Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
02-12-2024 15:15
Behavioral task
behavioral1
Sample
Server.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Server.exe
Resource
win10v2004-20241007-en
General
-
Target
Server.exe
-
Size
23KB
-
MD5
eec3e4c86729b800330a8b0312478e58
-
SHA1
93110b4284258f34d73a14c329623be1f1cffb9c
-
SHA256
4e9e0a6041a348e713a6b919cb7f2e0754dd22cb046e1b1ef0e222543038e9ab
-
SHA512
e0cf6aa0110de1eed199ed0c63c5622067f20347ed66a12fb8933b92935699687ecc690ca2d7146a6ceee3f0431563d53c4d988a40dfa8ea29adde5ea5a52a25
-
SSDEEP
384:qYmdk8XvCJrQLdRGSiEYo7Y65gPyx6BDXNRmRvR6JZlbw8hqIusZzZy3ly:9wWkti8aeRpcnuL0
Malware Config
Signatures
-
Njrat family
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 5096 netsh.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cf2a6cabb60ab913a0c3e3caa2c47947 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .." Server.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cf2a6cabb60ab913a0c3e3caa2c47947 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .." Server.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe -
Suspicious use of AdjustPrivilegeToken 35 IoCs
description pid Process Token: SeDebugPrivilege 2084 Server.exe Token: 33 2084 Server.exe Token: SeIncBasePriorityPrivilege 2084 Server.exe Token: 33 2084 Server.exe Token: SeIncBasePriorityPrivilege 2084 Server.exe Token: 33 2084 Server.exe Token: SeIncBasePriorityPrivilege 2084 Server.exe Token: 33 2084 Server.exe Token: SeIncBasePriorityPrivilege 2084 Server.exe Token: 33 2084 Server.exe Token: SeIncBasePriorityPrivilege 2084 Server.exe Token: 33 2084 Server.exe Token: SeIncBasePriorityPrivilege 2084 Server.exe Token: 33 2084 Server.exe Token: SeIncBasePriorityPrivilege 2084 Server.exe Token: 33 2084 Server.exe Token: SeIncBasePriorityPrivilege 2084 Server.exe Token: 33 2084 Server.exe Token: SeIncBasePriorityPrivilege 2084 Server.exe Token: 33 2084 Server.exe Token: SeIncBasePriorityPrivilege 2084 Server.exe Token: 33 2084 Server.exe Token: SeIncBasePriorityPrivilege 2084 Server.exe Token: 33 2084 Server.exe Token: SeIncBasePriorityPrivilege 2084 Server.exe Token: 33 2084 Server.exe Token: SeIncBasePriorityPrivilege 2084 Server.exe Token: 33 2084 Server.exe Token: SeIncBasePriorityPrivilege 2084 Server.exe Token: 33 2084 Server.exe Token: SeIncBasePriorityPrivilege 2084 Server.exe Token: 33 2084 Server.exe Token: SeIncBasePriorityPrivilege 2084 Server.exe Token: 33 2084 Server.exe Token: SeIncBasePriorityPrivilege 2084 Server.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2084 wrote to memory of 5096 2084 Server.exe 86 PID 2084 wrote to memory of 5096 2084 Server.exe 86 PID 2084 wrote to memory of 5096 2084 Server.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:5096
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1