Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-02-2024 22:56
Static task: static1
Behavioral task: behavioral1
- Sample: 90607a7629033870512ce47aa2644430.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 90607a7629033870512ce47aa2644430.exe
- Resource: win10v2004-20231222-en
General
- Target: 90607a7629033870512ce47aa2644430.exe
- Size: 149KB
- MD5: 90607a7629033870512ce47aa2644430
- SHA1: 74a2b921aa81012febfe62ca170c2291098e6a4d
- SHA256: eebb78b35724ef9aec1c4c6c45cfcbc6005b9485e5698d58f8bf63d71f776d71
- SHA512: ee0b6347237e5caedb27c73fb8966d11d4a9b383b9c4fb30e724183a4f40cfe29ed7d3ab8c97bcff6e3f33e99cc6df036adb55e4a65b6da665429a32a9a62fc5
- SSDEEP: 3072:3jFv0c5kHW4/ePbZIC6YqmwH9gi36BsNSijgvxttpk8D:3jFvT5YGtId0egi3EsNBqb7
Malware Config
Extracted
- Family: njrat
- Version: im523
- Botnet: 4
- C2: rlawlsl154.codns.com:443
- Mutex: a695e871b7f2f081334e678e67df6a28
- reg_key: a695e871b7f2f081334e678e67df6a28
- splitter: |'|'|
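The extracted config gives the C2 endpoint and the field separator that njRAT uses on the wire. What follows is an added example, not code from the sandbox report or from njRAT itself: it deframes a constructed njRAT-style byte stream with that splitter and counts splitter occurrences as a cheap network signature. The framing (ASCII decimal length, NUL byte, payload), the plaintext-over-port-443 behaviour and the `ll` registration command name are taken from public descriptions of the protocol and are assumptions here, as is all of the sample traffic, which is constructed rather than captured.

```python
"""Deframe and split njRAT C2 traffic with the splitter from this sample's config.

Added example; it is not code from the sandbox report or from njRAT itself.
Assumptions: njRAT's wire format, as described in public analyses, is a
plaintext TCP stream of messages "<decimal length>\\x00<payload>", where the
payload's fields are separated by the configured splitter (here |'|'|) and the
first field is the command. The messages built below are constructed, not captured.
"""
from dataclasses import dataclass, field

SPLITTER = "|'|'|"                     # from the extracted config
C2 = ("rlawlsl154.codns.com", 443)     # from the extracted config; port 443 but no TLS


@dataclass
class NjMessage:
    command: str
    fields: list[str] = field(default_factory=list)


def frame(payload: bytes) -> bytes:
    """Apply njRAT framing: ASCII length, NUL, payload (assumed format)."""
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def build(command: str, *fields: str, splitter: str = SPLITTER) -> bytes:
    """Build one framed message from a command and its fields."""
    return frame(splitter.join((command, *fields)).encode("utf-8"))


def parse_stream(data: bytes, splitter: str = SPLITTER) -> tuple[list[NjMessage], bytes]:
    """Pull every complete message out of a byte stream.

    Returns (messages, leftover) so the caller can keep the unread tail of a
    partially received message and feed it back in with the next recv().
    """
    messages: list[NjMessage] = []
    while True:
        nul = data.find(b"\x00")
        if nul == -1:
            break
        prefix = data[:nul]
        if not prefix.isdigit():
            raise ValueError(f"not an njRAT length prefix: {prefix!r}")
        start, length = nul + 1, int(prefix)
        if len(data) < start + length:
            break                      # wait for the rest of this message
        payload = data[start:start + length].decode("utf-8", errors="replace")
        command, *fields = payload.split(splitter)
        messages.append(NjMessage(command, fields))
        data = data[start + length:]
    return messages, data


def splitter_hits(data: bytes, splitter: str = SPLITTER) -> int:
    """Cheap network signature: count occurrences of the configured splitter.

    A non-TLS connection to port 443 carrying this token is worth an alert on
    its own, independent of whether the framing parses.
    """
    return data.count(splitter.encode("utf-8"))


if __name__ == "__main__":
    # Constructed traffic: a registration-style message, a second command, and
    # the start of a third message that has not fully arrived yet.
    stream = build("ll", "HacKed_1234", "DESKTOP-TEST", "Admin") + build("inf") + b"12\x00partial"
    msgs, rest = parse_stream(stream)
    for m in msgs:
        print(m.command, m.fields)
    print("leftover:", rest, "splitter hits:", splitter_hits(stream))
```

Because the protocol is plaintext, the splitter string is a usable content match for network detection on this C2 port even before the length framing is decoded; `parse_stream` is what you would run on a reassembled stream to recover the victim fields from the registration message.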
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes: pid 208 netsh.exe
- Drops startup file (2 IoCs)
  Processes: 90607a7629033870512ce47aa2644430.exe
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a695e871b7f2f081334e678e67df6a28.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a695e871b7f2f081334e678e67df6a28.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 90607a7629033870512ce47aa2644430.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a695e871b7f2f081334e678e67df6a28 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\90607a7629033870512ce47aa2644430.exe\" .."
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\a695e871b7f2f081334e678e67df6a28 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\90607a7629033870512ce47aa2644430.exe\" .."
- Drops autorun.inf file (1 TTP, 5 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  Processes: 90607a7629033870512ce47aa2644430.exe
  - File opened for modification: F:\autorun.inf
  - File created: C:\autorun.inf
  - File opened for modification: C:\autorun.inf
  - File created: D:\autorun.inf
  - File created: F:\autorun.inf
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: pid 448 90607a7629033870512ce47aa2644430.exe (all 64 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: pid 448 90607a7629033870512ce47aa2644430.exe
- Suspicious use of AdjustPrivilegeToken (37 IoCs)
  Processes: pid 448 90607a7629033870512ce47aa2644430.exe
  - Token: SeDebugPrivilege (1 event)
  - Token: 33 and Token: SeIncBasePriorityPrivilege, alternating (36 events; privilege LUID 33 is SeIncreaseWorkingSetPrivilege)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 90607a7629033870512ce47aa2644430.exe
  - PID 448 (90607a7629033870512ce47aa2644430.exe) wrote to memory of PID 208 (netsh.exe), 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\90607a7629033870512ce47aa2644430.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\90607a7629033870512ce47aa2644430.exe"
  - Drops startup file
  - Adds Run key to start application
  - Drops autorun.inf file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (child process)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\90607a7629033870512ce47aa2644430.exe" "90607a7629033870512ce47aa2644430.exe" ENABLE
    - Modifies Windows Firewall
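The Run value name, the Startup-folder file name and the config's reg_key are all the same string, a695e871b7f2f081334e678e67df6a28, and the firewall exception is added for an executable under the user's AppData\Local\Temp. The block below is an added example, not part of the sandbox report and not its signature engine: it classifies events constructed from the report's file, registry and process tables into ATT&CK-mapped findings, flags persistence and firewall targets that live in user-writable paths, and checks for the shared artefact name. The event layout, regexes and finding labels are this example's own.

```python
"""Classify host IoCs of the kind this report lists into persistence and
defence-evasion findings, and correlate the artefact names across them.

Added example, not part of the sandbox report and not its signature engine.
The event dicts are constructed to mirror the report's file, registry and
process entries; the regexes, finding labels and the mapping to ATT&CK
technique IDs are this example's own.
"""
import re

STARTUP_DIR = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\([^\\]+)$", re.I)
RUN_KEY = re.compile(
    r"\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\([^\\\s]+)$", re.I)
AUTORUN_ROOT = re.compile(r"^[A-Z]:\\autorun\.inf$", re.I)
NETSH_ALLOW = re.compile(r'netsh\s+firewall\s+add\s+allowedprogram\s+"([^"]+)"', re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)

SAMPLE = "90607a7629033870512ce47aa2644430.exe"
TMP = r"C:\Users\Admin\AppData\Local\Temp\90607a7629033870512ce47aa2644430.exe"

# Constructed from the report's IoC tables (one representative event per kind).
EVENTS = [
    {"type": "file", "op": "created", "process": SAMPLE,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a695e871b7f2f081334e678e67df6a28.exe"},
    {"type": "registry", "op": "set", "process": SAMPLE,
     "key": r"\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a695e871b7f2f081334e678e67df6a28",
     "value": f'"{TMP}" ..'},
    {"type": "registry", "op": "set", "process": SAMPLE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\a695e871b7f2f081334e678e67df6a28",
     "value": f'"{TMP}" ..'},
    {"type": "file", "op": "created", "process": SAMPLE, "path": r"C:\autorun.inf"},
    {"type": "file", "op": "created", "process": SAMPLE, "path": r"F:\autorun.inf"},
    {"type": "process", "parent": SAMPLE, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": f'netsh firewall add allowedprogram "{TMP}" "{SAMPLE}" ENABLE'},
]


def classify(ev: dict) -> list[tuple[str, str]]:
    """Return (finding, detail) pairs for a single event; [] if nothing matched."""
    out: list[tuple[str, str]] = []
    if ev["type"] == "file":
        if m := STARTUP_DIR.search(ev["path"]):
            out.append(("T1547.001 Startup folder drop", m.group(1)))
        if AUTORUN_ROOT.match(ev["path"]):
            out.append(("T1091 autorun.inf at drive root", ev["path"][:2]))
    elif ev["type"] == "registry":
        if m := RUN_KEY.search(ev["key"]):
            hive = "HKLM" if "\\MACHINE\\" in ev["key"].upper() else "HKCU"
            out.append(("T1547.001 Run key", f"{hive} {m.group(1)} = {ev['value']}"))
            if USER_WRITABLE.search(ev["value"]):
                out.append(("Run key target in user-writable path", ev["value"]))
    elif ev["type"] == "process":
        if m := NETSH_ALLOW.search(ev["cmdline"]):
            out.append(("T1562.004 firewall exception added", m.group(1)))
            if USER_WRITABLE.search(m.group(1)):
                out.append(("Firewall exception for user-writable path", m.group(1)))
    return out


def persistence_names(events: list[dict]) -> dict[str, set[str]]:
    """Map each artefact name to where it was used. njRAT derives the Run value
    name, the Startup file name and its mutex from one generated string, so a
    name seen in more than one place is a strong family-level signal."""
    names: dict[str, set[str]] = {}
    for ev in events:
        if ev["type"] == "file" and (m := STARTUP_DIR.search(ev["path"])):
            names.setdefault(m.group(1).rsplit(".", 1)[0], set()).add("startup_file")
        elif ev["type"] == "registry" and (m := RUN_KEY.search(ev["key"])):
            names.setdefault(m.group(1), set()).add("run_value")
    return names


def shared_names(events: list[dict]) -> set[str]:
    """Names reused across Startup folder and Run key persistence."""
    return {n for n, where in persistence_names(events).items() if len(where) > 1}


def triage(events: list[dict]) -> dict[str, list[str]]:
    """Group findings by label so the output reads like the report's Signatures block."""
    grouped: dict[str, list[str]] = {}
    for ev in events:
        for finding, detail in classify(ev):
            grouped.setdefault(finding, []).append(detail)
    return grouped


if __name__ == "__main__":
    for finding, details in triage(EVENTS).items():
        print(f"{finding} ({len(details)} IoCs)")
        for d in details:
            print("   ", d)
    print("shared persistence names:", shared_names(EVENTS))
```

The user-writable-path checks are what separate this from the sandbox's generic signatures: a Run key or firewall exception pointing into AppData\Local\Temp is rarely legitimate, whereas both mechanisms are common for installed software under Program Files.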
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
- F:\svchost.exe
  Filesize: 149KB
  MD5: 90607a7629033870512ce47aa2644430
  SHA1: 74a2b921aa81012febfe62ca170c2291098e6a4d
  SHA256: eebb78b35724ef9aec1c4c6c45cfcbc6005b9485e5698d58f8bf63d71f776d71
  SHA512: ee0b6347237e5caedb27c73fb8966d11d4a9b383b9c4fb30e724183a4f40cfe29ed7d3ab8c97bcff6e3f33e99cc6df036adb55e4a65b6da665429a32a9a62fc5
  (All four hashes match the submitted sample: this is a copy of the sample written to the root of the F: drive next to the F:\autorun.inf it created.)
- memory/448-0-0x00000000007E0000-0x000000000080E000-memory.dmp
  Filesize: 184KB
- memory/448-1-0x00000000753B0000-0x0000000075B60000-memory.dmp
  Filesize: 7.7MB
- memory/448-2-0x00000000051F0000-0x000000000528C000-memory.dmp
  Filesize: 624KB
- memory/448-3-0x0000000002C00000-0x0000000002C10000-memory.dmp
  Filesize: 64KB
- memory/448-4-0x0000000005890000-0x0000000005E34000-memory.dmp
  Filesize: 5.6MB
- memory/448-15-0x0000000005380000-0x0000000005390000-memory.dmp
  Filesize: 64KB
- memory/448-14-0x00000000056C0000-0x0000000005752000-memory.dmp
  Filesize: 584KB
- memory/448-16-0x0000000005660000-0x000000000566A000-memory.dmp
  Filesize: 40KB
- memory/448-17-0x00000000753B0000-0x0000000075B60000-memory.dmp
  Filesize: 7.7MB
- memory/448-18-0x0000000005380000-0x0000000005390000-memory.dmp
  Filesize: 64KB