Overview

overview

10

Static

static

10

Fixer.exe

windows7-x64

Fixer.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    96s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    10-06-2024 21:14

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Fixer.exe

  • Size

    43KB

  • MD5

    e947d466ee6ac91e0a4b135ab4eef44d

  • SHA1

    eb91b570a8e029ee687eb7d8ddf06dd6c21a36d8

  • SHA256

    602dbf0a589f145df09cd667836acd3ab2100e44793344fd1bb1147d9c3d4343

  • SHA512

    9d7807137a503bd38c21eb129a8838d959b2c5c9c6153a57175af3b8d7b00d9567fbbbf330bf215ce3f54bd01a9a61c6cdbfb94a0e090393774901f015bbd96b

  • SSDEEP

    384:0rZyZ7lwZ28bk8yi6p8lOXBEBxdfZazoIij+ZsNO3PlpJKkkjh/TzF7pWn//gre7:0FmGvbk5ioEEenyuXQ/oC/+L

Score
10/10
modiloadernjrathackedaspackv2bootkitpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

listing-trackbacks.gl.at.ply.gg:15337

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • ModiLoader Second Stage 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fixer.exe
    "C:\Users\Admin\AppData\Local\Temp\Fixer.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:756
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
      2⤵
      • Creates scheduled task(s)
      PID:2336
    • C:\Users\Admin\AppData\Local\Temp\.exe
      "C:\Users\Admin\AppData\Local\Temp\.exe"
      2⤵
      • Executes dropped EXE
      PID:2612
    • C:\Users\Admin\AppData\Local\Temp\.exe
      "C:\Users\Admin\AppData\Local\Temp\.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2828
    • C:\Users\Admin\AppData\Local\Temp\.exe
      "C:\Users\Admin\AppData\Local\Temp\.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Adds Run key to start application
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1304
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {E9D671EE-9F79-418E-90DA-0FA9A114513F} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Users\Admin\AppData\Local\Temp\Server.exe
      C:\Users\Admin\AppData\Local\Temp/Server.exe
      2⤵
      • Executes dropped EXE
      PID:2876
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    PID:2764
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:2856
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:2232

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Persistence

      Boot or Logon Autostart Execution

      3
      T1547

      Registry Run Keys / Startup Folder

      2
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Pre-OS Boot

      1
      T1542

      Bootkit

      1
      T1542.003

      Scheduled Task/Job

      1
      T1053

      Privilege Escalation

      Boot or Logon Autostart Execution

      3
      T1547

      Registry Run Keys / Startup Folder

      2
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Scheduled Task/Job

      1
      T1053

      Defense Evasion

      Modify Registry

      3
      T1112

      Pre-OS Boot

      1
      T1542

      Bootkit

      1
      T1542.003

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Server.exe
        Filesize

        43KB

        MD5

        e947d466ee6ac91e0a4b135ab4eef44d

        SHA1

        eb91b570a8e029ee687eb7d8ddf06dd6c21a36d8

        SHA256

        602dbf0a589f145df09cd667836acd3ab2100e44793344fd1bb1147d9c3d4343

        SHA512

        9d7807137a503bd38c21eb129a8838d959b2c5c9c6153a57175af3b8d7b00d9567fbbbf330bf215ce3f54bd01a9a61c6cdbfb94a0e090393774901f015bbd96b

        Download Submit
      • \Users\Admin\AppData\Local\Temp\.exe
        Filesize

        699KB

        MD5

        81dd862410af80c9d2717af912778332

        SHA1

        8f1df476f58441db5973ccfdc211c8680808ffe1

        SHA256

        60e76eda46185d1d2e9463d15e31d4c87eb03535d368cc3471c55992bc99ad5f

        SHA512

        8dd014b91fb1e2122d2e4da444db78dd551513c500d447bb1e94ceb7f2f8d45223a8a706e2156102f8c8850d2bb02ae6b8ea0c9282abd7baaa2c84130112af15

        Download Submit
      • \Users\Admin\AppData\Local\Temp\.exe
        Filesize

        2.4MB

        MD5

        9729d33f5cc788e9c1930bcc968acffa

        SHA1

        68c662875f7b805dd6f246919d406c8d92158073

        SHA256

        3711a334cb3c6e2a92461067f2d7db2946e9b139f1517b214bc929ba42a86aae

        SHA512

        af12beee6da79e5498eb292eb4a122667bf5dcdf840def97a5476adb31e0701a2aa0585b4266547bb4307c3524c7f9733dbf32f2a87c87b33fadb4bb1ecd0c3f

        Download Submit
      • \Users\Admin\AppData\Local\Temp\.exe
        Filesize

        436KB

        MD5

        a9d32c2ea6c4957e4bfef9fb0dabd8d8

        SHA1

        5dac99e3da8846602382c57a3fc24ccc4613ea20

        SHA256

        d167d7de10c0a15976d2877b5ce0bae62f1c9825e07880c58a1a3e01d2126144

        SHA512

        b88f6707dda39ea2c509e6ae050339c054648fa0dd5d5385b53bb75f7f3a3feacdf69f580796701d7cc45e779456da4205f466352779ab0a0616581c7615b31e

        Download Submit
      • memory/756-7-0x0000000001D90000-0x0000000001D9A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/756-2-0x0000000074E70000-0x000000007555E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/756-6-0x0000000074E70000-0x000000007555E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/756-38-0x0000000074E70000-0x000000007555E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/756-14-0x0000000006B40000-0x0000000006C85000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/756-1-0x00000000003D0000-0x00000000003E2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/756-5-0x0000000074E7E000-0x0000000074E7F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/756-0-0x0000000074E7E000-0x0000000074E7F000-memory.dmp
        Filesize

        4KB

        Download
      • memory/756-27-0x0000000006B40000-0x0000000006C85000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1304-36-0x0000000000400000-0x0000000000474000-memory.dmp
        Filesize

        464KB

        Download
      • memory/1304-37-0x0000000000400000-0x0000000000474000-memory.dmp
        Filesize

        464KB

        Download
      • memory/2612-17-0x0000000000400000-0x0000000000545000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2612-15-0x0000000000400000-0x0000000000545000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2828-28-0x0000000000400000-0x0000000000671000-memory.dmp
        Filesize

        2.4MB

        Download
      • memory/2828-29-0x0000000000400000-0x0000000000671000-memory.dmp
        Filesize

        2.4MB

        Download
      • memory/2876-26-0x00000000010B0000-0x00000000010C2000-memory.dmp
        Filesize

        72KB

        Download