Analysis

max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 17-12-2024 01:55
Behavioral task: behavioral1
  Sample: ad43c66111cba44c1841ebc590a1dc4e525ab38d74433dd41c26b178f4b8c2e1.exe
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: ad43c66111cba44c1841ebc590a1dc4e525ab38d74433dd41c26b178f4b8c2e1.exe
  Resource: win10v2004-20241007-en
General

Target: ad43c66111cba44c1841ebc590a1dc4e525ab38d74433dd41c26b178f4b8c2e1.exe
Size: 37KB
MD5: c656f530c130c90a375047f3f501ab03
SHA1: 4d3fb02a42eaab3b9e36a144148a1a9ee3ae5efa
SHA256: ad43c66111cba44c1841ebc590a1dc4e525ab38d74433dd41c26b178f4b8c2e1
SHA512: 831000fd3f1ff365507243ceacae40b48d8d0d0dbb46b955a17f2eed8e29c8d30283e3904f3bff11593aa382dc3bfe2cdba5ab4265030ee212f7064ca1223ad6
SSDEEP: 384:5sh7qi0hJZtbH9KyM+2ZzmuHtgs2yHFrAF+rMRTyN/0L+EcoinblneHQM3epzXtV:yWJ95M+2Z6uKdylrM+rMRa8Nurft
Malware Config

Extracted
Family: njrat
Version: im523
Botnet: HacKed
C2: tcp://kiwitech1337-20411.portmap.host:20411
Mutex: 3e667850c59c9299d789f6e186e7293a
Attributes
  reg_key: 3e667850c59c9299d789f6e186e7293a
  splitter: |'|'|

The C2 host is a portmap.host subdomain, i.e. a port-forwarding relay in front of the operator's real endpoint, so the hostname and port pair is the indicator worth blocking and hunting on; the relay's IP address is shared with other users of that service. The same 32-hex-character value serves as both the mutex and the registry value name the bot uses for persistence.
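The splitter above is what separates fields inside every njRAT message, so together with the botnet name it is enough to decode the bot's traffic from a packet capture. The parser below is an added example written for this page, not code from the report or from the malware. It assumes njRAT's usual framing (the decimal payload length, one NUL byte, then the payload) and uses the extracted splitter; the beacon in SAMPLE_STREAM is constructed, modelled on the "ll" info message and the "P" keepalive, and its HWID part is made up.

```python
"""Frame and field parser for njRAT-style C2 traffic (added example)."""
from __future__ import annotations

SPLITTER = b"|'|'|"          # 'splitter' from the extracted config
CAMPAIGN = "HacKed"          # 'Botnet' value from the extracted config


def build_frame(fields: list[str], splitter: bytes = SPLITTER) -> bytes:
    """Encode one message the way the bot does: '<len>\\x00' + fields joined by the splitter."""
    payload = splitter.join(f.encode("utf-8") for f in fields)
    return str(len(payload)).encode("ascii") + b"\x00" + payload


def parse_frames(buf: bytes, splitter: bytes = SPLITTER) -> tuple[list[list[str]], bytes]:
    """Split a TCP stream buffer into complete messages.

    Returns (messages, remainder). Each message is its list of fields; the
    first field is the command. The remainder is a trailing partial frame
    that needs more bytes, so the caller keeps it and appends the next
    segment. Raises ValueError when the data is not njRAT framing at all.
    """
    messages: list[list[str]] = []
    pos = 0
    while pos < len(buf):
        nul = buf.find(b"\x00", pos)
        if nul == -1:
            break                                   # length prefix still incomplete
        prefix = buf[pos:nul]
        if not prefix.isdigit() or len(prefix) > 9:
            raise ValueError(f"not njRAT framing at offset {pos}: {prefix!r}")
        start = nul + 1
        end = start + int(prefix)
        if end > len(buf):
            break                                   # payload still incomplete
        fields = buf[start:end].split(splitter)
        messages.append([f.decode("utf-8", errors="replace") for f in fields])
        pos = end
    return messages, buf[pos:]


def victim_campaign(victim_id: str) -> str:
    """njRAT builds the victim id as '<campaign>_<hwid>'; return the campaign part."""
    return victim_id.split("_", 1)[0]


# Constructed sample stream, not captured traffic: an info beacon ("ll") whose
# victim id carries the report's campaign name and an invented HWID, a "P"
# keepalive, and the first bytes of a third frame that has not fully arrived
# (13-byte payload announced, 9 bytes present).
SAMPLE_STREAM = (
    build_frame(["ll", f"{CAMPAIGN}_5CA1AB1E", "WIN7-PC", "Admin", "24-12-17"])
    + build_frame(["P"])
    + b"13\x00ll|'|'|Ha"
)

if __name__ == "__main__":
    msgs, rest = parse_frames(SAMPLE_STREAM)
    for m in msgs:
        print(m[0], m[1:])
    print("partial frame kept for the next segment:", rest)
    # feeding the missing bytes completes the third frame
    print(parse_frames(rest + b"cKed"))
```

Feed the remainder back in with the next TCP segment rather than discarding it; the bot's messages are split across segments as soon as a screenshot or file listing is sent, and a parser that assumes one frame per segment silently drops the rest of the session.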
Signatures

Njrat family

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                        Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   ad43c66111cba44c1841ebc590a1dc4e525ab38d74433dd41c26b178f4b8c2e1.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   AcroRd32.exe

Modifies registry class (7 IoCs)
  description      ioc                                                                                            Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""   rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings               rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\_auto_file                   rundll32.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\_auto_file\                  rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\_auto_file\shell\Read        rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\_auto_file\shell             rundll32.exe
  Key created      \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\_auto_file\shell\Read\command rundll32.exe
  These keys are the side effect of the Open With dialog that rundll32 shell32.dll,OpenAs_RunDLL raised for the extensionless dropped file C:\Users\Admin\AppData\Local\Temp\sasiski: Windows recorded the handler picked in that dialog, Adobe Reader, as the class for extensionless files. They are written by rundll32.exe under the user's hive, not by the sample, and the njRAT reg_key from the config was not observed being written in this run.

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  2804  AcroRd32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  2804  AcroRd32.exe
  2804  AcroRd32.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  description                          pid   Process                                                                  procid_target
  PID 2184 wrote to memory of 1716     2184  ad43c66111cba44c1841ebc590a1dc4e525ab38d74433dd41c26b178f4b8c2e1.exe   30
  PID 2184 wrote to memory of 1716     2184  ad43c66111cba44c1841ebc590a1dc4e525ab38d74433dd41c26b178f4b8c2e1.exe   30
  PID 2184 wrote to memory of 1716     2184  ad43c66111cba44c1841ebc590a1dc4e525ab38d74433dd41c26b178f4b8c2e1.exe   30
  PID 2184 wrote to memory of 1716     2184  ad43c66111cba44c1841ebc590a1dc4e525ab38d74433dd41c26b178f4b8c2e1.exe   30
  PID 2184 wrote to memory of 1716     2184  ad43c66111cba44c1841ebc590a1dc4e525ab38d74433dd41c26b178f4b8c2e1.exe   30
  PID 2184 wrote to memory of 1716     2184  ad43c66111cba44c1841ebc590a1dc4e525ab38d74433dd41c26b178f4b8c2e1.exe   30
  PID 2184 wrote to memory of 1716     2184  ad43c66111cba44c1841ebc590a1dc4e525ab38d74433dd41c26b178f4b8c2e1.exe   30
  PID 1716 wrote to memory of 2804     1716  rundll32.exe                                                             31
  PID 1716 wrote to memory of 2804     1716  rundll32.exe                                                             31
  PID 1716 wrote to memory of 2804     1716  rundll32.exe                                                             31
  PID 1716 wrote to memory of 2804     1716  rundll32.exe                                                             31
  The GetForegroundWindowSpam and SetWindowsHookEx hits are attributed to AcroRd32.exe, the Open With handler, not to the sample; the WriteProcessMemory rows are the ordinary parent-to-child writes that accompany process creation along the chain sample -> rundll32 -> AcroRd32.
Processes

C:\Users\Admin\AppData\Local\Temp\ad43c66111cba44c1841ebc590a1dc4e525ab38d74433dd41c26b178f4b8c2e1.exe
  "C:\Users\Admin\AppData\Local\Temp\ad43c66111cba44c1841ebc590a1dc4e525ab38d74433dd41c26b178f4b8c2e1.exe"
  PID: 2184
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\sasiski
    PID: 1716
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\sasiski"
      PID: 2804
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx

The sample asked for C:\Windows\system32\rundll32.exe but the child ran from C:\Windows\SysWOW64, so the 37KB binary is a 32-bit process and WOW64 file-system redirection applied (consistent with the arch:x86 resource tag). The only observable action in this 120s run is handing the extensionless file sasiski to the shell's Open With dialog; the AcroRd32.exe step is the sandbox's choice of handler, so on another host the third process will differ.
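The process chain above (a Temp-resident executable, rundll32 with shell32.dll,OpenAs_RunDLL on an extensionless Temp file, then whatever handler the dialog produced) is a hunt-worthy pattern regardless of the final application. The following detection logic is an added example for this page, not part of the report: it runs over process-creation records whose field names (pid, ppid, image, cmdline) are this example's own, modelled on Sysmon Event ID 1. The records for PIDs 2184, 1716 and 2804 are built from the report's process list; the explorer.exe parent and the benign control record are constructed.

```python
"""Hunting the OpenAs_RunDLL hand-off seen in the process tree (added example)."""
from __future__ import annotations

import ntpath
import re

# rundll32 shell32.dll,OpenAs_RunDLL <file> raises the "Open With" dialog and
# launches whichever handler is chosen with <file> as its argument.
OPENAS_RE = re.compile(r"shell32\.dll\s*,\s*OpenAs_RunDLL\s+(?P<target>.+?)\s*$", re.IGNORECASE)
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def find_openas_chains(events: list[dict]) -> list[dict]:
    """Return one finding per rundll32 OpenAs_RunDLL launch that shows risky traits.

    Traits scored: target in the user's Temp directory, target without an
    extension (which guarantees the dialog), parent executable running from
    the user's Temp directory. Child processes of the rundll32 are reported
    as the handlers the dialog ended up launching.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\rundll32.exe"):
            continue
        m = OPENAS_RE.search(e["cmdline"])
        if not m:
            continue
        target = m.group("target").strip('"')
        parent = by_pid.get(e["ppid"])
        reasons = []
        if USER_TEMP_RE.search(target):
            reasons.append("target file lives in the user's Temp directory")
        if not ntpath.splitext(target)[1]:
            reasons.append("target has no extension, so the Open With dialog is guaranteed")
        if parent and USER_TEMP_RE.search(parent["image"]):
            reasons.append("parent executable runs from the user's Temp directory")
        if not reasons:
            continue
        handlers = [c["image"] for c in events if c["ppid"] == e["pid"]]
        findings.append({
            "rundll32_pid": e["pid"],
            "parent_image": parent["image"] if parent else None,
            "target": target,
            "handlers": handlers,
            "reasons": reasons,
            "severity": "high" if len(reasons) >= 2 else "medium",
        })
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ad43c66111cba44c1841ebc590a1dc4e525ab38d74433dd41c26b178f4b8c2e1.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\sasiski"
READER = r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"

# Constructed records. PIDs, images and command lines of 2184/1716/2804 follow
# the report; the explorer.exe parent (pid 900) and the benign control are invented.
EVENTS = [
    {"pid": 900, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2184, "ppid": 900, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1716, "ppid": 2184, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": rf'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL {DROPPED}'},
    {"pid": 2804, "ppid": 1716, "image": READER, "cmdline": f'"{READER}" "{DROPPED}"'},
    # benign control: a user right-clicks a document in Documents and picks "Open with"
    {"pid": 3100, "ppid": 900, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,OpenAs_RunDLL "C:\Users\Admin\Documents\notes.txt"'},
]

if __name__ == "__main__":
    for f in find_openas_chains(EVENTS):
        print(f["severity"], f["parent_image"], "-> rundll32 ->", f["handlers"])
        for r in f["reasons"]:
            print("   -", r)
```

The benign control is what keeps this usable as a rule: OpenAs_RunDLL from explorer.exe on a normal document scores zero traits and is not reported, while the report's chain scores all three. In a SIEM, key the same three checks on the raw command line and the parent image rather than on the child, since the child is whatever the dialog's victim (or sandbox) happened to pick.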
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 37KB
MD5: c656f530c130c90a375047f3f501ab03
SHA1: 4d3fb02a42eaab3b9e36a144148a1a9ee3ae5efa
SHA256: ad43c66111cba44c1841ebc590a1dc4e525ab38d74433dd41c26b178f4b8c2e1
SHA512: 831000fd3f1ff365507243ceacae40b48d8d0d0dbb46b955a17f2eed8e29c8d30283e3904f3bff11593aa382dc3bfe2cdba5ab4265030ee212f7064ca1223ad6

Filesize: 3KB
MD5: c2f8290aa9c04c7a7c4473cb11eefa5f
SHA1: 95cdc464f57e63fb064468d5a5ea339cd0083edb
SHA256: a12723b3fba5b3bebc5a320f2ad3874e61c2bfc4f0028d839edf64c6e3c7ceb4
SHA512: af438c07db7abbf116587623754bc615e206a5298922a6c30586dd457f4ec00580e0f43514f2dfd0d23ed9140094291576113100a2dc1697fd3e16f910a36b01