Analysis

max time kernel: 150s
max time network: 148s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 12/01/2024, 01:03
Behavioral task: behavioral1
Sample: 0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222.exe
Resource: win7-20231215-en
General

Target: 0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222.exe
Size: 93KB
MD5: fcf64d897dc4dd3e3e49f23236a90f78
SHA1: 3ed20b44d33fbd84c3daa329d8a711841100fcc6
SHA256: 0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222
SHA512: 000c7112fff71f40b6e336e4c9d538a621f355d48103d5463727845b26db9324e773952ea5b68afa84cc52032a1b05303906939a21e27ae767c98e8603ddcb37
SSDEEP: 768:oY305yD9O/pBcxYsbae6GIXb9pDX2t98PL0OXLeuXxrjEtCdnl2pi1Rz4Rk3vsGO:k5IOx6baIa9RZj00ljEwzGi1dDbD4gS
Malware Config

Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed
C2: hakim32.ddns.net:2000
C2: 4.tcp.eu.ngrok.io:15904
Mutex: 0898e831b8671183b1f71cc16112d0b9
reg_key: 0898e831b8671183b1f71cc16112d0b9
splitter: |'|'|
Signatures

Modifies Windows Firewall (1 TTPs, 1 IoCs)
  pid   Process
  2868  netsh.exe

Drops startup file (6 IoCs)
  description                   ioc                                                                                                                      Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe                   server.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe                   server.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0898e831b8671183b1f71cc16112d0b9Windows Update.exe  server.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0898e831b8671183b1f71cc16112d0b9Windows Update.exe  server.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe                                server.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe                                server.exe

Executes dropped EXE (4 IoCs)
  pid   Process
  2828  server.exe
  2632  StUpdate.exe
  1592  StUpdate.exe
  2372  StUpdate.exe

Loads dropped DLL (11 IoCs)
  pid   Process
  2512  0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222.exe  (2 entries)
  2632  StUpdate.exe  (3 entries)
  1592  StUpdate.exe  (3 entries)
  2372  StUpdate.exe  (3 entries)

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2720  schtasks.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2828  server.exe  (64 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  2828  server.exe

Suspicious use of AdjustPrivilegeToken (35 IoCs)
  description                        pid   Process
  Token: SeDebugPrivilege            2828  server.exe  (1 entry)
  Token: 33                          2828  server.exe  (17 entries, alternating with the next row)
  Token: SeIncBasePriorityPrivilege  2828  server.exe  (17 entries)

Suspicious use of WriteProcessMemory (33 IoCs)
  description                    pid   Process                                                                 procid_target
  PID 2512 wrote to memory of 2828  2512  0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222.exe  28  (4 entries)
  PID 2828 wrote to memory of 2868  2828  server.exe                                                              29  (4 entries)
  PID 2828 wrote to memory of 2720  2828  server.exe                                                              31  (4 entries)
  PID 2684 wrote to memory of 2632  2684  taskeng.exe                                                             34  (7 entries)
  PID 2684 wrote to memory of 1592  2684  taskeng.exe                                                             37  (7 entries)
  PID 2684 wrote to memory of 2372  2684  taskeng.exe                                                             38  (7 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222.exe  (PID 2512)
  command line: "C:\Users\Admin\AppData\Local\Temp\0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\server.exe  (PID 2828)
    command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe  (PID 2868)
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      - Modifies Windows Firewall

    C:\Windows\SysWOW64\schtasks.exe  (PID 2720)
      command line: schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
      - Creates scheduled task(s)

C:\Windows\system32\taskeng.exe  (PID 2684)
  command line: taskeng.exe {BD53D36B-48F1-42FC-BA8A-D345480469AC} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\StUpdate.exe  (PID 2632)
    command line: C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
    - Executes dropped EXE
    - Loads dropped DLL

  C:\Users\Admin\AppData\Local\Temp\StUpdate.exe  (PID 1592)
    command line: C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
    - Executes dropped EXE
    - Loads dropped DLL

  C:\Users\Admin\AppData\Local\Temp\StUpdate.exe  (PID 2372)
    command line: C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
    - Executes dropped EXE
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 93KB
MD5: fcf64d897dc4dd3e3e49f23236a90f78
SHA1: 3ed20b44d33fbd84c3daa329d8a711841100fcc6
SHA256: 0b772f76147e7b238d14de0355cef5e90726574f9fa313675f687a7c4913d222
SHA512: 000c7112fff71f40b6e336e4c9d538a621f355d48103d5463727845b26db9324e773952ea5b68afa84cc52032a1b05303906939a21e27ae767c98e8603ddcb37

Filesize: 5B
MD5: 311d687faffaed10f44ea27c024986b6
SHA1: eece910ea8cb7aed467e2e7700f7c223d3fbbc9e
SHA256: 608547d80bf0e4b3d9cfffd324702b4aa38db2f0bfb3db4bd517b556fdf4de2b
SHA512: 296d2cbbbf39917b174682a73e571a98130b2fe1c2dcb7c84adbd185a0b3a81384ad556e3a88cdeaa01fbd5cb486c58c1e1dff22f77cd3e9df7315b93355272b