Analysis

max time kernel: 148s
max time network: 153s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 24-02-2024 04:27
Behavioral task: behavioral1
Sample: jjj.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: jjj.exe
Resource: win10v2004-20240221-en
General

Target: jjj.exe
Size: 37KB
MD5: 1b6f416c01dab81fc69ba006b4cfd768
SHA1: ce5f59bcd9ab11d17e5c6dcc5024722f5275328a
SHA256: 91f01488d2602ac9c3139c22fe0ff48212d8da63be4f9fa33f48ad9ac778a974
SHA512: 94c083810adc76efd0d8928a93622f2001961efcb0fb002f9dfe77aad9c07eefe4fab768be35f2a674c97c0008f5dc1e5f392c0ce4a1c2a3435ee7f07b8d3ea7
SSDEEP: 384:SsSKMizdTjnBhFbJ8ycPvZ3hdwKax0rAF+rMRTyN/0L+EcoinblneHQM3epzXGNl:lSgTlLJfcPvZP9aurM+rMRa8NuQ9t
Malware Config

Extracted
Family: njrat
Version: im523
Botnet: HacKed
C2: nature-dawn.gl.at.ply.gg:80
Mutex: 94d5d7ec08f7537bc3b2ffefec79a8b3
reg_key: 94d5d7ec08f7537bc3b2ffefec79a8b3
splitter: |'|'|
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid 1976  netsh.exe

Executes dropped EXE (1 IoC)
  pid 3068  ver.exe

Loads dropped DLL (1 IoC)
  pid 2172  jjj.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (35 IoCs)
  description                          pid   Process
  Token: SeDebugPrivilege              3068  ver.exe
  Token: 33                            3068  ver.exe   (repeated 17 times, alternating with the next entry)
  Token: SeIncBasePriorityPrivilege    3068  ver.exe   (repeated 17 times)

Suspicious use of WriteProcessMemory (8 IoCs)
  description                           pid   Process   procid_target
  PID 2172 wrote to memory of 3068      2172  jjj.exe   28   (4 entries)
  PID 3068 wrote to memory of 1976      3068  ver.exe   29   (4 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\jjj.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\jjj.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 2172

   2. C:\Users\Admin\AppData\Roaming\ver.exe
      Command line: "C:\Users\Admin\AppData\Roaming\ver.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 3068

      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\ver.exe" "ver.exe" ENABLE
         - Modifies Windows Firewall
         PID: 1976
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 37KB
MD5: 1b6f416c01dab81fc69ba006b4cfd768
SHA1: ce5f59bcd9ab11d17e5c6dcc5024722f5275328a
SHA256: 91f01488d2602ac9c3139c22fe0ff48212d8da63be4f9fa33f48ad9ac778a974
SHA512: 94c083810adc76efd0d8928a93622f2001961efcb0fb002f9dfe77aad9c07eefe4fab768be35f2a674c97c0008f5dc1e5f392c0ce4a1c2a3435ee7f07b8d3ea7