Analysis
- max time kernel: 150s
- max time network: 140s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 26-02-2024 06:23
Tasks
- Static task static1
- Behavioral task behavioral1: sample a5a5d0e078a7feb6350da38665d948ae.exe, resource win7-20240221-en
- Behavioral task behavioral2: sample a5a5d0e078a7feb6350da38665d948ae.exe, resource win10v2004-20240221-en
General
- Target: a5a5d0e078a7feb6350da38665d948ae.exe
- Size: 235KB
- MD5: a5a5d0e078a7feb6350da38665d948ae
- SHA1: 8ca1f4a981b997f4cbc3c04e4d492d436cf4d87d
- SHA256: 36965eced5d426883f047d0118a88999a36f9012455b97b8d58dfcb59a3f3fc8
- SHA512: ff8871672a9b8e7d691d05d5d8266a3e3be9aacc714bda2d1f03ce06983b039e0c31275fb8c4e57a03574c29506e6f446b46adbc8a1c27fa19e7522e51fff2f0
- SSDEEP: 3072:mbSXpN/hC32GhNvKNqWzWofP8qJ0O0ysPfBOm/wPewqo7L+V3/CjtS+XO+j7EE9E:IMpTQ2GhNS8unJ0BlBpI2w83oSB+NBK
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet ID: HacKed
- C2: amerkad19.ddns.net:1177
- Mutex: db2108a13871ca4786c6f5eb2f775bc8 (unlabelled on the page; same value as reg_key)
- reg_key: db2108a13871ca4786c6f5eb2f775bc8
- splitter: |'|'|
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  - PID 2548, netsh.exe
- Executes dropped EXE (1 IoC)
  - PID 2140, svchost.exe
- Loads dropped DLL (1 IoC)
  - PID 1676, a5a5d0e078a7feb6350da38665d948ae.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\db2108a13871ca4786c6f5eb2f775bc8 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .." (svchost.exe)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\db2108a13871ca4786c6f5eb2f775bc8 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .." (svchost.exe)
- Enumerates physical storage devices (1 TTP)
  - Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (35 IoCs, all for PID 2140, svchost.exe)
  - Token: SeDebugPrivilege
  - The remaining 34 entries alternate between Token: 33 and Token: SeIncBasePriorityPrivilege (duplicate rows collapsed)
- Suspicious use of WriteProcessMemory (8 IoCs)
  - PID 1676 (a5a5d0e078a7feb6350da38665d948ae.exe) wrote to memory of PID 2140, target procid 28 (4 identical entries)
  - PID 2140 (svchost.exe) wrote to memory of PID 2548, target procid 29 (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\a5a5d0e078a7feb6350da38665d948ae.exe (PID 1676)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a5a5d0e078a7feb6350da38665d948ae.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\svchost.exe (PID 2140)
    Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 2548)
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)