Analysis
- max time kernel: 149s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 24-02-2024 14:04
Static task: static1
Behavioral task: behavioral1
  - Sample: a208e9a7c0f0482b0aafaa70d06a53ed.exe
  - Resource: win7-20240221-en
Behavioral task: behavioral2
  - Sample: a208e9a7c0f0482b0aafaa70d06a53ed.exe
  - Resource: win10v2004-20240221-en
General
- Target: a208e9a7c0f0482b0aafaa70d06a53ed.exe
- Size: 597KB
- MD5: a208e9a7c0f0482b0aafaa70d06a53ed
- SHA1: 8b77c0ddfa1fe0cc04f42feca7f0d9680d6e2056
- SHA256: e5822b2ea957234e12bc50f2400d32af5c609b49b69e249cb469eb4721193b7c
- SHA512: 21a6cbe57a68eea16ba8bfa17ac27ae362d9b5eaee93a008688f778cea08daf536daeab9be2e365ce6fe7fc17d1fa9906ceda33ff71a686711043435f9a3dd3e
- SSDEEP: 6144:DjF/EARyvEs74fvGjuUNS7go9eXtYlUx8QPme1LIAJNf1+:DjF/EaFsvPSko9e9ra2ZfM
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: sniperghost.no-ip.biz:1177
- Mutex: 26460d60a3b5b91b213d3bf18b1a3c93
- Attributes:
  - reg_key: 26460d60a3b5b91b213d3bf18b1a3c93
  - splitter: |'|'|
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid   Process
  2692  netsh.exe
- Drops startup file (2 IoCs)
  description                    ioc                                                                                                       Process
  File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\26460d60a3b5b91b213d3bf18b1a3c93.exe  googleupdate.exe
  File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\26460d60a3b5b91b213d3bf18b1a3c93.exe  googleupdate.exe
- Executes dropped EXE (1 IoC)
  pid   Process
  2328  googleupdate.exe
- Loads dropped DLL (1 IoC)
  pid   Process
  1740  a208e9a7c0f0482b0aafaa70d06a53ed.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                           Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\26460d60a3b5b91b213d3bf18b1a3c93 = "\"C:\\Users\\Admin\\AppData\\Roaming\\googleupdate.exe\" .."  googleupdate.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\26460d60a3b5b91b213d3bf18b1a3c93 = "\"C:\\Users\\Admin\\AppData\\Roaming\\googleupdate.exe\" .."  googleupdate.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  description                              pid   Process
  Token: SeDebugPrivilege                  2328  googleupdate.exe
  Token: 33                                2328  googleupdate.exe
  Token: SeIncBasePriorityPrivilege        2328  googleupdate.exe
  (the last two entries repeat alternately for the remaining IoCs; all 33 entries are pid 2328 googleupdate.exe)
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                          pid   Process                                procid_target
  PID 1740 wrote to memory of 2328     1740  a208e9a7c0f0482b0aafaa70d06a53ed.exe   28   (7 entries)
  PID 2328 wrote to memory of 2692     2328  googleupdate.exe                       29   (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\a208e9a7c0f0482b0aafaa70d06a53ed.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a208e9a7c0f0482b0aafaa70d06a53ed.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   PID: 1740
   2. C:\Users\Admin\AppData\Roaming\googleupdate.exe
      Command line: "C:\Users\Admin\AppData\Roaming\googleupdate.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2328
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\googleupdate.exe" "googleupdate.exe" ENABLE
         - Modifies Windows Firewall
         PID: 2692
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
- Filesize: 597KB
  MD5: a208e9a7c0f0482b0aafaa70d06a53ed
  SHA1: 8b77c0ddfa1fe0cc04f42feca7f0d9680d6e2056
  SHA256: e5822b2ea957234e12bc50f2400d32af5c609b49b69e249cb469eb4721193b7c
  SHA512: 21a6cbe57a68eea16ba8bfa17ac27ae362d9b5eaee93a008688f778cea08daf536daeab9be2e365ce6fe7fc17d1fa9906ceda33ff71a686711043435f9a3dd3e