Analysis

max time kernel: 150s
max time network: 143s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 28-10-2024 20:39
Behavioral tasks

behavioral1
  Sample: 1732-1-0x0000000000270000-0x0000000000286000-memory.exe
  Resource: win7-20240903-en

behavioral2
  Sample: 1732-1-0x0000000000270000-0x0000000000286000-memory.exe
  Resource: win10v2004-20241007-en

The signatures and process tree below come from behavioral1, the windows7_x64 run on win7-20240903-en; PIDs and registry paths are specific to that run.
General

Target: 1732-1-0x0000000000270000-0x0000000000286000-memory.exe
Size: 88KB
MD5: 57a6137708aa3c2866131919b12d17c2
SHA1: 4328e6c04348966ba9cb2a5f3883ccb51571cda8
SHA256: d8b284c741d37196fbf6fe4513bf457f158a65b1b649a71f12855669e6bbcbeb
SHA512: 80a4f19ef88327b8048ab075aeddc9cc8b1123db2fb1dbff5de4783c6a68b833e78c51ec0b87a0c6b626c7f8edf708e974693e088b84dc964891acac02cb493a
SSDEEP: 1536:CXOeboN36tbQviFw1ScTIBnvAefLteF3nLrB9z3nTaF9btS9vM:CXOeboN36tbQviFCtcBn1fWl9zDaF9bJ

The file name follows the sandbox's memory-dump convention (PID 1732, region 0x0000000000270000-0x0000000000286000). The region length 0x16000 = 90112 bytes matches the 88KB size, so this sample is an in-memory payload dumped from a process, not the original dropper; the hashes above identify the unpacked njRAT stage rather than whatever delivered it.
Malware Config

Extracted

Family: njrat
Version: Platinum
Botnet: uzbek
C2: 127.0.0.1:14026
Mutex: yzbekt.exe (also the install name of the dropped copy, see Processes)
reg_key: yzbekt.exe
splitter: |Ghost|

The extracted C2 address is loopback and cannot be a live remote endpoint. The network signature below shows the sample resolving 0.tcp.eu.ngrok.io, so the operator fronts the controller with an ngrok TCP tunnel; the usable network IoC is the ngrok hostname (with port 14026 from the config, if that is the tunnel's public port), not 127.0.0.1.
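The splitter value matters because njRAT uses it to delimit fields inside each C2 message, and a network detection has to split on it to read the command word. The decoder below is an added example, not code from the sandbox report or from njRAT itself: it assumes njRAT's framing (a decimal ASCII length, a NUL byte, then the payload, with fields separated by the configured splitter). The report contains no captured traffic, so the byte strings here are constructed; only the framing and splitter placement follow the protocol, and the field contents (victim id, host, user, campaign) are illustrative values, not data recovered from this sample.

```python
"""Split njRAT C2 traffic into fields using the extracted splitter.

Added example, not from the sandbox report. Framing assumed: "<len>\x00<payload>",
fields inside the payload separated by the configured splitter. The sample bytes
below are constructed for demonstration; no traffic was captured in the report.
"""
from typing import List, Tuple

SPLITTER = b"|Ghost|"   # value from the extracted config


def parse_frames(stream: bytes, splitter: bytes = SPLITTER) -> Tuple[List[List[bytes]], bytes]:
    """Decode every complete frame in `stream`.

    Returns (frames, remainder): frames is a list of field lists, remainder the
    trailing bytes of an incomplete frame so the caller can buffer more data.
    Raises ValueError if the stream does not start with a decimal length prefix.
    """
    frames: List[List[bytes]] = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break                                  # length prefix not finished yet
        length_bytes = stream[pos:nul]
        if not length_bytes.isdigit():
            raise ValueError(f"bad length prefix at offset {pos}: {length_bytes!r}")
        length = int(length_bytes)
        start, end = nul + 1, nul + 1 + length
        if end > len(stream):
            break                                  # payload incomplete; keep remainder
        frames.append(stream[start:end].split(splitter))
        pos = end
    return frames, stream[pos:]


def frame(fields: List[bytes], splitter: bytes = SPLITTER) -> bytes:
    """Inverse of parse_frames for one message: join fields and prepend the length."""
    payload = splitter.join(fields)
    return str(len(payload)).encode() + b"\x00" + payload


# Constructed messages: command word first, then illustrative fields. Only the
# framing and the splitter placement follow njRAT; the values are made up.
BEACON = frame([b"ll", b"VICTIM-ID", b"DESKTOP-01", b"Admin", b"uzbek"])
KEEPALIVE = frame([b"P"])
STREAM = BEACON + KEEPALIVE + b"12\x00partial"    # last frame deliberately truncated

if __name__ == "__main__":
    frames, rest = parse_frames(STREAM)
    for fields in frames:
        print([f.decode(errors="replace") for f in fields])
    print("buffered for next read:", rest)
```

Because the length prefix covers the whole payload, a signature that only matches the splitter string will fire on any fragment; keying on "<len>\x00" followed by a known command word and then the splitter is more specific. The truncated third frame is returned as the remainder rather than dropped, which is the case a stream-reassembling detector has to get right.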
Signatures

Njrat family

Deletes itself (1 IoC)
  pid 1160  cmd.exe

Executes dropped EXE (1 IoC)
  pid 1720  yzbekt.exe

Loads dropped DLL (2 IoCs)
  pid 3048  1732-1-0x0000000000270000-0x0000000000286000-memory.exe (2 events)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\yzbekt.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\yzbekt.exe\" .."  yzbekt.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yzbekt.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\yzbekt.exe\" .."  yzbekt.exe
  Both the per-user and the machine-wide Run keys are written; the HKLM write lands under Wow6432Node because the process is 32-bit, and its success means the sandbox ran the sample with administrative rights. The quoted path followed by a space and ".." is the characteristic shape of an njRAT Run value and a good detection token on its own.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  flow 2   0.tcp.eu.ngrok.io
  flow 6   0.tcp.eu.ngrok.io
  flow 14  0.tcp.eu.ngrok.io

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  1732-1-0x0000000000270000-0x0000000000286000-memory.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  yzbekt.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  choice.exe
  The same key is opened by cmd.exe and choice.exe, which are stock system binaries, so this key access is part of ordinary process start-up and is a weak signal unless combined with the other behaviours here.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1720  yzbekt.exe (64 events)

Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Token: SeDebugPrivilege            pid 1720  yzbekt.exe (1 event)
  Token: 33                          pid 1720  yzbekt.exe (17 events)
  Token: SeIncBasePriorityPrivilege  pid 1720  yzbekt.exe (17 events)
  "33" is an unresolved privilege LUID; in the Windows privilege table LUID 33 is SeIncreaseWorkingSetPrivilege. The 33 / SeIncBasePriorityPrivilege pair repeats 17 times, consistent with a loop that adjusts its own working set and priority class.

Suspicious use of WriteProcessMemory (12 IoCs)
  PID 3048 wrote to memory of 1720  1732-1-0x0000000000270000-0x0000000000286000-memory.exe -> yzbekt.exe (target 30, 4 events)
  PID 3048 wrote to memory of 1160  1732-1-0x0000000000270000-0x0000000000286000-memory.exe -> cmd.exe (target 31, 4 events)
  PID 1160 wrote to memory of 2772  cmd.exe -> choice.exe (target 33, 4 events)
  Each entry is the same block of four writes from a parent into a child it has just created, and the pattern also appears for the benign cmd.exe -> choice.exe pair, so these are process-creation artifacts, not evidence of code injection.
Processes

C:\Users\Admin\AppData\Local\Temp\1732-1-0x0000000000270000-0x0000000000286000-memory.exe
  "C:\Users\Admin\AppData\Local\Temp\1732-1-0x0000000000270000-0x0000000000286000-memory.exe"
  PID 3048
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\yzbekt.exe
    "C:\Users\Admin\AppData\Roaming\yzbekt.exe"
    PID 1720
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\1732-1-0x0000000000270000-0x0000000000286000-memory.exe"
    PID 1160
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 5
      PID 2772
      - System Location Discovery: System Language Discovery

The command line names C:\Windows\System32\cmd.exe but the image actually loaded is C:\Windows\SysWOW64\cmd.exe: file-system redirection for a 32-bit parent on x64. "choice /C Y /N /D Y /T 5" auto-selects Y after 5 seconds without a prompt, giving the original process time to exit before Del removes the dumped payload from %TEMP%, while the copy in %APPDATA%\Roaming\yzbekt.exe keeps running and is already persisted through the Run keys.
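The three host-side behaviours in this run (the njRAT-shaped Run values in HKCU and HKLM\...\Wow6432Node, the delayed cmd.exe / choice self-delete, and the DNS query for an ngrok TCP tunnel host) are each cheap to detect from endpoint telemetry. The script below is an added example, not part of the sandbox report: it assumes Sysmon-style records (Event ID 1 process creation with CommandLine, Event ID 13 registry value set with TargetObject and Details, Event ID 22 DNS query with QueryName). The event dicts are constructed by hand to mirror this report's IoCs plus a benign Run entry and a benign DNS lookup as negatives; they were not exported from a real host.

```python
"""Flag the host-side IoCs from this report in Sysmon-style events.

Added example, not part of the sandbox report. Field names follow Sysmon
Event IDs 1 (process create), 13 (registry value set) and 22 (DNS query);
the records in SAMPLE_EVENTS are constructed, not collected from a host.
"""
import re
from typing import Dict, Iterable, List

# njRAT Run value: a quoted path, one space, then ".." (seen for both Run keys above).
NJRAT_RUN_VALUE = re.compile(r'^"(?P<path>[^"]+)" \.\.$')
RUN_KEY = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE
)
# cmd.exe /C choice /C Y /N /D Y /T <n> & Del "<path>" : delayed self-delete.
SELF_DELETE = re.compile(
    r'choice\s+/C\s+Y\s+/N\s+/D\s+Y\s+/T\s+(?P<secs>\d+)\s*&\s*Del\s+"(?P<path>[^"]+)"',
    re.IGNORECASE,
)
# ngrok TCP tunnel endpoints: <n>.tcp.<region>.ngrok.io (region optional).
NGROK_TCP = re.compile(r"^\d+\.tcp\.(?:[a-z0-9-]+\.)?ngrok\.io$", re.IGNORECASE)


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Return one finding per matching event, naming the rule and the process."""
    findings: List[Dict] = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 13 and RUN_KEY.search(ev["TargetObject"]):
            m = NJRAT_RUN_VALUE.match(ev["Details"])
            findings.append({
                "rule": "njrat_run_key" if m else "run_key_write",
                "scope": ev["TargetObject"].split("\\", 1)[0],   # HKU or HKLM
                "path": m.group("path") if m else ev["Details"],
                "process": ev["Image"],
            })
        elif eid == 1:
            m = SELF_DELETE.search(ev["CommandLine"])
            if m:
                findings.append({
                    "rule": "delayed_self_delete",
                    "delay_s": int(m.group("secs")),
                    "path": m.group("path"),
                    "process": ev["Image"],
                })
        elif eid == 22 and NGROK_TCP.match(ev["QueryName"]):
            findings.append({"rule": "ngrok_tcp_tunnel", "host": ev["QueryName"], "process": ev["Image"]})
    return findings


# Constructed events mirroring the report's IoCs, plus two benign negatives.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Roaming\yzbekt.exe",
     "TargetObject": r"HKU\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\yzbekt.exe",
     "Details": r'"C:\Users\Admin\AppData\Roaming\yzbekt.exe" ..'},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Roaming\yzbekt.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yzbekt.exe",
     "Details": r'"C:\Users\Admin\AppData\Roaming\yzbekt.exe" ..'},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\updater.exe",   # ordinary Run entry, no " .."
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r'"C:\Program Files\Vendor\updater.exe" /background'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\1732-1-0x0000000000270000-0x0000000000286000-memory.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\choice.exe", "CommandLine": "choice /C Y /N /D Y /T 5"},
    {"EventID": 22, "Image": r"C:\Users\Admin\AppData\Roaming\yzbekt.exe", "QueryName": "0.tcp.eu.ngrok.io"},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe", "QueryName": "www.msftconnecttest.com"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The child choice.exe process on its own does not fire: the self-delete rule keys on the combination of the timed choice and the Del in one cmd.exe command line, which is where the intent is visible. Plain Run-key writes are reported at a lower-severity rule name so that the " .." shape, which is the njRAT-specific part, can be escalated separately.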
Network

DNS / flows: 0.tcp.eu.ngrok.io (flows 2, 6 and 14; see "Legitimate hosting services abused for malware hosting/C2" above). The extracted config's 127.0.0.1:14026 is not a reachable endpoint; block or alert on the ngrok tunnel hostname instead.

MITRE ATT&CK Enterprise v15

Technique mapping inferred from the signature names above:
- T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Adds Run key to start application)
- T1070.004 Indicator Removal: File Deletion (Deletes itself)
- T1614.001 System Location Discovery: System Language Discovery
- T1102 Web Service (Legitimate hosting services abused for malware hosting/C2)
- T1082 System Information Discovery (Enumerates physical storage devices)
Downloads

Filesize: 88KB
MD5: 57a6137708aa3c2866131919b12d17c2
SHA1: 4328e6c04348966ba9cb2a5f3883ccb51571cda8
SHA256: d8b284c741d37196fbf6fe4513bf457f158a65b1b649a71f12855669e6bbcbeb
SHA512: 80a4f19ef88327b8048ab075aeddc9cc8b1123db2fb1dbff5de4783c6a68b833e78c51ec0b87a0c6b626c7f8edf708e974693e088b84dc964891acac02cb493a

These hashes are identical to the submitted sample's (see General): the only file collected during the run is a byte-for-byte copy of the sample, consistent with yzbekt.exe being a straight copy into %APPDATA%\Roaming rather than a second-stage download.