Analysis
max time kernel: 1807s
max time network: 1819s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 24-02-2024 03:23
Static task: static1
Behavioral task behavioral1: Sample New Client.exe, Resource win7-20240221-en
Behavioral task behavioral2: Sample New Client.exe, Resource win10-20240221-en
Behavioral task behavioral3: Sample New Client.exe, Resource win10v2004-20240221-en
Behavioral task behavioral4: Sample New Client.exe, Resource win11-20240221-en
General
Target: New Client.exe
Size: 188KB
MD5: b848808a7c3f542eaf9718c0c8e0159f
SHA1: c8fc1af2a0e6df1be9426b5f2e636b7f2b1aa302
SHA256: 13fde5c8aeb2fe2335dcb803a1a31a404e2f65e990d2a728a0df681ef832b616
SHA512: 0eb66a47448b588cdbd4b1b1d426c70b10fd073f2612a1f45e3abbec7b61f35735ff2a8cfeb1eb3f5390f89cc3abd88522a1c7ff20ddc8857242e8ce7335ac2d
SSDEEP: 3072:p2B+64kQ2EJam2dNREz9Vnc4OZMJwGu3U4QyZom8exsrPR5TE7D0XuDTTo6M//lz:p2B+64kQ2EJam2dNREz9FdOZMJwGuE42
Malware Config
Extracted (1): njrat
- Platinum
- AntiVirus
- 127.0.0.1:38277
- Client.exe
- reg_key: Client.exe
- splitter: |Ghost|
Extracted (2): njrat
- Platinum
- HacKed
- 127.0.0.1:15217
- Client.exe
- reg_key: Client.exe
- splitter: |Ghost|
Signatures
- Drops startup file (3 IoCs)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url (process: New Client.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe (process: New Client.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe (process: New Client.exe)
- Executes dropped EXE (2 IoCs)
  - PID 1620: d9e81b8cdbbb431fb34455d7c346bbb7.exe
  - PID 2504: 698415d7cec947128a715922130fd22d.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\New Client.exe\" .." (process: New Client.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\New Client.exe\" .." (process: New Client.exe)
- Drops file in System32 directory (1 IoC)
  - File created: C:\windows\system32\annrns.exe (process: New Client.exe)
- Enumerates physical storage devices (1 TTP)
  - Attempts to interact with connected storage/optical drive(s).
- Kills process with taskkill (7 IoCs)
  - PID 2960 TASKKILL.exe; PID 3056 TASKKILL.exe; PID 3052 TASKKILL.exe; PID 2532 TASKKILL.exe; PID 2756 TASKKILL.exe; PID 2712 taskkill.exe; PID 1072 TASKKILL.exe
- Suspicious behavior: EnumeratesProcesses (21 IoCs)
  - PID 3008 New Client.exe (5 entries); PID 2504 698415d7cec947128a715922130fd22d.exe (11 entries); PID 1620 d9e81b8cdbbb431fb34455d7c346bbb7.exe (5 entries)
- Suspicious behavior: RenamesItself (1 IoC)
  - PID 2504 698415d7cec947128a715922130fd22d.exe
- Suspicious use of AdjustPrivilegeToken (29 IoCs)
  - Token SeDebugPrivilege (9 entries): PID 3008 New Client.exe; PID 2756 TASKKILL.exe; PID 2532 TASKKILL.exe; PID 2504 698415d7cec947128a715922130fd22d.exe; PID 1620 d9e81b8cdbbb431fb34455d7c346bbb7.exe; PID 3056 TASKKILL.exe; PID 3052 TASKKILL.exe; PID 2960 TASKKILL.exe; PID 1072 TASKKILL.exe
  - Token 33 followed by Token SeIncBasePriorityPrivilege (10 pairs, 20 entries): PID 3008 New Client.exe
- Suspicious use of WriteProcessMemory (36 IoCs)
  - PID 3008 New Client.exe wrote to memory of PID 2532 (procid_target 29): 3 entries
  - PID 3008 New Client.exe wrote to memory of PID 2756 (procid_target 32): 3 entries
  - PID 3008 New Client.exe wrote to memory of PID 2712 (procid_target 34): 3 entries
  - PID 3008 New Client.exe wrote to memory of PID 1620 (procid_target 36): 4 entries
  - PID 3008 New Client.exe wrote to memory of PID 2504 (procid_target 37): 4 entries
  - PID 2504 698415d7cec947128a715922130fd22d.exe wrote to memory of PID 1072 (procid_target 38): 4 entries
  - PID 1620 d9e81b8cdbbb431fb34455d7c346bbb7.exe wrote to memory of PID 2960 (procid_target 39): 4 entries
  - PID 2504 698415d7cec947128a715922130fd22d.exe wrote to memory of PID 3052 (procid_target 41): 4 entries
  - PID 1620 d9e81b8cdbbb431fb34455d7c346bbb7.exe wrote to memory of PID 3056 (procid_target 40): 4 entries
  - PID 3008 New Client.exe wrote to memory of PID 2900 (procid_target 46): 3 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\New Client.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
  Depth 1, PID 3008
  Signatures: Drops startup file; Adds Run key to start application; Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\TASKKILL.exe
    Command line: TASKKILL /F /IM wscript.exe
    Depth 2, PID 2532
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\TASKKILL.exe
    Command line: TASKKILL /F /IM cmd.exe
    Depth 2, PID 2756
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\taskkill.exe
    Command line: taskkill /f im explorer.exe
    Depth 2, PID 2712
    Signatures: Kills process with taskkill
  - C:\Users\Admin\AppData\Local\Temp\d9e81b8cdbbb431fb34455d7c346bbb7.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d9e81b8cdbbb431fb34455d7c346bbb7.exe"
    Depth 2, PID 1620
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\TASKKILL.exe
      Command line: TASKKILL /F /IM wscript.exe
      Depth 3, PID 2960
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\TASKKILL.exe
      Command line: TASKKILL /F /IM cmd.exe
      Depth 3, PID 3056
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\698415d7cec947128a715922130fd22d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\698415d7cec947128a715922130fd22d.exe"
    Depth 2, PID 2504
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: RenamesItself; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\TASKKILL.exe
      Command line: TASKKILL /F /IM wscript.exe
      Depth 3, PID 1072
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\TASKKILL.exe
      Command line: TASKKILL /F /IM cmd.exe
      Depth 3, PID 3052
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    Command line: dw20.exe -x -s 1200
    Depth 2, PID 2900
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 65KB
  MD5: a85056ecfbf94af8efaa2e9dcec8ebb1
  SHA1: f081275fbbdddad10689e185a750e1fd1ca0d0e5
  SHA256: e00d04dcc4489101599f86df3956673c2ebcb8adbf05fb603266b91e9336b955
  SHA512: c510e21e4d5b2b8fb2e7e902f74a6befbe20896490e607d640a2611020f20cede1d154e894fde5be8a6a2e564d2d7eb6d741d9b3ef21cdbefc5abdbc6a056fa9