Analysis

max time kernel: 147s
max time network: 153s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 18-03-2024 10:11

Static task: static1
Behavioral task: behavioral1
Sample: d33dec279966da2024c05d5fde688253.exe
Resource: win7-20240221-en
General

Target: d33dec279966da2024c05d5fde688253.exe
Size: 1.2MB
MD5: d33dec279966da2024c05d5fde688253
SHA1: 74bde021ba65fdd33fd420568b6a2da406ac07e8
SHA256: f17fd9ff93d1b3db6c3e4463d5ca5c11b99827890c58721d2860df75d4323705
SHA512: 67ec505fb9305493699af82de2054ebedcf033867bd9cd14bac7fef392d5f69ce9aaa61a408e67f346153aaa05c1c65aff8e0c63d99477bd04fc6e25c4262fd8
SSDEEP: 24576:ANA3R5drXPrfi4T6sNNuT0Zb7mnyxuYuroyvUC0l6:55jl6GuT0tmNTrTsCe6
Malware Config

Extracted
njrat
20
gold
149.248.52.61:87
165d6ed988ac
reg_key: 165d6ed988ac
splitter: |'|'|
Signatures

Executes dropped EXE (1 IoCs)
Processes: winhosti.exe (pid 2304)

Loads dropped DLL (4 IoCs)
Processes: d33dec279966da2024c05d5fde688253.exe (pid 2144), 4 occurrences

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: AcroRd32.exe (pid 2564)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: winhosti.exe (pid 2304)
  Token: SeDebugPrivilege
  Token: 33
  Token: SeIncBasePriorityPrivilege

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: AcroRd32.exe (pid 2564), 3 occurrences

Suspicious use of WriteProcessMemory (12 IoCs)
Processes: d33dec279966da2024c05d5fde688253.exe (pid 2144) wrote to memory of:
  winhosti.exe (pid 2304), 4 occurrences
  WScript.exe (pid 2040), 4 occurrences
  AcroRd32.exe (pid 2564), 4 occurrences
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\d33dec279966da2024c05d5fde688253.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d33dec279966da2024c05d5fde688253.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Roaming\winhosti.exe
    Command line: "C:\Users\Admin\AppData\Roaming\winhosti.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\u.vbs"

  Level 2: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Phase-3 of Nationwide Vaccination Registration.pdf"
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  Filesize: 3KB
  MD5: 1ab9bf100c1593e436251777985a6a14
  SHA1: 56478aa1a24789d2c296901359980f55161ef7ba
  SHA256: c7e40af812a2f9032cd1784d82b28db5bb253ae64a1b4c370be043d660b685ba
  SHA512: 201de6d95e84cd812db3fc3620b774440d9630e7fd90aae9251983b9f7aea598f6409c73994c548cc839455b489200a44b8a4403f903fa19684a97c412af7732

C:\Users\Admin\AppData\Roaming\Phase-3 of Nationwide Vaccination Registration.pdf
  Filesize: 956KB
  MD5: 0fa12ed69cc54281b003b26adc5d05a9
  SHA1: 5f186fb3817297baf51e8b697ed044ac437dc996
  SHA256: fa344d98fdf10e10c32971dcdad234925143120e50200048b510e64c4c5c5cf4
  SHA512: 36d2b93a3674b5c8edba8bda3f477b4e2e889ea27862bc00a00c8fa4da31d9683ecd7a3fb1aeec78528ed997663ac3c85af1c00a06190e0a1f74d074cb5c60f9

C:\Users\Admin\AppData\Roaming\u.vbs
  Filesize: 1KB
  MD5: 3ce49084a8ccb465d430e750ec9a2df3
  SHA1: 26fdb9476e7259cc399c2cb311dfe5779d0528a6
  SHA256: 6d4f18ec7564d4e1abcd0c6e4697f9cd029fba5fb4889d647dacd938d9aabb65
  SHA512: 32892546b3526e5b877d15a531ad98e637c2caa282e0043290078456121ff648ead57a58e9740f42cf275850a87c0fac8f504958b58959740f271dd0c1b697fd

\Users\Admin\AppData\Roaming\winhosti.exe
  Filesize: 22KB
  MD5: 7cbc3b6a36f71c584b08fac91478f033
  SHA1: e1b3fc39592cc02aa8b40487c827bc96fb3c830d
  SHA256: 1dab360111d8a0f59674bc5c725b88edac598dd7e0171ab7c3bc5416d45e6e89
  SHA512: f85e4344be0cf30ee9d00e754dcbccfb2bd0833fb16a0a9423388fe2020981e46c20323c385f6be96e0fa52af06b859a65fc006762bd9f2f89062fb7ae180c41

memory/2304-23-0x00000000003B0000-0x00000000003BC000-memory.dmp
  Filesize: 48KB

memory/2304-24-0x0000000073710000-0x0000000073DFE000-memory.dmp
  Filesize: 6.9MB

memory/2304-43-0x0000000004960000-0x00000000049A0000-memory.dmp
  Filesize: 256KB

memory/2304-44-0x0000000073710000-0x0000000073DFE000-memory.dmp
  Filesize: 6.9MB

memory/2304-45-0x0000000004960000-0x00000000049A0000-memory.dmp
  Filesize: 256KB