Resubmissions

  • 08-09-2022 17:44    220908-wblklafbe7    3
  • 07-09-2022 00:27    220907-arqnlaafh7    1
  • 05-09-2022 16:52    220905-vdthjsehd3    3
  • 05-09-2022 16:42    220905-t7p7jsegc2    7
  • 05-09-2022 16:37    220905-t49f1sefh3    3
  • 31-08-2022 06:37    220831-hdwlpabhc7    1
  • 31-08-2022 06:32    220831-haw32sabhk    10
  • 31-08-2022 05:40    220831-gcy5rahffl    10

Analysis

  • max time kernel
    115s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-08-2022 06:37

General

  • Target

    http://20.7.14.99/server/

Score
1/10

Malware Config

Signatures

  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 10 IoCs
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://20.7.14.99/server/
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1976 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1272
    • C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\njrat.mp4"
      2⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:564

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry (T1112), 2


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\1evexod\imagestore.dat
    Filesize: 34KB
    MD5: 56e55c8119ca9f71297506e9a5ac730f
    SHA1: bcebe05b564919153eb5d59f9c032f71f4835f52
    SHA256: 39724f61abe5f29f8fc7a22e7b5b4ece7eb34557da36f752b39aef7ea9d10540
    SHA512: 182d91a5f6e2d2e156c1ea20d9bece9da1213142be0fedc676bd102a64580140e55fe7555c1c480ffe9718ac603640fc4d1da7767987744bef3ab188c0ac3cd8

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\5U4ZPOH5.txt
    Filesize: 601B
    MD5: 50aaaa526777974d94d3ba968c1ac1e3
    SHA1: d81d104134c1198ffb7bb6046df874b6dd186d75
    SHA256: c800f2b70c925686734bb72dd73388adfdc0c9d89619dad9f695df4ab55849c4
    SHA512: 9f6e73b55283492cd0af25f87562a25d87d7d58ea144aa6a0b27397c5d4eff89f39a02f39c89c2bf5df3169606a85401a138f3dba35389d0edd44c36ed693f63

  • C:\Users\Admin\Downloads\njrat.mp4.yvf7e9v.partial
    Filesize: 42KB
    MD5: 1814573dd0c6f90c941b786a3271e33e
    SHA1: 4d5b9efdacaa0b54ff44b537b57a864575f0a6c9
    SHA256: f856403c55eec0fe9eb24472b76e7d9b620c5299bc14142af2f20f0e68af4103
    SHA512: 8c2213ab7251b66217ac45f93490b2db7330366c90aa8c896cbf9494c27038e4c8c4c1354b2cef49089df0a1c12af0120e706b2999c8bc853267c2b19f3acfa7

  • memory/564-56-0x0000000000000000-mapping.dmp
  • memory/564-57-0x000007FEFB761000-0x000007FEFB763000-memory.dmp
    Filesize: 8KB