Analysis
-
Max time kernel: 149s
Max time network: 152s
Platform: windows7_x64
Resource: win7-20230712-en
Resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
Submitted: 24-08-2023 13:16
Behavioral task: behavioral1
Sample: 440C7BE71CBF8CCDEA42449F4B0FA4AEEF078B59B17FC.exe
Resource: win7-20230712-en
General
-
Target: 440C7BE71CBF8CCDEA42449F4B0FA4AEEF078B59B17FC.exe
Size: 31KB
MD5: 14874a9249876def878e006ca55ef5e5
SHA1: 82839c360cee6b8cee93297231d7f98d976fb65f
SHA256: 440c7be71cbf8ccdea42449f4b0fa4aeef078b59b17fc95851ba0544ab1a577a
SHA512: 70f441ec37dc3bb32a84d8c838225aa67ac4205907ee87bd377e4f1cbdcb256d61182ee2a6dcee28f1910dddbbebc12c4c476a7f206e335a1d9c4a855198bac9
SSDEEP: 768:oN8p5d5rLmzxBuJJKye8nu4LPv67QmIDUu0tibSj:zvKO+4jwQVkLj
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet (campaign ID): system
C2: 147.50.253.241:6522
Mutex: e4d8b898672502b9751c26f7a748bd76
Attributes
-
reg_key: e4d8b898672502b9751c26f7a748bd76
-
splitter: Y262SUCZ4UJJ
Note: the mutex and the Run-key value name (reg_key) are the same string, and the campaign ID "system" matches the name of the dropped copy, system.exe. The splitter is the field separator the client uses in its C2 messages, so it is the most useful value here for network-side detection; the default njRAT splitter has been replaced with a custom one in this build.
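The splitter and C2 values above are what a network detector or a C2 emulator needs. The Python below is an added example (not part of this report and not njRAT's own code) that frames and parses njRAT-style traffic using the splitter from this config. The length-prefix framing (`<decimal length>\x00<payload>`), the `ll` registration command and the field order are assumptions taken from public write-ups of njRAT 0.7d and simplified; the HWID, hostname and username are constructed, and the trailing truncated frame is there to show how a stream parser must hold back partial data.

```python
import base64

# Values taken from the extracted config on this page.
SPLITTER = b"Y262SUCZ4UJJ"
C2_HOST, C2_PORT = "147.50.253.241", 6522

# Framing and field order below are ASSUMED from public njRAT write-ups, not from
# this page: each message is "<decimal length>\x00<payload>", fields inside a
# payload are separated by the configured splitter, and the check-in uses "ll".


def frame(payload: bytes) -> bytes:
    """Wrap a payload in njRAT-style length framing."""
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def build_registration(hwid: bytes, hostname: bytes, username: bytes, version: bytes) -> bytes:
    """Constructed, simplified registration beacon (real 0.7d beacons carry more fields)."""
    victim_id = base64.b64encode(hwid + b"_" + username)
    return SPLITTER.join([b"ll", victim_id, hostname, username, version])


def parse_frames(stream: bytes):
    """Split a TCP byte stream into complete frames.

    Returns (messages, leftover): each message is (payload, fields), and
    leftover holds a trailing partial frame to prepend to the next read.
    """
    messages = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break  # no complete length prefix yet
        length_str = stream[pos:nul]
        if not length_str.isdigit():
            raise ValueError(f"non-numeric length prefix at offset {pos}: {length_str!r}")
        start = nul + 1
        end = start + int(length_str)
        if end > len(stream):
            break  # partial frame, wait for more bytes
        payload = stream[start:end]
        messages.append((payload, payload.split(SPLITTER)))
        pos = end
    return messages, stream[pos:]


def is_registration(fields) -> bool:
    """True when a parsed payload looks like the 'll' check-in for this config."""
    return len(fields) >= 3 and fields[0] == b"ll"


def victim_id(fields) -> bytes:
    """Decode the base64 victim identifier from a registration record."""
    return base64.b64decode(fields[1])


# Constructed traffic sample: one beacon, one short message, and a truncated frame.
SAMPLE_STREAM = (
    frame(build_registration(b"ABCD1234", b"WIN7-PC", b"Admin", b"0.7d"))
    + frame(b"P")
    + b"12\x00partial"
)

if __name__ == "__main__":
    msgs, rest = parse_frames(SAMPLE_STREAM)
    for payload, fields in msgs:
        print("registration" if is_registration(fields) else "other", fields)
    print("leftover bytes:", rest)
```

A stream parser that does not keep the leftover bytes will misparse the next read as a new length prefix and raise; keying the splitter match on the exact configured value (rather than the default `|'|'|`) is what makes a signature for this build specific.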
Signatures
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Executes dropped EXE 1 IoCs
Processes: system.exe (PID 2632)
-
Loads dropped DLL 1 IoCs
Processes: 440C7BE71CBF8CCDEA42449F4B0FA4AEEF078B59B17FC.exe (PID 2192)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 35 IoCs
Processes: system.exe (PID 2632)
Token: SeDebugPrivilege, PID 2632 system.exe (1 event)
Token: 33, PID 2632 system.exe, followed by Token: SeIncBasePriorityPrivilege, PID 2632 system.exe; this pair is repeated 17 times (34 events, 35 in total with the SeDebugPrivilege event)
Note: the sandbox reports the second privilege by its LUID rather than by name; in winnt.h, 33 is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege).
Suspicious use of WriteProcessMemory 8 IoCs
Processes: 440C7BE71CBF8CCDEA42449F4B0FA4AEEF078B59B17FC.exe (PID 2192), system.exe (PID 2632)
PID 2192 (440C7BE71CBF8CCDEA42449F4B0FA4AEEF078B59B17FC.exe) wrote to memory of PID 2632 (system.exe): 4 events
PID 2632 (system.exe) wrote to memory of PID 2072 (netsh.exe): 4 events
Processes
Process tree (depth shown by numbering; PIDs taken from the signature tables above)
-
1. C:\Users\Admin\AppData\Local\Temp\440C7BE71CBF8CCDEA42449F4B0FA4AEEF078B59B17FC.exe (PID 2192)
   Command line: "C:\Users\Admin\AppData\Local\Temp\440C7BE71CBF8CCDEA42449F4B0FA4AEEF078B59B17FC.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
-
   2. C:\Users\Admin\AppData\Local\Temp\system.exe (PID 2632, child of 2192)
      Command line: "C:\Users\Admin\AppData\Local\Temp\system.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
-
      3. C:\Windows\SysWOW64\netsh.exe (PID 2072, child of 2632)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\system.exe" "system.exe" ENABLE
         - Modifies Windows Firewall
         Note: this is the 32-bit copy of netsh, which WoW64 file-system redirection selects when a 32-bit process launches netsh on x64 Windows; the legacy "netsh firewall" context is used rather than "netsh advfirewall".
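The tree shows the usual njRAT chain: the dropper copies itself to %TEMP%\system.exe, starts the copy, and the copy opens a firewall exception for itself through netsh. The Python below is an added example (not the sandbox's or the report's own logic) that runs three checks over constructed process-creation events modelled on this tree: a netsh firewall allow for a program in a user-writable directory (legacy and advfirewall syntax), a Windows-lookalike file name running outside C:\Windows, and a child whose hash equals its parent's while the image path differs (self-copy execution). PIDs 1234 and 3000, the benign installer entry and the netsh hash placeholders are invented for the example.

```python
import re
from pathlib import PureWindowsPath

# Directories a standard user can write to; a firewall exception for a binary
# here is rarely legitimate.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Names that imitate Windows components; only suspicious outside C:\Windows.
LOOKALIKE_NAMES = {"system.exe", "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}

# Legacy syntax used by this sample:
#   netsh firewall add allowedprogram [program=]<path> [name=]<name> [mode=]ENABLE
LEGACY_ALLOW = re.compile(r'firewall\s+add\s+allowedprogram\s+(?:program=)?(?:"([^"]+)"|(\S+))', re.I)
# Modern syntax: netsh advfirewall firewall add rule ... action=allow ... program=<path>
ADV_RULE = re.compile(r'advfirewall\s+firewall\s+add\s+rule\b.*?\bprogram=(?:"([^"]+)"|(\S+))', re.I)
ADV_ALLOW = re.compile(r"\baction=allow\b", re.I)


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def firewall_allowed_program(cmdline: str):
    """Return the program path a netsh command allows through the firewall, else None."""
    m = LEGACY_ALLOW.search(cmdline)
    if m:
        return m.group(1) or m.group(2)
    m = ADV_RULE.search(cmdline)
    if m and ADV_ALLOW.search(cmdline):
        return m.group(1) or m.group(2)
    return None


def triage(events):
    """Run the three checks over process-creation events; returns (rule, pid) pairs."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = e["image"]
        name = PureWindowsPath(image).name.lower()
        if name == "netsh.exe":
            prog = firewall_allowed_program(e["cmdline"])
            if prog and is_user_writable(prog):
                findings.append(("firewall_allow_user_writable", e["pid"]))
        if name in LOOKALIKE_NAMES and is_user_writable(image):
            findings.append(("lookalike_name_in_user_dir", e["pid"]))
        parent = by_pid.get(e["ppid"])
        if parent and parent["sha256"] == e["sha256"] and parent["image"].lower() != image.lower():
            findings.append(("self_copy_execution", e["pid"]))
    return findings


SAMPLE_SHA256 = "440c7be71cbf8ccdea42449f4b0fa4aeef078b59b17fc95851ba0544ab1a577a"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed events modelled on the process tree above. PID 1234, PID 3000,
# the benign installer entry and the netsh hash placeholder are invented.
EVENTS = [
    {"pid": 2192, "ppid": 1234,
     "image": TEMP + r"\440C7BE71CBF8CCDEA42449F4B0FA4AEEF078B59B17FC.exe",
     "cmdline": '"' + TEMP + r'\440C7BE71CBF8CCDEA42449F4B0FA4AEEF078B59B17FC.exe"',
     "sha256": SAMPLE_SHA256},
    {"pid": 2632, "ppid": 2192, "image": TEMP + r"\system.exe",
     "cmdline": '"' + TEMP + r'\system.exe"', "sha256": SAMPLE_SHA256},
    {"pid": 2072, "ppid": 2632, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": 'netsh firewall add allowedprogram "' + TEMP + r'\system.exe" "system.exe" ENABLE',
     "sha256": "netsh-hash-placeholder"},
    # Benign control: an installer under Program Files opening the firewall for itself.
    {"pid": 3000, "ppid": 1234, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Program Files\Vendor\app.exe" "Vendor App" ENABLE',
     "sha256": "netsh-hash-placeholder"},
]

if __name__ == "__main__":
    for rule, pid in triage(EVENTS):
        print(f"{rule}: pid {pid}")
```

The hash comparison is what separates "dropper runs a second-stage" from "dropper runs itself under a new name": the Downloads section of this report shows the copy's SHA256 equals the submitted sample's, so a parent/child hash match is a reliable signal for this family's self-install step.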
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\system.exe
Filesize: 31KB
MD5: 14874a9249876def878e006ca55ef5e5
SHA1: 82839c360cee6b8cee93297231d7f98d976fb65f
SHA256: 440c7be71cbf8ccdea42449f4b0fa4aeef078b59b17fc95851ba0544ab1a577a
SHA512: 70f441ec37dc3bb32a84d8c838225aa67ac4205907ee87bd377e4f1cbdcb256d61182ee2a6dcee28f1910dddbbebc12c4c476a7f206e335a1d9c4a855198bac9
Note: size and all four hashes are identical to those of the submitted sample; the dropped system.exe is a byte-for-byte copy of the original, not a separate second stage.
-
\Users\Admin\AppData\Local\Temp\system.exe (same file, recorded again under a drive-relative path)
Filesize: 31KB
MD5: 14874a9249876def878e006ca55ef5e5
SHA1: 82839c360cee6b8cee93297231d7f98d976fb65f
SHA256: 440c7be71cbf8ccdea42449f4b0fa4aeef078b59b17fc95851ba0544ab1a577a
SHA512: 70f441ec37dc3bb32a84d8c838225aa67ac4205907ee87bd377e4f1cbdcb256d61182ee2a6dcee28f1910dddbbebc12c4c476a7f206e335a1d9c4a855198bac9
-
Memory dumps (memory/<PID>-<index>: address range, size)
memory/2192-0: 0x0000000074110000-0x00000000746BB000, 5.7MB
memory/2192-2: 0x0000000002330000-0x0000000002370000, 256KB
memory/2192-1: 0x0000000074110000-0x00000000746BB000, 5.7MB
memory/2192-11: 0x0000000074110000-0x00000000746BB000, 5.7MB
memory/2632-12: 0x00000000001F0000-0x0000000000230000, 256KB
memory/2632-10: 0x0000000074110000-0x00000000746BB000, 5.7MB
memory/2632-13: 0x0000000074110000-0x00000000746BB000, 5.7MB
memory/2632-14: 0x0000000074110000-0x00000000746BB000, 5.7MB
memory/2632-15: 0x00000000001F0000-0x0000000000230000, 256KB
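Because the dropped copy carries the same hashes as the submitted sample, a host sweep for this campaign needs only one SHA256 plus the drop name. The Python below is an added example (not from the report or the sandbox) that hashes every file under a root directory and reports matches against the report's SHA256 or the drop file name. So that it runs offline, it builds a throwaway directory with a placeholder file and adds that placeholder's hash to the known set for the demo only; the real sample is not used.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA256 of the sample and its dropped copy, taken from the report (identical).
KNOWN_SHA256 = {"440c7be71cbf8ccdea42449f4b0fa4aeef078b59b17fc95851ba0544ab1a577a"}
# File name the dropper writes to %TEMP% according to the process tree.
DROP_NAMES = {"system.exe"}


def sha256_of(path: Path, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: Path, known=KNOWN_SHA256, names=DROP_NAMES):
    """Walk root; return {path: [reasons]} for hash matches and suspicious drop names.

    Unreadable files (locked, permission denied) are skipped rather than aborting
    the whole sweep, which matters on a live host.
    """
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            reasons = []
            if fn.lower() in names:
                reasons.append("drop-name")
            try:
                if sha256_of(p) in known:
                    reasons.append("sha256-match")
            except OSError:
                continue
            if reasons:
                hits[str(p)] = reasons
    return hits


def demo():
    """Build a throwaway directory and sweep it (constructed data, not the real sample)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        fake = root / "Temp" / "system.exe"
        fake.parent.mkdir()
        fake.write_bytes(b"placeholder bytes, not the real binary")
        (root / "Temp" / "readme.txt").write_text("benign")
        # For the demo only, treat the placeholder's hash as a known-bad indicator.
        known = KNOWN_SHA256 | {sha256_of(fake)}
        return sweep(root, known)


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, reasons)
```

On a real host, point `sweep` at the user profile tree (the report's path is under %LOCALAPPDATA%\Temp) and keep the name match as a weaker, separate reason: a file named system.exe with a different hash is a candidate for a new build, while a hash match is a confirmed copy of this sample.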