Analysis

max time kernel: 169s
max time network: 179s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-10-2022 16:16

Static task: static1
Behavioral task: behavioral1
  Sample: NAMUJS_ETRANSFER_RECEIPT.exe
  Resource: win7-20220812-en
General

Target: NAMUJS_ETRANSFER_RECEIPT.exe
Size: 300.0MB
MD5: aa16895db009a8b646bb9c51f9b51c58
SHA1: 014b372bc0620fb1173679abb7c189d0464ce208
SHA256: 72656944adc7c9dabbc263d8a1c7f79ff6d0b6a3b06a11f88b741977c5e4f751
SHA512: 4411e718c124059044ab7fbe54f3fefa76c9d5cd2263c4214c70a498d681f87f2804aef0e8c94b630fadf9470d5e804702349ab21fafa512a368d90424d8e29b
SSDEEP: 24576:GzEo/IReVjVaXcqqza/KkJVWpcpr8lCGyi2FBGbZLipIjJ7Fb5DIoN3EtO:GziCYXKzyKkJM8r8lXyEGpIjJ73jtEt
Malware Config

Extracted
Family: bitrat
Version: 1.38
C2: bitrat9300.duckdns.org:9300
communication_password: e10adc3949ba59abbe56e057f20f883e
tor_process: tor
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid 1796  olkij.exe

Processes:
  resource                                                                      yara_rule
  behavioral2/memory/3632-138-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
  behavioral2/memory/3632-140-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
  behavioral2/memory/3632-139-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
  behavioral2/memory/3632-141-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
  behavioral2/memory/3632-142-0x0000000000400000-0x00000000007E4000-memory.dmp  upx
  behavioral2/memory/3632-146-0x0000000000400000-0x00000000007E4000-memory.dmp  upx

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
Processes:
  pid 3632  RegAsm.exe  (4 hits)

Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 3060 (NAMUJS_ETRANSFER_RECEIPT.exe) set thread context of PID 3632 (RegAsm.exe)

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  Token: SeShutdownPrivilege  pid 3632  RegAsm.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid 3632  RegAsm.exe  (2 hits)

Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
  PID 3060 (NAMUJS_ETRANSFER_RECEIPT.exe) wrote to memory of PID 100 (cmd.exe)  (3 hits)
  PID 3060 (NAMUJS_ETRANSFER_RECEIPT.exe) wrote to memory of PID 4360 (cmd.exe)  (3 hits)
  PID 100 (cmd.exe) wrote to memory of PID 2160 (schtasks.exe)  (3 hits)
  PID 3060 (NAMUJS_ETRANSFER_RECEIPT.exe) wrote to memory of PID 3632 (RegAsm.exe)  (7 hits)
Processes

C:\Users\Admin\AppData\Local\Temp\NAMUJS_ETRANSFER_RECEIPT.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NAMUJS_ETRANSFER_RECEIPT.exe"
  PID: 3060
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Local\Temp\olkij.exe'" /f
      PID: 100
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /sc minute /mo 1 /tn "Nafdfnasia" /tr "'C:\Users\Admin\AppData\Local\Temp\olkij.exe'" /f
          PID: 2160
          - Creates scheduled task(s)

    C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\NAMUJS_ETRANSFER_RECEIPT.exe" "C:\Users\Admin\AppData\Local\Temp\olkij.exe"
      PID: 4360

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID: 3632
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

C:\Users\Admin\AppData\Local\Temp\olkij.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\olkij.exe
  PID: 1796
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 181.5MB
MD5: a09a01b8cd91bd6d10f14fb159fcbcd7
SHA1: 4e4934a29acece461f9b3d0db46c3b54482cb4ab
SHA256: 5ccc5cc643e5f43bb66ee7e6f1381ce264a18795de3f1a865b93c7d49054feac
SHA512: 24f453d2e0b5c001e4d8cb02f484958d26335b83a6bb7d17e2fe4397743463d4c253db91907bb6aa9a1bffb04445c5acb189e3f8781ae360310c912713f267cf

Filesize: 183.2MB
MD5: 111358be8f76c390e14ba0c6dcd47eb5
SHA1: 96a0709eecce93c41ca8cb9748940b6d39a3499e
SHA256: ae9bf7aa2f837bc18db280c65954667e647c8d84c8b68594cbf732c0d8283b0e
SHA512: a880ad6c2854e0f0fbed2c6bd6d8f4516e7871a66fcd4ab4b2bd07f60d3751ef69e3a72125d2b9b3275ecc05b1cdf4d866980e865048ea11f1c543f905b39ecd