Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted
19-10-2024 02:21
Static task
static1
Behavioral task
behavioral1
Sample
b44b1273d8b923127c0f5279cb143abf156cda0b03d083f8424c54ec4bbb7223.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
b44b1273d8b923127c0f5279cb143abf156cda0b03d083f8424c54ec4bbb7223.exe
Resource
win10v2004-20241007-en
General
-
Target
b44b1273d8b923127c0f5279cb143abf156cda0b03d083f8424c54ec4bbb7223.exe
-
Size
39KB
-
MD5
5a6e0971a54847d4cecc16bf7fa44bca
-
SHA1
b0b5d4f2cfe7a64addb17796ba41353c57a57f91
-
SHA256
b44b1273d8b923127c0f5279cb143abf156cda0b03d083f8424c54ec4bbb7223
-
SHA512
90362f72a78c257eba31a9bc5089d02db626a985f78d5ec8f97dadd743ef4c2b9fc434f318faea27d0e41e03cddeec94536f5bcd29a1ff77f14fe2d44a8b823e
-
SSDEEP
768:VvAl92nMe/UYPlfk4l3QYp6LxybXDIAfjP/m/NyE3NSTM8udmmBDnu:i4DzPlfk4JQm6L47BfbIyzM8udmmFu
Malware Config
Extracted
Family
njrat
Version
Platinum
Botnet
uzbek
C2
127.0.0.1:14026
Mutex
yzbekt.exe
Attributes
-
reg_key
yzbekt.exe
-
splitter
|Ghost|
Note: the page lists the Version, Botnet and Mutex values without field names; the labels above follow the usual layout of an extracted njrat config. The C2 host is a loopback address, so 127.0.0.1 is not a usable network indicator. The network signature below records repeated lookups of 0.tcp.eu.ngrok.io, which indicates the operator exposes the listener through an ngrok TCP tunnel; the port (14026) and the reg_key and splitter attributes are the values worth pivoting on.
Signatures
-
Deletes itself (1 IoC)
PID 2864 cmd.exe
-
Executes dropped EXE (1 IoC)
PID 2244 yzbekt.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\yzbekt.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\yzbekt.exe\" .." (process: yzbekt.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yzbekt.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\yzbekt.exe\" .." (process: yzbekt.exe)
The dropped copy registers itself in both the per-user (HKCU) and machine-wide (HKLM) Run keys. The HKLM write succeeding shows the sample ran with administrative rights in this environment; on a standard-user host only the HKCU entry would be created. The trailing " .." argument after the quoted path is characteristic of njRAT's Run entry and is a useful hunt string.
-
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 5 IoCs)
flows 2, 6, 36, 65, 68: 0.tcp.eu.ngrok.io
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
All 64 entries are PID 2244 yzbekt.exe.
-
Suspicious use of AdjustPrivilegeToken (35 IoCs)
PID 2244 yzbekt.exe enables SeDebugPrivilege once, then alternates Token 33 and SeIncBasePriorityPrivilege for the remaining 34 entries. Privilege LUID 33, which the report leaves unresolved, is SeIncreaseWorkingSetPrivilege.
-
Suspicious use of WriteProcessMemory (9 IoCs)
PID 2868 (b44b1273d8b923127c0f5279cb143abf156cda0b03d083f8424c54ec4bbb7223.exe) wrote to memory of 2244, procid_target 30 (three entries)
PID 2868 (b44b1273d8b923127c0f5279cb143abf156cda0b03d083f8424c54ec4bbb7223.exe) wrote to memory of 2864, procid_target 31 (three entries)
PID 2864 (cmd.exe) wrote to memory of 2912, procid_target 33 (three entries)
Each triple accompanies the creation of the corresponding child process in the process tree below; these are parent-to-child writes at process start, not evidence of injection into an unrelated process.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b44b1273d8b923127c0f5279cb143abf156cda0b03d083f8424c54ec4bbb7223.exe (depth 1)
"C:\Users\Admin\AppData\Local\Temp\b44b1273d8b923127c0f5279cb143abf156cda0b03d083f8424c54ec4bbb7223.exe"
- Suspicious use of WriteProcessMemory
PID:2868
-
  C:\Users\Admin\AppData\Roaming\yzbekt.exe (depth 2)
  "C:\Users\Admin\AppData\Roaming\yzbekt.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
  -
  C:\Windows\System32\cmd.exe (depth 2)
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\b44b1273d8b923127c0f5279cb143abf156cda0b03d083f8424c54ec4bbb7223.exe"
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2864
  -
    C:\Windows\system32\choice.exe (depth 3)
    choice /C Y /N /D Y /T 5
    PID:2912
-
The dropper starts its copy from AppData\Roaming, then spawns a cmd.exe whose only job is to wait and delete the original: choice with a default answer (/D Y) and a 5-second timeout (/T 5) stands in for a sleep, after which Del removes the file from Temp. On an infected host the Temp copy will therefore be gone; the artefact to collect, and the target of both Run keys, is C:\Users\Admin\AppData\Roaming\yzbekt.exe.
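As an added example (not part of the sandbox report and not the sample's own code), the following Python implements the three checks a responder would pull out of this report: a Run value shaped like njRAT's persistence entry (quoted path followed by " .."), the choice-based self-delete command line, and a loopback C2 in the extracted config combined with ngrok tunnel lookups on the wire. The sample events are constructed from the values above; the OneDrive Run entry and the time.windows.com lookup are made-up benign noise for contrast.

```python
import re
from ipaddress import ip_address
from typing import Dict, List, Optional

# --- Constructed sample events, modelled on the report above ---------------
# The yzbekt.exe entries reproduce the report's values; the OneDrive entry and
# the time.windows.com lookup are made-up benign noise for contrast.
SAMPLE_RUN_VALUES = {
    r"\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000"
    r"\Software\Microsoft\Windows\CurrentVersion\Run\yzbekt.exe":
        r'"C:\Users\Admin\AppData\Roaming\yzbekt.exe" ..',
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yzbekt.exe":
        r'"C:\Users\Admin\AppData\Roaming\yzbekt.exe" ..',
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
}
SAMPLE_CMDLINE = (
    r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del '
    r'"C:\Users\Admin\AppData\Local\Temp\b44b1273d8b923127c0f5279cb143abf156cda0b03d083f8424c54ec4bbb7223.exe"'
)
SAMPLE_CONFIG_C2 = "127.0.0.1:14026"
SAMPLE_DNS = ["0.tcp.eu.ngrok.io", "time.windows.com", "0.tcp.eu.ngrok.io"]

# njRAT writes its Run value as a quoted executable path followed by " .."
NJRAT_RUN_RE = re.compile(r'^"(?P<path>[^"]+\.exe)"\s+\.\.$', re.IGNORECASE)


def classify_run_value(key: str, data: str) -> Optional[Dict[str, str]]:
    """Return hive, value name and path for an njRAT-shaped Run value, else None."""
    m = NJRAT_RUN_RE.match(data.strip())
    if not m:
        return None
    hive = "HKLM" if key.upper().startswith(r"\REGISTRY\MACHINE") else "HKCU"
    return {"hive": hive, "value_name": key.rsplit("\\", 1)[-1], "path": m.group("path")}


# cmd.exe /C choice /C Y /N /D Y /T <n> & Del "<path>": choice with a default
# answer and a timeout acts as a sleep, then Del removes the original dropper.
SELF_DELETE_RE = re.compile(
    r'choice\s+/C\s+\w+\s+/N\s+/D\s+\w+\s+/T\s+(?P<delay>\d+)\s*&\s*del\s+"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)


def parse_self_delete(cmdline: str) -> Optional[Dict[str, object]]:
    """Return the delay and the deleted path for a choice-based self-delete, else None."""
    m = SELF_DELETE_RE.search(cmdline)
    if not m:
        return None
    return {"delay_seconds": int(m.group("delay")), "deleted_path": m.group("target")}


# ngrok tunnel hostnames; N.tcp.<region>.ngrok.io is the TCP-tunnel form seen above.
TUNNEL_HOST_RE = re.compile(r"\.(ngrok\.io|ngrok-free\.app)$", re.IGNORECASE)


def assess_c2(config_c2: str, dns_queries: List[str]) -> Dict[str, object]:
    """Decide whether the configured C2 is a usable indicator or an ngrok-fronted listener."""
    host, _, port = config_c2.rpartition(":")
    try:
        loopback = ip_address(host).is_loopback
    except ValueError:  # hostname rather than an IP literal
        loopback = False
    tunnel_hosts = sorted({q for q in dns_queries if TUNNEL_HOST_RE.search(q)})
    return {
        "config_host": host,
        "port": int(port),
        "config_host_is_loopback": loopback,
        "tunnel_hosts": tunnel_hosts,
        # Loopback in the config plus tunnel lookups on the wire: the operator
        # fronts the listener with ngrok, so pivot on the port, not the IP.
        "likely_tunnelled": loopback and bool(tunnel_hosts),
    }


def triage(run_values: Dict[str, str], cmdlines: List[str],
           config_c2: str, dns_queries: List[str]) -> List[str]:
    """Collect one finding string per detection for a quick report."""
    findings = []
    for key, data in run_values.items():
        hit = classify_run_value(key, data)
        if hit:
            findings.append(f"persistence: {hit['hive']} Run\\{hit['value_name']} -> {hit['path']}")
    for cl in cmdlines:
        sd = parse_self_delete(cl)
        if sd:
            findings.append(f"self-delete after {sd['delay_seconds']}s: {sd['deleted_path']}")
    c2 = assess_c2(config_c2, dns_queries)
    if c2["likely_tunnelled"]:
        findings.append(f"c2: loopback in config, tunnelled via "
                        f"{', '.join(c2['tunnel_hosts'])} (port {c2['port']})")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_RUN_VALUES, [SAMPLE_CMDLINE], SAMPLE_CONFIG_C2, SAMPLE_DNS):
        print(line)
```

Feeding real data in means replacing the constructed dictionaries with the Run values exported from the host (HKCU and HKLM) and the command lines and DNS queries from EDR or Sysmon telemetry; the regexes deliberately key on the " .." argument and the choice/Del pairing rather than on the file name, which the operator can change per build.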
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
39KB
MD5
5a6e0971a54847d4cecc16bf7fa44bca
SHA1
b0b5d4f2cfe7a64addb17796ba41353c57a57f91
SHA256
b44b1273d8b923127c0f5279cb143abf156cda0b03d083f8424c54ec4bbb7223
SHA512
90362f72a78c257eba31a9bc5089d02db626a985f78d5ec8f97dadd743ef4c2b9fc434f318faea27d0e41e03cddeec94536f5bcd29a1ff77f14fe2d44a8b823e