Analysis
- max time kernel: 149s
- max time network: 139s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 19-04-2024 02:44
Behavioral task: behavioral1
- Sample: c4838ccd56d3476320070352b7554d227926abb59f7bd6221a1fbe527d6210c5.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: c4838ccd56d3476320070352b7554d227926abb59f7bd6221a1fbe527d6210c5.exe
- Resource: win10v2004-20240412-en
General
- Target: c4838ccd56d3476320070352b7554d227926abb59f7bd6221a1fbe527d6210c5.exe
- Size: 23KB
- MD5: d9a0d6aeb87e51ec47d64c4636f0342b
- SHA1: 530672ae76103f385cfe5caf3b9737c6bc61d9b1
- SHA256: c4838ccd56d3476320070352b7554d227926abb59f7bd6221a1fbe527d6210c5
- SHA512: 3ca53db6233ec0c3d31924bb5067dc907fb7fa2a1b66858281ab4baec8889822c2ff8f22f51ff6d3efd67842c8992d9f2ba64e76629272d361b354dd50937655
- SSDEEP: 384:noWtkEwn65rgjAsGipk55D16xgXakhbZD0mRvR6JZlbw8hqIusZzZIF:A7O89p2rRpcnuz
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: HacKed
- C2: 10.10.1.11:5552
- Mutex: 7657c14284185fbd3fb108b43c7467ba
- Attributes:
  - reg_key: 7657c14284185fbd3fb108b43c7467ba
  - splitter: |'|'|
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes: netsh.exe (pid 3056)
- Executes dropped EXE (1 IoC)
  Processes: server.exe (pid 2440)
- Loads dropped DLL (1 IoC)
  Processes: c4838ccd56d3476320070352b7554d227926abb59f7bd6221a1fbe527d6210c5.exe (pid 1740)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Registry values set (str) by server.exe:
  - \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\7657c14284185fbd3fb108b43c7467ba = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
  - \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\7657c14284185fbd3fb108b43c7467ba = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Process: server.exe (pid 2440). Token adjustments: SeDebugPrivilege once, then Token 33 and SeIncBasePriorityPrivilege alternating, 35 entries in total, all from pid 2440 server.exe.
- Suspicious use of WriteProcessMemory (8 IoCs)
  - PID 1740 (c4838ccd56d3476320070352b7554d227926abb59f7bd6221a1fbe527d6210c5.exe) wrote to memory of PID 2440 (server.exe): 4 entries
  - PID 2440 (server.exe) wrote to memory of PID 3056 (netsh.exe): 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\c4838ccd56d3476320070352b7554d227926abb59f7bd6221a1fbe527d6210c5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c4838ccd56d3476320070352b7554d227926abb59f7bd6221a1fbe527d6210c5.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\server.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      Signatures: Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
- \Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 23KB
  MD5: d9a0d6aeb87e51ec47d64c4636f0342b
  SHA1: 530672ae76103f385cfe5caf3b9737c6bc61d9b1
  SHA256: c4838ccd56d3476320070352b7554d227926abb59f7bd6221a1fbe527d6210c5
  SHA512: 3ca53db6233ec0c3d31924bb5067dc907fb7fa2a1b66858281ab4baec8889822c2ff8f22f51ff6d3efd67842c8992d9f2ba64e76629272d361b354dd50937655
- memory/1740-1-0x00000000004E0000-0x0000000000520000-memory.dmp (Filesize: 256KB)
- memory/1740-0-0x00000000742C0000-0x000000007486B000-memory.dmp (Filesize: 5.7MB)
- memory/1740-2-0x00000000742C0000-0x000000007486B000-memory.dmp (Filesize: 5.7MB)
- memory/1740-11-0x00000000742C0000-0x000000007486B000-memory.dmp (Filesize: 5.7MB)
- memory/2440-12-0x0000000002230000-0x0000000002270000-memory.dmp (Filesize: 256KB)
- memory/2440-10-0x00000000742C0000-0x000000007486B000-memory.dmp (Filesize: 5.7MB)
- memory/2440-13-0x00000000742C0000-0x000000007486B000-memory.dmp (Filesize: 5.7MB)