Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
16-12-2024 06:19
Behavioral task
behavioral1
Sample
Client.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Client.exe
Resource
win10v2004-20241007-en
General
-
Target
Client.exe
-
Size
31KB
-
MD5
63f444ed65088c9e278ec2e6892899a6
-
SHA1
588c5ca8e39578b9341f7cbaa7bec05af51566c4
-
SHA256
6cb9455b415038c5fe7e6d86677f3751033b0478f7264a171cc7a277ad3b706c
-
SHA512
1859caf0ba1c328142c8910f4504aea0096d55dac286809ae161c827558f60875f76d5840e469644092ecd05891de5da7ef0f492f50f47d8279dd86704a69567
-
SSDEEP
768:1qmqnf1Ll58zx36DLeo0HbFZv8NQmIDUu0tihUBj:0B9q/JvsQVk5j
Malware Config
Signatures
-
Njrat family
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2984 netsh.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Client.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
description pid Process Token: SeDebugPrivilege 2704 Client.exe Token: 33 2704 Client.exe Token: SeIncBasePriorityPrivilege 2704 Client.exe Token: 33 2704 Client.exe Token: SeIncBasePriorityPrivilege 2704 Client.exe Token: 33 2704 Client.exe Token: SeIncBasePriorityPrivilege 2704 Client.exe Token: 33 2704 Client.exe Token: SeIncBasePriorityPrivilege 2704 Client.exe Token: 33 2704 Client.exe Token: SeIncBasePriorityPrivilege 2704 Client.exe Token: 33 2704 Client.exe Token: SeIncBasePriorityPrivilege 2704 Client.exe Token: 33 2704 Client.exe Token: SeIncBasePriorityPrivilege 2704 Client.exe Token: 33 2704 Client.exe Token: SeIncBasePriorityPrivilege 2704 Client.exe Token: 33 2704 Client.exe Token: SeIncBasePriorityPrivilege 2704 Client.exe Token: 33 2704 Client.exe Token: SeIncBasePriorityPrivilege 2704 Client.exe Token: 33 2704 Client.exe Token: SeIncBasePriorityPrivilege 2704 Client.exe Token: 33 2704 Client.exe Token: SeIncBasePriorityPrivilege 2704 Client.exe Token: 33 2704 Client.exe Token: SeIncBasePriorityPrivilege 2704 Client.exe Token: 33 2704 Client.exe Token: SeIncBasePriorityPrivilege 2704 Client.exe Token: 33 2704 Client.exe Token: SeIncBasePriorityPrivilege 2704 Client.exe Token: 33 2704 Client.exe Token: SeIncBasePriorityPrivilege 2704 Client.exe Token: 33 2704 Client.exe Token: SeIncBasePriorityPrivilege 2704 Client.exe Token: 33 2704 Client.exe Token: SeIncBasePriorityPrivilege 2704 Client.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2704 wrote to memory of 2984 2704 Client.exe 31 PID 2704 wrote to memory of 2984 2704 Client.exe 31 PID 2704 wrote to memory of 2984 2704 Client.exe 31 PID 2704 wrote to memory of 2984 2704 Client.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client.exe"C:\Users\Admin\AppData\Local\Temp\Client.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Client.exe" "Client.exe" ENABLE2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2984
-