Analysis
- max time kernel: 143s
- max time network: 156s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 06-09-2021 22:12

Static task: static1
Behavioral task: behavioral1
Sample: 9f6fdc5e19242853318ccf433ca5288f4869fc045fde7.exe
Resource: win7v20210408
0 signatures
0 seconds
General
- Target: 9f6fdc5e19242853318ccf433ca5288f4869fc045fde7.exe
- Size: 167KB
- MD5: 0bcb7b5e42fc664c49a25df679fd3e62
- SHA1: c1287a05d381069a06bcf716657ce1a38d9fd95e
- SHA256: 9f6fdc5e19242853318ccf433ca5288f4869fc045fde761b931a8bc8b8ac70d7
- SHA512: d7929e9faa699e305f1b9502d8c6bd69cf3a66729517d9c511c621479a22bde06ec3bfca542cd3dee5548c8ebf0e3454d3cab29828c6117847e9c9536cf924be
Malware Config
Extracted
- Family: njrat
- C2: 62.33.159.162:5674
- Mutex: 26c50014115b430
- Attributes:
  - reg_key: 26c50014115b430
  - splitter: @!#&^%$
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes (description | pid | process | target process):
  - PID 3304 created 632 | 3304 | WerFault.exe | 9f6fdc5e19242853318ccf433ca5288f4869fc045fde7.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  - PID 632 set thread context of 2788 | 632 | 9f6fdc5e19242853318ccf433ca5288f4869fc045fde7.exe | RegSvcs.exe
- Program crash (1 IoC)
  Processes (pid | pid_target | process | target process):
  - 3304 | 632 | WerFault.exe | 9f6fdc5e19242853318ccf433ca5288f4869fc045fde7.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid | process), the same row repeated 14 times:
  - 3304 | WerFault.exe (x14)
- Suspicious use of AdjustPrivilegeToken (36 IoCs)
  Processes (description | pid | process):
  - Token: SeRestorePrivilege | 3304 | WerFault.exe
  - Token: SeBackupPrivilege | 3304 | WerFault.exe
  - Token: SeDebugPrivilege | 3304 | WerFault.exe
  - Token: SeDebugPrivilege | 2788 | RegSvcs.exe
  - Token: 33 | 2788 | RegSvcs.exe (x16, alternating with the row below)
  - Token: SeIncBasePriorityPrivilege | 2788 | RegSvcs.exe (x16)
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (description | pid | process | target process), the same row repeated 5 times:
  - PID 632 wrote to memory of 2788 | 632 | 9f6fdc5e19242853318ccf433ca5288f4869fc045fde7.exe | RegSvcs.exe (x5)
Processes
- C:\Users\Admin\AppData\Local\Temp\9f6fdc5e19242853318ccf433ca5288f4869fc045fde7.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9f6fdc5e19242853318ccf433ca5288f4869fc045fde7.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 268
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/2788-114-0x0000000000140000-0x000000000014C000-memory.dmp (Filesize: 48KB)
- memory/2788-119-0x0000000000146A6E-mapping.dmp
- memory/2788-120-0x0000000000140000-0x0000000000141000-memory.dmp (Filesize: 4KB)
- memory/2788-122-0x0000000004950000-0x0000000004951000-memory.dmp (Filesize: 4KB)
- memory/2788-123-0x0000000004EF0000-0x0000000004EF1000-memory.dmp (Filesize: 4KB)
- memory/2788-124-0x0000000004B10000-0x0000000004B11000-memory.dmp (Filesize: 4KB)
- memory/2788-125-0x00000000025C0000-0x00000000025C1000-memory.dmp (Filesize: 4KB)
- memory/2788-126-0x0000000004A70000-0x0000000004A71000-memory.dmp (Filesize: 4KB)