Analysis

max time kernel: 149s
max time network: 152s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 03/02/2024, 04:06
Behavioral task: behavioral1
  Sample: 8b5a798a5aefc7817f4ad1412e69a6ce.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 8b5a798a5aefc7817f4ad1412e69a6ce.exe
  Resource: win10v2004-20231215-en
General

Target: 8b5a798a5aefc7817f4ad1412e69a6ce.exe
Size: 291KB
MD5: 8b5a798a5aefc7817f4ad1412e69a6ce
SHA1: cef0d699332025e8da7fe747eb69346be932cb9d
SHA256: 36bcbc6f042482039ffd4e6f5c4c83ce5b86394da2506670b86d3d7525f79549
SHA512: 0af6f31e22c82890d5e81424fa2ff7a47d2c98e43d5d3ba4541c045920a536158cdc080f32194ccfb84d1e802be3e5192e5d0bdeb89740fcadca33bf08fefafd
SSDEEP: 768:crKFygpFRA/vMHTi9bDoMVpb0mjv8gx5poyKcMYocg3arRw:uKFygOnYi9bRVBjv8YoyIYxgy
Malware Config

Extracted
  Family: njrat
  Version: v2.0
  0909909
  C2: 174.67.28.4:6786
  Windows
  reg_key: Windows
  splitter: |-F-|
Signatures

Drops startup file (4 IoCs)
  description                    ioc                                                                                        Process
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk   8b5a798a5aefc7817f4ad1412e69a6ce.exe
  File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk   Payload.exe
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe   Payload.exe
  File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe   Payload.exe

Executes dropped EXE (1 IoC)
  pid    Process
  2776   Payload.exe

Loads dropped DLL (1 IoC)
  pid    Process
  2280   8b5a798a5aefc7817f4ad1412e69a6ce.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
  description       ioc                                                                                                                       Process
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"   Payload.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe"   8b5a798a5aefc7817f4ad1412e69a6ce.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"   Payload.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"   Payload.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"   Payload.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (33 IoCs; repeated entries collapsed, count shown)
  description                         pid    Process       count
  Token: SeDebugPrivilege             2776   Payload.exe   1
  Token: 33                           2776   Payload.exe   16
  Token: SeIncBasePriorityPrivilege   2776   Payload.exe   16

Suspicious use of WriteProcessMemory (8 IoCs; repeated entries collapsed, count shown)
  description                        pid    Process                                procid_target   count
  PID 2280 wrote to memory of 2776   2280   8b5a798a5aefc7817f4ad1412e69a6ce.exe   28              4
  PID 2280 wrote to memory of 2760   2280   8b5a798a5aefc7817f4ad1412e69a6ce.exe   29              4

Views/modifies file attributes (1 TTP, 1 IoC)
  pid    Process
  2760   attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\8b5a798a5aefc7817f4ad1412e69a6ce.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8b5a798a5aefc7817f4ad1412e69a6ce.exe"
  PID: 2280
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Payload.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
    PID: 2776
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\attrib.exe
    command line: attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
    PID: 2760
    - Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
  MD5: 2a5cb068b79e07db9f89c97868325267
  SHA1: a19e71347f4763e408cad2bb15430956045cf002
  SHA256: 7c17c22002894349eb618786aae5f72b3bc168d5e9e48b4de6efe98ab05bc6db
  SHA512: 8a235c4c397f4d4864834392a808260ad643d213b0cced98675ef56e3ed169bcb7cefc2a46ff743fa5443ddf006f2864627baf273dfbe0b5abf996352e7d4961

Filesize: 1022B
  MD5: 92f19613c496364ce789460ab170df13
  SHA1: 928eee23d3385c60f6b767b6e489f591c0231599
  SHA256: dc6f5e77fdab54bbc9ecf447282977fa0ac7bfc9c49aeb8f1125b3ce94353515
  SHA512: d3089580132c248f2ebcb1474da5a9777fb1919f63c0f1d59d502ff1287fb3f8430abf831bb0074c6a05a6ff3b918c9c75ab6a93b3ef9e8c440c84ac413c0ebf

Filesize: 291KB
  MD5: 8b5a798a5aefc7817f4ad1412e69a6ce
  SHA1: cef0d699332025e8da7fe747eb69346be932cb9d
  SHA256: 36bcbc6f042482039ffd4e6f5c4c83ce5b86394da2506670b86d3d7525f79549
  SHA512: 0af6f31e22c82890d5e81424fa2ff7a47d2c98e43d5d3ba4541c045920a536158cdc080f32194ccfb84d1e802be3e5192e5d0bdeb89740fcadca33bf08fefafd