Analysis
max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-12-2023 07:40
Behavioral task: behavioral1
Sample: 11374849012dfeed18493578007f0c53.exe
Resource: win7-20231023-en
General
Target: 11374849012dfeed18493578007f0c53.exe
Size: 93KB
MD5: 11374849012dfeed18493578007f0c53
SHA1: 367d9ee8bbd2c911c8d9b51fa6f1b664e90036c2
SHA256: 16607e62e5e61fd70634ebde62a145329a23d3d31867c2e86554b5f9ad313063
SHA512: 46c9a2d2cef8771be3d6b22c88834a3e53de5c7b7751dff39e01566c01621a36225629dfba3fcdc5e1157fa49ee181ff05cd796b1825706e8a7a00a229721d6c
SSDEEP: 768:oY37yTnkpjTMpALPGMtsas88EtNXhU9f1mxCXxrjEtCdnl2pi1Rz4Rk3vsGdp0gM:Ly7kVbPGHz88EbE1pjEwzGi1dDbD0gS
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed
C2:
  hakim32.ddns.net:2000
  5.tcp.eu.ngrok.io:13940
Mutex: d31f5482257e7847270785c2b6a88c7b
Attributes:
  reg_key: d31f5482257e7847270785c2b6a88c7b
  splitter: |'|'|
Signatures

Modifies Windows Firewall (1 TTP, 3 IoCs)
Processes:
  pid 1712  netsh.exe
  pid 3120  netsh.exe
  pid 3392  netsh.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Control Panel\International\Geo\Nation  (11374849012dfeed18493578007f0c53.exe)
Drops startup file (6 IoCs)
Processes (all by server.exe):
  File created:               C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
  File created:               C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d31f5482257e7847270785c2b6a88c7bWindows Update.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d31f5482257e7847270785c2b6a88c7bWindows Update.exe
  File created:               C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe

Executes dropped EXE (1 IoC)
Processes:
  pid 4996  server.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Drops file in System32 directory (2 IoCs)
Processes (all by server.exe):
  File created:               C:\Windows\SysWOW64\Explower.exe
  File opened for modification: C:\Windows\SysWOW64\Explower.exe

Drops file in Program Files directory (2 IoCs)
Processes (all by server.exe):
  File created:               C:\Program Files (x86)\Explower.exe
  File opened for modification: C:\Program Files (x86)\Explower.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid 4996  server.exe  (64 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid 4996  server.exe

Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes (all pid 4996, server.exe):
  Token: SeDebugPrivilege            (1 entry)
  Token: 33                          (17 entries)
  Token: SeIncBasePriorityPrivilege  (17 entries)
  (after the single SeDebugPrivilege entry, the report alternates Token: 33 and Token: SeIncBasePriorityPrivilege)

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  PID 1216 (11374849012dfeed18493578007f0c53.exe) wrote to memory of PID 4996 (server.exe)  x3
  PID 4996 (server.exe) wrote to memory of PID 1712 (netsh.exe)  x3
  PID 4996 (server.exe) wrote to memory of PID 3120 (netsh.exe)  x3
  PID 4996 (server.exe) wrote to memory of PID 3392 (netsh.exe)  x3
Processes

C:\Users\Admin\AppData\Local\Temp\11374849012dfeed18493578007f0c53.exe  (PID 1216, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\11374849012dfeed18493578007f0c53.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\server.exe  (PID 4996, depth 2, child of 1216)
    command line: "C:\Users\Admin\AppData\Roaming\server.exe"
    - Drops startup file
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe  (PID 1712, depth 3, child of 4996)
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
      - Modifies Windows Firewall

    C:\Windows\SysWOW64\netsh.exe  (PID 3120, depth 3, child of 4996)
      command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
      - Modifies Windows Firewall

    C:\Windows\SysWOW64\netsh.exe  (PID 3392, depth 3, child of 4996)
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 4B
MD5: 4d853d9c7197ee7fa81c6535b1f7d655
SHA1: eac3d866e991967b385f3dd22da25e410d8f7f49
SHA256: 5abdb6175f820f0ac3d8647fbb1f7a0bcc91757a782a8a145570944ca6a00c96
SHA512: dc5a09d8586eb9f591f6e00187817c19f693e9328a1b2e5838c61c0b234e9608eecc45bbf7f4a90912e9a456d0ab469ed2503bafb4988b276cec8d5f0b18fda7

Filesize: 93KB  (listed three times; hashes identical to the submitted sample)
MD5: 11374849012dfeed18493578007f0c53
SHA1: 367d9ee8bbd2c911c8d9b51fa6f1b664e90036c2
SHA256: 16607e62e5e61fd70634ebde62a145329a23d3d31867c2e86554b5f9ad313063
SHA512: 46c9a2d2cef8771be3d6b22c88834a3e53de5c7b7751dff39e01566c01621a36225629dfba3fcdc5e1157fa49ee181ff05cd796b1825706e8a7a00a229721d6c