Analysis
Max time kernel: 57s
Max time network: 57s
Platform: windows10-1703_x64
Resource: win10-20240404-en
Resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
Submitted: 19-06-2024 20:34
Behavioral task: behavioral1
Sample: New Client.exe
Resource: win10-20240404-en
General
Target: New Client.exe
Size: 167KB
MD5: 9b54186fd1e37a0a269ddd75f0def04a
SHA1: 9d7a02b97d379d19665ff13118bd94eeaeb149a1
SHA256: 0546b7eecf794f4164e9d5d4a1207a2e4b28b7a6c2fae28884a9ee8149bf2824
SHA512: 96d8fa4573ec0fcf6cb221e113f298922e8f38a1c3800810188f0e751b8ea2bedc5470fb95c2cd1ecb369c5871c59b407180b5970ac4671ea873ccf5dbbdabfe
SSDEEP: 3072:z5qmG/oN36tTQviFCh+BnwfWl9zsaF9bSYvMGUJ8T2SXZyrgoBJtbN/3MCK2kev0:z5329zzvMI/JdSI5eb
Malware Config
Extracted
Family: njrat
Platinum
LOX
C2: 127.0.0.1:12106
Microsoft Edge.exe
reg_key: Microsoft Edge.exe
splitter: |Ghost|
Signatures

Drops startup file (3 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.url (process: Microsoft Edge.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe (process: Microsoft Edge.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe (process: Microsoft Edge.exe)

Executes dropped EXE (1 IoC)
  PID 3664: Microsoft Edge.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Edge.exe = "\"C:\\ProgramData\\Microsoft Edge.exe\" .." (process: Microsoft Edge.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Edge.exe = "\"C:\\ProgramData\\Microsoft Edge.exe\" .." (process: Microsoft Edge.exe)

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 10 IoCs)
  Flows 1, 2, 5, 6, 7, 8, 9, 10, 11, 12: pastebin.com

Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\rescache\_merged\1601268389\715946058.pri (process: taskmgr.exe)
  File created: C:\Windows\rescache\_merged\4183903823\2290032291.pri (process: taskmgr.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 (process: taskmgr.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (process: taskmgr.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (process: taskmgr.exe)

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 952: taskmgr.exe (4 events)

Suspicious use of AdjustPrivilegeToken (16 IoCs)
  PID 3664 Microsoft Edge.exe: Token SeDebugPrivilege (1 event), Token 33 (5 events), Token SeIncBasePriorityPrivilege (5 events)
  PID 952 taskmgr.exe: Token SeDebugPrivilege, Token SeSystemProfilePrivilege, Token SeCreateGlobalPrivilege, Token 33, Token SeIncBasePriorityPrivilege (1 event each)

Suspicious use of FindShellTrayWindow (30 IoCs)
  PID 952: taskmgr.exe (30 events)

Suspicious use of SendNotifyMessage (30 IoCs)
  PID 952: taskmgr.exe (30 events)

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 5028 (New Client.exe) wrote to memory of PID 3664 (procid_target 74), 3 events
  PID 5028 (New Client.exe) wrote to memory of PID 4536 (procid_target 75), 3 events
  PID 4536 (cmd.exe) wrote to memory of PID 4200 (procid_target 77), 3 events
Processes

[1] C:\Users\Admin\AppData\Local\Temp\New Client.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
    PID: 5028
    - Suspicious use of WriteProcessMemory

    [2] C:\ProgramData\Microsoft Edge.exe
        Command line: "C:\ProgramData\Microsoft Edge.exe"
        PID: 3664
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
        PID: 4536
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\choice.exe
            Command line: choice /C Y /N /D Y /T 5
            PID: 4200

[1] C:\Windows\system32\taskmgr.exe
    Command line: "C:\Windows\system32\taskmgr.exe" /4
    PID: 952
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15