Analysis
max time kernel: 146s
max time network: 149s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 06-01-2024 10:06
Static task: static1 (1 signatures)
Behavioral task: behavioral1
Sample: 4574bd93391feb09a4f2fb7feaa0f29d.exe
Resource: win7-20231215-en
4 signatures, 150 seconds
General
Target: 4574bd93391feb09a4f2fb7feaa0f29d.exe
Size: 33KB
MD5: 4574bd93391feb09a4f2fb7feaa0f29d
SHA1: 8bf4ce7c275d6efb9470f617189d2945f9039935
SHA256: cdc771adbd55add756c3fd400ae846c8b8d378c68feac22e0bcc96dc480a6dc4
SHA512: f346a22c4b6b9dc3199300b591b40cfc54555b849e90fa38d3001c4a7f4d6ca3b139348b60409903ec3bd7fd9742a3e2ddba510485e4d68d7f5be43a029fadfa
SSDEEP: 768:VvTgsrbTI3IOTT95Hrg1XVbXBAQ/nvF8Nul2y:tJbaM7BHnmulZ
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed
C2: rxlwee.ddns.net:5552
Mutex: Windows Update
Attributes
- reg_key: Windows Update
- splitter: |'|'|
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 2496 | 4574bd93391feb09a4f2fb7feaa0f29d.exe
  Token: 33 | 2496 | 4574bd93391feb09a4f2fb7feaa0f29d.exe
  Token: SeIncBasePriorityPrivilege | 2496 | 4574bd93391feb09a4f2fb7feaa0f29d.exe
  (the last two rows repeat, alternating, for the remaining entries: 35 entries in total)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
  PID 2496 wrote to memory of 2596 | 2496 | 4574bd93391feb09a4f2fb7feaa0f29d.exe | netsh.exe
  PID 2496 wrote to memory of 2596 | 2496 | 4574bd93391feb09a4f2fb7feaa0f29d.exe | netsh.exe
  PID 2496 wrote to memory of 2596 | 2496 | 4574bd93391feb09a4f2fb7feaa0f29d.exe | netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\4574bd93391feb09a4f2fb7feaa0f29d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4574bd93391feb09a4f2fb7feaa0f29d.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\netsh.exe (child process)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\4574bd93391feb09a4f2fb7feaa0f29d.exe" "4574bd93391feb09a4f2fb7feaa0f29d.exe" ENABLE
    - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- memory/2496-0-0x0000000000270000-0x0000000000286000-memory.dmp (Filesize: 88KB)
- memory/2496-1-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp (Filesize: 9.6MB)
- memory/2496-2-0x00000000020F0000-0x0000000002170000-memory.dmp (Filesize: 512KB)
- memory/2496-3-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp (Filesize: 9.6MB)
- memory/2496-4-0x00000000020F0000-0x0000000002170000-memory.dmp (Filesize: 512KB)
- memory/2496-5-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp (Filesize: 9.6MB)