Analysis
-
max time kernel
151s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system -
submitted
24-12-2023 16:41
Static task
static1
Behavioral task
behavioral1
Sample
064827f373f0bb93f4616642146a91fc.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
064827f373f0bb93f4616642146a91fc.exe
Resource
win10v2004-20231215-en
General
-
Target
064827f373f0bb93f4616642146a91fc.exe
-
Size
25KB
-
MD5
064827f373f0bb93f4616642146a91fc
-
SHA1
99202be7f698c30dbf0c9d4af3efefd7bc0cec4f
-
SHA256
b81766c2273db2979fc060aa926a13b6b560ad446612088371464a606c80fae4
-
SHA512
e75cbd54a310e882bed97052046e784b14e161232a368042a0f37df39579725f9497428aad55714aafdb8452a643ac3e2b9ca6c8b0e793e5949ad2c752179bf4
-
SSDEEP
768:yaVnrEeAvRH+DHOoVeiInaZxekZ9pjOOdPD9:LRExV9oVKUrntJ
Malware Config
Extracted
njrat
im523
aaa
127.0.0.1:5552
192.168.100.4:5552
bdae7bc82fc5afd8ef934e53747b3bda
-
reg_key
bdae7bc82fc5afd8ef934e53747b3bda
-
splitter
|'|'|
Signatures
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Drops startup file 2 IoCs
Processes: svchost.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bdae7bc82fc5afd8ef934e53747b3bda.exe | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bdae7bc82fc5afd8ef934e53747b3bda.exe | svchost.exe
-
Executes dropped EXE 2 IoCs
Processes: Server.exe, svchost.exe
pid | process
2508 | Server.exe
2808 | svchost.exe
-
Loads dropped DLL 1 IoCs
Processes: Server.exe
pid | process
2508 | Server.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\bdae7bc82fc5afd8ef934e53747b3bda = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .." | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bdae7bc82fc5afd8ef934e53747b3bda = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .." | svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 35 IoCs
Processes: svchost.exe
description | pid | process
Token: SeDebugPrivilege | 2808 | svchost.exe
Token: 33 | 2808 | svchost.exe
Token: SeIncBasePriorityPrivilege | 2808 | svchost.exe
Token: 33 | 2808 | svchost.exe
Token: SeIncBasePriorityPrivilege | 2808 | svchost.exe
Token: 33 | 2808 | svchost.exe
Token: SeIncBasePriorityPrivilege | 2808 | svchost.exe
Token: 33 | 2808 | svchost.exe
Token: SeIncBasePriorityPrivilege | 2808 | svchost.exe
Token: 33 | 2808 | svchost.exe
Token: SeIncBasePriorityPrivilege | 2808 | svchost.exe
Token: 33 | 2808 | svchost.exe
Token: SeIncBasePriorityPrivilege | 2808 | svchost.exe
Token: 33 | 2808 | svchost.exe
Token: SeIncBasePriorityPrivilege | 2808 | svchost.exe
Token: 33 | 2808 | svchost.exe
Token: SeIncBasePriorityPrivilege | 2808 | svchost.exe
Token: 33 | 2808 | svchost.exe
Token: SeIncBasePriorityPrivilege | 2808 | svchost.exe
Token: 33 | 2808 | svchost.exe
Token: SeIncBasePriorityPrivilege | 2808 | svchost.exe
Token: 33 | 2808 | svchost.exe
Token: SeIncBasePriorityPrivilege | 2808 | svchost.exe
Token: 33 | 2808 | svchost.exe
Token: SeIncBasePriorityPrivilege | 2808 | svchost.exe
Token: 33 | 2808 | svchost.exe
Token: SeIncBasePriorityPrivilege | 2808 | svchost.exe
Token: 33 | 2808 | svchost.exe
Token: SeIncBasePriorityPrivilege | 2808 | svchost.exe
Token: 33 | 2808 | svchost.exe
Token: SeIncBasePriorityPrivilege | 2808 | svchost.exe
Token: 33 | 2808 | svchost.exe
Token: SeIncBasePriorityPrivilege | 2808 | svchost.exe
Token: 33 | 2808 | svchost.exe
Token: SeIncBasePriorityPrivilege | 2808 | svchost.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes: 064827f373f0bb93f4616642146a91fc.exe, Server.exe, svchost.exe
description | pid | process | target process
PID 3040 wrote to memory of 2508 | 3040 | 064827f373f0bb93f4616642146a91fc.exe | Server.exe
PID 3040 wrote to memory of 2508 | 3040 | 064827f373f0bb93f4616642146a91fc.exe | Server.exe
PID 3040 wrote to memory of 2508 | 3040 | 064827f373f0bb93f4616642146a91fc.exe | Server.exe
PID 3040 wrote to memory of 2508 | 3040 | 064827f373f0bb93f4616642146a91fc.exe | Server.exe
PID 2508 wrote to memory of 2808 | 2508 | Server.exe | svchost.exe
PID 2508 wrote to memory of 2808 | 2508 | Server.exe | svchost.exe
PID 2508 wrote to memory of 2808 | 2508 | Server.exe | svchost.exe
PID 2508 wrote to memory of 2808 | 2508 | Server.exe | svchost.exe
PID 2808 wrote to memory of 2840 | 2808 | svchost.exe | netsh.exe
PID 2808 wrote to memory of 2840 | 2808 | svchost.exe | netsh.exe
PID 2808 wrote to memory of 2840 | 2808 | svchost.exe | netsh.exe
PID 2808 wrote to memory of 2840 | 2808 | svchost.exe | netsh.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\064827f373f0bb93f4616642146a91fc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\064827f373f0bb93f4616642146a91fc.exe"
    - Suspicious use of WriteProcessMemory
    -
    [2] C:\Users\Admin\AppData\Local\Temp\Server.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        -
        [3] C:\Users\Admin\AppData\Roaming\svchost.exe
            Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
            - Drops startup file
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            -
            [4] C:\Windows\SysWOW64\netsh.exe
                Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
                - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
  Create or Modify System Process (1)
    Windows Service (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
37KB
MD5
25e1a437f519c6fae7d58c979850b235
SHA1
bf7b2905fd7fb26e6670a9d21585344392513e4f
SHA256
ba98637b354d445da2d87a5b150dadf38fae99e2732268c7b72ff62d563e6bef
SHA512
ffb9c4d4f48893e971994e80360c96f218c5de8f29edf162239f15dffe642032544e09a5adf89d68ecd81630ce8f0bf253144fcaf14cf0d3fa6274dd85365ed2
-
memory/2508-13-0x00000000021A0000-0x00000000021E0000-memory.dmp
Filesize
256KB
-
memory/2508-11-0x0000000073F90000-0x000000007453B000-memory.dmp
Filesize
5.7MB
-
memory/2508-12-0x0000000073F90000-0x000000007453B000-memory.dmp
Filesize
5.7MB
-
memory/2508-22-0x0000000073F90000-0x000000007453B000-memory.dmp
Filesize
5.7MB
-
memory/2808-21-0x0000000073F90000-0x000000007453B000-memory.dmp
Filesize
5.7MB
-
memory/2808-23-0x0000000000C80000-0x0000000000CC0000-memory.dmp
Filesize
256KB
-
memory/2808-24-0x0000000073F90000-0x000000007453B000-memory.dmp
Filesize
5.7MB
-
memory/2808-26-0x0000000073F90000-0x000000007453B000-memory.dmp
Filesize
5.7MB
-
memory/2808-27-0x0000000000C80000-0x0000000000CC0000-memory.dmp
Filesize
256KB
-
memory/3040-2-0x000000001B220000-0x000000001B2A0000-memory.dmp
Filesize
512KB
-
memory/3040-1-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp
Filesize
9.9MB
-
memory/3040-10-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp
Filesize
9.9MB
-
memory/3040-0-0x0000000000170000-0x000000000017C000-memory.dmp
Filesize
48KB