Analysis Overview
SHA256
66879712d25cecad35783be6c4e117bc9c01278ed7dd6d7b958b623e34d21908
Threat Level: Known bad
The file Crack Nursultan Client.exe was found to be: Known bad.
Malicious Activity Summary
Njrat family
Modifies Windows Firewall
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-05 12:57
Signatures
Njrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-05 12:57
Reported
2024-03-05 13:00
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 2.tcp.eu.ngrok.io | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1796 wrote to memory of 4592 | N/A | C:\Users\Admin\AppData\Local\Temp\Crack Nursultan Client.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 1796 wrote to memory of 4592 | N/A | C:\Users\Admin\AppData\Local\Temp\Crack Nursultan Client.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 1796 wrote to memory of 4592 | N/A | C:\Users\Admin\AppData\Local\Temp\Crack Nursultan Client.exe | C:\Windows\SysWOW64\netsh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Crack Nursultan Client.exe
"C:\Users\Admin\AppData\Local\Temp\Crack Nursultan Client.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Crack Nursultan Client.exe" "Crack Nursultan Client.exe" ENABLE
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.tcp.eu.ngrok.io | udp |
| DE | 18.192.93.86:17647 | 2.tcp.eu.ngrok.io | tcp |
| GB | 142.250.187.234:443 | tcp | |
| US | 8.8.8.8:53 | 86.93.192.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
Files
memory/1796-0-0x00000000751D0000-0x0000000075781000-memory.dmp
memory/1796-1-0x00000000751D0000-0x0000000075781000-memory.dmp
memory/1796-2-0x0000000001690000-0x00000000016A0000-memory.dmp
memory/1796-3-0x00000000751D0000-0x0000000075781000-memory.dmp
memory/1796-4-0x00000000751D0000-0x0000000075781000-memory.dmp
memory/1796-5-0x0000000001690000-0x00000000016A0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-05 12:57
Reported
2024-03-05 13:00
Platform
win7-20240221-en
Max time kernel
151s
Max time network
168s
Command Line
Signatures
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 2.tcp.eu.ngrok.io | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2964 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\Crack Nursultan Client.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2964 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\Crack Nursultan Client.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2964 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\Crack Nursultan Client.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2964 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\Crack Nursultan Client.exe | C:\Windows\SysWOW64\netsh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Crack Nursultan Client.exe
"C:\Users\Admin\AppData\Local\Temp\Crack Nursultan Client.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Crack Nursultan Client.exe" "Crack Nursultan Client.exe" ENABLE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.tcp.eu.ngrok.io | udp |
| DE | 18.156.13.209:17647 | 2.tcp.eu.ngrok.io | tcp |
Files
memory/2964-0-0x0000000074CE0000-0x000000007528B000-memory.dmp
memory/2964-1-0x0000000074CE0000-0x000000007528B000-memory.dmp
memory/2964-2-0x0000000000630000-0x0000000000670000-memory.dmp
memory/2964-3-0x0000000074CE0000-0x000000007528B000-memory.dmp
memory/2964-4-0x0000000074CE0000-0x000000007528B000-memory.dmp
memory/2964-5-0x0000000000630000-0x0000000000670000-memory.dmp