Analysis

Max time kernel: 120s
Max time network: 116s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 19-12-2024 23:48
Static task: static1

Behavioral task: behavioral1
  Sample: 9acd975f4c97ed6d72af28fe63cd828eddaf394a3c6cec34c74739ebcb2005d6N.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 9acd975f4c97ed6d72af28fe63cd828eddaf394a3c6cec34c74739ebcb2005d6N.exe
  Resource: win10v2004-20241007-en
General

Target: 9acd975f4c97ed6d72af28fe63cd828eddaf394a3c6cec34c74739ebcb2005d6N.exe
Size: 77KB
MD5: e993cfb6e61851f8e4b8a0de1109e7e0
SHA1: 7ed75b6f3d933016bb4064900780fdf702889e09
SHA256: 9acd975f4c97ed6d72af28fe63cd828eddaf394a3c6cec34c74739ebcb2005d6
SHA512: ff3b842bc78179bf267852b7f1a73159db146e319f064b556d92c71a968c5061675377ad7e1663cdf2ca98b9f5d10a0ed64037f5223bd217f053e8bda1c6f1ad
SSDEEP: 1536:c+egCWviDlboRh2Zz6XGuM3M9vxG33eSORdRujx7zG3zJB52HB:cICWqboSx6e3MFC3elRdROVzG352HB
Malware Config

Signatures

Njrat family
Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c1d3c43cd1579029d89b4722896f87cc.exe | dllhost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c1d3c43cd1579029d89b4722896f87cc.exe | dllhost.exe
Executes dropped EXE (1 IoC)
  pid | Process
  2280 | dllhost.exe
Loads dropped DLL (2 IoCs)
  pid | Process
  2096 | 9acd975f4c97ed6d72af28fe63cd828eddaf394a3c6cec34c74739ebcb2005d6N.exe
  2096 | 9acd975f4c97ed6d72af28fe63cd828eddaf394a3c6cec34c74739ebcb2005d6N.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\c1d3c43cd1579029d89b4722896f87cc = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .." | dllhost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\c1d3c43cd1579029d89b4722896f87cc = "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" .." | dllhost.exe
Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new | 9acd975f4c97ed6d72af28fe63cd828eddaf394a3c6cec34c74739ebcb2005d6N.exe
  File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | 9acd975f4c97ed6d72af28fe63cd828eddaf394a3c6cec34c74739ebcb2005d6N.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9acd975f4c97ed6d72af28fe63cd828eddaf394a3c6cec34c74739ebcb2005d6N.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dllhost.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2096 | 9acd975f4c97ed6d72af28fe63cd828eddaf394a3c6cec34c74739ebcb2005d6N.exe
  (the same pid/process pair accounts for all 64 entries)
Suspicious use of AdjustPrivilegeToken (28 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2096 | 9acd975f4c97ed6d72af28fe63cd828eddaf394a3c6cec34c74739ebcb2005d6N.exe
  Token: SeDebugPrivilege | 2280 | dllhost.exe
  Token: 33 | 2280 | dllhost.exe
  Token: SeIncBasePriorityPrivilege | 2280 | dllhost.exe
  (the last two entries alternate 13 times each for pid 2280 dllhost.exe, making up the remaining 26 IoCs)
Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2096 wrote to memory of 2280 | 2096 | 9acd975f4c97ed6d72af28fe63cd828eddaf394a3c6cec34c74739ebcb2005d6N.exe | 31  (4 entries)
  PID 2280 wrote to memory of 2908 | 2280 | dllhost.exe | 32  (4 entries)
Views/modifies file attributes (1 TTP, 1 IoC)
  pid | Process
  2908 | attrib.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\9acd975f4c97ed6d72af28fe63cd828eddaf394a3c6cec34c74739ebcb2005d6N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9acd975f4c97ed6d72af28fe63cd828eddaf394a3c6cec34c74739ebcb2005d6N.exe"
   PID: 2096
   - Loads dropped DLL
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\dllhost.exe (child of PID 2096)
      Command line: "C:\Users\Admin\AppData\Roaming\dllhost.exe"
      PID: 2280
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\attrib.exe (child of PID 2280)
         Command line: attrib +h "C:\Users\Admin\AppData\Roaming\dllhost.exe"
         PID: 2908
         - System Location Discovery: System Language Discovery
         - Views/modifies file attributes
Network

DNS query (remote address 8.8.8.8:53)
  Request: oxy01.duckdns.org IN A
  Response: oxy01.duckdns.org IN A 62.139.223.142
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)

Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (1)
Downloads

Filesize: 77KB
MD5: e993cfb6e61851f8e4b8a0de1109e7e0
SHA1: 7ed75b6f3d933016bb4064900780fdf702889e09
SHA256: 9acd975f4c97ed6d72af28fe63cd828eddaf394a3c6cec34c74739ebcb2005d6
SHA512: ff3b842bc78179bf267852b7f1a73159db146e319f064b556d92c71a968c5061675377ad7e1663cdf2ca98b9f5d10a0ed64037f5223bd217f053e8bda1c6f1ad