Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 24-02-2024 02:16
Behavioral tasks
- behavioral1: sample 05e8c507d40aa6d05720a1f6bdf7f52e.exe on resource win7-20240215-en
- behavioral2: sample 05e8c507d40aa6d05720a1f6bdf7f52e.exe on resource win10v2004-20240221-en

Every signature, IoC and process listed below is tagged behavioral1 (the Windows 7 x64 run); no behavioral2 results are included in this report.
General
- Target: 05e8c507d40aa6d05720a1f6bdf7f52e.exe
- Size: 3.4MB
- MD5: 05e8c507d40aa6d05720a1f6bdf7f52e
- SHA1: 0d065c8aa7f5399a32eea3185b865770bfc26fd8
- SHA256: ffceb132ec57dd0f810dc46054662db58a25cfc0e7960d2d865a0bc60fb1c405
- SHA512: 9178b7678d4432a3fa813ee9cc5cdb0c60bdba8b69a4c6ab15932973a964f8d6066e82c432f8799830f8121df4ddea12c6cd2061db197f5763355de6479b89c2
- SSDEEP: 49152:HJTIYbGQdAjED+aE0LaiIve+mbrErGEVV1BCjBysTt0jUiwg:HJThbGQdAjED+aE0LaitrErrT14
Malware Config

Extracted: njrat
- Version: 0.7d
- Campaign ID: HacKed
- C2: pcpanel.hackcrack.io:32544
- Windows Explorer (field left unlabeled by the extractor; it equals the Run value name written by explorer.exe below)
- reg_key: Windows Explorer
- splitter: |'|'|

The extracted configuration is njRAT even though the YARA hits further down are labelled AgentTesla/ZGRat: the submitted file is a dropper that launches three payloads (Setup.exe twice and KeywordKing .exe), and the njRAT config comes from the Setup.exe branch. The "Windows Explorer" Run value and the netsh firewall exception in the process tree are the reg_key and firewall step of njRAT's install routine, and the splitter is the field separator it uses in its C2 messages.
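The splitter above is only useful if you know how the bot frames its traffic. The following parser is an added example, not part of the sandbox report and not njRAT's own code. It assumes the framing njRAT 0.7x is publicly documented to use: the decimal payload length, a NUL byte, then the payload, whose fields are joined by the configured splitter. The two sample frames are constructed; the "ll" registration command and its field order follow public write-ups of njRAT traffic, and every field value (host name, user, date, victim ID, the "P" keepalive) is invented for illustration.

```python
"""Frame/field parser for njRAT-style C2 traffic.

Added example; it is not part of the sandbox report and not njRAT's own code.
Assumption: njRAT 0.7x frames a message as the decimal payload length, a NUL
byte, then the payload, with fields joined by the splitter recovered from the
sample's config. The sample frames below are constructed; every field value
in them is invented.
"""
from dataclasses import dataclass, field
from typing import List

SPLITTER = b"|'|'|"   # splitter extracted from the sample's config
CAMPAIGN = b"HacKed"  # campaign ID extracted from the sample's config


@dataclass
class Frame:
    command: str
    fields: List[bytes] = field(default_factory=list)


def encode_frame(parts: List[bytes], splitter: bytes = SPLITTER) -> bytes:
    """Build one frame: b'<len>\\x00' + splitter-joined parts."""
    payload = splitter.join(parts)
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def decode_frames(stream: bytes, splitter: bytes = SPLITTER) -> List[Frame]:
    """Split a captured TCP byte stream into frames, and each frame into fields.

    The first field is the command; the rest are its arguments. Raises
    ValueError on a bad length prefix or a truncated frame so the caller knows
    the exact offset at which the stream stopped making sense.
    """
    frames: List[Frame] = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            raise ValueError(f"no length terminator after offset {pos}")
        length_text = stream[pos:nul]
        if not length_text.isdigit():
            raise ValueError(f"bad length prefix {length_text!r} at offset {pos}")
        start = nul + 1
        end = start + int(length_text)
        if end > len(stream):
            raise ValueError(
                f"frame at offset {pos} truncated: need {end - start} bytes, "
                f"have {len(stream) - start}")
        parts = stream[start:end].split(splitter)
        frames.append(Frame(parts[0].decode("latin-1"), parts[1:]))
        pos = end
    return frames


def is_campaign_beacon(frame: Frame, campaign: bytes = CAMPAIGN) -> bool:
    """True when the first argument carries the campaign tag, e.g. b'HacKed_...'."""
    return bool(frame.fields) and frame.fields[0].startswith(campaign + b"_")


# Constructed sample stream: a registration beacon ('ll') followed by a short
# keepalive ('P'). Command names and field order follow public write-ups of
# njRAT traffic; host name, user, date and victim ID are invented.
SAMPLE_STREAM = encode_frame([
    b"ll", CAMPAIGN + b"_A1B2C3D4", b"WIN7-LAB", b"Admin", b"24-02-24", b"",
    b"Win 7 Professional SP1 x64", b"No", b"0.7d", b"..", b"explorer.exe",
]) + encode_frame([b"P"])

if __name__ == "__main__":
    for fr in decode_frames(SAMPLE_STREAM):
        print(fr.command, fr.fields)
```

Run it against a reassembled TCP stream from the pcap of the 32544/tcp session; a ValueError with an offset is the quickest way to find where a capture was cut or where the splitter in the config differs from the one on the wire.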
Signatures

AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer.

Detect ZGRat V1 (5 IoCs)
resource: yara_rule
- behavioral1/memory/764-0-0x0000000000360000-0x00000000006D6000-memory.dmp: family_zgrat_v1
- behavioral1/files/0x000c000000015cce-16.dat: family_zgrat_v1
- behavioral1/files/0x000c000000015cce-15.dat: family_zgrat_v1
- behavioral1/files/0x000c000000015cce-17.dat: family_zgrat_v1
- behavioral1/memory/2556-21-0x0000000001260000-0x0000000001556000-memory.dmp: family_zgrat_v1

AgentTesla payload (6 IoCs)
resource: yara_rule
- behavioral1/memory/764-0-0x0000000000360000-0x00000000006D6000-memory.dmp: family_agenttesla
- behavioral1/files/0x000c000000015cce-16.dat: family_agenttesla
- behavioral1/files/0x000c000000015cce-15.dat: family_agenttesla
- behavioral1/files/0x000c000000015cce-17.dat: family_agenttesla
- behavioral1/memory/2556-21-0x0000000001260000-0x0000000001556000-memory.dmp: family_agenttesla
- behavioral1/memory/2556-43-0x0000000005020000-0x0000000005216000-memory.dmp: family_agenttesla

The five ZGRat hits fall on exactly the same resources as the first five AgentTesla hits: the dropper's own image at PID 764, the three dropped .dat files and the KeywordKing .exe image at PID 2556. Treat the two labels as overlapping rule matches on one payload, not as evidence of two separate families.
Modifies Windows Firewall (2 TTPs, 1 IoC)
pid / Process
- 2128 netsh.exe

Executes dropped EXE (6 IoCs)
pid / Process
- 2380 Setup.exe
- 2544 Setup.exe
- 2556 KeywordKing .exe
- 2588 svchost.exe
- 2036 explorer.exe
- 672 explorer.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
description / ioc / Process
- Set value (str) by Setup.exe: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
- Set value (str) by explorer.exe: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" .
- Set value (str) by explorer.exe: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" .
(The quotes and the trailing " ." in the last two values are part of the stored string. Both targets are copies of system binary names placed under the user's Roaming profile, not the real explorer.exe or svchost.exe in C:\Windows. The HKLM write by explorer.exe (PID 672) requires an elevated token, which the sandbox's Admin account evidently had.)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
description / ioc / Process
- Key opened by KeywordKing .exe: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- Key value queried by KeywordKing .exe: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- Key value queried by KeywordKing .exe: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion
(These BIOS strings are a common virtual-machine/sandbox fingerprinting check.)

Suspicious use of AdjustPrivilegeToken (14 IoCs)
description / pid / Process
- Token: SeDebugPrivilege, 2588 svchost.exe
- Token: SeDebugPrivilege, 672 explorer.exe
- Token: 33 (LUID 33, SeIncreaseWorkingSetPrivilege) followed by SeIncBasePriorityPrivilege, 672 explorer.exe; this pair is repeated six times (12 IoCs)

Suspicious use of WriteProcessMemory (22 IoCs)
description / pid / Process / procid_target, collapsed to one line per parent-child pair with the number of writes
- PID 764 05e8c507d40aa6d05720a1f6bdf7f52e.exe wrote to 2380 Setup.exe (3 writes, target 28)
- PID 764 05e8c507d40aa6d05720a1f6bdf7f52e.exe wrote to 2544 Setup.exe (3 writes, target 29)
- PID 764 05e8c507d40aa6d05720a1f6bdf7f52e.exe wrote to 2556 KeywordKing .exe (4 writes, target 30)
- PID 2380 Setup.exe wrote to 2588 svchost.exe (3 writes, target 31)
- PID 2588 svchost.exe wrote to 2036 explorer.exe (3 writes, target 34)
- PID 2036 explorer.exe wrote to 672 explorer.exe (3 writes, target 35)
- PID 672 explorer.exe wrote to 2128 netsh.exe (3 writes, target 36)
Each entry here is a parent writing into a child it has just created, which CreateProcess does for every new process; the list maps the execution chain rather than proving code injection into an unrelated process.
Processes (behavioral1; indentation is parent/child depth)

1 C:\Users\Admin\AppData\Local\Temp\05e8c507d40aa6d05720a1f6bdf7f52e.exe (PID 764)
  command line: "C:\Users\Admin\AppData\Local\Temp\05e8c507d40aa6d05720a1f6bdf7f52e.exe"
  - Suspicious use of WriteProcessMemory
  2 C:\Users\Admin\AppData\Local\Temp\Setup.exe (PID 2380)
    command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    3 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe (PID 2588)
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      4 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe (PID 2036)
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        5 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe (PID 672)
          command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          6 C:\Windows\system32\netsh.exe (PID 2128)
            command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
            - Modifies Windows Firewall
  2 C:\Users\Admin\AppData\Local\Temp\Setup.exe (PID 2544)
    command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    - Executes dropped EXE
  2 C:\Users\Admin\AppData\Local\Temp\KeywordKing .exe (PID 2556)
    command line: "C:\Users\Admin\AppData\Local\Temp\KeywordKing .exe"
    - Executes dropped EXE
    - Enumerates system info in registry

The Setup.exe branch re-spawns itself three times under system binary names (Templates\svchost.exe, Templates\explorer.exe, then Roaming\Microsoft\Windows\explorer.exe); only the last copy is both persisted via the "Windows Explorer" Run values and allowed through the firewall. The netsh call uses the legacy "netsh firewall" context, which is deprecated but still works on Windows 7.
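The two host artefacts worth hunting for from this tree are the Run values pointing at a system binary's name under the user profile and the firewall exception for that same path. The script below is an added example, not part of the report and not the sandbox's own detection logic; it runs those two checks over registry writes and command lines in the shape the report prints them. The three Run-key writes and the netsh line are transcribed from this report; the SecurityHealth Run entry and the "netsh advfirewall firewall add rule ... program=" line are constructed, the latter to cover the modern syntax as a generalisation this sample did not use.

```python
"""Flag the persistence and firewall-exception tricks from this sandbox run.

Added example; not part of the report and not the sandbox's own detection
logic. Inputs are registry Run-key writes and process command lines in the
shape the report prints them. Two rules:
  * a Run value whose target has a Windows system binary's name (explorer.exe,
    svchost.exe, ...) but lives outside the Windows directory;
  * netsh adding a firewall exception for a program outside the Windows
    directory, in the legacy 'firewall add allowedprogram' form the sample
    used and in the 'advfirewall firewall add rule ... program=' form
    (a generalisation; this sample did not use it).
Run-key and netsh samples are transcribed from the report; the SecurityHealth
entry and the advfirewall line are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

SYSTEM_BINARY_NAMES = {
    "explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "services.exe", "rundll32.exe", "dllhost.exe",
}
WINDOWS_DIR = "c:\\windows\\"

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
EXE_RE = re.compile(r'^\s*"?([^"]+?\.exe)\b', re.IGNORECASE)          # path out of Run value data
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')                             # quoted or bare argv token
PROGRAM_RE = re.compile(r'\bprogram=(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def target_of(run_value_data: str) -> str:
    """Extract the executable path from Run value data such as '"C:\\x\\a.exe" .'."""
    m = EXE_RE.match(run_value_data)
    return m.group(1) if m else run_value_data.strip()


def is_masquerading(path: str) -> bool:
    """System-binary file name outside the Windows directory."""
    p = path.lower()
    return p.rsplit("\\", 1)[-1] in SYSTEM_BINARY_NAMES and not p.startswith(WINDOWS_DIR)


def check_run_key(key_path: str, data: str, writer: str) -> Optional[Dict[str, object]]:
    if not RUN_KEY_RE.search(key_path):
        return None
    target = target_of(data)
    if not is_masquerading(target):
        return None
    hive = "HKLM" if key_path.upper().startswith("\\REGISTRY\\MACHINE") else "HKU"
    return {"rule": "run_key_masquerade", "hive": hive,
            "value": key_path.rsplit("\\", 1)[-1], "target": target, "writer": writer}


def check_netsh(cmdline: str, pid: int) -> Optional[Dict[str, object]]:
    argv = [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]
    if not argv or argv[0].lower().rsplit("\\", 1)[-1] not in ("netsh", "netsh.exe"):
        return None
    low = [a.lower() for a in argv]
    program = None
    if low[1:4] == ["firewall", "add", "allowedprogram"] and len(argv) > 4:
        program = argv[4]                      # legacy syntax, as in this report
    elif low[1:5] == ["advfirewall", "firewall", "add", "rule"]:
        m = PROGRAM_RE.search(cmdline)         # quoted value may contain spaces
        if m:
            program = m.group(1) or m.group(2)
    if program is None or program.lower().startswith(WINDOWS_DIR):
        return None
    return {"rule": "firewall_allow_nonsystem", "pid": pid, "program": program}


def triage(run_writes: List[Tuple[str, str, str]],
           processes: List[Tuple[int, str]]) -> List[Dict[str, object]]:
    findings: List[Dict[str, object]] = []
    for key_path, data, writer in run_writes:
        hit = check_run_key(key_path, data, writer)
        if hit:
            findings.append(hit)
    for pid, cmdline in processes:
        hit = check_netsh(cmdline, pid)
        if hit:
            findings.append(hit)
    return findings


USER_HIVE = r"\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000"
RUN_KEY_WRITES = [  # (key path, value data, writing process) from the report
    (USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe", "Setup.exe"),
    (USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\Windows Explorer",
     r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" .', "explorer.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer",
     r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" .', "explorer.exe"),
    # constructed benign entry: system-directory target with an ordinary name
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe", "explorer.exe"),
]
PROCESSES = [  # (pid, command line)
    (2128, r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE'),
    # constructed: the same binary allowed via the modern syntax
    (9999, r'netsh advfirewall firewall add rule name="Windows Explorer" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" enable=yes'),
]

if __name__ == "__main__":
    for finding in triage(RUN_KEY_WRITES, PROCESSES):
        print(finding)
```

Feed it Sysmon event 13 (registry value set) and event 1 (process creation) records and it produces one finding per masquerading Run value and per non-system firewall exception; a legitimate explorer.exe or svchost.exe under C:\Windows never triggers either rule.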
Network
No network entries are included in this report.

MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
- Create or Modify System Process: Windows Service (1)
Downloads

- Filesize: 2.9MB
  MD5: da3725bb70ed56821687eaf2cba15c78
  SHA1: f557e7e8693d969735d32f99c8f42d5ba01d1fae
  SHA256: e3e6d51994bc22985115fbe9a4a3e05da5a28cd3e516847d64eba894158b37d9
  SHA512: 588b3d9037bf45c63d70d8f1ca60fe37f580f794fa440201ce6af2c2ebfc7bfe87de9d0439a93499db01254d643214a0a3b18442b06c573588a12b27fb0a8613

- Filesize: 2.9MB
  MD5: 6e916f0cd1ac95cc15fabd7bb03f63e4
  SHA1: db7798128559847181b9d1f5c12630ddd98b7cb4
  SHA256: 4c7bf38fa20dde78f0ef32674d6f8c3e4f2f34404e569f5dcf8be148797d77b3
  SHA512: fb5b3a2f81261ae8baa559d0394bad394d61dc5587d5b1a80adcde576f8ff9f0ce110d6c3c92dd02a8fb71ff18c63962451755c6b90039afb827df4732e05800

- Filesize: 2.9MB
  MD5: 1fcf21d204fe08aa3e82cd5c7f6935b9
  SHA1: 6c40be116f8b7a63d5d6365b4e13b1e523bd3002
  SHA256: 8dc48ac87178f7ad37d1cd9a79a3ce686ac8ca6e7b3ad3ee75bdc306c0a6c6aa
  SHA512: 3eed29657fc7074a8bb76f2dedabef77fe9dd0438fe9bda15854a525726d38f64490229017222540eb59d15616987a672537b7510f693c65617bfd23afe1d7df

- Filesize: 461KB
  MD5: ee76425b767c9ab812a53c133b8363f8
  SHA1: 1daa4700a5f1849eb7e810986ac24bd58786da61
  SHA256: f962e1a60673963b7c2fa51a0663260df63771dfbd7423af67c2d142f7245747
  SHA512: 004d1b4acc7084ba8c520d94032c19342228ed6346321b04641450f87a32f78a92212e3940e4cf0790af2e5640c6001e7c805dc99cf8f9a146d752b5ee117c3b

- Filesize: 162KB
  MD5: a9b0d84f4872b4352371e33a973cfdda
  SHA1: 6a2f976500c939987ed0427a5c7c88103e79471a
  SHA256: 937c2943f9773d84a1ad3540115abe9447c74085a08f1c5f5ec19c5d6145b1bb
  SHA512: f56ef1f698c8bfd8e047f19b1e5da6dc1fb8f07e441bc2efebda2beb6f63725e385ee28946baa0841cad007288fd8524c799504708bce880e2358bdac2505662

- Filesize: 325KB
  MD5: f36e535fdc82208fca08acfa44f790c6
  SHA1: a3cc1aa7d614094faebada2aed1e6c519bd18c94
  SHA256: 51efbe235b492c7e99c480915c7eeecf85f5ee6d540189ee5aa54fe9f0fafcdc
  SHA512: 631db5246159e045ed6911867f25991ae8824951e608c2fef25bc48482271aeb3ad26f1c98a04b4cbbf431ce20ef027cacb4bf0b3d85e048885da2b709f3a9af