Analysis
-
max time kernel
162s -
max time network
92s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
23-11-2022 15:31
Static task
static1
Behavioral task
behavioral1
Sample
6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe
Resource
win10v2004-20221111-en
General
-
Target
6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe
-
Size
851KB
-
MD5
82f01d8c0b2d91ea436408cd47552a9b
-
SHA1
cf91ce41e81fae3447cc222379c39b24996b5c85
-
SHA256
6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58
-
SHA512
0111b9623b48e651918b7c445fd2c76d705f2349e853293dd585abab1f57008d44b70cadfcad55946eec87257edd9267c43003dcf6989feeeb62acdc44f1aa09
-
SSDEEP
24576:t9WOR12VcEw33nqhjisQiKLUvzD445D7vcUj:t9WObyGLLDKDH
Malware Config
Extracted
njrat
0.7d
HacKed
earnwhilehome.ddns.net:5552
3db166ddf8eda41ea0294b2b337cfbe9
-
reg_key
3db166ddf8eda41ea0294b2b337cfbe9
-
splitter
|'|'|
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
Fusebux-Instant-Money.exeMoney-To-Your-Fusebux-Account-Instantly.exesvchost.exepid process 572 Fusebux-Instant-Money.exe 588 Money-To-Your-Fusebux-Account-Instantly.exe 1444 svchost.exe -
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Drops startup file 2 IoCs
Processes:
svchost.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3db166ddf8eda41ea0294b2b337cfbe9.exe svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3db166ddf8eda41ea0294b2b337cfbe9.exe svchost.exe -
Loads dropped DLL 2 IoCs
Processes:
6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exepid process 948 6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe 948 6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\3db166ddf8eda41ea0294b2b337cfbe9 = "\"C:\\Users\\Admin\\svchost.exe\" .." svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3db166ddf8eda41ea0294b2b337cfbe9 = "\"C:\\Users\\Admin\\svchost.exe\" .." svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes:
svchost.exedescription pid process Token: SeDebugPrivilege 1444 svchost.exe Token: 33 1444 svchost.exe Token: SeIncBasePriorityPrivilege 1444 svchost.exe Token: 33 1444 svchost.exe Token: SeIncBasePriorityPrivilege 1444 svchost.exe Token: 33 1444 svchost.exe Token: SeIncBasePriorityPrivilege 1444 svchost.exe Token: 33 1444 svchost.exe Token: SeIncBasePriorityPrivilege 1444 svchost.exe Token: 33 1444 svchost.exe Token: SeIncBasePriorityPrivilege 1444 svchost.exe Token: 33 1444 svchost.exe Token: SeIncBasePriorityPrivilege 1444 svchost.exe Token: 33 1444 svchost.exe Token: SeIncBasePriorityPrivilege 1444 svchost.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exeMoney-To-Your-Fusebux-Account-Instantly.exesvchost.exedescription pid process target process PID 948 wrote to memory of 572 948 6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe Fusebux-Instant-Money.exe PID 948 wrote to memory of 572 948 6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe Fusebux-Instant-Money.exe PID 948 wrote to memory of 572 948 6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe Fusebux-Instant-Money.exe PID 948 wrote to memory of 572 948 6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe Fusebux-Instant-Money.exe PID 948 wrote to memory of 588 948 6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe Money-To-Your-Fusebux-Account-Instantly.exe PID 948 wrote to memory of 588 948 6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe Money-To-Your-Fusebux-Account-Instantly.exe PID 948 wrote to memory of 588 948 6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe Money-To-Your-Fusebux-Account-Instantly.exe PID 948 wrote to memory of 588 948 6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe Money-To-Your-Fusebux-Account-Instantly.exe PID 588 wrote to memory of 1444 588 Money-To-Your-Fusebux-Account-Instantly.exe svchost.exe PID 588 wrote to memory of 1444 588 Money-To-Your-Fusebux-Account-Instantly.exe svchost.exe PID 588 wrote to memory of 1444 588 Money-To-Your-Fusebux-Account-Instantly.exe svchost.exe PID 1444 wrote to memory of 1064 1444 svchost.exe netsh.exe PID 1444 wrote to memory of 1064 1444 svchost.exe netsh.exe PID 1444 wrote to memory of 1064 1444 svchost.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe"C:\Users\Admin\AppData\Local\Temp\6021565a6ce591d4ba96e91548ffc32049a14fc6475a9ea21dc620cd8aad0c58.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Fusebux-Instant-Money.exe"C:\Users\Admin\AppData\Local\Temp\Fusebux-Instant-Money.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Money-To-Your-Fusebux-Account-Instantly.exe"C:\Users\Admin\AppData\Local\Temp\Money-To-Your-Fusebux-Account-Instantly.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\svchost.exe"C:\Users\Admin\svchost.exe"3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\svchost.exe" "svchost.exe" ENABLE4⤵
- Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Fusebux-Instant-Money.exeFilesize
169KB
MD5a1ffe51d09de133a85d71b33d1c19f18
SHA12245c4b5d4f1d7652e651d6b1118798b46da8ef1
SHA2561de72fd0059f708be4bc5c6e4cee135f4abf825806cab4cff0fd6cade44efedb
SHA5120f6b9a9f8bd3503c6fe70e399691b63c8e044dac55dcffa22696ddcfea30d460c8e1211156a3a4dc02538b2eb7d8464b4a19fb09abb5b268b728ceb09c4bcf38
-
C:\Users\Admin\AppData\Local\Temp\Fusebux-Instant-Money.exeFilesize
169KB
MD5a1ffe51d09de133a85d71b33d1c19f18
SHA12245c4b5d4f1d7652e651d6b1118798b46da8ef1
SHA2561de72fd0059f708be4bc5c6e4cee135f4abf825806cab4cff0fd6cade44efedb
SHA5120f6b9a9f8bd3503c6fe70e399691b63c8e044dac55dcffa22696ddcfea30d460c8e1211156a3a4dc02538b2eb7d8464b4a19fb09abb5b268b728ceb09c4bcf38
-
C:\Users\Admin\AppData\Local\Temp\Money-To-Your-Fusebux-Account-Instantly.exeFilesize
360KB
MD58fa430d15200fa6144308a89e197b592
SHA1715be47225e20e324c5647a6b89fbeba462ef7e2
SHA256e3f6501aaa3be057e71652fdf93468152af66cfe1b5a8a2f9160a574718d5fd3
SHA51277b205f2d997c9f3fad307077d1b5d46bd7d687bf6059f0ee5ce897c9ba972dc3fc35c17e3db9a362dc6b9c48da7028134291d65cb77fcf0a42c72adf72a8490
-
C:\Users\Admin\AppData\Local\Temp\Money-To-Your-Fusebux-Account-Instantly.exeFilesize
360KB
MD58fa430d15200fa6144308a89e197b592
SHA1715be47225e20e324c5647a6b89fbeba462ef7e2
SHA256e3f6501aaa3be057e71652fdf93468152af66cfe1b5a8a2f9160a574718d5fd3
SHA51277b205f2d997c9f3fad307077d1b5d46bd7d687bf6059f0ee5ce897c9ba972dc3fc35c17e3db9a362dc6b9c48da7028134291d65cb77fcf0a42c72adf72a8490
-
C:\Users\Admin\svchost.exeFilesize
360KB
MD58fa430d15200fa6144308a89e197b592
SHA1715be47225e20e324c5647a6b89fbeba462ef7e2
SHA256e3f6501aaa3be057e71652fdf93468152af66cfe1b5a8a2f9160a574718d5fd3
SHA51277b205f2d997c9f3fad307077d1b5d46bd7d687bf6059f0ee5ce897c9ba972dc3fc35c17e3db9a362dc6b9c48da7028134291d65cb77fcf0a42c72adf72a8490
-
C:\Users\Admin\svchost.exeFilesize
360KB
MD58fa430d15200fa6144308a89e197b592
SHA1715be47225e20e324c5647a6b89fbeba462ef7e2
SHA256e3f6501aaa3be057e71652fdf93468152af66cfe1b5a8a2f9160a574718d5fd3
SHA51277b205f2d997c9f3fad307077d1b5d46bd7d687bf6059f0ee5ce897c9ba972dc3fc35c17e3db9a362dc6b9c48da7028134291d65cb77fcf0a42c72adf72a8490
-
\Users\Admin\AppData\Local\Temp\Fusebux-Instant-Money.exeFilesize
169KB
MD5a1ffe51d09de133a85d71b33d1c19f18
SHA12245c4b5d4f1d7652e651d6b1118798b46da8ef1
SHA2561de72fd0059f708be4bc5c6e4cee135f4abf825806cab4cff0fd6cade44efedb
SHA5120f6b9a9f8bd3503c6fe70e399691b63c8e044dac55dcffa22696ddcfea30d460c8e1211156a3a4dc02538b2eb7d8464b4a19fb09abb5b268b728ceb09c4bcf38
-
\Users\Admin\AppData\Local\Temp\Money-To-Your-Fusebux-Account-Instantly.exeFilesize
360KB
MD58fa430d15200fa6144308a89e197b592
SHA1715be47225e20e324c5647a6b89fbeba462ef7e2
SHA256e3f6501aaa3be057e71652fdf93468152af66cfe1b5a8a2f9160a574718d5fd3
SHA51277b205f2d997c9f3fad307077d1b5d46bd7d687bf6059f0ee5ce897c9ba972dc3fc35c17e3db9a362dc6b9c48da7028134291d65cb77fcf0a42c72adf72a8490
-
memory/572-64-0x0000000000990000-0x00000000009C2000-memory.dmpFilesize
200KB
-
memory/572-57-0x0000000000000000-mapping.dmp
-
memory/588-61-0x0000000000000000-mapping.dmp
-
memory/588-67-0x0000000000160000-0x00000000001C0000-memory.dmpFilesize
384KB
-
memory/588-68-0x00000000002B0000-0x00000000002B8000-memory.dmpFilesize
32KB
-
memory/588-69-0x0000000000440000-0x000000000044C000-memory.dmpFilesize
48KB
-
memory/948-54-0x0000000075A31000-0x0000000075A33000-memory.dmpFilesize
8KB
-
memory/948-65-0x0000000074170000-0x000000007471B000-memory.dmpFilesize
5.7MB
-
memory/948-55-0x0000000074170000-0x000000007471B000-memory.dmpFilesize
5.7MB
-
memory/1064-74-0x0000000000000000-mapping.dmp
-
memory/1064-75-0x000007FEFB641000-0x000007FEFB643000-memory.dmpFilesize
8KB
-
memory/1444-70-0x0000000000000000-mapping.dmp
-
memory/1444-73-0x0000000001310000-0x0000000001370000-memory.dmpFilesize
384KB