Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-12-2023 19:09
Static task: static1
Behavioral task: behavioral1
- Sample: 7fce93d7a0ba558b2de26cecc8f9d57d.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 7fce93d7a0ba558b2de26cecc8f9d57d.exe
- Resource: win10v2004-20231215-en
General
- Target: 7fce93d7a0ba558b2de26cecc8f9d57d.exe
- Size: 455KB
- MD5: 7fce93d7a0ba558b2de26cecc8f9d57d
- SHA1: e957a6a02e091358888a7ca30e77652df102464e
- SHA256: cf317453c3b9c8f13467a034f2a350fac57a7cfe2c038a86d9f706906fb2b6dc
- SHA512: 7f45fbaefc32e8b24790b137ee77c044e8ca3619c61d71db62a0307ed98e2102da607df496385ca82c49a093d57117de022e5e3d933062cad2e320e8688fbb6f
- SSDEEP: 6144:Od2/yLTYnbgz2q/ZyKphVdvoe77GUZqKCXF1x3HOb2YyPPD71lhNlOQ5JmpD:F/yPYb6wGv+U7cXOBQD3/e
Malware Config
Extracted (family: njrat)
- Botnet: im523
- Version: 14.04.2017
- C2: ytka.duckdns.org:1604
- ed423977d6a5549373be05c39703ea7d
- reg_key: ed423977d6a5549373be05c39703ea7d
- splitter: |'|'|
Signatures
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 7fce93d7a0ba558b2de26cecc8f9d57d.exe, conhost.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation (7fce93d7a0ba558b2de26cecc8f9d57d.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation (conhost.exe)
- Drops startup file (1 IoC)
  Processes: doclan.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\luk.lnk (doclan.exe)
- Executes dropped EXE (4 IoCs)
  Processes: BitsProg.exe, doclan.exe, conhost.exe, conhost.exe
  - PID 1596 BitsProg.exe
  - PID 212 doclan.exe
  - PID 452 conhost.exe
  - PID 4076 conhost.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: conhost.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ed423977d6a5549373be05c39703ea7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\conhost.exe\" .." (conhost.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ed423977d6a5549373be05c39703ea7d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\conhost.exe\" .." (conhost.exe)
- Drops autorun.inf file (1 TTP, 5 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  Processes: conhost.exe
  - File created: F:\autorun.inf (conhost.exe)
  - File opened for modification: F:\autorun.inf (conhost.exe)
  - File created: C:\autorun.inf (conhost.exe)
  - File opened for modification: C:\autorun.inf (conhost.exe)
  - File created: D:\autorun.inf (conhost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- NSIS installer (2 IoCs)
  - C:\ProgramData\doclan.exe matches YARA rule nsis_installer_1
  - C:\ProgramData\doclan.exe matches YARA rule nsis_installer_2
- Kills process with taskkill (1 IoC)
  Processes: taskkill.exe
  - PID 3580 taskkill.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: conhost.exe
  - PID 4076 conhost.exe (64 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: conhost.exe
  - PID 4076 conhost.exe
- Suspicious use of AdjustPrivilegeToken (20 IoCs)
  Processes: taskkill.exe, conhost.exe
  - Token: SeDebugPrivilege, PID 3580 taskkill.exe
  - Token: SeDebugPrivilege, PID 4076 conhost.exe
  - Token: 33, PID 4076 conhost.exe (9 occurrences, alternating with the next entry)
  - Token: SeIncBasePriorityPrivilege, PID 4076 conhost.exe (9 occurrences)
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes: 7fce93d7a0ba558b2de26cecc8f9d57d.exe, doclan.exe, conhost.exe, conhost.exe
  - PID 4924 wrote to memory of 1596: 7fce93d7a0ba558b2de26cecc8f9d57d.exe -> BitsProg.exe (2 occurrences)
  - PID 4924 wrote to memory of 212: 7fce93d7a0ba558b2de26cecc8f9d57d.exe -> doclan.exe (3 occurrences)
  - PID 212 wrote to memory of 452: doclan.exe -> conhost.exe (2 occurrences)
  - PID 452 wrote to memory of 4076: conhost.exe -> conhost.exe (2 occurrences)
  - PID 4076 wrote to memory of 4604: conhost.exe -> netsh.exe (2 occurrences)
  - PID 4076 wrote to memory of 3580: conhost.exe -> taskkill.exe (2 occurrences)
Processes (tree depth shown by indentation)
C:\Users\Admin\AppData\Local\Temp\7fce93d7a0ba558b2de26cecc8f9d57d.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7fce93d7a0ba558b2de26cecc8f9d57d.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\ProgramData\BitsProg.exe (depth 2)
    Command line: "C:\ProgramData\BitsProg.exe"
    - Executes dropped EXE
  C:\ProgramData\doclan.exe (depth 2)
    Command line: "C:\ProgramData\doclan.exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\conhost.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Roaming\conhost.exe
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\conhost.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops autorun.inf file
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SYSTEM32\netsh.exe (depth 5)
          Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\conhost.exe" "conhost.exe" ENABLE
          - Modifies Windows Firewall
        C:\Windows\SYSTEM32\taskkill.exe (depth 5)
          Command line: taskkill /F /IM cmd.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence:
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
C:\ProgramData\BitsProg.exe
- Filesize: 46KB
- MD5: 4aba833aab8032707642515bebc59d1b
- SHA1: d5079efd8335aa23162f0165abf426d21a105607
- SHA256: 822c77973808a0c96608824606d38dcf7b48684919fc2ba57965b6d45dd4b6ad
- SHA512: 25c86a5e9af0f951c6a5851a3e7330d517a63bdbdd245f8eb0fd3668208c585bcb121cab91ae3583a31940b15eb26711a8a424e98731c7804221d6b26a9d5a14

C:\ProgramData\doclan.exe
- Filesize: 396KB
- MD5: b9388102124c0d070b2ae86908938b41
- SHA1: bfc1a3713f25ba86ca80ed325c5ff30066ecfcc6
- SHA256: f877ac762828cd7ceeb48028eb6b291a105d8c615912f86d256a6c5f48ccc779
- SHA512: f417a1e4160ca7491341de5ee2413f0ca21a6d5757f05d25d176b6ab8b4ede8557891a6d2f051c4710e6714ba16a4cf1f608e5ecc32c3b10b37c3d5bac322438

C:\Users\Admin\AppData\Local\Temp\conhost.exe
- Filesize: 409KB
- MD5: 3f7505a47a226e431bc813de5d359695
- SHA1: d767624f41e9cf5691c3ca507ca3967de3eae659
- SHA256: fa4b7115ed091455b4f5bc4cd0f0c5d034e88b495d6a888fba49253bb4847fc2
- SHA512: 2254202f53f8c78a5e8a37e2d3fa0a517bb569dac2dcdbb0a51500c007d20dda9719bd2efdfeb285fbe9bf7d0d0576d97cdf621e6707e43b9493f76f9dbca07b

C:\Users\Admin\AppData\Local\Temp\conhost.exe
- Filesize: 336KB
- MD5: dda6cd90c77ab497488748a1f7c268fe
- SHA1: 50512fa43993d7433400f791fa649febfd19186c
- SHA256: 7b667f5ff9e73d34c38bcfe8b9bbe50393948697dc5c5c897f7b64aa61ffe119
- SHA512: a6795c0497a4e755c98af7eae2ea692fbf8213ec7f8f0dfe3746a440c91fb5dc40f06ff8f329f4be08a0f51372ef62fdefb51b9e3a2757300dd8a657c179f70b

C:\Users\Admin\AppData\Roaming\conhost.exe
- Filesize: 1.0MB
- MD5: 00a9e6fdd884f9276c09c478a3b1d101
- SHA1: 3be2b06abfec17151b86bb172eba193f968a4ebc
- SHA256: 7e8e4fe2adb306db8d5785949c4c0e00c2c6bcc13606d78a3e1fccd0d20dd134
- SHA512: 23f46750190d1da38fdc91bd6b767a6125d5443d9b751736d5f02c7dfd5446e4a2b9dfc63ac8199f7893add1e651ac9b6e9d4d6e6348362262bb7034afeeea4d
Memory dumps (name, filesize):
- memory/452-39-0x0000000000910000-0x0000000000920000-memory.dmp (64KB)
- memory/452-38-0x00007FFECC6E0000-0x00007FFECD1A1000-memory.dmp (10.8MB)
- memory/452-44-0x000000001B760000-0x000000001B77E000-memory.dmp (120KB)
- memory/452-41-0x0000000000910000-0x0000000000920000-memory.dmp (64KB)
- memory/452-30-0x0000000000060000-0x0000000000170000-memory.dmp (1.1MB)
- memory/452-33-0x0000000000910000-0x0000000000920000-memory.dmp (64KB)
- memory/452-31-0x00007FFECC6E0000-0x00007FFECD1A1000-memory.dmp (10.8MB)
- memory/452-43-0x000000001A600000-0x000000001A610000-memory.dmp (64KB)
- memory/452-35-0x000000001D9F0000-0x000000001DF18000-memory.dmp (5.2MB)
- memory/452-42-0x000000001B7E0000-0x000000001B856000-memory.dmp (472KB)
- memory/452-58-0x00007FFECC6E0000-0x00007FFECD1A1000-memory.dmp (10.8MB)
- memory/1596-36-0x00007FFECC6E0000-0x00007FFECD1A1000-memory.dmp (10.8MB)
- memory/1596-24-0x000001AD47E20000-0x000001AD47E30000-memory.dmp (64KB)
- memory/1596-22-0x00007FFECC6E0000-0x00007FFECD1A1000-memory.dmp (10.8MB)
- memory/1596-37-0x000001AD47E20000-0x000001AD47E30000-memory.dmp (64KB)
- memory/1596-21-0x000001AD461A0000-0x000001AD461B0000-memory.dmp (64KB)
- memory/1596-34-0x000001AD47E20000-0x000001AD47E30000-memory.dmp (64KB)
- memory/1596-40-0x000001AD47E20000-0x000001AD47E30000-memory.dmp (64KB)
- memory/4076-63-0x000000001ADD0000-0x000000001ADE0000-memory.dmp (64KB)
- memory/4076-57-0x00007FFECC6E0000-0x00007FFECD1A1000-memory.dmp (10.8MB)
- memory/4076-59-0x000000001ADD0000-0x000000001ADE0000-memory.dmp (64KB)
- memory/4076-60-0x00007FFECC6E0000-0x00007FFECD1A1000-memory.dmp (10.8MB)
- memory/4076-61-0x000000001ADD0000-0x000000001ADE0000-memory.dmp (64KB)
- memory/4076-62-0x000000001ADD0000-0x000000001ADE0000-memory.dmp (64KB)
- memory/4924-15-0x00007FFECC6E0000-0x00007FFECD1A1000-memory.dmp (10.8MB)
- memory/4924-0-0x00000000000D0000-0x0000000000146000-memory.dmp (472KB)
- memory/4924-23-0x00007FFECC6E0000-0x00007FFECD1A1000-memory.dmp (10.8MB)