Analysis
Max time kernel: 149s
Max time network: 148s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 21-05-2024 14:44
Behavioral tasks
behavioral1: Sample Cheat.exe, Resource win7-20240221-en
behavioral2: Sample Cheat.exe, Resource win10v2004-20240426-en
The signatures, process tree and PIDs on this page are from behavioral1, the Windows 7 x64 run (platform and resource above; taskeng.exe as the task host is also the Windows 7 behaviour).
General
Target: Cheat.exe
Size: 65KB
MD5: 596bb1dd5ae0ac50a9218910d193d4cf
SHA1: 377563b67e5601266d711345f78df4a7d95cad27
SHA256: 2018fc40b0faeb1ddd7406ec68677a55164633ee245966a07688329459f6da7d
SHA512: b543f966b174f59384e0579935ae194bff479576007ef966c7bf1a3e3f256e9686383c21f5c239df9e28970106f7770b09fbb498400b7a26cc981a37a9555299
SSDEEP: 1536:fj+u2LoN36tcQviFw1A+HIBnvbLfLteF3nLrB9z3nUaF9b6S9vM:fj+uIoN36tcQviFC9oBnnfWl9zkaF9bC
Malware Config
Extracted (field labels follow the standard njRat config layout: family, version, botnet, C2, mutex, attributes)
Family: njrat
Version: Platinum
Botnet: njRat
C2: 127.0.0.1:21679
Mutex: HDAudio.exe
Attributes:
  reg_key: HDAudio.exe
  splitter: |Ghost|
Two things to note for triage. The C2 is the IPv4 loopback address on TCP 21679, so as configured the implant can only ever connect to a listener on the infected host itself; it is either a test build or one that was never pointed at a remote host. That is why this report has no network IoCs, and it must not be read as the sample being harmless: the persistence and privilege behaviour recorded below is fully in place, and a rebuilt sample with a real C2 would behave identically on the host. Second, the splitter is a custom value; njRat's default field delimiter is |'|'|, so network signatures written for the default delimiter would miss this build. The reg_key and mutex both reuse the install name HDAudio.exe, which is also the Run value name and the file name dropped into C:\Windows.
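As an added example (not code from the sandbox report, from the extractor, or from the malware itself), the following Python shows what the extracted splitter is used for. njRat frames each C2 message as an ASCII decimal length, a NUL byte and the payload, and joins the payload fields with the configured splitter, here |Ghost|. The parser keeps partial frames so it can be fed reassembled TCP data chunk by chunk; the byte strings it is run on are constructed to exercise the framing and are not captured traffic, and the field contents (b"ll", a host name, a user name) are illustrative only.

```python
"""Frame and parse njRat-style C2 messages with the splitter from this report.

Added example, not code from the sandbox report or from the malware itself.
njRat sends each message as an ASCII decimal length, a NUL byte and the
payload; fields inside the payload are joined by the configured splitter,
here "|Ghost|" instead of the default "|'|'|". The byte strings built in
main() are constructed to exercise the framing; they are not captured
traffic, and the field contents are illustrative only.
"""

SPLITTER = b"|Ghost|"          # value extracted from this sample's config


def frame(fields, splitter=SPLITTER):
    """Encode one message: b"<len>\\x00" + fields joined by the splitter."""
    payload = splitter.join(fields)
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_frames(buf, splitter=SPLITTER):
    """Split a byte buffer (e.g. reassembled TCP data) into complete frames.

    Returns (frames, remainder): frames is a list of field lists, remainder
    is any trailing bytes that do not yet form a complete frame, so the
    caller can prepend them to the next chunk. A non-numeric length prefix
    raises ValueError, which is how you notice the stream is not njRat
    framing (or uses another format) instead of silently producing garbage.
    """
    frames = []
    pos = 0
    while True:
        nul = buf.find(b"\x00", pos)
        if nul == -1:                      # length prefix not complete yet
            break
        length_text = buf[pos:nul]
        if not length_text.isdigit():
            raise ValueError(f"non-numeric length prefix at offset {pos}: {length_text!r}")
        start = nul + 1
        end = start + int(length_text)
        if end > len(buf):                 # payload not fully received yet
            break
        frames.append(buf[start:end].split(splitter))
        pos = end
    return frames, buf[pos:]


if __name__ == "__main__":
    # Constructed demo stream: one complete registration-style frame followed
    # by the first bytes of a second frame, as a TCP read might deliver it.
    stream = frame([b"ll", b"VICTIM-PC", b"Admin"]) + frame([b"inf"])[:3]
    done, pending = parse_frames(stream)
    print(done, pending)
    done2, pending2 = parse_frames(pending + b"nf")
    print(done2, pending2)
```

Run this over payloads reassembled from a capture toward the configured C2 port; the length prefix plus NUL plus a short command token is also a compact pattern for a network signature, provided the signature is parameterised with the splitter from the sample's config rather than the default.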
Signatures

Drops startup file (3 IoCs)
Process HDAudio.exe:
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudio.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudio.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudio.url
Executes dropped EXE (4 IoCs)
PID 2568 HDAudio.exe
PID 2460 HDAudio.exe
PID 2628 HDAudio.exe
PID 1544 HDAudio.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Process HDAudio.exe:
  Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HDAudio.exe = "\"C:\\Windows\\HDAudio.exe\" .."
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HDAudio.exe = "\"C:\\Windows\\HDAudio.exe\" .."
The per-user key belongs to the same SID that later appears in the taskeng.exe command line (the Admin account). The machine-wide key lands under Wow6432Node because the sample is a 32-bit process on the x64 image; writing HKLM at all requires the elevated context the sandbox gave it. Both values carry the trailing " .." argument, a stable detail to key a Run-value detection on.
Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\HDAudio.exe (by Cheat.exe)
  File opened for modification: C:\Windows\HDAudio.exe (by HDAudio.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious use of AdjustPrivilegeToken (35 IoCs)
Process HDAudio.exe, PID 2568:
  Token: SeDebugPrivilege (1 entry, first)
  Token: 33 (17 entries, alternating with the next line)
  Token: SeIncBasePriorityPrivilege (17 entries)
The raw "33" is a privilege LUID the sandbox did not resolve to a name; LUID 33 is SeIncreaseWorkingSetPrivilege. SeDebugPrivilege is enabled once at start-up, then the working-set/base-priority pair is enabled 17 times over the run, which points at a loop or timer rather than a one-off call.
Suspicious use of WriteProcessMemory (24 IoCs)
Source PID / image      Target PID / image      Entries
2916 Cheat.exe          2568 HDAudio.exe        4
2568 HDAudio.exe        2576 schtasks.exe       4
2568 HDAudio.exe        2388 schtasks.exe       4
2384 taskeng.exe        2460 HDAudio.exe        4
2384 taskeng.exe        2628 HDAudio.exe        4
2384 taskeng.exe        1544 HDAudio.exe        4
Every pair here is a parent writing into a child it has just created, and this signature fires routinely on ordinary process creation. Nothing in the report shows writes into an unrelated, already-running process, so it is not evidence of code injection on its own.
Processes

C:\Users\Admin\AppData\Local\Temp\Cheat.exe (PID 2916)
  command line: "C:\Users\Admin\AppData\Local\Temp\Cheat.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\HDAudio.exe (PID 2568)
      command line: "C:\Windows\HDAudio.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      └ C:\Windows\SysWOW64\schtasks.exe (PID 2576)
          command line: schtasks /delete /tn "RealtekHDAudio" /f
      └ C:\Windows\SysWOW64\schtasks.exe (PID 2388)
          command line: schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe
          - Creates scheduled task(s)

C:\Windows\system32\taskeng.exe (PID 2384)
  command line: taskeng.exe {B1F4211E-5EE2-4C0F-BF7B-85AD5A1086CB} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\HDAudio.exe (PID 2460)
      command line: C:\Windows\HDAudio.exe
      - Executes dropped EXE
  └ C:\Windows\HDAudio.exe (PID 2628)
      command line: C:\Windows\HDAudio.exe
      - Executes dropped EXE
  └ C:\Windows\HDAudio.exe (PID 1544)
      command line: C:\Windows\HDAudio.exe
      - Executes dropped EXE

Reading the tree: Cheat.exe copies itself to C:\Windows\HDAudio.exe and launches the copy. That copy sets up three independent persistence paths (the Startup-folder .exe and .url, the two Run values, and a scheduled task), first deleting any task named "RealtekHDAudio" and then recreating it with /sc minute /mo 1, i.e. re-launching C:\Windows\HDAudio.exe every minute. The three HDAudio.exe instances spawned by taskeng.exe (PIDs 2460, 2628, 1544) are that task firing during the 149-second run; none of them records further persistence activity. The task name resembles a Realtek audio driver component, and the SysWOW64 path of schtasks.exe (file-system redirection for a 32-bit caller) matches the Wow6432Node Run key: the sample is a 32-bit binary on an x64 host. Clean-up therefore needs all three: delete the task, remove both Run values, and remove the Startup-folder entries as well as C:\Windows\HDAudio.exe.
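The process tree and the Run-key signature give enough detail to write a hunt for this persistence pattern on other hosts. The following Python is an added example, not part of the sandbox report and not any vendor's rule set; it runs two rules over process-creation and registry set-value records: a schtasks /create that re-launches an executable sitting directly in the Windows root on a minute cadence (any /mo value, which generalises the /mo 1 seen here), and a Run value that either ends in the " .." argument this sample writes or points at a Windows-root executable. The event records are constructed to mirror the report's IoCs, with two benign controls added; they are not exported sandbox data, and the record layout (pid/image/cmdline, key/name/value) is an assumption you would map to your own telemetry.

```python
r"""Hunt rules for the persistence pattern in this report.

Added example, not part of the sandbox report or of any vendor tooling.
Rule 1: schtasks /create with /sc minute whose /tr target is an .exe
        directly in C:\Windows (not System32 etc.).
Rule 2: a ...\CurrentVersion\Run value ending in " .." (the argument this
        sample writes) or pointing at an .exe directly in C:\Windows.
The event records below are constructed to mirror the report's IoCs plus
two benign controls; they are not exported sandbox data, and the record
layout is an assumption to be mapped onto your own telemetry.
"""
import re

# Constructed process-creation events modelled on the report (not sandbox output).
PROCESS_EVENTS = [
    {"pid": 2568, "image": r"C:\Windows\HDAudio.exe",
     "cmdline": r'"C:\Windows\HDAudio.exe"'},
    {"pid": 2576, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks /delete /tn "RealtekHDAudio" /f'},
    {"pid": 2388, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 1 /tn "RealtekHDAudio" /tr C:\Windows\HDAudio.exe'},
    # benign control: daily task, target outside the Windows root
    {"pid": 4000, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /tn "Backup" /tr C:\Tools\backup.exe'},
]

# Constructed registry set-value events modelled on the report (not sandbox output).
REGISTRY_EVENTS = [
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "HDAudio.exe", "value": r'"C:\Windows\HDAudio.exe" ..'},
    {"key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
     "name": "HDAudio.exe", "value": r'"C:\Windows\HDAudio.exe" ..'},
    # benign control: an ordinary per-user Run entry
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive",
     "value": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

# An .exe sitting directly in the Windows root directory.
WINDOWS_ROOT_EXE = re.compile(r"^[A-Za-z]:\\Windows\\[^\\]+\.exe$", re.IGNORECASE)
TOKEN = re.compile(r'"[^"]*"|\S+')   # a double-quoted string or a bare word


def _tokens(cmdline):
    """Split a command line into tokens, stripping surrounding quotes."""
    return [t.strip('"') for t in TOKEN.findall(cmdline)]


def _schtasks_args(tokens):
    """Map /flag -> following value (None for flags such as /create or /f that take none)."""
    args = {}
    for i, tok in enumerate(tokens):
        if tok.startswith("/"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            args[tok.lower()] = None if (nxt is None or nxt.startswith("/")) else nxt
    return args


def suspicious_schtasks(event):
    """Rule 1. Returns a reason string, or None if the event does not match."""
    toks = _tokens(event["cmdline"])
    if not toks or toks[0].lower() != "schtasks":
        return None
    args = _schtasks_args(toks[1:])
    if "/create" not in args:
        return None
    target = args.get("/tr") or ""
    if (args.get("/sc") or "").lower() == "minute" and WINDOWS_ROOT_EXE.match(target):
        return f"minute-cadence task {args.get('/tn')} relaunches {target}"
    return None


def suspicious_run_value(event):
    """Rule 2. Returns a reason string, or None if the event does not match."""
    if not event["key"].lower().endswith(r"\currentversion\run"):
        return None
    value = event["value"].strip()
    # executable is the quoted first token, or the first word if unquoted
    exe = value.split('"')[1] if value.startswith('"') else value.split(" ")[0]
    if value.endswith(" ..") or WINDOWS_ROOT_EXE.match(exe):
        return f"Run value {event['name']} -> {value}"
    return None


def hunt(process_events, registry_events):
    """Run both rules and return (identifier, reason) pairs in event order."""
    hits = []
    for ev in process_events:
        reason = suspicious_schtasks(ev)
        if reason:
            hits.append((ev["pid"], reason))
    for ev in registry_events:
        reason = suspicious_run_value(ev)
        if reason:
            hits.append((ev["key"], reason))
    return hits


if __name__ == "__main__":
    for ident, reason in hunt(PROCESS_EVENTS, REGISTRY_EVENTS):
        print(ident, reason)
```

On the constructed input the hunt returns three hits (the /create task and both Run values) and neither control. Rule 1 deliberately does not match the /delete call, which is noise on its own; if you want the delete-then-create pair as a stronger signal, correlate on the task name across consecutive schtasks events from the same parent PID.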
Network
No network entries are recorded, which is expected given the configured C2 of 127.0.0.1:21679.

MITRE ATT&CK Enterprise v15

Downloads
Filesize: 65KB
MD5: 596bb1dd5ae0ac50a9218910d193d4cf
SHA1: 377563b67e5601266d711345f78df4a7d95cad27
SHA256: 2018fc40b0faeb1ddd7406ec68677a55164633ee245966a07688329459f6da7d
SHA512: b543f966b174f59384e0579935ae194bff479576007ef966c7bf1a3e3f256e9686383c21f5c239df9e28970106f7770b09fbb498400b7a26cc981a37a9555299
These hashes are identical to the submitted Cheat.exe, consistent with the file dropped as C:\Windows\HDAudio.exe being a straight copy of the sample rather than a separately packed payload; one hash-based indicator covers both.