Analysis
  max time kernel: 7s
  max time network: 123s
  platform: windows7_x64
  resource: win7-20231215-en
  resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted: 22-12-2023 05:26
Behavioral task behavioral1
  Sample: Private DR 8.exe
  Resource: win7-20231215-en
Behavioral task behavioral2
  Sample: Private DR 8.exe
  Resource: win10v2004-20231215-en
General
  Target: Private DR 8.exe
  Size: 32KB
  MD5: 3545a1d643a4bbe8254e6288ef8b8970
  SHA1: 54c78dd9b1af967af5bae3436666b4cc6ec9981a
  SHA256: ce9f3a26c1dc03bdb6b44d8f21155c01481cfef00d52aed3e8cb2d127d9a0bf7
  SHA512: 56cfac7a646b9a9c898131d714497af04c29f72aa05dcb4c680e384e62058af5bb136017e6a79a5e5b8d069d488f2651fa0ccddbf332ffd99b0975d63624e884
  SSDEEP: 384:FwZ2iQY1yEccOrM5si+dCLp6dqs9dFPI4+hAVoTi+NlDQodg9TduS/EIGsJjwE7I:CI05cTvTdCmvsuouDuCEIGfRu+f
Malware Config
Extracted
  family: njrat
  version: 0.7d
  botnet: Hacked By HiDDen PerSOn
  C2: 127.0.0.1:5552
  mutex: ccedfcf6c833355573619d64c1fe7aea
  reg_key: ccedfcf6c833355573619d64c1fe7aea
  splitter: |'|'|
Signatures
  Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  Suspicious use of WriteProcessMemory (7 IoCs)
    Processes (the same event is recorded 7 times):
      description                        pid   process           target process
      PID 2480 wrote to memory of 2436   2480  Private DR 8.exe  rundll32.exe
Processes
  1. C:\Users\Admin\AppData\Local\Temp\Private DR 8.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\Private DR 8.exe"
     signatures: Suspicious use of WriteProcessMemory
     2. C:\Windows\SysWOW64\rundll32.exe
        command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\PRIVATE DR8
        3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
           command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\PRIVATE DR8"
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
  C:\Users\Admin\AppData\Local\Temp\PRIVATE DR8
    Filesize: 32KB
    MD5: 3545a1d643a4bbe8254e6288ef8b8970
    SHA1: 54c78dd9b1af967af5bae3436666b4cc6ec9981a
    SHA256: ce9f3a26c1dc03bdb6b44d8f21155c01481cfef00d52aed3e8cb2d127d9a0bf7
    SHA512: 56cfac7a646b9a9c898131d714497af04c29f72aa05dcb4c680e384e62058af5bb136017e6a79a5e5b8d069d488f2651fa0ccddbf332ffd99b0975d63624e884
  C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
    Filesize: 3KB
    MD5: 665302c934136b55da868419a3afdcb4
    SHA1: c7363cf0f76aa99ded02edcb04610fc8756a71db
    SHA256: 3569c38de00a82b1c591a67e69c238b12e4abba877bdd7adab3c0c6696ccbd8c
    SHA512: ef23c32546128bd7b2bb458226e6fd9c77c4265e3d38f10799a966e6973a96e1ce41243e77e49ce8c4a9351cfa0a2d8bf5d9e68f6c2945044b23d6c7bdd64a12
  memory/2480-0-0x0000000074D90000-0x000000007533B000-memory.dmp
    Filesize: 5.7MB
  memory/2480-2-0x0000000000B40000-0x0000000000B80000-memory.dmp
    Filesize: 256KB
  memory/2480-1-0x0000000074D90000-0x000000007533B000-memory.dmp
    Filesize: 5.7MB
  memory/2480-5-0x0000000074D90000-0x000000007533B000-memory.dmp
    Filesize: 5.7MB