Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
13-12-2024 16:19
Behavioral task
behavioral1
Sample
Server.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
Server.exe
Resource
win10v2004-20241007-en
General
-
Target
Server.exe
-
Size
93KB
-
MD5
77e8ae03f54ed1ce413314dbb8e00435
-
SHA1
398ce9204237c30280dce2f3d6cfed34946383c0
-
SHA256
430d6a10f2a37a3a8957e5fabfda4f3c7fa9af76bc4b2c020638f023e06f0267
-
SHA512
6a679cd51e75ed9374cd17da763f180fd370e7d86fa88475a75eb1b07bd4f0e4f72b4fdf006345af3c0086a1978a358ade19a3ca422d892e41c3d0a47032b159
-
SSDEEP
768:gY3wI7yZnDQMMpAZrGSt6udttXy4sahkGJiXxrjEtCdnl2pi1Rz4Rk3wsGdpTgS7:II+ZD3rGWNd7dhkhjEwzGi1dDoDTgS
Malware Config
Extracted
njrat
0.7d
noip
hakim32.ddns.net:2000
mahmoudabu9pos.ddns.net:27005
fdce5dfdbb5ec4d4d26d1b02578ff07b
-
reg_key
fdce5dfdbb5ec4d4d26d1b02578ff07b
-
splitter
|'|'|
Signatures
-
Njrat family
-
Modifies Windows Firewall 2 TTPs 3 IoCs
pid Process 2804 netsh.exe 3012 netsh.exe 2708 netsh.exe -
Drops startup file 4 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdce5dfdbb5ec4d4d26d1b02578ff07bWindows Update.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe server.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdce5dfdbb5ec4d4d26d1b02578ff07bWindows Update.exe server.exe -
Executes dropped EXE 1 IoCs
pid Process 1436 server.exe -
Loads dropped DLL 2 IoCs
pid Process 1556 Server.exe 1556 Server.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\Explower.exe server.exe File opened for modification C:\Windows\SysWOW64\Explower.exe server.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe 1436 server.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1436 server.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
description pid Process Token: SeDebugPrivilege 1436 server.exe Token: 33 1436 server.exe Token: SeIncBasePriorityPrivilege 1436 server.exe Token: 33 1436 server.exe Token: SeIncBasePriorityPrivilege 1436 server.exe Token: 33 1436 server.exe Token: SeIncBasePriorityPrivilege 1436 server.exe Token: 33 1436 server.exe Token: SeIncBasePriorityPrivilege 1436 server.exe Token: 33 1436 server.exe Token: SeIncBasePriorityPrivilege 1436 server.exe Token: 33 1436 server.exe Token: SeIncBasePriorityPrivilege 1436 server.exe Token: 33 1436 server.exe Token: SeIncBasePriorityPrivilege 1436 server.exe Token: 33 1436 server.exe Token: SeIncBasePriorityPrivilege 1436 server.exe Token: 33 1436 server.exe Token: SeIncBasePriorityPrivilege 1436 server.exe Token: 33 1436 server.exe Token: SeIncBasePriorityPrivilege 1436 server.exe Token: 33 1436 server.exe Token: SeIncBasePriorityPrivilege 1436 server.exe Token: 33 1436 server.exe Token: SeIncBasePriorityPrivilege 1436 server.exe Token: 33 1436 server.exe Token: SeIncBasePriorityPrivilege 1436 server.exe Token: 33 1436 server.exe Token: SeIncBasePriorityPrivilege 1436 server.exe Token: 33 1436 server.exe Token: SeIncBasePriorityPrivilege 1436 server.exe Token: 33 1436 server.exe Token: SeIncBasePriorityPrivilege 1436 server.exe Token: 33 1436 server.exe Token: SeIncBasePriorityPrivilege 1436 server.exe Token: 33 1436 server.exe Token: SeIncBasePriorityPrivilege 1436 server.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 1556 wrote to memory of 1436 1556 Server.exe 30 PID 1556 wrote to memory of 1436 1556 Server.exe 30 PID 1556 wrote to memory of 1436 1556 Server.exe 30 PID 1556 wrote to memory of 1436 1556 Server.exe 30 PID 1436 wrote to memory of 2804 1436 server.exe 31 PID 1436 wrote to memory of 2804 1436 server.exe 31 PID 1436 wrote to memory of 2804 1436 server.exe 31 PID 1436 wrote to memory of 2804 1436 server.exe 31 PID 1436 wrote to memory of 3012 1436 server.exe 33 PID 1436 wrote to memory of 3012 1436 server.exe 33 PID 1436 wrote to memory of 3012 1436 server.exe 33 PID 1436 wrote to memory of 3012 1436 server.exe 33 PID 1436 wrote to memory of 2708 1436 server.exe 34 PID 1436 wrote to memory of 2708 1436 server.exe 34 PID 1436 wrote to memory of 2708 1436 server.exe 34 PID 1436 wrote to memory of 2708 1436 server.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Users\Admin\AppData\Roaming\server.exe"C:\Users\Admin\AppData\Roaming\server.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2804
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3012
-
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2708
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5B
MD5bbcd2be775370c1e106e66d077a93f3b
SHA1a44b6a98f30e3275fc304bc3b29e0eab8ae47f20
SHA256a7aa76f137ba550c381cfb8e5195a01963ae49db167e1cd1e0a8b902ed81eda1
SHA512bb6e0d1f24253a9525fd538debf8ca68eb7078cb8539140c184331a854ecdea192fbcc314c4154a0a474c9aec41a79efeb8150922454c3c9e71eeb5297ae2f72
-
Filesize
93KB
MD577e8ae03f54ed1ce413314dbb8e00435
SHA1398ce9204237c30280dce2f3d6cfed34946383c0
SHA256430d6a10f2a37a3a8957e5fabfda4f3c7fa9af76bc4b2c020638f023e06f0267
SHA5126a679cd51e75ed9374cd17da763f180fd370e7d86fa88475a75eb1b07bd4f0e4f72b4fdf006345af3c0086a1978a358ade19a3ca422d892e41c3d0a47032b159