Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
27-02-2024 06:45
Static task
static1
Behavioral task
behavioral1
Sample
a87d7d7848bc287758c88af1cd7d95ae.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
a87d7d7848bc287758c88af1cd7d95ae.exe
Resource
win10v2004-20240226-en
General
-
Target
a87d7d7848bc287758c88af1cd7d95ae.exe
-
Size
89KB
-
MD5
a87d7d7848bc287758c88af1cd7d95ae
-
SHA1
b731e18e2c296f2ebc0104d2c7767ce4d8ebe27e
-
SHA256
1313a049e8bde8b7c39aaea57fc1061df557d49eb2f48e5dd73e438d32eae158
-
SHA512
d20da7eadd1419f2072ffd577a4e892e4ee60b3195a9b9c3cdd8d719b0f4da094f54f8581c8f2640e2411c52b487566b4bbbaee9c89490d8a40f2e8a95a530af
-
SSDEEP
1536:vSMJV+N0qf18HE42faceE/G4t3dMGoZrh8UH1WepL6AV+1o2c:vtJa3f18HT2F6OMTZeUVWML64/
Malware Config
Extracted
njrat
0.7d
HacKed
192.168.64.129:5552
643f582a162261e0ba7633b7acfd7ec1
-
reg_key
643f582a162261e0ba7633b7acfd7ec1
-
splitter
|'|'|
Signatures
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2948 netsh.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation a87d7d7848bc287758c88af1cd7d95ae.exe -
Executes dropped EXE 1 IoCs
pid Process 1188 server.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\643f582a162261e0ba7633b7acfd7ec1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\643f582a162261e0ba7633b7acfd7ec1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 33 IoCs
description pid Process Token: SeDebugPrivilege 1188 server.exe Token: 33 1188 server.exe Token: SeIncBasePriorityPrivilege 1188 server.exe Token: 33 1188 server.exe Token: SeIncBasePriorityPrivilege 1188 server.exe Token: 33 1188 server.exe Token: SeIncBasePriorityPrivilege 1188 server.exe Token: 33 1188 server.exe Token: SeIncBasePriorityPrivilege 1188 server.exe Token: 33 1188 server.exe Token: SeIncBasePriorityPrivilege 1188 server.exe Token: 33 1188 server.exe Token: SeIncBasePriorityPrivilege 1188 server.exe Token: 33 1188 server.exe Token: SeIncBasePriorityPrivilege 1188 server.exe Token: 33 1188 server.exe Token: SeIncBasePriorityPrivilege 1188 server.exe Token: 33 1188 server.exe Token: SeIncBasePriorityPrivilege 1188 server.exe Token: 33 1188 server.exe Token: SeIncBasePriorityPrivilege 1188 server.exe Token: 33 1188 server.exe Token: SeIncBasePriorityPrivilege 1188 server.exe Token: 33 1188 server.exe Token: SeIncBasePriorityPrivilege 1188 server.exe Token: 33 1188 server.exe Token: SeIncBasePriorityPrivilege 1188 server.exe Token: 33 1188 server.exe Token: SeIncBasePriorityPrivilege 1188 server.exe Token: 33 1188 server.exe Token: SeIncBasePriorityPrivilege 1188 server.exe Token: 33 1188 server.exe Token: SeIncBasePriorityPrivilege 1188 server.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3132 wrote to memory of 1188 3132 a87d7d7848bc287758c88af1cd7d95ae.exe 89 PID 3132 wrote to memory of 1188 3132 a87d7d7848bc287758c88af1cd7d95ae.exe 89 PID 3132 wrote to memory of 1188 3132 a87d7d7848bc287758c88af1cd7d95ae.exe 89 PID 1188 wrote to memory of 2948 1188 server.exe 90 PID 1188 wrote to memory of 2948 1188 server.exe 90 PID 1188 wrote to memory of 2948 1188 server.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\a87d7d7848bc287758c88af1cd7d95ae.exe"C:\Users\Admin\AppData\Local\Temp\a87d7d7848bc287758c88af1cd7d95ae.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3132 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
PID:2948
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
89KB
MD5a87d7d7848bc287758c88af1cd7d95ae
SHA1b731e18e2c296f2ebc0104d2c7767ce4d8ebe27e
SHA2561313a049e8bde8b7c39aaea57fc1061df557d49eb2f48e5dd73e438d32eae158
SHA512d20da7eadd1419f2072ffd577a4e892e4ee60b3195a9b9c3cdd8d719b0f4da094f54f8581c8f2640e2411c52b487566b4bbbaee9c89490d8a40f2e8a95a530af