Analysis
max time kernel: 151s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-01-2024 03:50
Static task: static1
Behavioral task: behavioral1
  Sample: 7ece92212c59df419305a7915b0deb40.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 7ece92212c59df419305a7915b0deb40.exe
  Resource: win10v2004-20231215-en
General
Target: 7ece92212c59df419305a7915b0deb40.exe
Size: 148KB
MD5: 7ece92212c59df419305a7915b0deb40
SHA1: d39d2595dc53bec55ac4fa6262feb5ceb1e8637e
SHA256: c4a303a933d34ae05da9b5208a1b523a4e0a53c40d648457b124338b8cede1ff
SHA512: 66ddb7692d0921b70f7cde29f0a7dc5d35f7bd8c0e78c97b9fe583e9a8379fd4915cdd746c868fa19ac8476ec7c6f137835c141523412810580077e99e6a8079
SSDEEP: 3072:mR99ArBvfOBSdThazVJXdQ5/AdaAEUJ7XlE3pYLSxwp3Sb8:ocB1d9iXeSU87XlE+OxwpCb
Malware Config
Extracted
Family: njrat
Version: im523
Botnet: 4
C2: rlawlsl154.codns.com:443
Mutex: a695e871b7f2f081334e678e67df6a28
Attributes
  reg_key: a695e871b7f2f081334e678e67df6a28
  splitter: |'|'|
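The extracted config gives the C2 endpoint and the field splitter `|'|'|`, which is what a network detection keys on. The helper below is an added example and not part of the sandbox report: it frames and parses njRAT-style C2 messages so the splitter can be matched inside a well-formed frame rather than anywhere in a stream. The framing (ASCII decimal length, a NUL byte, then the payload) and the command names `ll` and `P` are taken from public njRAT write-ups, not from this report, and the beacon fields in the sample stream are constructed for illustration.

```python
"""njRAT C2 framing helper (added example, not code from the report).

Assumptions (from public njRAT/Bladabindi analyses, not from this page):
  * one message = <ASCII decimal length> + b"\x00" + <payload>
  * fields inside a payload are separated by the config's splitter string
  * the session to the C2 is plaintext even though the port is 443
"""

SPLITTER = "|'|'|"                       # splitter value from the extracted config
C2 = ("rlawlsl154.codns.com", 443)       # C2 value from the extracted config


def frame(payload: str) -> bytes:
    """Encode one message as <len>\\x00<payload> (assumed njRAT framing)."""
    body = payload.encode("utf-8")
    return str(len(body)).encode("ascii") + b"\x00" + body


def parse_frames(stream: bytes):
    """Split a captured byte stream into (command, fields) tuples.

    Returns (frames, leftover): parsing stops at the first incomplete frame
    so the caller can append the next TCP segment and call again.
    """
    frames, pos = [], 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul < 0:
            break                                    # no length terminator yet
        prefix = stream[pos:nul]
        if not prefix.isdigit():
            raise ValueError("not a length-prefixed frame at offset %d" % pos)
        length = int(prefix)
        start, end = nul + 1, nul + 1 + length
        if end > len(stream):
            break                                    # payload not fully received
        fields = stream[start:end].decode("utf-8", "replace").split(SPLITTER)
        frames.append((fields[0], fields[1:]))       # first field is the command
        pos = end
    return frames, stream[pos:]


def looks_like_njrat(stream: bytes) -> bool:
    """Detection heuristic: at least one complete frame whose payload is
    splitter-separated. Matching the splitter only inside a valid frame keeps
    a stray "|'|'|" in unrelated traffic from firing the rule."""
    try:
        frames, _ = parse_frames(stream)
    except ValueError:
        return False
    return any(fields for _, fields in frames)


# Constructed sample traffic: a registration beacon ("ll") followed by a
# keep-alive ("P"). Field order and contents are illustrative only.
SAMPLE_STREAM = frame(SPLITTER.join([
    "ll",
    "4_0123456789ABCDEF",      # botnet id "4" from the config + a made-up host id
    "DESKTOP-EXAMPLE",
    "Admin",
    "Win 10 Pro SP0 x86",
    "im523",                   # version string from the extracted config
])) + frame("P")

if __name__ == "__main__":
    frames, rest = parse_frames(SAMPLE_STREAM)
    for cmd, fields in frames:
        print(cmd, fields)
    print("njrat-like:", looks_like_njrat(SAMPLE_STREAM), "leftover:", rest)
```

For a passive sensor, run `parse_frames` over each direction of the TCP session to `C2` and alert when `looks_like_njrat` is true; feeding segments incrementally with the returned leftover avoids false negatives when a beacon straddles two packets.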
Signatures
Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes: netsh.exe (pid 4632)
Drops startup file (2 IoCs)
  7ece92212c59df419305a7915b0deb40.exe:
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a695e871b7f2f081334e678e67df6a28.exe
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a695e871b7f2f081334e678e67df6a28.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  7ece92212c59df419305a7915b0deb40.exe:
    Set value (str): \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a695e871b7f2f081334e678e67df6a28 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\7ece92212c59df419305a7915b0deb40.exe\" .."
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\a695e871b7f2f081334e678e67df6a28 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\7ece92212c59df419305a7915b0deb40.exe\" .."
Drops autorun.inf file (1 TTP, 5 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  7ece92212c59df419305a7915b0deb40.exe:
    File created: D:\autorun.inf
    File created: F:\autorun.inf
    File opened for modification: F:\autorun.inf
    File created: C:\autorun.inf
    File opened for modification: C:\autorun.inf
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 7ece92212c59df419305a7915b0deb40.exe (pid 496), 64 occurrences
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: 7ece92212c59df419305a7915b0deb40.exe (pid 496)
Suspicious use of AdjustPrivilegeToken (31 IoCs)
  7ece92212c59df419305a7915b0deb40.exe (pid 496): Token: SeDebugPrivilege (1 entry), then alternating Token: 33 and Token: SeIncBasePriorityPrivilege (30 entries)
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 496 (7ece92212c59df419305a7915b0deb40.exe) wrote to memory of PID 4632 (netsh.exe), 3 entries
Processes
C:\Users\Admin\AppData\Local\Temp\7ece92212c59df419305a7915b0deb40.exe (pid 496)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7ece92212c59df419305a7915b0deb40.exe"
  - Drops startup file
  - Adds Run key to start application
  - Drops autorun.inf file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\netsh.exe (pid 4632, child of pid 496)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\7ece92212c59df419305a7915b0deb40.exe" "7ece92212c59df419305a7915b0deb40.exe" ENABLE
    - Modifies Windows Firewall
    Note: the child is launched from SysWOW64 and the machine-wide Run value lands under WOW6432Node, so the sample is a 32-bit executable running under WOW64 on this x64 image. The firewall rule whitelists the sample at its %TEMP% path, the same path both Run values point at.
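The signatures and the process tree above give four host artifacts that, taken together, are a strong njRAT pattern: a Startup-folder drop, a Run value that points into %TEMP% and ends in the characteristic `" ..` suffix, `autorun.inf` written to a volume root, and `netsh firewall add allowedprogram` for a binary in %TEMP%. The script below is an added example, not part of the report, that encodes those checks as detection logic and runs them over constructed telemetry events built from the IoCs on this page; the event field names (`type`, `path`, `key`, `data`, `cmdline`) are an assumed flat schema, not any vendor's format.

```python
"""Host-artifact detection for the njRAT behaviours in this report.

Added example; the EVENTS list is constructed from the report's IoCs plus one
benign-looking control entry, and the event schema is an assumption.
"""
import re

STARTUP_DIR = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(
    r"\\Software\\(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
AUTORUN_ROOT = re.compile(r"^[A-Za-z]:\\autorun\.inf$", re.I)
NETSH_ALLOW = re.compile(r"\bnetsh(\.exe)?\s+firewall\s+add\s+allowedprogram\b", re.I)

# Findings that are strong on their own; "Run key added" alone is only informational.
HIGH = {
    "startup-folder drop",
    "autorun.inf at volume root",
    "Run key points into %TEMP%",
    "njRAT-style ' ..' suffix",
    "allowed program lives in %TEMP%",
}


def check(ev: dict) -> list:
    """Return the list of findings for one telemetry event."""
    hits = []
    t = ev["type"]
    if t == "file_create":
        if STARTUP_DIR.search(ev["path"]):
            hits.append("startup-folder drop")
        if AUTORUN_ROOT.match(ev["path"]):
            hits.append("autorun.inf at volume root")
    elif t == "reg_set" and RUN_KEY.search(ev["key"]):
        hits.append("Run key added")
        if TEMP_DIR.search(ev["data"]):
            hits.append("Run key points into %TEMP%")
        if ev["data"].rstrip().endswith('" ..'):   # trailing ' ..' seen in the report's Run values
            hits.append("njRAT-style ' ..' suffix")
    elif t == "process_create" and NETSH_ALLOW.search(ev["cmdline"]):
        hits.append("firewall allow rule via netsh")
        if TEMP_DIR.search(ev["cmdline"]):
            hits.append("allowed program lives in %TEMP%")
    return hits


def triage(events: list) -> list:
    """(event id, findings) for every event that produced at least one finding."""
    return [(ev["id"], hits) for ev in events if (hits := check(ev))]


def verdict(events: list) -> bool:
    """True when any event carries a high-confidence finding."""
    return any(HIGH & set(hits) for _, hits in triage(events))


EVENTS = [  # constructed from the report's IoCs (pids 496 / 4632 as on the page)
    {"id": 1, "type": "file_create", "pid": 496,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a695e871b7f2f081334e678e67df6a28.exe"},
    {"id": 2, "type": "reg_set", "pid": 496,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\a695e871b7f2f081334e678e67df6a28",
     "data": r'"C:\Users\Admin\AppData\Local\Temp\7ece92212c59df419305a7915b0deb40.exe" ..'},
    {"id": 3, "type": "file_create", "pid": 496, "path": r"F:\autorun.inf"},
    {"id": 4, "type": "process_create", "pid": 4632, "ppid": 496,
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\7ece92212c59df419305a7915b0deb40.exe" "7ece92212c59df419305a7915b0deb40.exe" ENABLE'},
    {"id": 5, "type": "reg_set", "pid": 1200,   # constructed benign control entry
     "key": r"\REGISTRY\USER\S-1-5-21-1-2-3-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for ev_id, hits in triage(EVENTS):
        print(ev_id, hits)
    print("verdict:", verdict(EVENTS))
```

The control entry (id 5) shows why the Run-key check alone is not an alert: legitimate software adds Run values too, and it is the %TEMP% target and the `" ..` suffix that separate this sample from ordinary autostarts. The regexes are written against the `\REGISTRY\MACHINE` / `\REGISTRY\USER` path form the report uses, and also match the `HKLM\Software\...` form because only the tail of the key is tested.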
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Create or Modify System Process (1): Windows Service (1)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
  Create or Modify System Process (1): Windows Service (1)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
F:\svchost.exe (dropped file; identical to the submitted sample, same MD5, SHA1, SHA256 and SHA512 as in General above, i.e. the sample copied itself to the removable volume next to the autorun.inf it wrote there)
  Filesize: 148KB
  MD5: 7ece92212c59df419305a7915b0deb40
  SHA1: d39d2595dc53bec55ac4fa6262feb5ceb1e8637e
  SHA256: c4a303a933d34ae05da9b5208a1b523a4e0a53c40d648457b124338b8cede1ff
  SHA512: 66ddb7692d0921b70f7cde29f0a7dc5d35f7bd8c0e78c97b9fe583e9a8379fd4915cdd746c868fa19ac8476ec7c6f137835c141523412810580077e99e6a8079
Memory dumps (pid 496):
  memory/496-0-0x0000000074550000-0x0000000074D00000-memory.dmp: 7.7MB
  memory/496-1-0x0000000000D60000-0x0000000000D8E000-memory.dmp: 184KB
  memory/496-2-0x00000000057A0000-0x000000000583C000-memory.dmp: 624KB
  memory/496-3-0x0000000001850000-0x0000000001860000-memory.dmp: 64KB
  memory/496-4-0x0000000005DF0000-0x0000000006394000-memory.dmp: 5.6MB
  memory/496-14-0x0000000005C40000-0x0000000005CD2000-memory.dmp: 584KB
  memory/496-15-0x0000000074550000-0x0000000074D00000-memory.dmp: 7.7MB
  memory/496-16-0x00000000066F0000-0x00000000066FA000-memory.dmp: 40KB
  memory/496-17-0x0000000005950000-0x0000000005960000-memory.dmp: 64KB