Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
16-12-2024 06:19
Behavioral task
behavioral1
Sample
Client.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Client.exe
Resource
win10v2004-20241007-en
General
-
Target
Client.exe
-
Size
31KB
-
MD5
63f444ed65088c9e278ec2e6892899a6
-
SHA1
588c5ca8e39578b9341f7cbaa7bec05af51566c4
-
SHA256
6cb9455b415038c5fe7e6d86677f3751033b0478f7264a171cc7a277ad3b706c
-
SHA512
1859caf0ba1c328142c8910f4504aea0096d55dac286809ae161c827558f60875f76d5840e469644092ecd05891de5da7ef0f492f50f47d8279dd86704a69567
-
SSDEEP
768:1qmqnf1Ll58zx36DLeo0HbFZv8NQmIDUu0tihUBj:0B9q/JvsQVk5j
Malware Config
Signatures
-
Njrat family
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2804 netsh.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Client.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Suspicious use of AdjustPrivilegeToken 35 IoCs
description pid Process Token: SeDebugPrivilege 1928 Client.exe Token: 33 1928 Client.exe Token: SeIncBasePriorityPrivilege 1928 Client.exe Token: 33 1928 Client.exe Token: SeIncBasePriorityPrivilege 1928 Client.exe Token: 33 1928 Client.exe Token: SeIncBasePriorityPrivilege 1928 Client.exe Token: 33 1928 Client.exe Token: SeIncBasePriorityPrivilege 1928 Client.exe Token: 33 1928 Client.exe Token: SeIncBasePriorityPrivilege 1928 Client.exe Token: 33 1928 Client.exe Token: SeIncBasePriorityPrivilege 1928 Client.exe Token: 33 1928 Client.exe Token: SeIncBasePriorityPrivilege 1928 Client.exe Token: 33 1928 Client.exe Token: SeIncBasePriorityPrivilege 1928 Client.exe Token: 33 1928 Client.exe Token: SeIncBasePriorityPrivilege 1928 Client.exe Token: 33 1928 Client.exe Token: SeIncBasePriorityPrivilege 1928 Client.exe Token: 33 1928 Client.exe Token: SeIncBasePriorityPrivilege 1928 Client.exe Token: 33 1928 Client.exe Token: SeIncBasePriorityPrivilege 1928 Client.exe Token: 33 1928 Client.exe Token: SeIncBasePriorityPrivilege 1928 Client.exe Token: 33 1928 Client.exe Token: SeIncBasePriorityPrivilege 1928 Client.exe Token: 33 1928 Client.exe Token: SeIncBasePriorityPrivilege 1928 Client.exe Token: 33 1928 Client.exe Token: SeIncBasePriorityPrivilege 1928 Client.exe Token: 33 1928 Client.exe Token: SeIncBasePriorityPrivilege 1928 Client.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1928 wrote to memory of 2804 1928 Client.exe 90 PID 1928 wrote to memory of 2804 1928 Client.exe 90 PID 1928 wrote to memory of 2804 1928 Client.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client.exe"C:\Users\Admin\AppData\Local\Temp\Client.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Client.exe" "Client.exe" ENABLE2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2804
-