Analysis
- max time kernel: 125s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-06-2024 10:01
- Static task: static1
General
- Target: crypted rat.exe
- Size: 110KB
- MD5: c5095088e4ce78d1a90224a2c769e196
- SHA1: 0dce6ff26e150acd9dd9b9838068011c71b90a3b
- SHA256: 286fd81b6bae4e132cbad308423e3b2b064ea4e8b4ea970c5c1fe31a156c5b1e
- SHA512: 954cceb8006bcd76f03ec7781898a318b7bbcf447501bfbfd7c5902e1a4945df7edcc1b2c3c7a0d19648b28384e87fc47995dceb481fccf4683c07a66a1411c4
- SSDEEP: 3072:abnaOa/AhYN7ofWE9kI93IcakRGEV8IbEWOEx:azssY1ofj9593JRb5xb
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet: Debil
- C2: hakim32.ddns.net:2000
- C2: lake-french.gl.at.ply.gg:33694
- Mutex: 5d215efb685d488d29cc52d66504493b
- reg_key: 5d215efb685d488d29cc52d66504493b
- splitter: |'|'|
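The splitter value above is the field delimiter njRAT puts between the fields of every message it exchanges with its controller. The Python below is an added example, not part of this Triage report and not code from the njRAT project; it carves frames and fields out of a byte stream using the extracted splitter. It assumes the 0.7d framing (decimal payload length, a NUL byte, then the payload), treats `ll` as the registration beacon, and builds its own sample traffic in `build_sample_stream()`; that traffic is constructed for the example, not captured from this run, and the order of fields after the command token is illustrative only.

```python
"""
Added example (not part of the Triage report): decode njRAT-style C2 traffic
using the splitter extracted from this sample's config.

Assumptions:
  * njRAT 0.7d frames each message as <decimal length> NUL <payload>, where the
    length counts payload bytes; several frames may arrive in one TCP segment.
  * Fields inside a payload are separated by the configured splitter, |'|'|.
  * "ll" is the registration beacon; other command tokens below are placeholders.
  * All traffic here is constructed for the example, not a capture.
"""
import base64

SPLITTER = "|'|'|"   # value from the extracted config


def split_frames(stream: bytes) -> list[bytes]:
    """Return every complete <len>\\0<payload> frame in the stream.

    A trailing partial frame is left unconsumed (a real parser would buffer it).
    A non-numeric length prefix raises ValueError so that non-njRAT data is
    reported instead of being silently mis-parsed.
    """
    frames = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break                                   # incomplete length prefix
        length_text = stream[pos:nul]
        if not length_text.isdigit():
            raise ValueError(f"bad length prefix at offset {pos}: {length_text!r}")
        start, end = nul + 1, nul + 1 + int(length_text)
        if end > len(stream):
            break                                   # partial payload, wait for more
        frames.append(stream[start:end])
        pos = end
    return frames


def parse_payload(payload: bytes) -> dict:
    """Split one payload on the splitter.

    The first field is the command token. Later fields are base64-decoded when
    they decode cleanly to UTF-8 (njRAT base64-encodes free-text values such as
    the victim id); anything else is kept verbatim.
    """
    fields = payload.decode("latin-1").split(SPLITTER)
    decoded = []
    for f in fields[1:]:
        try:
            decoded.append(base64.b64decode(f, validate=True).decode("utf-8"))
        except ValueError:                          # binascii.Error is a ValueError
            decoded.append(f)
    return {"command": fields[0], "fields": decoded}


def decode_stream(stream: bytes) -> list[dict]:
    return [parse_payload(f) for f in split_frames(stream)]


def build_frame(payload: str) -> bytes:
    raw = payload.encode("latin-1")
    return str(len(raw)).encode("ascii") + b"\x00" + raw


def build_sample_stream() -> bytes:
    """Constructed traffic: a registration beacon, a placeholder keepalive,
    and a truncated frame that claims 40 bytes but carries only 2."""
    victim = base64.b64encode(b"Debil_0A1B2C3D").decode("ascii")  # campaign_volumeserial
    beacon = SPLITTER.join(["ll", victim, "DESKTOP-TEST", "Admin", "0.7d"])
    keepalive = "P"                                  # placeholder command token
    return build_frame(beacon) + build_frame(keepalive) + b"40\x00ll"


if __name__ == "__main__":
    for msg in decode_stream(build_sample_stream()):
        print(msg)
```

Pointing `decode_stream()` at a TCP reassembly of port 2000 or 33694 traffic to the two C2 hosts listed above is enough to recover the beacon fields; the splitter is also the string to key a network signature on, since it does not change between builds of the same version.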
Signatures
- Executes dropped EXE (1 IoC)
  PID 2576  server.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 628 (crypted rat.exe) set thread context of PID 3708 (RegSvcs.exe)
- Drops file in Windows directory (1 IoC)
  File created: C:\Windows\server.exe, by RegSvcs.exe (PID 3708)
- Suspicious use of WriteProcessMemory (10 IoCs)
  PID 628 (crypted rat.exe) wrote to memory of PID 3708 (RegSvcs.exe): 7 events
  PID 3708 (RegSvcs.exe) wrote to memory of PID 2576 (server.exe): 3 events

The order of these events (spawn RegSvcs.exe, a signed .NET framework utility, with no arguments; write to it seven times; then SetThreadContext) is consistent with process hollowing / RunPE: the "crypted" loader unpacks the njRAT payload into RegSvcs.exe, and that hollowed process then drops and launches C:\Windows\server.exe.
Processes
- C:\Users\Admin\AppData\Local\Temp\crypted rat.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\crypted rat.exe"
  PID: 628
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 3708
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\server.exe
      command line: "C:\Windows\server.exe"
      PID: 2576
      - Executes dropped EXE
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (separate tree, not a child of the sample)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1284,i,1236064252342462940,13180713657498721890,262144 --variations-seed-version --mojo-platform-channel-handle=4076 /prefetch:8
  PID: 1804
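The process tree and signatures above give everything needed for host-side detections: an argument-less RegSvcs.exe spawned from a user-writable directory, an .exe dropped directly into C:\Windows by that process, the dropped file executing, and DNS resolution of the two C2 hosts. The Python below is an added example, not part of the Triage report, that encodes those as rules and runs them over constructed Sysmon-style events. The events are built from the report's PIDs, paths and hosts rather than exported from the sandbox; the `HOLLOW_HOSTS` list, the trusted-directory allowlist and the Run-key location (njRAT 0.7d names its Run value after `reg_key`, but the report lists only the value) are assumptions.

```python
"""
Added example (not part of the Triage report): host detections derived from the
behaviour in the report, run over constructed Sysmon-style events.

Assumptions:
  * Event shapes follow Sysmon (EventID 1 process create, 11 file create,
    13 registry value set, 22 DNS query) but are simplified dictionaries.
  * HOLLOW_HOSTS, TRUSTED_DIRS and the Run-key path are analyst choices, not
    values from the report. The report supplies the PIDs, paths and C2 hosts.
  * SAMPLE_EVENTS is constructed telemetry, not sandbox output.
"""
from pathlib import PureWindowsPath

C2_HOSTS = {"hakim32.ddns.net", "lake-french.gl.at.ply.gg"}   # from the config
REG_KEY = "5d215efb685d488d29cc52d66504493b"                   # from the config
# .NET framework utilities often used as hollowing hosts. Legitimate use passes
# an assembly path on the command line; a hollowed copy usually has none.
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
WINDIR = "c:\\windows\\"


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _args(cmdline: str, image: str) -> str:
    """Return the command line with the (possibly quoted) image path removed."""
    cmd = cmdline.strip()
    for prefix in (f'"{image}"', image):
        if cmd.startswith(prefix):
            return cmd[len(prefix):].strip()
    return cmd


def _directly_in_windir(path: str) -> bool:
    low = path.lower()
    return low.startswith(WINDIR) and "\\" not in low[len(WINDIR):]


def detect(events: list[dict]) -> list[dict]:
    alerts = []
    for ev in events:
        eid, pid = ev["EventID"], ev["ProcessId"]
        if eid == 1:
            image, parent = ev["Image"], ev.get("ParentImage", "")
            # Hollowing host: argument-less .NET utility from an untrusted parent.
            if (_name(image) in HOLLOW_HOSTS
                    and not _args(ev["CommandLine"], image)
                    and not parent.lower().startswith(TRUSTED_DIRS)):
                alerts.append({"rule": "dotnet_utility_hollowing_host",
                               "pid": pid, "parent": parent})
            # Dropped EXE launched from C:\Windows by one of those utilities.
            if _directly_in_windir(image) and _name(parent) in HOLLOW_HOSTS:
                alerts.append({"rule": "dropped_exe_in_windows_dir_executed",
                               "pid": pid, "image": image})
        elif eid == 11:
            target = ev["TargetFilename"]
            if (_directly_in_windir(target) and target.lower().endswith(".exe")
                    and _name(ev["Image"]) in HOLLOW_HOSTS):
                alerts.append({"rule": "exe_dropped_in_windows_dir",
                               "pid": pid, "file": target})
        elif eid == 13:
            obj = ev["TargetObject"]
            if ("\\currentversion\\run\\" in obj.lower()
                    and obj.lower().endswith("\\" + REG_KEY)):
                alerts.append({"rule": "njrat_run_key", "pid": pid, "key": obj})
        elif eid == 22:
            if ev["QueryName"].lower() in C2_HOSTS:
                alerts.append({"rule": "njrat_c2_dns", "pid": pid,
                               "host": ev["QueryName"]})
    return alerts


REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
LOADER = r"C:\Users\Admin\AppData\Local\Temp\crypted rat.exe"

# Constructed from the report's process tree; not exported sandbox telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 628, "Image": LOADER, "CommandLine": f'"{LOADER}"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 3708, "Image": REGSVCS, "CommandLine": f'"{REGSVCS}"',
     "ParentImage": LOADER},
    {"EventID": 11, "ProcessId": 3708, "Image": REGSVCS,
     "TargetFilename": r"C:\Windows\server.exe"},
    {"EventID": 1, "ProcessId": 2576, "Image": r"C:\Windows\server.exe",
     "CommandLine": r'"C:\Windows\server.exe"', "ParentImage": REGSVCS},
    # Assumed persistence location (Run value named after reg_key).
    {"EventID": 13, "ProcessId": 2576, "Image": r"C:\Windows\server.exe",
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" + REG_KEY},
    {"EventID": 22, "ProcessId": 2576, "Image": r"C:\Windows\server.exe",
     "QueryName": "hakim32.ddns.net"},
    # Benign control: an installer registering a component with RegSvcs.exe.
    {"EventID": 1, "ProcessId": 4100, "Image": REGSVCS,
     "CommandLine": f'"{REGSVCS}" "C:\\Program Files\\Vendor\\Service.dll"',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The first two rules are behavioural and catch the next build of this loader even when the hashes and C2 hosts change; the last two are indicator matches tied to this configuration and should be expected to age quickly. The benign control event at the end shows why the hollowing rule keys on an empty argument list rather than on RegSvcs.exe alone.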
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 44KB
  MD5: 9d352bc46709f0cb5ec974633a0c3c94
  SHA1: 1969771b2f022f9a86d77ac4d4d239becdf08d07
  SHA256: 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
  SHA512: 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b