Analysis
- max time kernel: 150s
- max time network: 139s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 24-02-2024 14:56

Static task: static1

Behavioral task: behavioral1
- Sample: DeltaX.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: DeltaX.exe
- Resource: win10v2004-20240221-en

General
- Target: DeltaX.exe
- Size: 13.3MB
- MD5: a0d656f1bd9867e9f387c37a8fe3ecf4
- SHA1: c2e70f63757ad80f2f796ad7c60579ce5ead712f
- SHA256: 84f6b85e0e19306dcf3be51ccad790a4ceb8541f1c51a606df7464b7097c35a9
- SHA512: b614a16d83dccc51ee7f36b19e298f2e0f58319f8de72a19e30766126d04fad9701f9c47efed00d1f27117b9e833c53c28e3bf3f4121040ab9e5a82968a0bd4b
- SSDEEP: 393216:sWzvW/5NIHHZhcW7CuvEPHM9LhqvPs3jEg/:sCvW/5NIHHRE09Lhqc3jE
Malware Config

Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: hakim32.ddns.net:2000, kisel228.zapto.org:25565
- Mutex: 742480850a3c457758da290ee11e533c
- Attributes:
  - reg_key: 742480850a3c457758da290ee11e533c
  - splitter: |'|'|
Signatures

- Disables Task Manager via registry modification

- Modifies Windows Firewall (2 TTPs, 3 IoCs)
  pid  | Process
  2040 | netsh.exe
  2020 | netsh.exe
  1592 | netsh.exe

- Drops startup file (6 IoCs)
  description                  | ioc                                                                                                              | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe                         | server.exe
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe            | server.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe            | server.exe
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\742480850a3c457758da290ee11e533cWindows Update.exe | server.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\742480850a3c457758da290ee11e533cWindows Update.exe | server.exe
  File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe                         | server.exe

- Executes dropped EXE (5 IoCs)
  pid  | Process
  2292 | Lol.exe
  2584 | creal.exe
  1624 | creal.exe
  2708 | server.exe
  1200 | Process not Found

- Loads dropped DLL (7 IoCs)
  pid  | Process
  2184 | DeltaX.exe (3 events)
  2584 | creal.exe
  1624 | creal.exe
  2292 | Lol.exe (2 events)

- Drops autorun.inf file (1 TTPs, 4 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  description                  | ioc            | Process
  File opened for modification | F:\autorun.inf | server.exe
  File created                 | C:\autorun.inf | server.exe
  File opened for modification | C:\autorun.inf | server.exe
  File created                 | F:\autorun.inf | server.exe

- Drops file in System32 directory (2 IoCs)
  description                  | ioc                               | Process
  File opened for modification | C:\Windows\SysWOW64\Explower.exe | server.exe
  File created                 | C:\Windows\SysWOW64\Explower.exe | server.exe

- Drops file in Program Files directory (2 IoCs)
  description                  | ioc                                  | Process
  File opened for modification | C:\Program Files (x86)\Explower.exe | server.exe
  File created                 | C:\Program Files (x86)\Explower.exe | server.exe

- Detects Pyinstaller (6 IoCs)
  resource                                        | yara_rule
  behavioral1/files/0x000b000000015c87-17.dat     | pyinstaller
  behavioral1/files/0x000b000000015c87-19.dat     | pyinstaller
  behavioral1/files/0x000b000000015c87-20.dat     | pyinstaller
  behavioral1/files/0x000b000000015c87-94.dat     | pyinstaller
  behavioral1/files/0x000b000000015c87-93.dat     | pyinstaller
  behavioral1/files/0x000b000000015c87-143.dat    | pyinstaller

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid  | Process
  2708 | server.exe (64 events)

- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid  | Process
  2708 | server.exe

- Suspicious use of AdjustPrivilegeToken (37 IoCs)
  description                       | pid  | Process
  Token: SeDebugPrivilege           | 2708 | server.exe
  Token: 33                         | 2708 | server.exe (18 events)
  Token: SeIncBasePriorityPrivilege | 2708 | server.exe (18 events, alternating with the Token: 33 events)

- Suspicious use of WriteProcessMemory (27 IoCs)
  description                   | pid  | Process    | procid_target
  PID 2184 wrote to memory of 2292 | 2184 | DeltaX.exe | 28 (4 events)
  PID 2184 wrote to memory of 2584 | 2184 | DeltaX.exe | 29 (4 events)
  PID 2584 wrote to memory of 1624 | 2584 | creal.exe  | 30 (3 events)
  PID 2292 wrote to memory of 2708 | 2292 | Lol.exe    | 31 (4 events)
  PID 2708 wrote to memory of 1592 | 2708 | server.exe | 33 (4 events)
  PID 2708 wrote to memory of 2020 | 2708 | server.exe | 37 (4 events)
  PID 2708 wrote to memory of 2040 | 2708 | server.exe | 36 (4 events)
Processes

- C:\Users\Admin\AppData\Local\Temp\DeltaX.exe (PID 2184)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DeltaX.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Lol.exe (PID 2292)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Lol.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\server.exe (PID 2708)
      Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
      Signatures: Drops startup file; Executes dropped EXE; Drops autorun.inf file; Drops file in System32 directory; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\netsh.exe (PID 1592)
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
        Signatures: Modifies Windows Firewall
      - C:\Windows\SysWOW64\netsh.exe (PID 2040)
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
        Signatures: Modifies Windows Firewall
      - C:\Windows\SysWOW64\netsh.exe (PID 2020)
        Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
        Signatures: Modifies Windows Firewall
  - C:\Users\Admin\AppData\Local\Temp\creal.exe (PID 2584)
    Command line: "C:\Users\Admin\AppData\Local\Temp\creal.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\creal.exe (PID 1624)
      Command line: "C:\Users\Admin\AppData\Local\Temp\creal.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 2.3MB
  MD5: da5cef5e2037fdca3ee02aec1f8f69fd
  SHA1: 5fd240e44e6f0f0736bf7d81a64b795e50afbfc2
  SHA256: b21116ed96e06d6919b638d3cb5742efaf9f18d694dc83dbd7d21ed5cfafb9ae
  SHA512: d49323abc61fb3dad9432354c2f68a1c711eef9819814ff942383387cefc197062e15d5b2f2e42c8cbf7c71969dcabd970c78457ba63d598a44d7ccc0fdfcf14

- Filesize: 3.4MB
  MD5: 0df71ea36d67889f82cd0fa20df0e88b
  SHA1: e51db4859ea6342a7e7b9457d4906d9f827a8241
  SHA256: 7ef378cc36bfe4645ace34415d28536bb37b696575c6ebd152fb0394fcbecea9
  SHA512: 6f540c79c86a003f4ea70405947c1206c8f2bd571c6463827e85cb15208bfc4b188496a9c415367dbbfe8d68f54b54ca52dd373a4f03b93fad856d64b744433a

- Filesize: 3.6MB
  MD5: a577ee4f874c77abee0dd8d851d63fed
  SHA1: 21b7948183e9145c655ada94c8a4e076608cbe2d
  SHA256: 868cecb88e236d1dc17a44aea585a22eaaee65c2b94b4f4091f97c517e3a72b1
  SHA512: fa11e3e3802a824a457d40966e99d62a650b294f2959cb0cc5560cb34dcd347ad839a4fd6501cfab094a95e7d0ebd1079fbbcacabe602478208fa11348c02032

- Filesize: 2.4MB
  MD5: dc3314572c4e35d5c67ace9f63c6fc0c
  SHA1: cd03bb0ccc7b54d99b17e60e6fc1000bb210e9c6
  SHA256: 014bbc2302e50792f9a4462d33437dccb9e1bb881b4662990f3ea6274432b37d
  SHA512: 8ecbc75a49e44ab80d4a300b25e7edec316f074428a4e87011bf287506c9a1afc20c7bdd37692e0e1ad7d1836ef6301d344e8832f124c204526d31f619f40599

- Filesize: 5B
  MD5: 8fc22f973bec7f0525710dcf02f05edf
  SHA1: 418f88fe2c59f8d9579994aec4034d785e8ac00c
  SHA256: ba0e21ceb11b1ec62709b0141373ce65de5a156b822c9b6d3c3f9ed9ab224a46
  SHA512: ac280118b4b0ee9643ecc464bfc91682ccccd530efa81dcc3d9471044305d59de661f865560206f089822299cb431dbad9f81a16ad667251375746d406f2b44d

- Filesize: 93KB
  MD5: 9e4d9908815be3e2244c857863ec309a
  SHA1: e0dc0c88151069986c7104d12fa3223ad1fe07bb
  SHA256: a976cc4bb39183a99f5341cda18b789d1c345eaf37221c71291b823eb457c6be
  SHA512: 795bebd046b5c147fed8726a7f772d2e5900be31e1f1a81d4052619d4325e1f51445193319ad93e37d17c70d4ac0ff01d2ebbe6ac2d85c4feb91dbfe992d8b9b

- Filesize: 1.2MB
  MD5: 11343d52a814181586f690c508f55f7e
  SHA1: 49af301e29cb6e10d2feb39a196b4fb1534ebeb6
  SHA256: a137d746379ad62e23e1653377d7874ebfbc8fe3461eba193fbdb482dc2c5c57
  SHA512: ada2553df7b0016e8ed3890867a666713e8c53e181414226225ebfdad55455686282939ceba8a4d2a5eb77e6d97ea44f21ca52525135725706a69af2beb16d76

- Filesize: 9.8MB
  MD5: c42ce1daab954c914ac45c4c2c76a987
  SHA1: 8b658eb881999ca434ce9fd719958b87d87acc78
  SHA256: 9be4820a80961afba1782c514dcc5ef82fe604154949e3002784bae2c3dde826
  SHA512: 09ff3485a87aaa39dd013b8f6fc8e6844300d40acfe8b442fb8a940e1a0654cd5fc4fc41d12759c28ca36f8f85742d5de2239d452f152924ad0157f4e68e7973

- Filesize: 3.6MB
  MD5: d9b8dfa15afa11e9d5126329f3d67da5
  SHA1: 54064f76458e441777da96f466046babc6584d4c
  SHA256: be225fbfa62dc4ddc1ed8043b3584ddd015a6e784d4d789d7b2c480bc6f5ded0
  SHA512: 1079e9db19fa6be808b90cb28f88eb85a55e2d6bde9230183cde3c00e1abcf0d31d3eb210bd5b66dafd436ce5ccc84e17b10922632b2c8a77f9019f6aea4dcef

- Filesize: 2.3MB
  MD5: fb735be885ccfd879036b74445cff875
  SHA1: 95d9ece7c90dd8896a9f714a44545d6cb0dd1845
  SHA256: 15c730b600aafb39c7681afca3e56b73e38bcae0e050d0970a925a530abca71e
  SHA512: 42417b337912de8b7b91490e82aa44c75b9ebbf62571f1f44aca008ccaa3d02a169823a2570d67e0fd26f7d6a02e2eab18fceb6db26528e9ba4406d7bd410e90