Analysis
max time kernel: 26s
max time network: 28s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
submitted: 06-06-2023 07:00
Static task: static1
Behavioral task: behavioral1
  Sample: nixware crack.dll
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: nixware crack.dll
  Resource: win10v2004-20230220-en
General
Target: nixware crack.dll
Size: 131KB
MD5: 9e2a655b74dd710c229750deadccd76f
SHA1: 171596d21b5ba58aed4ece7f23bd5ee0b50a853d
SHA256: 6caf2e1e6496de3efe605e8789bd5fd2b00649974292b4b2e850d4524c103eec
SHA512: 65a34dd2ca72e161189bca733eb24a7c0b0ee22c3b39b65c78db995c5cc4dea1cd693630c9c984965be86d81ff4968291f5ebd76e180df421d074c6267b70169
SSDEEP: 3072:G24KYnxDl1SlpejXNEFJUFew/UWjKoamC3uDz6iksXQl4BounDFtnUWO2fiL:T4NnRl4leG7iUVmC3w6uBDn4k6L
Malware Config
Extracted
Family: njrat
Version: <- NjRAT 0.7d Horror Edition ->
Botnet: Victim
C2: mYs7erY2-20549.portmap.host:20549
Mutex: c7ecaeb62dbc9789b90e03340b3fcb9e
reg_key: c7ecaeb62dbc9789b90e03340b3fcb9e
splitter: Y262SUCZ4UJJ
Signatures

Stops running service(s) (3 TTPs)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: ~ZYA4C0.tmp
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation | ~ZYA4C0.tmp

Drops startup file (2 IoCs)
Processes: dllhost.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c7ecaeb62dbc9789b90e03340b3fcb9e.exe | dllhost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c7ecaeb62dbc9789b90e03340b3fcb9e.exe | dllhost.exe

Executes dropped EXE (2 IoCs)
Processes: ~ZYA4C0.tmp, dllhost.exe
pid | process
4700 | ~ZYA4C0.tmp
3264 | dllhost.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: dllhost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c7ecaeb62dbc9789b90e03340b3fcb9e = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .." | dllhost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c7ecaeb62dbc9789b90e03340b3fcb9e = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .." | dllhost.exe
Launches sc.exe (3 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe, sc.exe, sc.exe
pid | process
1828 | sc.exe
4296 | sc.exe
5064 | sc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Modifies registry class (1 IoC)
Processes: rundll32.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE5451A1-ABFE-BF4F-EAFE-0000D47C9A46} | rundll32.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: ~ZYA4C0.tmp
pid | process
4700 | ~ZYA4C0.tmp (this row is repeated 64 times in the report, one per IoC)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: ~ZYA4C0.tmp, dllhost.exe, powershell.exe
description | pid | process
Token: SeDebugPrivilege | 4700 | ~ZYA4C0.tmp
Token: SeDebugPrivilege | 3264 | dllhost.exe
Token: SeDebugPrivilege | 3076 | powershell.exe

Suspicious use of WriteProcessMemory (29 IoCs)
Processes: rundll32.exe, rundll32.exe, ~ZYA4C0.tmp, dllhost.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
description | pid | process | target process
PID 2868 wrote to memory of 788 | 2868 | rundll32.exe | rundll32.exe
PID 2868 wrote to memory of 788 | 2868 | rundll32.exe | rundll32.exe
PID 2868 wrote to memory of 788 | 2868 | rundll32.exe | rundll32.exe
PID 788 wrote to memory of 4700 | 788 | rundll32.exe | ~ZYA4C0.tmp
PID 788 wrote to memory of 4700 | 788 | rundll32.exe | ~ZYA4C0.tmp
PID 4700 wrote to memory of 3264 | 4700 | ~ZYA4C0.tmp | dllhost.exe
PID 4700 wrote to memory of 3264 | 4700 | ~ZYA4C0.tmp | dllhost.exe
PID 3264 wrote to memory of 5012 | 3264 | dllhost.exe | attrib.exe
PID 3264 wrote to memory of 5012 | 3264 | dllhost.exe | attrib.exe
PID 3264 wrote to memory of 3928 | 3264 | dllhost.exe | cmd.exe
PID 3264 wrote to memory of 3928 | 3264 | dllhost.exe | cmd.exe
PID 3928 wrote to memory of 3076 | 3928 | cmd.exe | powershell.exe
PID 3928 wrote to memory of 3076 | 3928 | cmd.exe | powershell.exe
PID 3264 wrote to memory of 2792 | 3264 | dllhost.exe | cmd.exe
PID 3264 wrote to memory of 2792 | 3264 | dllhost.exe | cmd.exe
PID 2792 wrote to memory of 1828 | 2792 | cmd.exe | sc.exe
PID 2792 wrote to memory of 1828 | 2792 | cmd.exe | sc.exe
PID 3264 wrote to memory of 4604 | 3264 | dllhost.exe | cmd.exe
PID 3264 wrote to memory of 4604 | 3264 | dllhost.exe | cmd.exe
PID 4604 wrote to memory of 4296 | 4604 | cmd.exe | sc.exe
PID 4604 wrote to memory of 4296 | 4604 | cmd.exe | sc.exe
PID 3264 wrote to memory of 1128 | 3264 | dllhost.exe | cmd.exe
PID 3264 wrote to memory of 1128 | 3264 | dllhost.exe | cmd.exe
PID 1128 wrote to memory of 5064 | 1128 | cmd.exe | sc.exe
PID 1128 wrote to memory of 5064 | 1128 | cmd.exe | sc.exe
PID 3264 wrote to memory of 4404 | 3264 | dllhost.exe | schtasks.exe
PID 3264 wrote to memory of 4404 | 3264 | dllhost.exe | schtasks.exe
PID 3264 wrote to memory of 1368 | 3264 | dllhost.exe | schtasks.exe
PID 3264 wrote to memory of 1368 | 3264 | dllhost.exe | schtasks.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Views/modifies file attributes (1 TTP, 1 IoC)
Processes (indented by depth in the process tree)

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\nixware crack.dll",#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\nixware crack.dll",#1
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\~ZYA4C0.tmp
      command line: C:\Users\Admin\AppData\Local\Temp\~ZYA4C0.tmp
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\dllhost.exe
        command line: "C:\Users\Admin\AppData\Roaming\dllhost.exe"
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SYSTEM32\attrib.exe
          command line: attrib +h "C:\Users\Admin\AppData\Roaming\dllhost.exe"
          - Views/modifies file attributes
        C:\Windows\SYSTEM32\cmd.exe
          command line: cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
          - Suspicious use of WriteProcessMemory
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SYSTEM32\cmd.exe
          command line: cmd /c sc query windefend
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\sc.exe
            command line: sc query windefend
            - Launches sc.exe
        C:\Windows\SYSTEM32\cmd.exe
          command line: cmd /c sc stop windefend
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\sc.exe
            command line: sc stop windefend
            - Launches sc.exe
        C:\Windows\SYSTEM32\cmd.exe
          command line: cmd /c sc delete windefend
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\sc.exe
            command line: sc delete windefend
            - Launches sc.exe
        C:\Windows\SYSTEM32\schtasks.exe
          command line: schtasks /delete /tn CleanSweepCheck /f
        C:\Windows\SYSTEM32\schtasks.exe
          command line: schtasks /create /sc minute /mo 1 /tn CleanSweepCheck /tr C:\Users\Admin\AppData\Roaming\dllhost.exe
          - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_la2tum5z.kpj.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
C:\Users\Admin\AppData\Local\Temp\~ZYA4C0.tmp
  Filesize: 32KB
  MD5: 97ad4704dac3a3e05dab32f5952e5122
  SHA1: fe121757efc0e1898ee2b07d243ba8b17b446989
  SHA256: 86a9b3365ad9eb2e912253ffea5b42fe427c9a9bed310812ae66a07c233eef9d
  SHA512: bf11f0341eb6bf7c45b4e00db44c3d124bfaba86ece487d341a805b3c24f841b8334424c3c242fd1d6763aa55572f42290b341b1bfd03204d3a4ec8bb6092b8a
C:\Users\Admin\AppData\Roaming\dllhost.exe
  Filesize: 32KB
  MD5: 97ad4704dac3a3e05dab32f5952e5122
  SHA1: fe121757efc0e1898ee2b07d243ba8b17b446989
  SHA256: 86a9b3365ad9eb2e912253ffea5b42fe427c9a9bed310812ae66a07c233eef9d
  SHA512: bf11f0341eb6bf7c45b4e00db44c3d124bfaba86ece487d341a805b3c24f841b8334424c3c242fd1d6763aa55572f42290b341b1bfd03204d3a4ec8bb6092b8a
memory/788-143-0x0000000011000000-0x0000000011083000-memory.dmp  Filesize: 524KB
memory/788-133-0x0000000011000000-0x0000000011083000-memory.dmp  Filesize: 524KB
memory/3076-164-0x000001BD77EA0000-0x000001BD77EC2000-memory.dmp  Filesize: 136KB
memory/3076-165-0x000001BD77D60000-0x000001BD77D70000-memory.dmp  Filesize: 64KB
memory/3076-167-0x000001BD77D60000-0x000001BD77D70000-memory.dmp  Filesize: 64KB
memory/3076-166-0x000001BD77D60000-0x000001BD77D70000-memory.dmp  Filesize: 64KB
memory/3264-153-0x0000000001290000-0x00000000012A4000-memory.dmp  Filesize: 80KB
memory/3264-154-0x00000000009F0000-0x0000000000A00000-memory.dmp  Filesize: 64KB
memory/3264-171-0x000000001C8F0000-0x000000001C98C000-memory.dmp  Filesize: 624KB
memory/3264-172-0x00000000009F0000-0x0000000000A00000-memory.dmp  Filesize: 64KB
memory/3264-173-0x000000001B700000-0x000000001B708000-memory.dmp  Filesize: 32KB
memory/3264-174-0x00000000009F0000-0x0000000000A00000-memory.dmp  Filesize: 64KB
memory/4700-139-0x0000000001680000-0x0000000001690000-memory.dmp  Filesize: 64KB
memory/4700-138-0x0000000000E90000-0x0000000000E98000-memory.dmp  Filesize: 32KB
memory/4700-142-0x000000001BDA0000-0x000000001BE46000-memory.dmp  Filesize: 664KB
memory/4700-140-0x000000001C350000-0x000000001C81E000-memory.dmp  Filesize: 4.8MB
memory/4700-141-0x0000000001730000-0x0000000001744000-memory.dmp  Filesize: 80KB