Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-02-2024 21:36

Static task: static1 (1 signature)
Behavioral task: behavioral1
Sample: a2b7b61d87801940b9bf2d480fb2b0079c7bf229455ae68b5539d010cbf3917a.exe
Resource: win7-20240221-en (4 signatures, 150 seconds)
General
Target: a2b7b61d87801940b9bf2d480fb2b0079c7bf229455ae68b5539d010cbf3917a.exe
Size: 59KB
MD5: ac2c34d1352613f5d2a61f1613dad5b3
SHA1: 93013165236cc4159602a33719c874554d4adb26
SHA256: a2b7b61d87801940b9bf2d480fb2b0079c7bf229455ae68b5539d010cbf3917a
SHA512: 78cc3e7650c119c2f6c2f71cb732b5af4e473b484783d383b092747f2f723b352af02e1c200ee149b756cacd3dad25b1c9ee2844d089c2e7334357096ec7a819
SSDEEP: 768:UGWVB9D0rPI3RHWG0IcTfdZCwd7pPpVW5XXihKpMkJjXNwV:UGrcHDcTlwwdtTW5XShKX5NwV
Malware Config
Extracted
Family: njrat
Version: im523
Botnet: HacKed
C2: aboo3zhh.ddns.net:5552
Mutex: d7ba90557f4f3e98c51e552523d78090
Attributes
reg_key: d7ba90557f4f3e98c51e552523d78090
splitter: |'|'|
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
pid   Process
2288  netsh.exe

Suspicious use of AdjustPrivilegeToken (35 IoCs)
description                        pid   Process
Token: SeDebugPrivilege            4712  a2b7b61d87801940b9bf2d480fb2b0079c7bf229455ae68b5539d010cbf3917a.exe
Token: 33                          4712  a2b7b61d87801940b9bf2d480fb2b0079c7bf229455ae68b5539d010cbf3917a.exe
Token: SeIncBasePriorityPrivilege  4712  a2b7b61d87801940b9bf2d480fb2b0079c7bf229455ae68b5539d010cbf3917a.exe
(after the single SeDebugPrivilege entry, the "Token: 33" / "Token: SeIncBasePriorityPrivilege" pair is logged 17 times for PID 4712, 35 entries in total)

Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid   Process                                                                 procid_target
PID 4712 wrote to memory of 2288  4712  a2b7b61d87801940b9bf2d480fb2b0079c7bf229455ae68b5539d010cbf3917a.exe  89
PID 4712 wrote to memory of 2288  4712  a2b7b61d87801940b9bf2d480fb2b0079c7bf229455ae68b5539d010cbf3917a.exe  89
PID 4712 wrote to memory of 2288  4712  a2b7b61d87801940b9bf2d480fb2b0079c7bf229455ae68b5539d010cbf3917a.exe  89
Processes

1. C:\Users\Admin\AppData\Local\Temp\a2b7b61d87801940b9bf2d480fb2b0079c7bf229455ae68b5539d010cbf3917a.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\a2b7b61d87801940b9bf2d480fb2b0079c7bf229455ae68b5539d010cbf3917a.exe"
   PID: 4712
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\netsh.exe (child of PID 4712)
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\a2b7b61d87801940b9bf2d480fb2b0079c7bf229455ae68b5539d010cbf3917a.exe" "a2b7b61d87801940b9bf2d480fb2b0079c7bf229455ae68b5539d010cbf3917a.exe" ENABLE
      PID: 2288
      - Modifies Windows Firewall