Analysis
- max time kernel: 300s
- max time network: 297s
- platform: windows10-1703_x64
- resource: win10-20240214-en
- resource tags: arch:x64, arch:x86, image:win10-20240214-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 15-02-2024 13:13
Behavioral tasks
- behavioral1: Sample Client.exe, Resource win7-20231129-en
- behavioral2: Sample Client.exe, Resource win10-20240214-en
- behavioral3: Sample Client.exe, Resource win10v2004-20231215-en
- behavioral4: Sample Client.exe, Resource win11-20240214-en
General
- Target: Client.exe
- Size: 31KB
- MD5: ae6157924ef21b5c57f904a2fa44eed9
- SHA1: 58c369ec7399bb91e9253efed30e722fdd287a1e
- SHA256: 3792524100bb9e7468dad52bbdd3a84175effa0cceb78dea77cefe46ffc2e4b2
- SHA512: c62d889bd493709e3419af1813a7befa895f721acdde9af733209bfb803f30a57c02102ad02ea186dafab6b609c5ffa86fe1542841bc45df1bd55aa7690f8331
- SSDEEP: 768:MC9K6MpN/BizxNOZBs9RSLJFTvTJQmIDUu0tiBhj:D7gUczJtQVk+j
Malware Config
Extracted
- family: njrat
- version: 0.7d
- Update
- c2: llllllllllllllllllllllllllll.site:2222
- b776413e4d59521efc868682834c8333
- reg_key: b776413e4d59521efc868682834c8333
- splitter: Y262SUCZ4UJJ
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes (pid / process):
    1228 netsh.exe
- Drops startup file (2 IoCs)
  Processes (description / ioc / process):
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b776413e4d59521efc868682834c8333.exe (Update.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b776413e4d59521efc868682834c8333.exe (Update.exe)
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    1796 Update.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b776413e4d59521efc868682834c8333 = "\"C:\\ProgramData\\Update.exe\" .." (Update.exe)
    Set value (str): \REGISTRY\USER\S-1-5-21-2694788800-2737334826-1937309534-1000\Software\Microsoft\Windows\CurrentVersion\Run\b776413e4d59521efc868682834c8333 = "\"C:\\ProgramData\\Update.exe\" .." (Update.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / process):
    2268 Client.exe (repeated, 64 occurrences)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege 2268 Client.exe
    Token: SeDebugPrivilege 1796 Update.exe
    Token: 33 1796 Update.exe
    Token: SeIncBasePriorityPrivilege 1796 Update.exe
    (the last two entries alternate repeatedly for 1796 Update.exe; 64 IoCs in total)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
    PID 2268 wrote to memory of 1796: Client.exe -> Update.exe (3 occurrences)
    PID 1796 wrote to memory of 1228: Update.exe -> netsh.exe (3 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\Client.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\Update.exe (child of 1)
      command line: "C:\ProgramData\Update.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (child of 2)
         command line: netsh firewall add allowedprogram "C:\ProgramData\Update.exe" "Update.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v13)
- Persistence
  - Create or Modify System Process (1): Windows Service (1)
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Privilege Escalation
  - Create or Modify System Process (1): Windows Service (1)
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
- C:\ProgramData\Update.exe
  Filesize: 31KB
  MD5: ae6157924ef21b5c57f904a2fa44eed9
  SHA1: 58c369ec7399bb91e9253efed30e722fdd287a1e
  SHA256: 3792524100bb9e7468dad52bbdd3a84175effa0cceb78dea77cefe46ffc2e4b2
  SHA512: c62d889bd493709e3419af1813a7befa895f721acdde9af733209bfb803f30a57c02102ad02ea186dafab6b609c5ffa86fe1542841bc45df1bd55aa7690f8331
- memory/1796-10-0x0000000073C20000-0x00000000741D0000-memory.dmp
  Filesize: 5.7MB
- memory/1796-11-0x00000000028B0000-0x00000000028C0000-memory.dmp
  Filesize: 64KB
- memory/1796-12-0x0000000073C20000-0x00000000741D0000-memory.dmp
  Filesize: 5.7MB
- memory/1796-14-0x0000000073C20000-0x00000000741D0000-memory.dmp
  Filesize: 5.7MB
- memory/1796-15-0x00000000028B0000-0x00000000028C0000-memory.dmp
  Filesize: 64KB
- memory/1796-16-0x0000000073C20000-0x00000000741D0000-memory.dmp
  Filesize: 5.7MB
- memory/2268-0-0x0000000073C20000-0x00000000741D0000-memory.dmp
  Filesize: 5.7MB
- memory/2268-1-0x00000000027F0000-0x0000000002800000-memory.dmp
  Filesize: 64KB
- memory/2268-2-0x0000000073C20000-0x00000000741D0000-memory.dmp
  Filesize: 5.7MB
- memory/2268-9-0x0000000073C20000-0x00000000741D0000-memory.dmp
  Filesize: 5.7MB