Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    22-10-2024 19:54

General

  • Target

    PROTECTOR FREEE V2.0.exe

  • Size

    935KB

  • MD5

    67aeb6a710e8a683cf7e6d71e2a9fb08

  • SHA1

    d48b94c93c08d83271775f436ae1007a3f98cfd0

  • SHA256

    cf9d4ea03b78e714309ae2f55d416bb7bdacccac19cef39b9fc1fb7b4218dae8

  • SHA512

    26c6c4d26b0b10c35605b93fb31d635c1bc51034c93ab99b8e9f33dc3fea038060ed083e71eda7a476798b5649f35cfa2d57e1a60c959ec18c43a315efc4910f

  • SSDEEP

    24576:pdGDyyUEuzp/rnemeg9Hm8b0tHZWTkQ4:5nMQMK0XD/

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

تم الاختراق بواسطه احمد السيسي (Arabic: "Hacked by Ahmed El-Sisi")

C2

hakim32.ddns.net:2000

yyorqqp.ddns.net:4444

Mutex

dc8e2dde5f4470426aa15187e5670a34

Attributes
  • reg_key

    dc8e2dde5f4470426aa15187e5670a34

  • splitter

    |'|'|
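The splitter value above is what separates fields inside njRAT's C2 messages. The following parser is an added example, not part of the sandbox report: it frames a TCP stream the way njRAT 0.7d does (ASCII decimal length, a NUL byte, then the payload; a property of the family rather than something this report states), then splits each payload on the extracted splitter. The sample stream, including the "ll" beacon's field contents, is constructed for the example and is not captured traffic from this sample.

```python
"""Parse njRAT-style C2 frames that use the splitter |'|'| from the extracted config.

Added example, not part of the sandbox report. Framing assumed: "<decimal length>\x00<payload>",
with payload fields separated by SPLITTER. The sample bytes below are constructed.
"""
from dataclasses import dataclass

SPLITTER = b"|'|'|"          # value recovered by the config extractor above


@dataclass
class Frame:
    command: str             # first field, e.g. the beacon verb
    fields: list[str]        # remaining fields, semantics depend on the command


def build_frame(command: str, *fields: str) -> bytes:
    """Encode one frame: length prefix, NUL, then splitter-joined fields."""
    payload = SPLITTER.join(s.encode() for s in (command, *fields))
    return str(len(payload)).encode() + b"\x00" + payload


def parse_frames(buf: bytes) -> tuple[list[Frame], bytes]:
    """Return (complete frames, leftover bytes) from a stream buffer.

    The leftover is whatever trailing data does not yet form a whole frame, so a
    caller reassembling TCP segments can append the next chunk and call again.
    """
    frames: list[Frame] = []
    pos = 0
    while pos < len(buf):
        nul = buf.find(b"\x00", pos)
        if nul == -1:
            break                                   # length prefix incomplete
        length_text = buf[pos:nul]
        if not length_text.isdigit() or len(length_text) > 10:
            raise ValueError(f"bad length prefix at offset {pos}: {length_text!r}")
        start = nul + 1
        end = start + int(length_text)
        if end > len(buf):
            break                                   # payload truncated; wait for more
        parts = buf[start:end].split(SPLITTER)
        frames.append(Frame(parts[0].decode("utf-8", "replace"),
                            [p.decode("utf-8", "replace") for p in parts[1:]]))
        pos = end
    return frames, buf[pos:]


# Constructed sample stream (not a real capture): a beacon, a one-byte keepalive,
# and a third frame cut off mid-payload to exercise the partial-frame path.
SAMPLE_STREAM = (
    build_frame("ll", "SGVsbG8=", "DESKTOP-EXAMPLE", "Admin", "0.7d")
    + build_frame("P")
    + b"30\x00inf|'|'|partial"
)

if __name__ == "__main__":
    done, rest = parse_frames(SAMPLE_STREAM)
    for f in done:
        print(f.command, f.fields)
    print("leftover:", rest)
```

Because the splitter is a fixed string, a network signature can key on it directly; the length prefix is what lets a detector resynchronise on a stream rather than matching a single packet.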

Extracted

Family

xworm

Version

5.0

C2

yyorqqp.ddns.net:8888

Mutex

dXDhpVyLJZXEOquV

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 38 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PROTECTOR FREEE V2.0.exe
    "C:\Users\Admin\AppData\Local\Temp\PROTECTOR FREEE V2.0.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Users\Admin\AppData\Local\WindowsSystem32.exe
      "C:\Users\Admin\AppData\Local\WindowsSystem32.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4624
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\WindowsSystem32.exe" "WindowsSystem32.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        • System Location Discovery: System Language Discovery
        PID:3156
    • C:\Users\Admin\AppData\Local\Windows Explorer.exe
      "C:\Users\Admin\AppData\Local\Windows Explorer.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:192
      • C:\Windows\SYSTEM32\cmd.exe
        cmd.exe /c copy "C:\Users\Admin\AppData\Local\Windows Explorer.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Explorer.exe"
        3⤵
        • Drops startup file
        PID:2232
    • C:\Users\Admin\AppData\Local\PROTECTOR FREEE V2.0.exe
      "C:\Users\Admin\AppData\Local\PROTECTOR FREEE V2.0.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2768
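The process tree above shows the three behaviours worth alerting on: a dropped binary named to look like a Windows component running from AppData\Local, netsh whitelisting that binary in the firewall, and cmd.exe copying a second dropped binary into the per-user Startup folder. The script below is an added example, not part of the report or of any vendor product: it runs three heuristic rules over Sysmon-style process-creation records. The record layout, the rule names and the two benign control records are this example's own; the first four command lines are copied from the Processes section.

```python
"""Flag the persistence and defence-evasion steps seen in this report's process tree.

Added example, not part of the sandbox report. Record shape, rule names and the
benign control records are constructed for the example.
"""
import re
from pathlib import PureWindowsPath

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
MASQUERADE = re.compile(r"(windows|system32|explorer|svchost)", re.I)


def tokens(command_line: str) -> list[str]:
    # A token is a run of non-space characters and/or double-quoted strings, so
    # key="value with spaces" and "C:\path with spaces.exe" stay whole; quotes are stripped.
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', command_line)]


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def rule_firewall_allow(event: dict) -> bool:
    """netsh adding a firewall allow entry for a program in a user-writable directory."""
    if PureWindowsPath(event["image"]).name.lower() != "netsh.exe":
        return False
    toks = [t.lower() for t in tokens(event["command_line"])]
    if not ("firewall" in toks and "add" in toks):
        return False
    return any(t.endswith(".exe") and in_user_writable(t) for t in toks)


def rule_startup_copy(event: dict) -> bool:
    """cmd.exe copying or moving a file into the per-user Startup folder."""
    if PureWindowsPath(event["image"]).name.lower() != "cmd.exe":
        return False
    toks = [t.lower() for t in tokens(event["command_line"])]
    return any(t in ("copy", "move", "xcopy") for t in toks) and any(STARTUP_DIR in t for t in toks)


def rule_masquerade(event: dict) -> bool:
    """Image name imitating a Windows component but running from outside C:\\Windows (heuristic)."""
    p = PureWindowsPath(event["image"])
    return bool(MASQUERADE.search(p.stem)) and not str(p).lower().startswith("c:\\windows\\")


RULES = {
    "firewall_allow_user_writable": rule_firewall_allow,
    "startup_folder_copy": rule_startup_copy,
    "masquerading_image_name": rule_masquerade,
}


def evaluate(event: dict) -> list[str]:
    return [name for name, rule in RULES.items() if rule(event)]


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map each record's pid to the rule names it triggers (empty list if clean)."""
    return {e["pid"]: evaluate(e) for e in events}


# Constructed records. The first four command lines are those in the Processes section;
# the last two are benign controls to show the rules do not fire on ordinary activity.
SAMPLE_EVENTS = [
    {"pid": 4624, "image": r"C:\Users\Admin\AppData\Local\WindowsSystem32.exe",
     "command_line": r'"C:\Users\Admin\AppData\Local\WindowsSystem32.exe"'},
    {"pid": 3156, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "command_line": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\WindowsSystem32.exe" "WindowsSystem32.exe" ENABLE'},
    {"pid": 192, "image": r"C:\Users\Admin\AppData\Local\Windows Explorer.exe",
     "command_line": r'"C:\Users\Admin\AppData\Local\Windows Explorer.exe"'},
    {"pid": 2232, "image": r"C:\Windows\SYSTEM32\cmd.exe",
     "command_line": r'cmd.exe /c copy "C:\Users\Admin\AppData\Local\Windows Explorer.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Explorer.exe"'},
    {"pid": 1000, "image": r"C:\Windows\explorer.exe", "command_line": "explorer.exe"},
    {"pid": 1001, "image": r"C:\Windows\System32\netsh.exe",
     "command_line": r'netsh advfirewall firewall add rule name="Foo" dir=in action=allow program="C:\Program Files\Foo\foo.exe"'},
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, hits or "clean")
```

The firewall rule deliberately matches both the legacy `netsh firewall add allowedprogram` form used here and the `advfirewall ... program=` form, keyed on where the whitelisted binary lives rather than on the exact syntax; the name-masquerade rule is the noisiest of the three and is best used as an enrichment on the other two rather than as a stand-alone alert.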

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\PROTECTOR FREEE V2.0.exe

    Filesize

    674KB

    MD5

    279749be495849b266f781e7498ba2fd

    SHA1

    f64091a6e1b3bb3caa6481b1abd0a42f40b3c9ca

    SHA256

    0f53c62f376c24e7ebfd9a3dd0ad0eb7ef807d69c6ef1c907c13910cbb1f341b

    SHA512

    bc0e9a6cd72084bd14c76f4a941bc9f087bca552789186ab56fd20d66a9fe1e616900f3b6f0295ddece640bd0caf2da1a2ac30521e5fdff8144e6c64ece452da

  • C:\Users\Admin\AppData\Local\Windows Explorer.exe

    Filesize

    91KB

    MD5

    c146e2119211d96accb8248a8255a0ba

    SHA1

    6e442c34fcbdd3d6c55ec478346993516818176d

    SHA256

    a22f7a9ae55c2ea75e67ad9b0b6b990a63ebef87556cb8fdf19225e1daf891b5

    SHA512

    58ebff4e41f900a11f0a2a7249124c47af341fa037f1b0acdfad2d01d91074adec753a3f419ad4a2a0a7c0dadee8a4555b060329af55554e4d8082b3a7d0ad4e

  • C:\Users\Admin\AppData\Local\WindowsSystem32.exe

    Filesize

    93KB

    MD5

    651c94b5b6efef88ac35e3fa8338c190

    SHA1

    efad5ce670d3b91a6ffd66c205682891de829a27

    SHA256

    c35d81ae8e575dced5db1c7284bd9c893406ebea0304908d84bb86535259deb7

    SHA512

    44410b13107dceb471bdbfbd4249af021ecc314058b4f11b37ea85cfc67f806781d466f3cfe6f10eac3c9ed9a38e564210c7104c5e68f63482b9c52756cdc3bb

  • memory/192-20-0x00007FF820570000-0x00007FF820F5C000-memory.dmp

    Filesize

    9.9MB

  • memory/192-31-0x00007FF820570000-0x00007FF820F5C000-memory.dmp

    Filesize

    9.9MB

  • memory/192-17-0x0000022BEEC40000-0x0000022BEEC4C000-memory.dmp

    Filesize

    48KB

  • memory/192-19-0x0000022BEEFC0000-0x0000022BEEFCE000-memory.dmp

    Filesize

    56KB

  • memory/2768-25-0x00000000051F0000-0x0000000005282000-memory.dmp

    Filesize

    584KB

  • memory/2768-22-0x0000000000810000-0x00000000008BE000-memory.dmp

    Filesize

    696KB

  • memory/2768-23-0x0000000005150000-0x00000000051EC000-memory.dmp

    Filesize

    624KB

  • memory/2768-24-0x00000000056F0000-0x0000000005BEE000-memory.dmp

    Filesize

    5.0MB

  • memory/2768-26-0x00000000050F0000-0x00000000050FA000-memory.dmp

    Filesize

    40KB

  • memory/2768-28-0x00000000053B0000-0x0000000005406000-memory.dmp

    Filesize

    344KB

  • memory/3012-0-0x00007FF820573000-0x00007FF820574000-memory.dmp

    Filesize

    4KB

  • memory/3012-1-0x00000000002A0000-0x0000000000390000-memory.dmp

    Filesize

    960KB

  • memory/4624-21-0x0000000002690000-0x00000000026A0000-memory.dmp

    Filesize

    64KB

  • memory/4624-32-0x0000000002690000-0x00000000026A0000-memory.dmp

    Filesize

    64KB