Analysis
max time kernel: 120s
max time network: 117s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-12-2024 23:48
Static task: static1
Behavioral task: behavioral1
  Sample: 9acd975f4c97ed6d72af28fe63cd828eddaf394a3c6cec34c74739ebcb2005d6N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 9acd975f4c97ed6d72af28fe63cd828eddaf394a3c6cec34c74739ebcb2005d6N.exe
  Resource: win10v2004-20241007-en
The signatures and process tree on this page come from behavioral2 (the win10v2004-20241007-en resource named in the Analysis header).
General
Target: 9acd975f4c97ed6d72af28fe63cd828eddaf394a3c6cec34c74739ebcb2005d6N.exe
Size:   77KB
MD5:    e993cfb6e61851f8e4b8a0de1109e7e0
SHA1:   7ed75b6f3d933016bb4064900780fdf702889e09
SHA256: 9acd975f4c97ed6d72af28fe63cd828eddaf394a3c6cec34c74739ebcb2005d6
SHA512: ff3b842bc78179bf267852b7f1a73159db146e319f064b556d92c71a968c5061675377ad7e1663cdf2ca98b9f5d10a0ed64037f5223bd217f053e8bda1c6f1ad
SSDEEP: 1536:c+egCWviDlboRh2Zz6XGuM3M9vxG33eSORdRujx7zG3zJB52HB:cICWqboSx6e3MFC3elRdROVzG352HB
Malware Config
Signatures

Njrat family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation  (process: 9acd975f4c97ed6d72af28fe63cd828eddaf394a3c6cec34c74739ebcb2005d6N.exe)

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c1d3c43cd1579029d89b4722896f87cc.exe  (process: dllhost.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c1d3c43cd1579029d89b4722896f87cc.exe  (process: dllhost.exe)

Executes dropped EXE (1 IoC)
  PID 1188  dllhost.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c1d3c43cd1579029d89b4722896f87cc = "C:\Users\Admin\AppData\Roaming\dllhost.exe" ..  (process: dllhost.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\c1d3c43cd1579029d89b4722896f87cc = "C:\Users\Admin\AppData\Roaming\dllhost.exe" ..  (process: dllhost.exe)
  Note: the value data is shown unescaped; the report renders it as "\"C:\\Users\\Admin\\AppData\\Roaming\\dllhost.exe\" ..". The value name is the same 32-hex string used for the Startup-folder copy, and the trailing " .." after the quoted path is the Run-value form njRAT builds write. Both the per-user and the machine-wide (WOW6432Node, i.e. 32-bit view) Run keys point at the copy in %APPDATA%, so persistence does not depend on the original sample surviving.

Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new  (process: 9acd975f4c97ed6d72af28fe63cd828eddaf394a3c6cec34c74739ebcb2005d6N.exe)
  File created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new  (process: 9acd975f4c97ed6d72af28fe63cd828eddaf394a3c6cec34c74739ebcb2005d6N.exe)
  Note: these are the .NET Framework 2.0 CLR's code-access-security policy cache files, written when a managed executable starts under that runtime. They indicate a .NET binary (consistent with njRAT), not a payload drop, and are not an indicator on their own.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographic location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: 9acd975f4c97ed6d72af28fe63cd828eddaf394a3c6cec34c74739ebcb2005d6N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: dllhost.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (process: attrib.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 744  9acd975f4c97ed6d72af28fe63cd828eddaf394a3c6cec34c74739ebcb2005d6N.exe  (all 64 events from this one process)

Suspicious use of AdjustPrivilegeToken (28 IoCs)
  Token: SeDebugPrivilege  PID 744   9acd975f4c97ed6d72af28fe63cd828eddaf394a3c6cec34c74739ebcb2005d6N.exe
  Token: SeDebugPrivilege  PID 1188  dllhost.exe
  Token: 33 (privilege LUID 33 = SeIncreaseWorkingSetPrivilege)  PID 1188  dllhost.exe  (13 events)
  Token: SeIncBasePriorityPrivilege  PID 1188  dllhost.exe  (13 events)
  The last two alternate in pairs, 26 events in total. SeDebugPrivilege being enabled by both the dropper and the dropped copy is the notable entry.

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 744 (9acd975f4c97ed6d72af28fe63cd828eddaf394a3c6cec34c74739ebcb2005d6N.exe) wrote to memory of PID 1188, procid_target 88  (3 events)
  PID 1188 (dllhost.exe) wrote to memory of PID 4264, procid_target 95  (3 events)
  Note: each target is the child the writing process spawns in the tree below, the pattern process creation produces; nothing here shows a write into a foreign process.

Views/modifies file attributes (1 TTP, 1 IoC)
  PID 4264  attrib.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\9acd975f4c97ed6d72af28fe63cd828eddaf394a3c6cec34c74739ebcb2005d6N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9acd975f4c97ed6d72af28fe63cd828eddaf394a3c6cec34c74739ebcb2005d6N.exe"
   PID: 744
   - Checks computer location settings
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\dllhost.exe  (child of PID 744)
      Command line: "C:\Users\Admin\AppData\Roaming\dllhost.exe"
      PID: 1188
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\attrib.exe  (child of PID 1188)
         Command line: attrib +h "C:\Users\Admin\AppData\Roaming\dllhost.exe"
         PID: 4264
         - System Location Discovery: System Language Discovery
         - Views/modifies file attributes

Reading the tree: the sample copies itself to %APPDATA%\dllhost.exe (a name borrowed from a legitimate binary that lives in C:\Windows\System32 and C:\Windows\SysWOW64), runs the copy, and the copy registers itself in both Run keys and the Startup folder, then spawns attrib +h to clear itself from default Explorer and "dir" listings. attrib resolving to C:\Windows\SysWOW64 is the file-system redirector at work, which confirms the copy runs as a 32-bit process on this x64 image. The hidden file is still visible to "dir /a" and "Get-ChildItem -Force".
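An added detection example, written for this page rather than taken from the sandbox report or any vendor product, that correlates the chain the tree above shows: Run values in the njRAT form under either hive, a Startup-folder copy named after the Run value, and a child attrib +h aimed at the binary its own parent runs from. The events and their field names (type, pid, image, key, name, data, path, cmdline, parent_image) are constructed from this page's IoCs and are an assumed schema, not a real EDR's; a benign Run entry is included as a control that must not fire.

```python
"""Correlate the njRAT persistence chain over constructed telemetry.

Added example, not sandbox output: the events are hand-built from the IoCs
on this page and the field names are an assumed schema.
"""
import re
from pathlib import PureWindowsPath

SID = "S-1-5-21-1045960512-3948844814-3059691613-1000"
DROPPED = r"C:\Users\Admin\AppData\Roaming\dllhost.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
RUN_NAME = "c1d3c43cd1579029d89b4722896f87cc"

# Constructed events modelled on the report's IoCs, plus one benign control.
EVENTS = [
    {"type": "registry_set", "pid": 1188, "image": DROPPED,
     "key": rf"\REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": RUN_NAME, "data": f'"{DROPPED}" ..'},
    {"type": "registry_set", "pid": 1188, "image": DROPPED,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
     "name": RUN_NAME, "data": f'"{DROPPED}" ..'},
    {"type": "file_create", "pid": 1188, "image": DROPPED,
     "path": rf"{STARTUP}\{RUN_NAME}.exe"},
    {"type": "process_create", "pid": 4264, "parent_image": DROPPED,
     "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": f'attrib +h "{DROPPED}"'},
    # Benign control (assumed vendor tool): ordinary Run entry, must not fire.
    {"type": "registry_set", "pid": 5000, "image": r"C:\Program Files\Vendor\tool.exe",
     "key": rf"\REGISTRY\USER\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "VendorTool", "data": r'"C:\Program Files\Vendor\tool.exe" /background'},
]

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
# njRAT writes its Run value as  "<exe path>" ..  ; the trailing " .." is the tell.
NJRAT_RUN_DATA = re.compile(r'^"?(?P<exe>[^"]+\.exe)"?\s+\.\.$', re.I)
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)
ATTRIB_HIDE = re.compile(r'\battrib(?:\.exe)?\b.*\+h\s+"?(?P<target>[^"]+?)"?\s*$', re.I)
# Binaries that legitimately live under C:\Windows; the list is illustrative.
SYSTEM_NAMES = frozenset({"dllhost.exe", "svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe"})


def _norm(path):
    return path.strip().strip('"').lower()


def _hive(key):
    return "HKLM" if key.upper().startswith(r"\REGISTRY\MACHINE") else "HKU"


def detect(events):
    """Return (rule, pid, detail) findings for njRAT-style persistence."""
    findings = []
    run_exes = {}  # normalised exe path -> Run value name

    # Pass 1: Run values in the njRAT form, under either hive.
    for e in events:
        if e["type"] == "registry_set" and RUN_KEY.search(e["key"]):
            m = NJRAT_RUN_DATA.match(e["data"])
            if m:
                exe = _norm(m["exe"])
                run_exes[exe] = e["name"]
                findings.append(("run_value_njrat_style", e["pid"],
                                 f"{_hive(e['key'])} {e['name']} -> {exe}"))

    # Pass 2: artefacts that tie back to the Run-value executable.
    for e in events:
        if e["type"] == "file_create" and _norm(e["path"]).startswith(_norm(STARTUP)):
            stem = PureWindowsPath(e["path"]).stem
            # Same name as the Run value, or the 32-hex naming on its own.
            if stem in run_exes.values() or HEX32.match(stem):
                findings.append(("startup_folder_drop", e["pid"], stem))
        elif e["type"] == "process_create":
            m = ATTRIB_HIDE.search(e.get("cmdline", ""))
            if m:
                target = _norm(m["target"])
                # Hiding the very file the parent runs from is self-concealment.
                if target in run_exes and _norm(e.get("parent_image", "")) == target:
                    findings.append(("self_hide_attrib", e["pid"], target))

    # Pass 3: a system-binary name persisted from outside C:\Windows.
    for exe in run_exes:
        if PureWindowsPath(exe).name in SYSTEM_NAMES and not exe.startswith("c:\\windows\\"):
            findings.append(("system_name_outside_windows", None, exe))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:28} pid={pid} {detail}")
```

The first pass alone catches this sample; the second and third passes exist so a single hit can be scored higher when the Startup copy, the self-hide and the masqueraded name all point at the same executable, and so a benign Run entry with a normal argument string stays silent.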
Network
(no entries on this page)

MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (1)
Registry Run Keys / Startup Folder is also a Persistence technique in ATT&CK; the report files it under Privilege Escalation only.
Downloads

Filesize: 77KB
MD5:    e993cfb6e61851f8e4b8a0de1109e7e0
SHA1:   7ed75b6f3d933016bb4064900780fdf702889e09
SHA256: 9acd975f4c97ed6d72af28fe63cd828eddaf394a3c6cec34c74739ebcb2005d6
SHA512: ff3b842bc78179bf267852b7f1a73159db146e319f064b556d92c71a968c5061675377ad7e1663cdf2ca98b9f5d10a0ed64037f5223bd217f053e8bda1c6f1ad
(these match the submitted sample; the dropped %APPDATA%\dllhost.exe and the Startup-folder copy are not listed separately, so the page does not confirm whether they are byte-identical to the sample)

Filesize: 516B
MD5:    6f27257307fa0b5c51a85fb3203060ee
SHA1:   04d0578e3f4eaa7c37495ea2ee13aed27697b16f
SHA256: 1092d7590493d13ab14eef3186133e35b341dbf397b57e5bdd1305fe0fe029e9
SHA512: e545d034d1f268773a517475eb662941df925efaf3a57d110f2c0c9d2498ad98da49e0ac07bc0f62cd32875adedf638ed2008f62d7d8bae8cddd27e915251ccb