Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
18/01/2025, 11:25
Static task
static1
Behavioral task
behavioral1
Sample
621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe
Resource
win10v2004-20241007-en
General
-
Target
621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe
-
Size
506KB
-
MD5
cea8687c16ca4de232b21a53308714d3
-
SHA1
88d8fbf3e679fa2c081e79d9b561d31b8a359538
-
SHA256
621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3
-
SHA512
e09aedf77f7eedd2e49825bda4ac6e966c301135419d857df2e2c86d78c82c48d09609ed6b6937a5f4582276395bd22f8d51fd1ab3e84e287edac207e8942b3f
-
SSDEEP
12288:/LMEalqxXblqoRX5qbfphLxaOSoSDi7mbsG46w:zqaXNabfphLxaVpDiiQ9
Malware Config
Extracted
njrat
0.7d
Lammer
ie-serving.gl.at.ply.gg:18976
d386661cfe8f30c3a692533641b57806
-
reg_key
d386661cfe8f30c3a692533641b57806
-
splitter
|'|'|
Extracted
njrat
0.7d
Lammer1
ie-serving.gl.at.ply.gg:18976
82f896a33c031e162176bdb24630461b
-
reg_key
82f896a33c031e162176bdb24630461b
-
splitter
|'|'|
Signatures
-
Njrat family
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 1400 netsh.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d386661cfe8f30c3a692533641b57806.exe explore.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d386661cfe8f30c3a692533641b57806.exe explore.exe -
Executes dropped EXE 5 IoCs
pid Process 2644 crackreado.exe 2828 vn.exe 2656 Lammer.exe 1928 explore.exe 1588 Lammer1.exe -
Loads dropped DLL 7 IoCs
pid Process 2828 vn.exe 2828 vn.exe 2656 Lammer.exe 2656 Lammer.exe 1928 explore.exe 2828 vn.exe 1588 Lammer1.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" vn.exe Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\d386661cfe8f30c3a692533641b57806 = "\"C:\\Users\\Admin\\AppData\\Roaming\\explore.exe\" .." explore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\d386661cfe8f30c3a692533641b57806 = "\"C:\\Users\\Admin\\AppData\\Roaming\\explore.exe\" .." explore.exe -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description ioc Process File created C:\Users\Admin\AppData\Local\Temp\crackreado.exe:Zone.Identifier 621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lammer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explore.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lammer1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
NTFS ADS 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Temp\crackreado.exe:Zone.Identifier 621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2644 crackreado.exe -
Suspicious use of AdjustPrivilegeToken 35 IoCs
description pid Process Token: SeSecurityPrivilege 2868 621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe Token: SeRestorePrivilege 2868 621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe Token: SeDebugPrivilege 1928 explore.exe Token: 33 1928 explore.exe Token: SeIncBasePriorityPrivilege 1928 explore.exe Token: 33 1928 explore.exe Token: SeIncBasePriorityPrivilege 1928 explore.exe Token: 33 1928 explore.exe Token: SeIncBasePriorityPrivilege 1928 explore.exe Token: 33 1928 explore.exe Token: SeIncBasePriorityPrivilege 1928 explore.exe Token: 33 1928 explore.exe Token: SeIncBasePriorityPrivilege 1928 explore.exe Token: 33 1928 explore.exe Token: SeIncBasePriorityPrivilege 1928 explore.exe Token: 33 1928 explore.exe Token: SeIncBasePriorityPrivilege 1928 explore.exe Token: 33 1928 explore.exe Token: SeIncBasePriorityPrivilege 1928 explore.exe Token: 33 1928 explore.exe Token: SeIncBasePriorityPrivilege 1928 explore.exe Token: 33 1928 explore.exe Token: SeIncBasePriorityPrivilege 1928 explore.exe Token: 33 1928 explore.exe Token: SeIncBasePriorityPrivilege 1928 explore.exe Token: 33 1928 explore.exe Token: SeIncBasePriorityPrivilege 1928 explore.exe Token: 33 1928 explore.exe Token: SeIncBasePriorityPrivilege 1928 explore.exe Token: 33 1928 explore.exe Token: SeIncBasePriorityPrivilege 1928 explore.exe Token: 33 1928 explore.exe Token: SeIncBasePriorityPrivilege 1928 explore.exe Token: 33 1928 explore.exe Token: SeIncBasePriorityPrivilege 1928 explore.exe -
Suspicious use of WriteProcessMemory 38 IoCs
description pid Process procid_target PID 2868 wrote to memory of 2644 2868 621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe 30 PID 2868 wrote to memory of 2644 2868 621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe 30 PID 2868 wrote to memory of 2644 2868 621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe 30 PID 2868 wrote to memory of 2828 2868 621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe 31 PID 2868 wrote to memory of 2828 2868 621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe 31 PID 2868 wrote to memory of 2828 2868 621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe 31 PID 2868 wrote to memory of 2828 2868 621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe 31 PID 2868 wrote to memory of 2828 2868 621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe 31 PID 2868 wrote to memory of 2828 2868 621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe 31 PID 2868 wrote to memory of 2828 2868 621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe 31 PID 2828 wrote to memory of 2656 2828 vn.exe 32 PID 2828 wrote to memory of 2656 2828 vn.exe 32 PID 2828 wrote to memory of 2656 2828 vn.exe 32 PID 2828 wrote to memory of 2656 2828 vn.exe 32 PID 2828 wrote to memory of 2656 2828 vn.exe 32 PID 2828 wrote to memory of 2656 2828 vn.exe 32 PID 2828 wrote to memory of 2656 2828 vn.exe 32 PID 2656 wrote to memory of 1928 2656 Lammer.exe 33 PID 2656 wrote to memory of 1928 2656 Lammer.exe 33 PID 2656 wrote to memory of 1928 2656 Lammer.exe 33 PID 2656 wrote to memory of 1928 2656 Lammer.exe 33 PID 2656 wrote to memory of 1928 2656 Lammer.exe 33 PID 2656 wrote to memory of 1928 2656 Lammer.exe 33 PID 2656 wrote to memory of 1928 2656 Lammer.exe 33 PID 2828 wrote to memory of 1588 2828 vn.exe 34 PID 2828 wrote to memory of 1588 2828 vn.exe 34 PID 2828 wrote to memory of 1588 2828 vn.exe 34 PID 2828 wrote to memory of 1588 2828 vn.exe 34 PID 2828 wrote to memory of 1588 2828 vn.exe 34 PID 2828 wrote to memory of 1588 2828 vn.exe 34 PID 2828 wrote to memory of 1588 2828 vn.exe 34 PID 1928 wrote to memory of 1400 1928 explore.exe 35 PID 1928 wrote to memory of 1400 1928 explore.exe 35 PID 1928 wrote to memory of 1400 1928 explore.exe 35 PID 1928 wrote to memory of 1400 1928 explore.exe 35 PID 1928 wrote to memory of 1400 1928 explore.exe 35 PID 1928 wrote to memory of 1400 1928 explore.exe 35 PID 1928 wrote to memory of 1400 1928 explore.exe 35
Processes
-
C:\Users\Admin\AppData\Local\Temp\621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe"C:\Users\Admin\AppData\Local\Temp\621de6d0edff7f4a71f14002d2f31d5ef0a20d3c5d279c0016d6cd4d6cd525e3.exe"1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Users\Admin\AppData\Local\Temp\crackreado.exe"C:\Users\Admin\AppData\Local\Temp\crackreado.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:2644
-
-
C:\Users\Admin\AppData\Local\Temp\vn.exe"C:\Users\Admin\AppData\Local\Temp\vn.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lammer.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lammer.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Users\Admin\AppData\Roaming\explore.exe"C:\Users\Admin\AppData\Roaming\explore.exe"4⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\explore.exe" "explore.exe" ENABLE5⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1400
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lammer1.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Lammer1.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1588
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
266KB
MD508f60cc9834ea6aa7a0debb5a9f31596
SHA1c5648fad6c56ee9709ef43ccbedb7c8eb5e1c765
SHA256012b2fcc90e10eea3a4cae76faaedeb0a0577aa62925ad098c9dd8b6e610e97f
SHA512649d7d0ecbe3cd8d3dbf649ff2389e9c88e094401a64b60429c6142c20f959c183a503245007d3bb5af80d223508298ee5750057c1279f4874942996bb5d4d4e
-
Filesize
49KB
MD5ad82a9592cf1049cc41e09a5ded58087
SHA16c609e53570e6c681889e6ef8a125f3ea06dbd68
SHA256ca36c45944b74585a60c05e618ab6bf891935f78f0137ccb27d23f2be13ca13f
SHA512d96a40310057a7f4cd649fcc38d4d5b377b7a21ae3fd8d2941eb027eb8c107440f9d3bbd5cc67a701f40d4674f3df549dc96b2b0d0d68f592d1ece98bb4021bb
-
Filesize
23KB
MD526faf73fe025e21d49eb7d6d93146937
SHA10656911baa4e191c64e62bc8636f9dd9b4f3ac92
SHA256ed3104c51ae7ce3a6ae62641c6bfbc5094a73eac53e6ca6706434e0815053195
SHA512e7d0fa3cfe3bcd8ad36c01b132a463a1570f49fa3aa019d66e41359c49b2c88ef7af6a48a4de9bbe1f95c3b5840606514afca4011d836446c82ec5a0c1e83a54
-
Filesize
23KB
MD56e21d078457153d26ad7bba875c27266
SHA1021b8de05fd173c442445fdb7a2c35e6c55c22e4
SHA256a80d4c357c01acdf27602109d41827da153c712d5ddc8dce1f19723257fd7e2f
SHA512bf390204b31f532f94965c283210280fbbb47b5d5150825a8648362fb5443dc2d0df98b6bf9d8b0da8d8a273688b7252ed6043081ad545c1109f2cb4c65e6ef4