Analysis
-
max time kernel
149s -
max time network
146s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
02-12-2024 15:05
Behavioral task
behavioral1
Sample
Server.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
Server.exe
Resource
win10ltsc2021-20241023-en
General
-
Target
Server.exe
-
Size
23KB
-
MD5
eec3e4c86729b800330a8b0312478e58
-
SHA1
93110b4284258f34d73a14c329623be1f1cffb9c
-
SHA256
4e9e0a6041a348e713a6b919cb7f2e0754dd22cb046e1b1ef0e222543038e9ab
-
SHA512
e0cf6aa0110de1eed199ed0c63c5622067f20347ed66a12fb8933b92935699687ecc690ca2d7146a6ceee3f0431563d53c4d988a40dfa8ea29adde5ea5a52a25
-
SSDEEP
384:qYmdk8XvCJrQLdRGSiEYo7Y65gPyx6BDXNRmRvR6JZlbw8hqIusZzZy3ly:9wWkti8aeRpcnuL0
Malware Config
Signatures
-
Njrat family
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 3760 netsh.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cf2a6cabb60ab913a0c3e3caa2c47947 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .." Server.exe Set value (str) \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cf2a6cabb60ab913a0c3e3caa2c47947 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .." Server.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Suspicious use of AdjustPrivilegeToken 35 IoCs
description pid Process Token: SeDebugPrivilege 2012 Server.exe Token: 33 2012 Server.exe Token: SeIncBasePriorityPrivilege 2012 Server.exe Token: 33 2012 Server.exe Token: SeIncBasePriorityPrivilege 2012 Server.exe Token: 33 2012 Server.exe Token: SeIncBasePriorityPrivilege 2012 Server.exe Token: 33 2012 Server.exe Token: SeIncBasePriorityPrivilege 2012 Server.exe Token: 33 2012 Server.exe Token: SeIncBasePriorityPrivilege 2012 Server.exe Token: 33 2012 Server.exe Token: SeIncBasePriorityPrivilege 2012 Server.exe Token: 33 2012 Server.exe Token: SeIncBasePriorityPrivilege 2012 Server.exe Token: 33 2012 Server.exe Token: SeIncBasePriorityPrivilege 2012 Server.exe Token: 33 2012 Server.exe Token: SeIncBasePriorityPrivilege 2012 Server.exe Token: 33 2012 Server.exe Token: SeIncBasePriorityPrivilege 2012 Server.exe Token: 33 2012 Server.exe Token: SeIncBasePriorityPrivilege 2012 Server.exe Token: 33 2012 Server.exe Token: SeIncBasePriorityPrivilege 2012 Server.exe Token: 33 2012 Server.exe Token: SeIncBasePriorityPrivilege 2012 Server.exe Token: 33 2012 Server.exe Token: SeIncBasePriorityPrivilege 2012 Server.exe Token: 33 2012 Server.exe Token: SeIncBasePriorityPrivilege 2012 Server.exe Token: 33 2012 Server.exe Token: SeIncBasePriorityPrivilege 2012 Server.exe Token: 33 2012 Server.exe Token: SeIncBasePriorityPrivilege 2012 Server.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2012 wrote to memory of 3760 2012 Server.exe 85 PID 2012 wrote to memory of 3760 2012 Server.exe 85 PID 2012 wrote to memory of 3760 2012 Server.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3760
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1