Analysis

max time kernel: 119s
max time network: 116s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-12-2024 13:55

Static task: static1

Behavioral task: behavioral1
  Sample: 739005ddcf4e566a01a2ec1dc3c35182c14d410b8945c072ddaf8d0af89bf2afN.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 739005ddcf4e566a01a2ec1dc3c35182c14d410b8945c072ddaf8d0af89bf2afN.exe
  Resource: win10v2004-20241007-en
General

Target: 739005ddcf4e566a01a2ec1dc3c35182c14d410b8945c072ddaf8d0af89bf2afN.exe
Size: 119KB
MD5: caff93afd132a28e1bd4ab2cfb4b8560
SHA1: e7ee8d13f67782a01fd23116c63a5bff06993f0e
SHA256: 739005ddcf4e566a01a2ec1dc3c35182c14d410b8945c072ddaf8d0af89bf2af
SHA512: 4bacc59fffa80e17c758747cda7bb17ee832a800ea4ce253bccb1e4511f43422b2d10b0e752848d56c8da5fb6e1e560b3318ee6a518ca90f5212aa4d927c5f52
SSDEEP: 3072:8ZhHgkuihetm9lIiDP1TWU/rTWpYn1FdvzmIxdwbECAjIxVWj/:8XH392igU//Wo1FRQbEJjIij/
Malware Config

Signatures

Njrat family

Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid   Process
  2192  netsh.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
  description        ioc                                                                                              Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation  739005ddcf4e566a01a2ec1dc3c35182c14d410b8945c072ddaf8d0af89bf2afN.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation  Encryptado.exe

Executes dropped EXE (2 IoCs)
  pid   Process
  3536  Encryptado.exe
  2876  CCleaner.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                                                         Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\50c56171c4e59c7d0e806bb89afce844 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner.exe\" .."  CCleaner.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\50c56171c4e59c7d0e806bb89afce844 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\CCleaner.exe\" .."                 CCleaner.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description           ioc                                                  Process
  Key opened            \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  netsh.exe
  Key queried           \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  netsh.exe
  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  netsh.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                       Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  739005ddcf4e566a01a2ec1dc3c35182c14d410b8945c072ddaf8d0af89bf2afN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Encryptado.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  CCleaner.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  netsh.exe

Suspicious use of AdjustPrivilegeToken (27 IoCs)
  description                         pid   Process
  Token: SeDebugPrivilege             2876  CCleaner.exe
  Token: 33                           2876  CCleaner.exe
  Token: SeIncBasePriorityPrivilege   2876  CCleaner.exe
  Token: 33                           2876  CCleaner.exe
  Token: SeIncBasePriorityPrivilege   2876  CCleaner.exe
  Token: 33                           2876  CCleaner.exe
  Token: SeIncBasePriorityPrivilege   2876  CCleaner.exe
  Token: 33                           2876  CCleaner.exe
  Token: SeIncBasePriorityPrivilege   2876  CCleaner.exe
  Token: 33                           2876  CCleaner.exe
  Token: SeIncBasePriorityPrivilege   2876  CCleaner.exe
  Token: 33                           2876  CCleaner.exe
  Token: SeIncBasePriorityPrivilege   2876  CCleaner.exe
  Token: 33                           2876  CCleaner.exe
  Token: SeIncBasePriorityPrivilege   2876  CCleaner.exe
  Token: 33                           2876  CCleaner.exe
  Token: SeIncBasePriorityPrivilege   2876  CCleaner.exe
  Token: 33                           2876  CCleaner.exe
  Token: SeIncBasePriorityPrivilege   2876  CCleaner.exe
  Token: 33                           2876  CCleaner.exe
  Token: SeIncBasePriorityPrivilege   2876  CCleaner.exe
  Token: 33                           2876  CCleaner.exe
  Token: SeIncBasePriorityPrivilege   2876  CCleaner.exe
  Token: 33                           2876  CCleaner.exe
  Token: SeIncBasePriorityPrivilege   2876  CCleaner.exe
  Token: 33                           2876  CCleaner.exe
  Token: SeIncBasePriorityPrivilege   2876  CCleaner.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                          pid   Process                                                                 procid_target
  PID 4264 wrote to memory of 3536     4264  739005ddcf4e566a01a2ec1dc3c35182c14d410b8945c072ddaf8d0af89bf2afN.exe  82
  PID 4264 wrote to memory of 3536     4264  739005ddcf4e566a01a2ec1dc3c35182c14d410b8945c072ddaf8d0af89bf2afN.exe  82
  PID 4264 wrote to memory of 3536     4264  739005ddcf4e566a01a2ec1dc3c35182c14d410b8945c072ddaf8d0af89bf2afN.exe  82
  PID 3536 wrote to memory of 2876     3536  Encryptado.exe                                                          87
  PID 3536 wrote to memory of 2876     3536  Encryptado.exe                                                          87
  PID 3536 wrote to memory of 2876     3536  Encryptado.exe                                                          87
  PID 2876 wrote to memory of 2192     2876  CCleaner.exe                                                            91
  PID 2876 wrote to memory of 2192     2876  CCleaner.exe                                                            91
  PID 2876 wrote to memory of 2192     2876  CCleaner.exe                                                            91
Processes

1. C:\Users\Admin\AppData\Local\Temp\739005ddcf4e566a01a2ec1dc3c35182c14d410b8945c072ddaf8d0af89bf2afN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\739005ddcf4e566a01a2ec1dc3c35182c14d410b8945c072ddaf8d0af89bf2afN.exe"
   PID: 4264
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Encryptado.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Encryptado.exe"
      PID: 3536
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\CCleaner.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\CCleaner.exe"
         PID: 2876
         - Executes dropped EXE
         - Adds Run key to start application
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\CCleaner.exe" "CCleaner.exe" ENABLE
            PID: 2192
            - Modifies Windows Firewall
            - Event Triggered Execution: Netsh Helper DLL
            - System Location Discovery: System Language Discovery
Network

MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)

Defense Evasion
  Impair Defenses (1)
    Disable or Modify System Firewall (1)
  Modify Registry (1)
Downloads

Filesize: 23KB
MD5: f58160012fc4d8020a715a863eccf38c
SHA1: 0bbf87929058755b44b5b62853db51d9b58ae491
SHA256: 17abbf270d47965cc81f2ab200d015ca14f3d1d2a189744cb017f9452e7f610e
SHA512: bd6101c307f8c6a0c993aa173c0f596bd9d762a560b6f6e4f3f5700280ba2269f0340c006312ee40727a640790aa13ac12f2fe2341271866dcfb2535d4060c0a