Analysis
- max time kernel: 146s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25-06-2022 10:35

Static task: static1
Behavioral task: behavioral1
- Sample: 8097383fc8d67a40c647b8e892fc7a28a68dc82fa16f51303ae99a5e82c61969.exe
- Resource: win7-20220414-en
- 0 signatures, 0 seconds
General
- Target: 8097383fc8d67a40c647b8e892fc7a28a68dc82fa16f51303ae99a5e82c61969.exe
- Size: 919KB
- MD5: 396b59946e1211f68e52677de66ccbc6
- SHA1: fd051f956b1a6764945464666395b077f2ea5462
- SHA256: 8097383fc8d67a40c647b8e892fc7a28a68dc82fa16f51303ae99a5e82c61969
- SHA512: 65030131559f23b61503da19e5725527847247d349022441f07dfdb47a58085484f2825624a6a9feb8bbfe0048a46bd37afe73cd409262bcbbfdd9df538a4712
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: fourth#4
- C2: soft98.linkpc.net:5550
- Mutex: 10e93180d6481ad63a77c2b255d40864
Attributes
- reg_key: 10e93180d6481ad63a77c2b255d40864
- splitter: |'|'|
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Drops startup file (1 IoCs)
  Processes: 8097383fc8d67a40c647b8e892fc7a28a68dc82fa16f51303ae99a5e82c61969.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Host Process for Windows Services.url | 8097383fc8d67a40c647b8e892fc7a28a68dc82fa16f51303ae99a5e82c61969.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: 8097383fc8d67a40c647b8e892fc7a28a68dc82fa16f51303ae99a5e82c61969.exe
  description | pid | process | target process
  PID 1424 set thread context of 3680 | 1424 | 8097383fc8d67a40c647b8e892fc7a28a68dc82fa16f51303ae99a5e82c61969.exe | RegAsm.exe
- Suspicious use of AdjustPrivilegeToken (29 IoCs)
  Processes: RegAsm.exe
  description | pid | process
  Token: SeDebugPrivilege | 3680 | RegAsm.exe
  Token: 33 | 3680 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 3680 | RegAsm.exe
  Token: 33 | 3680 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 3680 | RegAsm.exe
  Token: 33 | 3680 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 3680 | RegAsm.exe
  Token: 33 | 3680 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 3680 | RegAsm.exe
  Token: 33 | 3680 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 3680 | RegAsm.exe
  Token: 33 | 3680 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 3680 | RegAsm.exe
  Token: 33 | 3680 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 3680 | RegAsm.exe
  Token: 33 | 3680 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 3680 | RegAsm.exe
  Token: 33 | 3680 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 3680 | RegAsm.exe
  Token: 33 | 3680 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 3680 | RegAsm.exe
  Token: 33 | 3680 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 3680 | RegAsm.exe
  Token: 33 | 3680 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 3680 | RegAsm.exe
  Token: 33 | 3680 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 3680 | RegAsm.exe
  Token: 33 | 3680 | RegAsm.exe
  Token: SeIncBasePriorityPrivilege | 3680 | RegAsm.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes: 8097383fc8d67a40c647b8e892fc7a28a68dc82fa16f51303ae99a5e82c61969.exe
  pid | process
  1424 | 8097383fc8d67a40c647b8e892fc7a28a68dc82fa16f51303ae99a5e82c61969.exe
  1424 | 8097383fc8d67a40c647b8e892fc7a28a68dc82fa16f51303ae99a5e82c61969.exe
  1424 | 8097383fc8d67a40c647b8e892fc7a28a68dc82fa16f51303ae99a5e82c61969.exe
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes: 8097383fc8d67a40c647b8e892fc7a28a68dc82fa16f51303ae99a5e82c61969.exe
  pid | process
  1424 | 8097383fc8d67a40c647b8e892fc7a28a68dc82fa16f51303ae99a5e82c61969.exe
  1424 | 8097383fc8d67a40c647b8e892fc7a28a68dc82fa16f51303ae99a5e82c61969.exe
  1424 | 8097383fc8d67a40c647b8e892fc7a28a68dc82fa16f51303ae99a5e82c61969.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 8097383fc8d67a40c647b8e892fc7a28a68dc82fa16f51303ae99a5e82c61969.exe, RegAsm.exe
  description | pid | process | target process
  PID 1424 wrote to memory of 3680 | 1424 | 8097383fc8d67a40c647b8e892fc7a28a68dc82fa16f51303ae99a5e82c61969.exe | RegAsm.exe
  PID 1424 wrote to memory of 3680 | 1424 | 8097383fc8d67a40c647b8e892fc7a28a68dc82fa16f51303ae99a5e82c61969.exe | RegAsm.exe
  PID 1424 wrote to memory of 3680 | 1424 | 8097383fc8d67a40c647b8e892fc7a28a68dc82fa16f51303ae99a5e82c61969.exe | RegAsm.exe
  PID 1424 wrote to memory of 3680 | 1424 | 8097383fc8d67a40c647b8e892fc7a28a68dc82fa16f51303ae99a5e82c61969.exe | RegAsm.exe
  PID 1424 wrote to memory of 3680 | 1424 | 8097383fc8d67a40c647b8e892fc7a28a68dc82fa16f51303ae99a5e82c61969.exe | RegAsm.exe
  PID 3680 wrote to memory of 976 | 3680 | RegAsm.exe | netsh.exe
  PID 3680 wrote to memory of 976 | 3680 | RegAsm.exe | netsh.exe
  PID 3680 wrote to memory of 976 | 3680 | RegAsm.exe | netsh.exe
Processes
- (1) C:\Users\Admin\AppData\Local\Temp\8097383fc8d67a40c647b8e892fc7a28a68dc82fa16f51303ae99a5e82c61969.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8097383fc8d67a40c647b8e892fc7a28a68dc82fa16f51303ae99a5e82c61969.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - (2) C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - (3) C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/976-138-0x0000000000000000-mapping.dmp
- memory/3680-130-0x0000000000000000-mapping.dmp
- memory/3680-131-0x00000000005A0000-0x00000000005AC000-memory.dmp (Filesize: 48KB)
- memory/3680-136-0x0000000073E80000-0x0000000074431000-memory.dmp (Filesize: 5.7MB)
- memory/3680-137-0x0000000073E80000-0x0000000074431000-memory.dmp (Filesize: 5.7MB)