Analysis
- max time kernel: 155s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20231127-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-12-2023 09:38
Behavioral task: behavioral1
- Sample: 11374849012dfeed18493578007f0c53.exe
- Resource: win7-20231023-en
General
- Target: 11374849012dfeed18493578007f0c53.exe
- Size: 93KB
- MD5: 11374849012dfeed18493578007f0c53
- SHA1: 367d9ee8bbd2c911c8d9b51fa6f1b664e90036c2
- SHA256: 16607e62e5e61fd70634ebde62a145329a23d3d31867c2e86554b5f9ad313063
- SHA512: 46c9a2d2cef8771be3d6b22c88834a3e53de5c7b7751dff39e01566c01621a36225629dfba3fcdc5e1157fa49ee181ff05cd796b1825706e8a7a00a229721d6c
- SSDEEP: 768:oY37yTnkpjTMpALPGMtsas88EtNXhU9f1mxCXxrjEtCdnl2pi1Rz4Rk3vsGdp0gM:Ly7kVbPGHz88EbE1pjEwzGi1dDbD0gS
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: hakim32.ddns.net:2000
- C2: 5.tcp.eu.ngrok.io:13940
- Mutex: d31f5482257e7847270785c2b6a88c7b
- reg_key: d31f5482257e7847270785c2b6a88c7b
- splitter: |'|'|
Signatures
- Modifies Windows Firewall (1 TTPs, 3 IoCs)
  Processes (pid | process):
  2748 | netsh.exe
  3508 | netsh.exe
  1104 | netsh.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Control Panel\International\Geo\Nation | 11374849012dfeed18493578007f0c53.exe
- Drops startup file (6 IoCs)
  Processes (description | ioc | process):
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | server.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d31f5482257e7847270785c2b6a88c7bWindows Update.exe | server.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d31f5482257e7847270785c2b6a88c7bWindows Update.exe | server.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | server.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe | server.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe | server.exe
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  3264 | server.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Drops file in System32 directory (2 IoCs)
  Processes (description | ioc | process):
  File created | C:\Windows\SysWOW64\Explower.exe | server.exe
  File opened for modification | C:\Windows\SysWOW64\Explower.exe | server.exe
- Drops file in Program Files directory (2 IoCs)
  Processes (description | ioc | process):
  File created | C:\Program Files (x86)\Explower.exe | server.exe
  File opened for modification | C:\Program Files (x86)\Explower.exe | server.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | process):
  3264 | server.exe (64 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid | process):
  3264 | server.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 3264 | server.exe
  Token: 33 | 3264 | server.exe
  Token: SeIncBasePriorityPrivilege | 3264 | server.exe
  (the last two entries alternate 17 times each, 35 entries in total)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
  PID 1056 wrote to memory of 3264 | 1056 | 11374849012dfeed18493578007f0c53.exe | server.exe (3 identical entries)
  PID 3264 wrote to memory of 1104 | 3264 | server.exe | netsh.exe (3 identical entries)
  PID 3264 wrote to memory of 3508 | 3264 | server.exe | netsh.exe (3 identical entries)
  PID 3264 wrote to memory of 2748 | 3264 | server.exe | netsh.exe (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\11374849012dfeed18493578007f0c53.exe (PID 1056)
  Command line: "C:\Users\Admin\AppData\Local\Temp\11374849012dfeed18493578007f0c53.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\server.exe (PID 3264)
    Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
    - Drops startup file
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
      - Modifies Windows Firewall
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
      - Modifies Windows Firewall
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\app
  Filesize: 4B
  MD5: 4d853d9c7197ee7fa81c6535b1f7d655
  SHA1: eac3d866e991967b385f3dd22da25e410d8f7f49
  SHA256: 5abdb6175f820f0ac3d8647fbb1f7a0bcc91757a782a8a145570944ca6a00c96
  SHA512: dc5a09d8586eb9f591f6e00187817c19f693e9328a1b2e5838c61c0b234e9608eecc45bbf7f4a90912e9a456d0ab469ed2503bafb4988b276cec8d5f0b18fda7
- C:\Users\Admin\AppData\Roaming\server.exe (listed three times with identical hashes)
  Filesize: 93KB
  MD5: 11374849012dfeed18493578007f0c53
  SHA1: 367d9ee8bbd2c911c8d9b51fa6f1b664e90036c2
  SHA256: 16607e62e5e61fd70634ebde62a145329a23d3d31867c2e86554b5f9ad313063
  SHA512: 46c9a2d2cef8771be3d6b22c88834a3e53de5c7b7751dff39e01566c01621a36225629dfba3fcdc5e1157fa49ee181ff05cd796b1825706e8a7a00a229721d6c
- memory/1056-13-0x00000000750B0000-0x0000000075661000-memory.dmp
  Filesize: 5.7MB
- memory/1056-2-0x00000000009D0000-0x00000000009E0000-memory.dmp
  Filesize: 64KB
- memory/1056-0-0x00000000750B0000-0x0000000075661000-memory.dmp
  Filesize: 5.7MB
- memory/1056-1-0x00000000750B0000-0x0000000075661000-memory.dmp
  Filesize: 5.7MB
- memory/3264-14-0x00000000750B0000-0x0000000075661000-memory.dmp
  Filesize: 5.7MB
- memory/3264-15-0x0000000000E30000-0x0000000000E40000-memory.dmp
  Filesize: 64KB
- memory/3264-16-0x00000000750B0000-0x0000000075661000-memory.dmp
  Filesize: 5.7MB
- memory/3264-47-0x00000000750B0000-0x0000000075661000-memory.dmp
  Filesize: 5.7MB
- memory/3264-48-0x0000000000E30000-0x0000000000E40000-memory.dmp
  Filesize: 64KB
- memory/3264-49-0x00000000750B0000-0x0000000075661000-memory.dmp
  Filesize: 5.7MB