Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
10-12-2024 01:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
352336c4bc2f0db999e86abb065598d8.exe
Resource
win7-20240903-en
windows7-x64
18 signatures
150 seconds
Behavioral task
behavioral2
Sample
352336c4bc2f0db999e86abb065598d8.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
1 signatures
150 seconds
General
-
Target
352336c4bc2f0db999e86abb065598d8.exe
-
Size
3.1MB
-
MD5
352336c4bc2f0db999e86abb065598d8
-
SHA1
5ae135912754c2348460fa4ce221d637de1a36e4
-
SHA256
7af46e45bdbb2d1b9731841c5c9000c7635b7d9d59e8e3e32508fe202d6132ba
-
SHA512
f75208ec26a0843fad754c68fbebc3b02b944690627e20fbb9b3ae4ae971a369a29c36f074039a44f48a26be24b41352c5bd4b996d0f3c4bbc9896b69bde538e
-
SSDEEP
49152:AHD9PlCsjRnB8Bc4GNFq3GoTapL8Fa75/XlkEQGfSk0oJ0wnnrT3:kZPlpnmBc4GNoXTa8aVdkEQK38wH3
Malware Config
Extracted
Family
njrat
Version
im523
Botnet
HacKed
C2
45.83.207.236:5552
Mutex
c932779fadb451b44351b10e6e56bf73
Attributes
-
reg_key
c932779fadb451b44351b10e6e56bf73
-
splitter
|'|'|
Signatures
-
Njrat family
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2984 netsh.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c932779fadb451b44351b10e6e56bf73.exe UserOOBEBroker.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c932779fadb451b44351b10e6e56bf73.exe UserOOBEBroker.exe -
Executes dropped EXE 3 IoCs
pid Process 2816 Happy new - .exe 2664 Pakg.exe 3068 UserOOBEBroker.exe -
Loads dropped DLL 2 IoCs
pid Process 2512 352336c4bc2f0db999e86abb065598d8.exe 2664 Pakg.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\c932779fadb451b44351b10e6e56bf73 = "\"C:\\Users\\Admin\\UserOOBEBroker.exe\" .." UserOOBEBroker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\c932779fadb451b44351b10e6e56bf73 = "\"C:\\Users\\Admin\\UserOOBEBroker.exe\" .." UserOOBEBroker.exe -
Drops autorun.inf file 1 TTPs 5 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\autorun.inf UserOOBEBroker.exe File created D:\autorun.inf UserOOBEBroker.exe File created F:\autorun.inf UserOOBEBroker.exe File opened for modification F:\autorun.inf UserOOBEBroker.exe File created C:\autorun.inf UserOOBEBroker.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pakg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language UserOOBEBroker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe -
Kills process with taskkill 1 IoCs
pid Process 2164 taskkill.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main 352336c4bc2f0db999e86abb065598d8.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe 3068 UserOOBEBroker.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3068 UserOOBEBroker.exe -
Suspicious use of AdjustPrivilegeToken 34 IoCs
description pid Process Token: SeDebugPrivilege 3068 UserOOBEBroker.exe Token: SeDebugPrivilege 2164 taskkill.exe Token: 33 3068 UserOOBEBroker.exe Token: SeIncBasePriorityPrivilege 3068 UserOOBEBroker.exe Token: 33 3068 UserOOBEBroker.exe Token: SeIncBasePriorityPrivilege 3068 UserOOBEBroker.exe Token: 33 3068 UserOOBEBroker.exe Token: SeIncBasePriorityPrivilege 3068 UserOOBEBroker.exe Token: 33 3068 UserOOBEBroker.exe Token: SeIncBasePriorityPrivilege 3068 UserOOBEBroker.exe Token: 33 3068 UserOOBEBroker.exe Token: SeIncBasePriorityPrivilege 3068 UserOOBEBroker.exe Token: 33 3068 UserOOBEBroker.exe Token: SeIncBasePriorityPrivilege 3068 UserOOBEBroker.exe Token: 33 3068 UserOOBEBroker.exe Token: SeIncBasePriorityPrivilege 3068 UserOOBEBroker.exe Token: 33 3068 UserOOBEBroker.exe Token: SeIncBasePriorityPrivilege 3068 UserOOBEBroker.exe Token: 33 3068 UserOOBEBroker.exe Token: SeIncBasePriorityPrivilege 3068 UserOOBEBroker.exe Token: 33 3068 UserOOBEBroker.exe Token: SeIncBasePriorityPrivilege 3068 UserOOBEBroker.exe Token: 33 3068 UserOOBEBroker.exe Token: SeIncBasePriorityPrivilege 3068 UserOOBEBroker.exe Token: 33 3068 UserOOBEBroker.exe Token: SeIncBasePriorityPrivilege 3068 UserOOBEBroker.exe Token: 33 3068 UserOOBEBroker.exe Token: SeIncBasePriorityPrivilege 3068 UserOOBEBroker.exe Token: 33 3068 UserOOBEBroker.exe Token: SeIncBasePriorityPrivilege 3068 UserOOBEBroker.exe Token: 33 3068 UserOOBEBroker.exe Token: SeIncBasePriorityPrivilege 3068 UserOOBEBroker.exe Token: 33 3068 UserOOBEBroker.exe Token: SeIncBasePriorityPrivilege 3068 UserOOBEBroker.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2512 352336c4bc2f0db999e86abb065598d8.exe 2512 352336c4bc2f0db999e86abb065598d8.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 2512 wrote to memory of 2816 2512 352336c4bc2f0db999e86abb065598d8.exe 31 PID 2512 wrote to memory of 2816 2512 352336c4bc2f0db999e86abb065598d8.exe 31 PID 2512 wrote to memory of 2816 2512 352336c4bc2f0db999e86abb065598d8.exe 31 PID 2512 wrote to memory of 2664 2512 352336c4bc2f0db999e86abb065598d8.exe 32 PID 2512 wrote to memory of 2664 2512 352336c4bc2f0db999e86abb065598d8.exe 32 PID 2512 wrote to memory of 2664 2512 352336c4bc2f0db999e86abb065598d8.exe 32 PID 2512 wrote to memory of 2664 2512 352336c4bc2f0db999e86abb065598d8.exe 32 PID 2664 wrote to memory of 3068 2664 Pakg.exe 33 PID 2664 wrote to memory of 3068 2664 Pakg.exe 33 PID 2664 wrote to memory of 3068 2664 Pakg.exe 33 PID 2664 wrote to memory of 3068 2664 Pakg.exe 33 PID 3068 wrote to memory of 2984 3068 UserOOBEBroker.exe 34 PID 3068 wrote to memory of 2984 3068 UserOOBEBroker.exe 34 PID 3068 wrote to memory of 2984 3068 UserOOBEBroker.exe 34 PID 3068 wrote to memory of 2984 3068 UserOOBEBroker.exe 34 PID 3068 wrote to memory of 2164 3068 UserOOBEBroker.exe 36 PID 3068 wrote to memory of 2164 3068 UserOOBEBroker.exe 36 PID 3068 wrote to memory of 2164 3068 UserOOBEBroker.exe 36 PID 3068 wrote to memory of 2164 3068 UserOOBEBroker.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\352336c4bc2f0db999e86abb065598d8.exe"C:\Users\Admin\AppData\Local\Temp\352336c4bc2f0db999e86abb065598d8.exe"1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Users\Admin\AppData\Local\Temp\Happy new - .exe"C:\Users\Admin\AppData\Local\Temp\Happy new - .exe"2⤵
- Executes dropped EXE
PID:2816
-
-
C:\Users\Admin\AppData\Local\Temp\Pakg.exe"C:\Users\Admin\AppData\Local\Temp\Pakg.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Users\Admin\UserOOBEBroker.exe"C:\Users\Admin\UserOOBEBroker.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\UserOOBEBroker.exe" "UserOOBEBroker.exe" ENABLE4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2984
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /IM Exsample.exe4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2164
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
37KB
MD567931560029cc67967f024e3c42c107a
SHA1fed599a8ee2a821e9f93109d1e660118ff3f0451
SHA25699e3e8a30f946770b612f530e63f0448d4e0dc261d165918b09abd2dd67d08c3
SHA51285a9a9735e3ba7693ee3d01b808929e48e0ca7d03762ef54a1024ae89238d992310a575fd5c429c62cb2030732dd25033c1ce71e0320c196fd755d62f1c47a96
-
Filesize
12.0MB
MD5c6bd70a2120cc3746df3ba4bce4fe00a
SHA191ab9936cf0ec1ec586cc6630c7d1cab6945367d
SHA2569474d988fb6b33f021ca2c9f2dad18d1a0d3b48c9249d8f94465f81bba4154fa
SHA512dd489a0459e3d41fbb5bd727add9d64deb209c433eddc5e9b2e2d2a2c0cbca7a3ebeae83ad2452a5490c303eae9eade2d9e0e6494591ef0c548f9035fb07b568