Analysis

max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 25-02-2024 20:15

Static task: static1
Behavioral task: behavioral1
  Sample: ApplicationSetup 14.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: ApplicationSetup 14.exe
  Resource: win10v2004-20240221-en
General

Target: ApplicationSetup 14.exe
Size: 13.2MB
MD5: c79c74015c9ce0892b5f57a483096167
SHA1: 676b9e4572ff8824f4ebb624b20a5d590fefb3ce
SHA256: b01a6d6530594581e3e4f0907b71f036a2ce0252d0995effcfab25013a9917aa
SHA512: 2d6c95ae1b0e1eda39c71eb70d4c773cd8b3aea16d5829489de4eb4d9641c9f9508645c2caccb9bf7bc70321a11746fa2bbae7876c34e35e3639da65b5fd3aa6
SSDEEP: 196608:KkKVS0/N8DiKplRTEIT9966UUGsc0laGV5XgvucmQBDniJTB5VPBBSe+0JlFRtAc:OS+QRrXTzisc0zVJw2OgZBZ+0Jsaas
Malware Config

Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed
C2: hakim32.ddns.net:2000
    kisel228.zapto.org:25565
Mutex: 742480850a3c457758da290ee11e533c
Attributes:
  reg_key: 742480850a3c457758da290ee11e533c
  splitter: |'|'|
Signatures

Disables Task Manager via registry modification

Modifies Windows Firewall (2 TTPs, 3 IoCs)
  pid   Process
  2000  netsh.exe
  2472  netsh.exe
  2172  netsh.exe
Drops startup file (6 IoCs)
  description                   ioc                                                                                                                       Process
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\742480850a3c457758da290ee11e533cWindows Update.exe  server.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe                                  server.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe                                  server.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe                     server.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe                     server.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\742480850a3c457758da290ee11e533cWindows Update.exe  server.exe

Executes dropped EXE (4 IoCs)
  pid   Process
  2504  Lol.exe
  2664  creal.exe
  836   creal.exe
  2760  server.exe

Loads dropped DLL (13 IoCs)
  pid   Process
  2700  ApplicationSetup 14.exe
  2700  ApplicationSetup 14.exe
  2504  Lol.exe
  2504  Lol.exe
  2504  Lol.exe
  2700  ApplicationSetup 14.exe
  2664  creal.exe
  836   creal.exe
  2504  Lol.exe
  2504  Lol.exe
  2760  server.exe
  2760  server.exe
  2760  server.exe
Drops autorun.inf file (1 TTPs, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
  description                   ioc            Process
  File opened for modification  C:\autorun.inf  server.exe
  File created                  F:\autorun.inf  server.exe
  File opened for modification  F:\autorun.inf  server.exe
  File created                  C:\autorun.inf  server.exe

Drops file in System32 directory (2 IoCs)
  description                   ioc                                Process
  File created                  C:\Windows\SysWOW64\Explower.exe  server.exe
  File opened for modification  C:\Windows\SysWOW64\Explower.exe  server.exe

Drops file in Program Files directory (2 IoCs)
  description                   ioc                                  Process
  File created                  C:\Program Files (x86)\Explower.exe  server.exe
  File opened for modification  C:\Program Files (x86)\Explower.exe  server.exe

Detects Pyinstaller (5 IoCs)
  resource                                      yara_rule
  behavioral1/files/0x00040000000130fc-17.dat  pyinstaller
  behavioral1/files/0x00040000000130fc-19.dat  pyinstaller
  behavioral1/files/0x00040000000130fc-20.dat  pyinstaller
  behavioral1/files/0x00040000000130fc-93.dat  pyinstaller
  behavioral1/files/0x00040000000130fc-92.dat  pyinstaller
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2760  server.exe   (same row repeated for all 64 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  2760  server.exe
Suspicious use of AdjustPrivilegeToken (35 IoCs)
  description                        pid   Process
  Token: SeDebugPrivilege            2760  server.exe
  Token: 33                          2760  server.exe
  Token: SeIncBasePriorityPrivilege  2760  server.exe
  (the "Token: 33" / "Token: SeIncBasePriorityPrivilege" pair repeats for the remaining rows, 17 pairs in total)

Suspicious use of WriteProcessMemory (42 IoCs)
  description                        pid   Process                  procid_target  rows
  PID 2700 wrote to memory of 2504   2700  ApplicationSetup 14.exe  28             7
  PID 2700 wrote to memory of 2664   2700  ApplicationSetup 14.exe  29             4
  PID 2664 wrote to memory of 836    2664  creal.exe                30             3
  PID 2504 wrote to memory of 2760   2504  Lol.exe                  31             7
  PID 2760 wrote to memory of 2000   2760  server.exe               32             7
  PID 2760 wrote to memory of 2472   2760  server.exe               34             7
  PID 2760 wrote to memory of 2172   2760  server.exe               35             7
Processes

C:\Users\Admin\AppData\Local\Temp\ApplicationSetup 14.exe  (level 1, PID 2700)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ApplicationSetup 14.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Lol.exe  (level 2, PID 2504)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Lol.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\server.exe  (level 3, PID 2760)
      Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
      - Drops startup file
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\netsh.exe  (level 4, PID 2000)
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
        - Modifies Windows Firewall

      C:\Windows\SysWOW64\netsh.exe  (level 4, PID 2472)
        Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
        - Modifies Windows Firewall

      C:\Windows\SysWOW64\netsh.exe  (level 4, PID 2172)
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
        - Modifies Windows Firewall

  C:\Users\Admin\AppData\Local\Temp\creal.exe  (level 2, PID 2664)
    Command line: "C:\Users\Admin\AppData\Local\Temp\creal.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\creal.exe  (level 3, PID 836)
      Command line: "C:\Users\Admin\AppData\Local\Temp\creal.exe"
      - Executes dropped EXE
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.4MB
MD5: 82c9700ca6b352383ff1b8c3b806cd5b
SHA1: 22f3ef05a1f5ff8eb54394647a560aeb983545c5
SHA256: 5405e8f79d0f62cb60e3deea5465ddb76afc8ad730b4482f1efaa87f5e1e8380
SHA512: c4c713e2cd89ae43c14320f1e4f59e2179b1dcbd969d11700456507921421e7c3b873546688078c5ac7df6ee9713347d8829cb3885c57ddd442dfc422c8de37a

Filesize: 4.3MB
MD5: f181dad51052f633d5672bb256f4cd4c
SHA1: 0e1d1fbde72460a818ba1f16f813382e97fbc61a
SHA256: f518a8705eb051fd8e98d0c14b599587d04a7ac9c1aed3868d0bdd75b5591f86
SHA512: a802853a553742dd8655a1d00c4550ad86ef04a6f68a973740cd514009650d4fc0e54efd04ea9967b2228f4b4fe94ba9ee40a7aa99a6c2b711960c113744d0be

Filesize: 4.1MB
MD5: e713b4ecadae22ff5a07bb7238a24f86
SHA1: a533d8d0eb1897b9e75096685e2bdb864f99c6a3
SHA256: 16302b9903f6f97604ab5e03490d85547817ba94fe58536466cc09b4b53262b1
SHA512: 3261b2a2af3153f9dc05065c457859f48833baa72fd879819fed002b4b9097bdb3c8a50ef958d04dac756f057f20ef9c2cd1437089e9f9be3b02b92b0a819a52

Filesize: 2.8MB
MD5: c05b8261f12744400e1f5d4346836d9a
SHA1: efcae12a817cd532afc2287905fa416e785500f3
SHA256: 2b939ff023c28713104523aa5b14ce1f695045a56a998c71524a9189bc8a0372
SHA512: be95235c58f315e3ef62e27a847212ddf02ca75fd78dd1f05e4a0a9f97bde08fc7530075eb9009eafd9a027feb7f0dd2af9704d16dac0eec8b1dc681f7a8ff51

Filesize: 5B
MD5: cac4598fdc0f92181616d12833eb6ca1
SHA1: 80a7b7a46a0e8e674b782b9eb569e5430a69c84b
SHA256: 275918973c23ad700f278c69cc03c9c82ec9f4d9ed0f53111ad22bec197ff440
SHA512: 01a7556bfcce6d9d8251aadc7f6e6169fdd0477d487ce88729c44bfe8b85b2eee500985d553c0479765ef5b5c6dc3517c0305efb9089814c3f8a9ea6fc51c713

Filesize: 93KB
MD5: 9e4d9908815be3e2244c857863ec309a
SHA1: e0dc0c88151069986c7104d12fa3223ad1fe07bb
SHA256: a976cc4bb39183a99f5341cda18b789d1c345eaf37221c71291b823eb457c6be
SHA512: 795bebd046b5c147fed8726a7f772d2e5900be31e1f1a81d4052619d4325e1f51445193319ad93e37d17c70d4ac0ff01d2ebbe6ac2d85c4feb91dbfe992d8b9b

Filesize: 1.1MB
MD5: b849e8201f088c4aef9ca325c5c7f2cd
SHA1: 30c1e0944524b28410bb9f4ebde61e5bcc994c4f
SHA256: ca76e97fd82201a8ef84eaceeb064684c48fdd7f0e3bba00ff064747e603065e
SHA512: 660c41680e350dc75c18500c77679de30148bb79c3464172f080c23df5371e9ca20b4560dc5f2fd4ec7d220b37652a5ebe2c557e409908fe317b03dabab81337

Filesize: 4.2MB
MD5: 6d14b9491e3881897e21681d7a0a62b8
SHA1: 5fde4f378f63db74d3a184c8fdcb58e8e62f2caa
SHA256: 2d9f4a041f9218d30763053530f52d2ca6eee4f3f9ffa249155bd744f07282de
SHA512: cf570a4a92f605f6e0699a3379d6675dc387770665c895a28662e766a7d39d67b8d46fab304c0c6128599dad32b8401f09819b25b22c799d75feff282dd0a51d

Filesize: 2.9MB
MD5: 99b60bbd0085286bb2cedf7ba86657d3
SHA1: 6b2f024cbc0956fcd8dbe933aaeb379a48971011
SHA256: a6d08e096ae0d2c0741043fed5aa5760f094764f630d61f026177439c21a2536
SHA512: 08827ec621e1db940de3a83ca81cf05ab3fa26878fc29a624a5783c22d633ffc51748c80ca4f9512d4f2d42c643d17fac492b794f638a212924701f6c7598934