Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
16-04-2024 23:02
Behavioral task
behavioral1
Sample
EZTEAM.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
EZTEAM.exe
Resource
win10v2004-20240412-en
General
-
Target
EZTEAM.exe
-
Size
5.9MB
-
MD5
9d9bb89529a2435d2b5c5a9362785caa
-
SHA1
ae868f80124ba020e0ae01965eeeb20be3d89e64
-
SHA256
959ea1ded73c315d26c1a689ffb2b5bf95f07d8c2c8c22e7a7e9a14caefe21bd
-
SHA512
8805d074769a469861d4c6224d9cc108088bc8fcda1f053903fd1a967779c37052eef8d0c6f069ddf6043e26e1b2ac59fbd61fe778f473630c7cdac4c8960502
-
SSDEEP
98304:zX2y/8OeQogVFSauDHL1cvCnlSLWQBzH+lU21shPxc2cm1VL0q0n44nj:b2YVFSNDHL7nlMWm+U9c2FF0qnWj
Malware Config
Extracted
njrat
Version: Njrat 0.7 Golden By Hassan Amiri
Botnet: HacKed
C2: returns-vary.gl.at.ply.gg:26628
Windows Update
-
reg_key: Windows Update
-
splitter: |Hassan|
Signatures
-
Executes dropped EXE 1 IoCs
Processes: svchost.exe (PID 2104) -
Loads dropped DLL 1 IoCs
Processes: EZTEAM.exe (PID 1988) -
Adds Run key to start application 2 TTPs 2 IoCs
Processes: svchost.exe (PID 2104)
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."
The same value is written to both the user Run key and the 32-bit (Wow6432Node) machine Run key under the configured reg_key name "Windows Update"; the autostart target is the dropped payload, which borrows the name svchost.exe but lives in %TEMP% rather than System32. -
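The two registry writes above are the kind of event a host sensor records as a registry value-set (Sysmon Event ID 13). The following is an added example, not part of the sandbox report, of the check an analyst would run over such records to surface this persistence pattern: a Run/RunOnce value whose target sits in a user-writable directory, or whose file name imitates a Windows system binary without living under the Windows directory. The event records and the field names TargetObject/Details are constructed here in the Sysmon shape; the two malicious records reuse the registry paths and values shown in the report, the benign ones are invented for contrast.

```python
"""Flag Run-key autostart writes that match the njRAT persistence pattern.

Added example. Records are constructed in the shape of Sysmon Event ID 13
(RegistryEvent: value set) fields; they are not taken from a real sensor.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Run/RunOnce keys in either hive, with or without the Wow6432Node view.
RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\",
    re.IGNORECASE,
)
# Directories any interactive user can write to. Legitimate autostart
# entries rarely point here; this sample's payload is dropped in %TEMP%.
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData\\Local\\Temp|Downloads|Users\\Public|Windows\\Temp)\\",
    re.IGNORECASE,
)
# File names of Windows system binaries that only belong under C:\Windows.
SYSTEM_BINARY_NAMES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe",
    "services.exe", "winlogon.exe", "rundll32.exe", "dllhost.exe",
}
WINDOWS_DIR_RE = re.compile(r"^[A-Za-z]:\\Windows\\", re.IGNORECASE)


@dataclass
class Finding:
    target_object: str
    image_path: str
    reasons: Tuple[str, ...]


def extract_image_path(details: str) -> str:
    """Return the executable path from a Run value.

    Handles an optionally quoted path followed by arguments, e.g. the
    sample's value "C:\\...\\svchost.exe" .. (note the trailing '..').
    """
    details = details.strip()
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end != -1 else details[1:]
    return details.split(" ", 1)[0]


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding if this registry write is a suspicious autostart."""
    target = event.get("TargetObject", "")
    if not RUN_KEY_RE.search(target):
        return None  # not a Run/RunOnce key, out of scope
    image = extract_image_path(event.get("Details", ""))
    reasons = []
    if USER_WRITABLE_RE.search(image):
        reasons.append("autostart target in user-writable directory")
    name = image.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_BINARY_NAMES and not WINDOWS_DIR_RE.match(image):
        reasons.append(f"system binary name {name} outside Windows directory")
    return Finding(target, image, tuple(reasons)) if reasons else None


def find_suspicious_run_keys(events) -> List[Finding]:
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample records. The last two mirror the report's IoCs.
SAMPLE_EVENTS = [
    {"TargetObject": r"HKU\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"TargetObject": r"\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update",
     "Details": r'"C:\Users\Admin\AppData\Local\Temp\svchost.exe" ..'},
    {"TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update",
     "Details": r'"C:\Users\Admin\AppData\Local\Temp\svchost.exe" ..'},
]

if __name__ == "__main__":
    for finding in find_suspicious_run_keys(SAMPLE_EVENTS):
        print(finding.target_object)
        print("  ->", finding.image_path)
        for reason in finding.reasons:
            print("     ", reason)
```

Both of the report's writes are flagged for two independent reasons, while the two benign entries pass; the separate reasons matter because either one alone (a Temp-resident autostart, or a misplaced svchost.exe) is worth a look even when the other is absent.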
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: svchost.exe (PID 2104) -
Suspicious use of AdjustPrivilegeToken 35 IoCs
Processes: svchost.exe (PID 2104)
Token: SeDebugPrivilege (1 event), followed by 17 alternating pairs of Token: 33 (LUID 33, SeIncreaseWorkingSetPrivilege) and Token: SeIncBasePriorityPrivilege (34 events) -
Suspicious use of WriteProcessMemory 4 IoCs
Processes: EZTEAM.exe (PID 1988) wrote to memory of svchost.exe (PID 2104), 4 events -
Processes
-
C:\Users\Admin\AppData\Local\Temp\EZTEAM.exe (PID 1988)
Command line: "C:\Users\Admin\AppData\Local\Temp\EZTEAM.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 2104, child of EZTEAM.exe)
  Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize 43KB
MD5 a820989c753829c1d5e14d49e1fdd4d0
SHA1 584542275a5b58b148aed49837f0e3055ae88080
SHA256 fc6030ba36b3b189df03112a78feb8908e8f8797b72d344832e9acbcb6815166
SHA512 799af03ad5fedfb6d7e2bc5e1ed83914015c150860c7afa23f9c2a8e6da7de7ccdacbafbe4fbc00047a77d1e398fc534a08f495575de3ede8d97fb48f74dd1f7
-
memory/1988-6-0x0000000000400000-0x00000000009E4000-memory.dmp  Filesize 5.9MB
-
memory/2104-8-0x0000000000120000-0x0000000000132000-memory.dmp  Filesize 72KB
-
memory/2104-9-0x00000000742B0000-0x000000007499E000-memory.dmp  Filesize 6.9MB
-
memory/2104-10-0x00000000046D0000-0x0000000004710000-memory.dmp  Filesize 256KB
-
memory/2104-11-0x00000000046D0000-0x0000000004710000-memory.dmp  Filesize 256KB
-
memory/2104-12-0x00000000742B0000-0x000000007499E000-memory.dmp  Filesize 6.9MB
-
memory/2104-14-0x00000000046D0000-0x0000000004710000-memory.dmp  Filesize 256KB
-
memory/2104-13-0x00000000046D0000-0x0000000004710000-memory.dmp  Filesize 256KB
-
memory/2104-15-0x00000000046D0000-0x0000000004710000-memory.dmp  Filesize 256KB