Analysis
-
max time kernel
25s -
max time network
24s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
08-12-2024 16:52
Behavioral task
behavioral1
Sample
Payload.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
Payload.exe
Resource
win10v2004-20241007-en
General
-
Target
Payload.exe
-
Size
55KB
-
MD5
5c56be92df69c8add408d506c5532239
-
SHA1
0dad011e6ddbd559d30217bf8b9da634a72c2023
-
SHA256
b58ab675e6430d8d9eeb6d316a635f5eb62fb19cd1120b3d1376136df5c8a44e
-
SHA512
85ebfc2be987a011bb4db28842a90a7be26560ee843600f0b39b0805980ba27cc00db7cd635305dfdeecb6333576c6ba501fe0f79d56f0cbe8eaa12ecc3560cf
-
SSDEEP
1536:qPsoDnb4DNQ7SCCHDrwsNMDxXExI3pm9m:noDnEWOrHDrwsNMDxXExI3pm
Malware Config
Extracted
njrat
<- NjRAT 0.7d Horror Edition ->
Victim
youth-latex.gl.at.ply.gg:56149
4c4f4a71cf4fc204c1ef58ead9ffcdec
-
reg_key
4c4f4a71cf4fc204c1ef58ead9ffcdec
-
splitter
Y262SUCZ4UJJ
Signatures
-
Njrat family
-
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4c4f4a71cf4fc204c1ef58ead9ffcdec.exe dllhost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4c4f4a71cf4fc204c1ef58ead9ffcdec.exe dllhost.exe -
Executes dropped EXE 1 IoCs
pid Process 2304 dllhost.exe -
Loads dropped DLL 1 IoCs
pid Process 2324 Payload.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\4c4f4a71cf4fc204c1ef58ead9ffcdec = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dllhost.exe\" .." dllhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4c4f4a71cf4fc204c1ef58ead9ffcdec = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dllhost.exe\" .." dllhost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Payload.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dllhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2132 cmd.exe 2588 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2588 PING.EXE -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2304 dllhost.exe Token: 33 2304 dllhost.exe Token: SeIncBasePriorityPrivilege 2304 dllhost.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2324 wrote to memory of 2304 2324 Payload.exe 29 PID 2324 wrote to memory of 2304 2324 Payload.exe 29 PID 2324 wrote to memory of 2304 2324 Payload.exe 29 PID 2324 wrote to memory of 2304 2324 Payload.exe 29 PID 2304 wrote to memory of 2636 2304 dllhost.exe 31 PID 2304 wrote to memory of 2636 2304 dllhost.exe 31 PID 2304 wrote to memory of 2636 2304 dllhost.exe 31 PID 2304 wrote to memory of 2636 2304 dllhost.exe 31 PID 2304 wrote to memory of 2132 2304 dllhost.exe 33 PID 2304 wrote to memory of 2132 2304 dllhost.exe 33 PID 2304 wrote to memory of 2132 2304 dllhost.exe 33 PID 2304 wrote to memory of 2132 2304 dllhost.exe 33 PID 2132 wrote to memory of 2588 2132 cmd.exe 35 PID 2132 wrote to memory of 2588 2132 cmd.exe 35 PID 2132 wrote to memory of 2588 2132 cmd.exe 35 PID 2132 wrote to memory of 2588 2132 cmd.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\Payload.exe"C:\Users\Admin\AppData\Local\Temp\Payload.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Users\Admin\AppData\Local\Temp\dllhost.exe"C:\Users\Admin\AppData\Local\Temp\dllhost.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /tn CleanSweepCheck /f3⤵
- System Location Discovery: System Language Discovery
PID:2636
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\PING.EXEping 0 -n 24⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2588
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
55KB
MD55c56be92df69c8add408d506c5532239
SHA10dad011e6ddbd559d30217bf8b9da634a72c2023
SHA256b58ab675e6430d8d9eeb6d316a635f5eb62fb19cd1120b3d1376136df5c8a44e
SHA51285ebfc2be987a011bb4db28842a90a7be26560ee843600f0b39b0805980ba27cc00db7cd635305dfdeecb6333576c6ba501fe0f79d56f0cbe8eaa12ecc3560cf