Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20230621-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230621-en locale:en-us os:windows10-2004-x64 system
submitted: 01-07-2023 07:44
Behavioral task
behavioral1
Sample
ba36c9b8fec0735647e7984eb.exe
Resource
win7-20230621-en
General
Target: ba36c9b8fec0735647e7984eb.exe
Size: 106KB
MD5: ba36c9b8fec0735647e7984eb772aab3
SHA1: 91a2d15a954439e122daa782078e1e6c573de2a3
SHA256: 035c9d1fee3d2358a7fac27279dffdda55d3508e1503d91cb2fb4babf5319d12
SHA512: a8779f8d586e752466e7311c2988bdb44fda6df520d77d1c6f90004de27890ea06f60a185a326ccd41afa9c14361bc7d8d4dab05578f922815866f017136c7fe
SSDEEP: 1536:e1+4dMS6ZueRX9mHUxOM1GeYjP1aed/y4Y3Gv:e10S6ZmUcvbjAed/nu
Malware Config
Extracted
njrat
0.7d
Infected
hakim32.ddns.net:2000
2.tcp.eu.ngrok.io:16032
f0c8ea6d55ad279af54a02e293c5fcbd
reg_key: f0c8ea6d55ad279af54a02e293c5fcbd
splitter: |'|'|
Signatures
Modifies Windows Firewall (1 TTPs, 1 IoCs)
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: ba36c9b8fec0735647e7984eb.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3259792829-1422303781-2047321929-1000\Control Panel\International\Geo\Nation | ba36c9b8fec0735647e7984eb.exe
Drops startup file (6 IoCs)
Processes: server.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | server.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | server.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f0c8ea6d55ad279af54a02e293c5fcbdWindows Update.exe | server.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f0c8ea6d55ad279af54a02e293c5fcbdWindows Update.exe | server.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | server.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | server.exe
Executes dropped EXE (1 IoCs)
Processes: server.exe
pid | process
3132 | server.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Drops file in System32 directory (10 IoCs)
Processes: svchost.exe, server.exe
description | ioc | process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{77056F66-E86F-4FE3-95A0-EEFD65BDB41A}.catalogItem | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{8883446E-9FE3-4DC7-8F5E-923AF3C85AAF}.catalogItem | svchost.exe
File opened for modification | C:\Windows\SysWOW64\Explower.exe | server.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{38D768CA-78A6-4F81-B0AA-E225571A26BF}.catalogItem | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{2A9413E8-B2B5-4B33-A543-928FC19852BB}.catalogItem | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{1C450278-AAFE-4E04-AFD9-A06C25C654E4}.catalogItem | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{4F69DF68-9F41-4226-B060-07875FEB3B6D}.catalogItem | svchost.exe
File created | C:\Windows\SysWOW64\Explower.exe | server.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{433D9285-F369-47A1-AB77-6304D96909F1}.catalogItem | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{F7825210-EB87-4C98-8751-CE3DEDAE8D81}.catalogItem | svchost.exe
Drops file in Program Files directory (2 IoCs)
Processes: server.exe
description | ioc | process
File created | C:\Program Files (x86)\Explower.exe | server.exe
File opened for modification | C:\Program Files (x86)\Explower.exe | server.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: server.exe
pid | process
3132 | server.exe (64 identical entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: server.exe
pid | process
3132 | server.exe
Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes: server.exe
description | pid | process
Token: SeDebugPrivilege | 3132 | server.exe
Token: 33 | 3132 | server.exe (17 entries, alternating with the row below)
Token: SeIncBasePriorityPrivilege | 3132 | server.exe (17 entries)
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: ba36c9b8fec0735647e7984eb.exe, server.exe
description | pid | process | target process
PID 2520 wrote to memory of 3132 | 2520 | ba36c9b8fec0735647e7984eb.exe | server.exe
PID 2520 wrote to memory of 3132 | 2520 | ba36c9b8fec0735647e7984eb.exe | server.exe
PID 2520 wrote to memory of 3132 | 2520 | ba36c9b8fec0735647e7984eb.exe | server.exe
PID 3132 wrote to memory of 4864 | 3132 | server.exe | netsh.exe
PID 3132 wrote to memory of 4864 | 3132 | server.exe | netsh.exe
PID 3132 wrote to memory of 4864 | 3132 | server.exe | netsh.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\ba36c9b8fec0735647e7984eb.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ba36c9b8fec0735647e7984eb.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\server.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
        - Drops startup file
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
            - Modifies Windows Firewall
[1] C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
    - Drops file in System32 directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\server.exe (listed three times in the report with identical hashes)
Filesize: 106KB
MD5: ba36c9b8fec0735647e7984eb772aab3
SHA1: 91a2d15a954439e122daa782078e1e6c573de2a3
SHA256: 035c9d1fee3d2358a7fac27279dffdda55d3508e1503d91cb2fb4babf5319d12
SHA512: a8779f8d586e752466e7311c2988bdb44fda6df520d77d1c6f90004de27890ea06f60a185a326ccd41afa9c14361bc7d8d4dab05578f922815866f017136c7fe

C:\Users\Admin\AppData\Roaming\app
Filesize: 4B
MD5: 4d853d9c7197ee7fa81c6535b1f7d655
SHA1: eac3d866e991967b385f3dd22da25e410d8f7f49
SHA256: 5abdb6175f820f0ac3d8647fbb1f7a0bcc91757a782a8a145570944ca6a00c96
SHA512: dc5a09d8586eb9f591f6e00187817c19f693e9328a1b2e5838c61c0b234e9608eecc45bbf7f4a90912e9a456d0ab469ed2503bafb4988b276cec8d5f0b18fda7

memory/2520-134-0x0000000001720000-0x0000000001730000-memory.dmp
Filesize: 64KB

memory/3132-146-0x0000000000E80000-0x0000000000E90000-memory.dmp
Filesize: 64KB

memory/3132-171-0x0000000000E80000-0x0000000000E90000-memory.dmp
Filesize: 64KB