Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-06-2024 09:07
Static task: static1
Behavioral task: behavioral1
  Sample: 5ab5b97c731c5898e22153fa6bf4336739faaf9304fe665b89bd4e87955e1ef3.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 5ab5b97c731c5898e22153fa6bf4336739faaf9304fe665b89bd4e87955e1ef3.exe
  Resource: win10v2004-20240611-en
General
Target: 5ab5b97c731c5898e22153fa6bf4336739faaf9304fe665b89bd4e87955e1ef3.exe
Size: 854KB
MD5: 092197456099d4a6b908239144fd79be
SHA1: e1626d4912665bf0f8ebf8ac1298396a6a670b61
SHA256: 5ab5b97c731c5898e22153fa6bf4336739faaf9304fe665b89bd4e87955e1ef3
SHA512: c20067eac3a0279b33f74712c7fa703622d7bc02b8901ea802035045bc30ffc0b8014d82f9bf3af9cf6e4905f4e44493de0f06bea261cd00f3e759c8cd036100
SSDEEP: 12288:Knh95Si0CtXjOv9xObOhrq5/n2ZwyifuAgm69ahWFDBXs+rcnIOoBwP0YSr7ombt:KnTswXPU/rflCzkwsY4n5GBzjs
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: TANTUNİ YIHYIHYIH
C2: 2.kingx.info:1177
Mutex: 11ce597da482a8d03c61b182214eee0d
Attributes:
  reg_key: 11ce597da482a8d03c61b182214eee0d
  splitter: |'|'|
Signatures
- Modifies Windows Firewall (2 TTPs, 1 IoC)
  Processes:
    pid 3984  netsh.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 5ab5b97c731c5898e22153fa6bf4336739faaf9304fe665b89bd4e87955e1ef3.exe
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fonts\ = "C:\\Users\\Admin\\AppData\\Roaming\\Fonts\\dllhost.exe"
    process: 5ab5b97c731c5898e22153fa6bf4336739faaf9304fe665b89bd4e87955e1ef3.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 5ab5b97c731c5898e22153fa6bf4336739faaf9304fe665b89bd4e87955e1ef3.exe
    description: PID 4956 set thread context of 4880
    pid: 4956
    process: 5ab5b97c731c5898e22153fa6bf4336739faaf9304fe665b89bd4e87955e1ef3.exe
    target process: regasm.exe
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Processes: netsh.exe
    Key opened            \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh   netsh.exe
    Key queried           \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh   netsh.exe
    Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh   netsh.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 5ab5b97c731c5898e22153fa6bf4336739faaf9304fe665b89bd4e87955e1ef3.exe
    pid 4956  5ab5b97c731c5898e22153fa6bf4336739faaf9304fe665b89bd4e87955e1ef3.exe  (2 entries)
- Suspicious use of AdjustPrivilegeToken (31 IoCs)
  Processes: regasm.exe (pid 4880)
    Token: SeDebugPrivilege            (1 entry)
    Token: 33                          (15 entries)
    Token: SeIncBasePriorityPrivilege  (15 entries)
    After the initial SeDebugPrivilege entry, the log alternates between Token 33 and SeIncBasePriorityPrivilege.
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 5ab5b97c731c5898e22153fa6bf4336739faaf9304fe665b89bd4e87955e1ef3.exe, regasm.exe
    PID 4956 wrote to memory of 4880  5ab5b97c731c5898e22153fa6bf4336739faaf9304fe665b89bd4e87955e1ef3.exe -> regasm.exe  (5 entries)
    PID 4880 wrote to memory of 3984  regasm.exe -> netsh.exe  (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\5ab5b97c731c5898e22153fa6bf4336739faaf9304fe665b89bd4e87955e1ef3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5ab5b97c731c5898e22153fa6bf4336739faaf9304fe665b89bd4e87955e1ef3.exe"
   PID: 4956
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe"
      PID: 4880
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe" "regasm.exe" ENABLE
         PID: 3984
         - Modifies Windows Firewall
         - Event Triggered Execution: Netsh Helper DLL
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Netsh Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
  Event Triggered Execution (1): Netsh Helper DLL (1)