Analysis

max time kernel: 465s
max time network: 462s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 25-02-2024 05:06
Behavioral task: behavioral1
Sample: alekeseke.zip
Resource: win7-20240221-en
General

Target: alekeseke.zip
Size: 62KB
MD5: 9a790984db998c15e089ca5156d80e67
SHA1: 034deacf3152e7602166d8018845920d55054123
SHA256: 4693578ea4ae9212aa51d50c21adac0f6dcd9a7014d974d2e0425328b84e9149
SHA512: 5c8d9e30c5e7c363ed484de1dfcede4cfbf9a4cbdb8dce145642f7ab6c5131a29c5c1d0bf8c0ef35a0663f0064c90c1a8c1c04565720343ac64a19697b97e83c
SSDEEP: 1536:A/Ay3X7c4UKBAM9Q0+eVXx/1PLyFrb7sh:A/AWX7c4UU96chRAsh
Malware Config

Extracted
Family: njrat
Version: Platinum
Botnet: HacKed
C2: 127.0.0.1:12607
Mutex: Client.exe
Attributes:
- reg_key: Client.exe
- splitter: |Ghost|

The extracted C2 is a loopback address, so it is not usable as a network indicator. The connections actually observed in this run went to 0.tcp.eu.ngrok.io (see the Signatures section below); that hostname is the network IoC to pivot on. The splitter value is the field delimiter njRAT uses inside its C2 messages, which is what you need if you want to dissect captured traffic from this build.
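To show what the splitter field is good for, here is an added example (not part of the report and not the sandbox's own tooling) that reassembles njRAT-style messages from a TCP stream and splits a registration beacon on the configured splitter. The message framing (decimal byte length, a NUL byte, then the payload) and the field order of the "ll" registration message follow public analyses of njRAT and are assumptions about this particular build; the sample beacon below is constructed, and the host name, user and window title in it are made up.

```python
import base64

SPLITTER = "|Ghost|"   # splitter value from the extracted config


def frame(msg: str) -> bytes:
    """Wrap one message the way njRAT does (assumed framing): decimal length, NUL, payload."""
    body = msg.encode("utf-8")
    return str(len(body)).encode("ascii") + b"\x00" + body


def unframe(buf: bytes):
    """Split a captured TCP stream into complete messages.

    Returns (messages, unconsumed_tail). A length prefix whose payload has not fully
    arrived is left in the tail so the caller can append the next segment and retry.
    """
    msgs = []
    while True:
        nul = buf.find(b"\x00")
        if nul <= 0 or not buf[:nul].isdigit():
            break                                   # no complete length prefix (or not this framing)
        length = int(buf[:nul])
        start, end = nul + 1, nul + 1 + length
        if len(buf) < end:
            break                                   # payload still in flight
        msgs.append(buf[start:end].decode("utf-8", "replace"))
        buf = buf[end:]
    return msgs, buf


def maybe_b64(field: str) -> str:
    """Decode a base64 field; njRAT base64-encodes the victim ID and window title."""
    try:
        return base64.b64decode(field, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return field


def parse_registration(msg: str, splitter: str = SPLITTER):
    """Parse an 'll' registration beacon. Field layout is an assumption from public
    write-ups: ll, hwid, computer, user, date, "", os, camera, version, "..", window, ""."""
    fields = msg.split(splitter)
    if fields[0] != "ll" or len(fields) < 11:
        return None
    return {
        "hwid": maybe_b64(fields[1]),
        "computer": fields[2],
        "user": fields[3],
        "date": fields[4],
        "os": fields[6],
        "camera": fields[7],
        "version": fields[8],
        "active_window": maybe_b64(fields[10]),
    }


def build_registration(hwid, computer, user, date, os_name, camera, version, window,
                       splitter: str = SPLITTER) -> str:
    """Construct a beacon in the assumed layout, for exercising the parser offline."""
    def enc(s):
        return base64.b64encode(s.encode("utf-8")).decode("ascii")
    return splitter.join(["ll", enc(hwid), computer, user, date, "",
                          os_name, camera, version, "..", enc(window), ""])


if __name__ == "__main__":
    # Constructed stream: one registration beacon, one short message, one partial frame.
    reg = build_registration("3F2A1B9C_Admin", "ADMIN-PC", "Admin", "24-02-25",
                             "Win 7 Ultimate SP1 x64", "No", "Platinum", "Untitled - Notepad")
    stream = frame(reg) + frame("P") + b"12\x00partial"
    msgs, tail = unframe(stream)
    for m in msgs:
        print(parse_registration(m) or repr(m))
    print("unconsumed:", tail)
```

Because the splitter is per-build configuration, a network signature keyed on the default njRAT delimiter would miss this sample; matching on the length-NUL framing plus the configured splitter is the more robust approach.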
Signatures

Drops startup file (3 IoCs)
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | NOT A VIRUS.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url | NOT A VIRUS.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | NOT A VIRUS.exe

Executes dropped EXE (1 IoC)
pid | process
1708 | NOT A VIRUS.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "C:\Users\Admin\Desktop\NOT A VIRUS.exe" .. | NOT A VIRUS.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe = "C:\Users\Admin\Desktop\NOT A VIRUS.exe" .. | NOT A VIRUS.exe

Both the per-user Run key and the 32-bit (Wow6432Node) view of the machine-wide Run key point at the sample's own path on the Desktop, and both values carry the trailing " .." argument that njRAT appends when it writes its Run entry. The value name Client.exe matches the reg_key field of the extracted config. The Wow6432Node path (and the SysWOW64 taskkill children in the process tree) show the sample runs as a 32-bit process on this x64 image.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 5 IoCs)
flow | ioc
3 | 0.tcp.eu.ngrok.io
20 | 0.tcp.eu.ngrok.io
33 | 0.tcp.eu.ngrok.io
46 | 0.tcp.eu.ngrok.io
59 | 0.tcp.eu.ngrok.io

All five flows go to the same ngrok TCP-tunnel hostname. The tunnel hides the operator's real endpoint behind ngrok infrastructure, so the hostname rather than any resolved IP is the indicator worth keeping, and since the extracted C2 is 127.0.0.1:12607 this is the only C2-related network IoC the run produced.

Kills process with taskkill (2 IoCs)
pid | process
2092 | TASKKILL.exe
2124 | TASKKILL.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process
1708 | NOT A VIRUS.exe (all 64 events)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | process
Token: SeRestorePrivilege | 2012 | 7zG.exe
Token: 35 | 2012 | 7zG.exe
Token: SeSecurityPrivilege | 2012 | 7zG.exe (2 events)
Token: SeDebugPrivilege | 1708 | NOT A VIRUS.exe
Token: SeDebugPrivilege | 2092 | TASKKILL.exe
Token: SeDebugPrivilege | 2124 | TASKKILL.exe
Token: SeDebugPrivilege | 420 | taskmgr.exe
Token: SeDebugPrivilege | 920 | taskmgr.exe
Token: 33 / Token: SeIncBasePriorityPrivilege | 1708 | NOT A VIRUS.exe (the remaining events, alternating between these two privileges)

Suspicious use of FindShellTrayWindow (38 IoCs)
pid | process
2012 | 7zG.exe (1 event)
420 | taskmgr.exe (24 events)
920 | taskmgr.exe (13 events)

Suspicious use of SendNotifyMessage (37 IoCs)
pid | process
420 | taskmgr.exe (24 events)
920 | taskmgr.exe (13 events)

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | process | procid_target
PID 1708 wrote to memory of 2092 | 1708 | NOT A VIRUS.exe | 37 (4 events)
PID 1708 wrote to memory of 2124 | 1708 | NOT A VIRUS.exe | 39 (4 events)
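The four behaviours above (Run key with njRAT's " .." suffix, Startup-folder drop, taskkill of wscript.exe/cmd.exe spawned from a user-writable path, and an ngrok TCP-tunnel lookup) are each detectable from ordinary endpoint telemetry. The following is an added example, not part of the report: detection logic run over a handful of constructed Sysmon-style events that mirror the IoCs in this report plus some benign noise that must not alert. The event dictionary layout, the technique names and the benign entries are my own assumptions.

```python
import re
from collections import defaultdict

# Patterns for the behaviours seen in the report.
RUN_KEY_RE = re.compile(
    r"\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.I)      # Desktop, AppData, Temp...
NGROK_TCP_RE = re.compile(r"^\d+\.tcp(\.[a-z]{2})?\.ngrok\.io$", re.I)  # e.g. 0.tcp.eu.ngrok.io
TASKKILL_IM_RE = re.compile(r"/IM\s+(\S+)", re.I)
KILL_TARGETS = {"wscript.exe", "cmd.exe"}
NJRAT_RUN_SUFFIX = '" ..'   # njRAT writes "<path>" .. into its Run value

MALWARE = r"C:\Users\Admin\Desktop\NOT A VIRUS.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed events (assumed layout); the first seven mirror the report, the rest are benign noise.
EVENTS = [
    {"type": "registry_set", "pid": 1708, "image": MALWARE,
     "target": r"\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe",
     "data": '"' + MALWARE + '" ..'},
    {"type": "registry_set", "pid": 1708, "image": MALWARE,
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Client.exe",
     "data": '"' + MALWARE + '" ..'},
    {"type": "file_create", "pid": 1708, "image": MALWARE, "target": STARTUP + r"\Client.exe"},
    {"type": "file_create", "pid": 1708, "image": MALWARE, "target": STARTUP + r"\Client.url"},
    {"type": "process_create", "pid": 2092, "image": r"C:\Windows\SysWOW64\TASKKILL.exe",
     "cmdline": "TASKKILL /F /IM wscript.exe", "parent_pid": 1708, "parent_image": MALWARE},
    {"type": "process_create", "pid": 2124, "image": r"C:\Windows\SysWOW64\TASKKILL.exe",
     "cmdline": "TASKKILL /F /IM cmd.exe", "parent_pid": 1708, "parent_image": MALWARE},
    {"type": "dns_query", "pid": 1708, "image": MALWARE, "query": "0.tcp.eu.ngrok.io"},
    {"type": "registry_set", "pid": 3000, "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "data": r'"C:\Program Files\Vendor\updater.exe" /background'},
    {"type": "dns_query", "pid": 3100, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "query": "www.example.com"},
    {"type": "process_create", "pid": 3200, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /F /IM notepad.exe", "parent_pid": 3150,
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]


def first_path(cmd: str) -> str:
    """Executable path at the start of a command line or Run value, quotes removed."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def check_event(ev: dict) -> list:
    """Return (technique, detail) pairs for one event; empty list if nothing matches."""
    hits = []
    kind = ev["type"]
    if kind == "registry_set" and RUN_KEY_RE.search(ev["target"]):
        if ev["data"].endswith(NJRAT_RUN_SUFFIX):
            hits.append(("run_key_njrat_suffix", ev["target"]))
        elif USER_WRITABLE_RE.match(first_path(ev["data"])):
            hits.append(("run_key_user_writable_path", ev["target"]))
    elif kind == "file_create" and STARTUP_DIR_RE.search(ev["target"]):
        hits.append(("startup_folder_drop", ev["target"]))
    elif kind == "process_create":
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        m = TASKKILL_IM_RE.search(ev["cmdline"])
        if (exe == "taskkill.exe" and m and m.group(1).lower() in KILL_TARGETS
                and USER_WRITABLE_RE.match(ev["parent_image"])):
            hits.append(("taskkill_from_user_path_parent", ev["cmdline"]))
    elif kind == "dns_query" and NGROK_TCP_RE.match(ev["query"]):
        hits.append(("ngrok_tcp_tunnel", ev["query"]))
    return hits


def correlate(events: list) -> dict:
    """Group hits by the responsible process; a child spawn is charged to its parent."""
    by_pid = defaultdict(list)
    for ev in events:
        for hit in check_event(ev):
            owner = ev["parent_pid"] if ev["type"] == "process_create" else ev["pid"]
            by_pid[owner].append(hit)
    return dict(by_pid)


def verdict(hits: list, threshold: int = 3):
    """Distinct techniques for one process; flag when several co-occur, as they do here."""
    techniques = sorted({name for name, _ in hits})
    return techniques, len(techniques) >= threshold


if __name__ == "__main__":
    for pid, hits in correlate(EVENTS).items():
        techniques, flagged = verdict(hits)
        print(pid, "FLAGGED" if flagged else "low", techniques)
```

Each rule on its own would be noisy (installers write Run keys, admins run taskkill), which is why the verdict requires several distinct techniques from the same process; in this run all four land on PID 1708.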
Processes

Explorer, verclsid and 7zG are the sandbox opening the submitted archive and extracting it to the Desktop; the three taskmgr instances are desktop interaction. The sample itself is the extracted "NOT A VIRUS.exe" (PID 1708), whose only children are the two taskkill invocations.

C:\Windows\Explorer.exe
  command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\alekeseke.zip
  PID: 1976

C:\Windows\system32\verclsid.exe
  command line: "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
  PID: 3064

C:\Program Files\7-Zip\7zG.exe
  command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap14468:76:7zEvent32747
  PID: 2012
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Users\Admin\Desktop\NOT A VIRUS.exe
  command line: "C:\Users\Admin\Desktop\NOT A VIRUS.exe"
  PID: 1708
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\TASKKILL.exe (child of PID 1708)
      command line: TASKKILL /F /IM wscript.exe
      PID: 2092
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\TASKKILL.exe (child of PID 1708)
      command line: TASKKILL /F /IM cmd.exe
      PID: 2124
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 420
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 1864

C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 920
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 214KB
MD5: e431cae2c2e7c1d50e2264102d898310
SHA1: 7eae6955815fda22dd9ed02302d5f0ca4596854f
SHA256: ff86000c39c061650d004894837d8f618d0724ce3b2a2ef24072c784b2ceb67f
SHA512: 74be155fefe642006b7df93aeef53ba34cb950d6172d40782de768ef7437061491b63e7950ef1038d8dbec70e60fa900ce212fd804fb9cb555f337176d99cb1c