Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 07-12-2024 13:20
Behavioral task: behavioral1
- Sample: SharkHack.exe
- Resource: win7-20241010-en
General
- Target: SharkHack.exe
- Size: 3.9MB
- MD5: 1132637cde57bdbd23fd05694713fb94
- SHA1: 1625fe2acadbc9c8a400c69e1ca7e8afd97b56eb
- SHA256: 5cdc56dfe73c53516cb619f44147b0f8535ab68575a8071008ad59599d5c1cb6
- SHA512: 65bd5fdb631b33964038b972d71a4d17fa8290b3a2052fd88097e66e7a3af6fa0a7f8e1cde0ebe5867c6b5e8e923f1f6143f6f9d2dc4a0770fb785238d1f130f
- SSDEEP: 49152:SFnCO88whwjbAlR/6QhDEvebZVLRbjgQjzK5ppnrLn6XBSOvdsW:9hTbDzhfgQSp9LSBnvdsW
Malware Config
Extracted
- Family: njrat
- Platinum
- HacKed
- 127.0.0.1:7777
- sharkhack.exe
- reg_key: sharkhack.exe
- splitter: |Ghost|
Signatures
- Njrat family
- Drops startup file (3 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sharkhack.exe | sharkhack.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sharkhack.exe | sharkhack.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sharkhack.url | sharkhack.exe
- Executes dropped EXE (3 IoCs)
  pid | Process
  2740 | SharkHack1.exe
  2952 | virus.exe
  592 | sharkhack.exe
- Loads dropped DLL (4 IoCs)
  pid | Process
  1692 | SharkHack.exe
  1692 | SharkHack.exe
  1692 | SharkHack.exe
  2952 | virus.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\sharkhack.exe = "\"C:\\ProgramData\\sharkhack.exe\" .." | sharkhack.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sharkhack.exe = "\"C:\\ProgramData\\sharkhack.exe\" .." | sharkhack.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | virus.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TASKKILL.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TASKKILL.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sharkhack.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TASKKILL.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TASKKILL.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SharkHack.exe
- Kills process with taskkill (4 IoCs)
  pid | Process
  2848 | TASKKILL.exe
  2628 | TASKKILL.exe
  2112 | TASKKILL.exe
  2064 | TASKKILL.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2952 | virus.exe (the same entry is recorded 64 times)
- Suspicious use of AdjustPrivilegeToken (38 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2952 | virus.exe
  Token: SeDebugPrivilege | 2628 | TASKKILL.exe
  Token: SeDebugPrivilege | 2848 | TASKKILL.exe
  Token: SeDebugPrivilege | 592 | sharkhack.exe
  Token: SeDebugPrivilege | 2112 | TASKKILL.exe
  Token: SeDebugPrivilege | 2064 | TASKKILL.exe
  Token: 33 | 592 | sharkhack.exe
  Token: SeIncBasePriorityPrivilege | 592 | sharkhack.exe
  (the last two entries alternate for the remaining 32 IoCs, 16 times each)
- Suspicious use of WriteProcessMemory (28 IoCs)
  description | pid | Process | procid_target
  PID 1692 wrote to memory of 2740 | 1692 | SharkHack.exe | 30 (4 identical entries)
  PID 1692 wrote to memory of 2952 | 1692 | SharkHack.exe | 31 (4 identical entries)
  PID 2952 wrote to memory of 2848 | 2952 | virus.exe | 32 (4 identical entries)
  PID 2952 wrote to memory of 2628 | 2952 | virus.exe | 33 (4 identical entries)
  PID 2952 wrote to memory of 592 | 2952 | virus.exe | 37 (4 identical entries)
  PID 592 wrote to memory of 2112 | 592 | sharkhack.exe | 38 (4 identical entries)
  PID 592 wrote to memory of 2064 | 592 | sharkhack.exe | 39 (4 identical entries)
Processes (indentation shows the parent/child depth of each process)

C:\Users\Admin\AppData\Local\Temp\SharkHack.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SharkHack.exe"
  PID: 1692
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\SharkHack1.exe (depth 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\SharkHack1.exe"
      PID: 2740
      - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\virus.exe (depth 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\virus.exe"
      PID: 2952
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\TASKKILL.exe (depth 3)
          Command line: TASKKILL /F /IM wscript.exe
          PID: 2848
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\TASKKILL.exe (depth 3)
          Command line: TASKKILL /F /IM cmd.exe
          PID: 2628
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

        C:\ProgramData\sharkhack.exe (depth 3)
          Command line: "C:\ProgramData\sharkhack.exe"
          PID: 592
          - Drops startup file
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\TASKKILL.exe (depth 4)
              Command line: TASKKILL /F /IM wscript.exe
              PID: 2112
              - System Location Discovery: System Language Discovery
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\TASKKILL.exe (depth 4)
              Command line: TASKKILL /F /IM cmd.exe
              PID: 2064
              - System Location Discovery: System Language Discovery
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.8MB
  MD5: 7751bb858985d66226a941ace018c503
  SHA1: 362db42327e8d1816ad81d5a091cefca22369905
  SHA256: e657bb5a0896c58b62b928e59f68273182ee37105fb1068687dde462193e7fe4
  SHA512: 0bb79e1bf67853ef5138ede1d90080181432b77ba02577d186013524ad5b1fc269e0a796bc367706a309bb4217881312c94afaac6c7ce6b4013af18d438e0d87
- Filesize: 65KB
  MD5: fc84d53be6875a39382eea9adb353c67
  SHA1: a96e17f51749b8fd32d913bf925e733149628c43
  SHA256: 7a65e04266f22e0d68e02c6b557d22ba08c3b89d64eb5296a91e2c45e72e4203
  SHA512: 2b63bf65d9aa0922a163c4aaf0d8751d366020661695a255d78b8988e55308f0f0eac75c1781f878ae57c10b1bb1eb42b18559a8c85a464effcfab14c65ac8b1