Analysis
- max time kernel: 30s
- max time network: 26s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 30-05-2024 13:44
General
- Target: 555555555555555555555555555.exe
- Size: 31KB
- MD5: fe6f894736afcbaaa70712986819dd63
- SHA1: 420b0ef62191359231cf5e07c24fa2774e8ae121
- SHA256: 48bc9497ff9b6e89c49c58196375fea257d99fbff312a449ad9cd0d25e16a311
- SHA512: 9e8ee88d0f27d6c220a296935158735d1a540c0510332d0a294709cde1c2b2161e9109232350e6933d1096b42af4a24d842a59545e92c6d43448e863c3c53f6a
- SSDEEP: 768:JrMXBwpJbb2zxxO5gaqn5isfvy4QmIDUu0tikqj:+kKJisLQVkGj
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- 1
- C2: talkh.ddns.net:4444
- cf4d648acaef80f615dcce168ffc92e1
- reg_key: cf4d648acaef80f615dcce168ffc92e1
- splitter: Y262SUCZ4UJJ
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  Processes:
    pid 2724  netsh.exe
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 5104  WindowsServices.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege            5104  WindowsServices.exe
    Token: 33                          5104  WindowsServices.exe
    Token: SeIncBasePriorityPrivilege  5104  WindowsServices.exe
    Token: 33                          5104  WindowsServices.exe
    Token: SeIncBasePriorityPrivilege  5104  WindowsServices.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
    PID 4180 wrote to memory of 5104  4180  555555555555555555555555555.exe  WindowsServices.exe
    PID 4180 wrote to memory of 5104  4180  555555555555555555555555555.exe  WindowsServices.exe
    PID 4180 wrote to memory of 5104  4180  555555555555555555555555555.exe  WindowsServices.exe
    PID 5104 wrote to memory of 2724  5104  WindowsServices.exe  netsh.exe
    PID 5104 wrote to memory of 2724  5104  WindowsServices.exe  netsh.exe
    PID 5104 wrote to memory of 2724  5104  WindowsServices.exe  netsh.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\555555555555555555555555555.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\555555555555555555555555555.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\WindowsServices.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Roaming\WindowsServices.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (child of 2)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\WindowsServices.exe" "WindowsServices.exe" ENABLE
         - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\WindowsServices.exe
  Filesize: 31KB
  MD5: fe6f894736afcbaaa70712986819dd63
  SHA1: 420b0ef62191359231cf5e07c24fa2774e8ae121
  SHA256: 48bc9497ff9b6e89c49c58196375fea257d99fbff312a449ad9cd0d25e16a311
  SHA512: 9e8ee88d0f27d6c220a296935158735d1a540c0510332d0a294709cde1c2b2161e9109232350e6933d1096b42af4a24d842a59545e92c6d43448e863c3c53f6a
- memory/4180-0-0x0000000073EA1000-0x0000000073EA2000-memory.dmp
  Filesize: 4KB
- memory/4180-1-0x0000000073EA0000-0x0000000074450000-memory.dmp
  Filesize: 5.7MB
- memory/4180-2-0x0000000073EA0000-0x0000000074450000-memory.dmp
  Filesize: 5.7MB
- memory/4180-9-0x0000000073EA0000-0x0000000074450000-memory.dmp
  Filesize: 5.7MB
- memory/5104-10-0x0000000073EA0000-0x0000000074450000-memory.dmp
  Filesize: 5.7MB
- memory/5104-12-0x0000000073EA0000-0x0000000074450000-memory.dmp
  Filesize: 5.7MB
- memory/5104-11-0x0000000073EA0000-0x0000000074450000-memory.dmp
  Filesize: 5.7MB
- memory/5104-13-0x0000000073EA0000-0x0000000074450000-memory.dmp
  Filesize: 5.7MB