Analysis
max time kernel: 146s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-05-2024 19:05

Static task: static1
1 signatures

Behavioral task: behavioral1
Sample: 187c8bf04459e99a197ea104f1a7df46130f99dad500fa8da827e73fff5e5a8a.exe
Resource: win7-20240215-en
4 signatures
150 seconds
General
Target: 187c8bf04459e99a197ea104f1a7df46130f99dad500fa8da827e73fff5e5a8a.exe
Size: 232KB
MD5: a1bcab7fd0b0cf0ff951fb7e2cd7d904
SHA1: 3dd8f8ab5e889f496c6795b5a145018ea72b3006
SHA256: 187c8bf04459e99a197ea104f1a7df46130f99dad500fa8da827e73fff5e5a8a
SHA512: d89fa4a42bab51501d7f52ea72dc1fc9b9049707808fcffe55abdafd706dab3f97254e15cefff9e2bdcea756f4c2fa44decce58b8fe0b3891b166fea7b3d23da
SSDEEP: 6144:6PLuOE2FcpKZbo5xzGxuCuQM+O2pfLuVTGlx:qLi2FcpKe5xzGxuCzZpf
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: H4ck3d
C2: afr0j4ck.ddns.net:7000
Mutex: a11b2f32a00452092d12171e04c83a72
Attributes:
- reg_key: a11b2f32a00452092d12171e04c83a72
- splitter: |'|'|
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
Processes:
pid process
1488 netsh.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes:
description pid process
Token: SeDebugPrivilege 2328 187c8bf04459e99a197ea104f1a7df46130f99dad500fa8da827e73fff5e5a8a.exe
The remaining 34 entries alternate between the following two, all for PID 2328:
Token: 33 2328 187c8bf04459e99a197ea104f1a7df46130f99dad500fa8da827e73fff5e5a8a.exe
Token: SeIncBasePriorityPrivilege 2328 187c8bf04459e99a197ea104f1a7df46130f99dad500fa8da827e73fff5e5a8a.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
Processes:
description pid process target process
PID 2328 wrote to memory of 1488 2328 187c8bf04459e99a197ea104f1a7df46130f99dad500fa8da827e73fff5e5a8a.exe netsh.exe
PID 2328 wrote to memory of 1488 2328 187c8bf04459e99a197ea104f1a7df46130f99dad500fa8da827e73fff5e5a8a.exe netsh.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\187c8bf04459e99a197ea104f1a7df46130f99dad500fa8da827e73fff5e5a8a.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\187c8bf04459e99a197ea104f1a7df46130f99dad500fa8da827e73fff5e5a8a.exe"
PID: 2328
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

2. C:\Windows\SYSTEM32\netsh.exe (child of PID 2328)
Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\187c8bf04459e99a197ea104f1a7df46130f99dad500fa8da827e73fff5e5a8a.exe" "187c8bf04459e99a197ea104f1a7df46130f99dad500fa8da827e73fff5e5a8a.exe" ENABLE
PID: 1488
- Modifies Windows Firewall