Analysis
- max time kernel: 150s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 26-02-2024 22:03
Static task
- static1

Behavioral task
- behavioral1
  - Sample: a665eae243d8d987de7378c95a9e7894d95b7ca6632e7455dcb9431870e67016.exe
  - Resource: win7-20240221-en

Behavioral task
- behavioral2
  - Sample: a665eae243d8d987de7378c95a9e7894d95b7ca6632e7455dcb9431870e67016.exe
  - Resource: win10v2004-20240226-en
General
- Target: a665eae243d8d987de7378c95a9e7894d95b7ca6632e7455dcb9431870e67016.exe
- Size: 432KB
- MD5: ad0f6231d44f6d0e08379256a3f765c0
- SHA1: 765c2ba3990b9c2a603a0012dfac8e34e39eda38
- SHA256: a665eae243d8d987de7378c95a9e7894d95b7ca6632e7455dcb9431870e67016
- SHA512: 8bcf9c48c9137b897194cd757ff80153462ce2ad2f2d468ab70ba4479808f3a8bd99006d50a0802289de43092b7079286a86091674d0173325b50ad089309eb0
- SSDEEP: 96:fsDYb94x6pIEYaXcwhx5zWLYxT9FS7Z0epAIb+zNt:UEb94x8pYapz1WLOxU7Z0dcY
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: 2021
- C2: aqq.linkpc.net:999
- Mutex: a1776750d898d3976ceabc94432acfb1
- reg_key: a1776750d898d3976ceabc94432acfb1
- splitter: |'|'|
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes:
  - netsh.exe, pid 2428
- Executes dropped EXE (1 IoC)
  Processes:
  - System64.exe, pid 2552
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (registry values set by System64.exe):
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a1776750d898d3976ceabc94432acfb1 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System64.exe\" .."
  - Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\a1776750d898d3976ceabc94432acfb1 = "\"C:\\Users\\Admin\\AppData\\Roaming\\System64.exe\" .."
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes (all entries are System64.exe, pid 2552):
  - Token: SeDebugPrivilege
  - Token: 33, then Token: SeIncBasePriorityPrivilege; this pair is repeated 17 times
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (source PID wrote to memory of target PID):
  - PID 1332 a665eae243d8d987de7378c95a9e7894d95b7ca6632e7455dcb9431870e67016.exe wrote to memory of PID 2552 System64.exe (3 entries)
  - PID 2552 System64.exe wrote to memory of PID 2428 netsh.exe (3 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\a665eae243d8d987de7378c95a9e7894d95b7ca6632e7455dcb9431870e67016.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a665eae243d8d987de7378c95a9e7894d95b7ca6632e7455dcb9431870e67016.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\System64.exe (child of [1])
    Command line: "C:\Users\Admin\AppData\Roaming\System64.exe"
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\netsh.exe (child of [2])
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\System64.exe" "System64.exe" ENABLE
      Signatures: Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Roaming\System64.exe
  - Filesize: 432KB
  - MD5: ad0f6231d44f6d0e08379256a3f765c0
  - SHA1: 765c2ba3990b9c2a603a0012dfac8e34e39eda38
  - SHA256: a665eae243d8d987de7378c95a9e7894d95b7ca6632e7455dcb9431870e67016
  - SHA512: 8bcf9c48c9137b897194cd757ff80153462ce2ad2f2d468ab70ba4479808f3a8bd99006d50a0802289de43092b7079286a86091674d0173325b50ad089309eb0
- memory/1332-0-0x0000000000280000-0x00000000002F2000-memory.dmp
  - Filesize: 456KB
- memory/1332-1-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp
  - Filesize: 9.9MB
- memory/1332-2-0x0000000000340000-0x000000000034C000-memory.dmp
  - Filesize: 48KB
- memory/1332-9-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp
  - Filesize: 9.9MB
- memory/2552-8-0x00000000002E0000-0x0000000000352000-memory.dmp
  - Filesize: 456KB
- memory/2552-10-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp
  - Filesize: 9.9MB
- memory/2552-11-0x000000001AD10000-0x000000001AD90000-memory.dmp
  - Filesize: 512KB
- memory/2552-12-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp
  - Filesize: 9.9MB