Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20250207-en -
resource tags
-
submitted
04/03/2025, 03:44
General
-
Target
Pyslock.exe
-
Size
21.6MB
-
MD5
a0ffac14736ead083c36a978369b87ba
-
SHA1
8da2f697b7b65ebdf21b94c1d1f0185d1d48f3e5
-
SHA256
7dd25fd3fbb87266948a407b91285c4b07bb46f9bf26f3c1a7d2a5ed4ce9cd3b
-
SHA512
29c5cc95e51f7ef17b0df944207d6fa3e8d94f9e84bb0b6026d8a7f131e6c7287b78aac18e50f521fd064b2832a64cecc54bce83507d4cd6bd4b718347f78aeb
-
SSDEEP
393216:k6f15y6xVG+dvbs5u+5vFA3MLwCbe6q5WpsealMvjm3AjjyXHm2dj+sasBC:1FGmsQ+50MLbbe0seeB3AjjF2BksBC
Malware Config
Extracted
xworm
5.0
1VeDwfujGeaxOsgJ
-
install_file
USB.exe
Extracted
njrat
im523
MjRm MULTI
data-center.gotdns.ch:5552
0f11a0ab2753081a6848acab26509810
-
reg_key
0f11a0ab2753081a6848acab26509810
-
splitter
|'|'|
Signatures
-
Detect Xworm Payload 2 IoCs
-
Njrat family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Drops startup file 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 4 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 36 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Pyslock.exe"C:\Users\Admin\AppData\Local\Temp\Pyslock.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\CaliYox FiveM.exe"C:\Users\Admin\AppData\Roaming\CaliYox FiveM.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Host Process for Windows Tasks.exe"C:\Users\Admin\AppData\Local\Temp\Host Process for Windows Tasks.exe"2⤵
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Host Process for Windows Tasks.exe" "Host Process for Windows Tasks.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\Windows SmartScreen.exe"C:\Users\Admin\AppData\Local\Temp\Windows SmartScreen.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
71KB
MD583142242e97b8953c386f988aa694e4a
SHA1833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10
-
Filesize
36KB
MD5fcdc6964b1b17dedc0d928b488cd1b30
SHA13ac527fee49be0310a25487e07d93272a41c2ecb
SHA2563becdc468b40f9c01dcd0e06752afad251741d4294e563b0ec42bf0852a12451
SHA512b98b8a390e72fc5464be85efeebb969e72791f38db36b8273ba9638dc0e83bcf1087eaed8f4658e5a07b76f1115c1efea00156107607fe91eb4c70624ab157d9
-
Filesize
183KB
MD5109cab5505f5e065b63d01361467a83b
SHA14ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc
-
Filesize
32KB
MD5c51af2c2a47ba5716ba57939bbe28b5d
SHA13e7294cba2e81cec02b5c18db9c8e6b6fdea60a6
SHA25652055979386ff9f81bceaa8a2a2e2be3f0f78e74097bf34b7c7aa8bd0cd01033
SHA5120f0e9dcd7eb85820e4be8a19cc471b8599c1b69e2750b528e88e8fd508bd994a382f4fdd10850f74966732c6e46a48ec92c9155c1bb516a2e94de70494ade28a
-
Filesize
37.2MB
MD58cf1928b5da5ddd02dbfb2128e548547
SHA1b0a9acd8f07ee39a6c4e6fa2b620dce61cda1351
SHA256a3195171c49c7e11962fd7d4b220da141710ba6005515eed71efb55bfd699de1
SHA512c9ea29fa9d8d40628fe9b9c6aa15ca3e073f6ed692897e56a1858bb89557d30f3b964b3107c357de34d71a9ac58037463bb462d6e7b900e58cc7c00c320b1d33
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
56KB