Analysis
max time kernel: 160s
max time network: 168s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 03/02/2024, 04:01
Behavioral task: behavioral1
Sample: 8b5861dc1c5772a6512aef0fa0761956.exe
Resource: win7-20231215-en
10 signatures
150 seconds
General
Target: 8b5861dc1c5772a6512aef0fa0761956.exe
Size: 5.7MB
MD5: 8b5861dc1c5772a6512aef0fa0761956
SHA1: dcebd52e16bba1ac7ddceb29d524143b25c568e5
SHA256: a22dbc7aab26757e26cc2c626b54a62ab425cbe19fe202fb8b7f70e2b5d64082
SHA512: bdb24999f68786633b50cee878ddf5f852ea5fa38aa1ba750c00b296c91253b78ccf74540ccded36b281eb51dede60916120e88c59afcd310076b4fdb6db2968
SSDEEP: 98304:EfaCOBF2ChX5cFY2jh2nu/MCxFAkS2EWbDeqa9Q80jQt0ehfMRYFanpAuARQEsRk:manBFJO8O2rnyeF/0jC0elIp3cppxX
Malware Config
Extracted
Family: njrat
Version: Njrat 0.7 Golden By Hassan Amiri
Botnet: 566
C2: 192.168.0.23:1604
Mutex: Windows Update
Attributes
reg_key: Windows Update
splitter: |Hassan|
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) | 2 TTPs | 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 8b5861dc1c5772a6512aef0fa0761956.exe
Checks BIOS information in registry | 2 TTPs | 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 8b5861dc1c5772a6512aef0fa0761956.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 8b5861dc1c5772a6512aef0fa0761956.exe
Drops startup file | 1 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe | 8b5861dc1c5772a6512aef0fa0761956.exe

resource | yara_rule
behavioral1/memory/1180-22-0x0000000000300000-0x000000000119C000-memory.dmp | themida
behavioral1/memory/1180-23-0x0000000000300000-0x000000000119C000-memory.dmp | themida
Adds Run key to start application | 2 TTPs | 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\8b5861dc1c5772a6512aef0fa0761956.exe\" .." | 8b5861dc1c5772a6512aef0fa0761956.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\8b5861dc1c5772a6512aef0fa0761956.exe\" .." | 8b5861dc1c5772a6512aef0fa0761956.exe
Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 8b5861dc1c5772a6512aef0fa0761956.exe
Suspicious use of NtSetInformationThreadHideFromDebugger | 1 IoCs
pid | Process
1180 | 8b5861dc1c5772a6512aef0fa0761956.exe
Suspicious behavior: GetForegroundWindowSpam | 1 IoCs
pid | Process
1180 | 8b5861dc1c5772a6512aef0fa0761956.exe
Suspicious use of AdjustPrivilegeToken | 35 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1180 | 8b5861dc1c5772a6512aef0fa0761956.exe
Token: 33 | 1180 | 8b5861dc1c5772a6512aef0fa0761956.exe
Token: SeIncBasePriorityPrivilege | 1180 | 8b5861dc1c5772a6512aef0fa0761956.exe
(the last two rows alternate a further 16 times, for 17 pairs and 35 IoCs in total; all from pid 1180, 8b5861dc1c5772a6512aef0fa0761956.exe)
Processes

Process 1: C:\Users\Admin\AppData\Local\Temp\8b5861dc1c5772a6512aef0fa0761956.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8b5861dc1c5772a6512aef0fa0761956.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops startup file
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1180