Analysis
-
max time kernel
144s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
19-12-2024 11:01
Static task
static1
Behavioral task
behavioral1
Sample
fbfdfa9de3a80cc647a1173b193cbe3e7e2c56088c7e5fda2b75b2561eeebe03.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
fbfdfa9de3a80cc647a1173b193cbe3e7e2c56088c7e5fda2b75b2561eeebe03.exe
Resource
win10v2004-20241007-en
General
-
Target
fbfdfa9de3a80cc647a1173b193cbe3e7e2c56088c7e5fda2b75b2561eeebe03.exe
-
Size
1.2MB
-
MD5
1d0533150b9b44246d4431607b3871ab
-
SHA1
73e34d8ab2f51edd471b06c3e2ad17c29701536a
-
SHA256
fbfdfa9de3a80cc647a1173b193cbe3e7e2c56088c7e5fda2b75b2561eeebe03
-
SHA512
a658d2f0768a94c632bb7bb1202584d27ff1bd5db94f8c3cf25f059803c01b3ed49c0ca4db326016a149723034a9bd56531072db2f0203c054d7e28d0ca277da
-
SSDEEP
24576:eAHnh+eWsN3skA4RV1Hom2KXMmHaW7aWvCaFg5a7PCmWX95u:Jh+ZkldoPK8YaW7CaZ7IHu
Malware Config
Extracted
njrat
0.7d
redlanhopto
redlan.hopto.org:5553
d25d360449d7bab3069e1b77b3a914a3
-
reg_key
d25d360449d7bab3069e1b77b3a914a3
-
splitter
|'|'|
Signatures
-
Njrat family
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 2568 netsh.exe -
Executes dropped EXE 2 IoCs
pid Process 2944 data.exe 2084 data.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x0034000000016d17-15.dat autoit_exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2288 set thread context of 2608 2288 fbfdfa9de3a80cc647a1173b193cbe3e7e2c56088c7e5fda2b75b2561eeebe03.exe 30 PID 2944 set thread context of 2780 2944 data.exe 38 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language data.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language data.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fbfdfa9de3a80cc647a1173b193cbe3e7e2c56088c7e5fda2b75b2561eeebe03.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegAsm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1028 schtasks.exe 1152 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2288 fbfdfa9de3a80cc647a1173b193cbe3e7e2c56088c7e5fda2b75b2561eeebe03.exe 2288 fbfdfa9de3a80cc647a1173b193cbe3e7e2c56088c7e5fda2b75b2561eeebe03.exe 2944 data.exe 2944 data.exe 2084 data.exe 2084 data.exe -
Suspicious use of AdjustPrivilegeToken 27 IoCs
description pid Process Token: SeDebugPrivilege 2608 RegAsm.exe Token: 33 2608 RegAsm.exe Token: SeIncBasePriorityPrivilege 2608 RegAsm.exe Token: 33 2608 RegAsm.exe Token: SeIncBasePriorityPrivilege 2608 RegAsm.exe Token: 33 2608 RegAsm.exe Token: SeIncBasePriorityPrivilege 2608 RegAsm.exe Token: 33 2608 RegAsm.exe Token: SeIncBasePriorityPrivilege 2608 RegAsm.exe Token: 33 2608 RegAsm.exe Token: SeIncBasePriorityPrivilege 2608 RegAsm.exe Token: 33 2608 RegAsm.exe Token: SeIncBasePriorityPrivilege 2608 RegAsm.exe Token: 33 2608 RegAsm.exe Token: SeIncBasePriorityPrivilege 2608 RegAsm.exe Token: 33 2608 RegAsm.exe Token: SeIncBasePriorityPrivilege 2608 RegAsm.exe Token: 33 2608 RegAsm.exe Token: SeIncBasePriorityPrivilege 2608 RegAsm.exe Token: 33 2608 RegAsm.exe Token: SeIncBasePriorityPrivilege 2608 RegAsm.exe Token: 33 2608 RegAsm.exe Token: SeIncBasePriorityPrivilege 2608 RegAsm.exe Token: 33 2608 RegAsm.exe Token: SeIncBasePriorityPrivilege 2608 RegAsm.exe Token: 33 2608 RegAsm.exe Token: SeIncBasePriorityPrivilege 2608 RegAsm.exe -
Suspicious use of FindShellTrayWindow 9 IoCs
pid Process 2288 fbfdfa9de3a80cc647a1173b193cbe3e7e2c56088c7e5fda2b75b2561eeebe03.exe 2288 fbfdfa9de3a80cc647a1173b193cbe3e7e2c56088c7e5fda2b75b2561eeebe03.exe 2288 fbfdfa9de3a80cc647a1173b193cbe3e7e2c56088c7e5fda2b75b2561eeebe03.exe 2944 data.exe 2944 data.exe 2944 data.exe 2084 data.exe 2084 data.exe 2084 data.exe -
Suspicious use of SendNotifyMessage 9 IoCs
pid Process 2288 fbfdfa9de3a80cc647a1173b193cbe3e7e2c56088c7e5fda2b75b2561eeebe03.exe 2288 fbfdfa9de3a80cc647a1173b193cbe3e7e2c56088c7e5fda2b75b2561eeebe03.exe 2288 fbfdfa9de3a80cc647a1173b193cbe3e7e2c56088c7e5fda2b75b2561eeebe03.exe 2944 data.exe 2944 data.exe 2944 data.exe 2084 data.exe 2084 data.exe 2084 data.exe -
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target PID 2288 wrote to memory of 2608 2288 fbfdfa9de3a80cc647a1173b193cbe3e7e2c56088c7e5fda2b75b2561eeebe03.exe 30 PID 2288 wrote to memory of 2608 2288 fbfdfa9de3a80cc647a1173b193cbe3e7e2c56088c7e5fda2b75b2561eeebe03.exe 30 PID 2288 wrote to memory of 2608 2288 fbfdfa9de3a80cc647a1173b193cbe3e7e2c56088c7e5fda2b75b2561eeebe03.exe 30 PID 2288 wrote to memory of 2608 2288 fbfdfa9de3a80cc647a1173b193cbe3e7e2c56088c7e5fda2b75b2561eeebe03.exe 30 PID 2288 wrote to memory of 2608 2288 fbfdfa9de3a80cc647a1173b193cbe3e7e2c56088c7e5fda2b75b2561eeebe03.exe 30 PID 2288 wrote to memory of 2608 2288 fbfdfa9de3a80cc647a1173b193cbe3e7e2c56088c7e5fda2b75b2561eeebe03.exe 30 PID 2288 wrote to memory of 2608 2288 fbfdfa9de3a80cc647a1173b193cbe3e7e2c56088c7e5fda2b75b2561eeebe03.exe 30 PID 2288 wrote to memory of 2608 2288 fbfdfa9de3a80cc647a1173b193cbe3e7e2c56088c7e5fda2b75b2561eeebe03.exe 30 PID 2288 wrote to memory of 2608 2288 fbfdfa9de3a80cc647a1173b193cbe3e7e2c56088c7e5fda2b75b2561eeebe03.exe 30 PID 2608 wrote to memory of 2568 2608 RegAsm.exe 31 PID 2608 wrote to memory of 2568 2608 RegAsm.exe 31 PID 2608 wrote to memory of 2568 2608 RegAsm.exe 31 PID 2608 wrote to memory of 2568 2608 RegAsm.exe 31 PID 2288 wrote to memory of 1152 2288 fbfdfa9de3a80cc647a1173b193cbe3e7e2c56088c7e5fda2b75b2561eeebe03.exe 34 PID 2288 wrote to memory of 1152 2288 fbfdfa9de3a80cc647a1173b193cbe3e7e2c56088c7e5fda2b75b2561eeebe03.exe 34 PID 2288 wrote to memory of 1152 2288 fbfdfa9de3a80cc647a1173b193cbe3e7e2c56088c7e5fda2b75b2561eeebe03.exe 34 PID 2288 wrote to memory of 1152 2288 fbfdfa9de3a80cc647a1173b193cbe3e7e2c56088c7e5fda2b75b2561eeebe03.exe 34 PID 2916 wrote to memory of 2944 2916 taskeng.exe 37 PID 2916 wrote to memory of 2944 2916 taskeng.exe 37 PID 2916 wrote to memory of 2944 2916 taskeng.exe 37 PID 2916 wrote to memory of 2944 2916 taskeng.exe 37 PID 2944 wrote to memory of 2780 2944 data.exe 38 PID 2944 wrote to memory of 2780 2944 data.exe 38 PID 2944 wrote to memory of 2780 2944 data.exe 38 PID 2944 wrote to memory of 2780 2944 data.exe 38 PID 2944 wrote to memory of 2780 2944 data.exe 38 PID 2944 wrote to memory of 2780 2944 data.exe 38 PID 2944 wrote to memory of 2780 2944 data.exe 38 PID 2944 wrote to memory of 2780 2944 data.exe 38 PID 2944 wrote to memory of 2780 2944 data.exe 38 PID 2944 wrote to memory of 1028 2944 data.exe 39 PID 2944 wrote to memory of 1028 2944 data.exe 39 PID 2944 wrote to memory of 1028 2944 data.exe 39 PID 2944 wrote to memory of 1028 2944 data.exe 39 PID 2916 wrote to memory of 2084 2916 taskeng.exe 41 PID 2916 wrote to memory of 2084 2916 taskeng.exe 41 PID 2916 wrote to memory of 2084 2916 taskeng.exe 41 PID 2916 wrote to memory of 2084 2916 taskeng.exe 41
Processes
-
C:\Users\Admin\AppData\Local\Temp\fbfdfa9de3a80cc647a1173b193cbe3e7e2c56088c7e5fda2b75b2561eeebe03.exe"C:\Users\Admin\AppData\Local\Temp\fbfdfa9de3a80cc647a1173b193cbe3e7e2c56088c7e5fda2b75b2561eeebe03.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "RegAsm.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2568
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn igfxHK /tr "C:\Users\Admin\AppData\Roaming\chkdsk\data.exe" /sc minute /mo 1 /F2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1152
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {67C3ECA4-8482-4521-B447-6511616211AA} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Users\Admin\AppData\Roaming\chkdsk\data.exeC:\Users\Admin\AppData\Roaming\chkdsk\data.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"3⤵
- System Location Discovery: System Language Discovery
PID:2780
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\SysWOW64\schtasks.exe" /create /tn igfxHK /tr "C:\Users\Admin\AppData\Roaming\chkdsk\data.exe" /sc minute /mo 1 /F3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1028
-
-
-
C:\Users\Admin\AppData\Roaming\chkdsk\data.exeC:\Users\Admin\AppData\Roaming\chkdsk\data.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2084
-
Network
-
Remote address:8.8.8.8:53Requestredlan.hopto.orgIN AResponseredlan.hopto.orgIN A184.105.237.195
-
637 B 248 B 7 6
-
562 B 208 B 6 5
-
637 B 248 B 7 6
-
637 B 248 B 7 6
-
545 B 168 B 5 4
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD583f3f462b393cd26b35fe5a2155fd56e
SHA1c72058398f76f1cd4acccc49623df5111b4c8118
SHA25607872c5471feb3012d922777283cfb6e6065e20ba30dea2b192ca118d9d2d275
SHA5128157bde3faeb9c85ac43f6b1e2b09b456fe3745b07bbc61fe14e714c6f5a87d93ec897732a65d2f2b5d272736db7b0e77202b2b39934ab8705eaa120fa53a7d7