Analysis
max time kernel: 59s
max time network: 92s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-02-2024 03:23
Static task: static1
Behavioral task: behavioral1
  Sample: New Client.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: New Client.exe
  Resource: win10-20240221-en
Behavioral task: behavioral3
  Sample: New Client.exe
  Resource: win10v2004-20240221-en
Behavioral task: behavioral4
  Sample: New Client.exe
  Resource: win11-20240221-en
General
Target: New Client.exe
Size: 188KB
MD5: b848808a7c3f542eaf9718c0c8e0159f
SHA1: c8fc1af2a0e6df1be9426b5f2e636b7f2b1aa302
SHA256: 13fde5c8aeb2fe2335dcb803a1a31a404e2f65e990d2a728a0df681ef832b616
SHA512: 0eb66a47448b588cdbd4b1b1d426c70b10fd073f2612a1f45e3abbec7b61f35735ff2a8cfeb1eb3f5390f89cc3abd88522a1c7ff20ddc8857242e8ce7335ac2d
SSDEEP: 3072:p2B+64kQ2EJam2dNREz9Vnc4OZMJwGu3U4QyZom8exsrPR5TE7D0XuDTTo6M//lz:p2B+64kQ2EJam2dNREz9FdOZMJwGuE42
Malware Config
Extracted
njrat
Platinum
AntiVirus
127.0.0.1:38277
Client.exe
reg_key: Client.exe
splitter: |Ghost|
Signatures
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\Control Panel\International\Geo\Nation | New Client.exe
Drops startup file (3 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | New Client.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe | New Client.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.url | New Client.exe
Executes dropped EXE (1 IoCs)
  pid | Process
  1620 | 2f0a0f36e26b4a1fac1b7b824fa348eb.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-910440534-423636034-2318342392-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\New Client.exe\" .." | New Client.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\New Client.exe\" .." | New Client.exe
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  description | ioc | Process
  File opened for modification | \??\PhysicalDrive0 | 2f0a0f36e26b4a1fac1b7b824fa348eb.exe
Drops file in System32 directory (1 IoCs)
  description | ioc | Process
  File created | C:\windows\system32\ohseqk.exe | New Client.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Kills process with taskkill (3 IoCs)
  pid | Process
  388 | TASKKILL.exe
  1076 | TASKKILL.exe
  4372 | taskkill.exe
Suspicious behavior: EnumeratesProcesses (29 IoCs)
  pid | Process
  2384 | New Client.exe (29 identical entries)
Suspicious use of AdjustPrivilegeToken (16 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2384 | New Client.exe
  Token: SeDebugPrivilege | 1076 | TASKKILL.exe
  Token: SeDebugPrivilege | 388 | TASKKILL.exe
  Token: 33 | 2384 | New Client.exe (6 entries, alternating with the next row)
  Token: SeIncBasePriorityPrivilege | 2384 | New Client.exe (6 entries)
  Token: SeShutdownPrivilege | 1620 | 2f0a0f36e26b4a1fac1b7b824fa348eb.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 2384 wrote to memory of 388 | 2384 | New Client.exe | 85 (2 entries)
  PID 2384 wrote to memory of 1076 | 2384 | New Client.exe | 88 (2 entries)
  PID 2384 wrote to memory of 4372 | 2384 | New Client.exe | 92 (2 entries)
  PID 2384 wrote to memory of 1620 | 2384 | New Client.exe | 96 (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\New Client.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
  PID: 2384
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
    C:\Windows\SYSTEM32\TASKKILL.exe
      Command line: TASKKILL /F /IM wscript.exe
      PID: 388
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SYSTEM32\TASKKILL.exe
      Command line: TASKKILL /F /IM cmd.exe
      PID: 1076
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SYSTEM32\taskkill.exe
      Command line: taskkill /f im explorer.exe
      PID: 4372
      - Kills process with taskkill
    C:\Users\Admin\AppData\Local\Temp\2f0a0f36e26b4a1fac1b7b824fa348eb.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\2f0a0f36e26b4a1fac1b7b824fa348eb.exe"
      PID: 1620
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 225KB
MD5: af2379cc4d607a45ac44d62135fb7015
SHA1: 39b6d40906c7f7f080e6befa93324dddadcbd9fa
SHA256: 26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739
SHA512: 69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99