Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-02-2024 06:23
Static task: static1
Behavioral task: behavioral1
- Sample: a5a5d0e078a7feb6350da38665d948ae.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: a5a5d0e078a7feb6350da38665d948ae.exe
- Resource: win10v2004-20240221-en
General
- Target: a5a5d0e078a7feb6350da38665d948ae.exe
- Size: 235KB
- MD5: a5a5d0e078a7feb6350da38665d948ae
- SHA1: 8ca1f4a981b997f4cbc3c04e4d492d436cf4d87d
- SHA256: 36965eced5d426883f047d0118a88999a36f9012455b97b8d58dfcb59a3f3fc8
- SHA512: ff8871672a9b8e7d691d05d5d8266a3e3be9aacc714bda2d1f03ce06983b039e0c31275fb8c4e57a03574c29506e6f446b46adbc8a1c27fa19e7522e51fff2f0
- SSDEEP: 3072:mbSXpN/hC32GhNvKNqWzWofP8qJ0O0ysPfBOm/wPewqo7L+V3/CjtS+XO+j7EE9E:IMpTQ2GhNS8unJ0BlBpI2w83oSB+NBK
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: amerkad19.ddns.net:1177
- db2108a13871ca4786c6f5eb2f775bc8
- reg_key: db2108a13871ca4786c6f5eb2f775bc8
- splitter: |'|'|
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid 3344, process netsh.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Control Panel\International\Geo\Nation (process a5a5d0e078a7feb6350da38665d948ae.exe)
- Executes dropped EXE (1 IoC)
  pid 2260, process svchost.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\db2108a13871ca4786c6f5eb2f775bc8 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .." (process svchost.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\db2108a13871ca4786c6f5eb2f775bc8 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .." (process svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  All from pid 2260, process svchost.exe: Token: SeDebugPrivilege (1 time), then Token: 33 and Token: SeIncBasePriorityPrivilege alternating (16 times each)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2632 (a5a5d0e078a7feb6350da38665d948ae.exe) wrote to memory of 2260, procid_target 88 (3 times)
  PID 2260 (svchost.exe) wrote to memory of 3344, procid_target 91 (3 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\a5a5d0e078a7feb6350da38665d948ae.exe (PID 2632)
   Command line: "C:\Users\Admin\AppData\Local\Temp\a5a5d0e078a7feb6350da38665d948ae.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\svchost.exe (PID 2260)
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (PID 3344)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)