Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
03/02/2024, 09:32
Behavioral task
behavioral1
Sample
8bfdedc30182ece284b09591788cc931.exe
Resource
win7-20231215-en
General
-
Target
8bfdedc30182ece284b09591788cc931.exe
-
Size
402KB
-
MD5
8bfdedc30182ece284b09591788cc931
-
SHA1
4ff3a3ad179c7bb9aa91493beb6ed30882fe8e46
-
SHA256
00b99ceddb783a0fe3cac7aa2faa936ab54c5d6ff42280aaa307b04175c97103
-
SHA512
92c584c203e66e95352109666f538ab4252543331dd9bda2463e4caec4e08b713796ca598babdd4260f43451f99fd6d1ee008bbbd0e6cf9d1edce1d6d2b4af15
-
SSDEEP
6144:JmaKVBGmE84IMNv55giU0pKiFYHxfx15RvOagakZBxkTN2gmeGcFnVQb/DAYbDgW:eSmLAuEY71fviagATFmebVQDcYc6
Malware Config
Extracted
njrat
0.6.4
hhhmach.ddns.net:1177
5cd8f17f4086744065eb0992a09e05a2
-
reg_key
5cd8f17f4086744065eb0992a09e05a2
-
splitter
|'|'|
Signatures
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2936 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation test.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe Trojan.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe Trojan.exe -
Executes dropped EXE 2 IoCs
pid Process 3036 test.exe 1100 Trojan.exe -
resource yara_rule behavioral2/memory/4288-0-0x0000000000400000-0x00000000004FA000-memory.dmp upx behavioral2/memory/4288-22-0x0000000000400000-0x00000000004FA000-memory.dmp upx -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." Trojan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .." Trojan.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
pid pid_target Process procid_target 4212 4288 WerFault.exe 16 3720 4288 WerFault.exe 16 -
Suspicious behavior: EnumeratesProcesses 48 IoCs
pid Process 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe 1100 Trojan.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1100 Trojan.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4288 wrote to memory of 1460 4288 8bfdedc30182ece284b09591788cc931.exe 47 PID 4288 wrote to memory of 1460 4288 8bfdedc30182ece284b09591788cc931.exe 47 PID 4288 wrote to memory of 1460 4288 8bfdedc30182ece284b09591788cc931.exe 47 PID 1460 wrote to memory of 3036 1460 cmd.exe 48 PID 1460 wrote to memory of 3036 1460 cmd.exe 48 PID 1460 wrote to memory of 3036 1460 cmd.exe 48 PID 3036 wrote to memory of 1100 3036 test.exe 63 PID 3036 wrote to memory of 1100 3036 test.exe 63 PID 3036 wrote to memory of 1100 3036 test.exe 63 PID 1100 wrote to memory of 2936 1100 Trojan.exe 59 PID 1100 wrote to memory of 2936 1100 Trojan.exe 59 PID 1100 wrote to memory of 2936 1100 Trojan.exe 59
Processes
-
C:\Users\Admin\AppData\Local\Temp\8bfdedc30182ece284b09591788cc931.exe"C:\Users\Admin\AppData\Local\Temp\8bfdedc30182ece284b09591788cc931.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 2602⤵
- Program crash
PID:4212
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c test.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Users\Admin\AppData\Local\Temp\test.exetest.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Users\Admin\AppData\Local\Temp\Trojan.exe"C:\Users\Admin\AppData\Local\Temp\Trojan.exe"4⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 1642⤵
- Program crash
PID:3720
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4288 -ip 42881⤵PID:4348
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE1⤵
- Modifies Windows Firewall
PID:2936
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 4288 -ip 42881⤵PID:3968
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
35KB
MD572b73eaf6a91ecfaf35b96652a94e3b3
SHA19459172d9c6f1f67da9c278d4eb9f0be437ef5ec
SHA256bf1be6dc394164cdb8f185955e634febb6a1e6229c7d5c3183b5c4cc1545d5f2
SHA512dd6913a7014e34162e3b5dbf929fcc99e1aa1491051fc9c35d1440fe5c100061c911adb8f2c5c05acf62a35125d195f2c6a143c6bd6c7914e0b4d4c4aecaee7d
-
Filesize
78KB
MD542c5854aa0709d8bf6c28ea82c67b9a5
SHA1124ea473f0572009de85a4a46f361109f4fae7d6
SHA25671e1add662041fee9ff0ddf0139154cf006538559af45f34047aac91efb1b8eb
SHA512c0f4412f2237138b5b66ecc285d7f44bacd67ae23feb0a55561cd4f7850ee6b0fd1b1dac3d2725ed4932aaf155b0fbda284a69b07594789bdb4cbcf0f499d95a
-
Filesize
77KB
MD5a03fed79dc35f460551dd70da2f46715
SHA1375f9048b51b92b7ecf4a8606070368be1ad71cb
SHA256d180b725c61b5e56850904832aff1ce0f6d99cd26d02f119f5f8cea60146ab9e
SHA5128e67f1e688238193034bece7d2bf87601ced58e2ef2319fbd4e2b3c0998b8972bfc9ae5d24b35846b7a5a35a6f57c10de4879fe77dcd87f653fc098e6e644266