Analysis
max time kernel: 150s
max time network: 145s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 08-12-2024 06:39

Tasks
- static1 (static task)
- behavioral1 (behavioral task): sample GorkerPrivate.exe, resource win7-20240729-en
- behavioral2 (behavioral task): sample GorkerPrivate.exe, resource win10v2004-20241007-en
General
Target: GorkerPrivate.exe
Size: 895KB
MD5: 533cfcfdbce621d1a75048ed80c82113
SHA1: b840f235522f8775e0f590d65580fc511c63762e
SHA256: 8f74d8dcb94fe2599559dee63511ed67eb75fa47cb8b75104002c4baca0e460e
SHA512: c2742323604eaf97df952e6082b20e747fb19c227670eccab58a2a329a24239577af1bb1454fb29b23cb7f0108a9eee9592deb51b462aa7dfbaba4bb6ec61668
SSDEEP: 6144:qt5IG6wZ9AI57tN0rBe6TM05wiBRju4h4/aOnzJRQuMIwy5zn98psF16TrG8PsTu:fYAI+rBjpOUREzLw2f1WrG8HXXQG
Malware Config
Extracted
Family: njrat
Version: 0.7d
Campaign ID: HacKed
C2: 9cpanel.hackcrack.io:3489
Windows Explorer (unlabeled in the extraction; same string as reg_key below)
- reg_key: Windows Explorer
- splitter: |'|'|
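The splitter and campaign ID above are what an analyst needs to make sense of this sample's C2 traffic. The following is an added example, not part of the sandbox report and not the malware's own code: it splits a byte stream into njRAT frames using the framing documented for the family (decimal payload length, a NUL byte, then the payload, with fields separated by the configured splitter) and checks whether a frame is a registration beacon carrying the `HacKed` campaign prefix. The sample stream is constructed; the field order of a real 0.7d registration message is an assumption.

```python
"""njRAT 0.7d frame parsing with the splitter recovered from this sample.

Added example, not from the report or the malware.  Framing as documented for
njRAT: each message is the decimal payload length, a NUL byte, then the
payload; fields inside the payload are separated by the configured splitter
(here |'|'|).  The registration frame below is constructed for illustration,
and the field order of a real 0.7d "ll" message is an assumption.
"""

SPLITTER = b"|'|'|"       # from the extracted config
CAMPAIGN_ID = b"HacKed"   # from the extracted config


def parse_frames(stream: bytes, splitter: bytes = SPLITTER):
    """Split a TCP byte stream into njRAT frames.

    Returns (frames, remainder): each frame is a list of byte-string fields,
    and remainder holds trailing bytes that do not yet form a whole frame so
    the caller can prepend them to the next read.
    """
    frames, pos = [], 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break                                   # length prefix incomplete
        length_text = stream[pos:nul]
        if not length_text.isdigit():
            raise ValueError(f"non-numeric length prefix at offset {pos}: {length_text!r}")
        start, end = nul + 1, nul + 1 + int(length_text)
        if end > len(stream):
            break                                   # payload incomplete
        frames.append(stream[start:end].split(splitter))
        pos = end
    return frames, stream[pos:]


def build_frame(fields, splitter: bytes = SPLITTER) -> bytes:
    """Inverse of parse_frames for one message; used here to construct test traffic."""
    payload = splitter.join(fields)
    return str(len(payload)).encode() + b"\x00" + payload


def is_campaign_beacon(fields, campaign: bytes = CAMPAIGN_ID) -> bool:
    """True if a frame looks like an 'll' registration whose victim ID carries the
    configured campaign prefix.  Assumed layout: command, then <campaign>_<hwid>."""
    return len(fields) >= 2 and fields[0] == b"ll" and fields[1].startswith(campaign + b"_")


# Constructed sample: a registration frame, a one-byte keep-alive frame, then the
# first bytes of a truncated third frame, as might sit in a receive buffer.
SAMPLE_STREAM = (
    build_frame([b"ll", b"HacKed_0123ABCD", b"WIN7-PC", b"Admin", b"0.7d"])
    + build_frame([b"P"])
    + b"12\x00inf|'"
)

if __name__ == "__main__":
    frames, rest = parse_frames(SAMPLE_STREAM)
    for fields in frames:
        print(fields, "<- campaign beacon" if is_campaign_beacon(fields) else "")
    print("unconsumed bytes:", rest)
```

Because the splitter is a per-build setting, a detection keyed on `|'|'|` alone will miss builds with a different splitter; pair it with the length-prefix framing, which is constant across 0.7d builds.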
Signatures

Njrat family

Modifies Windows Firewall (2 TTPs, 1 IoC)
- PID 988 netsh.exe

Executes dropped EXE (6 IoCs)
- PID 2676 Setup.exe
- PID 2728 Setup.exe
- PID 2220 Gorker Private .exe
- PID 3056 svchost.exe
- PID 1636 explorer.exe
- PID 796 explorer.exe

Adds Run key to start application (2 TTPs, 3 IoCs; value data shown unescaped)
- Set value (str) by Setup.exe: \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Corporation Security = C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
- Set value (str) by explorer.exe: \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" .
- Set value (str) by explorer.exe: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer = "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" .
The svchost.exe and explorer.exe referenced here are the dropped copies under %APPDATA%, not the Windows binaries; the value name "Windows Explorer" matches the reg_key in the extracted config.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
- Key opened by netsh.exe: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
- Key queried by netsh.exe: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
- Key value enumerated by netsh.exe: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh
Only reads of the NetSh key are recorded, no writes. netsh.exe enumerates this key on every start to load its helper DLLs, so this signature is a side effect of the firewall command below rather than evidence that the sample registered a helper DLL of its own.

Suspicious use of AdjustPrivilegeToken (27 IoCs, all by PID 796 explorer.exe)
- SeDebugPrivilege: enabled once
- Privilege 33 (reported by LUID only) and SeIncBasePriorityPrivilege: 13 times each, alternating

Suspicious use of WriteProcessMemory (24 IoCs; each parent/child pair is recorded three times)
- PID 2748 GorkerPrivate.exe -> PID 2676 Setup.exe
- PID 2748 GorkerPrivate.exe -> PID 2728 Setup.exe
- PID 2748 GorkerPrivate.exe -> PID 2220 Gorker Private .exe
- PID 2728 Setup.exe -> PID 3056 svchost.exe
- PID 2220 Gorker Private .exe -> PID 2812 WerFault.exe
- PID 3056 svchost.exe -> PID 1636 explorer.exe
- PID 1636 explorer.exe -> PID 796 explorer.exe
- PID 796 explorer.exe -> PID 988 netsh.exe
Processes
Indentation shows the parent/child level; the bracketed number is the depth in the tree. Every svchost.exe and explorer.exe here is a dropped copy under %APPDATA%, not the Windows binary of that name.

[1] C:\Users\Admin\AppData\Local\Temp\GorkerPrivate.exe (PID 2748)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\GorkerPrivate.exe"
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\Setup.exe (PID 2676)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      - Executes dropped EXE

  [2] C:\Users\Admin\AppData\Local\Temp\Setup.exe (PID 2728)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe (PID 3056)
        cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe (PID 1636)
          cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\explorer.exe"
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

        [5] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe (PID 796)
            cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\system32\netsh.exe (PID 988)
              cmdline: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL

  [2] C:\Users\Admin\AppData\Local\Temp\Gorker Private .exe (PID 2220)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Gorker Private .exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\WerFault.exe (PID 2812)
        cmdline: C:\Windows\system32\WerFault.exe -u -p 2220 -s 608
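The Run-key entries and the netsh command line above are the artifacts an analyst would turn into detections. The following is an added example, not part of the sandbox report: it applies three checks to those artifacts, a system-binary name (svchost.exe, explorer.exe) living outside a Windows directory, an autostart image under a user-writable AppData path, and a process adding a firewall exception for its own executable. The lists of binary names and system directories and the value-name heuristic are this example's own assumptions; the inputs in `REPORTED_RUN_VALUES` and `REPORTED_NETSH` are taken from the report, and the benign inputs used for comparison are constructed.

```python
"""Persistence and firewall-exception triage over the artifacts in this report.

Added example, not from the report.  The name lists and the heuristics are
assumptions chosen for illustration; the reported inputs are copied from the
report and the benign inputs are constructed.
"""
import re
from pathlib import PureWindowsPath

# Windows binary names that njRAT and similar families reuse for dropped payloads.
SYSTEM_BINARY_NAMES = {"svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}
# Parent directories where those names are legitimate (lower-cased, exact match).
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}

# 'netsh firewall add allowedprogram <quoted or bare path> ...'
NETSH_ALLOW = re.compile(
    r'netsh(?:\.exe)?\s+firewall\s+add\s+allowedprogram\s+(?:"([^"]+)"|(\S+))', re.I)


def image_path(value: str) -> str:
    """Executable path from a Run-key value.
    '"C:\\x\\a.exe" .' -> 'C:\\x\\a.exe'; 'C:\\x\\a.exe /arg' -> 'C:\\x\\a.exe'."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end != -1 else value[1:]
    return value.split(" ", 1)[0]


def check_run_value(name: str, value: str) -> list:
    """Findings for one Run-key value; an empty list means nothing suspicious."""
    path = PureWindowsPath(image_path(value))
    findings = []
    if path.name.lower() in SYSTEM_BINARY_NAMES and str(path.parent).lower() not in SYSTEM_DIRS:
        findings.append(f"{path.name} outside a Windows system directory: {path.parent}")
    if "\\appdata\\" in str(path).lower():
        findings.append("autostart image under a user-writable AppData path")
    # Weak signal on its own, useful only to corroborate the two above.
    if name.lower().startswith(("microsoft", "windows ")):
        findings.append(f"value name {name!r} imitates a Microsoft component")
    return findings


def check_netsh(cmdline: str, parent_image: str) -> list:
    """Findings for a netsh command line, given the image path of the process that ran it."""
    m = NETSH_ALLOW.search(cmdline)
    if not m:
        return []
    program = m.group(1) or m.group(2)
    findings = [f"firewall exception added for {program}"]
    if "\\appdata\\" in program.lower():
        findings.append("allowed program lives under AppData")
    if program.lower() == parent_image.lower():
        findings.append("parent process allow-listed its own executable")
    return findings


# Inputs copied from the report.
REPORTED_RUN_VALUES = [
    ("Microsoft Corporation Security",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe"),
    ("Windows Explorer",
     r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" .'),
]
REPORTED_NETSH = (
    r'netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE',
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe",   # image of PID 796
)

if __name__ == "__main__":
    for name, value in REPORTED_RUN_VALUES:
        print(name, "->", check_run_value(name, value))
    print("netsh ->", check_netsh(*REPORTED_NETSH))
```

The self-allow-listing check is the strongest of the three: a legitimate installer adds exceptions for the product it installs, while here the dropped explorer.exe (PID 796) adds the exception for its own image path.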
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Netsh Helper DLL (1)
Downloads

File 1
Filesize: 401KB
MD5: 55128e0a30d438cb5e4d85beb4d61d4f
SHA1: aa99199ae8d2e1471cb9ec3c8fc1c6cfb355c914
SHA256: 2a2e49592f82336a9d1a01fd190bc44e98b3caf17c05c046f06e8d4549d2930b
SHA512: 60fedb8c75623fdefd173dae60a1952520699e42acd58b1075303f3d93abad03a1235f19327cfc6204053a29e16ba6a4de14f3e6fc99667a5d0ac75afd283bc3

File 2
Filesize: 477KB
MD5: 0e6c9432cba1614fccc232f201028c72
SHA1: 6082cf9489faa785c066195f108548e705a6d407
SHA256: c9a2faffee3de29e278a89e54b07edb1f520f5e665480a1002d401fd83cde2e8
SHA512: c341000eb6f10c3ee1fb722914abb8ba2e1a3ab32a0ccdd92561c0604d58924699d3f9886b8bd03ab13223c9c78eef74045b181520298dba3323a2809c670abb

File 3
Filesize: 357KB
MD5: cff755ff758e9e71d0af34017a8e9d8e
SHA1: 8d401767360e61261cee79a18e061d9a0dc95724
SHA256: c4b3fdf0d7a1dc296560d0ca1f09ce89f3acbcab445fe5fcf5fe908ed3844be2
SHA512: a752a4ed0229cb7ee5a8b0768254f1acb89b1da876a7594952c75cffdb7b7990a45a335332144ae0ff06e0e0dd5e033a89fa29ed2355e2084bcc249e41a73052

File 4
Filesize: 339KB
MD5: 301e8d9a2445dd999ce816c17d8dbbb3
SHA1: b91163babeb738bd4d0f577ac764cee17fffe564
SHA256: 2ea1fa52a6896ce0100084e3696712d76b4d1e995ca0012954bae3107562a9eb
SHA512: 4941a820d26206fa3e333419622c3b07c8ebdaad51d1c6976df912e9ec123ad39a0c67fb5c3e362658f8463b366892fc4575d4cc2ebe62c2011d10ed5eb6bba3