Analysis
- max time kernel: 1800s
- max time network: 1809s
- platform: windows10-1703_x64
- resource: win10-20240221-en
- resource tags: arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 24-02-2024 03:23
Static task: static1
Behavioral tasks (all run the same sample, New Client.exe):
- behavioral1: win7-20240221-en
- behavioral2: win10-20240221-en
- behavioral3: win10v2004-20240221-en
- behavioral4: win11-20240221-en
The results below are from behavioral2 (win10-20240221-en), matching the resource named in the Analysis header and the behavioral2/ path in the YARA hit under Signatures.
General
- Target: New Client.exe
- Size: 188KB
- MD5: b848808a7c3f542eaf9718c0c8e0159f
- SHA1: c8fc1af2a0e6df1be9426b5f2e636b7f2b1aa302
- SHA256: 13fde5c8aeb2fe2335dcb803a1a31a404e2f65e990d2a728a0df681ef832b616
- SHA512: 0eb66a47448b588cdbd4b1b1d426c70b10fd073f2612a1f45e3abbec7b61f35735ff2a8cfeb1eb3f5390f89cc3abd88522a1c7ff20ddc8857242e8ce7335ac2d
- SSDEEP: 3072:p2B+64kQ2EJam2dNREz9Vnc4OZMJwGu3U4QyZom8exsrPR5TE7D0XuDTTo6M//lz:p2B+64kQ2EJam2dNREz9FdOZMJwGuE42
Malware Config
Extracted (njrat configuration)
- Family: njrat
- Version string: Platinum
- Campaign (botnet) ID: AntiVirus
- C2: 127.0.0.1:38277
- Install name: Client.exe
- reg_key: Client.exe
- splitter: |Ghost|
The configured C2 is the loopback address, so this build cannot reach an external controller from the sandbox; the persistence and dropper behaviour recorded below runs regardless. The splitter is the delimiter njRAT places between fields of its C2 messages; this build uses |Ghost| in place of the stock |'|'| string, so detection content keyed on the default delimiter will not match its traffic.
Signatures

Drops startup file (3 IoCs)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe (New Client.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url (New Client.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe (New Client.exe)

Executes dropped EXE (2 IoCs)
- PID 2828: 157fa94688624d349c00db3c51c8581a.exe
- PID 4200: 6a34055d7546487c979a4f66440271b7.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\New Client.exe\" .." (New Client.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\New Client.exe\" .." (New Client.exe)
Both the per-user (HKCU) and machine-wide (HKLM) Run keys are written. The value points at the sample's own path in %TEMP% and carries njRAT's characteristic trailing " .." after the quoted image path; that suffix is a reliable hunting pivot across Run-key telemetry.

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- 157fa94688624d349c00db3c51c8581a.exe opened (read-only) 23 drive roots: \??\a: \??\b: \??\e: \??\g: \??\h: \??\i: \??\j: \??\k: \??\l: \??\m: \??\n: \??\o: \??\p: \??\q: \??\r: \??\s: \??\t: \??\u: \??\v: \??\w: \??\x: \??\y: \??\z:
- WScript.exe opened (read-only) 23 drive roots: \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Each process sweeps every letter except C, D and F; the lower-case sweep comes from the dropped PE, the upper-case one from the VBS run by WScript.exe.

AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
- resource behavioral2/files/0x001000000000ff67-24.dat matched yara_rule autoit_exe

Drops file in System32 directory (1 IoC)
- File created: C:\windows\system32\tjbbns.exe (New Client.exe)

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wl.jpg" (157fa94688624d349c00db3c51c8581a.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill (3 IoCs)
- PID 2180: TASKKILL.exe
- PID 2160: TASKKILL.exe
- PID 4900: taskkill.exe

Modifies Control Panel (1 IoC)
- Key created: \REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000\Control Panel\Desktop (157fa94688624d349c00db3c51c8581a.exe)

Modifies registry class (1 IoC)
- Key created: \REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000_Classes\Local Settings (6a34055d7546487c979a4f66440271b7.exe)

Suspicious behavior: EnumeratesProcesses (19 IoCs)
- All 19 events: PID 4404, New Client.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 4404: New Client.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Token SeDebugPrivilege: PID 4404, New Client.exe
- Token SeDebugPrivilege: PID 2160, TASKKILL.exe
- Token SeDebugPrivilege: PID 2180, TASKKILL.exe
- The remaining 61 events are PID 4404, New Client.exe, alternating between Token: 33 and Token: SeIncBasePriorityPrivilege

Suspicious use of WriteProcessMemory (15 IoCs)
- PID 4404 (New Client.exe) wrote to memory of 2180 (procid_target 74), 2 events
- PID 4404 (New Client.exe) wrote to memory of 2160 (procid_target 75), 2 events
- PID 4404 (New Client.exe) wrote to memory of 4900 (procid_target 79), 2 events
- PID 4404 (New Client.exe) wrote to memory of 2828 (procid_target 81), 3 events
- PID 4404 (New Client.exe) wrote to memory of 4200 (procid_target 83), 3 events
- PID 4200 (6a34055d7546487c979a4f66440271b7.exe) wrote to memory of 4560 (procid_target 84), 3 events
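The signatures above translate directly into host-telemetry rules. The following is an added example, not part of the sandbox report and not the sandbox vendor's code: a small Python detector that replays the persistence, taskkill and drive-sweep patterns over constructed Sysmon-style events modelled on this report's IoCs. The event schema (dicts with type/proc/pid/key/value/path/child/cmdline), the rule names, the trusted System32 writer list and the ten-letter drive-sweep threshold are assumptions; the paths, registry keys, PIDs and command lines are taken from the report. It also handles the report's malformed third taskkill (missing slash before im), which a strict /IM parser would miss.

```python
"""Detection rules replaying the persistence, process-kill and drive-sweep
behaviour recorded in this sandbox report.

Added example, not sandbox output: EVENTS is constructed from the report's
IoCs; the event schema, rule names, trusted-writer list and drive threshold
are assumptions."""
import re
from collections import defaultdict

USER_SID = "S-1-5-21-313240725-3527728709-4038673254-1000"  # SID seen in the report
TEMP_DIR = "C:\\Users\\Admin\\AppData\\Local\\Temp"
STARTUP_DIR = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
RUN_KEY_HKU = "\\REGISTRY\\USER\\" + USER_SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
RUN_KEY_HKLM = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"
NJRAT_VALUE = '"' + TEMP_DIR + '\\New Client.exe" ..'  # note njRAT's trailing " .." marker

# Constructed telemetry (Sysmon-style dicts), including two benign negative cases.
EVENTS = [
    {"type": "reg_set", "proc": "New Client.exe", "pid": 4404, "key": RUN_KEY_HKU + "Client.exe", "value": NJRAT_VALUE},
    {"type": "reg_set", "proc": "New Client.exe", "pid": 4404, "key": RUN_KEY_HKLM + "Client.exe", "value": NJRAT_VALUE},
    {"type": "reg_set", "proc": "OneDrive.exe", "pid": 3000, "key": RUN_KEY_HKU + "OneDrive",  # constructed benign autorun
     "value": '"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'},
    {"type": "file_create", "proc": "New Client.exe", "pid": 4404, "path": STARTUP_DIR + "\\Client.exe"},
    {"type": "file_create", "proc": "New Client.exe", "pid": 4404, "path": STARTUP_DIR + "\\Client.url"},
    {"type": "file_create", "proc": "New Client.exe", "pid": 4404, "path": "C:\\windows\\system32\\tjbbns.exe"},
    {"type": "proc_create", "proc": "New Client.exe", "pid": 4404, "child": "TASKKILL.exe", "cmdline": "TASKKILL /F /IM wscript.exe"},
    {"type": "proc_create", "proc": "New Client.exe", "pid": 4404, "child": "TASKKILL.exe", "cmdline": "TASKKILL /F /IM cmd.exe"},
    # the report's third invocation lacks the slash before "im"; a strict /IM parser would miss it
    {"type": "proc_create", "proc": "New Client.exe", "pid": 4404, "child": "taskkill.exe", "cmdline": "taskkill /f im explorer.exe"},
    {"type": "file_open", "proc": "explorer.exe", "pid": 1234, "path": "\\??\\D:"},  # constructed benign single open
]
# Drive sweep: the dropped PE opened a: .. z: minus c, d, f; the VBS host did the same in upper case.
for letter in "abeghijklmnopqrstuvwxyz":
    EVENTS.append({"type": "file_open", "proc": "157fa94688624d349c00db3c51c8581a.exe", "pid": 2828, "path": "\\??\\" + letter + ":"})
    EVENTS.append({"type": "file_open", "proc": "WScript.exe", "pid": 4560, "path": "\\??\\" + letter.upper() + ":"})

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
DRIVE_RE = re.compile(r"^\\\?\?\\([A-Za-z]):$")
TRUSTED_SYSTEM32_WRITERS = {"tiworker.exe", "trustedinstaller.exe", "msiexec.exe"}  # assumption
KILL_TARGETS = {"explorer.exe", "wscript.exe", "cmd.exe"}
DRIVE_SWEEP_THRESHOLD = 10  # distinct drive roots per process; assumption


def njrat_autorun(e):
    """Run-key value pointing into a Temp directory and ending in njRAT's ' ..' marker."""
    if e["type"] != "reg_set" or not RUN_KEY_RE.search(e["key"]):
        return None
    value = e["value"].strip()
    if not value.endswith(" .."):
        return None
    exe = value[:-3].strip().strip('"')
    return ("njrat_run_key", e["proc"], exe) if "\\appdata\\local\\temp\\" in exe.lower() else None


def startup_drop(e):
    """Executable or shortcut written into the per-user Startup folder."""
    if e["type"] == "file_create" and "\\start menu\\programs\\startup\\" in e["path"].lower():
        return ("startup_folder_drop", e["proc"], e["path"])
    return None


def system32_drop(e):
    """File created under System32 by a process that is not a known installer component."""
    if (e["type"] == "file_create" and e["path"].lower().startswith("c:\\windows\\system32\\")
            and e["proc"].lower() not in TRUSTED_SYSTEM32_WRITERS):
        return ("system32_drop", e["proc"], e["path"])
    return None


def taskkill_chain(e):
    """taskkill spawned with /f against a shell or script host; keys on image, flag and target name, not on /IM."""
    if e["type"] != "proc_create" or e["child"].lower() != "taskkill.exe":
        return None
    tokens = e["cmdline"].lower().split()
    if "/f" in tokens and KILL_TARGETS & set(tokens):
        return ("taskkill_chain", e["proc"], e["cmdline"])
    return None


def drive_sweeps(events, threshold=DRIVE_SWEEP_THRESHOLD):
    """Processes that opened at least `threshold` distinct drive roots of the form \\??\\X:."""
    letters = defaultdict(set)
    for e in events:
        if e["type"] == "file_open":
            m = DRIVE_RE.match(e["path"])
            if m:
                letters[(e["proc"], e["pid"])].add(m.group(1).lower())
    return [("drive_sweep", proc, "pid %d opened %d drive roots" % (pid, len(s)))
            for (proc, pid), s in letters.items() if len(s) >= threshold]


def run_rules(events):
    """Apply the per-event rules, then the aggregate drive-sweep rule."""
    findings = []
    for e in events:
        for rule in (njrat_autorun, startup_drop, system32_drop, taskkill_chain):
            hit = rule(e)
            if hit:
                findings.append(hit)
    findings.extend(drive_sweeps(events))
    return findings


def count_by_rule(findings):
    counts = defaultdict(int)
    for rule, _, _ in findings:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in run_rules(EVENTS):
        print(finding)
```

Against the constructed events this yields two njrat_run_key hits (HKCU and HKLM), two startup_folder_drop hits, one system32_drop, three taskkill_chain hits and two drive_sweep hits, with neither benign event flagged. The drive-sweep rule aggregates per process rather than alerting per open, which is what keeps a single D: access by explorer.exe out of the results.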
Processes
- C:\Users\Admin\AppData\Local\Temp\New Client.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
  PID: 4404
  - Drops startup file
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SYSTEM32\TASKKILL.exe
    Command line: TASKKILL /F /IM wscript.exe
    PID: 2180
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\TASKKILL.exe
    Command line: TASKKILL /F /IM cmd.exe
    PID: 2160
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SYSTEM32\taskkill.exe
    Command line: taskkill /f im explorer.exe (as recorded; the slash before im is missing)
    PID: 4900
    - Kills process with taskkill
  - C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\157fa94688624d349c00db3c51c8581a.exe"
    PID: 2828
    - Executes dropped EXE
    - Enumerates connected drives
    - Sets desktop wallpaper using registry
    - Modifies Control Panel
  - C:\Users\Admin\AppData\Local\Temp\6a34055d7546487c979a4f66440271b7.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6a34055d7546487c979a4f66440271b7.exe"
    PID: 4200
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\loll.VBS"
      PID: 4560
      - Enumerates connected drives
      The System32 path in the command line resolves to SysWOW64 because the 32-bit parent is subject to file-system redirection; RarSFX0 is the extraction directory a WinRAR self-extracting archive creates, so 6a34055d7546487c979a4f66440271b7.exe is an SFX carrying loll.VBS.
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x248
  PID: 824
  Top-level system process, not a child of the sample; no signatures.
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 9KB
  MD5: 7050d5ae8acfbe560fa11073fef8185d
  SHA1: 5bc38e77ff06785fe0aec5a345c4ccd15752560e
  SHA256: cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
  SHA512: a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
- Filesize: 793KB
  MD5: a83185ef7c03bfe0e0fbe10098876a34
  SHA1: b166fed95e9bcc9f8b0ac4deafa9c45c21e91d0d
  SHA256: 7a923db27ae488a02e77242b1bbceb9a64898b9c2d085372a5ef5fca06b2a4be
  SHA512: 283e698b326d044480c49351531249ab9ed3a851c1d2c4a36c87fc5ecbaf2771af58f39cc0fc1551d08a4674ad766a3d4b96b6ee6ca1e6e967727f320f599f4c
- Filesize: 396KB
  MD5: a703c3b8a39537ce9be339bbc7339a45
  SHA1: 10354130b42e12c39eb6f3ce95b8368f581ef71b
  SHA256: fce41ec4380d80f04eea4f2bb4ed9734c0ed31fb85c8897c0e299fbc0de41f60
  SHA512: f73d2daaf572028655e4168834af7fb5477af4748f99845db314c57ab3a08c16d64bd2c5489f5c84ac3b0dcd16ec414284b5994091c3e44929fc7e923d26cb07
- Filesize: 168B
  MD5: 2b56784f8f16a689b305a1c768f28689
  SHA1: e81ce025337ff3ebfc8bc48d43d360345a18688f
  SHA256: dcd7fe09e32ec3a9fd356f12ded8e3f2ae520a99c8dc996b48dc98a39d68a077
  SHA512: d0134e11bea5809b966cae3cc60828e557d6acddab890e56c0e22bed7c4facda582f77dd00a7ccb6da66200cc610ba9bd4423dcf33075f3b2b18434f219bbd68
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\prj_13626871_c66985d209c8197ecce4f5ce7899b49d_1656581581.mp3
  Filesize: 83KB
  MD5: 4843241a72238329e13f2497733fd70c
  SHA1: c6b6fcc361bbcf17e9d05868deec5700b9e1d048
  SHA256: 3c6de7e0e9b3781a9bbf710553efaacbd61afd486034a1a633e571fdb02f4348
  SHA512: f302d7b69c6a9eced6770ca2e6da3119c3bdf9c2a6a90657814cf0b5ddc52f3c336a4c5e45152443bb6d6f3fa777e3d99c82a3c090c6fa5b4b377f5aa0e1ba20
- Filesize: 138KB
  MD5: 7c30424c525cb64760083e066ca1f77d
  SHA1: 69c369028e3db4fe5c2fbc69cbd837d66496c480
  SHA256: b75685e5fe51601632066ae2cb162738b340c9873f3b30cd4eb0b6f80cc27643
  SHA512: 59d726222ffc846ada2e7c6d040e0f0114e2cb92e72f81f23489aa6681b07a1c8cfceb7e81f9b7d7678d33b313302d9cf39c345d862e43f2768e145df14ef8df