Analysis

max time kernel: 149s
max time network: 144s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 26-02-2024 21:58
Behavioral task: behavioral1
Sample: a569d0e761a74ce9324fe2acd2d8d18ba16fe7882a4c8c2d29eed0fa47083a98.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: a569d0e761a74ce9324fe2acd2d8d18ba16fe7882a4c8c2d29eed0fa47083a98.exe
Resource: win10v2004-20240226-en
General

Target: a569d0e761a74ce9324fe2acd2d8d18ba16fe7882a4c8c2d29eed0fa47083a98.exe
Size: 36KB
MD5: be620fcc4aa93db6323afb9d59f58433
SHA1: 96c315802257494d3474d4b3dd819415bfad187f
SHA256: a569d0e761a74ce9324fe2acd2d8d18ba16fe7882a4c8c2d29eed0fa47083a98
SHA512: a31951ac3da5fec54a02c85635ce21131038e181cf07fcd73af19ec96084a3e00b8d7adc6aca33f0db87723daead6d34cf2726e2f5b57d1508bd39ab0776cdd0
SSDEEP: 768:a8cNwislUV0bwA74K8EjrM+rMRa8Nundgt:avqlU6X4KL8+gRJNsd
Malware Config

Extracted
Family: njrat
im523
HacKed
37.1.222.208:5555
3efef41c199db4e308a09fd4aa069af7
reg_key: 3efef41c199db4e308a09fd4aa069af7
splitter: |'|'|
Signatures

- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  pid   Process
  2652  netsh.exe

- Executes dropped EXE (1 IoCs)
  pid   Process
  2540  svchost.exe

- Loads dropped DLL (2 IoCs)
  pid   Process
  2512  a569d0e761a74ce9324fe2acd2d8d18ba16fe7882a4c8c2d29eed0fa47083a98.exe
  2512  a569d0e761a74ce9324fe2acd2d8d18ba16fe7882a4c8c2d29eed0fa47083a98.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  description                             pid   Process
  Token: SeDebugPrivilege                 2540  svchost.exe
  Token: 33                               2540  svchost.exe   (17 entries, alternating with the row below)
  Token: SeIncBasePriorityPrivilege       2540  svchost.exe   (17 entries)

- Suspicious use of WriteProcessMemory (8 IoCs)
  description                      pid   Process                                                                procid_target
  PID 2512 wrote to memory of 2540 2512  a569d0e761a74ce9324fe2acd2d8d18ba16fe7882a4c8c2d29eed0fa47083a98.exe  28   (4 entries)
  PID 2540 wrote to memory of 2652 2540  svchost.exe                                                            29   (4 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\a569d0e761a74ce9324fe2acd2d8d18ba16fe7882a4c8c2d29eed0fa47083a98.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a569d0e761a74ce9324fe2acd2d8d18ba16fe7882a4c8c2d29eed0fa47083a98.exe"
   PID: 2512
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\svchost.exe (child of PID 2512)
      Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      PID: 2540
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe (child of PID 2540)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE
         PID: 2652
         - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 36KB
MD5: be620fcc4aa93db6323afb9d59f58433
SHA1: 96c315802257494d3474d4b3dd819415bfad187f
SHA256: a569d0e761a74ce9324fe2acd2d8d18ba16fe7882a4c8c2d29eed0fa47083a98
SHA512: a31951ac3da5fec54a02c85635ce21131038e181cf07fcd73af19ec96084a3e00b8d7adc6aca33f0db87723daead6d34cf2726e2f5b57d1508bd39ab0776cdd0