exe          4
  1784   cmd.exe                   1372         schtasks.exe     4
  1900   newbithere20054rfds.exe   468          cmd.exe          4
  1900   newbithere20054rfds.exe   892          RegAsm.exe       11
  588    taskeng.exe               972          pojhg.exe        4
  The blocks of four writes into each freshly created child are the normal start-up writes a parent makes on process creation; the eleven writes into RegAsm.exe are the anomalous ones and belong to the hollowing above.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\newbithere20054rfds.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\newbithere20054rfds.exe"
    PID: 1900
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        cmdline: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\pojhg.exe'" /f
        PID: 1784
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\schtasks.exe
            cmdline: schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\pojhg.exe'" /f
            PID: 1372
            - Creates scheduled task(s)
    [2] C:\Windows\SysWOW64\cmd.exe
        cmdline: "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\newbithere20054rfds.exe" "C:\Users\Admin\AppData\Roaming\pojhg.exe"
        PID: 468
    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        PID: 892
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

[1] C:\Windows\system32\taskeng.exe
    cmdline: taskeng.exe {DB426783-242E-4BB6-B905-8EB5FEA65739} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
    PID: 588
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\pojhg.exe
        cmdline: C:\Users\Admin\AppData\Roaming\pojhg.exe
        PID: 972
        - Executes dropped EXE

Execution order: the sample registers a task named "Nafdfnasia" that runs every minute, copies itself to %AppData%\Roaming\pojhg.exe, then hollows RegAsm.exe with the real payload; the Task Scheduler (taskeng.exe) subsequently starts the copy. For cleanup the task name and the copy path are the host IoCs (schtasks /delete /tn "Nafdfnasia" /f, then remove pojhg.exe).
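Detection logic over the process tree above, added here as an example (it is not part of the sandbox report and not vendor or sandbox schema). The Proc records are constructed from the PIDs, images and command lines shown in the tree, with the WriteProcessMemory and SetThreadContext targets reduced to the PIDs listed under the signatures; the field names, the USER_WRITABLE list and the MIN_INTERVAL_MINUTES threshold are assumptions of this example. The rules generalise beyond this sample: any schtasks action in a user-writable directory, any parent that self-copies there, and any parent that both writes into and re-contexts an argument-less .NET utility are flagged.

```python
"""Rules that reproduce the four behaviours in the tree: scheduled-task
persistence, self-copy into a user-writable directory, process hollowing of
RegAsm.exe, and the scheduled copy actually running under taskeng.exe.

Added example. TREE is constructed from the report; USER_WRITABLE and
MIN_INTERVAL_MINUTES are assumptions of this example.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    wrote_to: list = field(default_factory=list)    # WriteProcessMemory targets
    set_ctx_on: list = field(default_factory=list)  # SetThreadContext targets


# Constructed from the Processes section; ppid 0 marks a root of the tree.
TREE = [
    Proc(1900, 0, r"C:\Users\Admin\AppData\Local\Temp\newbithere20054rfds.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\newbithere20054rfds.exe"',
         wrote_to=[1784, 468, 892], set_ctx_on=[892]),
    Proc(1784, 1900, r"C:\Windows\SysWOW64\cmd.exe",
         r'''"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\pojhg.exe'" /f''',
         wrote_to=[1372]),
    Proc(1372, 1784, r"C:\Windows\SysWOW64\schtasks.exe",
         r'''schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Roaming\pojhg.exe'" /f'''),
    Proc(468, 1900, r"C:\Windows\SysWOW64\cmd.exe",
         r'''"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\newbithere20054rfds.exe" "C:\Users\Admin\AppData\Roaming\pojhg.exe"'''),
    Proc(892, 1900, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
    Proc(588, 0, r"C:\Windows\system32\taskeng.exe",
         r"taskeng.exe {DB426783-242E-4BB6-B905-8EB5FEA65739} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]",
         wrote_to=[972]),
    Proc(972, 588, r"C:\Users\Admin\AppData\Roaming\pojhg.exe",
         r"C:\Users\Admin\AppData\Roaming\pojhg.exe"),
]

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")  # assumed
MIN_INTERVAL_MINUTES = 5  # assumed: a repeat interval this short is suspicious by itself


def _opt(cmd: str, name: str):
    """Value of a schtasks switch (/tr, /tn, /sc, /mo) with surrounding quotes stripped."""
    m = re.search(r"(?i)/%s\s+(\S.*?)(?=\s+/\w+|\s*$)" % name, cmd)
    return m.group(1).strip("\"'") if m else None


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(s in p for s in USER_WRITABLE)


def schtasks_persistence(tree):
    """schtasks /create whose action lives in a user-writable directory or repeats
    at a very short interval. Returns (pid, task name, action path) per hit."""
    hits = []
    for p in tree:
        if not p.image.lower().endswith("\\schtasks.exe") or "/create" not in p.cmdline.lower():
            continue
        action, sc, mo = (_opt(p.cmdline, k) for k in ("tr", "sc", "mo"))
        tight = (sc or "").lower() == "minute" and int(mo or 1) <= MIN_INTERVAL_MINUTES
        if action and (is_user_writable(action) or tight):
            hits.append((p.pid, _opt(p.cmdline, "tn"), action))
    return hits


def self_copy(tree):
    """A child 'copy' whose source is the parent's own image and whose destination
    is user-writable: the dropper staging the file its task will run."""
    by_pid = {p.pid: p for p in tree}
    hits = []
    for p in tree:
        m = re.search(r'(?i)\bcopy\s+"([^"]+)"\s+"([^"]+)"', p.cmdline)
        parent = by_pid.get(p.ppid)
        if m and parent and m.group(1).lower() == parent.image.lower() and is_user_writable(m.group(2)):
            hits.append((parent.pid, m.group(2)))
    return hits


def hollowing(tree):
    """Parent both writes into a child and rewrites its thread context, and the child
    is a .NET Framework utility started with no arguments (RegAsm.exe in the report)."""
    by_pid = {p.pid: p for p in tree}
    hits = []
    for p in tree:
        for child_pid in sorted(set(p.set_ctx_on) & set(p.wrote_to)):
            c = by_pid.get(child_pid)
            if c is None:
                continue
            bare = c.cmdline.strip().strip('"').lower() == c.image.lower()
            if bare and "\\microsoft.net\\framework" in c.image.lower():
                hits.append((p.pid, c.pid, c.image))
    return hits


def scheduled_payload_ran(tree, task_hits):
    """Correlation: an action registered by a flagged task was later started by taskeng.exe."""
    actions = {a.lower() for _, _, a in task_hits}
    by_pid = {p.pid: p for p in tree}
    return [(p.pid, p.image) for p in tree
            if p.image.lower() in actions and p.ppid in by_pid
            and by_pid[p.ppid].image.lower().endswith("\\taskeng.exe")]


if __name__ == "__main__":
    tasks = schtasks_persistence(TREE)
    print("scheduled task persistence:", tasks)
    print("self-copy to user dir:", self_copy(TREE))
    print("process hollowing:", hollowing(TREE))
    print("task payload executed:", scheduled_payload_ran(TREE, tasks))
```

The hollowing rule keys on the combination rather than on any single API: a parent writing four times into a new child is ordinary process creation (as the WriteProcessMemory table shows for cmd.exe and schtasks.exe), and SetThreadContext alone is used by debuggers, but a parent doing both to an argument-less RegAsm.exe has no benign explanation. On a Windows 10 host the scheduled copy is started by svchost.exe (Schedule service) rather than taskeng.exe, so the last rule's parent check would need that second image name.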
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Roaming\pojhg.exe
  Filesize: 236.0MB
  MD5: 915edeb4da1231124dd4b48713a4909b
  SHA1: 91a1a296d8e1afcdd966d62469d5b3575077c63a
  SHA256: f9b5c73e6aeb0c92e4911a4ab7286ce5b6fe133a2d7c02fd6f5f66e2606fd426
  SHA512: 8670adba615416068b996950d1ab2648fa08cf5955864bf2fbcb9a82468353da4048387a3483e772120c03114a62f475c2651ffd28ac1913638bd76f4bae7457

C:\Users\Admin\AppData\Roaming\pojhg.exe
  Filesize: 240.2MB
  MD5: b9cbb1e767466614af72cd7018f2fb67
  SHA1: 57606cb1ea053900b3a06d33b8d486485b06e23f
  SHA256: d4014d31a86c0d1c1a6208cce6b536222ef12bde9c87b01627b89ca01db4c6fe
  SHA512: 9ff5381ba50d8fa93f4958aa2e99bfaf6ef5d53f4fc6dab2e21b098c78d8046fe34c0d87ed5e5429c3af4d625a0ec6972836bfea3990741240fd1827178555bc

Note: pojhg.exe is produced by a plain "copy" of the 300.0MB submitted sample, yet both captures are smaller than the source and hash differently from it and from each other, so they are most likely snapshots taken before the copy had finished. Use the submitted sample's hashes, the path C:\Users\Admin\AppData\Roaming\pojhg.exe and the task name "Nafdfnasia" as IoCs for the persisted copy, not these two hash sets.
Memory dumps
memory/468-58-0x0000000000000000-mapping.dmp
memory/892-{59,60,62,63,65,66,69,70,71,72}-0x0000000000400000-0x00000000007E4000-memory.dmp  Filesize: 3.9MB (ten snapshots of the same region in RegAsm.exe; the UPX yara hits above are nine of them)
memory/892-64-0x00000000007E2730-mapping.dmp (0x7E2730 lies inside the 0x400000-0x7E4000 region, consistent with the thread context being pointed into the injected image)
memory/972-74-0x0000000000000000-mapping.dmp
memory/972-76-0x0000000000300000-0x0000000000492000-memory.dmp  Filesize: 1.6MB (0x192000 bytes, the same image size as the parent's 0x870000 region, as expected for a copy of the sample)
memory/1372-57-0x0000000000000000-mapping.dmp
memory/1784-56-0x0000000000000000-mapping.dmp
memory/1900-54-0x0000000000870000-0x0000000000A02000-memory.dmp  Filesize: 1.6MB
memory/1900-55-0x00000000759F1000-0x00000000759F3000-memory.dmpFilesize  Filesize: 8KB