Analysis
max time kernel: 134s
max time network: 150s
platform: windows7_x64
resource: win7-20230703-en
resource tags: arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
submitted: 06-07-2023 01:00
Static task
static1
Behavioral task
behavioral1
Sample
60e7f5996d69fb22c55c4b6e25cb881ab49a46f3714a42d35dc6f3a66f853498.exe
Resource
win7-20230703-en
General
-
Target
60e7f5996d69fb22c55c4b6e25cb881ab49a46f3714a42d35dc6f3a66f853498.exe
-
Size
99KB
-
MD5
01a15ebeb25b4396bf1f943a9ff2f240
-
SHA1
45464e9c127300244902f3628b3b11e34c0e8530
-
SHA256
60e7f5996d69fb22c55c4b6e25cb881ab49a46f3714a42d35dc6f3a66f853498
-
SHA512
18645b8a88275d4ea01c0878900c0e3a4983495a30f818fa1641e4f74c6ac3547d07d3268ba9540847b18671cbcb06f0a73a9544988710a0b67e982863b13578
-
SSDEEP
1536:8WxWs7X4DWTjujzDwuKT3CePS7PoZK2K3r2gGHAfT+qFHuVp6ryQy38a:pveWTjuj/KT3COS7PoM6ghvOV8r28a
Malware Config
Extracted
njrat
0.7d
HACKER
hakim32.ddns.net:2000
numbers-characterization.at.ply.gg:45038
ba79c07aec28b61ac839eeb4fafa3141
-
reg_key
ba79c07aec28b61ac839eeb4fafa3141
-
splitter
|'|'|
Signatures
-
Modifies Windows Firewall 1 TTPs 3 IoCs
Processes:
  pid   process
  2260  netsh.exe
  2972  netsh.exe
  2256  netsh.exe
Drops startup file 4 IoCs
Processes:
  description                   ioc                                                                                                       process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe                     1 (1).exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe                     1 (1).exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba79c07aec28b61ac839eeb4fafa3141Windows Update.exe  1 (1).exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ba79c07aec28b61ac839eeb4fafa3141Windows Update.exe  1 (1).exe
Executes dropped EXE 2 IoCs
Processes:
  pid   process
  2436  3421.exe
  3064  1 (1).exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process
  3064  1 (1).exe   (64 identical entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid   process
  3064  1 (1).exe
Suspicious use of AdjustPrivilegeToken 21 IoCs
Processes:
  description                          pid   process
  Token: SeDebugPrivilege              3064  1 (1).exe
  Token: 33                            3064  1 (1).exe   (10 entries, alternating with the row below)
  Token: SeIncBasePriorityPrivilege    3064  1 (1).exe   (10 entries)
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
  description                        pid   process                                                                    target process
  PID 2364 wrote to memory of 2436   2364  60e7f5996d69fb22c55c4b6e25cb881ab49a46f3714a42d35dc6f3a66f853498.exe      3421.exe     (4 entries)
  PID 2364 wrote to memory of 3064   2364  60e7f5996d69fb22c55c4b6e25cb881ab49a46f3714a42d35dc6f3a66f853498.exe      1 (1).exe    (4 entries)
  PID 2436 wrote to memory of 432    2436  3421.exe                                                                   cmd.exe      (4 entries)
  PID 432 wrote to memory of 1920    432   cmd.exe                                                                    mode.com     (3 entries)
  PID 432 wrote to memory of 3044    432   cmd.exe                                                                    chcp.com     (3 entries)
  PID 3064 wrote to memory of 2972   3064  1 (1).exe                                                                  netsh.exe    (4 entries)
  PID 3064 wrote to memory of 2256   3064  1 (1).exe                                                                  netsh.exe    (4 entries)
  PID 3064 wrote to memory of 2260   3064  1 (1).exe                                                                  netsh.exe    (4 entries)
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\60e7f5996d69fb22c55c4b6e25cb881ab49a46f3714a42d35dc6f3a66f853498.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\60e7f5996d69fb22c55c4b6e25cb881ab49a46f3714a42d35dc6f3a66f853498.exe"
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\3421.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3421.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\510E.tmp\510F.tmp\5110.bat C:\Users\Admin\AppData\Local\Temp\3421.exe"
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\system32\mode.com
        Command line: mode 90,25

      Level 4: C:\Windows\system32\chcp.com
        Command line: chcp 65001

  Level 2: C:\Users\Admin\AppData\Local\Temp\1 (1).exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1 (1).exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\1 (1).exe" "1 (1).exe" ENABLE
      - Modifies Windows Firewall

    Level 3: C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Local\Temp\1 (1).exe"
      - Modifies Windows Firewall

    Level 3: C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\1 (1).exe" "1 (1).exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1 (1).exe
Filesize: 93KB
MD5: 57b8df6044bbfa7706f1b900216d1da0
SHA1: a21f6e715a41e61820ebb3e428242f848e0cd4c9
SHA256: 8a429aab8c6fb77e858386f53694c6239f7088ed58ac73c25bb2969cbf87cb3a
SHA512: a4670d23fe66c7ce53ccc79342b9927e7f08e62401d105116517d7e75741eae852eec1d4b4c11ea8a1e5213ed6ddc2dd74e0fe8ac45ece46f5e12bac8f6e5ee0
-
C:\Users\Admin\AppData\Local\Temp\3421.exe
Filesize: 94KB
MD5: de02aa6b60fe9b3102998de3c29bf1bd
SHA1: 58bbe21b42de1e8bf0ac685d32a240b4fd2a2457
SHA256: ec75b4225e99c2a575d591277e77163686f1738451ae35fdc24ad34be2610813
SHA512: ed93896e62ced577e5471ce4a598eb4a1d8fbc9a292796a3fe053bcfe87224fbb2ae0186a9a1179085b5072ee54e23655b35eecf802a121dd35792e10d188284
-
C:\Users\Admin\AppData\Local\Temp\510E.tmp\510F.tmp\5110.bat
Filesize: 6KB
MD5: 18f90870a2ad04c6531f4e1116097df7
SHA1: 9309c2f6ad92b12ede683a6718bc02e34accc95f
SHA256: fa8379e93e5db4925ece29af0534741c9579a8e5d88535fcc39aed841fa3d195
SHA512: 404f7a6ab4518b6489b4f11d26a8911e903dfbf89160d1eb26d726f60da6a2542c6ed5429b6ccb127182fffeec04c429d9657ef8a781f90ce9a3663f728d09b4
-
memory/2364-54-0x0000000000BD0000-0x0000000000BF0000-memory.dmp
Filesize: 128KB
-
memory/3064-71-0x0000000001E80000-0x0000000001EC0000-memory.dmp
Filesize: 256KB
-
memory/3064-75-0x0000000001E80000-0x0000000001EC0000-memory.dmp
Filesize: 256KB