Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
17-12-2024 04:55
Behavioral task
behavioral1
Sample
d6471589756f94a0908a7ec9f0e0e98149882ce6c1cf3da9852dc88fcc3d513d.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d6471589756f94a0908a7ec9f0e0e98149882ce6c1cf3da9852dc88fcc3d513d.exe
Resource
win10v2004-20241007-en
General
-
Target
d6471589756f94a0908a7ec9f0e0e98149882ce6c1cf3da9852dc88fcc3d513d.exe
-
Size
37KB
-
MD5
4699bec8cd50aa7f2cecf0df8f0c26a0
-
SHA1
c7c6c85fc26189cf4c68d45b5f8009a7a456497d
-
SHA256
d6471589756f94a0908a7ec9f0e0e98149882ce6c1cf3da9852dc88fcc3d513d
-
SHA512
5701a107e8af1c89574274c8b585ddd87ae88332284fc18090bbcccf5d11b65486ccf70450d4451fec7c75474a62518dd3c5e2bedda98487085276ac51d7ac0e
-
SSDEEP
768:HXGD2mUbCv/cPDYjM/cA8rM+rMRa8NuEx2t:H2DSbW0rEMUAP+gRJNbx
Malware Config
Extracted
njrat
im523
school
167.71.56.116:22764
872de6721af0b6833a743205be97e089
-
reg_key
872de6721af0b6833a743205be97e089
-
splitter
|'|'|
Signatures
-
Njrat family
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 592 netsh.exe -
Executes dropped EXE 1 IoCs
pid Process 2088 rundll32.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\872de6721af0b6833a743205be97e089 = "\"C:\\Windows\\rundll32.exe\" .." rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\872de6721af0b6833a743205be97e089 = "\"C:\\Windows\\rundll32.exe\" .." rundll32.exe -
Drops autorun.inf file 1 TTPs 5 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File created C:\autorun.inf rundll32.exe File opened for modification C:\autorun.inf rundll32.exe File created D:\autorun.inf rundll32.exe File created F:\autorun.inf rundll32.exe File opened for modification F:\autorun.inf rundll32.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\rundll32.exe d6471589756f94a0908a7ec9f0e0e98149882ce6c1cf3da9852dc88fcc3d513d.exe File opened for modification C:\Windows\rundll32.exe rundll32.exe File created C:\Windows\rundll32.exe d6471589756f94a0908a7ec9f0e0e98149882ce6c1cf3da9852dc88fcc3d513d.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d6471589756f94a0908a7ec9f0e0e98149882ce6c1cf3da9852dc88fcc3d513d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe 2088 rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2088 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 35 IoCs
description pid Process Token: SeDebugPrivilege 2088 rundll32.exe Token: 33 2088 rundll32.exe Token: SeIncBasePriorityPrivilege 2088 rundll32.exe Token: 33 2088 rundll32.exe Token: SeIncBasePriorityPrivilege 2088 rundll32.exe Token: 33 2088 rundll32.exe Token: SeIncBasePriorityPrivilege 2088 rundll32.exe Token: 33 2088 rundll32.exe Token: SeIncBasePriorityPrivilege 2088 rundll32.exe Token: 33 2088 rundll32.exe Token: SeIncBasePriorityPrivilege 2088 rundll32.exe Token: 33 2088 rundll32.exe Token: SeIncBasePriorityPrivilege 2088 rundll32.exe Token: 33 2088 rundll32.exe Token: SeIncBasePriorityPrivilege 2088 rundll32.exe Token: 33 2088 rundll32.exe Token: SeIncBasePriorityPrivilege 2088 rundll32.exe Token: 33 2088 rundll32.exe Token: SeIncBasePriorityPrivilege 2088 rundll32.exe Token: 33 2088 rundll32.exe Token: SeIncBasePriorityPrivilege 2088 rundll32.exe Token: 33 2088 rundll32.exe Token: SeIncBasePriorityPrivilege 2088 rundll32.exe Token: 33 2088 rundll32.exe Token: SeIncBasePriorityPrivilege 2088 rundll32.exe Token: 33 2088 rundll32.exe Token: SeIncBasePriorityPrivilege 2088 rundll32.exe Token: 33 2088 rundll32.exe Token: SeIncBasePriorityPrivilege 2088 rundll32.exe Token: 33 2088 rundll32.exe Token: SeIncBasePriorityPrivilege 2088 rundll32.exe Token: 33 2088 rundll32.exe Token: SeIncBasePriorityPrivilege 2088 rundll32.exe Token: 33 2088 rundll32.exe Token: SeIncBasePriorityPrivilege 2088 rundll32.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2500 wrote to memory of 2088 2500 d6471589756f94a0908a7ec9f0e0e98149882ce6c1cf3da9852dc88fcc3d513d.exe 31 PID 2500 wrote to memory of 2088 2500 d6471589756f94a0908a7ec9f0e0e98149882ce6c1cf3da9852dc88fcc3d513d.exe 31 PID 2500 wrote to memory of 2088 2500 d6471589756f94a0908a7ec9f0e0e98149882ce6c1cf3da9852dc88fcc3d513d.exe 31 PID 2500 wrote to memory of 2088 2500 d6471589756f94a0908a7ec9f0e0e98149882ce6c1cf3da9852dc88fcc3d513d.exe 31 PID 2500 wrote to memory of 2088 2500 d6471589756f94a0908a7ec9f0e0e98149882ce6c1cf3da9852dc88fcc3d513d.exe 31 PID 2500 wrote to memory of 2088 2500 d6471589756f94a0908a7ec9f0e0e98149882ce6c1cf3da9852dc88fcc3d513d.exe 31 PID 2500 wrote to memory of 2088 2500 d6471589756f94a0908a7ec9f0e0e98149882ce6c1cf3da9852dc88fcc3d513d.exe 31 PID 2088 wrote to memory of 592 2088 rundll32.exe 32 PID 2088 wrote to memory of 592 2088 rundll32.exe 32 PID 2088 wrote to memory of 592 2088 rundll32.exe 32 PID 2088 wrote to memory of 592 2088 rundll32.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\d6471589756f94a0908a7ec9f0e0e98149882ce6c1cf3da9852dc88fcc3d513d.exe"C:\Users\Admin\AppData\Local\Temp\d6471589756f94a0908a7ec9f0e0e98149882ce6c1cf3da9852dc88fcc3d513d.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\rundll32.exe"C:\Windows\rundll32.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Windows\rundll32.exe" "rundll32.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:592
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
37KB
MD54699bec8cd50aa7f2cecf0df8f0c26a0
SHA1c7c6c85fc26189cf4c68d45b5f8009a7a456497d
SHA256d6471589756f94a0908a7ec9f0e0e98149882ce6c1cf3da9852dc88fcc3d513d
SHA5125701a107e8af1c89574274c8b585ddd87ae88332284fc18090bbcccf5d11b65486ccf70450d4451fec7c75474a62518dd3c5e2bedda98487085276ac51d7ac0e