Analysis
max time kernel: 152s
max time network: 91s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 28-11-2022 11:07

Static task: static1
Behavioral task: behavioral1
Sample: pdf.exe
Resource: win7-20221111-en
General
Target: pdf.exe
Size: 102KB
MD5: b04423987d7a01ca1bf5b1f8f2b77b0c
SHA1: 6468823f6da30059a2750cf2b4599fdb8e450f05
SHA256: 8edcf97df9e24756e8700a4496dd92d3677fc835925a90d1c48914e369b7f651
SHA512: c709012177a1d05939e92218111a0e08520166179de4353cc576e88e609fdbf556a99afa3175193a4b7d5d5b38f6688458d0e2e50f549e6f159b46f78bc1b295
SSDEEP: 1536:TcTbDj6OLC73ybzlr6kI+KEBXiI40n6aDnOae98fAaMGSSpvvKet2Hbq86Dm:TcX6OWqzlUUBSpE6aDOOvvNtP86Dm
Malware Config

Extracted: njrat
  0.6.4
  nEwHacKed
  slowburn.linkpc.net:6760
  a5e14c6feeac7389fad3a06801dddd4f
  reg_key: a5e14c6feeac7389fad3a06801dddd4f
  splitter: |'|'|

Extracted: pony
  http://slow1234.serveftp.com/duos/gate.php
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: reg.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Users\\Admin\\AppData\\Roaming\\reader\\adobe.exe,explorer.exe"

Executes dropped EXE (1 IoC)
  PID 668 njratbin.exe

Modifies Windows Firewall (1 TTP, 1 IoC)

yara_rule match: upx (7 memory regions)
  behavioral1/memory/1288-61-0x0000000000400000-0x000000000041D000-memory.dmp
  behavioral1/memory/1288-63-0x0000000000400000-0x000000000041D000-memory.dmp
  behavioral1/memory/1288-64-0x0000000000400000-0x000000000041D000-memory.dmp
  behavioral1/memory/1288-70-0x0000000000400000-0x000000000041D000-memory.dmp
  behavioral1/memory/1288-74-0x0000000000400000-0x000000000041D000-memory.dmp
  behavioral1/memory/1288-78-0x0000000000400000-0x000000000041D000-memory.dmp
  behavioral1/memory/1288-80-0x0000000000400000-0x000000000041D000-memory.dmp

Loads dropped DLL (2 IoCs)
  PID 1788 pdf.exe (2 occurrences)

Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  Process: pdf.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Accesses Microsoft Outlook profiles (1 TTP, 1 IoC)
  Process: pdf.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoC)
  PID 1788 pdf.exe set thread context of PID 1288 pdf.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (15 IoCs)
  PID 1788 pdf.exe (1 occurrence)
  PID 668 njratbin.exe (14 occurrences)

Suspicious use of AdjustPrivilegeToken (34 IoCs)
  Token: SeDebugPrivilege, PID 1788 pdf.exe
  Token: SeImpersonatePrivilege, SeTcbPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeIncreaseQuotaPrivilege, SeAssignPrimaryTokenPrivilege, PID 1288 pdf.exe (each 4 times, 32 IoCs)
  Token: SeDebugPrivilege, PID 668 njratbin.exe

Suspicious use of WriteProcessMemory (24 IoCs)
  PID 1788 pdf.exe wrote to memory of PID 268 cmd.exe (4 times)
  PID 268 cmd.exe wrote to memory of PID 1904 reg.exe (4 times)
  PID 1788 pdf.exe wrote to memory of PID 1288 pdf.exe (8 times)
  PID 1788 pdf.exe wrote to memory of PID 668 njratbin.exe (4 times)
  PID 668 njratbin.exe wrote to memory of PID 1508 netsh.exe (4 times)

outlook_win_path (1 IoC)
  Process: pdf.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes (tree, indented by depth)

C:\Users\Admin\AppData\Local\Temp\pdf.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\pdf.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\system32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\reader\adobe.exe,explorer.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe
      command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v shell /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\reader\adobe.exe,explorer.exe"
      - Modifies WinLogon for persistence

  C:\Users\Admin\AppData\Local\Temp\pdf.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\pdf.exe"
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_win_path

  C:\Users\Admin\AppData\Local\Temp\njratbin.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\njratbin.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\njratbin.exe" "njratbin.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\njratbin.exe
  Filesize: 29KB
  MD5: 007a4bd3c704a1ddd7d1b04ee9d91c27
  SHA1: 60843e7a18316d258afba4690a5ecc62c1045795
  SHA256: 4442506b3211c38811543e2aad5bf276d075734f7967d83a2b3117bc4bad044a
  SHA512: e9678f517dbfd58ea51e93576988660d6447b479a61b478a91de7edf6057825a7a8e08d7a147514c6c9d5c2ef11e469de9ee729db2f95ef96c72eeb7e98a4838

\Users\Admin\AppData\Local\Temp\njratbin.exe
  Filesize: 29KB
  MD5: 007a4bd3c704a1ddd7d1b04ee9d91c27
  SHA1: 60843e7a18316d258afba4690a5ecc62c1045795
  SHA256: 4442506b3211c38811543e2aad5bf276d075734f7967d83a2b3117bc4bad044a
  SHA512: e9678f517dbfd58ea51e93576988660d6447b479a61b478a91de7edf6057825a7a8e08d7a147514c6c9d5c2ef11e469de9ee729db2f95ef96c72eeb7e98a4838

\Users\Admin\AppData\Roaming\reader\adobe.exe
  Filesize: 102KB
  MD5: b04423987d7a01ca1bf5b1f8f2b77b0c
  SHA1: 6468823f6da30059a2750cf2b4599fdb8e450f05
  SHA256: 8edcf97df9e24756e8700a4496dd92d3677fc835925a90d1c48914e369b7f651
  SHA512: c709012177a1d05939e92218111a0e08520166179de4353cc576e88e609fdbf556a99afa3175193a4b7d5d5b38f6688458d0e2e50f549e6f159b46f78bc1b295