Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
13-12-2024 11:03
Behavioral task
behavioral1
Sample
testingg.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
testingg.exe
Resource
win10v2004-20241007-en
General
-
Target
testingg.exe
-
Size
93KB
-
MD5
87301d7789d34f5f9e2d497b4d9b8f88
-
SHA1
b65a76d11f1d2e44d6f5113cf0212bc36abb17b1
-
SHA256
fdab671fc30cd30956d58c4b148fc1164cf45c9d766bb0e5b34f144b40d68516
-
SHA512
e60f39a599e59e72137edc83b00704abd716fbadc2a46b942aa325491a9af02628b2225123ba27ed09c077933b526917b3004d7e6659708e43308eb1fbfe7856
-
SSDEEP
1536:jey1GkeUqZJO5kNSimjEwzGi1dDYDfgS:jedUqZJOiAOi1dO4
Malware Config
Extracted
njrat
0.7d
Player
hakim32.ddns.net:2000
147.185.221.19:27692
031d13bbbb63d50987953ffedfddbc61
-
reg_key
031d13bbbb63d50987953ffedfddbc61
-
splitter
|'|'|
Signatures
-
Njrat family
-
Modifies Windows Firewall 2 TTPs 3 IoCs
pid Process 2748 netsh.exe 2788 netsh.exe 2536 netsh.exe -
Drops startup file 6 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\031d13bbbb63d50987953ffedfddbc61Windows Update.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\031d13bbbb63d50987953ffedfddbc61Windows Update.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe -
Executes dropped EXE 1 IoCs
pid Process 2852 server.exe -
Loads dropped DLL 2 IoCs
pid Process 2792 testingg.exe 2792 testingg.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\svchost.exe.exe server.exe File created C:\Windows\SysWOW64\svchost.exe.exe server.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\svchost.exe.exe server.exe File opened for modification C:\Program Files (x86)\svchost.exe.exe server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language testingg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe 2852 server.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2852 server.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
description pid Process Token: SeDebugPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe Token: 33 2852 server.exe Token: SeIncBasePriorityPrivilege 2852 server.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2792 wrote to memory of 2852 2792 testingg.exe 29 PID 2792 wrote to memory of 2852 2792 testingg.exe 29 PID 2792 wrote to memory of 2852 2792 testingg.exe 29 PID 2792 wrote to memory of 2852 2792 testingg.exe 29 PID 2852 wrote to memory of 2748 2852 server.exe 30 PID 2852 wrote to memory of 2748 2852 server.exe 30 PID 2852 wrote to memory of 2748 2852 server.exe 30 PID 2852 wrote to memory of 2748 2852 server.exe 30 PID 2852 wrote to memory of 2788 2852 server.exe 32 PID 2852 wrote to memory of 2788 2852 server.exe 32 PID 2852 wrote to memory of 2788 2852 server.exe 32 PID 2852 wrote to memory of 2788 2852 server.exe 32 PID 2852 wrote to memory of 2536 2852 server.exe 33 PID 2852 wrote to memory of 2536 2852 server.exe 33 PID 2852 wrote to memory of 2536 2852 server.exe 33 PID 2852 wrote to memory of 2536 2852 server.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\testingg.exe"C:\Users\Admin\AppData\Local\Temp\testingg.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2748
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2788
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2536
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5B
MD5bbcd2be775370c1e106e66d077a93f3b
SHA1a44b6a98f30e3275fc304bc3b29e0eab8ae47f20
SHA256a7aa76f137ba550c381cfb8e5195a01963ae49db167e1cd1e0a8b902ed81eda1
SHA512bb6e0d1f24253a9525fd538debf8ca68eb7078cb8539140c184331a854ecdea192fbcc314c4154a0a474c9aec41a79efeb8150922454c3c9e71eeb5297ae2f72
-
Filesize
93KB
MD587301d7789d34f5f9e2d497b4d9b8f88
SHA1b65a76d11f1d2e44d6f5113cf0212bc36abb17b1
SHA256fdab671fc30cd30956d58c4b148fc1164cf45c9d766bb0e5b34f144b40d68516
SHA512e60f39a599e59e72137edc83b00704abd716fbadc2a46b942aa325491a9af02628b2225123ba27ed09c077933b526917b3004d7e6659708e43308eb1fbfe7856