Analysis
- max time kernel: 162s
- max time network: 181s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 29-01-2022 16:00
Static task: static1
Behavioral task: behavioral1
- Sample: 17fc7c0ec5e91b170860f2e59b3074fdab456198a6047b8260e1c846ed5885cd.exe
- Resource: win7-en-20211208 (windows7_x64)
- 0 signatures
- 0 seconds
General
- Target: 17fc7c0ec5e91b170860f2e59b3074fdab456198a6047b8260e1c846ed5885cd.exe
- Size: 150KB
- MD5: acd58bb34bb275de1570917624ade609
- SHA1: 6def2bdaca8e08d3fd4363da008e6395cb0db49f
- SHA256: 17fc7c0ec5e91b170860f2e59b3074fdab456198a6047b8260e1c846ed5885cd
- SHA512: 79f51605b85b497240d8187697008a2f2dc4bd0f498c721825726e560de7189a8fcc818d10f2daf807c05dcc5be5f7b2de62cfe72d4ed6acb4586d8075b72d3e
Malware Config
Extracted
- Family: njrat
- Version: 0.6.4
- Botnet: HacKed
- C2: moh-2014.linkpc.net:55
- Mutex: 8e3bc91142bd8d798a10a1667ae4d2be
- Attributes:
  - reg_key: 8e3bc91142bd8d798a10a1667ae4d2be
  - splitter: |'|'|
Signatures
- Modifies Windows Firewall (1 TTPs)
- Suspicious behavior: EnumeratesProcesses (26 IoCs)
  Processes (pid, process):
  2708  17fc7c0ec5e91b170860f2e59b3074fdab456198a6047b8260e1c846ed5885cd.exe  (this row is listed 26 times)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege  2708  17fc7c0ec5e91b170860f2e59b3074fdab456198a6047b8260e1c846ed5885cd.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description, pid, process, target process):
  PID 2708 wrote to memory of 3356  2708  17fc7c0ec5e91b170860f2e59b3074fdab456198a6047b8260e1c846ed5885cd.exe  netsh.exe  (this row is listed 3 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\17fc7c0ec5e91b170860f2e59b3074fdab456198a6047b8260e1c846ed5885cd.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\17fc7c0ec5e91b170860f2e59b3074fdab456198a6047b8260e1c846ed5885cd.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\netsh.exe (child of 1)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\17fc7c0ec5e91b170860f2e59b3074fdab456198a6047b8260e1c846ed5885cd.exe" "17fc7c0ec5e91b170860f2e59b3074fdab456198a6047b8260e1c846ed5885cd.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2708-115-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
- memory/2708-116-0x0000000004A70000-0x0000000004F6E000-memory.dmp (Filesize 5.0MB)
- memory/2708-117-0x0000000004900000-0x0000000004992000-memory.dmp (Filesize 584KB)
- memory/2708-118-0x0000000004F70000-0x000000000500C000-memory.dmp (Filesize 624KB)
- memory/2708-119-0x0000000005080000-0x0000000005081000-memory.dmp (Filesize 4KB)
- memory/2708-120-0x0000000004A20000-0x0000000004A2A000-memory.dmp (Filesize 40KB)
- memory/2708-121-0x00000000051A0000-0x00000000051AE000-memory.dmp (Filesize 56KB)
- memory/2708-122-0x00000000051C0000-0x00000000051CE000-memory.dmp (Filesize 56KB)
- memory/2708-123-0x0000000005083000-0x0000000005085000-memory.dmp (Filesize 8KB)