Analysis
max time kernel: 151s
max time network: 153s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 29-03-2023 01:48
Static task: static1
Behavioral task: behavioral1
  Sample: TGX.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: TGX.exe
  Resource: win10v2004-20230220-en
General
Target: TGX.exe
Size: 19.0MB
MD5: f11e3a4b0b3dfbeeda1093a3d23103a9
SHA1: 249ac84328d018b6c1f8bdc158210d73d1dfa895
SHA256: e57f065b20a5bcc1b515ca93b86f221783ddf5880f660f552b5a9735fce540a7
SHA512: baedf5d8da21ec93d007d51f750d6c3edcee28d8a01f1c549e1adb7268da48d6df1d9467f1506dc72fb7d1b01b1142bb8ab174b7122a101de8bc8e86dc423990
SSDEEP: 393216:vpoJ0krl5Tb9KaS4d2OfGJxZ8AB1SNjmJ4Uoy7Tk15HZKU:vpohLb9KaIOoD8Aom1V7T7U
Malware Config
Extracted
njrat
im523
HacKed
browser-bangladesh.at.ply.gg:14018
675f4fe6228789d2c44bb51781f399e5
reg_key: 675f4fe6228789d2c44bb51781f399e5
splitter: |'|'|
Signatures
Modifies Windows Firewall 1 TTPs 1 IoCs

Drops startup file 2 IoCs
Processes: serverHost.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\675f4fe6228789d2c44bb51781f399e5.exe | serverHost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\675f4fe6228789d2c44bb51781f399e5.exe | serverHost.exe
Executes dropped EXE 5 IoCs
Processes: TGX_Laucher.exe, TGX_LLaucher.exe, TGX_LLaucher.exe, serverHost.exe
pid | process
920 | TGX_Laucher.exe
616 | TGX_LLaucher.exe
828 | TGX_LLaucher.exe
1260 |
1952 | serverHost.exe
Loads dropped DLL 7 IoCs
Processes: TGX.exe, TGX_LLaucher.exe, TGX_Laucher.exe
pid | process
2016 | TGX.exe
2016 | TGX.exe
2016 | TGX.exe
2016 | TGX.exe
828 | TGX_LLaucher.exe
1260 |
920 | TGX_Laucher.exe
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI6162\python311.dll | upx
\Users\Admin\AppData\Local\Temp\_MEI6162\python311.dll | upx
behavioral1/memory/828-182-0x000007FEF5930000-0x000007FEF5F19000-memory.dmp | upx
Adds Run key to start application 2 TTPs 2 IoCs
Processes: serverHost.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\675f4fe6228789d2c44bb51781f399e5 = "\"C:\\Users\\Admin\\AppData\\Roaming\\serverHost.exe\" .." | serverHost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\675f4fe6228789d2c44bb51781f399e5 = "\"C:\\Users\\Admin\\AppData\\Roaming\\serverHost.exe\" .." | serverHost.exe
Detects Pyinstaller 7 IoCs
Processes:
resource | yara_rule
\UsersAdmin\AppData\Roaming\Microsoft\TGX_LLaucher.exe | pyinstaller
C:\UsersAdmin\AppData\Roaming\Microsoft\TGX_LLaucher.exe | pyinstaller
C:\UsersAdmin\AppData\Roaming\Microsoft\TGX_LLaucher.exe | pyinstaller
C:\UsersAdmin\AppData\Roaming\Microsoft\TGX_LLaucher.exe | pyinstaller
C:\UsersAdmin\AppData\Roaming\Microsoft\TGX_LLaucher.exe | pyinstaller
\UsersAdmin\AppData\Roaming\Microsoft\TGX_LLaucher.exe | pyinstaller
\UsersAdmin\AppData\Roaming\Microsoft\TGX_LLaucher.exe | pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: serverHost.exe
pid | process
1952 | serverHost.exe (64 identical entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: serverHost.exe
pid | process
1952 | serverHost.exe
Suspicious use of AdjustPrivilegeToken 21 IoCs
Processes: serverHost.exe
description | pid | process
Token: SeDebugPrivilege | 1952 | serverHost.exe
Token: 33 | 1952 | serverHost.exe (10 entries, alternating with the row below)
Token: SeIncBasePriorityPrivilege | 1952 | serverHost.exe (10 entries)
Suspicious use of WriteProcessMemory 19 IoCs
Processes: TGX.exe, TGX_LLaucher.exe, TGX_Laucher.exe, serverHost.exe
description | pid | process | target process
PID 2016 wrote to memory of 920 | 2016 | TGX.exe | TGX_Laucher.exe (4 entries)
PID 2016 wrote to memory of 616 | 2016 | TGX.exe | TGX_LLaucher.exe (4 entries)
PID 616 wrote to memory of 828 | 616 | TGX_LLaucher.exe | TGX_LLaucher.exe (3 entries)
PID 920 wrote to memory of 1952 | 920 | TGX_Laucher.exe | serverHost.exe (4 entries)
PID 1952 wrote to memory of 1828 | 1952 | serverHost.exe | netsh.exe (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\TGX.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\TGX.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\UsersAdmin\AppData\Roaming\Microsoft\TGX_Laucher.exe (depth 2)
    command line: "C:\UsersAdmin\AppData\Roaming\Microsoft\TGX_Laucher.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\serverHost.exe (depth 3)
      command line: "C:\Users\Admin\AppData\Roaming\serverHost.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\netsh.exe (depth 4)
        command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\serverHost.exe" "serverHost.exe" ENABLE
        - Modifies Windows Firewall
  C:\UsersAdmin\AppData\Roaming\Microsoft\TGX_LLaucher.exe (depth 2)
    command line: "C:\UsersAdmin\AppData\Roaming\Microsoft\TGX_LLaucher.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\UsersAdmin\AppData\Roaming\Microsoft\TGX_LLaucher.exe (depth 3)
      command line: "C:\UsersAdmin\AppData\Roaming\Microsoft\TGX_LLaucher.exe"
      - Executes dropped EXE
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\UsersAdmin\AppData\Roaming\Microsoft\TGX_LLaucher.exe
Filesize: 18.9MB
MD5: aa465d840eb98e6e3553fe6d667b5821
SHA1: 9911f9faad6e7d9545f4036d2d244ff22d9264ce
SHA256: f29266ff16b2ee0f068a829cb9c80045b23d102f6a0407f798828cfcefab9123
SHA512: fe4e25123705d72532d6b1d6d43fb4956278f8405b76a3114926fe6b0d3471d93daf2a2213a26f4fa1906e6aa2023b362e2c575120f1c25081e962e8a75e43a4

C:\UsersAdmin\AppData\Roaming\Microsoft\TGX_Laucher.exe
Filesize: 37KB
MD5: e7b4f2beaa2c2679eee8692abea22321
SHA1: de3d91c9b5e0bbcb94da37924dbe7aa797de9db5
SHA256: 63db0a3e5e2aea770d9278502bb06c9fcf1c64b15c27819c72d5a73660f8b99e
SHA512: 47580a4087c49d7b9bac9d11bff3f6d9b91e1e387723ec1c5c407d33c529f951e9b6edff3c80982804f86a020791e106f71214b272a8c548d6dab458a1206a2b

C:\Users\Admin\AppData\Local\Temp\_MEI6162\python311.dll
Filesize: 1.6MB
MD5: 109e26bea83e7cd897d296c803502722
SHA1: d6c7fce09407b993207f5522fa6db0fd1aad8b22
SHA256: 4834d101c620e32e059ba73cf13f53252c48b9326b9342cb1aa9da0a5b329e24
SHA512: b553a151d1fa81e578da83793eed8aa14862a91772cec16caef00b196c33b2f905beb7342c2d876306b068573be1ce543fac653d1177a1605e27a54ee1354cda

C:\Users\Admin\AppData\Roaming\serverHost.exe
Filesize: 37KB
MD5: e7b4f2beaa2c2679eee8692abea22321
SHA1: de3d91c9b5e0bbcb94da37924dbe7aa797de9db5
SHA256: 63db0a3e5e2aea770d9278502bb06c9fcf1c64b15c27819c72d5a73660f8b99e
SHA512: 47580a4087c49d7b9bac9d11bff3f6d9b91e1e387723ec1c5c407d33c529f951e9b6edff3c80982804f86a020791e106f71214b272a8c548d6dab458a1206a2b

\UsersAdmin\AppData\Roaming\Microsoft\TGX_LLaucher.exe
Filesize: 18.9MB
MD5: aa465d840eb98e6e3553fe6d667b5821
SHA1: 9911f9faad6e7d9545f4036d2d244ff22d9264ce
SHA256: f29266ff16b2ee0f068a829cb9c80045b23d102f6a0407f798828cfcefab9123
SHA512: fe4e25123705d72532d6b1d6d43fb4956278f8405b76a3114926fe6b0d3471d93daf2a2213a26f4fa1906e6aa2023b362e2c575120f1c25081e962e8a75e43a4

\UsersAdmin\AppData\Roaming\Microsoft\TGX_Laucher.exe
Filesize: 37KB
MD5: e7b4f2beaa2c2679eee8692abea22321
SHA1: de3d91c9b5e0bbcb94da37924dbe7aa797de9db5
SHA256: 63db0a3e5e2aea770d9278502bb06c9fcf1c64b15c27819c72d5a73660f8b99e
SHA512: 47580a4087c49d7b9bac9d11bff3f6d9b91e1e387723ec1c5c407d33c529f951e9b6edff3c80982804f86a020791e106f71214b272a8c548d6dab458a1206a2b

\Users\Admin\AppData\Local\Temp\_MEI6162\python311.dll
Filesize: 1.6MB
MD5: 109e26bea83e7cd897d296c803502722
SHA1: d6c7fce09407b993207f5522fa6db0fd1aad8b22
SHA256: 4834d101c620e32e059ba73cf13f53252c48b9326b9342cb1aa9da0a5b329e24
SHA512: b553a151d1fa81e578da83793eed8aa14862a91772cec16caef00b196c33b2f905beb7342c2d876306b068573be1ce543fac653d1177a1605e27a54ee1354cda

\Users\Admin\AppData\Roaming\serverHost.exe
Filesize: 37KB
MD5: e7b4f2beaa2c2679eee8692abea22321
SHA1: de3d91c9b5e0bbcb94da37924dbe7aa797de9db5
SHA256: 63db0a3e5e2aea770d9278502bb06c9fcf1c64b15c27819c72d5a73660f8b99e
SHA512: 47580a4087c49d7b9bac9d11bff3f6d9b91e1e387723ec1c5c407d33c529f951e9b6edff3c80982804f86a020791e106f71214b272a8c548d6dab458a1206a2b

memory/828-182-0x000007FEF5930000-0x000007FEF5F19000-memory.dmp
Filesize: 5.9MB

memory/920-181-0x0000000000AD0000-0x0000000000B10000-memory.dmp
Filesize: 256KB

memory/1952-192-0x00000000003C0000-0x0000000000400000-memory.dmp
Filesize: 256KB

memory/1952-295-0x00000000003C0000-0x0000000000400000-memory.dmp
Filesize: 256KB

memory/1952-296-0x00000000003C0000-0x0000000000400000-memory.dmp
Filesize: 256KB