Analysis
max time kernel: 150s
max time network: 143s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 25-02-2024 08:40
Static task: static1
Behavioral task: behavioral1
  Sample: a3593e1bb1cbff5e24dfe2c56cf49a8d.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: a3593e1bb1cbff5e24dfe2c56cf49a8d.exe
  Resource: win10v2004-20240221-en
(The signatures, process tree and ATT&CK mapping below are from the win7-20240221-en run.)
General
Target: a3593e1bb1cbff5e24dfe2c56cf49a8d.exe
Size: 863KB
MD5: a3593e1bb1cbff5e24dfe2c56cf49a8d
SHA1: 631958481f0565176351295df0bfaea81f139c60
SHA256: e064534d97cf20ede110465c290e99afad30967d8556775796a3a04203f48fec
SHA512: 70c92f024236d0aaf5549d10558ccb0c1f3a21761f0bf3506473c36e9e49a613aa838c5b53469b3573b130697b3613e1d4d4d3fd78fd9bb05b7e9d1b34772976
SSDEEP: 12288:l4lsXvtCcmVVXzzn4PJAahPl/QEdIMiVbHydEIJnJWUgaT7ddRq9MmCS:l4lavt0LkLL9IMixoEgea/HRq9MmCS
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: HacKed
C2: 10.10.10.10:5552
Mutex: 0dc24807523d3cd24b54cd0996e4c49b
Attributes
reg_key: 0dc24807523d3cd24b54cd0996e4c49b
splitter: |'|'|

Note: "HacKed" and port 5552 are the njRAT builder defaults, and 10.10.10.10 is a private (RFC 1918) address, so the configured C2 is not reachable from the sandbox and the host:port is a weak network indicator on its own. The reg_key string is reused verbatim as the Run value name created by server.exe (see "Adds Run key to start application" below), which makes it the more useful host indicator. The splitter is the field delimiter njRAT uses in its C2 messages.
Signatures

UAC bypass 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" a3593e1bb1cbff5e24dfe2c56cf49a8d.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a3593e1bb1cbff5e24dfe2c56cf49a8d.exe
Note: ConsentPromptBehaviorAdmin = 0 makes elevation silent for members of Administrators and applies without a reboot; EnableLUA = 0 turns UAC off entirely but only takes effect after the next reboot. Both values live under HKLM\SOFTWARE\...\Policies\System, which is only writable from an elevated context, so this is UAC removal for later stages by a sample that was already running elevated, not an escape from a medium-integrity process.

Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process
2844 netsh.exe
Note: the command line (see Processes) uses the legacy "netsh firewall" context, which Windows 7 still accepts; detection logic should also match the modern "netsh advfirewall firewall add rule" form.

Executes dropped EXE 2 IoCs
pid Process
2648 5341.exe
2616 server.exe

Loads dropped DLL 4 IoCs
pid Process
1684 a3593e1bb1cbff5e24dfe2c56cf49a8d.exe
1684 a3593e1bb1cbff5e24dfe2c56cf49a8d.exe
1684 a3593e1bb1cbff5e24dfe2c56cf49a8d.exe
2648 5341.exe

Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\0dc24807523d3cd24b54cd0996e4c49b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\0dc24807523d3cd24b54cd0996e4c49b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe
Note: the value name is the reg_key from the extracted config; the HKLM entry lands under Wow6432Node because server.exe is a 32-bit process on an x64 host (it also spawns netsh.exe from SysWOW64); and the trailing " .." argument is the njRAT stub's own autorun marker, a useful string to key on in Run-key telemetry.

Checks whether UAC is enabled 1 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a3593e1bb1cbff5e24dfe2c56cf49a8d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken 33 IoCs
description pid Process
Token: SeDebugPrivilege 2616 server.exe (1 entry)
Token: 33 2616 server.exe (16 entries, alternating with the next row)
Token: SeIncBasePriorityPrivilege 2616 server.exe (16 entries)
Note: "33" is a privilege LUID the sandbox did not resolve to a name. SeDebugPrivilege is requested once at start-up; the repeated SeIncBasePriorityPrivilege adjustments are server.exe raising its own priority.

Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target
PID 1684 wrote to memory of 2648 1684 a3593e1bb1cbff5e24dfe2c56cf49a8d.exe 28 (4 entries)
PID 2648 wrote to memory of 2616 2648 5341.exe 29 (4 entries)
PID 2616 wrote to memory of 2844 2616 server.exe 30 (4 entries)
Note: every write targets the writer's own freshly created child, which is consistent with process creation rather than injection into an unrelated process; read together these records give the chain a3593e1bb1cbff5e24dfe2c56cf49a8d.exe -> 5341.exe -> server.exe -> netsh.exe.

System policy modification 1 TTPs 3 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" a3593e1bb1cbff5e24dfe2c56cf49a8d.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a3593e1bb1cbff5e24dfe2c56cf49a8d.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System a3593e1bb1cbff5e24dfe2c56cf49a8d.exe
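As an added example (not code from the sandbox, from Tria.ge, or from the sample), the Python below turns the signatures above into three detection rules and runs them over event records constructed from this report's IoC lines: the EVENTS list, its field names, and the rule names are assumptions of this example. It also reconstructs the process chain from parent/child PIDs, which is what the WriteProcessMemory records amount to here, so each finding can be printed with its full lineage.

```python
"""Detection rules for the behaviours in the signature section above.

Added example, not Tria.ge or njRAT code. EVENTS is constructed from the
report's IoC lines (registry writes, the child processes implied by the
WriteProcessMemory records, and the netsh command line); the field names
and the rule names are assumptions of this example.
"""
import ntpath
import re
from dataclasses import dataclass

EVENTS = [  # constructed from the report, not a real sandbox export
    {"type": "process", "pid": 1684, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\a3593e1bb1cbff5e24dfe2c56cf49a8d.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\a3593e1bb1cbff5e24dfe2c56cf49a8d.exe"'},
    {"type": "reg_set", "pid": 1684,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "ConsentPromptBehaviorAdmin", "data": "0"},
    {"type": "reg_set", "pid": 1684,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "EnableLUA", "data": "0"},
    {"type": "process", "pid": 2648, "ppid": 1684,
     "image": r"C:\Users\Admin\AppData\Local\Temp\5341\5341.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\5341\5341.exe"'},
    {"type": "process", "pid": 2616, "ppid": 2648,
     "image": r"C:\Users\Admin\AppData\Local\Temp\server.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\server.exe"'},
    {"type": "reg_set", "pid": 2616,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
     "value": "0dc24807523d3cd24b54cd0996e4c49b",
     "data": r'"C:\Users\Admin\AppData\Local\Temp\server.exe" ..'},
    {"type": "reg_set", "pid": 2616,
     "key": r"\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "0dc24807523d3cd24b54cd0996e4c49b",
     "data": r'"C:\Users\Admin\AppData\Local\Temp\server.exe" ..'},
    {"type": "process", "pid": 2844, "ppid": 2616,
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE'},
]


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK technique ID
    rule: str
    pid: int
    detail: str


# Key suffixes are compared case-insensitively so HKLM, HKCU and Wow6432Node paths all match.
UAC_POLICY_KEY = r"\microsoft\windows\currentversion\policies\system"
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin"}
RUN_KEY = r"\microsoft\windows\currentversion\run"
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public")
# Legacy "netsh firewall" context (used by this sample) and the modern advfirewall form.
NETSH_FIREWALL = re.compile(
    r"\b(?:firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)\b", re.I)


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def process_tree(events):
    """Map pid -> (ppid, image) from process-creation events."""
    return {e["pid"]: (e["ppid"], e["image"]) for e in events if e["type"] == "process"}


def lineage(tree, pid):
    """Image basenames from the root ancestor down to pid (cycle-safe)."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        ppid, image = tree[pid]
        chain.append(_basename(image))
        pid = ppid
    return list(reversed(chain))


def detect(events):
    """Apply the three rules and return findings in event order."""
    findings = []
    for e in events:
        if e["type"] == "reg_set":
            key, value, data = e["key"].lower(), e["value"].lower(), e["data"]
            if key.endswith(UAC_POLICY_KEY) and value in UAC_VALUES and data.strip() == "0":
                findings.append(Finding("T1548.002", "uac_disabled_via_policy", e["pid"],
                                        f"{e['value']} = 0"))
            elif key.endswith(RUN_KEY) and any(p in data.lower() for p in USER_WRITABLE):
                # A trailing " .." on the autorun command line is the njRAT stub's own marker.
                marker = " (njRAT-style ' ..' argument)" if data.rstrip().endswith(" ..") else ""
                findings.append(Finding("T1547.001", "run_key_to_user_writable_path", e["pid"],
                                        f"{e['value']} -> {data}{marker}"))
        elif e["type"] == "process":
            if _basename(e["image"]) == "netsh.exe" and NETSH_FIREWALL.search(e["cmdline"]):
                findings.append(Finding("T1562.004", "netsh_firewall_exception", e["pid"],
                                        e["cmdline"]))
    return findings


if __name__ == "__main__":
    tree = process_tree(EVENTS)
    for f in detect(EVENTS):
        print(f"{f.technique} {f.rule} pid={f.pid} chain={' -> '.join(lineage(tree, f.pid))}")
        print(f"    {f.detail}")
```

To run the same rules over real telemetry, map Sysmon Event ID 1 (process create) to the "process" records and Event ID 13 (registry value set) to the "reg_set" records; the rules deliberately match on key suffixes and on user-writable path fragments rather than on this sample's exact paths, so they also fire on the HKCU-only variant and on the advfirewall syntax.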
Processes
C:\Users\Admin\AppData\Local\Temp\a3593e1bb1cbff5e24dfe2c56cf49a8d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a3593e1bb1cbff5e24dfe2c56cf49a8d.exe"
  PID: 1684
  - UAC bypass
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  - System policy modification
  C:\Users\Admin\AppData\Local\Temp\5341\5341.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5341\5341.exe"
    PID: 2648
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      PID: 2616
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        PID: 2844
        - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 23KB
MD5: 2c658b294b94ada8f4ccf02e4c682ade
SHA1: 9f5393f9f374199070f0ad15ae17426d414053d4
SHA256: 32435ea75fdd3b309051fc45ec5c3ef5b1768791f5421ea25c7fd85b38496337
SHA512: d8991a605721ce3adaedb8aa40b29858d8c5fa0cc8b74fb3a0e997bfa5e73629822a03c438bcc903cfb4df01eb59293a7e4b9332c28cfc3f5af7ccdec8123d52