Analysis
- max time kernel: 59s
- max time network: 51s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/07/2024, 14:20
- Static task: static1
- Behavioral task: behavioral1
- Sample: NjRat 0.7D Green Edition by im523.exe
- Resource: win10-20240611-en
General
- Target: NjRat 0.7D Green Edition by im523.exe
- Size: 2.5MB
- MD5: db03ed78b35220d0a178d0c4cba27e76
- SHA1: ba576c67c78c680e2f8c5375d294b5dbd7c3250e
- SHA256: 42b9c295089c7cf9141f5d0a40a1155cfd3627888579473f8c9b80e8e3ea1c48
- SHA512: c272cfef5199450c903443ae3259191d1ecfd8795854e297aef36c819af8887233419b98bb54e5e5894846a1454c398991487547191c66de00881c31e6d1ae93
- SSDEEP: 49152:LJNiJe3T1/rgMVwPpIGGHgoQhLL2RWNbftLLQPFfO5SSOp:LJNReMVmILHg3gMQSjO
Malware Config
Signatures
XMRig Miner payload 9 IoCs
resource                                                                     yara_rule
behavioral2/memory/3444-16-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral2/memory/3444-17-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral2/memory/3444-23-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral2/memory/3444-22-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral2/memory/3444-21-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral2/memory/3444-20-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral2/memory/3444-19-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral2/memory/3444-24-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral2/memory/3444-25-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
Creates new service(s) 2 TTPs
Executes dropped EXE 1 IoCs
pid   Process
3788  ffhzguglhicn.exe

Yara rule upx 14 IoCs
resource                                                                     yara_rule
behavioral2/memory/3444-12-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral2/memory/3444-14-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral2/memory/3444-13-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral2/memory/3444-11-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral2/memory/3444-16-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral2/memory/3444-17-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral2/memory/3444-23-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral2/memory/3444-22-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral2/memory/3444-21-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral2/memory/3444-20-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral2/memory/3444-19-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral2/memory/3444-15-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral2/memory/3444-24-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral2/memory/3444-25-0x0000000140000000-0x0000000140848000-memory.dmp  upx
Suspicious use of SetThreadContext 2 IoCs
description                           pid   Process           procid_target
PID 3788 set thread context of 1380   3788  ffhzguglhicn.exe  103
PID 3788 set thread context of 3444   3788  ffhzguglhicn.exe  104
Launches sc.exe 4 IoCs
sc.exe is a Windows utility to control services on the system.
pid   Process
3296  sc.exe
3496  sc.exe
2508  sc.exe
3564  sc.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid   Process                                 occurrences
4176  NjRat 0.7D Green Edition by im523.exe   4
3788  ffhzguglhicn.exe                        2
3444  explorer.exe                            58
Suspicious use of AdjustPrivilegeToken 1 IoCs
description                    pid   Process
Token: SeLockMemoryPrivilege   3444  explorer.exe
Suspicious use of WriteProcessMemory 14 IoCs
description                        pid   Process           procid_target  occurrences
PID 3788 wrote to memory of 1380   3788  ffhzguglhicn.exe  103            9
PID 3788 wrote to memory of 3444   3788  ffhzguglhicn.exe  104            5
Processes
- C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NjRat 0.7D Green Edition by im523.exe"
  PID: 4176
  - Suspicious behavior: EnumeratesProcesses
  Children:
  - C:\Windows\system32\sc.exe
    Command line: C:\Windows\system32\sc.exe delete "WAPQYYAB"
    PID: 3296
    - Launches sc.exe
  - C:\Windows\system32\sc.exe
    Command line: C:\Windows\system32\sc.exe create "WAPQYYAB" binpath= "C:\ProgramData\evhjkmhsccca\ffhzguglhicn.exe" start= "auto"
    PID: 3496
    - Launches sc.exe
  - C:\Windows\system32\sc.exe
    Command line: C:\Windows\system32\sc.exe stop eventlog
    PID: 2508
    - Launches sc.exe
  - C:\Windows\system32\sc.exe
    Command line: C:\Windows\system32\sc.exe start "WAPQYYAB"
    PID: 3564
    - Launches sc.exe
- C:\ProgramData\evhjkmhsccca\ffhzguglhicn.exe
  Command line: C:\ProgramData\evhjkmhsccca\ffhzguglhicn.exe
  PID: 3788
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\system32\conhost.exe
    Command line: C:\Windows\system32\conhost.exe
    PID: 1380
  - C:\Windows\explorer.exe
    Command line: explorer.exe
    PID: 3444
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15