Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
26-02-2024 21:41
Static task
static1
Behavioral task
behavioral1
Sample
021b477ace5e87113272fd8b16830051.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
021b477ace5e87113272fd8b16830051.exe
Resource
win10v2004-20240226-en
General
-
Target
021b477ace5e87113272fd8b16830051.exe
-
Size
184KB
-
MD5
021b477ace5e87113272fd8b16830051
-
SHA1
d55ddb61b67e53245adc5bd12822ea56f1602820
-
SHA256
e31f4f05884e97c569d6641257f40c4634004565874178c122817538e89948bd
-
SHA512
ef8c8ff1ff3326848becef2615bd2a629dd1eced13c9b9776d75f3a5cfd2e913324422f806264126befdd0d6908d16be081218ab61fe20ef95111cf9a41c8817
-
SSDEEP
3072:qUZiBJUB7JXbbkiTIR4JQffGaJNnN7SD+631zmh6Ty1:hiBWBdbkiTIR4ufGaJNnN7SC631zmh6+
Malware Config
Extracted
njrat
0.7d
HacKed
18.ip.gl.ply.gg:43389
4ac5522ba6619835b9ac056e603570c4
-
reg_key
4ac5522ba6619835b9ac056e603570c4
-
splitter
|'|'|
Signatures
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 1428 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation 021b477ace5e87113272fd8b16830051.exe -
Executes dropped EXE 2 IoCs
pid Process 3108 server.exe 1128 server.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4ac5522ba6619835b9ac056e603570c4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4ac5522ba6619835b9ac056e603570c4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 5024 set thread context of 2040 5024 021b477ace5e87113272fd8b16830051.exe 95 PID 3108 set thread context of 1128 3108 server.exe 97 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 35 IoCs
description pid Process Token: SeDebugPrivilege 5024 021b477ace5e87113272fd8b16830051.exe Token: SeDebugPrivilege 3108 server.exe Token: SeDebugPrivilege 1128 server.exe Token: 33 1128 server.exe Token: SeIncBasePriorityPrivilege 1128 server.exe Token: 33 1128 server.exe Token: SeIncBasePriorityPrivilege 1128 server.exe Token: 33 1128 server.exe Token: SeIncBasePriorityPrivilege 1128 server.exe Token: 33 1128 server.exe Token: SeIncBasePriorityPrivilege 1128 server.exe Token: 33 1128 server.exe Token: SeIncBasePriorityPrivilege 1128 server.exe Token: 33 1128 server.exe Token: SeIncBasePriorityPrivilege 1128 server.exe Token: 33 1128 server.exe Token: SeIncBasePriorityPrivilege 1128 server.exe Token: 33 1128 server.exe Token: SeIncBasePriorityPrivilege 1128 server.exe Token: 33 1128 server.exe Token: SeIncBasePriorityPrivilege 1128 server.exe Token: 33 1128 server.exe Token: SeIncBasePriorityPrivilege 1128 server.exe Token: 33 1128 server.exe Token: SeIncBasePriorityPrivilege 1128 server.exe Token: 33 1128 server.exe Token: SeIncBasePriorityPrivilege 1128 server.exe Token: 33 1128 server.exe Token: SeIncBasePriorityPrivilege 1128 server.exe Token: 33 1128 server.exe Token: SeIncBasePriorityPrivilege 1128 server.exe Token: 33 1128 server.exe Token: SeIncBasePriorityPrivilege 1128 server.exe Token: 33 1128 server.exe Token: SeIncBasePriorityPrivilege 1128 server.exe -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 5024 wrote to memory of 2040 5024 021b477ace5e87113272fd8b16830051.exe 95 PID 5024 wrote to memory of 2040 5024 021b477ace5e87113272fd8b16830051.exe 95 PID 5024 wrote to memory of 2040 5024 021b477ace5e87113272fd8b16830051.exe 95 PID 5024 wrote to memory of 2040 5024 021b477ace5e87113272fd8b16830051.exe 95 PID 5024 wrote to memory of 2040 5024 021b477ace5e87113272fd8b16830051.exe 95 PID 5024 wrote to memory of 2040 5024 021b477ace5e87113272fd8b16830051.exe 95 PID 5024 wrote to memory of 2040 5024 021b477ace5e87113272fd8b16830051.exe 95 PID 5024 wrote to memory of 2040 5024 021b477ace5e87113272fd8b16830051.exe 95 PID 2040 wrote to memory of 3108 2040 021b477ace5e87113272fd8b16830051.exe 96 PID 2040 wrote to memory of 3108 2040 021b477ace5e87113272fd8b16830051.exe 96 PID 2040 wrote to memory of 3108 2040 021b477ace5e87113272fd8b16830051.exe 96 PID 3108 wrote to memory of 1128 3108 server.exe 97 PID 3108 wrote to memory of 1128 3108 server.exe 97 PID 3108 wrote to memory of 1128 3108 server.exe 97 PID 3108 wrote to memory of 1128 3108 server.exe 97 PID 3108 wrote to memory of 1128 3108 server.exe 97 PID 3108 wrote to memory of 1128 3108 server.exe 97 PID 3108 wrote to memory of 1128 3108 server.exe 97 PID 3108 wrote to memory of 1128 3108 server.exe 97 PID 1128 wrote to memory of 1428 1128 server.exe 98 PID 1128 wrote to memory of 1428 1128 server.exe 98 PID 1128 wrote to memory of 1428 1128 server.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\021b477ace5e87113272fd8b16830051.exe"C:\Users\Admin\AppData\Local\Temp\021b477ace5e87113272fd8b16830051.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Users\Admin\AppData\Local\Temp\021b477ace5e87113272fd8b16830051.exeC:\Users\Admin\AppData\Local\Temp\021b477ace5e87113272fd8b16830051.exe2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3108 -
C:\Users\Admin\AppData\Local\Temp\server.exeC:\Users\Admin\AppData\Local\Temp\server.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE5⤵
- Modifies Windows Firewall
PID:1428
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3540 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:81⤵PID:3140
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\021b477ace5e87113272fd8b16830051.exe.log
Filesize224B
MD59c4b66f77f12558c48b620ddfb44029d
SHA1446651db643b943ec37b9b3599655e211a4bc73e
SHA25642f723d18283fda6a0904046cc29ee8d10e562d20c7615259a46ae9c0e4c9708
SHA512983aed0ec15a79b716ac6dc080146e4ed098c117c31167053fb5971649dc621d1db5292fdd76f3010f094b75d57ea0bdb35bc829c6ba37e4d276b266361dee8e
-
Filesize
184KB
MD5021b477ace5e87113272fd8b16830051
SHA1d55ddb61b67e53245adc5bd12822ea56f1602820
SHA256e31f4f05884e97c569d6641257f40c4634004565874178c122817538e89948bd
SHA512ef8c8ff1ff3326848becef2615bd2a629dd1eced13c9b9776d75f3a5cfd2e913324422f806264126befdd0d6908d16be081218ab61fe20ef95111cf9a41c8817