Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 02-12-2024 15:24
Behavioral task: behavioral1
- Sample: Server.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: Server.exe
- Resource: win10v2004-20241007-en
General
- Target: Server.exe
- Size: 37KB
- MD5: 952ea2d47e241b1a82eeb265457c5644
- SHA1: 16048d925d1722c3a97bbbd0ab0dc05f169c1af7
- SHA256: c7a2ec6110cfa5ae4b53b2b854013459bcdba8fff179bf95e5b707a2e4b98427
- SHA512: 9001eaa366acab6c0574912215d18d73ee944482a469243a0e40dc340a6523b4ce58ea0ed18f232eac8813477f5918c649353da0abd32c57fc3735721be407ad
- SSDEEP: 384:Io66MizdTjnBhFbJ8ycP3h3hNwKaB0rAF+rMRTyN/0L+EcoinblneHQM3epzXaNg:36QTlLJfcP3hH9amrM+rMRa8NuQWt
Malware Config
Extracted: njrat
- Version: im523
- Botnet: HacKed
- C2: cnet-contracting.gl.at.ply.gg:10206
- Mutex: 3eec6dad022c4e8fee29e905fa2de108
- reg_key: 3eec6dad022c4e8fee29e905fa2de108
- splitter: |'|'|
Signatures
- Njrat family
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Server.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe
- Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings | rundll32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2776 | AcroRd32.exe
  2776 | AcroRd32.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 2472 wrote to memory of 3040 | 2472 | Server.exe | 30 (7 identical entries)
  PID 3040 wrote to memory of 2776 | 3040 | rundll32.exe | 31 (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Server.exe (PID 2472)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 3040)
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Celex
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2776)
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Celex"
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 37KB
  MD5: 952ea2d47e241b1a82eeb265457c5644
  SHA1: 16048d925d1722c3a97bbbd0ab0dc05f169c1af7
  SHA256: c7a2ec6110cfa5ae4b53b2b854013459bcdba8fff179bf95e5b707a2e4b98427
  SHA512: 9001eaa366acab6c0574912215d18d73ee944482a469243a0e40dc340a6523b4ce58ea0ed18f232eac8813477f5918c649353da0abd32c57fc3735721be407ad
- Filesize: 3KB
  MD5: fc60904885c2d009818b97ea33181dd2
  SHA1: f40489cafaed00ce59b6c03bb17e660120bf645c
  SHA256: d44d551affb71fac9df320e4c26ce80b5906cd3717539a26c37709f9b0c2a0a4
  SHA512: 97c1bbb6251e547e2da406833d59a15016293fea81477ad1956bc3206b985aa072e1587e8dbb4876f3c05cb1a429653517f3c51800c1544a95f9522d82a1bc07