Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 02-12-2024 15:27
Behavioral task behavioral1: sample Server.exe, resource win7-20240903-en
Behavioral task behavioral2: sample Server.exe, resource win10v2004-20241007-en
(The details below are from the windows7_x64 run, behavioral1.)
General
Target: Server.exe
Size: 37KB
MD5: 952ea2d47e241b1a82eeb265457c5644
SHA1: 16048d925d1722c3a97bbbd0ab0dc05f169c1af7
SHA256: c7a2ec6110cfa5ae4b53b2b854013459bcdba8fff179bf95e5b707a2e4b98427
SHA512: 9001eaa366acab6c0574912215d18d73ee944482a469243a0e40dc340a6523b4ce58ea0ed18f232eac8813477f5918c649353da0abd32c57fc3735721be407ad
SSDEEP: 384:Io66MizdTjnBhFbJ8ycP3h3hNwKaB0rAF+rMRTyN/0L+EcoinblneHQM3epzXaNg:36QTlLJfcP3hH9amrM+rMRa8NuQWt
Malware Config
Extracted
family: njrat
version: im523
botnet: HacKed
C2: cnet-contracting.gl.at.ply.gg:10206
mutex: 3eec6dad022c4e8fee29e905fa2de108
reg_key: 3eec6dad022c4e8fee29e905fa2de108
splitter: |'|'|
Note: the page names only reg_key and splitter; the labels version, botnet, C2 and mutex for the four unlabeled values are inferred from the order in which the njrat extractor reports its fields. The C2 host sits under ply.gg, the tunnelling domain of the playit.gg relay service, so the address that receives the beacon is a relay and the operator's own endpoint is not visible from this report. Alert on the hostname together with port 10206 rather than on a resolved IP, which a tunnel can change at any time. The mutex and reg_key share one value, so a single check for 3eec6dad022c4e8fee29e905fa2de108 in either place identifies this build.
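The splitter in the extracted config is only useful once you know how njRAT puts it on the wire. The following is an added example, not code from the sandbox report or from njRAT itself: it frames and parses messages the way njRAT's controller protocol does (an ASCII decimal payload length, a NUL byte, then fields joined by the configured splitter). The registration command name "ll", the "<botnet>_<hwid>" shape of the victim id and every sample field value are assumptions made for illustration; only the splitter, botnet tag and C2 come from the config above.

```python
"""njRAT C2 message framing built from the extracted config above.

Added example; not code from the sandbox report or from njRAT. It relies on
njRAT framing each message as "<decimal payload length><NUL><payload>" and
separating fields inside the payload with the configured splitter. The "ll"
registration command, the "<botnet>_<hwid>" victim-id shape and the sample
field values are illustrative assumptions.
"""
import re

SPLITTER = "|'|'|"                             # from the extracted config
BOTNET = "HacKed"                              # from the extracted config
C2 = ("cnet-contracting.gl.at.ply.gg", 10206)  # from the extracted config

# A frame starts with the payload length in ASCII digits followed by a NUL byte.
_FRAME_HDR = re.compile(rb"(\d+)\x00")


def frame(fields):
    """Build one framed message from a list of string fields."""
    payload = SPLITTER.join(fields).encode("utf-8")
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_stream(data):
    """Split a TCP byte stream into (command, args) tuples.

    Returns (messages, leftover). A frame whose declared length runs past the
    end of the buffer is left in `leftover` so the caller can append more data
    and call again; bytes that do not start with a frame header stop parsing.
    """
    messages, pos = [], 0
    while pos < len(data):
        hdr = _FRAME_HDR.match(data, pos)
        if hdr is None:
            break                              # not njRAT framing
        start = hdr.end()
        end = start + int(hdr.group(1))
        if end > len(data):
            break                              # incomplete frame, keep it
        fields = data[start:end].decode("utf-8", errors="replace").split(SPLITTER)
        messages.append((fields[0], fields[1:]))
        pos = end
    return messages, data[pos:]


def is_registration(command, args):
    """Assumed check: an "ll" message whose victim id carries this botnet tag."""
    return command == "ll" and bool(args) and args[0].startswith(BOTNET + "_")


# Constructed sample traffic: two complete frames plus the start of a third.
SAMPLE = (
    frame(["ll", BOTNET + "_3EEC6DAD", "WIN7-PC", "Admin"])  # victim id is made up
    + frame(["inf"])
    + b"12\x00ll|'|'|Ha"
)

if __name__ == "__main__":
    msgs, rest = parse_stream(SAMPLE)
    for cmd, args in msgs:
        print(cmd, args, "<- registration" if is_registration(cmd, args) else "")
    print("leftover bytes:", rest)
```

Run the same parser over a reassembled TCP stream to the C2 above: a payload that splits on |'|'| and whose first message is a registration carrying the HacKed_ prefix ties the traffic to this build, while the length-prefix check keeps unrelated traffic to the same relay host from matching.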
Signatures
Njrat family
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AcroRd32.exe
Note: every process in the tree opens this key, including the legitimate rundll32.exe and AcroRd32.exe; reading NLS\Language is routine Windows locale lookup, so on its own this signature is weak evidence of deliberate geolocation by the sample.
Modifies registry class (7 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\_auto_file\shell\Read | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\_auto_file\shell | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\_auto_file\shell\Read\command | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\_auto_file | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\_auto_file\ | rundll32.exe
Note: the _auto_file ProgID under the user's Classes hive is what the shell's Open With dialog (shell32.dll,OpenAs_RunDLL, which Server.exe launches in the process tree below) writes when a handler is chosen for a file that has no extension; here Temp\Celex was associated with Adobe Reader 9.0. These keys are a side effect of the decoy open, not the RAT's persistence: the reg_key value from the extracted config does not appear in any recorded registry event.
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
2744 | AcroRd32.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2744 | AcroRd32.exe
2744 | AcroRd32.exe
Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target | occurrences
PID 1764 wrote to memory of 2944 | 1764 | Server.exe | 31 | 7 identical events
PID 2944 wrote to memory of 2744 | 2944 | rundll32.exe | 32 | 4 identical events
Note: procid_target is the sandbox's own process index, not a Windows PID. Both rows are a parent writing into the child it has just created, matching the process tree below; no write into an unrelated process is recorded, so this is not by itself evidence of injection.
Processes
1. C:\Users\Admin\AppData\Local\Temp\Server.exe (PID 1764)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 2944, child of 1764)
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Celex
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2744, child of 2944)
         Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Celex"
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of SetWindowsHookEx
Notes: the command line names system32 but the image that ran is SysWOW64\rundll32.exe; Server.exe is 32-bit (arch:x86 in the resource tags), so WOW64 file-system redirection served the 32-bit rundll32. Server.exe opens the shell's Open With dialog (shell32.dll,OpenAs_RunDLL) on an extensionless file, Celex, in the same Temp directory, consistent with showing the user a decoy document while the RAT runs; the dialog then hands the file to Adobe Reader 9.0. The Network section of this report carries no entries, so the extracted C2 is not corroborated by captured traffic on this page.
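The chain above (a binary in the user's Temp directory starting rundll32.exe with shell32.dll,OpenAs_RunDLL, which in turn spawns a document viewer) is a good hunting query for any telemetry that records process creation with parent links. The following is an added detection example, not code from the sandbox report: the first three event records mirror the report's process tree, the explorer.exe pair is a constructed benign control (a user opening the same Open With dialog by hand, which must not fire), and the record field names pid, ppid, image and cmdline are an assumption about your process-creation telemetry such as Sysmon event ID 1.

```python
"""Detect the rundll32 OpenAs_RunDLL decoy-open chain from the process tree.

Added example; not code from the sandbox report. The three Server.exe,
rundll32.exe and AcroRd32.exe records mirror the report; the explorer.exe
records are a constructed benign control. Field names (pid, ppid, image,
cmdline) are an assumption about the process-creation telemetry in use.
"""
import ntpath
import re

# A parent image under one of these directories makes an Open With launch suspicious.
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Downloads|Public)\\", re.IGNORECASE)
# rundll32 command line that invokes the shell's Open With dialog on a file.
OPENAS = re.compile(r"shell32\.dll,\s*OpenAs_RunDLL\s+(?P<target>.+)$", re.IGNORECASE)

EVENTS = [
    {"pid": 1764, "ppid": 1100,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Server.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Server.exe"'},
    {"pid": 2944, "ppid": 1764,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Celex'},
    {"pid": 2744, "ppid": 2944,
     "image": r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe",
     "cmdline": r'"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Celex"'},
    # Constructed benign control: the user right-clicks a file and picks Open With.
    {"pid": 4100, "ppid": 900,
     "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 4200, "ppid": 4100,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Documents\notes'},
]


def lineage(index, pid):
    """Walk parent links and return 'child <- parent <- ...' by image name."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(index[pid]["image"]))
        pid = index[pid]["ppid"]
    return " <- ".join(chain)


def detect_openas_decoy(events):
    """Return one alert per rundll32 OpenAs_RunDLL launch whose parent runs
    from a user-writable directory, with the handler process(es) it spawned."""
    index = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "rundll32.exe":
            continue
        m = OPENAS.search(e["cmdline"])
        if m is None:
            continue
        parent = index.get(e["ppid"])
        if parent is None or not USER_WRITABLE.search(parent["image"]):
            continue                      # explorer.exe and friends: normal Open With use
        target = m.group("target").strip().strip('"')
        handlers = [ntpath.basename(c["image"]) for c in events if c["ppid"] == e["pid"]]
        alerts.append({
            "pid": e["pid"],
            "parent": parent["image"],
            "decoy": target,
            "decoy_has_extension": bool(ntpath.splitext(target)[1]),
            "handlers": handlers,
            "lineage": lineage(index, e["pid"]),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_openas_decoy(EVENTS):
        print(alert)
```

The parent-directory check is what keeps the rule quiet: OpenAs_RunDLL is launched by explorer.exe every time a user picks Open With, so the signal is the launching process living in Temp, AppData or Downloads, and the extensionless target (decoy_has_extension is False) is a second indicator worth scoring, since a document an attacker wants opened by a chosen viewer rarely carries a real extension.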
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1 (the submitted sample; hashes match the General section above)
Filesize: 37KB
MD5: 952ea2d47e241b1a82eeb265457c5644
SHA1: 16048d925d1722c3a97bbbd0ab0dc05f169c1af7
SHA256: c7a2ec6110cfa5ae4b53b2b854013459bcdba8fff179bf95e5b707a2e4b98427
SHA512: 9001eaa366acab6c0574912215d18d73ee944482a469243a0e40dc340a6523b4ce58ea0ed18f232eac8813477f5918c649353da0abd32c57fc3735721be407ad
File 2 (name not given on this page)
Filesize: 3KB
MD5: a30df1506369ba6e85dc91149a1d5fce
SHA1: 2dcea877d948e39afc4ad7ba763b7e76acce49e7
SHA256: 91e2f729add2eeaf90315d2e962b4d3b60f9c326ff0b3e581df809bee38f7793
SHA512: 51bcc4cff77b372ec632c261678aba59c7a4f2d4a9c4d5c153dff1e882256009cf2054ee74266fdc1388ef4e7a1b688367d7feadbeb9b60b20088e6043f2dd17