Resubmissions
30/07/2024, 21:22
240730-z732astepd 1030/07/2024, 21:18
240730-z5vl5szalj 1030/07/2024, 21:06
240730-zx8h2atala 10Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
30/07/2024, 21:18
Behavioral task
behavioral1
Sample
Injectorka.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
Injectorka.exe
Resource
win10v2004-20240730-en
General
-
Target
Injectorka.exe
-
Size
93KB
-
MD5
c40c09bf0ce0defbe50f123e8d6a6174
-
SHA1
d39b7893f4ec53f38e3d05051097fb6cfee2ff7f
-
SHA256
272f68e5e473b2b091e97ee249a7a95aedef51070dcaf94211e573771477a672
-
SHA512
8f5a3b47ae47e0be43ad2925adc36b661c75f64bec2b3e797fc744925cdc186a1dda85ba2907e5a621f0c61a47662e1d3874ee8b3f7c8b31d79ba6ed3af069c4
-
SSDEEP
768:RY3PI530YTXspgM0m2zGjpyDtdXWuDtXYLWhyXxrjEtCdnl2pi1Rz4Rk3zsGdpD3:8IZ0AA0mT1mrWnL5jEwzGi1dD/DDgS
Malware Config
Extracted
njrat
0.7d
Erbaev
hakim32.ddns.net:2000
2.tcp.eu.ngrok.io:14407
007c897a11747d51de02720e8e1c37d9
-
reg_key
007c897a11747d51de02720e8e1c37d9
-
splitter
|'|'|
Signatures
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 3 IoCs
pid Process 2988 netsh.exe 2716 netsh.exe 2720 netsh.exe -
Drops startup file 6 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\007c897a11747d51de02720e8e1c37d9Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\007c897a11747d51de02720e8e1c37d9Windows Update.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explower.exe server.exe -
Executes dropped EXE 1 IoCs
pid Process 2880 server.exe -
Loads dropped DLL 2 IoCs
pid Process 1820 Injectorka.exe 1820 Injectorka.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
flow ioc 2 2.tcp.eu.ngrok.io -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\Explower.exe server.exe File opened for modification C:\Program Files (x86)\Explower.exe server.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injectorka.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe 2880 server.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2880 server.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
description pid Process Token: SeDebugPrivilege 2880 server.exe Token: 33 2880 server.exe Token: SeIncBasePriorityPrivilege 2880 server.exe Token: 33 2880 server.exe Token: SeIncBasePriorityPrivilege 2880 server.exe Token: 33 2880 server.exe Token: SeIncBasePriorityPrivilege 2880 server.exe Token: 33 2880 server.exe Token: SeIncBasePriorityPrivilege 2880 server.exe Token: 33 2880 server.exe Token: SeIncBasePriorityPrivilege 2880 server.exe Token: 33 2880 server.exe Token: SeIncBasePriorityPrivilege 2880 server.exe Token: 33 2880 server.exe Token: SeIncBasePriorityPrivilege 2880 server.exe Token: 33 2880 server.exe Token: SeIncBasePriorityPrivilege 2880 server.exe Token: 33 2880 server.exe Token: SeIncBasePriorityPrivilege 2880 server.exe Token: 33 2880 server.exe Token: SeIncBasePriorityPrivilege 2880 server.exe Token: 33 2880 server.exe Token: SeIncBasePriorityPrivilege 2880 server.exe Token: 33 2880 server.exe Token: SeIncBasePriorityPrivilege 2880 server.exe Token: 33 2880 server.exe Token: SeIncBasePriorityPrivilege 2880 server.exe Token: 33 2880 server.exe Token: SeIncBasePriorityPrivilege 2880 server.exe Token: 33 2880 server.exe Token: SeIncBasePriorityPrivilege 2880 server.exe Token: 33 2880 server.exe Token: SeIncBasePriorityPrivilege 2880 server.exe Token: 33 2880 server.exe Token: SeIncBasePriorityPrivilege 2880 server.exe Token: 33 2880 server.exe Token: SeIncBasePriorityPrivilege 2880 server.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 1820 wrote to memory of 2880 1820 Injectorka.exe 28 PID 1820 wrote to memory of 2880 1820 Injectorka.exe 28 PID 1820 wrote to memory of 2880 1820 Injectorka.exe 28 PID 1820 wrote to memory of 2880 1820 Injectorka.exe 28 PID 2880 wrote to memory of 2988 2880 server.exe 29 PID 2880 wrote to memory of 2988 2880 server.exe 29 PID 2880 wrote to memory of 2988 2880 server.exe 29 PID 2880 wrote to memory of 2988 2880 server.exe 29 PID 2880 wrote to memory of 2716 2880 server.exe 31 PID 2880 wrote to memory of 2716 2880 server.exe 31 PID 2880 wrote to memory of 2716 2880 server.exe 31 PID 2880 wrote to memory of 2716 2880 server.exe 31 PID 2880 wrote to memory of 2720 2880 server.exe 32 PID 2880 wrote to memory of 2720 2880 server.exe 32 PID 2880 wrote to memory of 2720 2880 server.exe 32 PID 2880 wrote to memory of 2720 2880 server.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\Injectorka.exe"C:\Users\Admin\AppData\Local\Temp\Injectorka.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2988
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2716
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2720
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5B
MD5b66e20886f9675fe4dbf430ea2d0bf8d
SHA12e676da72201e6e4482e00b300511900c6aee5a0
SHA256899a421c56c18058cbdd16dd7fb313a57d36c1189ca0f442070ed01d17241414
SHA512f431616522f775de27ccde420f0de6f8b3477fbe97cfd8001864b8289a570916a6dd32c84fcf8af6083d8c1b47c61aa5c73ed1e7cc75213d3f24bd94a93cb870
-
Filesize
93KB
MD5c40c09bf0ce0defbe50f123e8d6a6174
SHA1d39b7893f4ec53f38e3d05051097fb6cfee2ff7f
SHA256272f68e5e473b2b091e97ee249a7a95aedef51070dcaf94211e573771477a672
SHA5128f5a3b47ae47e0be43ad2925adc36b661c75f64bec2b3e797fc744925cdc186a1dda85ba2907e5a621f0c61a47662e1d3874ee8b3f7c8b31d79ba6ed3af069c4