Analysis
max time kernel: 150s
max time network: 139s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 13/04/2024, 20:39
Behavioral task: behavioral1
  Sample: 4389f797ce290f2b270cdb341e519ceab66f40475178cd667663d82d4af3adbf.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 4389f797ce290f2b270cdb341e519ceab66f40475178cd667663d82d4af3adbf.exe
  Resource: win10v2004-20240412-en
General
Target: 4389f797ce290f2b270cdb341e519ceab66f40475178cd667663d82d4af3adbf.exe
Size: 425KB
MD5: a64155197e86d698360b4d89aeb9b862
SHA1: 445055a3e79c38765833045dceaae7b9a760028d
SHA256: 4389f797ce290f2b270cdb341e519ceab66f40475178cd667663d82d4af3adbf
SHA512: f8baf13f0d3615896d970b4fe8baa0d8aff4d0975963d8937d2ffd96e66e5a26391f4b6b21bec4cff4f2db9602ae465f635694ef80a47485817ea6f5852a4f81
SSDEEP: 12288:WquErHF6xC9D6DmR1J98w4oknqO/CyQftQYqYbLmKT:brl6kD68JmlokQfttqY2KT
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: 14 mai generateur xbox
C2: 89.94.35.57:1604
Mutex: ef05e501c2e286164abf5fcaa961559f
Attributes
  reg_key: ef05e501c2e286164abf5fcaa961559f
  splitter: |'|'|
Signatures
UPX dump on OEP (original entry point) (16 IoCs)
Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid: 2616  Process: netsh.exe
AutoIT Executable (15 IoCs)
  AutoIT scripts compiled to PE executables.
Suspicious use of SetThreadContext (1 IoC)
  description: PID 1988 set thread context of 2108
  pid: 1988  Process: 4389f797ce290f2b270cdb341e519ceab66f40475178cd667663d82d4af3adbf.exe  procid_target: 28
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (35 IoCs)
Suspicious use of FindShellTrayWindow (3 IoCs)
  pid: 1988  Process: 4389f797ce290f2b270cdb341e519ceab66f40475178cd667663d82d4af3adbf.exe
  pid: 1988  Process: 4389f797ce290f2b270cdb341e519ceab66f40475178cd667663d82d4af3adbf.exe
  pid: 1988  Process: 4389f797ce290f2b270cdb341e519ceab66f40475178cd667663d82d4af3adbf.exe
Suspicious use of SendNotifyMessage (3 IoCs)
  pid: 1988  Process: 4389f797ce290f2b270cdb341e519ceab66f40475178cd667663d82d4af3adbf.exe
  pid: 1988  Process: 4389f797ce290f2b270cdb341e519ceab66f40475178cd667663d82d4af3adbf.exe
  pid: 1988  Process: 4389f797ce290f2b270cdb341e519ceab66f40475178cd667663d82d4af3adbf.exe
Suspicious use of WriteProcessMemory (13 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\4389f797ce290f2b270cdb341e519ceab66f40475178cd667663d82d4af3adbf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4389f797ce290f2b270cdb341e519ceab66f40475178cd667663d82d4af3adbf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 1988
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2108
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE
      - Modifies Windows Firewall
      PID: 2616