Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 23-05-2024 15:32
Behavioral task: behavioral1
- Sample: 253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: 253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe
- Resource: win10v2004-20240508-en
General
- Target: 253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe
- Size: 9.0MB
- MD5: 8e575057308494a02213dd094240048f
- SHA1: e14cb5b49926f48417fd3b3ce55282c20f0e2f41
- SHA256: 253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4
- SHA512: e50a74e824d4e1050893b4d19f63ce4298a0679d982d42b3a49e74fb6fa1664f29e26e24738263aca364a3bffa9659caa98149147a3bb1d2ca37f42a531db3ea
- SSDEEP: 196608:Y0jlDwGcsAgejtcGfcY3gtAXSdyowjcOSP9FtCNb:1k3meBcGfdrSNm47CNb
Malware Config
Extracted
- njrat
- 0.7d
- HacKed
- icpanel.hackcrack.io:40544
- Windows Explorer
- reg_key: Windows Explorer
- splitter: |'|'|
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
Processes:
pid | process
412 | netsh.exe
- Executes dropped EXE (7 IoCs)
Processes:
pid  | process
2548 | Setup.exe
2648 | Setup.exe
1036 | check .exe
2404 | svchost.exe
2732 | check .exe
1428 | explorer.exe
2372 | explorer.exe
- Loads dropped DLL (4 IoCs)
Processes:
pid  | process
2972 | 253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe
2688 |
1036 | check .exe
2732 | check .exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe" | Setup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ." | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ." | explorer.exe
- Detects Pyinstaller (1 IoCs)
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\check .exe | pyinstaller
- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (13 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2372 | explorer.exe
Token: 33 | 2372 | explorer.exe
Token: SeIncBasePriorityPrivilege | 2372 | explorer.exe
Token: 33 | 2372 | explorer.exe
Token: SeIncBasePriorityPrivilege | 2372 | explorer.exe
Token: 33 | 2372 | explorer.exe
Token: SeIncBasePriorityPrivilege | 2372 | explorer.exe
Token: 33 | 2372 | explorer.exe
Token: SeIncBasePriorityPrivilege | 2372 | explorer.exe
Token: 33 | 2372 | explorer.exe
Token: SeIncBasePriorityPrivilege | 2372 | explorer.exe
Token: 33 | 2372 | explorer.exe
Token: SeIncBasePriorityPrivilege | 2372 | explorer.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
Processes:
description | pid | process | target process
PID 2972 wrote to memory of 2548 | 2972 | 253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe | Setup.exe
PID 2972 wrote to memory of 2548 | 2972 | 253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe | Setup.exe
PID 2972 wrote to memory of 2548 | 2972 | 253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe | Setup.exe
PID 2972 wrote to memory of 2648 | 2972 | 253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe | Setup.exe
PID 2972 wrote to memory of 2648 | 2972 | 253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe | Setup.exe
PID 2972 wrote to memory of 2648 | 2972 | 253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe | Setup.exe
PID 2972 wrote to memory of 1036 | 2972 | 253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe | check .exe
PID 2972 wrote to memory of 1036 | 2972 | 253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe | check .exe
PID 2972 wrote to memory of 1036 | 2972 | 253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe | check .exe
PID 2548 wrote to memory of 2404 | 2548 | Setup.exe | svchost.exe
PID 2548 wrote to memory of 2404 | 2548 | Setup.exe | svchost.exe
PID 2548 wrote to memory of 2404 | 2548 | Setup.exe | svchost.exe
PID 1036 wrote to memory of 2732 | 1036 | check .exe | check .exe
PID 1036 wrote to memory of 2732 | 1036 | check .exe | check .exe
PID 1036 wrote to memory of 2732 | 1036 | check .exe | check .exe
PID 2404 wrote to memory of 1428 | 2404 | svchost.exe | explorer.exe
PID 2404 wrote to memory of 1428 | 2404 | svchost.exe | explorer.exe
PID 2404 wrote to memory of 1428 | 2404 | svchost.exe | explorer.exe
PID 1428 wrote to memory of 2372 | 1428 | explorer.exe | explorer.exe
PID 1428 wrote to memory of 2372 | 1428 | explorer.exe | explorer.exe
PID 1428 wrote to memory of 2372 | 1428 | explorer.exe | explorer.exe
PID 2372 wrote to memory of 412 | 2372 | explorer.exe | netsh.exe
PID 2372 wrote to memory of 412 | 2372 | explorer.exe | netsh.exe
PID 2372 wrote to memory of 412 | 2372 | explorer.exe | netsh.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\253dc3c343cc4d87556dfd992f69f345d0ad0fe932dce42a4231f0533c75a0a4.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\Setup.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
          Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\netsh.exe
              Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
              - Modifies Windows Firewall
  [2] C:\Users\Admin\AppData\Local\Temp\Setup.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\check .exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\check .exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\check .exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\check .exe"
        - Executes dropped EXE
        - Loads dropped DLL
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\Setup.exe
  Filesize: 375KB
  MD5: 8e4f8329f0837d6a3801dd96973a05fe
  SHA1: 7309226e370a33000c08653504f2ac5786944b2b
  SHA256: 0d8f6fc81065fc6f20ea5b9de9a85fbfffe2deb1f2055f1b304b5b0f3e99407d
  SHA512: 9df93293a5fec2a2fca0838f43b24af8347f229884fab4338f7804ef0050b0aba02235ae2368ffef7dd42640420b42f69eaf974f5107bdab0bf0a8c9b39671cc
- C:\Users\Admin\AppData\Local\Temp\_MEI10362\python311.dll
  Filesize: 5.5MB
  MD5: 58e01abc9c9b5c885635180ed104fe95
  SHA1: 1c2f7216b125539d63bd111a7aba615c69deb8ba
  SHA256: de1b95d2e951fc048c84684bc7df4346138910544ee335b61fc8e65f360c3837
  SHA512: cd32c77191309d99aeed47699501b357b35669123f0dd70ed97c3791a009d1855ab27162db24a4bd9e719b68ee3b0539ee6db88e71abb9a2d4d629f87bc2c081
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
  Filesize: 163KB
  MD5: c833287873afe73c333638e4d187c666
  SHA1: 4aa5686878ed71c4d27996449854e63107165b98
  SHA256: a9a387bafca70c8bce39473ee63df9fb439d15ba83b6b26e84f91fc920c1f39f
  SHA512: a949d0d6143405f3bb98589e67856a5971a8b23d35536b13ad3aae4b51c53de256315d8deaf609f49e8fe9ccf39e59e95b0cecef2619d5d08f3059a9254ae006
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
  Filesize: 252KB
  MD5: e5d01a5a8cc5c5ca9a5329459814c91a
  SHA1: 00ec50ab1cdab87816ec0f3e77fa8ad00ea9c067
  SHA256: 612bbbf476228032ebab743100c98dae7f01a1dc854298cd8ece588351acb3c6
  SHA512: 2d0d0d964e9100b0586043b16f91532e0f81347ef3697dee7ab0cd90469e6c118ac58e630d9a7fe0a84f5c275440813aeede0e0c44cacf316f59cb760081ab07
- \Users\Admin\AppData\Local\Temp\check .exe
  Filesize: 8.6MB
  MD5: d74eb99109dc495ab735264ba68edb06
  SHA1: a7b5b1471c2e8f46d3e3d5340435d8a148fd285d
  SHA256: 26789e493fb9cc881d40e0eed7609fd390eb76196c91c4fc7be9ac7cbb11b41a
  SHA512: b715d226c70edfa5b413e7989a0f56ee4c5765b16f273f04bdfd6afb11fd1ba02638aa08d5f47e340eabab0397a3f300618cbcb2d49a921734b3bcfd09e0f643
- memory/1428-90-0x00000000004D0000-0x00000000004DC000-memory.dmp
  Filesize: 48KB
- memory/2548-16-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp
  Filesize: 9.6MB
- memory/2548-26-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp
  Filesize: 9.6MB
- memory/2548-11-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp
  Filesize: 9.6MB
- memory/2548-34-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp
  Filesize: 9.6MB
- memory/2972-27-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp
  Filesize: 9.6MB
- memory/2972-0-0x000007FEF5DAE000-0x000007FEF5DAF000-memory.dmp
  Filesize: 4KB
- memory/2972-3-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp
  Filesize: 9.6MB
- memory/2972-1-0x000007FEF5AF0000-0x000007FEF648D000-memory.dmp
  Filesize: 9.6MB