Analysis
max time kernel
150s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted
23-06-2024 00:05
Static task
static1
Behavioral task
behavioral1
Sample
وزنية زاحفههه.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
وزنية زاحفههه.exe
Resource
win10v2004-20240611-en
General
Target
وزنية زاحفههه.exe
Size
8.2MB
MD5
d4ef1c3f94508ff6e738fb6c38e05252
SHA1
33ca3ece9797409707a6c6c7773bb3c4a3e85a4d
SHA256
71b39da7c5a7414f5308daae6f98208d1c1636e69dbaa51d09c8ebc84b180c38
SHA512
a961910facdea67ec2a9cad4ad2f13ba27a085a58c00a7ac40dc2f04b05a7039638e52842185158ff45e93fdf810c0477db09dbab8e0b70b3aa41fdb67a2a8bf
SSDEEP
196608:z3dxfNpGMa42dp0+Qav9NHPZtku5uU689q7wfqIF:z3dRNpGoW0ClNhCuefwfjF
Malware Config
Extracted
Family
njrat
Version
0.7d
Server
127.0.0.1:6522
6eff5e1ac69475e84ad4e71ee67ef805 (field label missing in the report; the value is identical to reg_key)
reg_key
6eff5e1ac69475e84ad4e71ee67ef805
splitter
Y262SUCZ4UJJ
Notes on the config: the server is the loopback address, so this build only ever connects to itself on TCP 6522 and no C2 traffic leaves the host, which matches the empty Network section of the report. reg_key is the 32-hex name reused in the Signatures section as both the Run value name and the Startup-folder filename. The splitter is the delimiter this build places between fields in its C2 messages; it has been changed from the njRAT 0.7d default of |'|'|, so signatures keyed on the default delimiter will not match this sample's traffic.
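The following decoder is an added example written for this report; it is not code from the sample, from njRAT, or from the sandbox. It takes the extracted splitter and C2 endpoint and walks a reassembled TCP stream frame by frame, which is what you would run over a capture on port 6522 (or over any stream, as a cheap classifier). Assumptions, labelled in the code: njRAT frames each message as the ASCII decimal length of the payload, one NUL byte, then the payload, and joins the fields of a payload with the configured splitter; the traffic and field contents below are constructed, not captured from this sample, and the decoder also handles the truncated-frame case a passive sensor sees when a capture ends mid-message.

```python
"""njRAT C2 framing decoder driven by the splitter extracted above.

Added example for this report, not code from the sample, from njRAT or from
the sandbox. Assumed (labelled): njRAT frames every message as the ASCII
decimal length of the payload, one NUL byte, then the payload, and joins the
fields of a payload with the build's splitter. The traffic below is
constructed, not captured from the sample.
"""
from typing import Iterator, List, Tuple

SPLITTER = b"Y262SUCZ4UJJ"            # from the extracted config
C2_HOST, C2_PORT = "127.0.0.1", 6522  # from the extracted config (loopback)


def frame(payload: bytes) -> bytes:
    """Encode one message as b'<decimal length>\\x00<payload>' (assumed framing)."""
    return b"%d\x00%s" % (len(payload), payload)


def iter_frames(stream: bytes) -> Iterator[bytes]:
    """Walk a reassembled TCP stream and yield complete payloads.

    Stops silently at the first frame that is malformed or truncated, which is
    what a passive decoder must do when a capture ends mid-message.
    """
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos, pos + 12)  # length prefix is short
        if nul < 0 or not stream[pos:nul].isdigit():
            return
        end = nul + 1 + int(stream[pos:nul])
        if end > len(stream):
            return
        yield stream[nul + 1:end]
        pos = end


def parse_payload(payload: bytes, splitter: bytes = SPLITTER) -> Tuple[str, List[bytes]]:
    """Split one payload into (command, fields) on the configured splitter."""
    cmd, *fields = payload.split(splitter)
    return cmd.decode("latin-1"), fields


def looks_like_njrat(stream: bytes, splitter: bytes = SPLITTER) -> bool:
    """Cheap stream classifier: framing parses and some frame carries the splitter."""
    frames = list(iter_frames(stream))
    return bool(frames) and any(splitter in f for f in frames)


# Constructed traffic: a registration-style 'll' message, a second short
# message, and a third frame cut off mid-payload. Field contents are
# illustrative only; they are not taken from the sample.
SAMPLE_FIELDS = [b"HacKed_DEADBEEFSANDBOX", b"SANDBOX-PC", b"Admin",
                 b"24-06-23", b"", b"Win 10 Pro x64", b"No", b"0.7d", b"..",
                 b"Program Manager"]
SAMPLE_STREAM = (
    frame(b"ll" + SPLITTER + SPLITTER.join(SAMPLE_FIELDS))
    + frame(b"act" + SPLITTER + b"Program Manager")
    + frame(b"inf" + SPLITTER + b"x")[:10]      # truncated on purpose
)

if __name__ == "__main__":
    print(f"decoding constructed stream for {C2_HOST}:{C2_PORT}")
    for payload in iter_frames(SAMPLE_STREAM):
        cmd, fields = parse_payload(payload)
        print(cmd, [f.decode("latin-1") for f in fields])
```

Because this build's server is loopback, the only place to observe real traffic from it is a local capture on the sandbox host itself; against a build with a routable C2 the same decoder applies to the reassembled TCP stream, with `SPLITTER` swapped for that build's value.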
Signatures
Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes:
  PID 3128 netsh.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
  Key value queried  \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation  (Client.exe)
Drops startup file (2 IoCs)
Processes:
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6eff5e1ac69475e84ad4e71ee67ef805.exe  (Trojan.exe)
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6eff5e1ac69475e84ad4e71ee67ef805.exe  (Trojan.exe)
Executes dropped EXE (3 IoCs)
Processes:
  PID 2248 Client.exe
  PID 4804 EqualizerAPO32-1.3.2.exe
  PID 3260 Trojan.exe
Loads dropped DLL (1 IoC)
Processes:
  PID 4804 EqualizerAPO32-1.3.2.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  Set value (str)  \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6eff5e1ac69475e84ad4e71ee67ef805 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."  (Trojan.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6eff5e1ac69475e84ad4e71ee67ef805 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."  (Trojan.exe)
Note: the per-user Run key and the machine-wide 32-bit (WOW6432Node) Run key are both set, under the same reg_key name and with the same data: the quoted Temp path followed by a trailing " .." argument. Together with the Startup-folder copy above, that is three autostart points that all resolve to the Temp-resident Trojan.exe, and the shared 32-hex name ties them to one another.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
  Key opened           \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  (netsh.exe)
  Key queried          \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  (netsh.exe)
  Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  (netsh.exe)
Caveat: these three IoCs are netsh.exe reading the key under which its helper DLLs are registered, which the 32-bit netsh does on every invocation to load its normal helpers. No write to that key is recorded anywhere in this report, so this is the firewall command in the process tree executing normally, not evidence that the sample registered a helper DLL for persistence. The signature that carries weight here is "Modifies Windows Firewall".
NSIS installer (2 IoCs)
Processes:
  C:\Users\Admin\AppData\Local\Temp\aut58A0.tmp  nsis_installer_1
  C:\Users\Admin\AppData\Local\Temp\aut58A0.tmp  nsis_installer_2
Note: the YARA hits mark the extracted temp file as an NSIS installer, consistent with the bundled EqualizerAPO32-1.3.2.exe being an NSIS-packaged installer. The aut*.tmp naming is the pattern AutoIt's FileInstall uses for files it extracts, so the Arabic-named parent is likely an AutoIt-compiled binder; the report does not identify the parent's packer directly.
Suspicious use of AdjustPrivilegeToken (35 IoCs)
Processes:
  Trojan.exe (PID 3260) enabled SeDebugPrivilege once, then alternated privilege LUID 33 (SeIncreaseWorkingSetPrivilege) and SeIncBasePriorityPrivilege, 17 times each.
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  PID 532  وزنية زاحفههه.exe  wrote to  PID 2248 Client.exe                 (3 times)
  PID 532  وزنية زاحفههه.exe  wrote to  PID 4804 EqualizerAPO32-1.3.2.exe   (3 times)
  PID 2248 Client.exe          wrote to  PID 3260 Trojan.exe                 (3 times)
  PID 3260 Trojan.exe          wrote to  PID 3128 netsh.exe                  (3 times)
Note: every write targets a child the writer has just spawned, the pattern of a parent populating a new process at launch, not injection into an unrelated process.
Processes
C:\Users\Admin\AppData\Local\Temp\وزنية زاحفههه.exe  (PID 532)
  "C:\Users\Admin\AppData\Local\Temp\وزنية زاحفههه.exe"
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Client.exe  (PID 2248)
    C:\Users\Admin\AppData\Local\Temp/Client.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Trojan.exe  (PID 3260)
      "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\netsh.exe  (PID 3128)
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
  C:\Users\Admin\AppData\Local\Temp\EqualizerAPO32-1.3.2.exe  (PID 4804)
    C:\Users\Admin\AppData\Local\Temp/EqualizerAPO32-1.3.2.exe
    - Executes dropped EXE
    - Loads dropped DLL
Reading the tree: the Arabic-named parent drops and launches both Client.exe (the njRAT stage) and the EqualizerAPO installer, using a forward slash in the child paths, which Windows accepts and which is a useful command-line pivot for finding sibling droppers. Client.exe then launches Trojan.exe, which sets up persistence and spawns the 32-bit netsh to add itself as an allowed program. The command uses the deprecated pre-Vista "netsh firewall" context rather than "netsh advfirewall firewall add rule", so detections should cover both spellings.
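The chain above (Run key in both hives, Startup-folder copy, netsh firewall exception, all from a Temp-resident binary) is the part of this report worth turning into a hunt. The script below is an added example written for this report, not code from the sample or the sandbox. It runs the matching logic over constructed records shaped like Sysmon events (EventID 1 process create, 11 file create, 13 registry value set); those field names are an assumption, the values are modelled on the IoCs listed above, and two benign events are included to show the rules stay quiet on ordinary Run keys and ordinary netsh use. It goes slightly beyond the report by also accepting the current "netsh advfirewall firewall add rule" syntax and by correlating the Run value name with the Startup filename, the reg_key reuse this sample exhibits.

```python
"""Hunt logic for the persistence and firewall-exception chain in this report.

Added example, not code from the sample or the sandbox. Event records are
constructed in the shape of Sysmon events (EventID 1 process create,
11 file create, 13 registry value set); the field names are an assumption
and the values mirror the IoCs listed above. The netsh pattern also accepts
the current 'netsh advfirewall firewall add rule' syntax, which the report
does not show.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]
Finding = Tuple[str, str]

RUN_KEY_RE = re.compile(
    r"\\Software\\(?:WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\([^\\]+)\.exe$", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
NETSH_FW_RE = re.compile(
    r"\bnetsh(?:\.exe)?\s+(?:firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)\b",
    re.I)


def analyse(events: List[Event]) -> List[Finding]:
    """Return (finding, detail) pairs; each finding maps to one signature above."""
    findings: List[Finding] = []
    run_names, startup_names = set(), set()
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13:  # registry value set
            m = RUN_KEY_RE.search(str(ev.get("TargetObject", "")))
            data = str(ev.get("Details", ""))
            if m and TEMP_RE.search(data):
                findings.append(("run_key_points_to_temp", m.group(1)))
                run_names.add(m.group(1).lower())
                # njRAT writes the quoted path followed by a trailing ' ..'
                if data.rstrip().endswith(" .."):
                    findings.append(("njrat_run_value_marker", m.group(1)))
        elif eid == 11:  # file create
            m = STARTUP_RE.search(str(ev.get("TargetFilename", "")))
            if m and TEMP_RE.search(str(ev.get("Image", ""))):
                findings.append(("startup_folder_drop_from_temp", m.group(1)))
                startup_names.add(m.group(1).lower())
        elif eid == 1:  # process create
            cmd = str(ev.get("CommandLine", ""))
            parent = str(ev.get("ParentImage", ""))
            if NETSH_FW_RE.search(cmd) and TEMP_RE.search(parent):
                findings.append(("firewall_exception_from_temp", parent))
    # Same name used as both Run value and Startup file: the reg_key reuse seen here.
    for name in sorted(run_names & startup_names):
        findings.append(("shared_persistence_name", name))
    return findings


def verdict(findings: List[Finding]) -> bool:
    """True when the three behaviours that make up this sample's chain co-occur."""
    kinds = {kind for kind, _ in findings}
    return {"run_key_points_to_temp", "startup_folder_drop_from_temp",
            "firewall_exception_from_temp"} <= kinds


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SID = r"S-1-5-21-3169499791-3545231813-3156325206-1000"
EVENTS: List[Event] = [  # constructed, modelled on the IoCs in this report
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "CommandLine": f'netsh firewall add allowedprogram "{TEMP}\\Trojan.exe" "Trojan.exe" ENABLE',
     "ParentImage": TEMP + r"\Trojan.exe"},
    {"EventID": 11, "Image": TEMP + r"\Trojan.exe",
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6eff5e1ac69475e84ad4e71ee67ef805.exe"},
    {"EventID": 13, "Image": TEMP + r"\Trojan.exe",
     "TargetObject": f"HKU\\{SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\6eff5e1ac69475e84ad4e71ee67ef805",
     "Details": f'"{TEMP}\\Trojan.exe" ..'},
    # benign noise that must not fire
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\app.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh interface show interface",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for kind, detail in analyse(EVENTS):
        print(f"{kind:32} {detail}")
    print("njRAT-like chain:", verdict(analyse(EVENTS)))
```

Each rule on its own is noisy (installers write Run keys; admins run netsh); the value is in requiring the Temp-resident image in every case and in the shared-name correlation, which is specific to how this family reuses reg_key. The "shared_persistence_name" finding is what you would pivot on across hosts.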
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Netsh Helper DLL (1)
Downloads
Filesize
31KB
MD5
0400e17a5bdb1fa5877c12d609dd15f8
SHA1
0e2af75fd16b9d2902a69c94a6eaa1cef4565f64
SHA256
99b91723fd7afa33700fb055e3dd505af43957841774d35945271d92c3388e6b
SHA512
6fa737ef7ec683b9dae18a9f150555f1dc5da6cf0e9c74b8b3aca58055539a8f5ded243bee14f2247712373213c1da5aee9d7c6149791fc7950ad9293d0eed9a
Filesize
7.3MB
MD5
340537574c05238b1bec13fe9f9e80b0
SHA1
4d77a3a81c4272073d1ca80267e5dac1316fc421
SHA256
580d8e5253a6610f8089d5a60597620c6ecb619f7bbb4d28ed75393342fbb708
SHA512
c283d4096cf6c1713fb2a6e4c56c7d76093e167736ff84f62d437512ed2161a01aaab916b80b62486b29d50abd525b518b6b3f6de99399db77320a50dabd2901
Filesize
164KB
MD5
bfe060c22b44914e05d3f5367de6c9fe
SHA1
24c72b0b57b0066a5e8b235104a0502400e44b9a
SHA256
43041f8540dccbc33268bfbef53037d17170b037f6393e77c21429f303ae828f
SHA512
ad3a23edd8d62b198e4a2ccf03f6d607dee41fa23fd6f9dfabdc5ee424b5e22a6e00b8a28e50fe177829a2cc25ce05484423e97c682036fc5146e2adf560bc44