Analysis
-
max time kernel
152s -
max time network
166s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
30-12-2023 22:17
Behavioral task
behavioral1
Sample
1e39c64ba850b0298ab04b9e9c2f69fc.exe
Resource
win7-20231215-en
General
-
Target
1e39c64ba850b0298ab04b9e9c2f69fc.exe
-
Size
402KB
-
MD5
1e39c64ba850b0298ab04b9e9c2f69fc
-
SHA1
1e5f7671e54aa8597ffb3af7fb13e2d0aeaee318
-
SHA256
5ca60c222235db8fcffbd475e7ed5a8d477e7ad251c30c289de58f743750f2e3
-
SHA512
e849cd145f019820b188868c04b3b01bf0f072695350b6fc69025831a68c368979ae7a5756f72a13f7903305dbe1df6fac6f993c63921ff6c32b541580a989b8
-
SSDEEP
6144:zmaKVBGmE84IMNv55giU0pKiFYHxfx15RvOagakZBxkTN2gmeGcFnVQb/DAYbDgl:oSmLAuEY71fviagATFmebVQDcYc5
Malware Config
Extracted
njrat
0.6.4
hhhmach.ddns.net:1177
5cd8f17f4086744065eb0992a09e05a2
-
reg_key
5cd8f17f4086744065eb0992a09e05a2
-
splitter
|'|'|
Signatures
-
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 3040 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation test.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe Trojan.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe Trojan.exe -
Executes dropped EXE 2 IoCs
pid Process 3688 test.exe 2248 Trojan.exe -
resource yara_rule behavioral2/memory/3424-0-0x0000000000400000-0x00000000004FB000-memory.dmp upx behavioral2/memory/3424-22-0x0000000000400000-0x00000000004FB000-memory.dmp upx -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." Trojan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." Trojan.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 4944 3424 WerFault.exe 88 2612 3424 WerFault.exe 88 -
Suspicious behavior: EnumeratesProcesses 55 IoCs
pid Process 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe 2248 Trojan.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2248 Trojan.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3424 wrote to memory of 4676 3424 1e39c64ba850b0298ab04b9e9c2f69fc.exe 96 PID 3424 wrote to memory of 4676 3424 1e39c64ba850b0298ab04b9e9c2f69fc.exe 96 PID 3424 wrote to memory of 4676 3424 1e39c64ba850b0298ab04b9e9c2f69fc.exe 96 PID 4676 wrote to memory of 3688 4676 cmd.exe 97 PID 4676 wrote to memory of 3688 4676 cmd.exe 97 PID 4676 wrote to memory of 3688 4676 cmd.exe 97 PID 3688 wrote to memory of 2248 3688 test.exe 102 PID 3688 wrote to memory of 2248 3688 test.exe 102 PID 3688 wrote to memory of 2248 3688 test.exe 102 PID 2248 wrote to memory of 3040 2248 Trojan.exe 98 PID 2248 wrote to memory of 3040 2248 Trojan.exe 98 PID 2248 wrote to memory of 3040 2248 Trojan.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e39c64ba850b0298ab04b9e9c2f69fc.exe"C:\Users\Admin\AppData\Local\Temp\1e39c64ba850b0298ab04b9e9c2f69fc.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3424 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 2402⤵
- Program crash
PID:4944
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c test.exe2⤵
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Users\Admin\AppData\Local\Temp\test.exetest.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3688 -
C:\Users\Admin\AppData\Local\Temp\Trojan.exe"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2248
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1642⤵
- Program crash
PID:2612
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3424 -ip 34241⤵PID:2484
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE1⤵
- Modifies Windows Firewall
PID:3040
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3424 -ip 34241⤵PID:4184
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
68KB
MD5657473de097114583ea97fc3df887639
SHA15994425d0bf4d69dcf5ee43f8014ddc7ec611bfd
SHA256ad3bc3688e0693c553f57980434dd829c9c8a39923b32771c0834db545774387
SHA5129658d35aa5e7b8df84ac3cd03f7331ddf3e4bb5ff8ec9815916a1b8ec3c6fc7e128d920b69b708604525ff04fd12432bf0971b3e44976468d89813753da6143f
-
Filesize
78KB
MD542c5854aa0709d8bf6c28ea82c67b9a5
SHA1124ea473f0572009de85a4a46f361109f4fae7d6
SHA25671e1add662041fee9ff0ddf0139154cf006538559af45f34047aac91efb1b8eb
SHA512c0f4412f2237138b5b66ecc285d7f44bacd67ae23feb0a55561cd4f7850ee6b0fd1b1dac3d2725ed4932aaf155b0fbda284a69b07594789bdb4cbcf0f499d95a