Analysis

max time kernel: 150s
max time network: 156s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 19-04-2024 16:47
Behavioral task behavioral1
  Sample: 6f3d6bf9ee09bd4cd6af117cca33965c33b99a7380d8de14450b7d4a3cd499b8.exe
  Resource: win7-20240221-en

Behavioral task behavioral2
  Sample: 6f3d6bf9ee09bd4cd6af117cca33965c33b99a7380d8de14450b7d4a3cd499b8.exe
  Resource: win10v2004-20240412-en

(The signatures, processes and network data on this page are from the behavioral1 run on win7-20240221-en.)
General

Target: 6f3d6bf9ee09bd4cd6af117cca33965c33b99a7380d8de14450b7d4a3cd499b8.exe
Size: 37KB
MD5: 871722db5b9b702357b675e48e491193
SHA1: ec5cf5b57414fa8253a842bb06fc6822b85e399d
SHA256: 6f3d6bf9ee09bd4cd6af117cca33965c33b99a7380d8de14450b7d4a3cd499b8
SHA512: 9757a9bfc13b23a30590dfc145f837c22fffad56f1c47ca7354ddded78c8afc2418b0a5ce0f0add6aaf59354355577141a1b05115b8faf5d978445570a58b478
SSDEEP: 384:GstKUiDtblmJEpRGyEf7JfJuQCY6iXQrAF+rMRTyN/0L+EcoinblneHQM3epzXIf:5tiHpR9Ef7JsQCFiArM+rMRa8NuCFt
Malware Config

Extracted
Family: njrat
Version: im523
Botnet (campaign ID): HacKed
C2: 5.tcp.eu.ngrok.io:11024
Mutex: 886e4e6cf55be20a7d674097273f111d (the same value is used as the Run key name and as the name of the dropped Startup folder copy)
reg_key: 886e4e6cf55be20a7d674097273f111d
splitter: |'|'|

The C2 is an ngrok TCP tunnel endpoint, so the operator's real host sits behind ngrok's infrastructure and the port is assigned per tunnel session; the hostname pattern and port are the useful indicators here, the resolved IP address is not.
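The splitter and C2 above are what a network analyst needs to take the bot's traffic apart. The following is an added example, not part of the Triage report and not njRAT's own code: it frames and unframes messages the way this njRAT generation is understood to do it (a decimal length, a NUL byte, then the payload, with fields joined by the splitter), and parses a constructed registration beacon. The framing rule, the field order of the beacon, and the "campaign_victimID" form of the second field are assumptions of this example; the beacon bytes are built by hand here, not captured traffic.

```python
"""
Added example (not from the report): decode njRAT-style C2 framing using the
splitter and identifiers recovered in the extracted config above.

Assumed, not stated on the page: every message is sent as
"<decimal length>\x00<payload>", and fields inside the payload are joined by
the splitter string. The beacon built below is constructed for illustration.
"""
import base64

SPLITTER = "|'|'|"                                 # from the extracted config
C2 = ("5.tcp.eu.ngrok.io", 11024)                  # from the extracted config
VICTIM_ID = "886e4e6cf55be20a7d674097273f111d"     # mutex / reg_key / dropped file name
CAMPAIGN = "HacKed"                                # botnet / campaign ID


def frame(payload: bytes) -> bytes:
    """Wrap one message in the assumed length-prefixed frame."""
    return str(len(payload)).encode() + b"\x00" + payload


def unframe(stream: bytes) -> tuple[list[bytes], bytes]:
    """Split a TCP byte stream into complete messages.

    Returns (messages, unconsumed tail); a truncated final frame is left in the
    tail so the caller can append more data and retry.
    """
    msgs, i = [], 0
    while i < len(stream):
        nul = stream.find(b"\x00", i)
        if nul == -1 or not stream[i:nul].isdigit():
            break                                   # no complete length prefix, or garbage
        length, start = int(stream[i:nul]), nul + 1
        if start + length > len(stream):
            break                                   # message still in flight
        msgs.append(stream[start:start + length])
        i = start + length
    return msgs, stream[i:]


def split_fields(msg: bytes) -> list[str]:
    """Split a message payload on the configured splitter."""
    return msg.decode("utf-8", errors="replace").split(SPLITTER)


def build_beacon(hostname: str, user: str, os_name: str, window_title: str) -> bytes:
    """Construct a registration ("ll") beacon; field order is this example's assumption."""
    fields = ["ll", f"{CAMPAIGN}_{VICTIM_ID}", hostname, user, "24-04-19", "",
              os_name, "No", "im523", "..",
              base64.b64encode(window_title.encode()).decode()]  # active window title
    return SPLITTER.join(fields).encode()


def looks_like_njrat(msg: bytes) -> bool:
    """Heuristic: registration message carrying the version string and victim ID."""
    f = split_fields(msg)
    return f[0] == "ll" and "im523" in f and any(VICTIM_ID in x for x in f)


if __name__ == "__main__":
    stream = frame(build_beacon("DESKTOP-PC", "Admin", "Win 7 Professional SP1 x64", "Program Manager"))
    stream += frame(b"inf")                          # a second, short message on the same stream
    stream += b"12\x00partial"                       # a third frame cut off mid-flight
    msgs, tail = unframe(stream)
    for m in msgs:
        print(split_fields(m), looks_like_njrat(m))
    print("unconsumed:", tail, "destined for", C2)
```

Run it as a script to see the beacon fields and the unconsumed tail; feed real pcap payloads to `unframe` in place of the constructed stream, with the splitter taken from the extracted config rather than hard-coded, to apply it to other njRAT builds.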
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
  PID 2524  netsh.exe

Drops startup file (2 IoCs)
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\886e4e6cf55be20a7d674097273f111d.exe  (ESET Service.exe)
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\886e4e6cf55be20a7d674097273f111d.exe  (ESET Service.exe)

Executes dropped EXE (1 IoC)
  PID 2516  ESET Service.exe

Loads dropped DLL (1 IoC)
  PID 3012  6f3d6bf9ee09bd4cd6af117cca33965c33b99a7380d8de14450b7d4a3cd499b8.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\886e4e6cf55be20a7d674097273f111d = "\"C:\\Users\\Admin\\AppData\\Roaming\\ESET Service.exe\" .."  (ESET Service.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\886e4e6cf55be20a7d674097273f111d = "\"C:\\Users\\Admin\\AppData\\Roaming\\ESET Service.exe\" .."  (ESET Service.exe)

The trailing " .." after the quoted path is a long-standing njRAT trait and is a useful pivot for hunting Run values. The HKLM write lands under Wow6432Node because the bot is a 32-bit process on x64; writing there requires administrative rights, so on a standard user account only the HKCU entry would succeed.
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  flow 2   5.tcp.eu.ngrok.io
  flow 22  5.tcp.eu.ngrok.io
  flow 39  5.tcp.eu.ngrok.io

Drops autorun.inf file (1 TTP, 5 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
  File created                  C:\autorun.inf  (ESET Service.exe)
  File opened for modification  C:\autorun.inf  (ESET Service.exe)
  File created                  D:\autorun.inf  (ESET Service.exe)
  File created                  F:\autorun.inf  (ESET Service.exe)
  File opened for modification  F:\autorun.inf  (ESET Service.exe)

Windows 7 and later ignore autorun.inf on removable (non-optical) drives by default, so this spreading path mainly matters for older hosts; the files on the drive roots are still a good on-disk indicator.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill (1 IoC)
  PID 2720  taskkill.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2516  ESET Service.exe  (64 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2516  ESET Service.exe
Suspicious use of AdjustPrivilegeToken (36 IoCs)
  Token: SeDebugPrivilege            PID 2516  ESET Service.exe
  Token: SeDebugPrivilege            PID 2720  taskkill.exe
  Token: 33                          PID 2516  ESET Service.exe  (17 occurrences; privilege LUID 33 is SeIncreaseWorkingSetPrivilege)
  Token: SeIncBasePriorityPrivilege  PID 2516  ESET Service.exe  (17 occurrences, each paired with the Token: 33 entry above)
Suspicious use of WriteProcessMemory (12 IoCs)
  PID 3012 (6f3d6bf9ee09bd4cd6af117cca33965c33b99a7380d8de14450b7d4a3cd499b8.exe) wrote to memory of PID 2516 (ESET Service.exe), 4 times  (procid_target 28)
  PID 2516 (ESET Service.exe) wrote to memory of PID 2524 (netsh.exe), 4 times  (procid_target 29)
  PID 2516 (ESET Service.exe) wrote to memory of PID 2720 (taskkill.exe), 4 times  (procid_target 31)

Every write here is from a parent into a child it spawned (see the process tree below); nothing in this run shows a write into an unrelated process.
Processes

1  C:\Users\Admin\AppData\Local\Temp\6f3d6bf9ee09bd4cd6af117cca33965c33b99a7380d8de14450b7d4a3cd499b8.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\6f3d6bf9ee09bd4cd6af117cca33965c33b99a7380d8de14450b7d4a3cd499b8.exe"
   PID 3012
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2  C:\Users\Admin\AppData\Roaming\ESET Service.exe
      command line: "C:\Users\Admin\AppData\Roaming\ESET Service.exe"
      PID 2516
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops autorun.inf file
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3  C:\Windows\SysWOW64\netsh.exe
         command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\ESET Service.exe" "ESET Service.exe" ENABLE
         PID 2524
         - Modifies Windows Firewall

      3  C:\Windows\SysWOW64\taskkill.exe
         command line: taskkill /F /IM taskmgr.exe
         PID 2720
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken

The dropped file name mimics an ESET antivirus component, but no ESET product installs into a user's Roaming profile; a signed-binary check on that path would fail. The legacy "netsh firewall" context is deprecated in favour of "netsh advfirewall" but still works on Windows 7, which is why the exception succeeds here.
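The process tree and signatures above describe a small, repeatable chain: a firewall exception for a binary in the Roaming profile, a forced kill of Task Manager, a Run value ending in " ..", a copy dropped into the Startup folder, and autorun.inf on drive roots. The following is an added example, not part of the Triage report: detection logic for those five behaviours, run over a set of Sysmon-style event records. The event records are written by hand from the report's IoCs (plus one benign control that must not fire) and are not a real log capture; the rule names, the `Event` record layout and the scoring threshold are this example's own choices.

```python
"""
Added example (not from the report): detection rules for the behaviours the
signatures above record, evaluated over constructed Sysmon-style events.
Event fields and rule names are this example's own; the sample events are
hand-written from the report's IoCs, not a captured log.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str              # "process", "registry" or "file"
    image: str             # image path of the acting process
    cmdline: str = ""      # process command line (process events)
    target: str = ""       # registry value path or file path (registry/file events)
    details: str = ""      # registry data written (registry events)


# Run key under HKCU, or HKLM including the Wow6432Node path a 32-bit process gets redirected to
RUN_KEY_RE = re.compile(r"\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
ROAMING_RE = re.compile(r"\\AppData\\Roaming\\", re.I)
AUTORUN_RE = re.compile(r"^[A-Z]:\\autorun\.inf$", re.I)


def rule_firewall_exception(e: Event) -> bool:
    """netsh adding an allowed program that lives in the user's Roaming profile."""
    return bool(e.kind == "process" and e.image.lower().endswith("\\netsh.exe")
                and re.search(r"\bfirewall\b.*\badd\b.*\ballowedprogram\b", e.cmdline, re.I)
                and ROAMING_RE.search(e.cmdline))


def rule_kill_taskmgr(e: Event) -> bool:
    """taskkill forcing Task Manager to exit."""
    return bool(e.kind == "process" and e.image.lower().endswith("\\taskkill.exe")
                and re.search(r"/IM\s+taskmgr\.exe", e.cmdline, re.I))


def rule_njrat_run_key(e: Event) -> bool:
    """Run value whose data is a quoted path followed by ' ..' (njRAT's hallmark)."""
    return bool(e.kind == "registry" and RUN_KEY_RE.search(e.target)
                and e.details.rstrip().endswith('" ..'))


def rule_startup_drop(e: Event) -> bool:
    """An executable written into the Startup folder by a process running from Roaming."""
    return bool(e.kind == "file" and STARTUP_RE.search(e.target)
                and e.target.lower().endswith(".exe") and ROAMING_RE.search(e.image))


def rule_autorun_inf(e: Event) -> bool:
    """autorun.inf created at the root of any drive."""
    return e.kind == "file" and AUTORUN_RE.match(e.target) is not None


RULES = {
    "firewall_exception": rule_firewall_exception,
    "kill_taskmgr": rule_kill_taskmgr,
    "njrat_run_key": rule_njrat_run_key,
    "startup_drop": rule_startup_drop,
    "autorun_inf": rule_autorun_inf,
}


def evaluate(events: list[Event]) -> dict[str, list[int]]:
    """Return {rule name: [indexes of matching events]} for every rule that fired."""
    hits: dict[str, list[int]] = {}
    for i, e in enumerate(events):
        for name, rule in RULES.items():
            if rule(e):
                hits.setdefault(name, []).append(i)
    return hits


def verdict(hits: dict[str, list[int]], threshold: int = 3) -> str:
    """Any single rule is weak evidence; several together are the njRAT pattern."""
    return "njrat-like" if len(hits) >= threshold else "inconclusive"


# Constructed events mirroring the report (indexes 0..5) plus a benign control (index 6).
BOT = r"C:\Users\Admin\AppData\Roaming\ESET Service.exe"
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\SysWOW64\netsh.exe",
          cmdline=r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\ESET Service.exe" "ESET Service.exe" ENABLE'),
    Event("process", r"C:\Windows\SysWOW64\taskkill.exe", cmdline=r"taskkill /F /IM taskmgr.exe"),
    Event("registry", BOT, target=r"\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\886e4e6cf55be20a7d674097273f111d",
          details=r'"C:\Users\Admin\AppData\Roaming\ESET Service.exe" ..'),
    Event("registry", BOT, target=r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\886e4e6cf55be20a7d674097273f111d",
          details=r'"C:\Users\Admin\AppData\Roaming\ESET Service.exe" ..'),
    Event("file", BOT, target=r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\886e4e6cf55be20a7d674097273f111d.exe"),
    Event("file", BOT, target=r"D:\autorun.inf"),
    Event("process", r"C:\Windows\System32\netsh.exe",   # benign control: exception for Program Files
          cmdline=r'netsh firewall add allowedprogram "C:\Program Files\Example\example.exe" "Example" ENABLE'),
]

if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    for name, idx in hits.items():
        print(f"{name:20s} matched events {idx}")
    print("verdict:", verdict(hits))
```

The firewall rule is scoped to paths under AppData\Roaming on purpose: an installer adding an exception for a program under Program Files is routine, and the benign control event shows it does not fire. Map the `Event` fields onto Sysmon event IDs 1, 11 and 13 (or the equivalent EDR telemetry) to run the same rules on real data.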
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (T1547): Registry Run Keys / Startup Folder (T1547.001)  1
  Create or Modify System Process (T1543): Windows Service (T1543.003)  1

Privilege Escalation
  Boot or Logon Autostart Execution (T1547): Registry Run Keys / Startup Folder (T1547.001)  1
  Create or Modify System Process (T1543): Windows Service (T1543.003)  1
Downloads

Filesize: 37KB
MD5: 871722db5b9b702357b675e48e491193
SHA1: ec5cf5b57414fa8253a842bb06fc6822b85e399d
SHA256: 6f3d6bf9ee09bd4cd6af117cca33965c33b99a7380d8de14450b7d4a3cd499b8
SHA512: 9757a9bfc13b23a30590dfc145f837c22fffad56f1c47ca7354ddded78c8afc2418b0a5ce0f0add6aaf59354355577141a1b05115b8faf5d978445570a58b478