Analysis
max time kernel: 148s
max time network: 140s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 30-05-2024 13:59
Behavioral task: behavioral1
Sample: 48bc9497ff9b6e89c49c58196375fea257d99fbff312a449ad9cd0d25e16a311.exe
Resource: win7-20240419-en
General
Target: 48bc9497ff9b6e89c49c58196375fea257d99fbff312a449ad9cd0d25e16a311.exe
Size: 31KB
MD5: fe6f894736afcbaaa70712986819dd63
SHA1: 420b0ef62191359231cf5e07c24fa2774e8ae121
SHA256: 48bc9497ff9b6e89c49c58196375fea257d99fbff312a449ad9cd0d25e16a311
SHA512: 9e8ee88d0f27d6c220a296935158735d1a540c0510332d0a294709cde1c2b2161e9109232350e6933d1096b42af4a24d842a59545e92c6d43448e863c3c53f6a
SSDEEP: 768:JrMXBwpJbb2zxxO5gaqn5isfvy4QmIDUu0tikqj:+kKJisLQVkGj
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: 1
C2: talkh.ddns.net:4444
Mutex: cf4d648acaef80f615dcce168ffc92e1
Attributes:
- reg_key: cf4d648acaef80f615dcce168ffc92e1
- splitter: Y262SUCZ4UJJ
The mutex and reg_key share one value: njRAT builds use a single per-build identifier for both. The splitter is the field delimiter the client puts between tokens in every C2 message, so it is the one build-specific string worth carrying into a network signature for this sample, alongside the dynamic-DNS host and port.
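The splitter and C2 port above only become useful once you can read the traffic. The following decoder is an added example written for this page, not code from the report or from the sandbox vendor. It reassembles njRAT 0.7d frames from a TCP byte stream (ASCII decimal length, one 0x00 byte, then the payload) and splits each payload on the configured splitter. The traffic it decodes is constructed: only the splitter, the campaign id "1" and the version string "0.7d" come from the report; the victim id, host name, user and the assumed field order of the "ll" registration beacon are illustrative.

```python
"""Reassemble and split njRAT 0.7d frames from a TCP byte stream.

Wire format (client <-> C2): ASCII decimal payload length, a single 0x00 byte,
then that many payload bytes. Inside a payload, the command and its fields are
separated by the per-build splitter string; this build uses Y262SUCZ4UJJ.
"""
from dataclasses import dataclass

SPLITTER = "Y262SUCZ4UJJ"  # extracted config value from this report


@dataclass
class Frame:
    command: str
    fields: list


class NjratStream:
    """Stateful decoder: feed() accepts arbitrary TCP segments and returns every
    complete frame; a partial frame stays buffered until the rest arrives."""

    def __init__(self, splitter: str = SPLITTER, max_len: int = 1 << 20):
        self.splitter = splitter.encode()
        self.max_len = max_len
        self.buf = b""

    def feed(self, data: bytes) -> list:
        self.buf += data
        frames = []
        while self.buf:
            nul = self.buf.find(b"\x00")
            if nul == -1:
                # A length prefix for a frame up to max_len needs at most 7
                # digits; more bytes without a NUL means this is not njRAT.
                if len(self.buf) > 7:
                    raise ValueError("no length terminator: not njRAT framing")
                break
            prefix = self.buf[:nul]
            if not prefix.isdigit():
                raise ValueError(f"non-numeric length prefix {prefix!r}")
            length = int(prefix)
            if length > self.max_len:
                raise ValueError(f"implausible frame length {length}")
            end = nul + 1 + length
            if len(self.buf) < end:
                break  # partial frame: wait for the next segment
            payload, self.buf = self.buf[nul + 1:end], self.buf[end:]
            frames.append(self._split(payload))
        return frames

    def _split(self, payload: bytes) -> Frame:
        parts = payload.split(self.splitter)
        dec = lambda b: b.decode("utf-8", "replace")
        return Frame(command=dec(parts[0]), fields=[dec(p) for p in parts[1:]])


def build_frame(command: str, fields, splitter: str = SPLITTER) -> bytes:
    """Encode one frame the way the client does (used here to build test data)."""
    payload = splitter.encode().join(s.encode() for s in [command, *fields])
    return str(len(payload)).encode() + b"\x00" + payload


# Constructed traffic for demonstration. Field values are invented; the assumed
# layout of the "ll" beacon (victim id "<campaign>_<hwid>", campaign, host,
# user, ...) is the common one but is not taken from this report.
SAMPLE_STREAM = (
    build_frame("ll", ["1_A1B2C3D4", "1", "LAB-PC", "Admin", "24-05-30", "",
                       "Win 7 Ultimate SP1", "No", "0.7d", "..", "explorer"])
    + build_frame("P", [])    # keep-alive
    + build_frame("inf", [])  # information request (hypothetical server message)
)


def decode_stream(data: bytes, segment_size: int) -> list:
    """Decode a whole capture delivered in segment_size-byte TCP segments."""
    dec, frames = NjratStream(), []
    for i in range(0, len(data), segment_size):
        frames.extend(dec.feed(data[i:i + segment_size]))
    return frames


if __name__ == "__main__":
    for f in decode_stream(SAMPLE_STREAM, 5):
        print(f.command, f.fields)
```

Feeding the same capture in 1-byte, 5-byte or whole-capture segments must yield identical frames; that equivalence is the property to check before pointing the decoder at real pcaps, where frames routinely straddle segment boundaries. Payloads can contain 0x00 bytes (screenshots, file transfers), which is why the decoder only searches for the terminator at the start of the buffer and never inside a payload it has already sized.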
Signatures
Modifies Windows Firewall (2 TTPs, 1 IoC)
- netsh.exe, PID 2612
Executes dropped EXE (1 IoC)
- WindowsServices.exe, PID 3048
Loads dropped DLL (1 IoC)
- 48bc9497ff9b6e89c49c58196375fea257d99fbff312a449ad9cd0d25e16a311.exe, PID 1824
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (35 IoCs)
- WindowsServices.exe, PID 3048: Token: SeDebugPrivilege (1), Token: 33 (17), Token: SeIncBasePriorityPrivilege (17), the latter two alternating in pairs
Suspicious use of WriteProcessMemory (8 IoCs)
- PID 1824 (48bc9497ff9b6e89c49c58196375fea257d99fbff312a449ad9cd0d25e16a311.exe) wrote to memory of PID 3048 (WindowsServices.exe), 4 times
- PID 3048 (WindowsServices.exe) wrote to memory of PID 2612 (netsh.exe), 4 times
In both cases the target is the process the writer has just spawned (see the process tree), which is consistent with the writes a parent performs while setting up a new child and not with injection into an unrelated process. The SeDebugPrivilege request by the dropped copy is the more interesting token event.
Processes
1. C:\Users\Admin\AppData\Local\Temp\48bc9497ff9b6e89c49c58196375fea257d99fbff312a449ad9cd0d25e16a311.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\48bc9497ff9b6e89c49c58196375fea257d99fbff312a449ad9cd0d25e16a311.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\WindowsServices.exe
      command line: "C:\Users\Admin\AppData\Roaming\WindowsServices.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\WindowsServices.exe" "WindowsServices.exe" ENABLE
         - Modifies Windows Firewall
The chain is the standard njRAT install: the original drops a copy of itself as WindowsServices.exe under %AppData%\Roaming, runs it, and the copy exempts itself from Windows Firewall by name and path using the legacy netsh firewall context (deprecated in favour of netsh advfirewall but still accepted here). netsh.exe runs from SysWOW64, the 32-bit copy, consistent with an x86 parent process on this x64 image.
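The netsh call at the bottom of that tree is the most reusable detection opportunity on this page: a process adding a firewall exception for a binary in a user-writable directory, and for itself. Below is an added detection example written for this page (not from the report or the sandbox vendor) that evaluates process-creation events carrying the fields Sysmon Event ID 1 and Security 4688 provide. The events are constructed: the first mirrors the netsh invocation in this report, the other two are benign controls with invented paths and names.

```python
"""Flag netsh firewall exceptions that whitelist a program in a user-writable
path, or that a process adds for itself, from process-creation events."""
import re

# Legacy context (the syntax this sample uses) and the advfirewall context that
# replaced it. The program path may be quoted or bare and may carry "program=".
LEGACY_RE = re.compile(
    r'\bnetsh(?:\.exe)?"?\s+firewall\s+(?:add|set)\s+allowedprogram\s+'
    r'(?:program=)?(?:"([^"]+)"|(\S+))', re.IGNORECASE)
ADVFW_RE = re.compile(
    r'\bnetsh(?:\.exe)?"?\s+advfirewall\s+firewall\s+add\s+rule\b.*?'
    r'\bprogram=(?:"([^"]+)"|(\S+))', re.IGNORECASE)

# Directory markers an unprivileged user can write to (lower-case, with the
# surrounding separators so "\temp\" does not match "\template\").
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\downloads\\")


def allowed_program(cmdline: str):
    """Return the program path a netsh command exempts from the firewall, or None."""
    for rx in (LEGACY_RE, ADVFW_RE):
        m = rx.search(cmdline)
        if m:
            return m.group(1) or m.group(2)
    return None


def in_user_writable_path(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def evaluate(event: dict) -> list:
    """Return the reasons (possibly none) this event should raise an alert."""
    path = allowed_program(event.get("cmdline", ""))
    if path is None:
        return []
    reasons = []
    if in_user_writable_path(path):
        reasons.append("firewall exception for a program in a user-writable path")
    if path.lower() == event.get("parent_image", "").lower():
        reasons.append("process is whitelisting itself (parent image == allowed program)")
    return reasons


def scan(events) -> list:
    """Return (pid, reasons) for every event that triggers at least one reason."""
    hits = []
    for e in events:
        reasons = evaluate(e)
        if reasons:
            hits.append((e["pid"], reasons))
    return hits


# Constructed events. EVENTS[0] reproduces the netsh call from this report; the
# other two are invented benign activity for contrast.
EVENTS = [
    {"pid": 2612, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "parent_image": r"C:\Users\Admin\AppData\Roaming\WindowsServices.exe",
     "cmdline": 'netsh firewall add allowedprogram '
                '"C:\\Users\\Admin\\AppData\\Roaming\\WindowsServices.exe" '
                '"WindowsServices.exe" ENABLE'},
    {"pid": 4100, "image": r"C:\Windows\System32\netsh.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="Contoso Sync" '
                'dir=in action=allow program="C:\\Program Files\\Contoso\\sync.exe"'},
    {"pid": 4200, "image": r"C:\Windows\System32\netsh.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "netsh interface ip show config"},
]

if __name__ == "__main__":
    for pid, reasons in scan(EVENTS):
        print(pid, "; ".join(reasons))
```

The installer-style rule in the second event is left alone on purpose: firewall exceptions for programs under Program Files added by an installer are routine, and a rule that fires on every netsh firewall change will be tuned out within a week. The two conditions that do fire here, user-writable path and self-whitelisting, are both true of the sample's behaviour and rarely true of legitimate software.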
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
Dropped file: \Users\Admin\AppData\Roaming\WindowsServices.exe
Filesize: 31KB
MD5: fe6f894736afcbaaa70712986819dd63
SHA1: 420b0ef62191359231cf5e07c24fa2774e8ae121
SHA256: 48bc9497ff9b6e89c49c58196375fea257d99fbff312a449ad9cd0d25e16a311
SHA512: 9e8ee88d0f27d6c220a296935158735d1a540c0510332d0a294709cde1c2b2161e9109232350e6933d1096b42af4a24d842a59545e92c6d43448e863c3c53f6a
Every hash matches the submitted sample: the dropped file is a byte-identical copy of the original, so one file hash covers both the initial stage and the installed copy when building blocklists.
Memory dumps:
- memory/1824-0: 0x0000000074281000-0x0000000074282000, 4KB
- memory/1824-1: 0x0000000074280000-0x000000007482B000, 5.7MB
- memory/1824-2: 0x0000000074280000-0x000000007482B000, 5.7MB
- memory/1824-11: 0x0000000074280000-0x000000007482B000, 5.7MB
- memory/3048-10: 0x0000000074280000-0x000000007482B000, 5.7MB
- memory/3048-12: 0x0000000074280000-0x000000007482B000, 5.7MB
The same 5.7MB region is dumped from both the original process (1824) and the dropped copy (3048), as expected for two instances of the same binary loading the same runtime at the same base.