Analysis
max time kernel
6s
max time network
144s
platform
windows7_x64
resource
win7-20231129-en
resource tags
arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted
06/01/2024, 09:11
Behavioral task
behavioral1
Sample
a8de9617ea415b5192f439ff6ab96294.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
a8de9617ea415b5192f439ff6ab96294.exe
Resource
win10v2004-20231215-en
General
Target
a8de9617ea415b5192f439ff6ab96294.exe
Size
160KB
MD5
a8de9617ea415b5192f439ff6ab96294
SHA1
30b917dd4479c4944ab97b806c5ec1de9657e3c2
SHA256
4fad16bbb59875a3c26bb8b202abffd86217db7462463fece59db8f7aa0f99b9
SHA512
ebafd3a1b6e5feea3525e3d6c235e65535529f2e1fc6f833611ee199aee050ffe55f2312bca9f796c4f8a14ebc8e5bee5cc99c44c3d3a1e0b44c838453f0b14b
SSDEEP
3072:9ZfeA/+yJGhS5gx7+gHMhi2W1QfA7LjxAJUfop7opolxh:PfeD/S5tpYQf+u/p8m
Malware Config
Extracted
njrat
im523
Source
three-bands.gl.at.ply.gg:24544
c132c845ddc1e459ea58e893b14f206b
reg_key
c132c845ddc1e459ea58e893b14f206b
splitter
|'|'|
Signatures
Modifies Windows Firewall (1 TTPs, 1 IoCs)
pid Process
2704 netsh.exe
Executes dropped EXE (1 IoCs)
pid Process
1888 Java64bit.exe
Loads dropped DLL (1 IoCs)
pid Process
1880 a8de9617ea415b5192f439ff6ab96294.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Kills process with taskkill (1 IoCs)
pid Process
2728 taskkill.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description pid Process procid_target
PID 1880 wrote to memory of 1888 1880 a8de9617ea415b5192f439ff6ab96294.exe 28
PID 1880 wrote to memory of 1888 1880 a8de9617ea415b5192f439ff6ab96294.exe 28
PID 1880 wrote to memory of 1888 1880 a8de9617ea415b5192f439ff6ab96294.exe 28
PID 1880 wrote to memory of 1888 1880 a8de9617ea415b5192f439ff6ab96294.exe 28
Processes
C:\Users\Admin\AppData\Local\Temp\a8de9617ea415b5192f439ff6ab96294.exe
  "C:\Users\Admin\AppData\Local\Temp\a8de9617ea415b5192f439ff6ab96294.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1880
    C:\Users\Admin\AppData\Local\Temp\Java64bit.exe
      "C:\Users\Admin\AppData\Local\Temp\Java64bit.exe"
      - Executes dropped EXE
      PID:1888
        C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM Update.exe
          - Kills process with taskkill
          PID:2728
        C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Java64bit.exe" "Java64bit.exe" ENABLE
          - Modifies Windows Firewall
          PID:2704
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
79KB
MD5
af1cd6bd5650b912b10b1adf6ab3c3c9
SHA1
43401c377be420663c87d0912bf2071bc75d23a0
SHA256
767359c0c19677afe0af0757bd081e59da61102d71fc42b2f8cbef91b57328e6
SHA512
0252a76c2e5170daf2ea7975216739e943c233f79806d8378dd26b6b167f65c3a3b5c55c08401de87468ee1786c801f413c7f5e28fcf64d2f00173266fc9264a

Filesize
25KB
MD5
752265f1075f1472ad6b00a835ebdb2d
SHA1
1c9ac6f34de8cc79972a0252e009eca7f5a446cc
SHA256
1f49690f0fa6a218b98346f01981a6c7d996768358b29d3a2ed75f3956865c61
SHA512
5f9e2e6f3f34a30ad8eee60b69b6f7f030d9700ad423f76506ad6c2a158bc69fa530bb1eff2c028fdd908f4c10c72b9788a59d0b969780c0c8fe27e34891131b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c132c845ddc1e459ea58e893b14f206b.exe
Filesize
4KB
MD5
c00e8376a8d4875321a14e6e0f29a387
SHA1
ec1db6fef133e914e34734905dff8a5dd79bb332
SHA256
0962e26efd0ae8dc8422f38bbe0dcfeb5e8fafdf3255d6ccd3ce4273bdec65c9
SHA512
ba9af8a33bccbade6768ee293009fb18bfb43120b7bedb8f609672740c992f7d179659cc44936cf79943d720bb40a95091d1f5ee4914ecc31683249065e0a188

Filesize
78KB
MD5
5a455917e357f56c82e7a8ee3acf2ec2
SHA1
62752fe5ea1ed0b71beba5aa8adfe2ebf8e4030a
SHA256
361d9d260afd3923e817bcf2cccb147217bcb281eb33089f4f7081ebc123bb37
SHA512
31224cedbc2a041fdfe4620c6500035325758eeafab3988916f474e960c541520e485b92af99f644f52426cb1655b9447557cbe08b2a0c90439444327d008ff4