Analysis
Max time kernel: 118s
Max time network: 122s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 25-03-2024 02:01
Behavioral task: behavioral1
  Sample: f151cd6e8e2a73bb0594cc6767d193d016fc88cc9973712a9dec06284b6b3adf.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f151cd6e8e2a73bb0594cc6767d193d016fc88cc9973712a9dec06284b6b3adf.exe
  Resource: win10v2004-20240319-en
General
Target: f151cd6e8e2a73bb0594cc6767d193d016fc88cc9973712a9dec06284b6b3adf.exe
Size: 29KB
MD5: a051c849e389cec5636e4f0f9b080e8c
SHA1: 70228c5ab77e03193e527ccb995c5ec3b0c09b1a
SHA256: f151cd6e8e2a73bb0594cc6767d193d016fc88cc9973712a9dec06284b6b3adf
SHA512: cd0a2ba45982f81b24bc289fa3a4bf10da2f828c845d2a73ce62bea8729d95737eed6e59d70ac05606b6d97d4cd36d721b538975f01b0c837324c95d22dc2e75
SSDEEP: 384:EPqvANl7TxTD+VF2dbofPauxnaIuN15708COmqDk9jeHqGBsbh0w4wlAokw9Ohgd:ru75oa4fuTC8cqojeVBKh0p29SgR5d
Malware Config
Extracted
Family: njrat
Version: 0.6.4
Campaign (botnet id): hacker
C2: 01KeKe-41878.portmap.io:41878
Mutex (label inferred from field position; the same value is used as reg_key): 12826896566034991c9912d3a1ee9bf7
reg_key: 12826896566034991c9912d3a1ee9bf7
splitter: |'|'|
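The splitter value above is the field delimiter njRAT uses inside its C2 messages, and the C2 host:port is the indicator worth matching in DNS and connection logs. The following is an added example (not part of the sandbox report and not njRAT's own code): it parses an njRAT-style message using the report's splitter and checks constructed log lines against the report's C2. The message framing (ASCII decimal length, a NUL byte, then the delimited payload) is assumed from public njRAT write-ups, and the sample message and log lines are constructed here; they are not traffic captured by this analysis.

```python
import re

# Values copied from the report's "Malware Config" section.
NJRAT_CONFIG = {
    "version": "0.6.4",
    "campaign": "hacker",
    "c2_host": "01KeKe-41878.portmap.io",
    "c2_port": 41878,
    "reg_key": "12826896566034991c9912d3a1ee9bf7",
    "splitter": "|'|'|",
}


def build_message(fields, splitter=NJRAT_CONFIG["splitter"]):
    """Frame a list of fields the way njRAT is assumed to do it:
    '<decimal length>\\x00<payload>' with fields joined by the splitter."""
    payload = splitter.join(fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_njrat_message(raw, splitter=NJRAT_CONFIG["splitter"]):
    """Inverse of build_message. Validates the length prefix so a truncated or
    coalesced TCP read is reported instead of silently mis-split."""
    head, sep, body = raw.partition(b"\x00")
    if not sep or not head.isdigit():
        raise ValueError("missing or non-numeric length prefix")
    declared = int(head)
    if declared != len(body):
        raise ValueError(f"length mismatch: declared {declared}, got {len(body)}")
    return body.decode("utf-8", errors="replace").split(splitter)


def c2_hits(log_lines, host=NJRAT_CONFIG["c2_host"], port=NJRAT_CONFIG["c2_port"]):
    """Return the log lines that reference the C2 host (optionally with its port).
    The match is case-insensitive because DNS names are."""
    pattern = re.compile(re.escape(host) + r"(?::" + str(port) + r")?", re.IGNORECASE)
    return [line for line in log_lines if pattern.search(line)]


# Constructed beacon: a registration-style message whose first field is an
# assumed njRAT command tag; the victim id, hostname and user are made up.
SAMPLE_MESSAGE = build_message(["ll", "HacKed_0A1B2C3D", "WIN-7", "Admin"])

# Constructed log lines (not from the report); only the first two name the C2.
SAMPLE_LOGS = [
    "2024-03-25 02:02:11 dns query 01keke-41878.portmap.io A",
    "2024-03-25 02:02:12 tcp connect 01KeKe-41878.portmap.io:41878 from 10.0.0.5",
    "2024-03-25 02:02:13 dns query portmap.io A",
]

if __name__ == "__main__":
    print(parse_njrat_message(SAMPLE_MESSAGE))
    print(c2_hits(SAMPLE_LOGS))
```

Matching only on the bare "portmap.io" domain would be far too broad (it is a public port-forwarding service), so the pattern anchors on the full subdomain from the extracted config.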
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoCs)
  Process: rundll32.exe
  Key created: \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_Classes\Local Settings
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Process: AcroRd32.exe (PID 2664)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Process: AcroRd32.exe (PID 2664), 2 events
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: f151cd6e8e2a73bb0594cc6767d193d016fc88cc9973712a9dec06284b6b3adf.exe, rundll32.exe
  PID 2016 (f151cd6e8e2a73bb0594cc6767d193d016fc88cc9973712a9dec06284b6b3adf.exe) wrote to memory of PID 2840 (rundll32.exe): 7 events
  PID 2840 (rundll32.exe) wrote to memory of PID 2664 (AcroRd32.exe): 4 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\f151cd6e8e2a73bb0594cc6767d193d016fc88cc9973712a9dec06284b6b3adf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f151cd6e8e2a73bb0594cc6767d193d016fc88cc9973712a9dec06284b6b3adf.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\lalaker12
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
         Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\lalaker12"
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx
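The process tree above shows the sample invoking shell32.dll's OpenAs_RunDLL export through rundll32.exe against an extension-less file in %TEMP%, after which Adobe Reader is launched as the handler for that file. The following is an added example, not part of the sandbox report: a small detection that walks process-creation events and flags rundll32 executions of OpenAs_RunDLL whose parent is not explorer.exe and whose target lives under a user's Temp directory, reporting the parent and the handler process spawned from it. The event records are constructed here to mirror the report's tree (same PIDs, images and command lines); the "explorer.exe" parent exclusion and the Temp-path condition are this example's own tuning choices, not findings from the report.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """Minimal process-creation record, in the spirit of Sysmon event 1."""
    pid: int
    ppid: int
    image: str
    cmdline: str

# Constructed from the report's process tree; PIDs and paths as on the page.
EVENTS = [
    ProcEvent(2016, 1234,
              r"C:\Users\Admin\AppData\Local\Temp\f151cd6e8e2a73bb0594cc6767d193d016fc88cc9973712a9dec06284b6b3adf.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\f151cd6e8e2a73bb0594cc6767d193d016fc88cc9973712a9dec06284b6b3adf.exe"'),
    ProcEvent(2840, 2016, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\lalaker12'),
    ProcEvent(2664, 2840, r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe",
              r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\lalaker12"'),
    # Benign control (constructed): a user picking "Open with" from Explorer.
    ProcEvent(3100, 1500, r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Documents\notes.dat'),
    ProcEvent(1500, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
]

# Captures the path argument that follows the OpenAs_RunDLL export name.
OPENAS_RE = re.compile(r"shell32\.dll,OpenAs_RunDLL\s+(.+?)\s*$", re.IGNORECASE)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_openas_chains(events):
    """Return one dict per suspicious OpenAs_RunDLL launch: parent image,
    the file handed to the Open-With dialog, and any handler children."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) != "rundll32.exe":
            continue
        m = OPENAS_RE.search(e.cmdline)
        if not m:
            continue
        target = m.group(1).strip('"')
        parent = by_pid.get(e.ppid)
        parent_name = basename(parent.image) if parent else "<unknown>"
        # Tuning assumption: Explorer-driven "Open with" on a non-Temp file is benign.
        if parent_name == "explorer.exe" and not TEMP_RE.search(target):
            continue
        hits.append({
            "rundll32_pid": e.pid,
            "parent_pid": e.ppid,
            "parent_image": parent_name,
            "target": target,
            "handlers": [(c.pid, basename(c.image)) for c in events if c.ppid == e.pid],
        })
    return hits

if __name__ == "__main__":
    for hit in find_openas_chains(EVENTS):
        print(hit)
```

Correlating the rundll32 event with its children is what turns a noisy single-event rule into something actionable: the handler process (here AcroRd32.exe) is where the SetWindowsHookEx and GetForegroundWindowSpam signatures above were observed.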
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Temp\lalaker12
  Filesize: 29KB
  MD5: a051c849e389cec5636e4f0f9b080e8c
  SHA1: 70228c5ab77e03193e527ccb995c5ec3b0c09b1a
  SHA256: f151cd6e8e2a73bb0594cc6767d193d016fc88cc9973712a9dec06284b6b3adf
  SHA512: cd0a2ba45982f81b24bc289fa3a4bf10da2f828c845d2a73ce62bea8729d95737eed6e59d70ac05606b6d97d4cd36d721b538975f01b0c837324c95d22dc2e75
  (Identical size and hashes to the submitted sample: the dropped file is a copy of the sample itself, written without an extension.)
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  Filesize: 3KB
  MD5: 3f6f84360c3804225759155940e7a62e
  SHA1: 60be3937f8842eeaaecd1526d5fb7f328b1d402f
  SHA256: 22a58c56985a65f3459c81c3417bec8c541372084ece0310443c8fd856d51a72
  SHA512: 7c887af6c16a9b704ad67f44a9f0127e75ea9a348cb3c32e25bdb341f698d36ae84df1c2b8b7f3313b6d4d8a986c47cdd1ebedf350e7b684df55a0ecfac144e2
- memory/2016-0-0x0000000074D20000-0x00000000752CB000-memory.dmp
  Filesize: 5.7MB
- memory/2016-1-0x0000000074D20000-0x00000000752CB000-memory.dmp
  Filesize: 5.7MB
- memory/2016-2-0x00000000003D0000-0x0000000000410000-memory.dmp
  Filesize: 256KB
- memory/2016-5-0x0000000074D20000-0x00000000752CB000-memory.dmp
  Filesize: 5.7MB