Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
11-10-2024 01:24
Behavioral task
behavioral1
Sample
455193e153b09c0c36a9f14f7c1db75e21231615f992c413281b1135dd5b8334.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
455193e153b09c0c36a9f14f7c1db75e21231615f992c413281b1135dd5b8334.exe
Resource
win10v2004-20241007-en
General
-
Target
455193e153b09c0c36a9f14f7c1db75e21231615f992c413281b1135dd5b8334.exe
-
Size
27KB
-
MD5
65abbb1b8cb5f121249ad00bf99995aa
-
SHA1
e2716aa2af91bfa1e44e029fc86776690d3d2c74
-
SHA256
455193e153b09c0c36a9f14f7c1db75e21231615f992c413281b1135dd5b8334
-
SHA512
bef09a4254b4c0087487d2d28172ecfd133e05508f665545cc2c94b7349cd254edd22e3b37eeeb01f9aeac6dfb4caf024bfa9b52abfe67d42ae3923ac3ae295c
-
SSDEEP
384:CLpHqxzDGoEXHWtyXc0gCQP8thFMRAQk93vmhm7UMKmIEecKdbXTzm9bVhcar6D1:cpKFy4pFRA/vMHTi9bD
Malware Config
Extracted
njrat
v2.0
HacKed
193.161.193.99:41878
Windows
-
reg_key
Windows
-
splitter
|-F-|
Signatures
-
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk 455193e153b09c0c36a9f14f7c1db75e21231615f992c413281b1135dd5b8334.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk Payload.exe -
Executes dropped EXE 1 IoCs
pid Process 2780 Payload.exe -
Loads dropped DLL 1 IoCs
pid Process 2860 455193e153b09c0c36a9f14f7c1db75e21231615f992c413281b1135dd5b8334.exe -
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Payload.exe" 455193e153b09c0c36a9f14f7c1db75e21231615f992c413281b1135dd5b8334.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" Payload.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" Payload.exe Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" Payload.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL" Payload.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 455193e153b09c0c36a9f14f7c1db75e21231615f992c413281b1135dd5b8334.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Payload.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe -
Suspicious use of AdjustPrivilegeToken 33 IoCs
description pid Process Token: SeDebugPrivilege 2780 Payload.exe Token: 33 2780 Payload.exe Token: SeIncBasePriorityPrivilege 2780 Payload.exe Token: 33 2780 Payload.exe Token: SeIncBasePriorityPrivilege 2780 Payload.exe Token: 33 2780 Payload.exe Token: SeIncBasePriorityPrivilege 2780 Payload.exe Token: 33 2780 Payload.exe Token: SeIncBasePriorityPrivilege 2780 Payload.exe Token: 33 2780 Payload.exe Token: SeIncBasePriorityPrivilege 2780 Payload.exe Token: 33 2780 Payload.exe Token: SeIncBasePriorityPrivilege 2780 Payload.exe Token: 33 2780 Payload.exe Token: SeIncBasePriorityPrivilege 2780 Payload.exe Token: 33 2780 Payload.exe Token: SeIncBasePriorityPrivilege 2780 Payload.exe Token: 33 2780 Payload.exe Token: SeIncBasePriorityPrivilege 2780 Payload.exe Token: 33 2780 Payload.exe Token: SeIncBasePriorityPrivilege 2780 Payload.exe Token: 33 2780 Payload.exe Token: SeIncBasePriorityPrivilege 2780 Payload.exe Token: 33 2780 Payload.exe Token: SeIncBasePriorityPrivilege 2780 Payload.exe Token: 33 2780 Payload.exe Token: SeIncBasePriorityPrivilege 2780 Payload.exe Token: 33 2780 Payload.exe Token: SeIncBasePriorityPrivilege 2780 Payload.exe Token: 33 2780 Payload.exe Token: SeIncBasePriorityPrivilege 2780 Payload.exe Token: 33 2780 Payload.exe Token: SeIncBasePriorityPrivilege 2780 Payload.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2860 wrote to memory of 2780 2860 455193e153b09c0c36a9f14f7c1db75e21231615f992c413281b1135dd5b8334.exe 31 PID 2860 wrote to memory of 2780 2860 455193e153b09c0c36a9f14f7c1db75e21231615f992c413281b1135dd5b8334.exe 31 PID 2860 wrote to memory of 2780 2860 455193e153b09c0c36a9f14f7c1db75e21231615f992c413281b1135dd5b8334.exe 31 PID 2860 wrote to memory of 2780 2860 455193e153b09c0c36a9f14f7c1db75e21231615f992c413281b1135dd5b8334.exe 31 PID 2860 wrote to memory of 2704 2860 455193e153b09c0c36a9f14f7c1db75e21231615f992c413281b1135dd5b8334.exe 32 PID 2860 wrote to memory of 2704 2860 455193e153b09c0c36a9f14f7c1db75e21231615f992c413281b1135dd5b8334.exe 32 PID 2860 wrote to memory of 2704 2860 455193e153b09c0c36a9f14f7c1db75e21231615f992c413281b1135dd5b8334.exe 32 PID 2860 wrote to memory of 2704 2860 455193e153b09c0c36a9f14f7c1db75e21231615f992c413281b1135dd5b8334.exe 32 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 2704 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\455193e153b09c0c36a9f14f7c1db75e21231615f992c413281b1135dd5b8334.exe"C:\Users\Admin\AppData\Local\Temp\455193e153b09c0c36a9f14f7c1db75e21231615f992c413281b1135dd5b8334.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Users\Admin\AppData\Local\Temp\Payload.exe"C:\Users\Admin\AppData\Local\Temp\Payload.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2780
-
-
C:\Windows\SysWOW64\attrib.exeattrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\Payload.exe"2⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2704
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
27KB
MD565abbb1b8cb5f121249ad00bf99995aa
SHA1e2716aa2af91bfa1e44e029fc86776690d3d2c74
SHA256455193e153b09c0c36a9f14f7c1db75e21231615f992c413281b1135dd5b8334
SHA512bef09a4254b4c0087487d2d28172ecfd133e05508f665545cc2c94b7349cd254edd22e3b37eeeb01f9aeac6dfb4caf024bfa9b52abfe67d42ae3923ac3ae295c
-
Filesize
1KB
MD5175dcf91ef523df6166fc091918c8841
SHA1e07af27597a939af81039147f404680d28f33850
SHA25678be10b7e3783e797bfff8f3f5dcaab17d0612c508dd9259b046f8dab5cb89de
SHA5126de78d023e2fb500944d7cbe2995b91bf98c54f97e8b36cefae5458c3c6e7b68eea3e3e746777bfad62d59b069bd3143d07f3c8d90dedb0d6eccd90fb8c79378
-
Filesize
1022B
MD52003bb0332ddfd3d91153db0bd88564e
SHA132e60a8379db536b5037a7bf909289960369582b
SHA256b3fd92b0ef90b98cb7d9ed6435266f9d8e364054038ce8490bd0d005ef144517
SHA512be63a85396b5c4deefebd891c5997785708a27bcc6a95b3221328be4711b9315c57966de43503bec3a58c674238ce57aa401f6afcdcb4d66e9b5723c465b28d7