Analysis

max time kernel: 150s
max time network: 148s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12-12-2024 19:47
Behavioral task behavioral1
  Sample: Payload.exe
  Resource: win7-20240903-en

Behavioral task behavioral2
  Sample: Payload.exe
  Resource: win10v2004-20241007-en

The signatures, process tree and PIDs below come from the Windows 7 x64 run (behavioral1, win7-20240903-en), matching the platform and resource given under Analysis.
General

Target: Payload.exe
Size: 55KB
MD5: 33e1d80a59c7d0c32334ebe05bfbaec0
SHA1: afab8c4fc1216bd5f5e46fd6f029f71de1eaf491
SHA256: fcec89df07c34596a89b0a11a1c113d470843690b81416fd77fd01ef201402f6
SHA512: e0ade8d57d9227de619810bc95aef7f23ec22f496c69aff5b515d809ebb7107e3ed8234202f04028ac4f03f245bc7ad7eafd62622a8c0e9f9ea5b1dcf1b4a69e
SSDEEP: 1536:TRksDnHNwZ8Cam8LDdwsNMD2XExI3pm/m:6sDn6SKiDdwsNMD2XExI3pm
Malware Config

Signatures

Njrat family
Drops startup file (38 IoCs)
All 38 events come from Payload.exe, and every path is under C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\. The set is 35 batch files (virus1.bat through virus35.bat), celex.exe, and an executable named after the same hex id that the Run key below uses (created once, then opened again for modification).

description                   ioc (file name under the Startup folder)           Process
File created                  virus34.bat                                        Payload.exe
File created                  ba504e39d49d09ba3f0b71067d651692.exe               Payload.exe
File created                  virus5.bat                                         Payload.exe
File created                  virus6.bat                                         Payload.exe
File created                  virus7.bat                                         Payload.exe
File created                  virus31.bat                                        Payload.exe
File created                  virus9.bat                                         Payload.exe
File created                  virus26.bat                                        Payload.exe
File created                  virus29.bat                                        Payload.exe
File created                  virus30.bat                                        Payload.exe
File created                  celex.exe                                          Payload.exe
File created                  virus3.bat                                         Payload.exe
File created                  virus8.bat                                         Payload.exe
File created                  virus18.bat                                        Payload.exe
File created                  virus19.bat                                        Payload.exe
File created                  virus11.bat                                        Payload.exe
File created                  virus24.bat                                        Payload.exe
File created                  virus25.bat                                        Payload.exe
File created                  virus33.bat                                        Payload.exe
File created                  virus2.bat                                         Payload.exe
File created                  virus10.bat                                        Payload.exe
File created                  virus20.bat                                        Payload.exe
File created                  virus32.bat                                        Payload.exe
File created                  virus13.bat                                        Payload.exe
File created                  virus15.bat                                        Payload.exe
File created                  virus28.bat                                        Payload.exe
File created                  virus35.bat                                        Payload.exe
File created                  virus1.bat                                         Payload.exe
File created                  virus12.bat                                        Payload.exe
File created                  virus16.bat                                        Payload.exe
File created                  virus23.bat                                        Payload.exe
File created                  virus22.bat                                        Payload.exe
File created                  virus27.bat                                        Payload.exe
File opened for modification  ba504e39d49d09ba3f0b71067d651692.exe               Payload.exe
File created                  virus4.bat                                         Payload.exe
File created                  virus14.bat                                        Payload.exe
File created                  virus17.bat                                        Payload.exe
File created                  virus21.bat                                        Payload.exe
Executes dropped EXE (4 IoCs)
pid    Process
2092   b0bed7e1c28d426faa600897a8a921ac.exe
2488   ca485065e8704d5a90da8efa3c401605.exe
2652   c0d8c707209c47b2921e0dac39d6eeba.exe
1696   dcf23be551bf43f0b977e9fb11cc0bbc.exe

Loads dropped DLL (4 IoCs)
pid    Process
1448   Payload.exe  (4 events)
Adds Run key to start application (2 TTPs, 2 IoCs)
- Set value (str), Payload.exe
  \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\ba504e39d49d09ba3f0b71067d651692
  = "C:\Users\Admin\AppData\Local\Temp\Payload.exe" ..
- Set value (str), Payload.exe
  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ba504e39d49d09ba3f0b71067d651692
  = "C:\Users\Admin\AppData\Local\Temp\Payload.exe" ..

Two things to note. The value data points back at the original launch path in %LOCALAPPDATA%\Temp rather than at the Startup-folder copy, and it appends a bare " .." argument after the quoted path; that trailing " .." is a long-standing njRAT habit and a cheap string to hunt for in Run-key data. The machine-wide entry lands under Wow6432Node, which is the registry-redirected view a 32-bit process gets on x64 Windows; together with the child cmd.exe instances starting from C:\Windows\SysWOW64, this says Payload.exe is a 32-bit binary (consistent with the arch:x86 tag above).
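The following host sweep is an added example, not part of the sandbox output. It checks the two persistence locations the report shows (the per-user Startup folder and the HKCU/HKLM Run keys) for the exact file names, Run-key value name and file hashes listed on this page. Only those names and hashes are taken from the report; the directories searched, the extra user-hive enumeration and the two heuristics (a trailing " .." in Run-key data, a launch path under AppData\Local\Temp) are assumptions of the script.

```powershell
# Added host sweep for the persistence artefacts in this report (not part of the sandbox output).
# Names and hashes below are copied from the report; everything else is an assumption.

# SHA256 of the sample and of the three files listed under Downloads.
$KnownSha256 = @(
    'fcec89df07c34596a89b0a11a1c113d470843690b81416fd77fd01ef201402f6',  # Payload.exe
    'c9f03a39789f7322ae43604db6ce7da86765ad4b13207091683cf47bdea8de12',  # 16KB dropped file
    'c1badbacd2abe44fe4e8685c8eee7e983bf8b6780cfca03ae31f8fcebc98b1fb',  # 345KB dropped file
    '00201a2fd4916193c9c7bbba7be6a77fa5876085480b67da4e1228fd8b23ae5f'   # 844KB dropped file
)
# File names from the "Drops startup file" signature: virus1.bat..virus35.bat, celex.exe, <hexid>.exe
$StartupNames = @('celex.exe', 'ba504e39d49d09ba3f0b71067d651692.exe') +
                (1..35 | ForEach-Object { "virus$_.bat" })
$RunValueName = 'ba504e39d49d09ba3f0b71067d651692'
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

$findings = New-Object System.Collections.Generic.List[object]

# 1. Run keys: machine-wide native and WOW64 views, plus every loaded user hive (not just HKCU).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue
foreach ($hive in Get-ChildItem 'HKU:\') {
    if ($hive.PSChildName -match '^S-1-5-21-' -and $hive.PSChildName -notlike '*_Classes') {
        $runKeys += "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
    }
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $ProviderProps) { continue }      # provider metadata, not registry values
        $data = [string]$p.Value
        # Report entry: value named after the hex id, data '"<path>" ..'. The trailing ' ..' and a
        # launch path under AppData\Local\Temp are flagged on their own (assumed heuristics).
        if ($p.Name -eq $RunValueName -or $data -match '"\s\.\.\s*$' -or $data -match '\\AppData\\Local\\Temp\\') {
            $findings.Add([pscustomobject]@{ Type = 'RunKey'; Location = $key; Name = $p.Name; Detail = $data })
        }
    }
}

# 2. Startup folders: the all-users folder plus every profile's roaming Startup folder.
$startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp")
$startupDirs += Get-ChildItem "$env:SystemDrive\Users" -Directory |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }

foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($f in Get-ChildItem $dir -File -Force) {
        $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash.ToLower()
        # Match on the reported names (case-insensitive) or on a known hash under any name.
        if ($StartupNames -contains $f.Name -or $KnownSha256 -contains $hash) {
            $findings.Add([pscustomobject]@{ Type = 'StartupFile'; Location = $dir; Name = $f.Name; Detail = $hash })
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it elevated so the HKLM keys and other users' profiles are readable. The name match is the weak part: the sample can be rebuilt with a different hex id, which is why the hash list and the " .." pattern are checked independently of the names.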
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                           Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Payload.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe

The cmd.exe and rundll32.exe hits are the two LockWorkStation chains in the process tree below; opening this key is routine for any process that initialises locale data, so the Payload.exe entry is the only one worth weighing.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid    Process
1448   Payload.exe  (64 events)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid    Process
1448   Payload.exe
Suspicious use of AdjustPrivilegeToken (42 IoCs)
description                          pid    Process                                  events
Token: SeDebugPrivilege              1448   Payload.exe                              1
Token: 33                            1448   Payload.exe                              18
Token: SeIncBasePriorityPrivilege    1448   Payload.exe                              18
Token: SeDebugPrivilege              2092   b0bed7e1c28d426faa600897a8a921ac.exe     1
Token: 33                            272    AUDIODG.EXE                              2
Token: SeIncBasePriorityPrivilege    272    AUDIODG.EXE                              2

The "33" and SeIncBasePriorityPrivilege entries always appear as alternating pairs and also show up in AUDIODG.EXE, a system process outside the sample's tree, so they are background noise. The SeDebugPrivilege enablement by Payload.exe and by the first dropped EXE is the notable item.
Suspicious use of FindShellTrayWindow (3 IoCs)
pid    Process
1448   Payload.exe  (3 events)
Suspicious use of WriteProcessMemory (38 IoCs)
pid    Process       wrote to memory of   procid_target   events
1448   Payload.exe   2092                 31              4
1448   Payload.exe   2488                 32              4
1448   Payload.exe   2652                 34              4
1448   Payload.exe   1696                 35              4
1448   Payload.exe   2388                 36              4
2388   cmd.exe       1856                 38              7
1448   Payload.exe   1600                 40              4
1600   cmd.exe       3008                 42              7

Every target PID here is a direct child of the writing process in the tree below, and the writes happen at spawn time; there are no writes into pre-existing, unrelated processes. On its own this signature is therefore not evidence of code injection.
Processes

C:\Users\Admin\AppData\Local\Temp\Payload.exe  (PID 1448)
  command line: "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\b0bed7e1c28d426faa600897a8a921ac.exe  (PID 2092, child of 1448)
    command line: "C:\Users\Admin\AppData\Local\Temp\b0bed7e1c28d426faa600897a8a921ac.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\ca485065e8704d5a90da8efa3c401605.exe  (PID 2488, child of 1448)
    command line: "C:\Users\Admin\AppData\Local\Temp\ca485065e8704d5a90da8efa3c401605.exe"
    - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\c0d8c707209c47b2921e0dac39d6eeba.exe  (PID 2652, child of 1448)
    command line: "C:\Users\Admin\AppData\Local\Temp\c0d8c707209c47b2921e0dac39d6eeba.exe"
    - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\dcf23be551bf43f0b977e9fb11cc0bbc.exe  (PID 1696, child of 1448)
    command line: "C:\Users\Admin\AppData\Local\Temp\dcf23be551bf43f0b977e9fb11cc0bbc.exe"
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe  (PID 2388, child of 1448)
    command line: cmd /c rundll32.exe user32.dll,LockWorkStation
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe  (PID 1856, child of 2388)
      command line: rundll32.exe user32.dll,LockWorkStation
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe  (PID 1600, child of 1448)
    command line: cmd /c rundll32.exe user32.dll,LockWorkStation
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe  (PID 3008, child of 1600)
      command line: rundll32.exe user32.dll,LockWorkStation
      - System Location Discovery: System Language Discovery

C:\Windows\system32\AUDIODG.EXE  (PID 272, not a descendant of Payload.exe)
  command line: C:\Windows\system32\AUDIODG.EXE 0x4ec
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\LogonUI.exe  (PID 2276, not a descendant of Payload.exe)
  command line: "LogonUI.exe" /flags:0x0

Payload.exe drops and runs four executables from %LOCALAPPDATA%\Temp, then twice locks the workstation through cmd.exe /c rundll32.exe user32.dll,LockWorkStation. LogonUI.exe is the Windows lock/logon screen and is the visible result of those calls. AUDIODG.EXE (audio device graph isolation) is a system process that appears only because of its privilege-token activity.
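The chain above (Payload.exe, then cmd.exe /c rundll32.exe user32.dll,LockWorkStation, then rundll32.exe) is a clean detection target. The script below is an added example, not part of the report: it reads Sysmon process-creation events (Event ID 1), finds rundll32 LockWorkStation launches, and walks parent and grandparent so the analyst sees what stands behind cmd.exe. It assumes Sysmon is installed with process-creation logging; the field names are Sysmon's standard EID 1 fields and the "via cmd.exe" heuristic is this script's own.

```powershell
# Added detection example (not part of the sandbox report). Assumes Sysmon EID 1 is being logged.
function Get-LockWorkStationChains {
    param([int]$MaxEvents = 20000)

    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    # Parse every process-creation event once. PIDs get reused, so the creation time is kept
    # and ancestors are resolved as "most recent process with that PID created at or before now".
    $procs = foreach ($e in Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop) {
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time            = $e.TimeCreated
            ProcessId       = $d['ProcessId']
            Image           = $d['Image']
            CommandLine     = $d['CommandLine']
            ParentProcessId = $d['ParentProcessId']
            ParentImage     = $d['ParentImage']
        }
    }

    # $pid is a PowerShell automatic variable, hence the longer parameter name.
    function Find-Ancestor($targetPid, $when) {
        $procs | Where-Object { $_.ProcessId -eq $targetPid -and $_.Time -le $when } |
            Sort-Object Time -Descending | Select-Object -First 1
    }

    # Matches "rundll32.exe user32.dll,LockWorkStation" and the short forms rundll32 / user32.
    $pattern = 'rundll32(\.exe)?\s+user32(\.dll)?\s*,\s*LockWorkStation'

    foreach ($p in ($procs | Where-Object { $_.CommandLine -match $pattern })) {
        $parent = Find-Ancestor $p.ParentProcessId $p.Time
        $grand  = if ($parent) { Find-Ancestor $parent.ParentProcessId $parent.Time } else { $null }
        [pscustomobject]@{
            Time        = $p.Time
            CommandLine = $p.CommandLine
            Parent      = $parent.Image
            Grandparent = $grand.Image
            # In the report the chain is Payload.exe -> cmd.exe -> rundll32.exe. An interactive
            # lock (Win+L) never goes through cmd.exe, so a cmd.exe parent is the signal (assumed).
            ViaCmd      = [bool]($parent.Image -match '\\cmd\.exe$')
        }
    }
}

# Show only the chains that went through cmd.exe; drop the filter to see every lock event.
Get-LockWorkStationChains | Where-Object ViaCmd | Format-Table -AutoSize
```

Grandparent is the column to read: for this sample it would show the %LOCALAPPDATA%\Temp path of Payload.exe. Locking via rundll32 is also used by legitimate scripts and scheduled tasks, so pair the hit with the grandparent image and with the Run-key or Startup-folder findings before escalating.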
Network

MITRE ATT&CK Enterprise v15
Mapped from the signatures above:
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001), from the Run key and Startup-folder drops
- System Location Discovery: System Language Discovery (T1614.001), from the NLS\Language key reads
Downloads

- Filesize: 16KB
  MD5: 683bcb1f86f4410931abe39a63eb7057
  SHA1: d338aac5ff479fc94d3c840e862665de1dac8c8f
  SHA256: c9f03a39789f7322ae43604db6ce7da86765ad4b13207091683cf47bdea8de12
  SHA512: 60b596947d93fdb196fcf338af92d26cdd82396283316352ead078ce1a85943bb85264901318f7061e6b0e49058ace521831a9275c025526373d9168c757cdd2

- Filesize: 345KB
  MD5: 8efb7339fe13cf8cea9f6445776655c0
  SHA1: 081afd73c757c83825cf1e8ed4a4eab259d23b97
  SHA256: c1badbacd2abe44fe4e8685c8eee7e983bf8b6780cfca03ae31f8fcebc98b1fb
  SHA512: 2a37e74aeff17b4f435d02a30019a017a4ff4fa29fc898229f6195876f53b38154c063cf052deebcc06785650f875d67eeb0de372a76df3c4e71bd4fc0392956

- Filesize: 844KB
  MD5: 8cac1595b184f66d7a122af38d5dfe71
  SHA1: e0bc0162472edf77a05134e77b540663ac050ab6
  SHA256: 00201a2fd4916193c9c7bbba7be6a77fa5876085480b67da4e1228fd8b23ae5f
  SHA512: 88d3753ce73bbf95ee1fdbdff21eb9331e59ca92cfa5c489f141c07dc90871e3032e331c9dd77b1fec4522add3ac25c51d5c699d7801a5343dd2ae447c60f8f8