Analysis
-
max time kernel
17s
-
platform
windows7_x64
-
resource
win7-20230220-en
-
resource tags
arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
-
submitted
06-06-2023 07:00
Static task
static1
Behavioral task
behavioral1
Sample
nixware crack.dll
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
nixware crack.dll
Resource
win10v2004-20230220-en
General
-
Target
nixware crack.dll
-
Size
131KB
-
MD5
9e2a655b74dd710c229750deadccd76f
-
SHA1
171596d21b5ba58aed4ece7f23bd5ee0b50a853d
-
SHA256
6caf2e1e6496de3efe605e8789bd5fd2b00649974292b4b2e850d4524c103eec
-
SHA512
65a34dd2ca72e161189bca733eb24a7c0b0ee22c3b39b65c78db995c5cc4dea1cd693630c9c984965be86d81ff4968291f5ebd76e180df421d074c6267b70169
-
SSDEEP
3072:G24KYnxDl1SlpejXNEFJUFew/UWjKoamC3uDz6iksXQl4BounDFtnUWO2fiL:T4NnRl4leG7iUVmC3w6uBDn4k6L
Malware Config
Extracted
njrat
<- NjRAT 0.7d Horror Edition ->
Victim
mYs7erY2-20549.portmap.host:20549
c7ecaeb62dbc9789b90e03340b3fcb9e
-
reg_key
c7ecaeb62dbc9789b90e03340b3fcb9e
-
splitter
Y262SUCZ4UJJ
Signatures
-
Stops running service(s) 3 TTPs
-
Drops startup file 2 IoCs
Processes:

| Description | IoC | Process |
|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c7ecaeb62dbc9789b90e03340b3fcb9e.exe | dllhost.exe |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c7ecaeb62dbc9789b90e03340b3fcb9e.exe | dllhost.exe |

-
Executes dropped EXE 2 IoCs
Processes:

| PID | Process |
|---|---|
| 916 | ~ZY1E2C.tmp |
| 980 | dllhost.exe |

-
Loads dropped DLL 1 IoCs
Processes:

| PID | Process |
|---|---|
| 1704 | rundll32.exe |

-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:

| Description | IoC | Process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\c7ecaeb62dbc9789b90e03340b3fcb9e = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .." | dllhost.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c7ecaeb62dbc9789b90e03340b3fcb9e = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .." | dllhost.exe |

-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:

| PID | Process |
|---|---|
| 1252 | sc.exe |
| 688 | sc.exe |
| 1948 | sc.exe |

-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 1 IoCs
Processes:

| Description | IoC | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE5451A1-ABFE-BF4F-EAFE-0000D47C9A46} | rundll32.exe |

-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (the same entry is recorded 64 times):

| PID | Process |
|---|---|
| 916 | ~ZY1E2C.tmp |

-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:

| Description | PID | Process |
|---|---|---|
| Token: SeDebugPrivilege | 916 | ~ZY1E2C.tmp |
| Token: SeDebugPrivilege | 980 | dllhost.exe |
| Token: SeDebugPrivilege | 868 | powershell.exe |

-
Suspicious use of WriteProcessMemory 47 IoCs
Processes (each row is one parent-to-child write; Count is how many times the same write was recorded, 47 in total):

| Source PID | Source process | Target PID | Target process | Count |
|---|---|---|---|---|
| 1448 | rundll32.exe | 1704 | rundll32.exe | 7 |
| 1704 | rundll32.exe | 916 | ~ZY1E2C.tmp | 4 |
| 916 | ~ZY1E2C.tmp | 980 | dllhost.exe | 3 |
| 980 | dllhost.exe | 1928 | attrib.exe | 3 |
| 980 | dllhost.exe | 828 | cmd.exe | 3 |
| 828 | cmd.exe | 868 | powershell.exe | 3 |
| 980 | dllhost.exe | 1984 | cmd.exe | 3 |
| 1984 | cmd.exe | 1948 | sc.exe | 3 |
| 980 | dllhost.exe | 1968 | cmd.exe | 3 |
| 1968 | cmd.exe | 1252 | sc.exe | 3 |
| 980 | dllhost.exe | 1444 | cmd.exe | 3 |
| 1444 | cmd.exe | 688 | sc.exe | 3 |
| 980 | dllhost.exe | 1616 | schtasks.exe | 3 |
| 980 | dllhost.exe | 1792 | schtasks.exe | 3 |

-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
(indentation shows the process tree; the number in brackets is the depth reported by the sandbox)

- [1] C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\nixware crack.dll",#1
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\nixware crack.dll",#1
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\~ZY1E2C.tmp
      Command line: C:\Users\Admin\AppData\Local\Temp\~ZY1E2C.tmp
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Roaming\dllhost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\dllhost.exe"
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\attrib.exe
          Command line: attrib +h "C:\Users\Admin\AppData\Roaming\dllhost.exe"
          - Views/modifies file attributes
        - [5] C:\Windows\system32\cmd.exe
          Command line: cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
            - Suspicious use of AdjustPrivilegeToken
        - [5] C:\Windows\system32\cmd.exe
          Command line: cmd /c sc query windefend
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\system32\sc.exe
            Command line: sc query windefend
            - Launches sc.exe
        - [5] C:\Windows\system32\cmd.exe
          Command line: cmd /c sc stop windefend
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\system32\sc.exe
            Command line: sc stop windefend
            - Launches sc.exe
        - [5] C:\Windows\system32\cmd.exe
          Command line: cmd /c sc delete windefend
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\system32\sc.exe
            Command line: sc delete windefend
            - Launches sc.exe
        - [5] C:\Windows\system32\schtasks.exe
          Command line: schtasks /delete /tn CleanSweepCheck /f
        - [5] C:\Windows\system32\schtasks.exe
          Command line: schtasks /create /sc minute /mo 1 /tn CleanSweepCheck /tr C:\Users\Admin\AppData\Roaming\dllhost.exe
          - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\~ZY1E2C.tmp
Filesize
32KB
MD5
97ad4704dac3a3e05dab32f5952e5122
SHA1
fe121757efc0e1898ee2b07d243ba8b17b446989
SHA256
86a9b3365ad9eb2e912253ffea5b42fe427c9a9bed310812ae66a07c233eef9d
SHA512
bf11f0341eb6bf7c45b4e00db44c3d124bfaba86ece487d341a805b3c24f841b8334424c3c242fd1d6763aa55572f42290b341b1bfd03204d3a4ec8bb6092b8a
-
C:\Users\Admin\AppData\Roaming\dllhost.exe
Filesize
32KB
MD5
97ad4704dac3a3e05dab32f5952e5122
SHA1
fe121757efc0e1898ee2b07d243ba8b17b446989
SHA256
86a9b3365ad9eb2e912253ffea5b42fe427c9a9bed310812ae66a07c233eef9d
SHA512
bf11f0341eb6bf7c45b4e00db44c3d124bfaba86ece487d341a805b3c24f841b8334424c3c242fd1d6763aa55572f42290b341b1bfd03204d3a4ec8bb6092b8a
-
\Users\Admin\AppData\Local\Temp\~ZY1E2C.tmp
Filesize
32KB
MD5
97ad4704dac3a3e05dab32f5952e5122
SHA1
fe121757efc0e1898ee2b07d243ba8b17b446989
SHA256
86a9b3365ad9eb2e912253ffea5b42fe427c9a9bed310812ae66a07c233eef9d
SHA512
bf11f0341eb6bf7c45b4e00db44c3d124bfaba86ece487d341a805b3c24f841b8334424c3c242fd1d6763aa55572f42290b341b1bfd03204d3a4ec8bb6092b8a
-
| Memory dump | Filesize |
|---|---|
| memory/868-76-0x000000001B210000-0x000000001B4F2000-memory.dmp | 2.9MB |
| memory/868-77-0x00000000026A0000-0x00000000026A8000-memory.dmp | 32KB |
| memory/868-79-0x00000000026F0000-0x0000000002770000-memory.dmp | 512KB |
| memory/868-78-0x00000000026F0000-0x0000000002770000-memory.dmp | 512KB |
| memory/868-80-0x00000000026F0000-0x0000000002770000-memory.dmp | 512KB |
| memory/868-81-0x00000000026FB000-0x0000000002732000-memory.dmp | 220KB |
| memory/916-62-0x0000000001FD0000-0x0000000002050000-memory.dmp | 512KB |
| memory/916-60-0x0000000000190000-0x00000000001A4000-memory.dmp | 80KB |
| memory/916-59-0x0000000000130000-0x0000000000138000-memory.dmp | 32KB |
| memory/980-68-0x00000000002E0000-0x00000000002E8000-memory.dmp | 32KB |
| memory/980-69-0x0000000001F00000-0x0000000001F80000-memory.dmp | 512KB |
| memory/1704-61-0x0000000011000000-0x0000000011083000-memory.dmp | 524KB |