Analysis
  Max time kernel: 150s
  Max time network: 151s
  Platform: windows10-2004_x64
  Resource: win10v2004-20240802-en
  Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  Submitted: 03-09-2024 01:20

Behavioral tasks
  - behavioral1
      Sample: BO2 Destiny CRAK By Nice Tutorial.exe
      Resource: win10v2004-20240802-en
  - behavioral2
      Sample: MetroFramework.dll
      Resource: win10v2004-20240802-en
  - behavioral3
      Sample: PS3Lib.dll
      Resource: win10v2004-20240802-en
General
  Target: BO2 Destiny CRAK By Nice Tutorial.exe
  Size: 290KB
  MD5: 0334d91acae1fd486041114e1412a5c5
  SHA1: 913f48c32a9ee734475638e0830f038cfa0abd9f
  SHA256: f5d807a8dd24d15bb164528e7141f2daa80f3464e3e1f3b5088ec5829cc40f99
  SHA512: 227b3a1ef30f00d065c042d5a11c5f8c4a0f27aab4dda452a52dcd7e90b5d91584642abac0fbcdf0bdc3111cd86e4cb7f2f95e383fdbcb5699ac3747459ef192
  SSDEEP: 3072:fWqRgWra/a47L75pOOwaUOdFy8apU2sA7Po83QOM/JLt2hEdNCMJqkase0m2jobT:fm1CvxsA7PBmpt28NCxktM2job
Malware Config
  Extracted family: njrat
  Version: im523
  Botnet: HacKed
  C2: GoogleChromeServer.ddns.net:7777
  Mutex: fffdfaa66ba1e7c60e37f984374eb2b4
  reg_key: fffdfaa66ba1e7c60e37f984374eb2b4
  splitter: |'|'|
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
  Process: netsh.exe (pid 4468)

Drops startup file (2 IoCs)
  Process: BO2 Destiny CRAK By Nice Tutorial.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fffdfaa66ba1e7c60e37f984374eb2b4.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fffdfaa66ba1e7c60e37f984374eb2b4.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: BO2 Destiny CRAK By Nice Tutorial.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fffdfaa66ba1e7c60e37f984374eb2b4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\BO2 Destiny CRAK By Nice Tutorial.exe\" .."
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fffdfaa66ba1e7c60e37f984374eb2b4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\BO2 Destiny CRAK By Nice Tutorial.exe\" .."

Drops autorun.inf file (1 TTP, 5 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  Process: BO2 Destiny CRAK By Nice Tutorial.exe
  - File opened for modification: C:\autorun.inf
  - File created: D:\autorun.inf
  - File created: F:\autorun.inf
  - File opened for modification: F:\autorun.inf
  - File created: C:\autorun.inf

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Process: netsh.exe
  - Key opened: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
  - Key queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
  - Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Process: taskmgr.exe
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A

Modifies registry class (1 IoC)
  Process: taskmgr.exe
  - Key created: \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Process: BO2 Destiny CRAK By Nice Tutorial.exe (pid 1400), 64 occurrences

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: BO2 Destiny CRAK By Nice Tutorial.exe (pid 1400)

Suspicious use of AdjustPrivilegeToken (40 IoCs)
  Process: BO2 Destiny CRAK By Nice Tutorial.exe (pid 1400)
  - Token: SeDebugPrivilege
  - Token: 33 and Token: SeIncBasePriorityPrivilege, adjusted repeatedly in alternation
  Process: taskmgr.exe (pid 2604)
  - Token: SeDebugPrivilege
  - Token: SeSystemProfilePrivilege
  - Token: SeCreateGlobalPrivilege
  - Token: 33
  - Token: SeIncBasePriorityPrivilege

Suspicious use of FindShellTrayWindow (50 IoCs)
  Process: taskmgr.exe (pid 2604), 50 occurrences

Suspicious use of SendNotifyMessage (50 IoCs)
  Process: taskmgr.exe (pid 2604), 50 occurrences

Suspicious use of WriteProcessMemory (2 IoCs)
  Process: BO2 Destiny CRAK By Nice Tutorial.exe
  - PID 1400 wrote to memory of 4468 (BO2 Destiny CRAK By Nice Tutorial.exe -> netsh.exe)
  - PID 1400 wrote to memory of 4468 (BO2 Destiny CRAK By Nice Tutorial.exe -> netsh.exe)
Processes

- C:\Users\Admin\AppData\Local\Temp\BO2 Destiny CRAK By Nice Tutorial.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\BO2 Destiny CRAK By Nice Tutorial.exe"
    PID: 1400
    Signatures:
    - Drops startup file
    - Adds Run key to start application
    - Drops autorun.inf file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SYSTEM32\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\BO2 Destiny CRAK By Nice Tutorial.exe" "BO2 Destiny CRAK By Nice Tutorial.exe" ENABLE
        PID: 4468
        Signatures:
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL

- C:\Windows\System32\rundll32.exe
    Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID: 2808

- C:\Windows\system32\taskmgr.exe
    Command line: "C:\Windows\system32\taskmgr.exe" /4
    PID: 2604
    Signatures:
    - Checks SCSI registry key(s)
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15

Persistence
  - Boot or Logon Autostart Execution (1)
      - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
      - Windows Service (1)
  - Event Triggered Execution (1)
      - Netsh Helper DLL (1)

Privilege Escalation
  - Boot or Logon Autostart Execution (1)
      - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
      - Windows Service (1)
  - Event Triggered Execution (1)
      - Netsh Helper DLL (1)

Defense Evasion
  - Impair Defenses (1)
      - Disable or Modify System Firewall (1)
  - Modify Registry (1)
Downloads
  Filesize: 290KB
  MD5: 0334d91acae1fd486041114e1412a5c5
  SHA1: 913f48c32a9ee734475638e0830f038cfa0abd9f
  SHA256: f5d807a8dd24d15bb164528e7141f2daa80f3464e3e1f3b5088ec5829cc40f99
  SHA512: 227b3a1ef30f00d065c042d5a11c5f8c4a0f27aab4dda452a52dcd7e90b5d91584642abac0fbcdf0bdc3111cd86e4cb7f2f95e383fdbcb5699ac3747459ef192