Overview
overview
10Static
static
1015a83de318...fa.exe
windows7-x64
615a83de318...fa.exe
windows10-2004-x64
6304f9bc7de...1b.exe
windows7-x64
10304f9bc7de...1b.exe
windows10-2004-x64
1043087ea949...eb.exe
windows7-x64
1043087ea949...eb.exe
windows10-2004-x64
1061bb2c746d...fd.exe
windows7-x64
1061bb2c746d...fd.exe
windows10-2004-x64
1078ae7a93d9...b6.exe
windows7-x64
1078ae7a93d9...b6.exe
windows10-2004-x64
10878487e25e...53.exe
windows7-x64
10878487e25e...53.exe
windows10-2004-x64
10922135a10e...54.exe
windows7-x64
10922135a10e...54.exe
windows10-2004-x64
1098e12d1098...ad.exe
windows7-x64
1098e12d1098...ad.exe
windows10-2004-x64
10b67bc3d957...8f.exe
windows7-x64
8b67bc3d957...8f.exe
windows10-2004-x64
8Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07-11-2024 06:54
Behavioral task
behavioral1
Sample
15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b.exe
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6.exe
Resource
win7-20240729-en
Behavioral task
behavioral10
Sample
78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
b67bc3d9578e037d7cf91795a1015008d2ee5629c5b8089a16ae3d3bac92168f.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
b67bc3d9578e037d7cf91795a1015008d2ee5629c5b8089a16ae3d3bac92168f.exe
Resource
win10v2004-20241007-en
General
-
Target
61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe
-
Size
1.4MB
-
MD5
c58f3effb9efb892109332a676aae546
-
SHA1
c1dced7e3e3b49f23cc0125589cc5b29d4055924
-
SHA256
61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd
-
SHA512
9c9329df603ad34b10437fc6313d61d273b603996a82f88e0d57af9e50ea86bb0cbb2134a3d4905b40fd73cd40222235739f4140cf4de19a3bea352af947adec
-
SSDEEP
24576:a27mrhic6gvYbAKsy5Ulh3iXWl9557sK6X3ZO0GinMSvTNWfshnGmg/ykTPnewlm:anrhr/vAcWKv6X3o0GQN0s/g/ybDT
Malware Config
Signatures
-
Njrat family
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 864 netsh.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation 61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation iFjR7vUJjT.exe -
Executes dropped EXE 2 IoCs
pid Process 3676 iFjR7vUJjT.exe 4532 server.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\602fdca88735a1a1338352d8ae49ef80 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\602fdca88735a1a1338352d8ae49ef80 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." server.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 21 8.tcp.ngrok.io 50 8.tcp.ngrok.io 69 8.tcp.ngrok.io -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1712 2912 WerFault.exe 82 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iFjR7vUJjT.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 2912 61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe 2912 61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe 2912 61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe 2912 61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe 2912 61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe 2912 61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe 2912 61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe 2912 61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe 2912 61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe 2912 61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe 2912 61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe 2912 61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe -
Suspicious use of AdjustPrivilegeToken 34 IoCs
description pid Process Token: SeDebugPrivilege 2912 61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe Token: SeDebugPrivilege 4532 server.exe Token: 33 4532 server.exe Token: SeIncBasePriorityPrivilege 4532 server.exe Token: 33 4532 server.exe Token: SeIncBasePriorityPrivilege 4532 server.exe Token: 33 4532 server.exe Token: SeIncBasePriorityPrivilege 4532 server.exe Token: 33 4532 server.exe Token: SeIncBasePriorityPrivilege 4532 server.exe Token: 33 4532 server.exe Token: SeIncBasePriorityPrivilege 4532 server.exe Token: 33 4532 server.exe Token: SeIncBasePriorityPrivilege 4532 server.exe Token: 33 4532 server.exe Token: SeIncBasePriorityPrivilege 4532 server.exe Token: 33 4532 server.exe Token: SeIncBasePriorityPrivilege 4532 server.exe Token: 33 4532 server.exe Token: SeIncBasePriorityPrivilege 4532 server.exe Token: 33 4532 server.exe Token: SeIncBasePriorityPrivilege 4532 server.exe Token: 33 4532 server.exe Token: SeIncBasePriorityPrivilege 4532 server.exe Token: 33 4532 server.exe Token: SeIncBasePriorityPrivilege 4532 server.exe Token: 33 4532 server.exe Token: SeIncBasePriorityPrivilege 4532 server.exe Token: 33 4532 server.exe Token: SeIncBasePriorityPrivilege 4532 server.exe Token: 33 4532 server.exe Token: SeIncBasePriorityPrivilege 4532 server.exe Token: 33 4532 server.exe Token: SeIncBasePriorityPrivilege 4532 server.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2912 wrote to memory of 3676 2912 61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe 86 PID 2912 wrote to memory of 3676 2912 61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe 86 PID 2912 wrote to memory of 3676 2912 61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe 86 PID 3676 wrote to memory of 4532 3676 iFjR7vUJjT.exe 95 PID 3676 wrote to memory of 4532 3676 iFjR7vUJjT.exe 95 PID 3676 wrote to memory of 4532 3676 iFjR7vUJjT.exe 95 PID 4532 wrote to memory of 864 4532 server.exe 98 PID 4532 wrote to memory of 864 4532 server.exe 98 PID 4532 wrote to memory of 864 4532 server.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe"C:\Users\Admin\AppData\Local\Temp\61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Users\Admin\AppData\Local\Temp\iFjR7vUJjT.exe"C:\Users\Admin\AppData\Local\Temp\iFjR7vUJjT.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:864
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 20762⤵
- Program crash
PID:1712
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2912 -ip 29121⤵PID:1708
Network
-
Remote address:8.8.8.8:53Request154.239.44.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request83.210.23.2.in-addr.arpaIN PTRResponse83.210.23.2.in-addr.arpaIN PTRa2-23-210-83deploystaticakamaitechnologiescom
-
DNSipv4bot.whatismyipaddress.com61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exeRemote address:8.8.8.8:53Requestipv4bot.whatismyipaddress.comIN AResponse
-
Remote address:8.8.8.8:53Request17.160.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request13.86.106.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request8.tcp.ngrok.ioIN AResponse8.tcp.ngrok.ioIN A13.58.157.220
-
Remote address:8.8.8.8:53Request197.87.175.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request206.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request69.208.201.84.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request8.tcp.ngrok.ioIN AResponse8.tcp.ngrok.ioIN A13.58.157.220
-
Remote address:8.8.8.8:53Request21.236.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request8.tcp.ngrok.ioIN AResponse8.tcp.ngrok.ioIN A13.58.157.220
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
104 B 80 B 2 2
-
72 B 158 B 1 1
DNS Request
154.239.44.20.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
83.210.23.2.in-addr.arpa
-
8.8.8.8:53ipv4bot.whatismyipaddress.comdns61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe75 B 134 B 1 1
DNS Request
ipv4bot.whatismyipaddress.com
-
72 B 158 B 1 1
DNS Request
17.160.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
13.86.106.20.in-addr.arpa
-
60 B 76 B 1 1
DNS Request
8.tcp.ngrok.io
DNS Response
13.58.157.220
-
71 B 157 B 1 1
DNS Request
197.87.175.4.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
206.23.85.13.in-addr.arpa
-
72 B 132 B 1 1
DNS Request
69.208.201.84.in-addr.arpa
-
60 B 76 B 1 1
DNS Request
8.tcp.ngrok.io
DNS Response
13.58.157.220
-
72 B 158 B 1 1
DNS Request
21.236.111.52.in-addr.arpa
-
60 B 76 B 1 1
DNS Request
8.tcp.ngrok.io
DNS Response
13.58.157.220
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD5059302e210a714b3cebd8c6400d7d12e
SHA1eed4e297cdffff9815bf456e4f237b699b33de6d
SHA2567b49bca136184f784b52ca6499108288da623944a0a97eff19e3318364a0a999
SHA5125ae9f86dc384be6d7acb085132846ef690d0e069f43837e8e9edb89558bfb8c3a5232e47332df10b79ee8df2e4e84c509386c5fbb9f8b5a7659ff8cacb1a4dcc