Analysis
  max time kernel: 148s
  max time network: 147s
  platform: windows10-2004_x64
  resource: win10v2004-20231222-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 27/01/2024, 02:01
Static task
  static1: 1 signatures
Behavioral task
  behavioral1
    Sample: 78fd42f0ec9a7ecf52ef805bf3d1db88.exe
    Resource: win7-20231129-en
    3 signatures, 150 seconds
Behavioral task
  behavioral2
    Sample: 78fd42f0ec9a7ecf52ef805bf3d1db88.exe
    Resource: win10v2004-20231222-en
    4 signatures, 150 seconds
General
  Target: 78fd42f0ec9a7ecf52ef805bf3d1db88.exe
  Size: 25KB
  MD5: 78fd42f0ec9a7ecf52ef805bf3d1db88
  SHA1: f917d69c6a8f51f47d2a8dd4f92a54c974ab01f7
  SHA256: 8cf4c92a9e57a674510432fbda9543c350d3191aca49844f39e01fb4145a0a9f
  SHA512: 4471c05eb0378bab820a4fa4595ec14a5a66b5099401b6c17414ace59da992a4f979337099622675be9dbb012212f21dffe89ae16aa10efbf41c8df7b732e97b
  SSDEEP: 768:QL+C2aKZGdp0WAhO4aaQeXixmqenlMMVX:Qf11AhPnXiknlMUX
  Score: 10/10
Malware Config
  Extracted
    Family: njrat
    Version: SH Stub
    Mutex: CARDDfTfqdeb
    Attributes
      reg_key: CARDDfTfqdeb
      splitter: |'|'|
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                        Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Startup = "C:\\Users\\Public\\Documents\\svchost"  reg.exe

Suspicious use of AdjustPrivilegeToken (29 IoCs; identical rows collapsed with a count)
  description                         pid   Process                                count
  Token: SeDebugPrivilege             3480  78fd42f0ec9a7ecf52ef805bf3d1db88.exe   1
  Token: 33                           3480  78fd42f0ec9a7ecf52ef805bf3d1db88.exe   14
  Token: SeIncBasePriorityPrivilege   3480  78fd42f0ec9a7ecf52ef805bf3d1db88.exe   14

Suspicious use of WriteProcessMemory (4 IoCs)
  description                         pid   Process                                procid_target
  PID 3480 wrote to memory of 3016    3480  78fd42f0ec9a7ecf52ef805bf3d1db88.exe   95
  PID 3480 wrote to memory of 3016    3480  78fd42f0ec9a7ecf52ef805bf3d1db88.exe   95
  PID 3016 wrote to memory of 2672    3016  cmd.exe                                98
  PID 3016 wrote to memory of 2672    3016  cmd.exe                                98
Processes
  C:\Users\Admin\AppData\Local\Temp\78fd42f0ec9a7ecf52ef805bf3d1db88.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\78fd42f0ec9a7ecf52ef805bf3d1db88.exe"
    PID: 3480
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SYSTEM32\cmd.exe
      command line: "cmd.exe"
      PID: 3016
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\reg.exe
        command line: reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v "Startup" /t REG_SZ /d C:\Users\Public\Documents\svchost /f
        PID: 2672
        - Adds Run key to start application