Analysis
max time kernel: 10s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 07-12-2024 13:25
General
Target: SharkHack.exe
Size: 3.9MB
MD5: 1132637cde57bdbd23fd05694713fb94
SHA1: 1625fe2acadbc9c8a400c69e1ca7e8afd97b56eb
SHA256: 5cdc56dfe73c53516cb619f44147b0f8535ab68575a8071008ad59599d5c1cb6
SHA512: 65bd5fdb631b33964038b972d71a4d17fa8290b3a2052fd88097e66e7a3af6fa0a7f8e1cde0ebe5867c6b5e8e923f1f6143f6f9d2dc4a0770fb785238d1f130f
SSDEEP: 49152:SFnCO88whwjbAlR/6QhDEvebZVLRbjgQjzK5ppnrLn6XBSOvdsW:9hTbDzhfgQSp9LSBnvdsW
Malware Config
Signatures
- Njrat family
- Executes dropped EXE (2 IoCs)
    pid   Process
    4056  SharkHack1.exe
    5008  virus.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
    description  ioc                                                          Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  virus.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  TASKKILL.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  TASKKILL.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  SharkHack.exe
- Kills process with taskkill (2 IoCs)
    pid   Process
    1608  TASKKILL.exe
    236   TASKKILL.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
    pid   Process
    5008  virus.exe   (the same pid/process pair is reported for all 64 IoCs)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
    description              pid   Process
    Token: SeDebugPrivilege  5008  virus.exe
    Token: SeDebugPrivilege  236   TASKKILL.exe
    Token: SeDebugPrivilege  1608  TASKKILL.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
    description                        pid   Process        procid_target
    PID 1900 wrote to memory of 4056   1900  SharkHack.exe  77
    PID 1900 wrote to memory of 4056   1900  SharkHack.exe  77
    PID 1900 wrote to memory of 5008   1900  SharkHack.exe  78
    PID 1900 wrote to memory of 5008   1900  SharkHack.exe  78
    PID 1900 wrote to memory of 5008   1900  SharkHack.exe  78
    PID 5008 wrote to memory of 236    5008  virus.exe      79
    PID 5008 wrote to memory of 236    5008  virus.exe      79
    PID 5008 wrote to memory of 236    5008  virus.exe      79
    PID 5008 wrote to memory of 1608   5008  virus.exe      80
    PID 5008 wrote to memory of 1608   5008  virus.exe      80
    PID 5008 wrote to memory of 1608   5008  virus.exe      80
Processes
- C:\Users\Admin\AppData\Local\Temp\SharkHack.exe  (PID:1900)
  command line: "C:\Users\Admin\AppData\Local\Temp\SharkHack.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\SharkHack1.exe  (PID:4056)
    command line: "C:\Users\Admin\AppData\Local\Temp\SharkHack1.exe"
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\virus.exe  (PID:5008)
    command line: "C:\Users\Admin\AppData\Local\Temp\virus.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\TASKKILL.exe  (PID:236)
      command line: TASKKILL /F /IM wscript.exe
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\TASKKILL.exe  (PID:1608)
      command line: TASKKILL /F /IM cmd.exe
      - System Location Discovery: System Language Discovery
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.8MB
  MD5: 7751bb858985d66226a941ace018c503
  SHA1: 362db42327e8d1816ad81d5a091cefca22369905
  SHA256: e657bb5a0896c58b62b928e59f68273182ee37105fb1068687dde462193e7fe4
  SHA512: 0bb79e1bf67853ef5138ede1d90080181432b77ba02577d186013524ad5b1fc269e0a796bc367706a309bb4217881312c94afaac6c7ce6b4013af18d438e0d87
- Filesize: 65KB
  MD5: fc84d53be6875a39382eea9adb353c67
  SHA1: a96e17f51749b8fd32d913bf925e733149628c43
  SHA256: 7a65e04266f22e0d68e02c6b557d22ba08c3b89d64eb5296a91e2c45e72e4203
  SHA512: 2b63bf65d9aa0922a163c4aaf0d8751d366020661695a255d78b8988e55308f0f0eac75c1781f878ae57c10b1bb1eb42b18559a8c85a464effcfab14c65ac8b1