Analysis
max time kernel: 159s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-12-2023 21:00
Static task: static1
Behavioral task: behavioral1
  Sample: 9d64f21e7d6558fe3156a419b9a4647f.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 9d64f21e7d6558fe3156a419b9a4647f.exe
  Resource: win10v2004-20231215-en
General
Target: 9d64f21e7d6558fe3156a419b9a4647f.exe
Size: 204KB
MD5: 9d64f21e7d6558fe3156a419b9a4647f
SHA1: bd0390ae8acfecfdb09a4c65afd5125c16e90de8
SHA256: f19d3649f2bbef5a4f801af5e3f4a475793ec97460fff1fdae3716b0235d6eed
SHA512: 236c9631bb379195ff9407d059bb89fb70ba4112969c417c76d42a3676dc04e417680e429f2865c0c8608b709305555c7b3c31da116478bd2c9ba7a5688ac00b
SSDEEP: 3072:NJveA674eGXSmGchlDEtND/zYe5eKSUBz0q7dNUEqu4yaLtrrhCv88SHHZ6TfFQK:NdvHeGX6gwD7HzSj2m9uxaBhV9dzt
Malware Config
Extracted: njrat
  Blue
  Hacker
  C2 (host:port): honma123.codns.com:8080
  98eb9f39a26282e8eb7fd7824affdb3a
  reg_key: 98eb9f39a26282e8eb7fd7824affdb3a
  splitter: |'|'|
Signatures

Modifies Windows Firewall (1 TTPs, 1 IoCs)

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 9d64f21e7d6558fe3156a419b9a4647f.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | 9d64f21e7d6558fe3156a419b9a4647f.exe

Drops startup file (2 IoCs)
Processes: svchost.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\98eb9f39a26282e8eb7fd7824affdb3a.exe | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\98eb9f39a26282e8eb7fd7824affdb3a.exe | svchost.exe

Executes dropped EXE (1 IoCs)
Processes: svchost.exe
  pid | process
  2484 | svchost.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: svchost.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\98eb9f39a26282e8eb7fd7824affdb3a = "\"C:\\Users\\Admin\\AppData\\Local\\svchost.exe\" .." | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\98eb9f39a26282e8eb7fd7824affdb3a = "\"C:\\Users\\Admin\\AppData\\Local\\svchost.exe\" .." | svchost.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (15 IoCs)
Processes: svchost.exe
  description | pid | process
  Token: SeDebugPrivilege | 2484 | svchost.exe
  Token: 33 | 2484 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 2484 | svchost.exe
  Token: 33 | 2484 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 2484 | svchost.exe
  Token: 33 | 2484 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 2484 | svchost.exe
  Token: 33 | 2484 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 2484 | svchost.exe
  Token: 33 | 2484 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 2484 | svchost.exe
  Token: 33 | 2484 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 2484 | svchost.exe
  Token: 33 | 2484 | svchost.exe
  Token: SeIncBasePriorityPrivilege | 2484 | svchost.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 9d64f21e7d6558fe3156a419b9a4647f.exe, svchost.exe
  description | pid | process | target process
  PID 1852 wrote to memory of 2484 | 1852 | 9d64f21e7d6558fe3156a419b9a4647f.exe | svchost.exe
  PID 1852 wrote to memory of 2484 | 1852 | 9d64f21e7d6558fe3156a419b9a4647f.exe | svchost.exe
  PID 1852 wrote to memory of 2484 | 1852 | 9d64f21e7d6558fe3156a419b9a4647f.exe | svchost.exe
  PID 2484 wrote to memory of 2516 | 2484 | svchost.exe | netsh.exe
  PID 2484 wrote to memory of 2516 | 2484 | svchost.exe | netsh.exe
  PID 2484 wrote to memory of 2516 | 2484 | svchost.exe | netsh.exe
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\9d64f21e7d6558fe3156a419b9a4647f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9d64f21e7d6558fe3156a419b9a4647f.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\svchost.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\svchost.exe" "svchost.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Create or Modify System Process (1): Windows Service (1)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
C:\Users\Admin\AppData\Local\svchost.exe
  Filesize: 204KB
  MD5: 9d64f21e7d6558fe3156a419b9a4647f
  SHA1: bd0390ae8acfecfdb09a4c65afd5125c16e90de8
  SHA256: f19d3649f2bbef5a4f801af5e3f4a475793ec97460fff1fdae3716b0235d6eed
  SHA512: 236c9631bb379195ff9407d059bb89fb70ba4112969c417c76d42a3676dc04e417680e429f2865c0c8608b709305555c7b3c31da116478bd2c9ba7a5688ac00b
memory/1852-8-0x00000000752A0000-0x0000000075A50000-memory.dmp
  Filesize: 7.7MB
memory/1852-9-0x0000000004D20000-0x0000000004D2C000-memory.dmp
  Filesize: 48KB
memory/1852-3-0x0000000004CD0000-0x0000000004CDE000-memory.dmp
  Filesize: 56KB
memory/1852-4-0x0000000004E50000-0x0000000004E72000-memory.dmp
  Filesize: 136KB
memory/1852-5-0x00000000077E0000-0x0000000007D84000-memory.dmp
  Filesize: 5.6MB
memory/1852-6-0x0000000007310000-0x00000000073A2000-memory.dmp
  Filesize: 584KB
memory/1852-2-0x0000000004EA0000-0x0000000004EB0000-memory.dmp
  Filesize: 64KB
memory/1852-0-0x00000000752A0000-0x0000000075A50000-memory.dmp
  Filesize: 7.7MB
memory/1852-7-0x0000000007450000-0x00000000074EC000-memory.dmp
  Filesize: 624KB
memory/1852-10-0x0000000004EA0000-0x0000000004EB0000-memory.dmp
  Filesize: 64KB
memory/1852-1-0x00000000003B0000-0x00000000003EA000-memory.dmp
  Filesize: 232KB
memory/1852-24-0x00000000752A0000-0x0000000075A50000-memory.dmp
  Filesize: 7.7MB
memory/2484-23-0x00000000752A0000-0x0000000075A50000-memory.dmp
  Filesize: 7.7MB
memory/2484-25-0x00000000752A0000-0x0000000075A50000-memory.dmp
  Filesize: 7.7MB
memory/2484-27-0x00000000087C0000-0x00000000087CA000-memory.dmp
  Filesize: 40KB