Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system -
submitted
19-12-2023 19:09
Static task
static1
Behavioral task
behavioral1
Sample
7fce93d7a0ba558b2de26cecc8f9d57d.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
7fce93d7a0ba558b2de26cecc8f9d57d.exe
Resource
win10v2004-20231215-en
General
-
Target
7fce93d7a0ba558b2de26cecc8f9d57d.exe
-
Size
455KB
-
MD5
7fce93d7a0ba558b2de26cecc8f9d57d
-
SHA1
e957a6a02e091358888a7ca30e77652df102464e
-
SHA256
cf317453c3b9c8f13467a034f2a350fac57a7cfe2c038a86d9f706906fb2b6dc
-
SHA512
7f45fbaefc32e8b24790b137ee77c044e8ca3619c61d71db62a0307ed98e2102da607df496385ca82c49a093d57117de022e5e3d933062cad2e320e8688fbb6f
-
SSDEEP
6144:Od2/yLTYnbgz2q/ZyKphVdvoe77GUZqKCXF1x3HOb2YyPPD71lhNlOQ5JmpD:F/yPYb6wGv+U7cXOBQD3/e
Malware Config
Extracted
Family
njrat
Version
im523
Botnet
14.04.2017
C2
ytka.duckdns.org:1604
Mutex
ed423977d6a5549373be05c39703ea7d
-
reg_key
ed423977d6a5549373be05c39703ea7d
-
splitter
|'|'|
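The extracted config gives everything needed to recognise this bot on the wire: the C2 host and port, the splitter that separates fields inside a message, and the reg_key value that njRAT also uses as the victim's hardware id. The parser below is an added example written for this page, not code from the sandbox or from the malware. The framing it assumes (a decimal byte count, a NUL, then the payload; the first victim message is "ll" with base64("hwid_hostname") as its first field) comes from public njRAT 0.7d analyses rather than from this report, and the traffic it parses is constructed, so treat those as assumptions and validate them against a real pcap before relying on the rule.

```python
"""
Added example, not part of the sandbox report: a small parser for the njRAT
wire framing, parameterised with the values the report extracted (splitter
|'|'|, C2 ytka.duckdns.org:1604, reg_key ed423977d6a5549373be05c39703ea7d).

Assumptions taken from public njRAT 0.7d analyses, not from this report:
  * every message is  <decimal length> NUL <payload>, length counting the
    payload bytes, so a message may straddle TCP segments;
  * the payload is a command plus arguments joined by the splitter;
  * the victim's first message is the "ll" registration whose first argument
    is base64("<hwid>_<hostname>") and whose hwid equals the reg_key value.
The traffic below is constructed to that shape; it is not real capture data.
"""
import base64
from dataclasses import dataclass

SPLITTER = "|'|'|"                                  # from the extracted config
REG_KEY = "ed423977d6a5549373be05c39703ea7d"        # from the extracted config
C2 = ("ytka.duckdns.org", 1604)                     # from the extracted config


@dataclass
class NjratMessage:
    command: str
    args: list


class NjratStreamParser:
    """Incremental parser: feed() raw TCP segments, receive complete messages."""

    def __init__(self, splitter: str = SPLITTER) -> None:
        self.splitter = splitter.encode()
        self.buf = b""

    def feed(self, data: bytes) -> list:
        self.buf += data
        out = []
        while True:
            nul = self.buf.find(b"\x00")
            if nul == -1:
                break                                # length prefix not complete yet
            length_txt = self.buf[:nul]
            if not length_txt.isdigit():
                raise ValueError(f"not njRAT framing: {length_txt!r}")
            end = nul + 1 + int(length_txt)
            if len(self.buf) < end:
                break                                # payload still arriving
            payload, self.buf = self.buf[nul + 1:end], self.buf[end:]
            parts = payload.split(self.splitter)
            out.append(NjratMessage(parts[0].decode("latin-1"),
                                    [p.decode("latin-1") for p in parts[1:]]))
        return out


def frame(command: str, *args: str, splitter: str = SPLITTER) -> bytes:
    """Build one wire message: <len> NUL <command><splitter><arg>..."""
    payload = splitter.join((command, *args)).encode()
    return str(len(payload)).encode() + b"\x00" + payload


def build_registration(hwid: str, hostname: str, user: str) -> bytes:
    """Constructed 'll' registration message (field order is an assumption)."""
    ident = base64.b64encode(f"{hwid}_{hostname}".encode()).decode()
    return frame("ll", ident, user)


def decode_registration(msg: NjratMessage) -> dict:
    """Recover the victim id from an 'll' message and compare its hwid with reg_key."""
    if msg.command != "ll" or not msg.args:
        raise ValueError("not a registration message")
    ident = base64.b64decode(msg.args[0]).decode("latin-1")
    hwid, _, host = ident.partition("_")
    return {"hwid": hwid, "hostname": host,
            "user": msg.args[1] if len(msg.args) > 1 else "",
            "reg_key_match": hwid == REG_KEY}


if __name__ == "__main__":
    parser = NjratStreamParser()
    stream = build_registration(REG_KEY, "DESKTOP-01", "Admin") + frame("inf")
    for segment in (stream[:10], stream[10:]):       # deliberately split mid-message
        for msg in parser.feed(segment):
            print(msg.command, msg.args)
            if msg.command == "ll":
                print(decode_registration(msg))
```

The parser keeps a buffer across segments on purpose: a length-prefixed protocol reassembled one segment at a time will otherwise drop or mis-split messages, and that is exactly the case a per-packet signature on the splitter misses. The base64 alphabet cannot contain the splitter, so splitting the payload on it is safe for the registration fields.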
Signatures
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Drops startup file 1 IoCs
Processes: doclan.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\luk.lnk | doclan.exe
-
Executes dropped EXE 4 IoCs
Processes: BitsProg.exe, doclan.exe, conhost.exe, conhost.exe
pid | process
2892 | BitsProg.exe
2348 | doclan.exe
2884 | conhost.exe
1460 | conhost.exe
-
Loads dropped DLL 3 IoCs
Processes: doclan.exe
pid | process
2348 | doclan.exe
2348 | doclan.exe
2348 | doclan.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: conhost.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\ed423977d6a5549373be05c39703ea7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\conhost.exe\" .." | conhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ed423977d6a5549373be05c39703ea7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\conhost.exe\" .." | conhost.exe
-
Drops autorun.inf file 1 TTPs 5 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: conhost.exe
description | ioc | process
File created | F:\autorun.inf | conhost.exe
File opened for modification | F:\autorun.inf | conhost.exe
File created | C:\autorun.inf | conhost.exe
File opened for modification | C:\autorun.inf | conhost.exe
File created | D:\autorun.inf | conhost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 2 IoCs
Processes:
resource | yara_rule
C:\ProgramData\doclan.exe | nsis_installer_1
C:\ProgramData\doclan.exe | nsis_installer_2
-
Kills process with taskkill 1 IoCs
Processes: taskkill.exe
pid | process
2236 | taskkill.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: conhost.exe
pid | process
1460 | conhost.exe (64 identical entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: conhost.exe
pid | process
1460 | conhost.exe
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
Processes: taskkill.exe, conhost.exe
description | pid | process
Token: SeDebugPrivilege | 2236 | taskkill.exe
Token: SeDebugPrivilege | 1460 | conhost.exe
Token: 33 | 1460 | conhost.exe
Token: SeIncBasePriorityPrivilege | 1460 | conhost.exe
Token: 33 | 1460 | conhost.exe
Token: SeIncBasePriorityPrivilege | 1460 | conhost.exe
Token: 33 | 1460 | conhost.exe
Token: SeIncBasePriorityPrivilege | 1460 | conhost.exe
Token: 33 | 1460 | conhost.exe
Token: SeIncBasePriorityPrivilege | 1460 | conhost.exe
Token: 33 | 1460 | conhost.exe
Token: SeIncBasePriorityPrivilege | 1460 | conhost.exe
Token: 33 | 1460 | conhost.exe
Token: SeIncBasePriorityPrivilege | 1460 | conhost.exe
Token: 33 | 1460 | conhost.exe
Token: SeIncBasePriorityPrivilege | 1460 | conhost.exe
Token: 33 | 1460 | conhost.exe
Token: SeIncBasePriorityPrivilege | 1460 | conhost.exe
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes: 7fce93d7a0ba558b2de26cecc8f9d57d.exe, doclan.exe, conhost.exe, conhost.exe
description | pid | process | target process
PID 2200 wrote to memory of 2892 | 2200 | 7fce93d7a0ba558b2de26cecc8f9d57d.exe | BitsProg.exe
PID 2200 wrote to memory of 2892 | 2200 | 7fce93d7a0ba558b2de26cecc8f9d57d.exe | BitsProg.exe
PID 2200 wrote to memory of 2892 | 2200 | 7fce93d7a0ba558b2de26cecc8f9d57d.exe | BitsProg.exe
PID 2200 wrote to memory of 2348 | 2200 | 7fce93d7a0ba558b2de26cecc8f9d57d.exe | doclan.exe
PID 2200 wrote to memory of 2348 | 2200 | 7fce93d7a0ba558b2de26cecc8f9d57d.exe | doclan.exe
PID 2200 wrote to memory of 2348 | 2200 | 7fce93d7a0ba558b2de26cecc8f9d57d.exe | doclan.exe
PID 2200 wrote to memory of 2348 | 2200 | 7fce93d7a0ba558b2de26cecc8f9d57d.exe | doclan.exe
PID 2348 wrote to memory of 2884 | 2348 | doclan.exe | conhost.exe
PID 2348 wrote to memory of 2884 | 2348 | doclan.exe | conhost.exe
PID 2348 wrote to memory of 2884 | 2348 | doclan.exe | conhost.exe
PID 2348 wrote to memory of 2884 | 2348 | doclan.exe | conhost.exe
PID 2884 wrote to memory of 1460 | 2884 | conhost.exe | conhost.exe
PID 2884 wrote to memory of 1460 | 2884 | conhost.exe | conhost.exe
PID 2884 wrote to memory of 1460 | 2884 | conhost.exe | conhost.exe
PID 1460 wrote to memory of 2364 | 1460 | conhost.exe | netsh.exe
PID 1460 wrote to memory of 2364 | 1460 | conhost.exe | netsh.exe
PID 1460 wrote to memory of 2364 | 1460 | conhost.exe | netsh.exe
PID 1460 wrote to memory of 2236 | 1460 | conhost.exe | taskkill.exe
PID 1460 wrote to memory of 2236 | 1460 | conhost.exe | taskkill.exe
PID 1460 wrote to memory of 2236 | 1460 | conhost.exe | taskkill.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7fce93d7a0ba558b2de26cecc8f9d57d.exe (depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\7fce93d7a0ba558b2de26cecc8f9d57d.exe"
- Suspicious use of WriteProcessMemory
-
  C:\ProgramData\BitsProg.exe (depth 2)
  command line: "C:\ProgramData\BitsProg.exe"
  - Executes dropped EXE
  -
  C:\ProgramData\doclan.exe (depth 2)
  command line: "C:\ProgramData\doclan.exe"
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  -
    C:\Users\Admin\AppData\Roaming\conhost.exe (depth 3)
    command line: C:\Users\Admin\AppData\Roaming\conhost.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    -
      C:\Users\Admin\AppData\Local\Temp\conhost.exe (depth 4)
      command line: "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops autorun.inf file
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      -
        C:\Windows\system32\netsh.exe (depth 5)
        command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\conhost.exe" "conhost.exe" ENABLE
        - Modifies Windows Firewall
        -
        C:\Windows\system32\taskkill.exe (depth 5)
        command line: taskkill /F /IM cmd.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
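The signatures and the process tree together describe a compact, hunt-able pattern: a binary named conhost.exe running from %TEMP% rather than System32, a Run value whose name is the 32-hex reg_key pointing at that binary, a .lnk in the user's Startup folder, autorun.inf written to every drive root, a netsh firewall exception for the %TEMP% binary, and a forced taskkill of cmd.exe. The script below is an added example for this page (not the sandbox's own detection logic) that turns each of those observations into a rule and runs them over a handful of constructed host events modelled on the report. The Event layout loosely mirrors Sysmon process-create, file-create and registry-set records; the layout and the records are assumptions, only the paths, value name and command lines are taken from the report.

```python
"""
Added example, not part of the sandbox report: hunting rules for the
persistence and defence-evasion behaviour the report records, run over a
few constructed host events shaped like Sysmon records (process create,
file create, registry value set). The Event layout and the records are
assumptions made for this example; only the paths, value name and command
lines inside them are taken from the report.
"""
import re
from dataclasses import dataclass

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "c:\\programdata\\")
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
HEX32 = re.compile(r"^[0-9a-f]{32}$")


@dataclass
class Event:
    kind: str            # "process", "file" or "registry"
    image: str           # process performing the action
    cmdline: str = ""    # process events
    path: str = ""       # file events: file written
    key: str = ""        # registry events: full value path
    value: str = ""      # registry events: data written


def rule_masquerade(ev: Event):
    """conhost.exe (a Windows system binary name) running from outside System32/SysWOW64."""
    img = ev.image.lower()
    if ev.kind == "process" and img.endswith("\\conhost.exe") and not img.startswith(SYSTEM_DIRS):
        return f"system binary name outside system dir: {ev.image}"
    return None


def rule_run_key(ev: Event):
    """Run value named by a bare 32-hex string, pointing into a user-writable directory."""
    if ev.kind != "registry" or RUN_KEY not in ev.key.lower():
        return None
    name = ev.key.rsplit("\\", 1)[-1].lower()
    data = ev.value.lower()
    if HEX32.match(name) and any(d in data for d in USER_WRITABLE):
        return f"Run key {name} -> {ev.value}"
    return None


def rule_startup_or_autorun(ev: Event):
    """Startup-folder .lnk drop, or autorun.inf written to a drive root."""
    if ev.kind != "file":
        return None
    p = ev.path.lower()
    if p.endswith(".lnk") and "\\start menu\\programs\\startup\\" in p:
        return f"startup-folder shortcut dropped: {ev.path}"
    if re.fullmatch(r"[a-z]:\\autorun\.inf", p):
        return f"autorun.inf written to drive root: {ev.path}"
    return None


def rule_firewall_and_taskkill(ev: Event):
    """netsh exception for a user-writable binary, or forced kill of another process."""
    if ev.kind != "process":
        return None
    c = ev.cmdline.lower()
    if "netsh" in c and "firewall" in c and "allowedprogram" in c and any(d in c for d in USER_WRITABLE):
        return f"firewall exception for user-writable binary: {ev.cmdline}"
    if "taskkill" in c and "/f" in c and "/im" in c:
        return f"forced process kill: {ev.cmdline}"
    return None


RULES = (rule_masquerade, rule_run_key, rule_startup_or_autorun, rule_firewall_and_taskkill)


def hunt(events):
    """Return (rule name, finding) for every rule that fires on every event."""
    hits = []
    for ev in events:
        for rule in RULES:
            finding = rule(ev)
            if finding:
                hits.append((rule.__name__, finding))
    return hits


TEMP_CONHOST = r"C:\Users\Admin\AppData\Local\Temp\conhost.exe"

# Constructed events modelled on the report's IoCs (not real telemetry).
SAMPLE_EVENTS = [
    Event("process", TEMP_CONHOST, cmdline=f'"{TEMP_CONHOST}" ..'),
    Event("process", r"C:\Windows\system32\conhost.exe",
          cmdline=r"\??\C:\Windows\system32\conhost.exe 0x4"),          # benign, must not fire
    Event("registry", TEMP_CONHOST,
          key=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ed423977d6a5549373be05c39703ea7d",
          value=f'"{TEMP_CONHOST}" ..'),
    Event("file", r"C:\ProgramData\doclan.exe",
          path=r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\luk.lnk"),
    Event("file", TEMP_CONHOST, path=r"F:\autorun.inf"),
    Event("process", r"C:\Windows\system32\netsh.exe",
          cmdline=f'netsh firewall add allowedprogram "{TEMP_CONHOST}" "conhost.exe" ENABLE'),
    Event("process", r"C:\Windows\system32\taskkill.exe", cmdline="taskkill /F /IM cmd.exe"),
]

if __name__ == "__main__":
    for name, finding in hunt(SAMPLE_EVENTS):
        print(f"[{name}] {finding}")
```

Each rule keys on the structural trait rather than on this sample's hashes: the Run value name is matched as "any 32-hex string", the masquerade rule compares the image directory against the system directories, and the firewall rule only fires when the whitelisted program lives somewhere a standard user can write. The second event (the real conhost.exe under System32) is there to show the masquerade rule staying quiet on legitimate activity.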
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process 1
Windows Service 1
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Downloads
-
C:\ProgramData\BitsProg.exe
Filesize 46KB
MD5 4aba833aab8032707642515bebc59d1b
SHA1 d5079efd8335aa23162f0165abf426d21a105607
SHA256 822c77973808a0c96608824606d38dcf7b48684919fc2ba57965b6d45dd4b6ad
SHA512 25c86a5e9af0f951c6a5851a3e7330d517a63bdbdd245f8eb0fd3668208c585bcb121cab91ae3583a31940b15eb26711a8a424e98731c7804221d6b26a9d5a14
-
C:\ProgramData\doclan.exe
Filesize 396KB
MD5 b9388102124c0d070b2ae86908938b41
SHA1 bfc1a3713f25ba86ca80ed325c5ff30066ecfcc6
SHA256 f877ac762828cd7ceeb48028eb6b291a105d8c615912f86d256a6c5f48ccc779
SHA512 f417a1e4160ca7491341de5ee2413f0ca21a6d5757f05d25d176b6ab8b4ede8557891a6d2f051c4710e6714ba16a4cf1f608e5ecc32c3b10b37c3d5bac322438
-
C:\Users\Admin\AppData\Local\Temp\conhost.exe
Filesize 1.0MB
MD5 00a9e6fdd884f9276c09c478a3b1d101
SHA1 3be2b06abfec17151b86bb172eba193f968a4ebc
SHA256 7e8e4fe2adb306db8d5785949c4c0e00c2c6bcc13606d78a3e1fccd0d20dd134
SHA512 23f46750190d1da38fdc91bd6b767a6125d5443d9b751736d5f02c7dfd5446e4a2b9dfc63ac8199f7893add1e651ac9b6e9d4d6e6348362262bb7034afeeea4d
-
C:\Users\Admin\AppData\Local\Temp\conhost.exe
Filesize 553KB
MD5 ae75d40102dda007891aa83aada20c26
SHA1 61366eb56d2f5cfc6e05b2f8b7b389b22f2905f1
SHA256 5c430c4a7364c6f1115beb0176ae53b65ebed872eeeb1a7dc6d53927a77a323a
SHA512 a18fba1c24972e01a02f466fdaf95bd1214ca682b035e59f7289b952cb3d18be505ac3e1a3c4ad84352fa22fd2aabb17e4d684c928c053b35801cc298ba3f945
-
C:\Users\Admin\AppData\Roaming\conhost.exe
Filesize 641KB
MD5 d98bdce1bd880ede97625a1c352cdd63
SHA1 77fcfd979ed3d8400d56dcfdde246a97e490b1fa
SHA256 9fb3e241c5976382f323a57bc7262800a39bb21d9fcce5fc2ca0c87798129d62
SHA512 9e86fa2e131b48f112ba1a423c7c6269b9b52bba66300b99fd27157baa3d36534e6cf996f8f349b6e5e4fe8ea22469454ff1d47c12e543afe4646e85be8c623f
-
C:\Users\Admin\AppData\Roaming\conhost.exe
Filesize 562KB
MD5 8c8a4eda0a81b90524fb643065b3213f
SHA1 0c869e96f609776615fa4d5aafb867f0bf4cba1f
SHA256 e848fd8907e3d93ecb078004f43d36428e45dfcf1d17eaa033f09a84aab17236
SHA512 af5ffa287ac280f18d7bb6ef0a268fdbfc86728edcc5b0e40519e994c3bcd1fa0f5b6dcdea010b18c20ec49e62361f3237ad34d2856dd81b01d58ac4a118d194
-
\Users\Admin\AppData\Roaming\conhost.exe
Filesize 781KB
MD5 452ca4d9b9257dc7b82acbcf1c5fc67b
SHA1 a6c4df84fe9bd1232cc4181bbde3d8581f5b7dc6
SHA256 7a90995136dab545a2774413673790bd348ec52bdeac628d2774e3504dc6b23f
SHA512 0d91db451f502533bd9110267923830e5a620ef7b2e81ed0a26093c77d6a676ad655b38a40351b9ddf2fcfb8ce6c2d32385cc8a4b6847065b2fce8f2c54b8c15
-
\Users\Admin\AppData\Roaming\conhost.exe
Filesize 634KB
MD5 04fad8bf6d861a107a2013de6661b709
SHA1 5abddcc23bc9d228e2035b01881f941aa9b6c8b0
SHA256 e1f2ebb5614db0b12163835a0cc37d0411d45670afe7fb6296996b9b7e543de1
SHA512 7da0295897ee815547e61d19bede86345c5e90c84b8a0e29b19274c70ff55cd942e34cd75ca4533321ae345f3e74ea27a389e2394079b81aeff242ff5fb7634c
-
\Users\Admin\AppData\Roaming\conhost.exe
Filesize 511KB
MD5 18ae2c037859c758aec5605c391e020b
SHA1 1cb1aded142e84fa1472622eaf13c5907198ec6f
SHA256 086472e4594293e71bae02e86b335d8dc2b686817e98eb85c45f85eb276cb1a6
SHA512 34b7233e6d341ebe33899d32fd440ad112bde05202cb5f450532c44befe118fe6945cd130590257ddabe9f8f3155d089d73d7b3036d37d25cc913a64de079996
-
memory/1460-50-0x000000001ADE0000-0x000000001AE60000-memory.dmp
Filesize 512KB
-
memory/1460-56-0x000000001ADE0000-0x000000001AE60000-memory.dmp
Filesize 512KB
-
memory/1460-53-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp
Filesize 9.9MB
-
memory/1460-48-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp
Filesize 9.9MB
-
memory/1460-47-0x00000000009D0000-0x0000000000AE0000-memory.dmp
Filesize 1.1MB
-
memory/1460-52-0x000000001ADE0000-0x000000001AE60000-memory.dmp
Filesize 512KB
-
memory/1460-54-0x000000001ADE0000-0x000000001AE60000-memory.dmp
Filesize 512KB
-
memory/1460-55-0x000000001ADE0000-0x000000001AE60000-memory.dmp
Filesize 512KB
-
memory/1460-51-0x000000001ADE0000-0x000000001AE60000-memory.dmp
Filesize 512KB
-
memory/2200-0-0x0000000000210000-0x0000000000286000-memory.dmp
Filesize 472KB
-
memory/2200-1-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp
Filesize 9.9MB
-
memory/2200-14-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp
Filesize 9.9MB
-
memory/2884-32-0x000000001B1C0000-0x000000001B240000-memory.dmp
Filesize 512KB
-
memory/2884-35-0x000000001B1C0000-0x000000001B240000-memory.dmp
Filesize 512KB
-
memory/2884-34-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp
Filesize 9.9MB
-
memory/2884-38-0x000000001B1C0000-0x000000001B240000-memory.dmp
Filesize 512KB
-
memory/2884-39-0x0000000000590000-0x00000000005A0000-memory.dmp
Filesize 64KB
-
memory/2884-31-0x000000001B1C0000-0x000000001B240000-memory.dmp
Filesize 512KB
-
memory/2884-28-0x000000001B1C0000-0x000000001B240000-memory.dmp
Filesize 512KB
-
memory/2884-24-0x0000000000CD0000-0x0000000000DE0000-memory.dmp
Filesize 1.1MB
-
memory/2884-25-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp
Filesize 9.9MB
-
memory/2884-49-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp
Filesize 9.9MB
-
memory/2892-29-0x000000001B080000-0x000000001B100000-memory.dmp
Filesize 512KB
-
memory/2892-9-0x0000000000140000-0x0000000000150000-memory.dmp
Filesize 64KB
-
memory/2892-37-0x000000001B080000-0x000000001B100000-memory.dmp
Filesize 512KB
-
memory/2892-36-0x000000001B080000-0x000000001B100000-memory.dmp
Filesize 512KB
-
memory/2892-33-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp
Filesize 9.9MB
-
memory/2892-30-0x000000001B080000-0x000000001B100000-memory.dmp
Filesize 512KB
-
memory/2892-13-0x000007FEF5BE0000-0x000007FEF65CC000-memory.dmp
Filesize 9.9MB