Analysis
- max time kernel: 149s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-04-2024 23:02
Behavioral task: behavioral1
- Sample: EZTEAM.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: EZTEAM.exe
- Resource: win10v2004-20240412-en
General
- Target: EZTEAM.exe
- Size: 5.9MB
- MD5: 9d9bb89529a2435d2b5c5a9362785caa
- SHA1: ae868f80124ba020e0ae01965eeeb20be3d89e64
- SHA256: 959ea1ded73c315d26c1a689ffb2b5bf95f07d8c2c8c22e7a7e9a14caefe21bd
- SHA512: 8805d074769a469861d4c6224d9cc108088bc8fcda1f053903fd1a967779c37052eef8d0c6f069ddf6043e26e1b2ac59fbd61fe778f473630c7cdac4c8960502
- SSDEEP: 98304:zX2y/8OeQogVFSauDHL1cvCnlSLWQBzH+lU21shPxc2cm1VL0q0n44nj:b2YVFSNDHL7nlMWm+U9c2FF0qnWj
Malware Config
Extracted family: njrat
- Version: Njrat 0.7 Golden By Hassan Amiri
- Botnet/campaign ID: HacKed
- C2: returns-vary.gl.at.ply.gg:26628
- Mutex: Windows Update
- reg_key: Windows Update
- splitter: |Hassan|
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: EZTEAM.exe
  - description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation
    process: EZTEAM.exe
- Executes dropped EXE (1 IoC)
  Processes: svchost.exe
  - pid: 5068
    process: svchost.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: svchost.exe
  - description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."
    process: svchost.exe
  - description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .."
    process: svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: svchost.exe
  - pid: 5068
    process: svchost.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes: svchost.exe (pid 5068)
  - Token: SeDebugPrivilege (1 entry)
  - Token: 33 and Token: SeIncBasePriorityPrivilege, alternating (17 entries each)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: EZTEAM.exe
  - description: PID 872 wrote to memory of 5068 (3 identical entries)
    pid: 872
    process: EZTEAM.exe
    target process: svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\EZTEAM.exe (PID 872)
  Command line: "C:\Users\Admin\AppData\Local\Temp\EZTEAM.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\svchost.exe (PID 5068)
    Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  Filesize: 43KB
  MD5: a820989c753829c1d5e14d49e1fdd4d0
  SHA1: 584542275a5b58b148aed49837f0e3055ae88080
  SHA256: fc6030ba36b3b189df03112a78feb8908e8f8797b72d344832e9acbcb6815166
  SHA512: 799af03ad5fedfb6d7e2bc5e1ed83914015c150860c7afa23f9c2a8e6da7de7ccdacbafbe4fbc00047a77d1e398fc534a08f495575de3ede8d97fb48f74dd1f7
- memory/872-7-0x0000000000400000-0x00000000009E4000-memory.dmp
  Filesize: 5.9MB
- memory/5068-9-0x0000000000590000-0x00000000005A2000-memory.dmp
  Filesize: 72KB
- memory/5068-10-0x0000000073E50000-0x0000000074600000-memory.dmp
  Filesize: 7.7MB
- memory/5068-11-0x0000000005310000-0x00000000053AC000-memory.dmp
  Filesize: 624KB
- memory/5068-12-0x0000000005DB0000-0x0000000006354000-memory.dmp
  Filesize: 5.6MB
- memory/5068-13-0x0000000005970000-0x0000000005A02000-memory.dmp
  Filesize: 584KB
- memory/5068-14-0x0000000005820000-0x000000000582A000-memory.dmp
  Filesize: 40KB
- memory/5068-15-0x0000000073E50000-0x0000000074600000-memory.dmp
  Filesize: 7.7MB
- memory/5068-16-0x0000000006700000-0x0000000006766000-memory.dmp
  Filesize: 408KB
- memory/5068-17-0x0000000006C80000-0x0000000006C98000-memory.dmp
  Filesize: 96KB