Analysis
- max time kernel: 150s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 01-07-2024 03:36
Behavioral task behavioral1
- Sample: d2f88089c3d5494c19db88bed2ff3fab.exe
- Resource: win7-20240611-en
Behavioral task behavioral2
- Sample: d2f88089c3d5494c19db88bed2ff3fab.exe
- Resource: win10v2004-20240508-en
General
- Target: d2f88089c3d5494c19db88bed2ff3fab.exe
- Size: 9.5MB
- MD5: d2f88089c3d5494c19db88bed2ff3fab
- SHA1: 6b4dccd3aedd879ac396e077411c22187f29a4fe
- SHA256: 365e01b07587c756e5fb6244134dc503907fca97402f977724acda871f38a563
- SHA512: 1d001d453eb7c97bec2a6562dda086420ecbbf432b57c90e31178d23f65df33272eeffcbda5c4b03507bf93f381d99a683c40491a898c0ee2cee949483d8c262
- SSDEEP: 196608:O8sRcBDzf4LBIP6dL2Vmd6+DlulOToPVIn+LH/+z3+07MmQZwS1rlzy:eszf490qL2Vmd6mlFTodIn+LH/+zy+SP
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet (campaign id): HacKed
- C2: gcpanel.hackcrack.io:15508
- Mutex: Windows Explorer
- reg_key (Run value name): Windows Explorer
- splitter (field delimiter in C2 traffic): |'|'|
The mutex and reg_key share one string because njRAT derives both from the same configured name; the "Windows Explorer" Run value recorded under Signatures is this reg_key.
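To turn the extracted configuration into something usable on the wire, here is an added Python example; it is not part of the report and not Hatching's code. It frames and splits njRAT messages using the splitter, campaign id and version shown above. The length-prefix framing (ASCII byte count, NUL, payload), the `ll` registration command and the field order of the sample beacon are assumptions drawn from publicly documented njRAT 0.7d traffic, not from captures of this run; the sample beacon is constructed.

```python
import base64
from dataclasses import dataclass
from typing import List, Optional

# Values taken from the extracted configuration above.
SPLITTER = "|'|'|"
CAMPAIGN = "HacKed"
VERSION = "0.7d"


@dataclass
class NjratMessage:
    command: str
    args: List[str]
    declared_len: int
    victim_id: Optional[str] = None  # decoded first field of an "ll" beacon (assumed layout)


def decode_victim_id(b64: str) -> Optional[str]:
    """Assumption: the first field of a registration beacon is base64 of
    '<campaign>_<volume serial>'. Returns None when it does not decode that way."""
    try:
        text = base64.b64decode(b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return text if text.startswith(CAMPAIGN + "_") else None


def parse_frame(frame: bytes) -> NjratMessage:
    """Parse one frame: '<decimal length>\\x00<payload>' (framing is an assumption).
    The declared length is checked against the payload so a truncated or
    concatenated read is rejected instead of silently mis-split."""
    head, sep, payload = frame.partition(b"\x00")
    if not sep or not head.isdigit():
        raise ValueError("missing or malformed length prefix")
    declared = int(head)
    if declared != len(payload):
        raise ValueError(f"length mismatch: header says {declared}, got {len(payload)}")
    fields = payload.decode("utf-8", errors="replace").split(SPLITTER)
    msg = NjratMessage(command=fields[0], args=fields[1:], declared_len=declared)
    if msg.command == "ll" and msg.args:
        msg.victim_id = decode_victim_id(msg.args[0])
    return msg


def build_frame(command: str, args: List[str]) -> bytes:
    """Inverse of parse_frame; used here only to construct the sample."""
    payload = SPLITTER.join([command, *args]).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def matches_config(msg: NjratMessage) -> bool:
    """True when a beacon carries this report's campaign id and client version."""
    return msg.command == "ll" and msg.victim_id is not None and VERSION in msg.args


# Constructed registration beacon; field order after the victim id is an assumption.
SAMPLE_ARGS = [
    base64.b64encode(b"HacKed_1A2B3C4D").decode("ascii"),  # victim id (constructed serial)
    "DESKTOP-SANDBOX", "Admin", "24-07-01", "",
    "Win 7 Professional SP1 x64", "No", VERSION, "..", "Untitled - Notepad", "",
]
SAMPLE_FRAME = build_frame("ll", SAMPLE_ARGS)

if __name__ == "__main__":
    m = parse_frame(SAMPLE_FRAME)
    print(m.command, m.victim_id, m.args[1], matches_config(m))
```

Run against a pcap, feed each TCP segment to gcpanel.hackcrack.io:15508 through `parse_frame`; a `ValueError` on the length check is the usual sign that two frames arrived in one read and need to be split on the declared length first.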
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
- Process: netsh.exe (PID 2160)

Executes dropped EXE (7 IoCs)
- Processes: Setup.exe (PID 2632), Setup.exe (PID 1228), phone_gen .exe (PID 2740), phone_gen .exe (PID 2468), svchost.exe (PID 2828), explorer.exe (PID 588), explorer.exe (PID 1800)

Loads dropped DLL (4 IoCs)
- Processes: d2f88089c3d5494c19db88bed2ff3fab.exe (PID 1412), PID 2764 (no image name listed), phone_gen .exe (PID 2740), phone_gen .exe (PID 2468)

Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe (Setup.exe, first instance)
- Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe (Setup.exe, second instance)
- Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" . (explorer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" . (explorer.exe)
Both autostart targets sit in a user-writable profile directory and borrow the names of Windows system binaries (svchost.exe, explorer.exe) that legitimately only live under C:\Windows; the value names ("Microsoft Corporation Security", "Windows Explorer") are chosen to look like vendor entries. The HKLM write succeeds only because the sandbox runs the sample with administrative rights; on a standard user account only the HKCU entry would land.

Detects PyInstaller (1 IoC)
- YARA rule "pyinstaller" matched C:\Users\Admin\AppData\Local\Temp\phone_gen .exe

Enumerates physical storage devices (1 TTP)
- Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
- netsh.exe: Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
- netsh.exe: Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
- netsh.exe: Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
Caveat: all three IoCs are reads. netsh.exe enumerates this key at every start to find its registered helper DLLs, so this is the ordinary side effect of the firewall command shown in the process tree; the report records no write to the key. The persistence actually observed in this run is the Run key, not a helper DLL, and the netsh call is the firewall exception for the dropped explorer.exe.

Suspicious use of AdjustPrivilegeToken (12 IoCs)
- svchost.exe (PID 2828): SeDebugPrivilege
- explorer.exe (PID 1800): SeDebugPrivilege, then five repetitions of the pair [privilege 33 (shown unresolved by the sandbox), SeIncBasePriorityPrivilege]

Suspicious use of WriteProcessMemory (24 IoCs; each parent/child pair is recorded three times)
- PID 1412 d2f88089c3d5494c19db88bed2ff3fab.exe -> PID 2632 Setup.exe
- PID 1412 d2f88089c3d5494c19db88bed2ff3fab.exe -> PID 1228 Setup.exe
- PID 1412 d2f88089c3d5494c19db88bed2ff3fab.exe -> PID 2740 phone_gen .exe
- PID 2740 phone_gen .exe -> PID 2468 phone_gen .exe
- PID 1228 Setup.exe -> PID 2828 svchost.exe
- PID 2828 svchost.exe -> PID 588 explorer.exe
- PID 588 explorer.exe -> PID 1800 explorer.exe
- PID 1800 explorer.exe -> PID 2160 netsh.exe
The three writes per pair are what the sandbox records for a normal CreateProcess of a child; on their own they are not evidence of injection into a foreign process.
Processes
PIDs are taken from the WriteProcessMemory table in the Signatures section; the two Setup.exe and two phone_gen .exe entries are distinguished by which one spawned children.

C:\Users\Admin\AppData\Local\Temp\d2f88089c3d5494c19db88bed2ff3fab.exe (PID 1412)
  command line: "C:\Users\Admin\AppData\Local\Temp\d2f88089c3d5494c19db88bed2ff3fab.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Setup.exe (PID 2632)
    command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    - Executes dropped EXE
    - Adds Run key to start application

  C:\Users\Admin\AppData\Local\Temp\Setup.exe (PID 1228)
    command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe (PID 2828)
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe (PID 588)
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe (PID 1800)
          command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

          C:\Windows\system32\netsh.exe (PID 2160)
            command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
            - Modifies Windows Firewall
            - Event Triggered Execution: Netsh Helper DLL

  C:\Users\Admin\AppData\Local\Temp\phone_gen .exe (PID 2740)
    command line: "C:\Users\Admin\AppData\Local\Temp\phone_gen .exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\phone_gen .exe (PID 2468)
      command line: "C:\Users\Admin\AppData\Local\Temp\phone_gen .exe"
      - Executes dropped EXE
      - Loads dropped DLL

Two things worth reading off this tree. First, the njRAT chain is Setup.exe -> Templates\svchost.exe -> Templates\explorer.exe -> Roaming\Microsoft\Windows\explorer.exe, and only the last stage (PID 1800) takes SeDebugPrivilege, writes the "Windows Explorer" Run values and adds itself to the firewall exception list with the legacy `netsh firewall` syntax, which Windows 7 still accepts. Second, the phone_gen .exe parent/child pair is what a PyInstaller onefile build looks like: the bootloader extracts its payload into a %TEMP%\_MEI directory and runs a second copy of itself, and the _MEI27402 directory containing python310.dll under Downloads is consistent with that rather than with a separate injection step.
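The Run-key values and the netsh command line recorded above are the telemetry a detection engineer would key on. The following is an added Python example, not part of the report, that runs two checks over constructed registry and process events built from this report's IoCs plus one benign control entry: an autostart entry whose target lives in a user-writable directory (flagged further when the file borrows a Windows system binary name such as svchost.exe or explorer.exe outside C:\Windows), and a netsh firewall exception for a program in such a directory. The event field names (type, pid, image, key, data, cmdline) are my own; map them onto Sysmon event IDs 13 (registry value set) and 1 (process create) or your EDR's schema.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Locations a standard user can write to; anything auto-started from here deserves a look.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\|\\Temp\\", re.I)
WINDOWS_DIR = re.compile(r"^[A-Za-z]:\\Windows\\", re.I)
# Windows binaries that legitimately live only under C:\Windows.
SYSTEM_BINARY_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Legacy "netsh firewall" syntax (used by this sample on Windows 7) and the advfirewall form.
NETSH_LEGACY = re.compile(r'\bfirewall\s+add\s+allowedprogram\s+(?:"([^"]+)"|(\S+))', re.I)
NETSH_ADV = re.compile(r'\badvfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))', re.I)


@dataclass
class Alert:
    rule: str
    pid: int
    image: str
    path: str
    masquerade: bool  # system-binary name outside C:\Windows


def first_exe_path(data: str) -> Optional[str]:
    """Pull the executable out of a Run-key value: the quoted leading token, or
    everything up to the first '.exe' (paths may contain spaces, e.g. 'phone_gen .exe')."""
    data = data.strip()
    m = re.match(r'^"([^"]+)"', data) or re.match(r"^(.+?\.exe)\b", data, re.I)
    return m.group(1) if m else None


def is_masquerade(path: str) -> bool:
    name = path.rsplit("\\", 1)[-1].lower()
    return name in SYSTEM_BINARY_NAMES and not WINDOWS_DIR.match(path)


def check_registry_set(ev: Dict) -> Optional[Alert]:
    """Run/RunOnce value whose target is in a user-writable directory."""
    if not RUN_KEY.search(ev["key"]):
        return None
    path = first_exe_path(ev["data"])
    if path is None or not USER_WRITABLE.search(path):
        return None
    return Alert("run_key_user_writable", ev["pid"], ev["image"], path, is_masquerade(path))


def check_process(ev: Dict) -> Optional[Alert]:
    """netsh adding a firewall exception for a program in a user-writable directory."""
    if not ev["image"].lower().endswith("\\netsh.exe"):
        return None
    m = NETSH_LEGACY.search(ev["cmdline"]) or NETSH_ADV.search(ev["cmdline"])
    if not m:
        return None
    path = m.group(1) or m.group(2)
    if not USER_WRITABLE.search(path):
        return None
    return Alert("netsh_firewall_exception_user_writable", ev["pid"], ev["image"], path, is_masquerade(path))


def scan(events: List[Dict]) -> List[Alert]:
    alerts: List[Alert] = []
    for ev in events:
        a = check_registry_set(ev) if ev["type"] == "registry_set" else check_process(ev)
        if a is not None:
            alerts.append(a)
    return alerts


# Constructed events; keys, values and the command line are the ones this report records.
SID = r"\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000"
DROPPED_EXPLORER = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
SAMPLE_EVENTS = [
    {"type": "registry_set", "pid": 2632, "image": r"C:\Users\Admin\AppData\Local\Temp\Setup.exe",
     "key": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security",
     "data": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"},
    {"type": "registry_set", "pid": 1800, "image": DROPPED_EXPLORER,
     "key": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Windows Explorer",
     "data": '"' + DROPPED_EXPLORER + '" .'},
    {"type": "registry_set", "pid": 1800, "image": DROPPED_EXPLORER,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer",
     "data": '"' + DROPPED_EXPLORER + '" .'},
    {"type": "process", "pid": 2160, "image": r"C:\Windows\system32\netsh.exe",
     "cmdline": 'netsh firewall add allowedprogram "' + DROPPED_EXPLORER + '" "explorer.exe" ENABLE'},
    # Benign control (constructed): a Run entry pointing into C:\Windows must not fire.
    {"type": "registry_set", "pid": 4, "image": r"C:\Windows\System32\svchost.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "data": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a.rule}: pid {a.pid} -> {a.path} (masquerade={a.masquerade})")
```

The two rules fire independently, but correlating them on the program path (the Run-key target and the firewall exception are the same file here) is what separates this from a legitimate installer adding a single exception for itself.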
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Downloads

C:\Users\Admin\AppData\Local\Temp\Setup.exe
- Filesize: 461KB
- MD5: ee76425b767c9ab812a53c133b8363f8
- SHA1: 1daa4700a5f1849eb7e810986ac24bd58786da61
- SHA256: f962e1a60673963b7c2fa51a0663260df63771dfbd7423af67c2d142f7245747
- SHA512: 004d1b4acc7084ba8c520d94032c19342228ed6346321b04641450f87a32f78a92212e3940e4cf0790af2e5640c6001e7c805dc99cf8f9a146d752b5ee117c3b

C:\Users\Admin\AppData\Local\Temp\_MEI27402\python310.dll
- Filesize: 4.2MB
- MD5: 7e45e4d723e4775f6e26628315f370ad
- SHA1: 76a8104c5d073c6f7619872426d440bcabd18bb9
- SHA256: 7cc15b7440710f8fecaa67396b83436b3b2962e3757482dfbaf926ee74f86882
- SHA512: 4e11316ebbf6af953dcf991148cca98a155d48d4f8b5ee068f2bc7a56aa14c8a7661d52ecce9bc3c4aa5495868503b81010d81c4fe3a15fa789f13ce081c82fb

C:\Users\Admin\AppData\Local\Temp\phone_gen .exe
- Filesize: 9.0MB
- MD5: 1f8257c97c37478f9c1293416ccbf03c
- SHA1: 512be8e084e2a8f42d5c71a7ef802de7a136b2cb
- SHA256: 15c590d3c6be2c0451b892b8e37f16d8d8051e31afa857aec0debf6165268d54
- SHA512: 1c4a4d7d5a87a1ec1ff4a0ea0757e5013ea6760617925ac679e00994a70312df0079eddc5bdf4d3427045adbe49f6e2237f38fec32071518753794ec1821fb28

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe
- Filesize: 238KB
- MD5: e5346953e507542ef5f87d1ed1510d64
- SHA1: d3ac56ed0c1fb65ca1d786d740cc653e7bb0315c
- SHA256: 6b359ae1c40430addcdf18d1832e7551e99aac978ea90bed1567edb2e378576f
- SHA512: a03a9d9a4529c9997298708dcfb887dca5ea90419f30f01980bbedc9a9929581c0526667c4648c66a58582a22049c62eff75a19134730f0e50b6c7ceb368c265

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe (first capture, no size listed)
- MD5: d41d8cd98f00b204e9800998ecf8427e
- SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
- SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
- SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
These are the well-known digests of zero-length input, so this entry is the file as created before Setup.exe wrote its contents; do not use these hashes as indicators, they match every empty file. The populated copy follows.

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
- Filesize: 325KB
- MD5: f36e535fdc82208fca08acfa44f790c6
- SHA1: a3cc1aa7d614094faebada2aed1e6c519bd18c94
- SHA256: 51efbe235b492c7e99c480915c7eeecf85f5ee6d540189ee5aa54fe9f0fafcdc
- SHA512: 631db5246159e045ed6911867f25991ae8824951e608c2fef25bc48482271aeb3ad26f1c98a04b4cbbf431ce20ef027cacb4bf0b3d85e048885da2b709f3a9af

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.zip
- Filesize: 275KB
- MD5: d64c44bbca049d3f19402c195840c33f
- SHA1: cd7b0eff352490ad82953ee5cb1314d1a5e6311d
- SHA256: f6533a93d1fe59bfe49976a24c0c828ade9981d5e94d7882f2460b533c8c3843
- SHA512: de7a1e074ee5dc56e1f01112a5f613dcd2ce1dfd1d7e72d464b46789e750eb286f79d5c4d801984239a4505314ab0221d1bb62d08ddc7961c34cd466b558780b

Memory dumps (PID-sequence-region)
- memory/588-108-0x0000000000590000-0x000000000059C000-memory.dmp: 48KB
- memory/1228-25-0x00000000004D0000-0x00000000004FA000-memory.dmp: 168KB
- memory/1412-1-0x0000000001000000-0x0000000001988000-memory.dmp: 9.5MB
- memory/1412-0-0x000007FEF5983000-0x000007FEF5984000-memory.dmp: 4KB
- memory/2632-60-0x000007FEF5980000-0x000007FEF636C000-memory.dmp: 9.9MB
- memory/2632-61-0x000007FEF5980000-0x000007FEF636C000-memory.dmp: 9.9MB
- memory/2632-16-0x00000000012D0000-0x0000000001348000-memory.dmp: 480KB
- memory/2828-67-0x00000000002C0000-0x00000000002C8000-memory.dmp: 32KB
- memory/2828-66-0x0000000000BF0000-0x0000000000C46000-memory.dmp: 344KB