Analysis

max time kernel: 94s
max time network: 96s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 10-06-2024 21:14
Behavioral tasks
behavioral1: sample Fixer.exe, resource win7-20231129-en
behavioral2: sample Fixer.exe, resource win10v2004-20240508-en

(The signatures, process tree and downloads below are from behavioral1, the Windows 7 x64 run named in the header.)
General

Target: Fixer.exe
Size: 43KB
MD5: e947d466ee6ac91e0a4b135ab4eef44d
SHA1: eb91b570a8e029ee687eb7d8ddf06dd6c21a36d8
SHA256: 602dbf0a589f145df09cd667836acd3ab2100e44793344fd1bb1147d9c3d4343
SHA512: 9d7807137a503bd38c21eb129a8838d959b2c5c9c6153a57175af3b8d7b00d9567fbbbf330bf215ce3f54bd01a9a61c6cdbfb94a0e090393774901f015bbd96b
SSDEEP: 384:0rZyZ7lwZ28bk8yi6p8lOXBEBxdfZazoIij+ZsNO3PlpJKkkjh/TzF7pWn//gre7:0FmGvbk5ioEEenyuXQ/oC/+L
Malware Config

Extracted family: njrat
Version: Njrat 0.7 Golden By Hassan Amiri
Botnet: HacKed
C2: listing-trackbacks.gl.at.ply.gg:15337
Mutex (the field label did not survive extraction; inferred from the position this value occupies in Triage's njRAT config layout): Windows Update
reg_key: Windows Update
splitter: |Hassan|

Two points for a responder. The C2 host is a *.gl.at.ply.gg name, i.e. a playit.gg tunnel endpoint, so the hostname and port identify a relay rather than the operator's own server: block the indicator, but do not expect it to resolve to attributable infrastructure. The splitter |Hassan| replaces njRAT's stock |'|'| field separator, so any network signature keyed on the default separator will miss this build; match on the length-prefixed framing and on this splitter instead. The reg_key value "Windows Update" is the name of the Run value the sample writes (see the Run key signature below).
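The splitter and botnet id only make sense against njRAT's wire format. As an added example (not part of this report and not njRAT's or Triage's code), the Python below frames and splits messages the way public njRAT analyses describe the protocol: each message is an ASCII decimal length, a NUL byte, then the payload, and payload fields are joined with the configured splitter. That framing is an assumption taken from those write-ups; the registration-style sample message is constructed (the report contains no traffic, and "ll" as a command name is illustrative); the function names are mine.

```python
# Added example for this report; not Triage's or njRAT's code. Framing
# ("<decimal length>\x00<payload>", fields joined by the splitter) follows
# public njRAT write-ups and is an assumption here; the sample stream below is
# constructed, since the report contains no captured traffic.

SPLITTER = b"|Hassan|"   # splitter from the extracted config
BOTNET_ID = b"HacKed"    # botnet id from the extracted config


def split_frames(buf: bytes):
    """Return (complete_payloads, leftover) for a buffer of TCP stream data.

    Two failure modes are handled: a frame that has not fully arrived yet is
    left in `leftover` for the next read, and data whose prefix is not a
    decimal length raises ValueError so the caller can drop the connection
    instead of waiting forever for a frame that will never complete.
    """
    frames = []
    pos = 0
    while pos < len(buf):
        nul = buf.find(b"\x00", pos)
        if nul == -1:
            break                                  # length prefix still incomplete
        length_bytes = buf[pos:nul]
        if not length_bytes.isdigit() or len(length_bytes) > 10:
            raise ValueError("not an njRAT frame: bad length prefix %r" % length_bytes)
        start = nul + 1
        end = start + int(length_bytes)
        if end > len(buf):
            break                                  # payload still incomplete
        frames.append(buf[start:end])
        pos = end
    return frames, buf[pos:]


def parse_message(payload: bytes, splitter: bytes = SPLITTER):
    """Split one payload into (command, [fields]) on the configured splitter."""
    parts = payload.split(splitter)
    command = parts[0].decode("latin-1")
    fields = [p.decode("latin-1", "replace") for p in parts[1:]]
    return command, fields


def encode_message(command: bytes, fields, splitter: bytes = SPLITTER) -> bytes:
    """Inverse of parse_message; used here only to build self-consistent sample traffic."""
    payload = splitter.join([command] + list(fields))
    return str(len(payload)).encode("ascii") + b"\x00" + payload


# Constructed stream: a registration-style message whose field layout is
# illustrative (hostname and user name taken from the sandbox run), followed by
# a one-letter keepalive. Not captured traffic.
SAMPLE_STREAM = (
    encode_message(b"ll", [BOTNET_ID + b"_0123ABCD", b"SCFGBRBT", b"Admin", b"Win7", b"0.7"])
    + encode_message(b"P", [])
)


def demo():
    """Deliver the stream in two reads; the second read completes the first frame."""
    chunk_a, chunk_b = SAMPLE_STREAM[:20], SAMPLE_STREAM[20:]
    frames, leftover = split_frames(chunk_a)       # nothing complete yet
    assert frames == [] and leftover == chunk_a
    frames, leftover = split_frames(leftover + chunk_b)
    assert leftover == b""
    return [parse_message(f) for f in frames]


if __name__ == "__main__":
    for command, fields in demo():
        print(command, fields)
```

A decoder shaped like this can be pointed at the reassembled TCP payload to or from port 15337 in a capture. Because the splitter is per-build, keep it a parameter rather than hard-coding njRAT's default; the same parser then covers both this sample and stock 0.7d traffic.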
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
  In this run the ModiLoader match is on the memory of pid 2612, one of the executables dropped by the njRAT sample (see ModiLoader Second Stage below), not on Fixer.exe itself.

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str) by .exe: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\.exe"
  Replacing Winlogon\Shell in the user hive makes the dropped file, rather than explorer.exe, the user's shell at the next logon; restoring the value to explorer.exe is part of cleanup.

ModiLoader Second Stage (1 IoC)
  YARA rule modiloader_stage2 matched behavioral1/memory/2612-17-0x0000000000400000-0x0000000000545000-memory.dmp (the in-memory image of the first dropped .exe, pid 2612).

Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  Key created by explorer.exe: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Active Setup\Installed Components
  This hit is attributed to explorer.exe, not to the sample. Active Setup keys under the user hive are also created during normal logon processing, so treat it as low confidence on its own.

Packer (1 IoC)
  YARA rule aspack_v212_v242 (ASPack 2.12-2.42) matched \Users\Admin\AppData\Local\Temp\.exe.
Drops startup file (2 IoCs)
  Fixer.exe: File created, then opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe

Executes dropped EXE (4 IoCs)
  pid 2612 .exe, pid 2828 .exe, pid 2876 Server.exe, pid 1304 .exe

Loads dropped DLL (3 IoCs)
  pid 756 Fixer.exe (three loads)

Adds Run key to start application (2 TTPs, 3 IoCs)
  Set value (str) by Fixer.exe: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Fixer.exe\" .."
  Set value (str) by Fixer.exe: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Fixer.exe\" .."
  Set value (str) by .exe: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\userini = "C:\\Users\\Admin\\AppData\\Local\\Temp\\.exe"
  The value name "Windows Update" is the reg_key from the extracted config, and the trailing " .." argument is characteristic of njRAT's autorun entry; both are usable as registry signatures. The HKLM entry lands under Wow6432Node because the sample is a 32-bit process, and it succeeded presumably because the sandbox runs the sample as the Admin user; on a standard user account only the HKCU entries would be written. The RunOnce\userini entry comes from the dropped .exe (pid 1304), not from Fixer.exe.
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  .exe (pid 1304, the child that also carries the Winlogon and RunOnce changes): File opened for modification \??\PhysicalDrive0
  The signature fires on a write-capable handle to the raw disk. The report does not show what, if anything, was written, so confirm by comparing sector 0 of the VM disk before and after the run before classifying this as a bootkit.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  The task is the schtasks /create /sc minute /mo 1 /tn Server /tr ... line in the process tree below; the Task Scheduler engine (taskeng.exe) is then seen launching Server.exe.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1304 .exe (64 repeated hits)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 756 Fixer.exe

Suspicious use of AdjustPrivilegeToken (20 IoCs)
  pid 756 Fixer.exe: SeDebugPrivilege once, then privilege LUID 33 (SeIncreaseWorkingSetPrivilege) and SeIncBasePriorityPrivilege alternating, nine times each
  pid 1304 .exe: SeShutdownPrivilege
  SeDebugPrivilege lets Fixer.exe open handles to processes it does not own, which njRAT's process-manager feature needs. SeShutdownPrivilege in pid 1304, taken together with the raw-disk handle above and the LogonUI.exe launches at the end of the process tree, would be consistent with a restart being initiated after the disk write; the report does not show the outcome.

Suspicious use of FindShellTrayWindow (64 IoCs)
  pid 1304 .exe (64 repeated hits)

Suspicious use of SetWindowsHookEx (1 IoC)
  pid 2828 .exe

Suspicious use of WriteProcessMemory (20 IoCs)
  Each parent-to-child entry appears four times in the report; deduplicated, in order:
  pid 756 Fixer.exe -> pid 2336 schtasks.exe
  pid 756 Fixer.exe -> pid 2612 .exe
  pid 756 Fixer.exe -> pid 2828 .exe
  pid 3000 taskeng.exe -> pid 2876 Server.exe
  pid 756 Fixer.exe -> pid 1304 .exe
Processes

C:\Users\Admin\AppData\Local\Temp\Fixer.exe  (pid 756, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\Fixer.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe  (pid 2336, level 2)
    command line: schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\.exe  (pid 2612, level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\.exe"
    - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\.exe  (pid 2828, level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\.exe  (pid 1304, level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\.exe"
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

C:\Windows\system32\taskeng.exe  (pid 3000, level 1)
  command line: taskeng.exe {E9D671EE-9F79-418E-90DA-0FA9A114513F} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Server.exe  (pid 2876, level 2)
    command line: C:\Users\Admin\AppData\Local\Temp/Server.exe
    - Executes dropped EXE

C:\Windows\explorer.exe  (level 1)
  command line: explorer.exe
  - Modifies Installed Components in the registry

C:\Windows\system32\LogonUI.exe  (level 1)
  command line: "LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe  (level 1)
  command line: "LogonUI.exe" /flags:0x1

Notes on the tree. The pids are taken from the WriteProcessMemory entries above; the tree itself only shows nesting and launch order. The three level-2 children displayed as .exe are three different files (the Downloads section lists 699KB, 2.4MB and 436KB files under that same displayed path), so the file name as rendered is not a reliable indicator and the hashes are what to pivot on. Server.exe is launched by the Task Scheduler engine (taskeng.exe) rather than by Fixer.exe, which is why it sits under a separate top-level node; per the Downloads section it is byte-for-byte the submitted Fixer.exe, so the one-minute task simply relaunches the RAT if it is killed. The /tr argument uses a forward slash before Server.exe; Windows accepted it (the task ran), and the mixed-separator string is a cheap command-line signature. The two LogonUI.exe launches, alongside pid 1304 enabling SeShutdownPrivilege, are consistent with a logoff or restart being initiated near the end of the run; the report does not show whether it completed.
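The persistence and raw-disk indicators in the Signatures section are the ones worth turning into detections, because they do not depend on the dropped file name (unreliable here) or on hashes (trivially changed). The Python below is an added example, not part of the Triage report: it runs six simple rules over constructed Sysmon-style events whose values are the IoCs shown on this page. The event schema is a loose imitation of Sysmon (EventID 13 registry value set, 11 file create, 1 process create) and is an assumption, not a real SIEM format; the raw-drive open is modelled as a file event on \??\PhysicalDrive0, mirroring the report's wording. Field names, rule names and the benign control event are mine.

```python
import re

# Added example for this report; not Triage's or njRAT's code. The event schema
# (EventID 1 = process create, 11 = file create, 13 = registry value set) is a
# loose Sysmon imitation and an assumption, not a specific SIEM's format.

SID = "S-1-5-21-3627615824-4061627003-3019543961-1000"   # user SID from the report
HKU = "HKU\\" + SID
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed events: values are the IoCs shown on this page, plus one benign
# control at the end (explorer.exe as the Winlogon shell) that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": TEMP + r"\Fixer.exe",
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update",
     "Details": '"' + TEMP + '\\Fixer.exe" ..'},
    {"EventID": 13, "Image": TEMP + r"\.exe",
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\userini",
     "Details": TEMP + r"\.exe"},
    {"EventID": 13, "Image": TEMP + r"\.exe",
     "TargetObject": HKU + r"\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": TEMP + r"\.exe"},
    {"EventID": 11, "Image": TEMP + r"\Fixer.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\schtasks.exe", "ParentImage": TEMP + r"\Fixer.exe",
     "CommandLine": r"schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe"},
    {"EventID": 11, "Image": TEMP + r"\.exe", "TargetFilename": r"\??\PhysicalDrive0"},   # modelled raw-disk open
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",                                  # benign control
     "TargetObject": HKU + r"\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": "explorer.exe"},
]

USER_WRITABLE = re.compile(r"\\(AppData\\(Local|Roaming)|Users\\Public|ProgramData)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
WINLOGON_SHELL = re.compile(r"\\Winlogon\\Shell$", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RAW_DISK = re.compile(r"^(\\\?\?|\\\\\.)\\PhysicalDrive\d+$", re.I)
SCHTASKS_MINUTE = re.compile(r"/sc\s+minute\b", re.I)


def classify(ev):
    """Return the rule names one event triggers (empty list if none)."""
    hits = []
    eid = ev["EventID"]
    if eid == 13:
        key, data = ev["TargetObject"], ev.get("Details", "")
        if RUN_KEY.search(key) and USER_WRITABLE.search(data):
            hits.append("autorun_from_user_writable_path")
        if RUN_KEY.search(key) and data.rstrip().endswith(" .."):
            # the trailing " .." argument is characteristic of njRAT's autorun value
            hits.append("njrat_style_run_value")
        if WINLOGON_SHELL.search(key) and data.strip().lower() not in ("explorer.exe", ""):
            hits.append("winlogon_shell_replaced")
    elif eid == 11:
        path = ev["TargetFilename"]
        if STARTUP_DIR.search(path):
            hits.append("startup_folder_drop")
        if RAW_DISK.match(path):
            hits.append("raw_physical_drive_open")
    elif eid == 1:
        cmd = ev.get("CommandLine", "")
        if (ev["Image"].lower().endswith("\\schtasks.exe")
                and SCHTASKS_MINUTE.search(cmd) and USER_WRITABLE.search(cmd)):
            hits.append("scheduled_task_minute_user_writable")
    return hits


def triage(events):
    """Group every hit as rule -> [(image, indicator), ...]."""
    out = {}
    for ev in events:
        indicator = ev.get("TargetObject") or ev.get("TargetFilename") or ev.get("CommandLine")
        for rule in classify(ev):
            out.setdefault(rule, []).append((ev["Image"], indicator))
    return out


if __name__ == "__main__":
    for rule, hits in sorted(triage(SAMPLE_EVENTS).items()):
        print(rule)
        for image, indicator in hits:
            print("   ", image, "->", indicator)
```

The rules are deliberately generic (any autorun pointing into a user-writable directory, any non-explorer Winlogon shell, any minute-interval task running from such a directory) so they survive a rebuild with different names; only njrat_style_run_value is family-specific. Expect autorun_from_user_writable_path to be noisy on hosts with per-user installers, and tune it on the image path rather than switching it off.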
Network

(no network entries are shown in this report; the C2 from the extracted config is listing-trackbacks.gl.at.ply.gg:15337)
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
  Pre-OS Boot (1)
    Bootkit (1)
  Scheduled Task/Job (1)
Downloads

C:\Users\Admin\AppData\Local\Temp\Server.exe
  Filesize: 43KB
  MD5: e947d466ee6ac91e0a4b135ab4eef44d
  SHA1: eb91b570a8e029ee687eb7d8ddf06dd6c21a36d8
  SHA256: 602dbf0a589f145df09cd667836acd3ab2100e44793344fd1bb1147d9c3d4343
  SHA512: 9d7807137a503bd38c21eb129a8838d959b2c5c9c6153a57175af3b8d7b00d9567fbbbf330bf215ce3f54bd01a9a61c6cdbfb94a0e090393774901f015bbd96b
  Same size and hashes as the submitted Fixer.exe: the scheduled task relaunches a copy of the sample itself.

\Users\Admin\AppData\Local\Temp\.exe
  Filesize: 699KB
  MD5: 81dd862410af80c9d2717af912778332
  SHA1: 8f1df476f58441db5973ccfdc211c8680808ffe1
  SHA256: 60e76eda46185d1d2e9463d15e31d4c87eb03535d368cc3471c55992bc99ad5f
  SHA512: 8dd014b91fb1e2122d2e4da444db78dd551513c500d447bb1e94ceb7f2f8d45223a8a706e2156102f8c8850d2bb02ae6b8ea0c9282abd7baaa2c84130112af15
  ASPack-packed per the YARA match above. The 1.3MB image dumped from pid 2612 at 0x400000-0x545000, which matched modiloader_stage2, is consistent with this file unpacked in memory.

\Users\Admin\AppData\Local\Temp\.exe
  Filesize: 2.4MB
  MD5: 9729d33f5cc788e9c1930bcc968acffa
  SHA1: 68c662875f7b805dd6f246919d406c8d92158073
  SHA256: 3711a334cb3c6e2a92461067f2d7db2946e9b139f1517b214bc929ba42a86aae
  SHA512: af12beee6da79e5498eb292eb4a122667bf5dcdf840def97a5476adb31e0701a2aa0585b4266547bb4307c3524c7f9733dbf32f2a87c87b33fadb4bb1ecd0c3f
  Consistent with the 2.4MB image dumped from pid 2828 at 0x400000-0x671000.

\Users\Admin\AppData\Local\Temp\.exe
  Filesize: 436KB
  MD5: a9d32c2ea6c4957e4bfef9fb0dabd8d8
  SHA1: 5dac99e3da8846602382c57a3fc24ccc4613ea20
  SHA256: d167d7de10c0a15976d2877b5ce0bae62f1c9825e07880c58a1a3e01d2126144
  SHA512: b88f6707dda39ea2c509e6ae050339c054648fa0dd5d5385b53bb75f7f3a3feacdf69f580796701d7cc45e779456da4205f466352779ab0a0616581c7615b31e
  Consistent with the 464KB image dumped from pid 1304 at 0x400000-0x474000.

All three dropped executables are listed under the same displayed path; the basename as rendered is unreliable (most likely non-printable or stripped characters), so use the hashes, not the name, as indicators.

Memory dumps
  pid 756 (Fixer.exe):
    memory/756-0 and memory/756-5: 0x0000000074E7E000-0x0000000074E7F000 (4KB)
    memory/756-1: 0x00000000003D0000-0x00000000003E2000 (72KB)
    memory/756-2, memory/756-6 and memory/756-38: 0x0000000074E70000-0x000000007555E000 (6.9MB)
    memory/756-7: 0x0000000001D90000-0x0000000001D9A000 (40KB)
    memory/756-14 and memory/756-27: 0x0000000006B40000-0x0000000006C85000 (1.3MB)
  pid 1304 (.exe):
    memory/1304-36 and memory/1304-37: 0x0000000000400000-0x0000000000474000 (464KB)
  pid 2612 (.exe):
    memory/2612-15 and memory/2612-17: 0x0000000000400000-0x0000000000545000 (1.3MB)
  pid 2828 (.exe):
    memory/2828-28 and memory/2828-29: 0x0000000000400000-0x0000000000671000 (2.4MB)
  pid 2876 (Server.exe):
    memory/2876-26: 0x00000000010B0000-0x00000000010C2000 (72KB)
  The 72KB image in pid 2876 matches the 72KB image at memory/756-1 in Fixer.exe, as expected for two runs of the same binary.