Analysis
- Max time kernel: 4294230s
- Max time network: 189s
- Platform: windows7_x64
- Resource: win7-20220310-en
- Submitted: 20-03-2022 01:32
Static task: static1
Behavioral task: behavioral1
- Sample: cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
- Resource: win7-20220310-en
Behavioral task: behavioral2
- Sample: cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
- Resource: win10v2004-en-20220113
General
- Target: cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
- Size: 10.8MB
- MD5: 4f54150e61b5df07ad6323b964da1a98
- SHA1: ee32dab0f4489e567ac2da159e1beb68c617c6bd
- SHA256: cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b
- SHA512: d4dcc1eaf227030cc94007fc26c839d7d234e050d97dac7aa515f2ab7ecb04db66997381576cbb6287bfd9e2188d65a8cd238a07daa1c9759f582c05c9ef7c1a
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet: Zombie
- C2: 116.127.220.82:1
- Mutex: 0f089c174b52a60dc1803fc49b6449e2
- reg_key: 0f089c174b52a60dc1803fc49b6449e2
- splitter: |'|'|
Signatures
- Modifies Windows Firewall (1 TTP)
- Drops startup file (2 IoCs)
  Process: cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0f089c174b52a60dc1803fc49b6449e2.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0f089c174b52a60dc1803fc49b6449e2.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\0f089c174b52a60dc1803fc49b6449e2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe\" .."
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\0f089c174b52a60dc1803fc49b6449e2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe\" .."
- Suspicious use of AdjustPrivilegeToken (17 IoCs)
  Process: cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe (PID 1928)
  - Token: SeDebugPrivilege (1 occurrence)
  - Token: 33 (8 occurrences, alternating with the entry below)
  - Token: SeIncBasePriorityPrivilege (8 occurrences)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Process: cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe (PID 1928)
  - PID 1928 wrote to memory of PID 1824 (target process: netsh.exe), recorded 4 times
Processes
- C:\Users\Admin\AppData\Local\Temp\cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (depth 2, child of the above)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe" "cd4805c3292fed3286bc47c43a1384eb633236c720dd2082bc4e897d2788c52b.exe" ENABLE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1824-59-0x0000000076361000-0x0000000076363000-memory.dmp (filesize 8KB)
- memory/1928-54-0x00000000746A0000-0x0000000074D8E000-memory.dmp (filesize 6.9MB)
- memory/1928-55-0x0000000001380000-0x0000000001E5A000-memory.dmp (filesize 10.9MB)
- memory/1928-56-0x0000000008990000-0x0000000008F08000-memory.dmp (filesize 5.5MB)
- memory/1928-57-0x00000000006E0000-0x00000000006E1000-memory.dmp (filesize 4KB)
- memory/1928-58-0x0000000000420000-0x0000000000430000-memory.dmp (filesize 64KB)