Analysis
max time kernel: 146s
max time network: 153s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25-12-2023 10:40
Static task: static1
Behavioral task: behavioral1
Sample: 17e8b8ca2511a8273d049a478d075fc2.exe
Resource: win7-20231215-en
General
Target: 17e8b8ca2511a8273d049a478d075fc2.exe
Size: 349KB
MD5: 17e8b8ca2511a8273d049a478d075fc2
SHA1: 3a473b8f7bbd4c878ffd9101482d164a6bbac60c
SHA256: c093b4cd2ad7f9eaf3dc918333d6df78753ff18f71b4ac722862a7d8cf44031a
SHA512: 4094b0be82a62ac2d7ae08aeae432ba1a89ca9c40f7c5bfec19bbde529a8a0fdef56f19be63263936cab2dd429dbdd70df754d9ba35b45253597b99d15329429
SSDEEP: 6144:jXXXXXXXXXXXXXXXXXfqJuiHivvWxzfHWojlNBXNU+Y07sxKCYsRCgPtZXzgAtxs:
Malware Config
Extracted
Family: njrat
Version: 0.7d
Campaign: Hack
C2: runtime.kro.kr:6522
mutex: 15ac00e92ea47b4f7ac4e4714b9affcb
reg_key: 15ac00e92ea47b4f7ac4e4714b9affcb
splitter: |'|'|
The same 15ac00e92ea47b4f7ac4e4714b9affcb identifier is reused as the mutex, the registry value name and (see Signatures below) the file name dropped into the Startup folder. The splitter is the field delimiter njrat places between the values in each message to the C2.
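The splitter, campaign and version values above are what an analyst needs to carve this client's traffic out of a capture. The Python below is an added example, not part of this report or of any njrat tooling: it frames a byte stream on the length header, splits each payload on the configured splitter |'|'|, and decodes an "ll" registration beacon. The header layout ("<decimal payload length>\x00<payload>"), the field order of the beacon, the "P" keep-alive and every sample byte are assumptions or constructed data, not observations from this sandbox run.

```python
"""Frame and decode njrat 0.7d-style messages using the extracted splitter."""
import base64

SPLITTER = b"|'|'|"   # splitter value from the extracted config
CAMPAIGN = b"Hack"    # campaign value from the extracted config
VERSION = b"0.7d"     # version value from the extracted config


def build_frame(fields):
    """Join fields with the splitter and prepend the length header.

    Assumed wire format: '<decimal payload length>\\x00<payload>'.
    """
    payload = SPLITTER.join(fields)
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_frames(stream):
    """Split a byte stream into frames; each frame becomes its list of fields.

    Returns (frames, leftover). leftover is an incomplete trailing frame that
    the caller should keep until more data arrives.
    """
    frames, pos = [], 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break                                   # header not complete yet
        if not stream[pos:nul].isdigit():
            raise ValueError("malformed length header at offset %d" % pos)
        length = int(stream[pos:nul])
        start, end = nul + 1, nul + 1 + length
        if end > len(stream):
            break                                   # payload not complete yet
        frames.append(stream[start:end].split(SPLITTER))
        pos = end
    return frames, stream[pos:]


def _text(raw):
    return raw.decode("utf-8", errors="replace")


def registration_info(fields):
    """Decode an 'll' registration beacon into a dict, or return None.

    Field order is an assumption taken from public njrat 0.7d write-ups, not
    from this report: ll, <campaign>_<volume serial>, hostname, username,
    install date, <empty>, OS string, webcam flag, client version, '..',
    base64 title of the active window.
    """
    if len(fields) < 11 or fields[0] != b"ll":
        return None
    campaign, _, serial = fields[1].partition(b"_")
    window = base64.b64decode(fields[10]) if fields[10] else b""
    return {
        "campaign": _text(campaign),
        "volume_serial": _text(serial),
        "hostname": _text(fields[2]),
        "username": _text(fields[3]),
        "os": _text(fields[6]),
        "version": _text(fields[8]),
        "active_window": _text(window),
    }


def matches_config(info):
    """True when a beacon carries the campaign and version from the extracted config."""
    return (info is not None
            and info["campaign"] == _text(CAMPAIGN)
            and info["version"] == _text(VERSION))


def demo_stream():
    """Constructed sample: one registration beacon followed by one keep-alive.

    These bytes are made up for the example; they are not captured traffic.
    """
    window = base64.b64encode(b"Untitled - Notepad")
    beacon = build_frame([b"ll", CAMPAIGN + b"_1A2B3C4D", b"WIN7-PC", b"Admin",
                          b"23-12-25", b"", b"Win 7 Ultimate SP1 x64", b"No",
                          VERSION, b"..", window, b""])
    keepalive = build_frame([b"P"])
    return beacon + keepalive


if __name__ == "__main__":
    frames, leftover = parse_frames(demo_stream())
    for fields in frames:
        info = registration_info(fields)
        print(fields[0], info, "config match:", matches_config(info))
```

parse_frames deliberately stops on a partial frame instead of raising, because the beacon and the keep-alive can straddle TCP segments; feed it the leftover plus the next segment.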
Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

Drops startup file 2 IoCs
Process: dllhost.exe
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\15ac00e92ea47b4f7ac4e4714b9affcb.exe
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\15ac00e92ea47b4f7ac4e4714b9affcb.exe
The file name is the mutex/reg_key identifier from the extracted config; anything in the per-user Startup folder runs at every logon of that user.
Executes dropped EXE 1 IoCs
Process: dllhost.exe (PID 2780)

Loads dropped DLL 1 IoCs
Process: 17e8b8ca2511a8273d049a478d075fc2.exe (PID 2332)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken 31 IoCs
Process: dllhost.exe (PID 2780)
Token: SeDebugPrivilege (1 event), followed by 15 alternating pairs of Token: 33 and Token: SeIncBasePriorityPrivilege (30 events). The numeric token is a privilege reported by LUID rather than name; 33 is SE_INC_WORKING_SET_PRIVILEGE (SeIncreaseWorkingSetPrivilege) in winnt.h.

Suspicious use of WriteProcessMemory 8 IoCs
PID 2332 (17e8b8ca2511a8273d049a478d075fc2.exe) wrote to memory of PID 2780 (dllhost.exe): 4 events
PID 2780 (dllhost.exe) wrote to memory of PID 2844 (netsh.exe): 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\17e8b8ca2511a8273d049a478d075fc2.exe (PID 2332)
  Command line: "C:\Users\Admin\AppData\Local\Temp\17e8b8ca2511a8273d049a478d075fc2.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\dllhost.exe (PID 2780, child of 2332)
    Command line: "C:\Users\Admin\dllhost.exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 2844, child of 2780)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\dllhost.exe" "dllhost.exe" ENABLE
      - Modifies Windows Firewall
dllhost.exe is the name of the Windows COM Surrogate, which lives in System32 and SysWOW64; a binary of that name running from C:\Users\Admin is a masquerade of a system process. The netsh command uses the legacy firewall context (rather than advfirewall) to add an exception for that copy so the host firewall does not interfere with the njrat client.
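The chain above (a copy of the sample named dllhost.exe running from the user profile, a drop into the Startup folder, and a netsh firewall exception for that copy) maps directly onto three host-telemetry rules. The Python below is an added example, not the sandbox's own detection logic; the event records, their field names (type, pid, ppid, image, cmdline, path), the parent PID of the first process and the benign control event are constructed to mirror the report's process tree.

```python
"""Flag the persistence chain from the report in process/file telemetry."""
import re
from pathlib import PureWindowsPath

# Binaries that legitimately live in System32/SysWOW64; the same name elsewhere is suspect.
SYSTEM_BINARIES = {"dllhost.exe", "svchost.exe", "netsh.exe", "rundll32.exe", "lsass.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
STARTUP_MARK = "\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\"
# Legacy 'netsh firewall add allowedprogram [program=]<path> <name> ENABLE' syntax, as in the report.
ALLOWEDPROGRAM_RE = re.compile(
    r'netsh(?:\.exe)?\s+firewall\s+add\s+allowedprogram\s+(?:program=)?(?:"([^"]+)"|(\S+))', re.I)

# Constructed events modelled on the report's process tree (field names are this
# example's own, not the sandbox's schema). The last event is a benign control:
# the real COM Surrogate started from System32.
EVENTS = [
    {"type": "process", "pid": 2332, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\17e8b8ca2511a8273d049a478d075fc2.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\17e8b8ca2511a8273d049a478d075fc2.exe"'},
    {"type": "process", "pid": 2780, "ppid": 2332,
     "image": r"C:\Users\Admin\dllhost.exe", "cmdline": r'"C:\Users\Admin\dllhost.exe"'},
    {"type": "file", "pid": 2780, "image": r"C:\Users\Admin\dllhost.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\15ac00e92ea47b4f7ac4e4714b9affcb.exe"},
    {"type": "process", "pid": 2844, "ppid": 2780, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\dllhost.exe" "dllhost.exe" ENABLE'},
    {"type": "process", "pid": 3000, "ppid": 600,
     "image": r"C:\Windows\System32\dllhost.exe", "cmdline": r"C:\Windows\System32\dllhost.exe"},
]


def user_writable(path):
    """Crude test for locations an unprivileged user can write to."""
    p = path.lower()
    return p.startswith("c:\\users\\") or p.startswith("c:\\programdata\\")


def masquerade_alert(ev):
    """A system binary name running outside System32/SysWOW64."""
    if ev["type"] != "process":
        return None
    image = PureWindowsPath(ev["image"])
    if image.name.lower() in SYSTEM_BINARIES and str(image.parent).lower() not in SYSTEM_DIRS:
        return ("system-binary-name-outside-system-dir", ev["pid"], ev["image"])
    return None


def firewall_alert(ev):
    """netsh adding a firewall exception for a program in a user-writable location."""
    if ev["type"] != "process":
        return None
    m = ALLOWEDPROGRAM_RE.search(ev["cmdline"])
    if not m:
        return None
    program = m.group(1) or m.group(2)
    if user_writable(program):
        return ("netsh-allowedprogram-user-writable-path", ev["pid"], program)
    return None


def startup_drop_alert(ev):
    """A binary in a user-writable location writing into the per-user Startup folder."""
    if ev["type"] != "file":
        return None
    if STARTUP_MARK in ev["path"].lower() and user_writable(ev["image"]):
        return ("startup-folder-drop-by-user-writable-binary", ev["pid"], ev["path"])
    return None


RULES = (masquerade_alert, firewall_alert, startup_drop_alert)


def scan(events):
    """Run every rule over every event; return the list of (rule, pid, detail) alerts."""
    return [a for ev in events for a in (rule(ev) for rule in RULES) if a]


def implicated_pids(events, alerts):
    """PIDs that alerted plus their parents, so the initial dropper is pulled into scope."""
    parent = {ev["pid"]: ev["ppid"] for ev in events if ev["type"] == "process"}
    pids = {pid for _, pid, _ in alerts}
    return pids | {parent[p] for p in pids if p in parent}


if __name__ == "__main__":
    found = scan(EVENTS)
    for rule, pid, detail in found:
        print(f"{rule:45} pid={pid} {detail}")
    print("implicated PIDs:", sorted(implicated_pids(EVENTS, found)))
```

None of the three rules needs the sample's hashes, which is the point: the dropper copies itself under a new name, so file-hash IoCs only hold until the next build, while the masquerade, the Startup write and the firewall exception are behaviours the family keeps.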
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
\Users\Admin\dllhost.exe
Filesize: 349KB
MD5: 17e8b8ca2511a8273d049a478d075fc2
SHA1: 3a473b8f7bbd4c878ffd9101482d164a6bbac60c
SHA256: c093b4cd2ad7f9eaf3dc918333d6df78753ff18f71b4ac722862a7d8cf44031a
SHA512: 4094b0be82a62ac2d7ae08aeae432ba1a89ca9c40f7c5bfec19bbde529a8a0fdef56f19be63263936cab2dd429dbdd70df754d9ba35b45253597b99d15329429
Size and all four hashes match the submitted sample: the dropped dllhost.exe is a byte-for-byte copy of the original binary, so the hash IoCs above cover both the dropper and the persisted copy.
Memory dumps
memory/2332-0-0x0000000000D10000-0x0000000000D6E000-memory.dmp: 376KB
memory/2332-1-0x0000000074430000-0x0000000074B1E000-memory.dmp: 6.9MB
memory/2332-2-0x00000000008E0000-0x00000000008EE000-memory.dmp: 56KB
memory/2332-3-0x0000000000C80000-0x0000000000CC0000-memory.dmp: 256KB
memory/2332-13-0x0000000074430000-0x0000000074B1E000-memory.dmp: 6.9MB
memory/2780-11-0x0000000074430000-0x0000000074B1E000-memory.dmp: 6.9MB
memory/2780-12-0x0000000000C20000-0x0000000000C7E000-memory.dmp: 376KB
memory/2780-14-0x0000000004A50000-0x0000000004A90000-memory.dmp: 256KB
memory/2780-16-0x0000000074430000-0x0000000074B1E000-memory.dmp: 6.9MB
memory/2780-17-0x0000000004A50000-0x0000000004A90000-memory.dmp: 256KB
The 376KB regions in PID 2332 (0xD10000-0xD6E000) and PID 2780 (0xC20000-0xC7E000) are both 0x5E000 bytes, consistent with the same image mapped in both processes; the 6.9MB region at 0x74430000-0x74B1E000 appears at the same base in both PIDs and is a shared mapped module rather than sample-specific data.