Analysis
max time kernel: 59s
max time network: 57s
platform: windows10-2004_x64
resource: win10v2004-20231130-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-12-2023 23:09
Static task: static1
Behavioral task: behavioral1
  Sample: stub.exe_xor-packed.exe
  Resource: win10v2004-20231130-en
General
Target: stub.exe_xor-packed.exe
Size: 60KB
MD5: f70109842c9126e15d1761576c307db3
SHA1: de3c99dbf7d5459a6e1ac4509d24cfe5504a3a99
SHA256: 484e1d434e1896d2a44909d531a91b5083a1ebad3f726d5fd3b3a3105f8c3111
SHA512: ad35e7ffde96b5c9648fda4f89640a8bc5d1f88dd8caea0638d050e041268c23271ecb67ad165a2ba34b26475dac01996fe1bd4cf1b30f54a33d4d95a946a04d
SSDEEP: 768:svW9wNRqQ9XIdHZ4fc/kexyGW2j+VwD+deiwqJf2tmEMotwJymFQypKwhafuxmsU:79w+MO45ex7V+mDsJ52cEJmmdiXYuOF
Malware Config
Extracted
Family: njrat
Version: Platinum
Botnet: HacKed
C2: 127.0.0.1:9017
Mutex: Client.exe
Attributes
  reg_key: Client.exe
  splitter: |Ghost|
Note: the extracted C2 is the loopback address, so this build cannot reach an external controller and no beaconing is expected from the detonation. The persistence and defence-evasion behaviour recorded below is the useful signal from this run.
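The splitter is the one piece of the config that is directly usable on the wire. The following is an added example, not part of the sandbox report and not njRAT's own code: it splits a raw TCP stream into njRAT-style frames using the extracted splitter. The framing it assumes (an ASCII decimal length, a NUL byte, then the payload, with fields joined by the splitter) is the family's documented message format, not something this report states, and the sample stream is constructed for the example rather than captured from the C2.

```python
"""
Added example (not from the sandbox report): split a raw TCP stream into
njRAT-style frames using the splitter the report extracted (|Ghost|).

Assumptions, labelled because the report only gives the splitter and C2:
  * each message is '<ASCII decimal length>\x00<payload>', frames back to back
  * fields inside a payload are separated by the configured splitter
SAMPLE_STREAM below is constructed for this example, not a capture.
"""


def parse_frames(buf: bytes, splitter: bytes = b"|Ghost|"):
    """Return (list of field lists, unconsumed tail).

    Stops at the first byte sequence that is not a well-formed length header,
    or at a frame whose declared length exceeds the buffered data (partial
    frame), so the caller can append more bytes and retry with the tail."""
    frames, pos = [], 0
    while pos < len(buf):
        nul = buf.find(b"\x00", pos)
        if nul < 0:
            break                                   # header not complete yet
        head = buf[pos:nul]
        if not head or not head.isdigit() or len(head) > 8:
            break                                   # not a length prefix
        length = int(head)
        start, end = nul + 1, nul + 1 + length
        if end > len(buf):
            break                                   # partial frame, keep tail
        frames.append(buf[start:end].split(splitter))
        pos = end
    return frames, buf[pos:]


def build_frame(fields, splitter: bytes = b"|Ghost|") -> bytes:
    """Inverse of parse_frames for one message (used to construct test data)."""
    payload = splitter.join(fields)
    return str(len(payload)).encode() + b"\x00" + payload


def splitter_seen(buf: bytes, splitter: bytes = b"|Ghost|") -> bool:
    """Cheap network check: at least one complete, well-framed message
    carries the configured splitter. HTTP or TLS traffic has no NUL-terminated
    decimal length prefix, so it yields no frames and returns False."""
    frames, _ = parse_frames(buf, splitter)
    return any(len(f) > 1 for f in frames)


# Constructed stream: two complete frames, then the first bytes of a third.
# Field contents are placeholders, not real njRAT command names.
SAMPLE_STREAM = (
    build_frame([b"reg", b"SGVsbG8=", b"Admin", b"Win10"])
    + build_frame([b"inf", b"0"])
    + b"12\x00inf|Gho"
)

if __name__ == "__main__":
    frames, tail = parse_frames(SAMPLE_STREAM)
    print(frames, tail)
```

Feeding the stream to parse_frames returns the two complete messages as field lists and hands back the 10-byte partial frame untouched, which is what a reassembling sensor needs; a stream that never yields a frame with more than one field is not carrying this splitter.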
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  stub.exe_xor-packed.exe: Key value queried \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation
Drops startup file (3 IoCs)
Processes:
  Client.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe
  Client.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe
  Client.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url
Executes dropped EXE (2 IoCs)
Processes:
  PID 1432 Client.exe
  PID 3092 Client.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Client.exe: Set value (str) \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Client.exe\" .."
  Client.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Client.exe\" .."
Note: the value is written to both HKCU and HKLM, and the trailing space and ".." after the quoted path is the form njRAT writes to its Run value; it is a usable string for registry-based detection.
Drops file in System32 directory (1 IoC)
Processes:
  stub.exe_xor-packed.exe: File created C:\windows\system32\fq5tjb.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  PID 996 schtasks.exe
  PID 5100 schtasks.exe
Kills process with taskkill (8 IoCs)
Processes:
  PID 2008 TASKKILL.exe
  PID 4300 TASKKILL.exe
  PID 2332 TASKKILL.exe
  PID 4548 TASKKILL.exe
  PID 4788 taskkill.exe
  PID 1744 TASKKILL.exe
  PID 3136 TASKKILL.exe
  PID 888 taskkill.exe
Note: the two Wireshark invocations (PIDs 4788 and 888, see the process tree) pass "im" without the leading slash. taskkill rejects that as an invalid argument, so only the wscript.exe and cmd.exe kills (/F /IM) could have terminated anything.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (individual rows collapsed; each PID is hit repeatedly):
  PID 3216 stub.exe_xor-packed.exe
  PID 1432 Client.exe
  PID 3092 Client.exe
Suspicious use of AdjustPrivilegeToken (19 IoCs)
Processes:
  PID 3216 stub.exe_xor-packed.exe: Token SeDebugPrivilege
  PID 2008 TASKKILL.exe: Token SeDebugPrivilege
  PID 4300 TASKKILL.exe: Token SeDebugPrivilege
  PID 1432 Client.exe: Token SeDebugPrivilege
  PID 4548 TASKKILL.exe: Token SeDebugPrivilege
  PID 2332 TASKKILL.exe: Token SeDebugPrivilege
  PID 1432 Client.exe: Token 33 and Token SeIncBasePriorityPrivilege, alternating, 5 times each (10 events)
  PID 3092 Client.exe: Token SeDebugPrivilege
  PID 1744 TASKKILL.exe: Token SeDebugPrivilege
  PID 3136 TASKKILL.exe: Token SeDebugPrivilege
Suspicious use of WriteProcessMemory (26 IoCs)
Processes (each parent/child pair recorded twice):
  PID 3216 stub.exe_xor-packed.exe wrote to memory of PID 2008 TASKKILL.exe
  PID 3216 stub.exe_xor-packed.exe wrote to memory of PID 4300 TASKKILL.exe
  PID 3216 stub.exe_xor-packed.exe wrote to memory of PID 1432 Client.exe
  PID 1432 Client.exe wrote to memory of PID 2332 TASKKILL.exe
  PID 1432 Client.exe wrote to memory of PID 4548 TASKKILL.exe
  PID 1432 Client.exe wrote to memory of PID 4788 taskkill.exe
  PID 1432 Client.exe wrote to memory of PID 2648 schtasks.exe
  PID 1432 Client.exe wrote to memory of PID 996 schtasks.exe
  PID 3092 Client.exe wrote to memory of PID 1744 TASKKILL.exe
  PID 3092 Client.exe wrote to memory of PID 3136 TASKKILL.exe
  PID 1432 Client.exe wrote to memory of PID 888 taskkill.exe
  PID 1432 Client.exe wrote to memory of PID 380 schtasks.exe
  PID 1432 Client.exe wrote to memory of PID 5100 schtasks.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\stub.exe_xor-packed.exe (PID 3216)
  Command line: "C:\Users\Admin\AppData\Local\Temp\stub.exe_xor-packed.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SYSTEM32\TASKKILL.exe (PID 2008)
    Command line: TASKKILL /F /IM wscript.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SYSTEM32\TASKKILL.exe (PID 4300)
    Command line: TASKKILL /F /IM cmd.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Roaming\Client.exe (PID 1432)
    Command line: "C:\Users\Admin\AppData\Roaming\Client.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SYSTEM32\TASKKILL.exe (PID 2332)
      Command line: TASKKILL /F /IM wscript.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SYSTEM32\TASKKILL.exe (PID 4548)
      Command line: TASKKILL /F /IM cmd.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SYSTEM32\taskkill.exe (PID 4788)
      Command line: taskkill /f im Wireshark.exe
      - Kills process with taskkill
    C:\Windows\SYSTEM32\schtasks.exe (PID 2648)
      Command line: schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    C:\Windows\SYSTEM32\schtasks.exe (PID 996)
      Command line: schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\Client.exe
      - Creates scheduled task(s)
    C:\Windows\SYSTEM32\taskkill.exe (PID 888)
      Command line: taskkill /f im Wireshark.exe
      - Kills process with taskkill
    C:\Windows\SYSTEM32\schtasks.exe (PID 380)
      Command line: schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    C:\Windows\SYSTEM32\schtasks.exe (PID 5100)
      Command line: schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\Client.exe
      - Creates scheduled task(s)
C:\Users\Admin\AppData\Roaming\Client.exe (PID 3092, second root with no parent in the tree; consistent with the minutely scheduled task above)
  Command line: C:\Users\Admin\AppData\Roaming\Client.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\TASKKILL.exe (PID 1744)
    Command line: TASKKILL /F /IM wscript.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\TASKKILL.exe (PID 3136)
    Command line: TASKKILL /F /IM cmd.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
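The process tree and the Run-key signature together give three host-side tells that do not depend on the sample's hash: the Run value with a trailing " ..", a schtasks /create that fires every minute and points into AppData, and taskkill aimed at interpreters and analysis tools. The following is an added example, not part of the sandbox report and not Hatching's or njRAT's code: it encodes those three checks and runs them over events constructed from this report's own command lines and registry writes. The Event schema, the rule names and the benign control row (PID 4000) are assumptions made for the example; on a live host the same questions would be asked of Sysmon or EDR telemetry.

```python
"""Added example (not from the sandbox report): three persistence/defence-
evasion checks run over events constructed from this report. The Event schema,
rule names and the PID 4000 control row are assumptions for this example."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str      # "process": detail is a command line; "registry": "key = value"
    pid: int
    detail: str


USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\Temp\\", re.IGNORECASE)
ANALYSIS_TOOLS = {"wireshark.exe", "procmon.exe", "procexp.exe", "x64dbg.exe", "fiddler.exe"}
INTERPRETERS = {"wscript.exe", "cmd.exe", "powershell.exe"}


def tokens(cmd: str):
    """Split a Windows command line, keeping quoted arguments together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def switch_value(toks, name):
    """Argument following a case-insensitive /switch, or None if absent."""
    low = [t.lower() for t in toks]
    if name in low:
        i = low.index(name)
        return toks[i + 1] if i + 1 < len(toks) else None
    return None


def check_run_key(ev: Event):
    if ev.kind != "registry":
        return None
    m = re.match(r".*\\CurrentVersion\\Run\\[^=]+?\s*=\s*(?P<val>.*)$", ev.detail, re.IGNORECASE)
    if not m or not USER_WRITABLE.search(m.group("val")):
        return None
    # njRAT writes its Run value as the quoted path followed by a space and ".."
    return "njrat_run_key" if m.group("val").endswith(" ..") else "run_key_user_writable"


def check_schtasks(ev: Event):
    toks = tokens(ev.detail) if ev.kind == "process" else []
    if not toks or toks[0].lower() not in ("schtasks", "schtasks.exe"):
        return None
    if "/create" not in [t.lower() for t in toks]:
        return None                      # /delete and /query are not persistence
    if not USER_WRITABLE.search(switch_value(toks, "/tr") or ""):
        return None
    minutely = (switch_value(toks, "/sc") or "").lower() == "minute" and switch_value(toks, "/mo") == "1"
    return "schtasks_minutely_user_writable" if minutely else "schtasks_user_writable"


def check_taskkill(ev: Event):
    toks = tokens(ev.detail) if ev.kind == "process" else []
    if not toks or toks[0].lower() not in ("taskkill", "taskkill.exe"):
        return None
    # First .exe argument is the target whether or not /IM was spelled correctly
    target = next((t.lower() for t in toks[1:] if t.lower().endswith(".exe")), None)
    if target in ANALYSIS_TOOLS:
        return "taskkill_analysis_tool"
    if target in INTERPRETERS:
        return "taskkill_interpreter"
    return None


def scan(events):
    """Return (pid, rule) for every event that trips a check."""
    findings = []
    for ev in events:
        for check in (check_run_key, check_schtasks, check_taskkill):
            rule = check(ev)
            if rule:
                findings.append((ev.pid, rule))
    return findings


# Constructed from the report's process tree and registry IoCs (values unescaped).
# PID 4000 is a constructed benign control, not from the report.
EVENTS = [
    Event("process", 2008, r'TASKKILL /F /IM wscript.exe'),
    Event("process", 4300, r'TASKKILL /F /IM cmd.exe'),
    Event("process", 4788, r'taskkill /f im Wireshark.exe'),
    Event("process", 2648, r'schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f'),
    Event("process", 996, r'schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Roaming\Client.exe'),
    Event("registry", 1432, r'\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client.exe = "C:\Users\Admin\AppData\Roaming\Client.exe" ..'),
    Event("registry", 1432, r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client.exe = "C:\Users\Admin\AppData\Roaming\Client.exe" ..'),
    Event("process", 4000, r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Acme\backup.exe"'),
]

if __name__ == "__main__":
    for pid, rule in scan(EVENTS):
        print(pid, rule)
```

Run against the report's events this yields six findings (both Run-key writes, the minutely task, the Wireshark kill and the two interpreter kills) and nothing for the schtasks /delete or the Program Files control task. The taskkill check deliberately matches the malformed "im" form, since the intent is the signal even when the command itself fails.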
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 60KB
MD5: f70109842c9126e15d1761576c307db3
SHA1: de3c99dbf7d5459a6e1ac4509d24cfe5504a3a99
SHA256: 484e1d434e1896d2a44909d531a91b5083a1ebad3f726d5fd3b3a3105f8c3111
SHA512: ad35e7ffde96b5c9648fda4f89640a8bc5d1f88dd8caea0638d050e041268c23271ecb67ad165a2ba34b26475dac01996fe1bd4cf1b30f54a33d4d95a946a04d
Note: the report lists four downloadable artifacts, all with exactly the hashes of the submitted sample (duplicate entries collapsed), so whatever was written to disk and captured during the run is byte-identical to stub.exe_xor-packed.exe.