Analysis
- max time kernel: 149s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 11-11-2024 18:41
Behavioral task: behavioral1
- Sample: crack.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: crack.exe
- Resource: win10v2004-20241007-en
General
- Target: crack.exe
- Size: 7.9MB
- MD5: 5c176f78c411c199ca2ec02c5b402810
- SHA1: a268ccc95b620b1078602c6d6d3447ff3d8874ed
- SHA256: 8287887f1bf68c8328323d6d2ff0c28e94d43f5668c78dd33f2f0ca651c21338
- SHA512: ae33004a339422c90f9ea52111804c323499b9cc516584cc54545245c6a8022d80c92ac206ba30dfa07acc932f8ab792164acd1eaff2670092c4a84fd1f88554
- SSDEEP: 196608:kivKUcQItzA1HeT39Iigwh1ncKOVVtk7KsUnijQFv4F:HDcvC1+TtIiFv0VQhgW/
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: 7cpanel.hackcrack.io:46143
- Mutex: Windows Explorer
- reg_key: Windows Explorer
- splitter: |'|'|
Signatures
- Njrat family
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid | Process
  2136 | netsh.exe
- Executes dropped EXE (7 IoCs)
  pid | Process
  2760 | Setup.exe
  2692 | Setup.exe
  2824 | DudeCracker V5 .exe
  1332 | svchost.exe
  2148 | DudeCracker V5 .exe
  2224 | explorer.exe
  320 | explorer.exe
- Loads dropped DLL (4 IoCs)
  pid | Process
  3068 | crack.exe
  2856 | Process not Found
  2824 | DudeCracker V5 .exe
  2148 | DudeCracker V5 .exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe" | Setup.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svchost.exe" | Setup.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ." | explorer.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" ." | explorer.exe
- Detects Pyinstaller (1 IoC)
  resource | yara_rule
  behavioral1/files/0x0008000000016a66-24.dat | pyinstaller
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
- Suspicious use of AdjustPrivilegeToken (29 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 320 | explorer.exe
  Token: 33 | 320 | explorer.exe (14 occurrences, alternating with the next entry)
  Token: SeIncBasePriorityPrivilege | 320 | explorer.exe (14 occurrences)
- Suspicious use of WriteProcessMemory (24 IoCs; each entry below is recorded 3 times)
  description | pid | Process | procid_target
  PID 3068 wrote to memory of 2760 | 3068 | crack.exe | 30
  PID 3068 wrote to memory of 2692 | 3068 | crack.exe | 31
  PID 3068 wrote to memory of 2824 | 3068 | crack.exe | 32
  PID 2692 wrote to memory of 1332 | 2692 | Setup.exe | 34
  PID 2824 wrote to memory of 2148 | 2824 | DudeCracker V5 .exe | 35
  PID 1332 wrote to memory of 2224 | 1332 | svchost.exe | 36
  PID 2224 wrote to memory of 320 | 2224 | explorer.exe | 37
  PID 320 wrote to memory of 2136 | 320 | explorer.exe | 38
Processes
1. C:\Users\Admin\AppData\Local\Temp\crack.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\crack.exe"
   PID: 3068
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Setup.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      PID: 2760
      - Executes dropped EXE
      - Adds Run key to start application
   2. C:\Users\Admin\AppData\Local\Temp\Setup.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      PID: 2692
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
         PID: 1332
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
            PID: 2224
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
               Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
               PID: 320
               - Executes dropped EXE
               - Adds Run key to start application
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\system32\netsh.exe
                  Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
                  PID: 2136
                  - Modifies Windows Firewall
                  - Event Triggered Execution: Netsh Helper DLL
   2. C:\Users\Admin\AppData\Local\Temp\DudeCracker V5 .exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DudeCracker V5 .exe"
      PID: 2824
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\DudeCracker V5 .exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\DudeCracker V5 .exe"
         PID: 2148
         - Executes dropped EXE
         - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Downloads
- Filesize: 375KB
  MD5: 8e4f8329f0837d6a3801dd96973a05fe
  SHA1: 7309226e370a33000c08653504f2ac5786944b2b
  SHA256: 0d8f6fc81065fc6f20ea5b9de9a85fbfffe2deb1f2055f1b304b5b0f3e99407d
  SHA512: 9df93293a5fec2a2fca0838f43b24af8347f229884fab4338f7804ef0050b0aba02235ae2368ffef7dd42640420b42f69eaf974f5107bdab0bf0a8c9b39671cc
- Filesize: 6.6MB
  MD5: d521654d889666a0bc753320f071ef60
  SHA1: 5fd9b90c5d0527e53c199f94bad540c1e0985db6
  SHA256: 21700f0bad5769a1b61ea408dc0a140ffd0a356a774c6eb0cc70e574b929d2e2
  SHA512: 7a726835423a36de80fb29ef65dfe7150bd1567cac6f3569e24d9fe091496c807556d0150456429a3d1a6fd2ed0b8ae3128ea3b8674c97f42ce7c897719d2cd3
- Filesize: 355KB
  MD5: c8d3f1f2d0fb683a5a378f734bd2ef85
  SHA1: 10b9e8b4a3f9ce416b360751e031b85345e6d461
  SHA256: a3f037fb54904ef8b1d53e587036c18c6d32bb10a3044d57f9b9eb3aa8dab1c5
  SHA512: 43badeacbf59ff4e7f1d0e19a622b935567c196cb63ac50df687167c67cd881fc372230111137ce9adb1b794c6b0828adceb156c5d6a45e49d658f793aa19ee1
- Filesize: 252KB
  MD5: e5d01a5a8cc5c5ca9a5329459814c91a
  SHA1: 00ec50ab1cdab87816ec0f3e77fa8ad00ea9c067
  SHA256: 612bbbf476228032ebab743100c98dae7f01a1dc854298cd8ece588351acb3c6
  SHA512: 2d0d0d964e9100b0586043b16f91532e0f81347ef3697dee7ab0cd90469e6c118ac58e630d9a7fe0a84f5c275440813aeede0e0c44cacf316f59cb760081ab07
- Filesize: 7.4MB
  MD5: e3e2fad51a4d21b9632fda09172195fc
  SHA1: b878a6f45b40e99f0d8bce2e34d87e0a9718cce1
  SHA256: cb390e5d5db3e7812632d3d0b7b1aabf93d3637c2c5fd680dc9efcabcdab7a6f
  SHA512: 89f6c1e836bb8dfac4715128f1b31fdd0d301b943a07b9795321e7b79a48d705fd2adc4e2a48a38b4b3379b861eea788684753da347bbf190bbd98d7a1a0a140