Analysis
- max time kernel: 119s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 19-12-2023 10:59

Static task: static1
Behavioral task: behavioral1
- Sample: 0eb49170e762d1d8745681e2157d8215.exe
- Resource: win7-20231215-en
General
- Target: 0eb49170e762d1d8745681e2157d8215.exe
- Size: 33KB
- MD5: 0eb49170e762d1d8745681e2157d8215
- SHA1: 0244d2f6e18bc6124f3a4153acb871c818a4db8b
- SHA256: 6a57368ea33eb414da5c2bdd0e3a12c8d47575c44ba13a966bea162d4796b0c9
- SHA512: 99ae0b41a752b6d15dd54bd9cefdca514e9b1a194014f798902242c8186c9f4edb849a35bdc36171c63e8fe057b5d603c264d192707d2afe3603ad230facad4d
- SSDEEP: 768:VvTSwH0f6lx8gcRfufYHGulkR23t+UG78iK1KB/9dZ:tSwH0fM8jS3R29nG4TgBF
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: 127.0.0.1:5552
- Mutex: Windows Update
- Attributes:
  - reg_key: Windows Update
  - splitter: |'|'|

Note: the configured C2 is the loopback address (127.0.0.1:5552), so no outbound beacon to an external host can be expected from this run; the C2 value is only useful as an artifact of the build, not as a network indicator. The reg_key value ("Windows Update") and the splitter string are the host- and wire-level indicators to pivot on.
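As an added example (not part of the sandbox output and not njRAT's own code), the following parser turns the extracted splitter into a detection aid for captured traffic. It assumes the common njRAT framing of an ASCII decimal length, a NUL byte, then a body whose fields are joined by the splitter, and that the first message after connect is the "ll" registration; the sample stream, its field layout and the "inf" message are constructed for illustration, not captured traffic.

```python
# Added example for this report; not sandbox output and not njRAT's own code.
# Assumed framing: "<decimal length>\x00<body>", body fields joined by the
# splitter from the extracted config. The beacon layout below is constructed.
from typing import List, Optional, Tuple

SPLITTER = b"|'|'|"                    # "splitter" from the extracted config
C2_HOST, C2_PORT = "127.0.0.1", 5552   # "C2" from the extracted config
MAX_PREFIX_DIGITS = 10                 # sanity bound on the ASCII length prefix


def build_frame(fields: List[bytes], splitter: bytes = SPLITTER) -> bytes:
    """Join fields with the splitter and prepend the ASCII length and NUL."""
    body = splitter.join(fields)
    return str(len(body)).encode() + b"\x00" + body


def parse_frame(buf: bytes, splitter: bytes = SPLITTER) -> Tuple[Optional[List[bytes]], bytes]:
    """Take one frame off the front of buf.

    Returns (fields, remaining). fields is None when the prefix is not a
    plausible "<digits>\\x00" header or the body is not fully buffered yet;
    remaining is then buf unchanged so the caller can wait for more data
    or resynchronise rather than mis-parse.
    """
    nul = buf.find(b"\x00", 0, MAX_PREFIX_DIGITS + 1)
    if nul <= 0 or not buf[:nul].isdigit():
        return None, buf                # malformed or oversized prefix
    length = int(buf[:nul])
    start = nul + 1
    if len(buf) - start < length:
        return None, buf                # incomplete frame
    body = buf[start:start + length]
    return body.split(splitter), buf[start + length:]


def parse_stream(buf: bytes, splitter: bytes = SPLITTER) -> List[List[bytes]]:
    """Parse every complete frame in a TCP stream chunk; stops at the first
    malformed or partial frame instead of guessing."""
    frames: List[List[bytes]] = []
    while buf:
        fields, buf = parse_frame(buf, splitter)
        if fields is None:
            break
        frames.append(fields)
    return frames


def is_registration(fields: List[bytes]) -> bool:
    """Assumed: the first client message after connect is "ll" (registration),
    followed by at least one identifying field."""
    return len(fields) >= 2 and fields[0] == b"ll"


# Constructed sample stream: a registration beacon built from values in the
# report (botnet "HacKed", version "0.7d"), a short second message, and a
# truncated third frame as it might arrive in one TCP chunk.
SAMPLE_STREAM = (
    build_frame([b"ll", b"HacKed_5A3B9C1D", b"WIN7-PC", b"Admin", b"19-12-2023",
                 b"", b"Win 7 Professional SP1 x64", b"No", b"0.7d"])
    + build_frame([b"inf"])
    + b"42\x00ll|'|'|partial"
)


if __name__ == "__main__":
    for frame in parse_stream(SAMPLE_STREAM):
        tag = "registration" if is_registration(frame) else "other"
        print(tag, frame)
```

The parser refuses to advance past a frame whose prefix is not all digits or whose body is short, which is the behaviour you want in a stream reassembler: a single junk byte should stall rather than shift every later field. The splitter and C2 constants are exactly the values from the extracted config, so the same code can be pointed at a pcap from a build with a different splitter by changing one constant.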
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoCs)
  Processes:
    Key created: \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_Classes\Local Settings  (process: rundll32.exe)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    PID 2828  AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    PID 2828  AcroRd32.exe
    PID 2828  AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    PID 2000 (0eb49170e762d1d8745681e2157d8215.exe) wrote to memory of PID 1068 (rundll32.exe)  x3
    PID 1068 (rundll32.exe) wrote to memory of PID 2828 (AcroRd32.exe)  x4
Processes
1. C:\Users\Admin\AppData\Local\Temp\0eb49170e762d1d8745681e2157d8215.exe
   "C:\Users\Admin\AppData\Local\Temp\0eb49170e762d1d8745681e2157d8215.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\patsh
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
         "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\patsh"
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx

Reading the tree: the sample writes a file named patsh to %TEMP% whose hashes (see Downloads) are identical to the submitted binary, then invokes shell32!OpenAs_RunDLL on it, which is the "Open with" dialog. The dialog choice in this run launched Adobe Reader 9 on the copy, so the AcroRd32.exe behaviours listed here are Reader handling a non-PDF file, not the RAT's own activity. No persistence under the configured reg_key and no C2 traffic are recorded in this run.
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\patsh
  Filesize: 33KB
  MD5: 0eb49170e762d1d8745681e2157d8215
  SHA1: 0244d2f6e18bc6124f3a4153acb871c818a4db8b
  SHA256: 6a57368ea33eb414da5c2bdd0e3a12c8d47575c44ba13a966bea162d4796b0c9
  SHA512: 99ae0b41a752b6d15dd54bd9cefdca514e9b1a194014f798902242c8186c9f4edb849a35bdc36171c63e8fe057b5d603c264d192707d2afe3603ad230facad4d
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  Filesize: 3KB
  MD5: befb7adb41c088bdf18c6533c0c33a68
  SHA1: 7de7bb005da507ab07c641d94509cb9c38fecfd7
  SHA256: f1584f3566876177f922e384e57190c4e8be24b497aa60bf16b986d8ccf0cdcd
  SHA512: 182471f95a80913c83e4bf76d5d7a0d6d6a6abdbe26b980cca9c9c0b2f11160bc60209af73d7031503cfb65ad916f9a34aff5040b8062c0a17af4b85d7360689
- memory/2000-0-0x0000000000170000-0x0000000000186000-memory.dmp
  Filesize: 88KB
- memory/2000-1-0x000007FEF6150000-0x000007FEF6AED000-memory.dmp
  Filesize: 9.6MB
- memory/2000-2-0x0000000000B60000-0x0000000000BE0000-memory.dmp
  Filesize: 512KB
- memory/2000-3-0x000007FEF6150000-0x000007FEF6AED000-memory.dmp
  Filesize: 9.6MB
- memory/2000-6-0x000007FEF6150000-0x000007FEF6AED000-memory.dmp
  Filesize: 9.6MB