Analysis

max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-02-2024 14:04

Static task: static1
Behavioral task: behavioral1
  Sample: a208e9a7c0f0482b0aafaa70d06a53ed.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: a208e9a7c0f0482b0aafaa70d06a53ed.exe
  Resource: win10v2004-20240221-en
General

Target: a208e9a7c0f0482b0aafaa70d06a53ed.exe
Size: 597KB
MD5: a208e9a7c0f0482b0aafaa70d06a53ed
SHA1: 8b77c0ddfa1fe0cc04f42feca7f0d9680d6e2056
SHA256: e5822b2ea957234e12bc50f2400d32af5c609b49b69e249cb469eb4721193b7c
SHA512: 21a6cbe57a68eea16ba8bfa17ac27ae362d9b5eaee93a008688f778cea08daf536daeab9be2e365ce6fe7fc17d1fa9906ceda33ff71a686711043435f9a3dd3e
SSDEEP: 6144:DjF/EARyvEs74fvGjuUNS7go9eXtYlUx8QPme1LIAJNf1+:DjF/EaFsvPSko9e9ra2ZfM
Malware Config

Extracted
Family: njrat
Version: 0.7d
Botnet (campaign ID): HacKed
C2: sniperghost.no-ip.biz:1177
Mutex: 26460d60a3b5b91b213d3bf18b1a3c93
reg_key: 26460d60a3b5b91b213d3bf18b1a3c93
splitter: |'|'|

The mutex and reg_key are the same 32-hex-character string; it reappears below as the Run value name and as the file name dropped into the Startup folder, so any one of the three is a usable pivot for the others. "HacKed" is the default campaign name shipped with the njRAT builder, and the C2 is a dynamic-DNS hostname, so expect the resolved address to change over time.
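The splitter and C2 values in the extracted config describe how this sample frames its traffic. The following is an added example, not code from the sandbox report or from the njRAT project, that builds and decodes frames in that layout: an ASCII decimal payload length, a NUL byte, then the payload with fields joined by the splitter. The frame layout, the "<botnet>_<hwid>" victim-ID form and the command names and field order of the constructed registration message are assumptions based on the commonly documented njRAT 0.7d protocol; the sample bytes are constructed here and are not captured traffic from this analysis.

```python
# Added example (not part of the sandbox report): encode/decode njRAT-style
# C2 frames using the splitter from the extracted config.
# Assumed frame layout: b"<decimal payload length>\x00<payload>", with payload
# fields joined by SPLITTER. Command names / field order below are illustrative.
import base64

SPLITTER = "|'|'|"                                   # from the extracted config
C2_HOST, C2_PORT = "sniperghost.no-ip.biz", 1177     # from the extracted config
BOTNET = "HacKed"                                    # from the extracted config
VICTIM_ID = "HacKed_26460d60a3b5b91b213d3bf18b1a3c93"  # assumed <botnet>_<hwid> form


def build_frame(*fields: str, splitter: str = SPLITTER) -> bytes:
    """Frame one message: length prefix is the byte length of the payload."""
    payload = splitter.join(fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_frames(stream: bytes, splitter: str = SPLITTER):
    """Return (frames, remainder). Each frame is (command, [fields...]).
    A truncated trailing frame is left in `remainder` rather than raising,
    so the caller can feed more bytes; a non-numeric length prefix raises."""
    frames = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break                                   # length prefix incomplete
        length_str = stream[pos:nul]
        if not length_str.isdigit():
            raise ValueError(f"bad length prefix at offset {pos}: {length_str!r}")
        start = nul + 1
        end = start + int(length_str)
        if end > len(stream):
            break                                   # partial payload, wait for more
        parts = stream[start:end].decode("utf-8", errors="replace").split(splitter)
        frames.append((parts[0], parts[1:]))
        pos = end
    return frames, stream[pos:]


def decode_b64_field(field: str) -> str:
    """njRAT base64-encodes some string fields (e.g. hostname); decode one."""
    return base64.b64decode(field).decode("utf-8", errors="replace")


def find_victim_ids(frames, botnet: str = BOTNET):
    """Fields shaped like '<botnet>_<hwid>', in order of first appearance."""
    out = []
    for _cmd, fields in frames:
        for f in fields:
            if f.startswith(botnet + "_") and f not in out:
                out.append(f)
    return out


# Constructed sample stream: a registration-style frame, a short second frame,
# and a deliberately truncated tail (declared length 12, only 5 bytes present).
SAMPLE_STREAM = (
    build_frame("ll", VICTIM_ID, base64.b64encode(b"DESKTOP-TEST").decode("ascii"),
                "Admin", "24-02-24", "", "Win 10 Pro SP0 x64", "No", "0.7d")
    + build_frame("inf", VICTIM_ID)
    + b"12\x00trunc"
)

if __name__ == "__main__":
    frames, rest = parse_frames(SAMPLE_STREAM)
    for cmd, fields in frames:
        print(cmd, fields)
    print("victim ids:", find_victim_ids(frames), "| unparsed tail:", rest)
```

Because the length prefix counts bytes, not characters, the parser works on the raw socket bytes and only decodes after slicing; decoding first would break frames containing multi-byte characters. The same splitter-based split is what makes a simple content signature on the literal string `|'|'|` effective in network detection for this family.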
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
  PID 3940  netsh.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Key value queried: \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\International\Geo\Nation  (a208e9a7c0f0482b0aafaa70d06a53ed.exe)

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\26460d60a3b5b91b213d3bf18b1a3c93.exe  (googleupdate.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\26460d60a3b5b91b213d3bf18b1a3c93.exe  (googleupdate.exe)

Executes dropped EXE (1 IoC)
  PID 1652  googleupdate.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\26460d60a3b5b91b213d3bf18b1a3c93 = "\"C:\\Users\\Admin\\AppData\\Roaming\\googleupdate.exe\" .."  (googleupdate.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\26460d60a3b5b91b213d3bf18b1a3c93 = "\"C:\\Users\\Admin\\AppData\\Roaming\\googleupdate.exe\" .."  (googleupdate.exe)
  Note: the value name matches the config's reg_key/mutex and the Startup-folder file name, and the value data carries njRAT's characteristic trailing " .." argument. The HKLM write lands under WOW6432Node because the 32-bit process is redirected by the registry redirector.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (33 IoCs)
  PID 1652 googleupdate.exe: Token: SeDebugPrivilege (once), then Token: 33 and Token: SeIncBasePriorityPrivilege alternating, 16 times each. (Privilege LUID 33 is SeIncreaseWorkingSetPrivilege.)

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4788 (a208e9a7c0f0482b0aafaa70d06a53ed.exe) wrote to memory of PID 1652, procid_target 91  (3 events)
  PID 1652 (googleupdate.exe) wrote to memory of PID 3940, procid_target 92  (3 events)
  Both pairs match the parent/child relationships in the process tree below (4788 -> 1652 -> 3940), so these writes are consistent with ordinary child-process creation rather than injection into an unrelated process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\a208e9a7c0f0482b0aafaa70d06a53ed.exe  (PID 4788)
   Command line: "C:\Users\Admin\AppData\Local\Temp\a208e9a7c0f0482b0aafaa70d06a53ed.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\googleupdate.exe  (PID 1652, child of 4788)
      Command line: "C:\Users\Admin\AppData\Roaming\googleupdate.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe  (PID 3940, child of 1652)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\googleupdate.exe" "googleupdate.exe" ENABLE
         - Modifies Windows Firewall
         Note: "netsh firewall" is the legacy firewall context, deprecated since Windows 7 in favour of "netsh advfirewall firewall" but still accepted; it adds the dropped copy of the RAT to the firewall's allowed-programs list. netsh.exe being launched from SysWOW64 confirms the calling process is 32-bit.
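The process tree and the Signatures section together give the classic njRAT install chain: the dropped copy writes a Run value and a Startup-folder file, then spawns netsh to whitelist itself. The following is an added example, not code from the sandbox report, of host-based detection logic for that chain run over constructed Sysmon-style events. The event field names (EventType, Image, CommandLine, TargetObject, Details, TargetFilename, ProcessId, ParentProcessId) and the rule names are assumptions for the example; real telemetry needs a field-mapping step first. It goes slightly beyond the report by also matching the modern "netsh advfirewall firewall add rule ... action=allow" form.

```python
# Added example (not from the sandbox report): detect the persistence + firewall
# chain seen above and correlate hits by the responsible process.
# Event field names are assumed Sysmon-like; the events below are constructed.
import re
from collections import defaultdict

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)
# Legacy "netsh firewall" context (deprecated but still honoured) and the
# modern advfirewall equivalent with an explicit allow action.
NETSH_ALLOW_RE = re.compile(
    r"netsh(\.exe)?\s+(firewall\s+add\s+allowedprogram"
    r"|advfirewall\s+firewall\s+add\s+rule\b.*action=allow)", re.I)
# njRAT writes its Run value as:  "<path>" ..
NJRAT_RUN_VALUE_RE = re.compile(r'^"[^"]+"\s+\.\.$')


def match_event(ev):
    """Return (rule_name, detail) if one event matches a rule, else None."""
    kind = ev["EventType"]
    if kind == "RegistryValueSet" and RUN_KEY_RE.search(ev["TargetObject"]):
        data = ev.get("Details", "")
        rule = "run_key_persistence"
        if NJRAT_RUN_VALUE_RE.match(data) and USER_WRITABLE_RE.search(data):
            rule = "run_key_persistence_njrat_style"
        return rule, ev["TargetObject"]
    if kind == "FileCreate" and STARTUP_DIR_RE.search(ev["TargetFilename"]):
        return "startup_folder_drop", ev["TargetFilename"]
    if (kind == "ProcessCreate" and ev["Image"].lower().endswith("\\netsh.exe")
            and NETSH_ALLOW_RE.search(ev["CommandLine"])):
        return "netsh_firewall_allow", ev["CommandLine"]
    return None


def detect(events):
    """Run the rules and group hits by the process responsible.
    A netsh hit is attributed to netsh's parent, since that is the process
    that decided to open the firewall. Returns {pid: set(rule_names)}."""
    hits = defaultdict(set)
    for ev in events:
        m = match_event(ev)
        if m is None:
            continue
        rule, _detail = m
        pid = ev["ParentProcessId"] if rule == "netsh_firewall_allow" else ev["ProcessId"]
        hits[pid].add(rule)
    return dict(hits)


def njrat_like(hits):
    """PIDs that both persisted (Run key or Startup folder) and opened the firewall."""
    persist = {"run_key_persistence", "run_key_persistence_njrat_style", "startup_folder_drop"}
    return sorted(pid for pid, rules in hits.items()
                  if rules & persist and "netsh_firewall_allow" in rules)


# Constructed events mirroring the report's tree (4788 -> 1652 -> 3940), plus
# one benign Run-key write from an unrelated process as noise.
EVENTS = [
    {"EventType": "ProcessCreate", "ProcessId": 1652, "ParentProcessId": 4788,
     "Image": r"C:\Users\Admin\AppData\Roaming\googleupdate.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Roaming\googleupdate.exe"'},
    {"EventType": "FileCreate", "ProcessId": 1652,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\26460d60a3b5b91b213d3bf18b1a3c93.exe"},
    {"EventType": "RegistryValueSet", "ProcessId": 1652,
     "TargetObject": r"HKU\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\26460d60a3b5b91b213d3bf18b1a3c93",
     "Details": r'"C:\Users\Admin\AppData\Roaming\googleupdate.exe" ..'},
    {"EventType": "ProcessCreate", "ProcessId": 3940, "ParentProcessId": 1652,
     "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "CommandLine": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\googleupdate.exe" "googleupdate.exe" ENABLE'},
    {"EventType": "RegistryValueSet", "ProcessId": 7001,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    hits = detect(EVENTS)
    for pid, rules in sorted(hits.items()):
        print(pid, sorted(rules))
    print("njRAT-like chains:", njrat_like(hits))
```

Attributing the netsh hit to the parent is what turns three individually noisy signals (Run keys, Startup-folder writes and netsh invocations all occur in legitimate software) into one high-confidence correlation on the single PID that did all three; the benign OneDrive event in the sample correctly produces a low-severity Run-key hit and nothing more.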
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)  [T1547.001]
  Create or Modify System Process (1): Windows Service (1)  [T1543.003]
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)  [T1547.001]
  Create or Modify System Process (1): Windows Service (1)  [T1543.003]

Note: the Registry Run Keys / Startup Folder mapping is backed by the "Adds Run key to start application" and "Drops startup file" signatures above. No service creation appears in the Signatures or Processes sections, so the Windows Service entry is not corroborated by the listed events.
Downloads

Filesize: 597KB
MD5: a208e9a7c0f0482b0aafaa70d06a53ed
SHA1: 8b77c0ddfa1fe0cc04f42feca7f0d9680d6e2056
SHA256: e5822b2ea957234e12bc50f2400d32af5c609b49b69e249cb469eb4721193b7c
SHA512: 21a6cbe57a68eea16ba8bfa17ac27ae362d9b5eaee93a008688f778cea08daf536daeab9be2e365ce6fe7fc17d1fa9906ceda33ff71a686711043435f9a3dd3e